Edit tour

Windows Analysis Report
dstream.log.exe

Overview

General Information

Sample name:	dstream.log.exe
Analysis ID:	1467957
MD5:	fb1d8d0ba73b7d30b38057853705b160
SHA1:	5b36e28d52a1ac061a0653d23baf5277cb543568
SHA256:	ca7a8be040371db76cadba7e926c9d98ab61a8b8e7e6d39f6e015fca6cb5bab4
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

dstream.log.exe (PID: 3248 cmdline: "C:\Users\user\Desktop\dstream.log.exe" MD5: FB1D8D0BA73B7D30B38057853705B160)

rundatastream.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\dstream.log.exe" MD5: 1A57E40A51FBFBDA36DBCB8F7F107F05)

cmd.exe (PID: 5632 cmdline: C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4548 cmdline: C:\Windows\system32\cmd.exe /c "del msupdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4836 cmdline: C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1476 cmdline: powershell .\image3.jpg:msupdate.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell .\image3.jpg:msupdate.exe, CommandLine: powershell .\image3.jpg:msupdate.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4836, ParentProcessName: cmd.exe, ProcessCommandLine: powershell .\image3.jpg:msupdate.exe, ProcessId: 1476, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dstream.log.exe	Virustotal: Detection: 36%			Perma Link
Source: dstream.log.exe	ReversingLabs: Detection: 37%

Machine Learning detection for sample

Source: dstream.log.exe

Joe Sandbox ML: detected

Source: dstream.log.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\A\18\s\PCbuild\amd64\python37.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmp, python37.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_bz2.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_ctypes.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\unicodedata.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:40:20 2020 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_asyncio.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\pyexpat.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_socket.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_ssl.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5374000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_overlapped.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\select.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdbNN source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_hashlib.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_elementtree.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _elementtree.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_queue.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb$$ source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_multiprocessing.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr

Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D8370 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF7BC6D8370
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD943BAD7C FindFirstFileW,FindClose,		2_2_00007FFD943BAD7C

Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe.0.dr	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://json.org
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: python37.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r(
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.megginson.com/SAX/.
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.nightmare.com/squirl/python-ext/misc/syslog.py
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.python.org/
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe, 00000002.00000002.2261749406.0000028B1C270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/rfc%d.txtz(http://www.python.org/dev/peps/pep-%04d/r2
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208z
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe.0.dr	String found in binary or memory: http://wwwsearch.sf.net/):
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz
Source: rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org
Source: rundatastream.exe	String found in binary or memory: http://xml.org/sax/properties/lexical-handlerz1http://xml.org/sax/properties/declaration-handlerz&ht
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xml.python.org/entities/fragment-builder/internalz
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://xmlrpc.usefulinc.com/doc/reserved.html
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C53DE000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0506/

Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe

Code function: 2_2_00007FFD943BFE88: DeviceIoControl,

2_2_00007FFD943BFE88

Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6CAC90	0_2_00007FF7BC6CAC90
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D7190	0_2_00007FF7BC6D7190
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C8D80	0_2_00007FF7BC6C8D80
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C2D70	0_2_00007FF7BC6C2D70
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D11C0	0_2_00007FF7BC6D11C0
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C15A0	0_2_00007FF7BC6C15A0
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C7E70	0_2_00007FF7BC6C7E70
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D3E70	0_2_00007FF7BC6D3E70
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6DF668	0_2_00007FF7BC6DF668
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C2250	0_2_00007FF7BC6C2250
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C4250	0_2_00007FF7BC6C4250
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C7A30	0_2_00007FF7BC6C7A30
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D0E28	0_2_00007FF7BC6D0E28
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C3F00	0_2_00007FF7BC6C3F00
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D06C8	0_2_00007FF7BC6D06C8
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D02C0	0_2_00007FF7BC6D02C0
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6DBB70	0_2_00007FF7BC6DBB70
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D8370	0_2_00007FF7BC6D8370
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C2B60	0_2_00007FF7BC6C2B60
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D7810	0_2_00007FF7BC6D7810
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6DC00C	0_2_00007FF7BC6DC00C
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C63F0	0_2_00007FF7BC6C63F0
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D1C88	0_2_00007FF7BC6D1C88
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C2080	0_2_00007FF7BC6C2080
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D1850	0_2_00007FF7BC6D1850
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6C9430	0_2_00007FF7BC6C9430
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D6CFC	0_2_00007FF7BC6D6CFC
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D04C4	0_2_00007FF7BC6D04C4
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942C4C64	2_2_00007FFD942C4C64
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942C4654	2_2_00007FFD942C4654
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942D000C	2_2_00007FFD942D000C
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD944267EC	2_2_00007FFD944267EC
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942DA950	2_2_00007FFD942DA950
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942E1990	2_2_00007FFD942E1990
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942E1A99	2_2_00007FFD942E1A99
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942CF2E0	2_2_00007FFD942CF2E0
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD944262E0	2_2_00007FFD944262E0
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942CEB20	2_2_00007FFD942CEB20
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942E5370	2_2_00007FFD942E5370
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD942C1414	2_2_00007FFD942C1414
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFDA4336E04	2_2_00007FFDA4336E04

Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: String function: 00007FFD944487F4 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: String function: 00007FFD942D9420 appears 193 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: String function: 00007FFD943054EC appears 227 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: String function: 00007FFD944512A8 appears 75 times

Source: dstream.log.exe	Binary or memory string: OriginalFilename vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerundatastream.exe< vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C53DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerundatastream.exe< vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_elementtree.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython37.dll. vs dstream.log.exe
Source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs dstream.log.exe
Source: dstream.log.exe	Binary or memory string: OriginalFilenamerundatastream.exe< vs dstream.log.exe

Source: classification engine

Classification label: mal52.evad.winEXE@16/24@0/0

Source: C:\Users\user\Desktop\dstream.log.exe

Code function: 0_2_00007FF7BC6CAB70 GetProcessId,GenerateConsoleCtrlEvent,GetLastError,FormatMessageA,WaitForSingleObject,CloseHandle,SHFileOperationW,

0_2_00007FF7BC6CAB70

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03

Source: C:\Users\user\Desktop\dstream.log.exe

File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783

Jump to behavior

Source: dstream.log.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dstream.log.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rundatastream.exe

Binary or memory string: Insert thousands separators into a digit string. spec is a dictionary whose keys should include 'thousands_sep' and 'grouping'; typically it's the result of parsing the format specifier using _parse_format_specifier. The min_width keyword arg

Source: dstream.log.exe	Virustotal: Detection: 36%
Source: dstream.log.exe	ReversingLabs: Detection: 37%

Source: rundatastream.exe	String found in binary or memory: Fused multiply-add. Returns selfother+third with no rounding of the intermediate product selfother. self and other are multiplied together, with no rounding of the result. The third operand is then added to the result,
Source: rundatastream.exe	String found in binary or memory: The name of the reverse DNS pointer for the IP address, e.g.: >>> ipaddress.ip_address("127.0.0.1").reverse_pointer '1.0.0.127.in-addr.arpa' >>> ipaddress.ip_address("2001:db8::1").reverse_pointer '1.0.0.0.0.0.0.
Source: rundatastream.exe	String found in binary or memory: v v Request-started Req-sent-unread-response \| \| response.read() v Request-sent This diagram presents the following rules: -
Source: rundatastream.exe	String found in binary or memory: helpz#use -h/--help for command line helprA
Source: rundatastream.exe	String found in binary or memory: helpz#use -h/--help for command line helprA
Source: rundatastream.exe	String found in binary or memory: \| response.read() \| putrequest() v v Idle Req-started-unread-response ______/\| / \| response.read() \| \| ( putheader() )* endheaders()
Source: rundatastream.exe	String found in binary or memory: ransitions: (null) \| \| HTTPConnection() v Idle \| \| putrequest() v Request-started \| \| ( putheader() )* endheaders() v Request-sent \|\_____________________________ \|
Source: rundatastream.exe	String found in binary or memory: .ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm AIX supports two styles for dlopen(): svr4 (System V Release 4) which is common on posix pla
Source: rundatastream.exe	String found in binary or memory: ------ Idle _CS_IDLE None Request-started _CS_REQ_STARTED None Request-sent _CS_REQ_SENT None Unread-response _CS_IDLE <response_class> Req-started-unread-re
Source: rundatastream.exe	String found in binary or memory: for more digits precision -u/--unit: set the output time unit (nsec, usec, msec, or sec) -h/--help: print this usage message and exit --: separate options from statement, use when statement starts with - statement: statement to be timed (default 'pass
Source: rundatastream.exe	String found in binary or memory: for more digits precision -u/--unit: set the output time unit (nsec, usec, msec, or sec) -h/--help: print this usage message and exit --: separate options from statement, use when statement starts with - statement: statement to be timed (default 'pass
Source: rundatastream.exe	String found in binary or memory: Usage: mimetypes.py [options] type Options: --help / -h -- print this message and exit --lenient / -l -- additionally search of some common, but non-standard types. --extension / -e -- guess extension instead of
Source: rundatastream.exe	String found in binary or memory: Usage: mimetypes.py [options] type Options: --help / -h -- print this message and exit --lenient / -l -- additionally search of some common, but non-standard types. --extension / -e -- guess extension instead of
Source: rundatastream.exe	String found in binary or memory: null addr-spec in angle-addrz*obsolete route specification in angle-addrz.expected addr-spec or obs-route but found '{}'z"missing trailing '>' on angle-addr) rr
Source: rundatastream.exe	String found in binary or memory: angle-addr-startrk
Source: rundatastream.exe	String found in binary or memory: angle-addr-startrk
Source: rundatastream.exe	String found in binary or memory: Enable the SMTPUTF8 extension and behave as an RFC 6531 smtp proxy. --debug -d Turn on debugging prints. --help -h Print this message and exit. Version: %(__version__)s If localhost is not given then `localhost' is used
Source: rundatastream.exe	String found in binary or memory: Enable the SMTPUTF8 extension and behave as an RFC 6531 smtp proxy. --debug -d Turn on debugging prints. --help -h Print this message and exit. Version: %(__version__)s If localhost is not given then `localhost' is used
Source: rundatastream.exe	String found in binary or memory: address_list = (address ("," address)) / obs-addr-list obs-addr-list = ([CFWS] ",") address *("," [address / CFWS]) We depart from the formal grammar here by continuing to parse until the end of the input, assuming the input to be entirely
Source: rundatastream.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: rundatastream.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: rundatastream.exe	String found in binary or memory: can't send non-None value to a just-started coroutine

Source: C:\Users\user\Desktop\dstream.log.exe

File read: C:\Users\user\Desktop\dstream.log.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dstream.log.exe "C:\Users\user\Desktop\dstream.log.exe"
Source: C:\Users\user\Desktop\dstream.log.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe "C:\Users\user\Desktop\dstream.log.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del msupdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell .\image3.jpg:msupdate.exe
Source: C:\Users\user\Desktop\dstream.log.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe "C:\Users\user\Desktop\dstream.log.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del msupdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell .\image3.jpg:msupdate.exe	Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: python37.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wpdshext.dll	Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: dstream.log.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dstream.log.exe

Static file information: File size 5161736 > 1048576

Source: dstream.log.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dstream.log.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dstream.log.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dstream.log.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dstream.log.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dstream.log.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dstream.log.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: dstream.log.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\A\18\s\PCbuild\amd64\python37.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmp, python37.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_bz2.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_ctypes.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\unicodedata.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:40:20 2020 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: dstream.log.exe, 00000000.00000003.2179946053.00000256C52F3000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_asyncio.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\pyexpat.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_socket.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_ssl.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5374000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_overlapped.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\select.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_lzma.pdbNN source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_hashlib.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_elementtree.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _elementtree.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_queue.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmp, rundatastream.exe, 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmp, vcruntime140.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb$$ source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_multiprocessing.pdb source: dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr

Source: dstream.log.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dstream.log.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dstream.log.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dstream.log.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dstream.log.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: dstream.log.exe	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: vcruntime140.dll.0.dr	Static PE information: section name: _RDATA
Source: rundatastream.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe

Code function: 2_2_00007FFD942DDB54 push 8B4C0005h; retf

2_2_00007FFD942DDB59

Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\python37.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\dstream.log.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dstream.log.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2569			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2662			Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dstream.log.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep count: 2569 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep count: 2662 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\dstream.log.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D8370 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF7BC6D8370
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD943BAD7C FindFirstFileW,FindClose,		2_2_00007FFD943BAD7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe

Code function: 0_2_00007FF7BC6CBD58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7BC6CBD58

Source: C:\Users\user\Desktop\dstream.log.exe

Code function: 0_2_00007FF7BC6DA11C GetProcessHeap,

0_2_00007FF7BC6DA11C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6CBD58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7BC6CBD58
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6CB600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7BC6CB600
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6CBF3C SetUnhandledExceptionFilter,	0_2_00007FF7BC6CBF3C
Source: C:\Users\user\Desktop\dstream.log.exe	Code function: 0_2_00007FF7BC6D48F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7BC6D48F0
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFD9431CC44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFD9431CC44
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Code function: 2_2_00007FFDA433CCD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFDA433CCD8

Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "del msupdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell .\image3.jpg:msupdate.exe	Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe

Code function: 0_2_00007FF7BC6C51C0 cpuid

0_2_00007FF7BC6C51C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dstream.log.exe

Code function: 0_2_00007FF7BC6CA440 GetSystemTimeAsFileTime,

0_2_00007FF7BC6CA440

Source: C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dstream.log.exe	37%	Virustotal		Browse
dstream.log.exe	38%	ReversingLabs	Win64.Trojan.Generic
dstream.log.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\python37.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://xml.org/sax/features/namespaces	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
http://www.robotstxt.org/norobots-rfc.txt	0%	Virustotal		Browse
http://www.robotstxt.org/norobots-rfc.txt	0%	Avira URL Cloud	safe
http://www.megginson.com/SAX/.	0%	Avira URL Cloud	safe
http://python.org/dev/peps/pep-0263/	0%	Avira URL Cloud	safe
http://xml.python.org/entities/fragment-builder/internalz	0%	Avira URL Cloud	safe
http://xml.python.org/entities/fragment-builder/internalz	0%	Virustotal		Browse
http://www.megginson.com/SAX/.	2%	Virustotal		Browse
http://www.python.org/	0%	Avira URL Cloud	safe
http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org	0%	Avira URL Cloud	safe
http://xml.org/sax/features/external-general-entities	0%	Avira URL Cloud	safe
https://www.python.org/dev/peps/pep-0506/	0%	Avira URL Cloud	safe
https://www.python.org/dev/peps/pep-0506/	0%	Virustotal		Browse
http://www.python.org/download/releases/2.3/mro/.	0%	Virustotal		Browse
http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r(	1%	Virustotal		Browse
http://python.org/dev/peps/pep-0263/	0%	Virustotal		Browse
http://www.python.org/	0%	Virustotal		Browse
http://xml.org/sax/features/external-general-entities	0%	Virustotal		Browse
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Virustotal		Browse
http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org	0%	Virustotal		Browse
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Avira URL Cloud	safe
http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r(	0%	Avira URL Cloud	safe
http://www.nightmare.com/squirl/python-ext/misc/syslog.py	0%	Avira URL Cloud	safe
http://www.iana.org/assignments/character-sets	0%	Avira URL Cloud	safe
http://xml.org/sax/features/external-parameter-entities	0%	Avira URL Cloud	safe
http://www.python.org/download/releases/2.3/mro/.	0%	Avira URL Cloud	safe
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm	0%	Avira URL Cloud	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	Avira URL Cloud	safe
http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate	0%	Avira URL Cloud	safe
http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz	0%	Avira URL Cloud	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	Virustotal		Browse
http://www.rfc-editor.org/rfc/rfc%d.txtz(http://www.python.org/dev/peps/pep-%04d/r2	0%	Avira URL Cloud	safe
http://www.nightmare.com/squirl/python-ext/misc/syslog.py	1%	Virustotal		Browse
http://www.iana.org/assignments/character-sets	0%	Virustotal		Browse
http://wwwsearch.sf.net/):	0%	Avira URL Cloud	safe
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm	0%	Virustotal		Browse
https://www.openssl.org/H	0%	Avira URL Cloud	safe
http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate	0%	Virustotal		Browse
http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz	0%	Virustotal		Browse
http://www.xmlrpc.com/discuss/msgReader$1208z	0%	Avira URL Cloud	safe
http://xml.org/sax/features/external-parameter-entities	0%	Virustotal		Browse
http://www.iana.org/time-zones/repository/tz-link.html	0%	Avira URL Cloud	safe
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	0%	Avira URL Cloud	safe
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm	0%	Avira URL Cloud	safe
http://www.xmlrpc.com/discuss/msgReader$1208z	0%	Virustotal		Browse
http://curl.haxx.se/rfc/cookie_spec.html	0%	Avira URL Cloud	safe
http://www.iana.org/time-zones/repository/tz-link.html	0%	Virustotal		Browse
http://www.rfc-editor.org/rfc/rfc%d.txtz(http://www.python.org/dev/peps/pep-%04d/r2	0%	Virustotal		Browse
http://speleotrove.com/decimal/decarith.html	0%	Avira URL Cloud	safe
http://wwwsearch.sf.net/):	0%	Virustotal		Browse
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	0%	Virustotal		Browse
http://www.xmlrpc.com/discuss/msgReader$1208	0%	Avira URL Cloud	safe
http://www.python.org/dev/peps/pep-0205/	0%	Avira URL Cloud	safe
http://curl.haxx.se/rfc/cookie_spec.html	0%	Virustotal		Browse
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	0%	Avira URL Cloud	safe
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm	0%	Virustotal		Browse
http://xmlrpc.usefulinc.com/doc/reserved.html	0%	Avira URL Cloud	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Avira URL Cloud	safe
http://json.org	0%	Avira URL Cloud	safe
http://www.xmlrpc.com/discuss/msgReader$1208	0%	Virustotal		Browse
http://xml.org/sax/properties/lexical-handlerz1http://xml.org/sax/properties/declaration-handlerz&ht	0%	Avira URL Cloud	safe
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	0%	Virustotal		Browse
http://xmlrpc.usefulinc.com/doc/reserved.html	0%	Virustotal		Browse
https://www.openssl.org/H	0%	Virustotal		Browse
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Virustotal		Browse
http://json.org	0%	Virustotal		Browse
http://www.python.org/dev/peps/pep-0205/	0%	Virustotal		Browse
http://speleotrove.com/decimal/decarith.html	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.18	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://python.org/dev/peps/pep-0263/	python37.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://xml.python.org/entities/fragment-builder/internalz	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.megginson.com/SAX/.	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.robotstxt.org/norobots-rfc.txt	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xml.org/sax/features/external-general-entities	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	false	URL Reputation: safe	unknown
http://www.python.org/	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespaces	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org	rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/dev/peps/pep-0506/	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r(	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.python.org/download/releases/2.3/mro/.	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe, 00000002.00000002.2261749406.0000028B1C270000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.nightmare.com/squirl/python-ext/misc/syslog.py	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xml.org/sax/features/external-parameter-entities	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/character-sets	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz	rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rfc-editor.org/rfc/rfc%d.txtz(http://www.python.org/dev/peps/pep-%04d/r2	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://wwwsearch.sf.net/):	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C5943000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2188641217.00000256C310A000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C53E9000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C574A000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _elementtree.pyd.0.dr	false	URL Reputation: safe	unknown
https://www.openssl.org/H	dstream.log.exe, 00000000.00000003.2179946053.00000256C53DE000.00000004.00000020.00020000.00000000.sdmp, dstream.log.exe, 00000000.00000003.2179946053.00000256C545E000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.xmlrpc.com/discuss/msgReader$1208z	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://curl.haxx.se/rfc/cookie_spec.html	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp, rundatastream.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://speleotrove.com/decimal/decarith.html	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.python.org/dev/peps/pep-0205/	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.xmlrpc.com/discuss/msgReader$1208	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xmlrpc.usefulinc.com/doc/reserved.html	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	dstream.log.exe, 00000000.00000003.2179946053.00000256C4A89000.00000004.00000020.00020000.00000000.sdmp, rundatastream.exe, rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://json.org	rundatastream.exe, 00000002.00000000.2187963017.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xml.org/sax/properties/lexical-handlerz1http://xml.org/sax/properties/declaration-handlerz&ht	rundatastream.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467957
Start date and time:	2024-07-05 06:47:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dstream.log.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@16/24@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	https://supp-review9482.eu/	Get hash	malicious	Unknown	Browse	217.20.57.18
	13334c17-0dbd-4b95-8089-8c7deb9440fa.eml	Get hash	malicious	Unknown	Browse	217.20.57.40
	https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1	Get hash	malicious	Unknown	Browse	217.20.57.18
	https://mail.support-xfinity.152-42-227-61.cprapid.com/Billing_Pay_Online.html?Review-VerificationMyAccount	Get hash	malicious	Unknown	Browse	217.20.57.18
	https://iwahadxi.hosted.phplist.com/lists/lt.php/?tid=eU1SAFEEUlZTABhUAVAGGAZWVFsfXVQLWkkDBQIAUAwCAgcAAldPWwdaBlNRVAgYVwEEXh9QClxcSQcAUlcbWgQGAAJVVwRXBAoBSQcBAVALVA8LHwIEXVtJUg8GVxsAVVMHGA5SB1EBC1YDAQQBDA	Get hash	malicious	Unknown	Browse	217.20.57.34
	http://we-whatsapp-kf.top/	Get hash	malicious	Unknown	Browse	217.20.57.34
	http://scamwebsite.com/	Get hash	malicious	Unknown	Browse	217.20.57.18
	https://tr.alertsgame.ru/	Get hash	malicious	Unknown	Browse	217.20.57.18
	http://boldlydaisy.com	Get hash	malicious	Unknown	Browse	217.20.57.18
	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse	217.20.57.40

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	BazaLoader	Browse
	ChanChanProxy.exe	Get hash	malicious	Unknown	Browse
	D4p0ZEHZfW.exe	Get hash	malicious	BitRAT	Browse
	#U6d17#U53d1#U6c34 (1).exe	Get hash	malicious	Unknown	Browse
	q5gOFRHj6T.exe	Get hash	malicious	Unknown	Browse
	quvdyekzhimbwca.exe	Get hash	malicious	Unknown	Browse
	dubholeazknjmit.exe	Get hash	malicious	Unknown	Browse
	fabndurlqgvijxm.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd	E5JFfJi2bQ.exe	Get hash	malicious	AsyncRAT	Browse
	devpas.exe	Get hash	malicious	RHADAMANTHYS	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	BazaLoader	Browse
	cW9NTN3EAj.exe	Get hash	malicious	Unknown	Browse
	HVqTxn73uD.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse
	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.773832331134527
Encrypted:	false
SSDEEP:	3:NlllulD/:NllUD
MD5:	D9ADDC8BC71EE61261940D67A7EFF73A
SHA1:	44DABE2479B4D251FC348A7198B3F5665BC48F5C
SHA-256:	3945C70445A1C3E3E162F1EE5EBBD03C93D3D4483316AE2AF1D9C025D0B204A7
SHA-512:	87100FEF4AB233A92DD99E02668390D1C546DEB0DB9E1E7C470E1AC9D63A36C64081E31262786128526FF2FE223E883DBF338587A55A961F6CB7C38A419967AE
Malicious:	false
Reputation:	low
Preview:	@...e.................................R.........................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0s1cbyv.0vl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zl0ett3z.0ks.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	73744
Entropy (8bit):	5.899692891859365
Encrypted:	false
SSDEEP:	1536:P/NHFMdDgugn5BHr/1Rq6mMxnBGpI8snaqy27:X/485x1Rq6mgncpI8snaw7
MD5:	3A9762EE38BFAC66D381270C80D8B787
SHA1:	44036D492A5BB4A8EDFC5DDF3EE84772C74A77ED
SHA-256:	9531365763F8BBFF9FA7E18EABEFE866F99EA4B8E127B265A8952E16217C61E1
SHA-512:	4AFE20524D3043FC526C585C2E5589F4505FDBF4B2011577A595AA836423484BAB18A9F5F4DB82D204A3506DBC55923CFBEF1B0F4DAD54FE2DC2A771CD1F632E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: ChanChanProxy.exe, Detection: malicious, Browse Filename: D4p0ZEHZfW.exe, Detection: malicious, Browse Filename: #U6d17#U53d1#U6c34 (1).exe, Detection: malicious, Browse Filename: q5gOFRHj6T.exe, Detection: malicious, Browse Filename: quvdyekzhimbwca.exe, Detection: malicious, Browse Filename: dubholeazknjmit.exe, Detection: malicious, Browse Filename: fabndurlqgvijxm.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1l..1l..1l..8.B.3l...2..3l...2..3l...2..;l...2..;l..2..2l..j...3l..1l..Hl..2..0l..2..0l..2..0l..2..0l..Rich1l..................PE..d...r.:_.........." .....r...........Y.......................................P............`......................................... ...P...p...d....0.......................@..`...`...T............................................................................text...gp.......r.................. ..`.rdata..t:.......<...v..............@..@.data....7.......2..................@....pdata..............................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc..`....@......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	94736
Entropy (8bit):	6.337586298062742
Encrypted:	false
SSDEEP:	1536:DGb6DBCvurMRnQhVx8/Nlv+SSm9YmFN87Xgq4ToV+dypRI84VAyE:abfXyg7pp9TC7Xgq4ToV+kRI84VY
MD5:	CF77513525FC652BAD6C7F85E192E94B
SHA1:	23EC3BB9CDC356500EC192CAC16906864D5E9A81
SHA-256:	8BCE02E8D44003C5301608B1722F7E26AADA2A03D731FA92A48C124DB40E2E41
SHA-512:	DBC1BA8794CE2D027145C78B7E1FC842FFBABB090ABF9C29044657BDECD44396014B4F7C2B896DE18AAD6CFA113A4841A9CA567E501A6247832B205FE39584A9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: E5JFfJi2bQ.exe, Detection: malicious, Browse Filename: devpas.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: cW9NTN3EAj.exe, Detection: malicious, Browse Filename: HVqTxn73uD.exe, Detection: malicious, Browse Filename: jcY9CjvBDG.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: sCzFNAYGKI.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e.l..k?..k?..k?.\|.?..k?.Zj>..k?B..?..k?.Zh>..k?.Zn>..k?.Zo>..k?vZj>..k?.lj>..k?..j?..k?vZc>..k?vZk>..k?vZ.?..k?vZi>..k?Rich..k?........PE..d...z.:_.........." .........j......$...............................................<6....`........................................../..H...80...............`.......X..................T............................................................................text............................... ..`.rdata...;.......<..................@..@.data........@.......0..............@....pdata.......`.......>..............@..@.gfids.......p.......H..............@..@.rsrc................J..............@..@.reloc...............V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132624
Entropy (8bit):	5.962671714439977
Encrypted:	false
SSDEEP:	1536:bRyGuR/8oD9tR2yHBIjxBaVGTODsAR04D0RfUGpd0/b8aMgiadI8VPEye:bcDd8oM+kBVQ/8f5pdObL7dI8VPG
MD5:	5E869EEBB6169CE66225EB6725D5BE4A
SHA1:	747887DA0D7AB152E1D54608C430E78192D5A788
SHA-256:	430F1886CAF059F05CDE6EB2E8D96FEB25982749A151231E471E4B8D7F54F173
SHA-512:	FEB6888BB61E271B1670317435EE8653DEDD559263788FBF9A7766BC952DEFD7A43E7C3D9F539673C262ABEDD97B0C4DD707F0F5339B1C1570DB4E25DA804A16
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........$\.kw\.kw\.kwU..wZ.kwg.jv^.kwg.hv_.kwg.nvV.kwg.ovV.kw..jv^.kw..ov].kw..jv[.kw\.jw..kw..hv].kw..cvT.kw..kv].kw..w].kw..iv].kwRich\.kw........................PE..d...r.:_.........." .........................................................@....../G....`.......................................................... .......................0.......e..T............................f...............0...............................text............................... ..`.rdata..pq...0...r..................@..@.data....9.......4..................@....pdata..............................@..@.gfids..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	267280
Entropy (8bit):	6.490803702039132
Encrypted:	false
SSDEEP:	6144:16wN+Xkv3Pt2R4ihr6iboTfWebtedJ/gqWya38LWuAxR:U4ExW4oTdoC3R
MD5:	75A0542682D8F534F4A1BA48EB32218F
SHA1:	A9B878F45B575A0502003EBCFE3D6EB9AC7DD126
SHA-256:	5767525D2CDD2A89DE97A11784EC0769C30935302C135F087B09894F8865BE8B
SHA-512:	4682B8E4A81F7EFFC89D580DCA10CCFCCEBE562C2745626833CD5818DE9753C3A1E064A47C7DDC4676B6E1C7071C484156FABE98E423E625BB5D2C2B843C33DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q#!.0Mr.0Mr.0Mr.H.r.0Mr.nLs.0Mr.nNs.0Mr.nHs.0Mr.nIs.0Mr.nLs.0Mr.XLs.0Mr.0Lr?0Mr.nNs.0Mr.n@s.0Mr.nMs.0Mr.n.r.0Mr.nOs.0MrRich.0Mr........PE..d...q.:_.........." .........R...............................................@......&5....`.........................................P8..P....8....... ..........\|/...........0...... ...T............................................................................text...8........................... ..`.rdata..2...........................@..@.data...h....P...\|...:..............@....pdata..\|/.......0..................@..@.gfids..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	207888
Entropy (8bit):	6.299632329784148
Encrypted:	false
SSDEEP:	3072:eA5zdNfn+gUP4DoqYjDn0sYwtk9/h337lm2Fad8u2JyoMMMMMMF4S1jzhI8AfC:eAxL/+gUPJjD0sYw6nBmRQye1jz3
MD5:	7D0C4AB57FDC1BD30C0E8E42CCC2AA35
SHA1:	81BFF07B6B5DD843E2227A3E8054500CFEC65983
SHA-256:	EE8C4A8FE8EAA918A4FEE353D46F4191BD161582098B400C33220847D84797DB
SHA-512:	56AE9F10DE02E7C777673814128D0252B47D001D2EDC74BFF9D85D7B0B6538B6F4D3D163E301DFB31429EC1EEEFEE550A72D6E424F20E10EB63C28DB0E69FBBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..B&oo.&oo.&oo./...*oo..1n.$oo..1l.$oo..1j.,oo..1k.,oo..1n.$oo.}.n.%oo.&on..oo..1g."oo..1o.'oo..1..'oo..1m.'oo.Rich&oo.........................PE..d...v.:_.........." .....0...........-.......................................P............`.............................................X...........0...........%...........@..4....}..T...........................P~...............@...............................text...s........0.................. ..`.rdata.......@.......4..............@..@.data...............................@....pdata...%.......&..................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc..4....@......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38928
Entropy (8bit):	5.959951673192366
Encrypted:	false
SSDEEP:	768:AyvaHXGH0o9MBl7nqHQ03dpI8sIZhWDG4yfkO:UKnyBlmHQadpI8sIZcyMO
MD5:	B32CB9615A9BADA55E8F20DCEA2FBF48
SHA1:	A9C6E2D44B07B31C898A6D83B7093BF90915062D
SHA-256:	CA4F433A68C3921526F31F46D8A45709B946BBD40F04A4CFC6C245CB9EE0EAB5
SHA-512:	5C583292DE2BA33A3FC1129DFB4E2429FF2A30EEAF9C0BCFF6CCA487921F0CA02C3002B24353832504C3EEC96A7B2C507F455B18717BCD11B239BBBBD79FADBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%_..a>..a>..a>..hF^.c>..Z`..c>..Z`..c>..Z`..k>..Z`..k>...`..c>..:V..c>...W..b>..a>..8>...`..`>...`..`>...`2.`>...`..`>..Richa>..................PE..d...y.:_.........." .....6...J.......4....................................................`..........................................e..P...`e..x....................~..............0[..T............................[...............P...............................text....5.......6.................. ..`.rdata..p ...P..."...:..............@..@.data...0............\..............@....pdata...............h..............@..@.gfids...............n..............@..@.rsrc................p..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176144
Entropy (8bit):	6.6945247495968045
Encrypted:	false
SSDEEP:	3072:KCvUDHEIzx6yBexOV3fNDjGTtDlQxueKd03DV8tv9XIGIPExZJV9mNoA2v1kqnfE:tvUtdBexOlNDk+xTKg8tlJKyXYOAC1Lc
MD5:	5FBB728A3B3ABBDD830033586183A206
SHA1:	066FDE2FA80485C4F22E0552A4D433584D672A54
SHA-256:	F9BC6036D9E4D57D08848418367743FB608434C04434AB07DA9DABE4725F9A9B
SHA-512:	31E7C9FE9D8680378F8E3EA4473461BA830DF2D80A3E24E5D02A106128D048430E5D5558C0B99EC51C3D1892C76E4BAA14D63D1EC1FC6B1728858AA2A255B2FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........).o.z.o.z.o.z..7z.o.z.1.{.o.z.1.{.o.z.1.{.o.z.1.{.o.zi1.{.o.z...{.o.z.o.z.o.zi1.{.o.zi1.{.o.zi1[z.o.zi1.{.o.zRich.o.z........................PE..d.....:_.........." ................H.....................................................`.........................................PW..L....W..x...............t...............@....3..T............................4...............................................text...#........................... ..`.rdata..............................@..@.data........p.......T..............@....pdata..t............n..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29712
Entropy (8bit):	5.960619050057232
Encrypted:	false
SSDEEP:	384:iPzxbi1duybZ93GDXIV0Y5FoTewHJ4nhB/5I8kBLheX1nYPLxDG4y8SNu7:imeIxo6wuH/5I8kthelWDG4ya7
MD5:	3CF091905D3CC49070B0C39848F0D48B
SHA1:	888716F84768545A3B21B36CA0BE2D52D22F9F8A
SHA-256:	7A0A1D04A326E21636A08F5F9772625F8B07BA1CE3FB2C78052BEC3CF795704A
SHA-512:	A9BDD51EBE1DE8CA36EF89B1A6BA9AA213A414C9F6C23819DF3A8F702ACDC6B53F0B096A813B3E93BC4E380791B404276CF2D89A0DE26AAC9A412BCFE49FF4F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................%............................}...............}.....}.....}.I....}.....Rich...................PE..d...t.:_.........." ....."...:....... ...................................................`..........................................O..`...`O..x....... ....p..`....Z..............`G..T............................G...............@...............................text.... .......".................. ..`.rdata..J....@.......&..............@..@.data...`....`.......@..............@....pdata..`....p.......F..............@..@.gfids...............J..............@..@.rsrc... ............L..............@..@.reloc...............X..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46096
Entropy (8bit):	5.925988445470974
Encrypted:	false
SSDEEP:	768:U4ljYOwns/tk8iin8alqEahsMJrrnoYIJVI8JtAWDG4yCO:TjtKPsMJrUVI8JtNyp
MD5:	F22850F077950F7566B4C6C15A184BF3
SHA1:	E200F6BA1378CAEED367C9A365B13232919F1DFA
SHA-256:	EFE043D0FC7C922968F44469FD70FDBB49569D8CA8AF82AAEA796F5B687F5660
SHA-512:	9799823371169D85D8A1DC95378C4ABD74A09C88A0A32F65F25B77D8E31A9321C9877E13B0A5F0E7E9C30976DA6ADAB0D084A8F07EC6070701146E9C29FBF00B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................z........................5.........................5......5......5......5......Rich............................PE..d...v.:_.........." .....<...`......8/....................................................`.........................................pn..X....n.......................................W..T...........................pW...............P..p............................text..._:.......<.................. ..`.rdata...+...P...,...@..............@..@.data...H............l..............@....pdata...............~..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28176
Entropy (8bit):	5.982244926544283
Encrypted:	false
SSDEEP:	384:lDZ54qTq9Qe//7vWXhTR/cEI6rgdI8qU8nYPLxDG4y8HmsuEyo:p4qwQ0WRtS6rgdI8qU8WDG4y6XuEyo
MD5:	C0A70188685E44E73576E3CD63FC1F68
SHA1:	36F88CA5C1DDA929B932D656368515E851AEB175
SHA-256:	E499824D58570C3130BA8EF1AC2D503E71F916C634B2708CC22E95C223F83D0A
SHA-512:	B9168BF1B98DA4A9DFD7B1B040E1214FD69E8DFC2019774890291703AB48075C791CC27AF5D735220BD25C47643F098820563DC537748471765AFF164B00A4AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kUe./4../4../4..&L..-4...j..-4...j..-4...j..%4...j..&4..j..,4..t\..-4../4...4..j...4..j...4..j...4..j...4..Rich/4..........................PE..d...t.:_.........." .........8......8.....................................................`..........................................:..L....;..d............`.......T..........l... 4..T............................4...............0...............................text...s........................... ..`.rdata.. ....0......."..............@..@.data........P.......6..............@....pdata.......`.......@..............@..@.gfids.......p.......D..............@..@.rsrc................F..............@..@.reloc..l............R..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	76816
Entropy (8bit):	6.0942584309558985
Encrypted:	false
SSDEEP:	1536:vG/A9Fu5OEPenRXk5d2jw/hEdFcvY+RgOmkcH7dI8VwYyo:e/Anu5OEPenRXRjw/h0FcvYcgOmkcbdV
MD5:	8EA18D0EEAE9044C278D2EA7A1DBAE36
SHA1:	DE210842DA8CB1CB14318789575D65117D14E728
SHA-256:	9822C258A9D25062E51EAFC45D62ED19722E0450A212668F6737EB3BFE3A41C2
SHA-512:	D275CE71D422CFAACEF1220DC1F35AFBA14B38A205623E3652766DB11621B2A1D80C5D0FB0A7DF19402EBE48603E76B8F8852F6CBFF95A181D33E797476029F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%A..K...K...K......K..J...K..H...K..N...K..O...K.G.J...K...J...K...J.A.K.G.C...K.G.K...K.G.....K.G.I...K.Rich..K.........PE..d...~.:_.........." .....x...........v.......................................`....... ....`.........................................0...P............@....... ...............P.........T...........................@................................................text...cw.......x.................. ..`.rdata..bA.......B...\|..............@..@.data....=.......8..................@....pdata....... ......................@..@.gfids.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120848
Entropy (8bit):	6.015568704435241
Encrypted:	false
SSDEEP:	3072:B9+/8UxGzqHYjeS0Woia4TMpi6EPQNvURI847uHV:b+UUxGiY8Wo1UVV
MD5:	5A393BB4F3AE499541356E57A766EB6A
SHA1:	908F68F4EA1A754FD31EDB662332CF0DF238CF9A
SHA-256:	B6593B3AF0E993FD5043A7EAB327409F4BF8CDCD8336ACA97DBE6325AEFDB047
SHA-512:	958584FD4EFAA5DD301CBCECBFC8927F9D2CAEC9E2826B2AF9257C5EEFB4B0B81DBBADBD3C1D867F56705C854284666F98D428DC2377CCC49F8E1F9BBBED158F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a...............x2......^.......^.......^.......^......k^......Zi.......h..............k^......k^......k^^.....k^......Rich....................PE..d.....:_.........." .....................................................................`..........................................;..d...T<..................................h....%..T............................&..................8............................text...s........................... ..`.rdata..r...........................@..@.data....N...p...J...P..............@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..h...........................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3399200
Entropy (8bit):	6.094152840203032
Encrypted:	false
SSDEEP:	98304:R3+YyRoAK2rXHsoz5O8M1CPwDv3uFh+r:t9yWAK2zsozZM1CPwDv3uFh+r
MD5:	CC4CBF715966CDCAD95A1E6C95592B3D
SHA1:	D5873FEA9C084BCC753D1C93B2D0716257BEA7C3
SHA-256:	594303E2CE6A4A02439054C84592791BF4AB0B7C12E9BBDB4B040E27251521F1
SHA-512:	3B5AF9FBBC915D172648C2B0B513B5D2151F940CCF54C23148CD303E6660395F180981B148202BEF76F5209ACC53B8953B1CB067546F90389A6AA300C1FBE477
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............K..K..K..;K..K...J..K...J..K...J..K...J..K...J..K..Kb.Kd..J..Kd..J..Kd..J..Kd.WK..Kd..J..KRich..K........................PE..d......^.........." .....R$..........r.......................................`4......~4...`.........................................`...hg...3.@.....3.\|.....1.......3. .....3..O...m,.8............................m,...............3..............................text...GQ$......R$................. ..`.rdata.......p$......V$.............@..@.data....z...P1..,...41.............@....pdata..P.....1......`1.............@..@.idata...#....3..$....3.............@..@.00cfg........3......@3.............@..@.rsrc...\|.....3......B3.............@..@.reloc..fx....3..z...J3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	689184
Entropy (8bit):	5.526574117413294
Encrypted:	false
SSDEEP:	12288:1SurcFFRd4l6NCNH98PikxqceDotbA/nJspatQM5eJpAJfeMw4o8s6U2lvz:1KWZH98PiRLsAtf8AmMHogU2lvz
MD5:	BC778F33480148EFA5D62B2EC85AAA7D
SHA1:	B1EC87CBD8BC4398C6EBB26549961C8AAB53D855
SHA-256:	9D4CF1C03629F92662FC8D7E3F1094A7FC93CB41634994464B853DF8036AF843
SHA-512:	80C1DD9D0179E6CC5F33EB62D05576A350AF78B5170BFDF2ECDA16F1D8C3C2D0E991A5534A113361AE62079FB165FFF2344EFD1B43031F1A7BFDA696552EE173
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......T...T...T...T...TS.U...TZ.U...TS.U...TS.U...TS.U...T..U...T...T.T..U-..T..U...T..uT...T..U...TRich...T........PE..d......^.........." .....(...H.......%..............................................H.....`..............................................N..85..........s........K...j.. .......L.......8............................................ ..8............................text....&.......(.................. ..`.rdata...%...@...&...,..............@..@.data...!M...p...D...R..............@....pdata..TT.......V..................@..@.idata...V... ...X..................@..@.00cfg...............D..............@..@.rsrc...s............F..............@..@.reloc..5............N..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	202768
Entropy (8bit):	6.312695764898477
Encrypted:	false
SSDEEP:	3072:nT3d9F9j+gUPNDoqAdeEaUwExv0yOWIkPQXLBLBtpug8FGty+auDomdI8VhHF:jHF1+gUP8deIwEXLIfLB6g8FGJauDom7
MD5:	6500AA010C8B50FFD1544F08AF03FA4F
SHA1:	A03F9F70D4ECC565F0FAE26EF690D63E3711A20A
SHA-256:	752CF6804AAC09480BF1E839A26285EC2668405010ED7FFD2021596E49B94DEC
SHA-512:	F5F0521039C816408A5DD8B7394F9DB5250E6DC14C0328898F1BED5DE1E8A26338A678896F20AAFA13C56B903B787F274D3DEC467808787D00C74350863175D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[c.4...g...g...g.z\g...g$\.f...g$\.f...g$\.f...g$\.f...g.\.f...gDj.f...g...gq..g.\.f...g.\.f...g.\0g...g.\.f...gRich...g........PE..d...}.:_.........." .....$...........".......................................P............`.........................................P...P............0...........#...........@..........T...........................P................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...............................@....pdata...#.......$..................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\python37.dll

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3750416
Entropy (8bit):	6.384383088490926
Encrypted:	false
SSDEEP:	49152:KjVpkcACTIK0IKhyn9iafAdH1ZRHLqUCbNSuvYVeP84mzIAA5H0LMznZPMXT7p31:3CTIdKI7UWu4cAgHCMzqNOyVB
MD5:	C4709F84E6CF6E082B80C80B87ABE551
SHA1:	C0C55B229722F7F2010D34E26857DF640182F796
SHA-256:	CA8E39F2B1D277B0A24A43B5B8EADA5BAF2DE97488F7EF2484014DF6E270B3F3
SHA-512:	E04A5832B9F2E1E53BA096E011367D46E6710389967FA7014A0E2D4A6CE6FC8D09D0CE20CEE7E7D67D5057D37854EDDAB48BEF7DF1767F2EC3A4AB91475B7CE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.y...y...y.......y...'...y......y...'...y...'...y...'...y.......y...y...x..,'..Fy..,'...y..,'...y..,'...y..Rich.y..........................PE..d...c.:_.........." .....8.... .....D.........................................<.......9...`.........................................p....... ?/.\|.....;.......9..w... 9.......;..q......T........................... ................P..0............................text....7.......8.................. ..`.rdata.......P.......<..............@..@.data....z...p/......P/.............@....pdata...w....9..x...(7.............@..@.gfids.......p;.......8.............@..@.rsrc.........;.......8.............@..@.reloc...q....;..r....8.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5145600
Entropy (8bit):	5.631205830474162
Encrypted:	false
SSDEEP:	98304:bhubD2gatF4+95Bgw6c7Rx1Q+ngco6GZdL:bhubDutF4+ud
MD5:	1A57E40A51FBFBDA36DBCB8F7F107F05
SHA1:	5EC003E5A626809B6F3E8A0FCB7A58B5052EC0EE
SHA-256:	824A954BA7D3527E06A20AF8B81AAC9F7546250BDFD8326C2B05D6F297A1A347
SHA-512:	7B779DDD54C733F1A77B70ED9DC14F195EBE63BD0F2DB02C47BE7FA2C1F71455632760C3D6A370CF0A1137EF21B043421886307631923BC9D00064D0641BC533
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............E...E...E...D...E...Di..E...D..E...E...E...D..E...D..E...D..EQ..D...E...D...E...E...E.5.D...E.5.D...ERich...E........................PE..d...D\nf.........."....%.4...LK.....d..........@..............................N...........`..................................................Z..<....p...lI..0...+............N......'...............................%..@............P..`............................text...p3.......4.................. ..`.rdata...+...P...,...8..............@..@.data...H........t...d..............@....pdata...+...0...,..................@..@_RDATA..\....`......................@..@.rsrc....lI..p...nI.................@..@.reloc........N......tN.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27152
Entropy (8bit):	6.048170705523046
Encrypted:	false
SSDEEP:	384:FekE2XR1G6sOhmQI2HTRcqJcE99qT3dI8qGvnYPLxDG4y8Z6K9:F9csXHN/d9qT3dI8qGvWDG4yM
MD5:	FB4A0D7ABAEAA76676846AD0F08FEFA5
SHA1:	755FD998215511506EDD2C5C52807B46CA9393B2
SHA-256:	65A3C8806D456E9DF2211051ED808A087A96C94D38E23D43121AC120B4D36429
SHA-512:	F5B3557F823EE4C662F2C9B7ECC5497934712E046AA8AE8E625F41756BEB5E524227355316F9145BFABB89B0F6F93A1F37FA94751A66C344C38CE449E879D35F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i...`.e.k...R...k...R...j...R...c...R...c......k...2...l...i...R......h......h......h......h...Richi...........................PE..d...v.:_.........." .........4.......................................................C....`.........................................0:..L...\|:..x............`.......P..........,....3..T...........................`3...............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......6..............@....pdata.......`.......<..............@..@.gfids.......p.......@..............@..@.rsrc................B..............@..@.reloc..,............N..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1073680
Entropy (8bit):	5.327852618149687
Encrypted:	false
SSDEEP:	12288:ge+YbeoEYa6l0SYxytHcQJJwEI+V/IFx7agsSJNzkRoEVnOPmrZ6bK:ge+BN6axoc1r+VUx7agnNctOo6K
MD5:	4D3D8E16E98558FF9DAC8FC7061E2759
SHA1:	C918AB67B580F955B6361F9900930DA38CEC7C91
SHA-256:	016D962782BEAE0EA8417A17E67956B27610F4565CFF71DD35A6E52AB187C095
SHA-512:	0DFABFAD969DA806BC9C6C664CDF31647D89951832FF7E4E5EEED81F1DE9263ED71BDDEFF76EBB8E47D6248AD4F832CB8AD456F11E401C3481674BD60283991A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........VQx..Qx..Qx..X.O.Wx..j&..Sx..j&..Sx..j&..Zx..j&..[x...&..Rx......Sx..Qx...x...&..Px...&..Px...&#.Px...&..Px..RichQx..........................PE..d...w.:_.........." .....@..........h5....................................................`..........................................b..X...Hc.......p.......P..X....H..............`u..T............................u...............P..8............................text...Q?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata..X....P......................@..@.gfids.......`.......8..............@..@.rsrc........p.......:..............@..@.reloc...............F..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\dstream.log.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87864
Entropy (8bit):	6.50974924823557
Encrypted:	false
SSDEEP:	1536:JiOTTyNdd/mqN5fomseOpLJ5UP4nVnWecbtGgcNZVKL:JD4Vzgh5UXecbt2ju
MD5:	89A24C66E7A522F1E0016B1D0B4316DC
SHA1:	5340DD64CFE26E3D5F68F7ED344C4FD96FBD0D42
SHA-256:	3096CAFB6A21B6D28CF4FE2DD85814F599412C0FE1EF090DD08D1C03AFFE9AB6
SHA-512:	E88E0459744A950829CD508A93E2EF0061293AB32FACD9D8951686CBE271B34460EFD159FD8EC4AA96FF8A629741006458B166E5CFF21F35D049AD059BC56A1A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).uym~.m~.m~....o~.d..f~.m~.F~.V .+n~.V .+g~.V .+f~.V .+s~.V .+l~.V .l~.V .+l~.Richm~.........PE..d....Z.........." .........T......@........................................p......m.....`A........................................0...4...d........P.......0..........8?...`..p...p...8............................................................................text...'........................... ..`.rdata..f5.......6..................@..@.data........ ......................@....pdata.......0......................@..@_RDATA.......@......................@..@.rsrc........P......................@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46592211975674
Encrypted:	false
SSDEEP:	6144:xzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:pZHtBZWOKnMM6bFpZj4
MD5:	B2BD69D7009289BBB76096EBC1D6954A
SHA1:	7A99D32D0C3DE60E4DEB9FD17A91F82A1B6C87A8
SHA-256:	7416CDED6A06E80AF77AE6A608DE4C1CFDAB79E40E08B0E54BB8967EFB33B553
SHA-512:	8EFC68FF6F2C1FDF1A323D2F3EFB89E67C7B1746331591AA9CA7076497F96158CCCC9CAE7B0805D9EF9F381F85090976ECE9B0A1E98F6B6C32E3C509F948E6B8
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj.8.................................................................................................................................................................................................................................................................................................................................................Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9879497170846
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dstream.log.exe
File size:	5'161'736 bytes
MD5:	fb1d8d0ba73b7d30b38057853705b160
SHA1:	5b36e28d52a1ac061a0653d23baf5277cb543568
SHA256:	ca7a8be040371db76cadba7e926c9d98ab61a8b8e7e6d39f6e015fca6cb5bab4
SHA512:	4b1937788cd7d7d328a529f693f1eb9247eeab122729343e9a076f552d8a7ef0d0fa5f1fdf78747f4b2c071b61b5ab644bf2733076fe2c62031a7f47f4622ed2
SSDEEP:	98304:25LWJ3+vTtkBZQnyFNT3FPfJ6DFkhyzQjh5/5IAOP/Q:25LWVCnoZ38DzQ15/5IVXQ
TLSH:	3F363398B05849EFD1A6B07798722F21E5B8FD8203209AFF1394D165BF135928F367B1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x...x...x...3...~...3.......3...r...m.x.y...m...P...m...h...m...q...3.......x.......NY..y...NY..y...Richx..................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14000b9d4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x666E5C47 [Sun Jun 16 03:30:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ac0e09d0c87fe7a2b9c519b9d03a9c4c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F37E08082F0h
dec eax
add esp, 28h
jmp 00007F37E0807F0Fh
int3
int3
dec eax
sub esp, 28h
call 00007F37E0808870h
test eax, eax
je 00007F37E08080B3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F37E0808097h
dec eax
cmp ecx, eax
je 00007F37E08080A6h
xor eax, eax
dec eax
cmpxchg dword ptr [00023624h], ecx
jne 00007F37E0808080h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F37E0808089h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [0002360Fh]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [000235FFh], al
call 00007F37E080866Fh
call 00007F37E0808A22h
test al, al
jne 00007F37E0808096h
xor al, al
jmp 00007F37E08080A6h
call 00007F37E081096Dh
test al, al
jne 00007F37E080809Bh
xor ecx, ecx
call 00007F37E0808A32h
jmp 00007F37E080807Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000235C4h], 00000000h
mov ebx, ecx
jne 00007F37E08080F9h
cmp ecx, 01h
jnbe 00007F37E08080FCh
call 00007F37E08087D6h
test eax, eax
je 00007F37E08080BAh
test ebx, ebx
jne 00007F37E08080B6h
dec eax
lea ecx, dword ptr [000235AEh]
call 00007F37E080818Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c6d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x658	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3f000	0x17ac	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x43000	0x688	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2a6e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2a5a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x2e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f3c0	0x1f400	c7d29c2b9e87232d702678fef015b4e0	False	0.5670234375	data	6.515564388042751	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x21000	0xc0a2	0xc200	1259dc72b2fcd8cac4883850ac241c67	False	0.45636678479381443	data	4.9579720079993015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0x10e20	0xc00	7efb5e45c6396e8e72c035a72454c779	False	0.13834635416666666	data	1.9365092737279315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3f000	0x17ac	0x1800	eabc79cf61614335abee2595bf6febe1	False	0.4845377604166667	PEX Binary Archive	5.238277906459359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x41000	0x15c	0x200	0e298e939cd8ebce21635f36fc348f7f	False	0.38671875	data	2.7705155368720655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x42000	0x658	0x800	b53d0343aa24f65d3e1dcfe211dd0f55	False	0.3662109375	data	5.043383609702607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x43000	0x688	0x800	258f86e1560af5f605f5562e4e0b7884	False	0.51123046875	data	4.9284885046123845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x420a0	0x278	data			0.44936708860759494
RT_MANIFEST	0x42318	0x33d	ASCII text, with very long lines (829), with no line terminators			0.4873341375150784

Imports

DLL	Import
SHELL32.dll	SHFileOperationW, SHGetFolderPathW
imagehlp.dll	UnMapAndLoad, MapAndLoad
KERNEL32.dll	TlsFree, WriteConsoleW, HeapReAlloc, HeapSize, SetFilePointerEx, CreateDirectoryW, ReadFile, SetConsoleCtrlHandler, GetCommandLineW, WriteFile, GetShortPathNameW, GetModuleFileNameW, GetProcessId, SetFilePointer, GetTempPathW, WaitForSingleObject, CreateFileW, GetLastError, CloseHandle, SetEnvironmentVariableA, GetCurrentProcessId, CreateProcessW, GetSystemTimeAsFileTime, FormatMessageA, GenerateConsoleCtrlEvent, GetExitCodeProcess, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, GetFileSizeEx, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetStdHandle, HeapAlloc, MultiByteToWideChar, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetFileType, WideCharToMultiByte, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 06:48:32.212599039 CEST	1.1.1.1	192.168.2.6	0x16f5	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.18	A (IP address)	IN (0x0001)	false
Jul 5, 2024 06:48:32.212599039 CEST	1.1.1.1	192.168.2.6	0x16f5	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.34	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:48:11
Start date:	05/07/2024
Path:	C:\Users\user\Desktop\dstream.log.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dstream.log.exe"
Imagebase:	0x7ff7bc6c0000
File size:	5'161'736 bytes
MD5 hash:	FB1D8D0BA73B7D30B38057853705B160
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:48:12
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dstream.log.exe"
Imagebase:	0x7ff6ee5c0000
File size:	5'145'600 bytes
MD5 hash:	1A57E40A51FBFBDA36DBCB8F7F107F05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:48:13
Start date:	05/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "type msupdate.exe > image3.jpg:msupdate.exe"
Imagebase:	0x7ff634030000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:48:13
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:48:16
Start date:	05/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "del msupdate.exe"
Imagebase:	0x7ff634030000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:48:16
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:48:19
Start date:	05/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell .\image3.jpg:msupdate.exe"
Imagebase:	0x7ff634030000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:48:19
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:48:19
Start date:	05/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell .\image3.jpg:msupdate.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF7BC6CAC90 Relevance: 79.3, APIs: 30, Strings: 15, Instructions: 531filewindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF7BC6CACCA
GetLastError.KERNEL32 ref: 00007FF7BC6CACD4
FormatMessageA.KERNEL32 ref: 00007FF7BC6CAD01
SetConsoleCtrlHandler.KERNEL32 ref: 00007FF7BC6CAD40
GetLastError.KERNEL32 ref: 00007FF7BC6CAD4A
FormatMessageA.KERNEL32 ref: 00007FF7BC6CAD77
CreateDirectoryW.KERNELBASE ref: 00007FF7BC6CAD9A
CreateFileW.KERNELBASE ref: 00007FF7BC6CADCF
GetShortPathNameW.KERNELBASE ref: 00007FF7BC6CAE1E
GetShortPathNameW.KERNELBASE ref: 00007FF7BC6CAE4A
SetFilePointer.KERNELBASE ref: 00007FF7BC6CAED3
SetFilePointer.KERNELBASE ref: 00007FF7BC6CAF04
ReadFile.KERNELBASE ref: 00007FF7BC6CAF2F
SetFilePointer.KERNELBASE ref: 00007FF7BC6CAF61
ReadFile.KERNELBASE ref: 00007FF7BC6CAF8C

Part of subcall function 00007FF7BC6CA8E0: GetLastError.KERNEL32 ref: 00007FF7BC6CA8E9
Part of subcall function 00007FF7BC6CA8E0: FormatMessageA.KERNEL32 ref: 00007FF7BC6CA914

Part of subcall function 00007FF7BC6CF6DC: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7BC6CF99E,?,?,00000000,00007FF7BC6D4ADE), ref: 00007FF7BC6CF702

Strings

C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783\vcruntime140.dll, xrefs: 00007FF7BC6CB00F
, xrefs: 00007FF7BC6CB486
K, xrefs: 00007FF7BC6CAFA5
NUITKA_ONEFILE_PARENT, xrefs: 00007FF7BC6CB423
Error, failed to open '%ls' for writing., xrefs: 00007FF7BC6CB598
Error, failed to access unpacked executable., xrefs: 00007FF7BC6CADE2
C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783\rundatastream.exe, xrefs: 00007FF7BC6CB01C, 00007FF7BC6CB355
Error, failed to locate onefile filename., xrefs: 00007FF7BC6CAD07
Error, failed to register signal handler., xrefs: 00007FF7BC6CAD7D
\dont-search-path, xrefs: 00007FF7BC6CB389
Error, couldn't runtime expand temporary directory pattern:, xrefs: 00007FF7BC6CB555
Y, xrefs: 00007FF7BC6CAFBB
%TEMP%\onefile_%PID%_%TIME%, xrefs: 00007FF7BC6CB561
C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783, xrefs: 00007FF7BC6CAD90, 00007FF7BC6CB36E
A, xrefs: 00007FF7BC6CAFB0

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: File$ErrorFormatLastMessageNamePointer$CreatePathReadShort$ConsoleCtrlDirectoryFeatureHandlerModulePresentProcessor
String ID: $%TEMP%\onefile_%PID%_%TIME%$A$C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783$C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783\rundatastream.exe$C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783\vcruntime140.dll$Error, couldn't runtime expand temporary directory pattern:$Error, failed to access unpacked executable.$Error, failed to locate onefile filename.$Error, failed to open '%ls' for writing.$Error, failed to register signal handler.$K$NUITKA_ONEFILE_PARENT$Y$\dont-search-path
API String ID: 3937968633-3750203934
Opcode ID: 052ab336f62f6aacd9355f45df89163515396c9a00b8d4c695212a01258f1c53
Instruction ID: d87069eaa8d31ca49b44fb6d25f007f5e18f11d325ed42c9237a2300b3f9d154
Opcode Fuzzy Hash: 052ab336f62f6aacd9355f45df89163515396c9a00b8d4c695212a01258f1c53
Instruction Fuzzy Hash: BD328421A1864281E712BB18E410ABAF3A6FFA6788FC0C535D74D436ADDF7DD485C720

Function 00007FF7BC6CAB70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 49synchronizationwindowCOMMON

Download Yara Rule

APIs

GetProcessId.KERNEL32 ref: 00007FF7BC6CAB87
GenerateConsoleCtrlEvent.KERNEL32 ref: 00007FF7BC6CAB91
GetLastError.KERNEL32 ref: 00007FF7BC6CAB9B
FormatMessageA.KERNEL32 ref: 00007FF7BC6CABC7
WaitForSingleObject.KERNEL32 ref: 00007FF7BC6CABF2
CloseHandle.KERNEL32 ref: 00007FF7BC6CABFF
SHFileOperationW.SHELL32 ref: 00007FF7BC6CAC4F

Strings

C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783, xrefs: 00007FF7BC6CAC0D
Failed to send CTRL-C to child process., xrefs: 00007FF7BC6CABCD

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CloseConsoleCtrlErrorEventFileFormatGenerateHandleLastMessageObjectOperationProcessSingleWait
String ID: C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783$Failed to send CTRL-C to child process.
API String ID: 4185614815-789361439
Opcode ID: f561157c7c38a756df84a534cdef40b17fd149feedbf9c903231cf1b92af38a4
Instruction ID: 72cd0af4f31f1d1b2f44d364fcd1e58277ccb5d37a6e1dda935c82927c69c669
Opcode Fuzzy Hash: f561157c7c38a756df84a534cdef40b17fd149feedbf9c903231cf1b92af38a4
Instruction Fuzzy Hash: E9213631A0CB8286E711EB58F85076AB3A6FF95788F808136D74D8266DDF3DD444D720

Function 00007FF7BC6CB860 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7BC6CB86F

Part of subcall function 00007FF7BC6CBA24: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7BC6CBA46

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7BC6CB884
__scrt_release_startup_lock.LIBCMT ref: 00007FF7BC6CB8F2
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7BC6CB945

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: dce74b2f6d7858518ca18e5687f89e643830ad491a290fb219cca55f8439f985
Instruction ID: da5e29e41d817851746b80c9443d4721bcbebb329c4a04a6b39f7d2efe48c251
Opcode Fuzzy Hash: dce74b2f6d7858518ca18e5687f89e643830ad491a290fb219cca55f8439f985
Instruction Fuzzy Hash: 3F314820E0D20345EA16BB6D9451BBA93A39FB778CFC0C035D74D4B6DFCE2DA8848261

Function 00007FF7BC6CF594 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7BC6CF590), ref: 00007FF7BC6CF5A5
TerminateProcess.KERNEL32(?,?,?,00007FF7BC6CF590), ref: 00007FF7BC6CF5B0
ExitProcess.KERNEL32 ref: 00007FF7BC6CF5BF

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4055f651c0c246543d5ac86e3fd3dbac438b4a14224d2e6117c2b18e0789028f
Instruction ID: 468a505ee7cf0fc6e281c5effab4968ac2bf065af0c9565f5bfedcc89b7171e5
Opcode Fuzzy Hash: 4055f651c0c246543d5ac86e3fd3dbac438b4a14224d2e6117c2b18e0789028f
Instruction Fuzzy Hash: 85D01710B0820342EA0ABF3898458B993131F7A74AB80943DCB0B8638BDD2EA4089261

Function 00007FF7BC6D5A84 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,00000000,00007FF7BC6D9996,?,?,?,00007FF7BC6D99D3,?,?,00000000,00007FF7BC6D9ECD,?,?,?,00007FF7BC6D9DFF), ref: 00007FF7BC6D5A9A
GetLastError.KERNEL32(?,?,00000000,00007FF7BC6D9996,?,?,?,00007FF7BC6D99D3,?,?,00000000,00007FF7BC6D9ECD,?,?,?,00007FF7BC6D9DFF), ref: 00007FF7BC6D5AA4

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: ce0948fecc9d7e54df5e8f4da5652d1466c4ce4fa1bfae00bf0852d8f715b78b
Instruction ID: 12718a9c17885ec1c1f8814f78a4e932c9e2cfe12d22cef7bdf6ba36f493d24e
Opcode Fuzzy Hash: ce0948fecc9d7e54df5e8f4da5652d1466c4ce4fa1bfae00bf0852d8f715b78b
Instruction Fuzzy Hash: 8BE08690F0964743FF16BBB95884878A3535FA6748FCCC035CB0D8665EDD2C68A543B0

Function 00007FF7BC6CF4C5 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7BC6CF4F3

Part of subcall function 00007FF7BC6CF5EC: GetModuleHandleExW.KERNEL32 ref: 00007FF7BC6CF611
Part of subcall function 00007FF7BC6CF5EC: GetProcAddress.KERNEL32 ref: 00007FF7BC6CF627
Part of subcall function 00007FF7BC6CF5EC: FreeLibrary.KERNEL32 ref: 00007FF7BC6CF64E

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: cbfdff3f66ec1cb61838929dfd3c134f9ff58d4689a51f64f2205533c134c9c9
Instruction ID: 5e2bcc10c6f7bf48a2461427af279826707d362c731194e8565b63e68381429d
Opcode Fuzzy Hash: cbfdff3f66ec1cb61838929dfd3c134f9ff58d4689a51f64f2205533c134c9c9
Instruction Fuzzy Hash: B121A072E04B0199EB16EF6CD0406AD33A1EB2531CF849636D71D87AC9DF38D486C751

Function 00007FF7BC6D95B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6D95E3

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5e09b996b4f39bdc144a7422a4387001fd20d6f67051bfa4429e62758db17776
Instruction ID: f95b7e114bc5674c461abf5ce0c550ad7a72845eebe9ee82d0a0f03ec5af5096
Opcode Fuzzy Hash: 5e09b996b4f39bdc144a7422a4387001fd20d6f67051bfa4429e62758db17776
Instruction Fuzzy Hash: F111663190D68282F312BF18A440979F396FB62748F958435E76D4779ECE3CE8208B60

Function 00007FF7BC6D4F38 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7BC6D590E,?,?,?,00007FF7BC6D487F,?,?,00000000,00007FF7BC6D4B1A), ref: 00007FF7BC6D4F8D

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f02394e12f0b0f412ad0511da1f9294b77fa5c43d3fa51ba5ee621305ff8bc5b
Instruction ID: b72ec776f62b87077444761ba63d48036e834d2539bc3d7766e64166cb7b2c22
Opcode Fuzzy Hash: f02394e12f0b0f412ad0511da1f9294b77fa5c43d3fa51ba5ee621305ff8bc5b
Instruction Fuzzy Hash: C4F0AF01F0930342FE177BA95450AB8A3925FE6B88F8CC430CA0E862AEDD1CE9618231

Function 00007FF7BC6D6974 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF7BC6D68DD,?,?,?,00007FF7BC6D0C58), ref: 00007FF7BC6D69B2

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4c0717f1cdc8f8df66da853b8d48a1a3a7913ef375afbb5a9b1904c084483452
Instruction ID: 0aebec3a74cfbd2af7e8cecf9642289441be756bea4e0928e44339716bdd102c
Opcode Fuzzy Hash: 4c0717f1cdc8f8df66da853b8d48a1a3a7913ef375afbb5a9b1904c084483452
Instruction Fuzzy Hash: 82F05E00B0C20341FE267AAD5850A7493925FB67A8F88CA34DA2E8A2CEDE1CE5618130

Non-executed Functions

Function 00007FF7BC6CA440 Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 196COMMON

Download Yara Rule

Strings

COMPANY, xrefs: 00007FF7BC6CA6C3
TEMP, xrefs: 00007FF7BC6CA4C9
CACHE_DIR, xrefs: 00007FF7BC6CA661
PID, xrefs: 00007FF7BC6CA55E
HOME, xrefs: 00007FF7BC6CA644
updatelogic, xrefs: 00007FF7BC6CA6FD, 00007FF7BC6CA76D
PRODUCT, xrefs: 00007FF7BC6CA739
5.3.0.0-5...3...0...0, xrefs: 00007FF7BC6CA7DD
TIME, xrefs: 00007FF7BC6CA816
%TEMP%\onefile_%PID%_%TIME%, xrefs: 00007FF7BC6CA476
PROGRAM, xrefs: 00007FF7BC6CA4F1
%lld, xrefs: 00007FF7BC6CA847
C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783, xrefs: 00007FF7BC6CA485
VERSION, xrefs: 00007FF7BC6CA7A9

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: %TEMP%\onefile_%PID%_%TIME%$%lld$5.3.0.0-5...3...0...0$C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783$CACHE_DIR$COMPANY$HOME$PID$PRODUCT$PROGRAM$TEMP$TIME$VERSION$updatelogic
API String ID: 0-3191177013
Opcode ID: 713767e04934b2dfda0d1b5df6f1d0a54cf91e4dcb0e3adfa77639c17ba4703b
Instruction ID: 9547479631d30b866e47ccc1eeeaffdc41ce5000d5f48aa3958bc8e1ed16acd8
Opcode Fuzzy Hash: 713767e04934b2dfda0d1b5df6f1d0a54cf91e4dcb0e3adfa77639c17ba4703b
Instruction Fuzzy Hash: 3E818765B1964381EA22AF19D410AFAB3A6FF66788FC0D032C74D8215EEF3DD456C360

Function 00007FF7BC6DC00C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7BC6DC05A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6DC6C6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6DC83C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6DCAFA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6DCD1A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6DCF57
memcpy_s.LIBCPMT ref: 00007FF7BC6DD032
memcpy_s.LIBCPMT ref: 00007FF7BC6DD0DD
memcpy_s.LIBCPMT ref: 00007FF7BC6DD1AC

Strings

1#QNAN, xrefs: 00007FF7BC6DC173
1#INF, xrefs: 00007FF7BC6DC183
1#IND, xrefs: 00007FF7BC6DC147
1#SNAN, xrefs: 00007FF7BC6DC16A

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 87b9213b6598af07eb8d1530f76efede2e8bc17bd471710aeacf5c3e3bb1998e
Instruction ID: b501002299deb4c90704de16abdae25996b89239927fcedbf55f76a8073b6c19
Opcode Fuzzy Hash: 87b9213b6598af07eb8d1530f76efede2e8bc17bd471710aeacf5c3e3bb1998e
Instruction Fuzzy Hash: E6B20A72A182864BE7269F6CD440FFDB7A2FB6534CF809135D74957A8CEB38A910CB50

Function 00007FF7BC6CBD58 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7BC6CBD74
RtlCaptureContext.KERNEL32 ref: 00007FF7BC6CBDA1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7BC6CBDBB
RtlVirtualUnwind.KERNEL32 ref: 00007FF7BC6CBDFC
IsDebuggerPresent.KERNEL32 ref: 00007FF7BC6CBE50
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7BC6CBE71
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7BC6CBE7C

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: ecc87c728d9134544b44de582408ed54e050f4d2a6405b8fa837f0fbd0d40c3a
Instruction ID: 38784903fce30cb8b3927b495cae9ffd3804b9ed8e0a5c42849fc8509d56a18a
Opcode Fuzzy Hash: ecc87c728d9134544b44de582408ed54e050f4d2a6405b8fa837f0fbd0d40c3a
Instruction Fuzzy Hash: F531B672608B8185EB619F64E8407EE7361FB95748F84803ADB4E43B99EF3CD248D710

Function 00007FF7BC6D48F0 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7BC6D4969
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7BC6D4981
RtlVirtualUnwind.KERNEL32 ref: 00007FF7BC6D49BC
IsDebuggerPresent.KERNEL32 ref: 00007FF7BC6D49F5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7BC6D49FF
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7BC6D4A0A

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 10b7bcf8786016dded377023b6a3d83c6c99cbcb26a7ee9cb633963b1d815aa9
Instruction ID: 410f0a1a1cdad005cc53fe08f9663c3fa86c8240acb8621e97c06704ae40a303
Opcode Fuzzy Hash: 10b7bcf8786016dded377023b6a3d83c6c99cbcb26a7ee9cb633963b1d815aa9
Instruction Fuzzy Hash: 8F31E632608B8286DB21DF29E8406AE73A1FB95758F844136EB8D43B5DDF3CC155CB10

Function 00007FF7BC6D8370 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6D83BC
FindFirstFileExW.KERNEL32 ref: 00007FF7BC6D84C6

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 18e4e6ac8f53bf10a4fa7cd60f3a5f7228ba7ba0aed65be2a3402df0291c35ed
Instruction ID: 383db3fef3a249a00e1565aa107e6a51d1e145478becac369fec34ba5d202c18
Opcode Fuzzy Hash: 18e4e6ac8f53bf10a4fa7cd60f3a5f7228ba7ba0aed65be2a3402df0291c35ed
Instruction Fuzzy Hash: 84B1EB51B1869241EA62AB2D95049BDE352EF6ABECF848131EB4D07B8DDF3CE4518370

Function 00007FF7BC6DBB70 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7BC6DBBD6
memcpy_s.LIBCPMT ref: 00007FF7BC6DBC01

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: c87bac45fa1c4fecd6c8404f31b33b7153bd6565fc3d1442458bcd1d24cba5fb
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 1EC1C772B1868687D725DF1AA044A6AF792F7E9B88F84C135DB4A4374CDB3DE811CB40

Function 00007FF7BC6C4250 Relevance: 4.8, Strings: 3, Instructions: 1029COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7BC6C5021
@, xrefs: 00007FF7BC6C503B
@, xrefs: 00007FF7BC6C5054

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: @$@$@
API String ID: 0-1177533131
Opcode ID: ba8dcc85a86abb1c01ea7c4882e7cf2040815fbccdf80a1480fbb7c4bc94de07
Instruction ID: 86d743d65e34267f23ff69ac365d3f29232bbf135e47a108ff4950dad54b0a22
Opcode Fuzzy Hash: ba8dcc85a86abb1c01ea7c4882e7cf2040815fbccdf80a1480fbb7c4bc94de07
Instruction Fuzzy Hash: 43922633B246D147DB04DF29D45027EBBB1F79A798B084126EB9DC7BD8EA28C515CB20

Function 00007FF7BC6C7E70 Relevance: 3.3, Strings: 2, Instructions: 764COMMON

Download Yara Rule

Strings

#, xrefs: 00007FF7BC6C7F8D
4, xrefs: 00007FF7BC6C865F

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: d104f9678b08ada7fb75871e2dd3a44a10f4034ede789ef5fc11531a99e7d879
Instruction ID: 128b7d0db05b58971a88c8b44d7bc49db6198134b6f538e558aa7383d374e84e
Opcode Fuzzy Hash: d104f9678b08ada7fb75871e2dd3a44a10f4034ede789ef5fc11531a99e7d879
Instruction Fuzzy Hash: 1E622533A1869186D725DF29D004ABEB7A2F76A798F85C136DB8D03798DB3DD444CB20

Function 00007FF7BC6DF668 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7BC6DF8B7
RaiseException.KERNEL32 ref: 00007FF7BC6DF8C8

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 788bc86a1f05762f55aed558cc7faf0347ad1811ed0d1f513233d1fc943d0910
Instruction ID: b27dd2b5581db13de27d65cecd1587e872c5a524233d096b6f36a2ec50135921
Opcode Fuzzy Hash: 788bc86a1f05762f55aed558cc7faf0347ad1811ed0d1f513233d1fc943d0910
Instruction Fuzzy Hash: 2DB17A73A00B898AEB16CF2DC8427687BA1F745B4CF14C922DB6D877A8CB39D461C711

Function 00007FF7BC6C63F0 Relevance: 3.1, Strings: 2, Instructions: 633COMMON

Download Yara Rule

Strings

#, xrefs: 00007FF7BC6C69BB
4, xrefs: 00007FF7BC6C66EB

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: 278c4525af4e4de455cde0262d67465256cd019789eb2c8529dfc63910e1c571
Instruction ID: 0de82f46daa0a3bd2b9252e3bf6cc9cb25610903a3d0cdf8855d8f6ef03fc16d
Opcode Fuzzy Hash: 278c4525af4e4de455cde0262d67465256cd019789eb2c8529dfc63910e1c571
Instruction Fuzzy Hash: E7424933B1869182DB119F19E0049AEFBA2FB65788F948135EF9E43B98DB3DE445C700

Function 00007FF7BC6D7190 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF7BC6D729D
gfff, xrefs: 00007FF7BC6D731A

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: e6c92b63ab8348172b4f1d15cfa2912c8af0ee62ec8be1f2865f45132d15813e
Instruction ID: e2124a76fa9ad1936b62a2cce07ee4444fb241493a0b38891a390b93efe21708
Opcode Fuzzy Hash: e6c92b63ab8348172b4f1d15cfa2912c8af0ee62ec8be1f2865f45132d15813e
Instruction Fuzzy Hash: C2517D22B1C2C146E72A9F399801B69E792F766B58F88C231DB6847ACDCF3DD4548711

Function 00007FF7BC6C2D70 Relevance: 2.0, Strings: 1, Instructions: 744COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7BC6C3777

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 17a32754b3be5ecddc6ca883ffe9f6f2205faa1975401ee855b00d3c5a03e51d
Instruction ID: 9501f240981ac28c94f3f799929d72c1faa190a8906987a1f232e8b773b1d5ad
Opcode Fuzzy Hash: 17a32754b3be5ecddc6ca883ffe9f6f2205faa1975401ee855b00d3c5a03e51d
Instruction Fuzzy Hash: CE522A33B187E44BD7458B29E450ABE7BB6E765394B04813AEE9D93BC9DE2CD044CB10

Function 00007FF7BC6D6CFC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7BC6D703E

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 600295280efd9409e43e2c28a74049d09f6741da58054a69084e457645398cc1
Instruction ID: 76dc49c9017a99f84465f0ccc071c74c316e8426ab2ede6a216ef384d0b515a3
Opcode Fuzzy Hash: 600295280efd9409e43e2c28a74049d09f6741da58054a69084e457645398cc1
Instruction Fuzzy Hash: 21A16862A187C646EB22DB29A000BA9B792AB727C8F44C131DF4D4779DDE3DD511C711

Function 00007FF7BC6D0E28 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7BC6D1032

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7b72d27635fc442e1ebff75513c9f2638703599bd79b72d565658fcebe974105
Instruction ID: 4daaf1872e6475237b73367aaf0adb7e3f2cfb84d3a0b5e2b9e18c4c329c719a
Opcode Fuzzy Hash: 7b72d27635fc442e1ebff75513c9f2638703599bd79b72d565658fcebe974105
Instruction Fuzzy Hash: 4BB1D27290868585E766AF2DC050A3CBBA2E766B5CFA88135DF4D4338DCF79D460C721

Function 00007FF7BC6D11C0 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7BC6D13A2

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ef49cb94395e06cbb21b3baba8ca1d8c7f68af0937311a89fd99be838a8fed40
Instruction ID: e9a9939ca51fa2d03d55bb7aaeaaac366f91c02107138201f51f241a23f77eb0
Opcode Fuzzy Hash: ef49cb94395e06cbb21b3baba8ca1d8c7f68af0937311a89fd99be838a8fed40
Instruction Fuzzy Hash: B0B1BE72A0878585E7669F2DC05063C7BA2EB56B5CFA88135CB4E4339DCFB9D461C720

Function 00007FF7BC6DA11C Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7BC6DA120

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9c72b5a89da4e52dbf914038315902266e436a9e788fb0955957fe8c3ebdc79d
Instruction ID: 0dd9a8c4acb5ba33f515819fb6aaa160658e7034f4f16c2e436e20dfd6db8e2b
Opcode Fuzzy Hash: 9c72b5a89da4e52dbf914038315902266e436a9e788fb0955957fe8c3ebdc79d
Instruction Fuzzy Hash: 47B09B10E17603C7E64537155C8151463A56F55704FD54035C10C80324DD2D11F59711

Function 00007FF7BC6C9430 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350510907982cde61b13ae1233c41c743ab28a77f136f96fae7077054a619dc1
Instruction ID: 7e00cd1186aaf58b4b78043cc3d165d779e9bb15a5ca073c2fcce58568220309
Opcode Fuzzy Hash: 350510907982cde61b13ae1233c41c743ab28a77f136f96fae7077054a619dc1
Instruction Fuzzy Hash: F882F333B04B858AEB11DF29D4405ADB7B1F76A78CB548222EB5D43B99EF38E191C310

Function 00007FF7BC6C15A0 Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ad6508ab47d8ef33e35aa79bd4716b28f8f82bacfa5e90686771094938a787
Instruction ID: 1cc9c6d33cbca4cf974a1535bcb8d3539ba12079e93639b9443e1efd429e2f8e
Opcode Fuzzy Hash: 95ad6508ab47d8ef33e35aa79bd4716b28f8f82bacfa5e90686771094938a787
Instruction Fuzzy Hash: 6F32353272859643DB16DA2DD804ABAB793E7A6794F84C132DB4E47B88DE3CD906C710

Function 00007FF7BC6C8D80 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca7bdffcef837c8e57137e3534567cde4225a05dea147659d17b9120dae63f1
Instruction ID: f5afb4223abfb8985dba0820534d8bb8e7cd914bf258a7ca43727153f5b410b8
Opcode Fuzzy Hash: 4ca7bdffcef837c8e57137e3534567cde4225a05dea147659d17b9120dae63f1
Instruction Fuzzy Hash: 8112E332B04B9586EB11DF69D4405AD77B1FB5A79CB448226EF6D43B98EF38E181C310

Function 00007FF7BC6D1850 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cee7c84b11f69186bbbf18f56321aabaa6c1170a366f8276b9d23cf500201f9
Instruction ID: b61b141bf6ce178440d63998cd2a51e3bcdd81cf91340af8bb329426b3a75a29
Opcode Fuzzy Hash: 2cee7c84b11f69186bbbf18f56321aabaa6c1170a366f8276b9d23cf500201f9
Instruction Fuzzy Hash: 89E1C832A0864245E766AA2CC154B7CA793EB6776CF94C235CB4D062DDDFACD861C360

Function 00007FF7BC6D1C88 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d9d41570245a27f984b05403bb5f629f7b368093541d6f23e95c0a6537895b
Instruction ID: 6c90cbe52910a7eb805904b07b9449434bcbcb0667c433f90aa62732dcab1a32
Opcode Fuzzy Hash: f0d9d41570245a27f984b05403bb5f629f7b368093541d6f23e95c0a6537895b
Instruction Fuzzy Hash: 25D1ED22A0864685EB7AAE2DC000A7DA7A2EF6675CF948135CF0D076DDCF7DD861C760

Function 00007FF7BC6C7A30 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b6a183fb11f1282db785b6933484257d85cc300f661719a3b157d215283c24
Instruction ID: 595b1fafa78fafc10fd03eaba59c90cf836fec665a802c0ecb1386ea21394ca7
Opcode Fuzzy Hash: f2b6a183fb11f1282db785b6933484257d85cc300f661719a3b157d215283c24
Instruction Fuzzy Hash: 53B11D72E1C68786E62DAA2995049BAE795FB22758F848231DF6D037C8CF3CF551D320

Function 00007FF7BC6C3F00 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05f8c27b852701baa8cd5df555216814e0e57102f2b6b68aaebeeba4e56982f
Instruction ID: ff813d20b42c5ebeea9d5f6123d77230f424fa55e830a9ea21a4b7b23e20fd03
Opcode Fuzzy Hash: a05f8c27b852701baa8cd5df555216814e0e57102f2b6b68aaebeeba4e56982f
Instruction Fuzzy Hash: 72913923B281E042CF25DB29E414F7AAB92E76A7C4F498132DB9D87FC4D92DC905D720

Function 00007FF7BC6C2250 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff27fe6feacafa742b75648adf972571a9b279ac0f4b8fbe1e7f86c1305f1079
Instruction ID: 90023e0f381a423265aebc7d8b05facc01ca4c33d36b80624be48a98e7df2feb
Opcode Fuzzy Hash: ff27fe6feacafa742b75648adf972571a9b279ac0f4b8fbe1e7f86c1305f1079
Instruction Fuzzy Hash: 278114A3B2851142DB26AB1DE400F7EA752BB5675AF849234EF2E47BC8DE3DE441C710

Function 00007FF7BC6D7810 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc3bffe48da8fd73621cbb623fedd7790d8ed95187b395c2f8ab6cf70fbd321
Instruction ID: a4556eb5dd5bd3f7c1f24e5a8a332c461fabefe7258f0a647df900572bb2ac60
Opcode Fuzzy Hash: 2dc3bffe48da8fd73621cbb623fedd7790d8ed95187b395c2f8ab6cf70fbd321
Instruction Fuzzy Hash: C0814772A0C38146E779DB1DA040B7AA792FB66798F848235DBAD47B8CCF3CD5508B11

Function 00007FF7BC6C2B60 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bd80f57eb232d678d590fbd4c45bac1d99471cf1f8379814a0f31ac97e6f79
Instruction ID: d6bcf85c6bf89e16298d93bf612583c9819686ec8d41e7e8c8787250cbfe1a14
Opcode Fuzzy Hash: d5bd80f57eb232d678d590fbd4c45bac1d99471cf1f8379814a0f31ac97e6f79
Instruction Fuzzy Hash: C45188237286E446CB259A2DE414FBAAB63E376794F498236DE9D87BC4CD2CC441DB10

Function 00007FF7BC6D06C8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec2cbce4c66990969fc68eb1171d784d3a118b3073380cc2cd3637851bbe89f
Instruction ID: 8cccbee61544036be1cfeffaeba9e41a4ca1db952e737232edf5fb64c4ad98bb
Opcode Fuzzy Hash: 6ec2cbce4c66990969fc68eb1171d784d3a118b3073380cc2cd3637851bbe89f
Instruction Fuzzy Hash: 5B51B936E1865586E7259B2DC040A3977A2EB66B5CF648131CF4C1779CCF3AE862CB90

Function 00007FF7BC6D02C0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d55e7b74c74ae9c8f477ccd41f7837cfeba25c56cc48b04a18bdb2e1b261f03
Instruction ID: 2d04b5d4a685a55adb126bbcf13d6b3e299b2029725e8d03355f7347967aed86
Opcode Fuzzy Hash: 0d55e7b74c74ae9c8f477ccd41f7837cfeba25c56cc48b04a18bdb2e1b261f03
Instruction Fuzzy Hash: 7351C836E1865686E7259B2DC080A3C63A2EB56B5CFA58031CF4C1779CCB39E863C750

Function 00007FF7BC6D04C4 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c52b6d51fff24f610222c5cbc3aaeb594f0196ce920fdcd3c71be82fc94997f
Instruction ID: a6e25f8d5f15b413757efc83572ad3b6e35eafe13ca9a97a22127b20e88cb985
Opcode Fuzzy Hash: 9c52b6d51fff24f610222c5cbc3aaeb594f0196ce920fdcd3c71be82fc94997f
Instruction Fuzzy Hash: AA51D936E2865586E7259B2CC04073877A1EB66B5CFA48131DF4D0779DCB3AE863C750

Function 00007FF7BC6D3E70 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 881ede52497160d17bfa5c4327c6d1d64eefa22b30db9c65c619d8db33ba8106
Instruction ID: 83b726ca51c0ebfb755f9fa86e5f92d909ef8278397f70aa61f87618bf23cfa6
Opcode Fuzzy Hash: 881ede52497160d17bfa5c4327c6d1d64eefa22b30db9c65c619d8db33ba8106
Instruction Fuzzy Hash: BF411262714A5582EF04DF2AD914969A3A2BB59FD8B89D032EF0D87B5CEE3DC4518300

Function 00007FF7BC6C2080 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f84a022e858a858e21bc3260534c36122f747569052417c17b48ee8a6de69d
Instruction ID: f81b2f07a4c3fe464bb482efcb8653bab59d02dadd8810f1c90719f4631b7910
Opcode Fuzzy Hash: 40f84a022e858a858e21bc3260534c36122f747569052417c17b48ee8a6de69d
Instruction Fuzzy Hash: 5E4126A2714B5046DD08DF2DB855929E75AF388BC0B99A433DF8D57B64EE3CD652C300

Function 00007FF7BC6C51C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aab68525deca0184b32cec1a1024981a7b3053b8abb821f3f05023d839e3477
Instruction ID: f3fb779b2a229e37c5e2a05ee1651053612fbdb3d7b7d422e603df9b09a343f2
Opcode Fuzzy Hash: 9aab68525deca0184b32cec1a1024981a7b3053b8abb821f3f05023d839e3477
Instruction Fuzzy Hash: 44113072D1E7C082E355DF28A4496C83AA8F310B4CF74D538DE596B360DBBA7963A704

Function 00007FF7BC6CBF3C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0278e2b4d9830ca251596cf284610aad4b12314c1d13d881d26cdfd600733c
Instruction ID: be1b6369bd05ff88cad9dbf1aaef5a4117a779c67e5ef480f79fe33cfd0b43f2
Opcode Fuzzy Hash: cc0278e2b4d9830ca251596cf284610aad4b12314c1d13d881d26cdfd600733c
Instruction Fuzzy Hash: F9A0022290CC43D0E60AEB08E961D35A333FBB6348BD0D072C22D4116DAF3DE540EB64

Function 00007FF7BC6D5AC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF7BC6D5DA2), ref: 00007FF7BC6D5C3C
GetProcAddress.KERNEL32(?,00000000,?,00007FF7BC6D5DA2), ref: 00007FF7BC6D5C48

Strings

ext-ms-, xrefs: 00007FF7BC6D5B99
%TEMP%\onefile_%PID%_%TIME%, xrefs: 00007FF7BC6D5AD6
api-ms-, xrefs: 00007FF7BC6D5B86

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AddressFreeLibraryProc
String ID: %TEMP%\onefile_%PID%_%TIME%$api-ms-$ext-ms-
API String ID: 3013587201-527191339
Opcode ID: 33b2eb8f39e01a37c98db0153a76e138676b2a97e3f530989414cb1786bc45c0
Instruction ID: 2310264f55b4dee8b0ba85adf662c38d87d55915d0d34830db4bbc48ab36a99e
Opcode Fuzzy Hash: 33b2eb8f39e01a37c98db0153a76e138676b2a97e3f530989414cb1786bc45c0
Instruction Fuzzy Hash: ED41E761B19A0241FA17EB1EA810975A392BF26BD8F89C53ADF1D47B4CDE3CE4558320

Function 00007FF7BC6CDFC0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7BC6CE01D

Part of subcall function 00007FF7BC6CEF1C: __GetUnwindTryBlock.LIBCMT ref: 00007FF7BC6CEF5F
Part of subcall function 00007FF7BC6CEF1C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7BC6CEF84

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7BC6CE0F5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7BC6CE34A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BC6CE456

Strings

csm, xrefs: 00007FF7BC6CE037
csm, xrefs: 00007FF7BC6CE09E
csm, xrefs: 00007FF7BC6CE118

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: c44cdab44309f536c8643caebba11c9f696316a535538b6a18482a3c6b83000f
Instruction ID: f9528706cc1a1480bed036e9218ab9a742ffc666220feb37e452dacbd8463788
Opcode Fuzzy Hash: c44cdab44309f536c8643caebba11c9f696316a535538b6a18482a3c6b83000f
Instruction Fuzzy Hash: 65E19132A0878186EB21AF6994406AEB7B1FB6678CF408135DF8D57B59CF3CE4A0C711

Function 00007FF7BC6CCBD4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7BC6CCE86,?,?,?,00007FF7BC6CCB78,?,?,00000001,00007FF7BC6CC3E1), ref: 00007FF7BC6CCC59
GetLastError.KERNEL32(?,?,?,00007FF7BC6CCE86,?,?,?,00007FF7BC6CCB78,?,?,00000001,00007FF7BC6CC3E1), ref: 00007FF7BC6CCC67
LoadLibraryExW.KERNEL32(?,?,?,00007FF7BC6CCE86,?,?,?,00007FF7BC6CCB78,?,?,00000001,00007FF7BC6CC3E1), ref: 00007FF7BC6CCC91
FreeLibrary.KERNEL32(?,?,?,00007FF7BC6CCE86,?,?,?,00007FF7BC6CCB78,?,?,00000001,00007FF7BC6CC3E1), ref: 00007FF7BC6CCCD7
GetProcAddress.KERNEL32(?,?,?,00007FF7BC6CCE86,?,?,?,00007FF7BC6CCB78,?,?,00000001,00007FF7BC6CC3E1), ref: 00007FF7BC6CCCE3

Strings

api-ms-, xrefs: 00007FF7BC6CCC79

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: be524e1eb67e573fc5b475188c4d948c4325beb85c5a9406d03dd95f9e823d66
Instruction ID: 188fa613c340940fdc27df33bcafa19f776a8ba9577b35405505e1e7fd3ae823
Opcode Fuzzy Hash: be524e1eb67e573fc5b475188c4d948c4325beb85c5a9406d03dd95f9e823d66
Instruction Fuzzy Hash: F031C921B1AA4291EE13FB0D9440D76A395BF26BA8FD98536DF5D06348EF3CE4448320

Function 00007FF7BC6D5678 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7BC6D5687
FlsGetValue.KERNEL32 ref: 00007FF7BC6D569C
FlsSetValue.KERNEL32 ref: 00007FF7BC6D56BD
FlsSetValue.KERNEL32 ref: 00007FF7BC6D56EA
FlsSetValue.KERNEL32 ref: 00007FF7BC6D56FB
FlsSetValue.KERNEL32 ref: 00007FF7BC6D570C
SetLastError.KERNEL32 ref: 00007FF7BC6D5727

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0cc5402b84f758c4271f1aa16c01f6fae8a308a818b5928784db28093582c4bf
Instruction ID: c56eaff6e269b76c901893a5d3a89334cc2c0d97db740ff7bcc97e4ae7ec8896
Opcode Fuzzy Hash: 0cc5402b84f758c4271f1aa16c01f6fae8a308a818b5928784db28093582c4bf
Instruction Fuzzy Hash: 3A21A160A0828342FA66B32D554187DD3435F667ACF94C639EB2D46EDEDE2CA4614220

Function 00007FF7BC6DEE78 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7BC6DEEA9
GetLastError.KERNEL32 ref: 00007FF7BC6DEEB5
CloseHandle.KERNEL32 ref: 00007FF7BC6DEECD
CreateFileW.KERNEL32 ref: 00007FF7BC6DEEF8
WriteConsoleW.KERNEL32 ref: 00007FF7BC6DEF17

Strings

CONOUT$, xrefs: 00007FF7BC6DEED9

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 0e00cd62a7a3902094f99b322ee7b8ee2f62b63f95ad0485e1596a5f5d8da048
Instruction ID: c5b478e6b795b736558350914f9a7d33a6a84b42332d4340139a7f3224aea5b3
Opcode Fuzzy Hash: 0e00cd62a7a3902094f99b322ee7b8ee2f62b63f95ad0485e1596a5f5d8da048
Instruction Fuzzy Hash: CD11EC31718A4282E351AB4AE844729E3A1FB99FE8F408235DB5D83B9CDF7DD4548710

Function 00007FF7BC6D57F0 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7BC6D5A6D,?,?,?,?,00007FF7BC6D4F9F,?,?,00000000,00007FF7BC6D590E,?,?,?), ref: 00007FF7BC6D57FF
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D5A6D,?,?,?,?,00007FF7BC6D4F9F,?,?,00000000,00007FF7BC6D590E,?,?,?), ref: 00007FF7BC6D5835
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D5A6D,?,?,?,?,00007FF7BC6D4F9F,?,?,00000000,00007FF7BC6D590E,?,?,?), ref: 00007FF7BC6D5862
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D5A6D,?,?,?,?,00007FF7BC6D4F9F,?,?,00000000,00007FF7BC6D590E,?,?,?), ref: 00007FF7BC6D5873
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D5A6D,?,?,?,?,00007FF7BC6D4F9F,?,?,00000000,00007FF7BC6D590E,?,?,?), ref: 00007FF7BC6D5884
SetLastError.KERNEL32(?,?,?,00007FF7BC6D5A6D,?,?,?,?,00007FF7BC6D4F9F,?,?,00000000,00007FF7BC6D590E,?,?,?), ref: 00007FF7BC6D589F

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ee148f4be8cfe0799c57237698451a0f6a95b5cdf6484c952ce5099f24ac6d61
Instruction ID: 40b026bb2e1881585473c759c8c7713e2a9e0f5d601335374e7579b96f6652f8
Opcode Fuzzy Hash: ee148f4be8cfe0799c57237698451a0f6a95b5cdf6484c952ce5099f24ac6d61
Instruction Fuzzy Hash: 2811A160F0C25342FA267329654587DE3436F667BCFC4C639DA3E46ECEDE2CA4A14220

Function 00007FF7BC6CC1E0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7BC6CC20B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7BC6CC2A0
RtlUnwindEx.KERNEL32 ref: 00007FF7BC6CC2EF

Strings

f, xrefs: 00007FF7BC6CC21E
csm, xrefs: 00007FF7BC6CC286

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: f8130a11db687009fa6639b95c5e07baec577d4d4f843acdabcdbd7737b3c783
Instruction ID: 1619a19f60993b1100a5b30955faa30884a129da15eefb182cbbfdea16d6c013
Opcode Fuzzy Hash: f8130a11db687009fa6639b95c5e07baec577d4d4f843acdabcdbd7737b3c783
Instruction Fuzzy Hash: 5D519432A0960296DB16EB19E404E2EB756FB66B8CF90C035DB9E4374CEF7DE8418710

Function 00007FF7BC6CF5EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7BC6CF611
GetProcAddress.KERNEL32 ref: 00007FF7BC6CF627
FreeLibrary.KERNEL32 ref: 00007FF7BC6CF64E

Strings

mscoree.dll, xrefs: 00007FF7BC6CF608
CorExitProcess, xrefs: 00007FF7BC6CF620

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2af3b227ae15d0f77a1e21f18893b17dba8bef6b3a8307e3f86ec068823517b4
Instruction ID: 6a5e73247ae18c1b0e8602b56f415bbde62c3c4d4e16785fbc0b16d40847a7e1
Opcode Fuzzy Hash: 2af3b227ae15d0f77a1e21f18893b17dba8bef6b3a8307e3f86ec068823517b4
Instruction Fuzzy Hash: 4BF0C86160860381EB15AB28E454B799332AF6A769F944236C76D451F8CF2DD485D320

Function 00007FF7BC6DF2B0 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7BC6DF2D8
_set_statfp.LIBCMT ref: 00007FF7BC6DF2F3
_set_statfp.LIBCMT ref: 00007FF7BC6DF30F
_set_statfp.LIBCMT ref: 00007FF7BC6DF34B

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 3a712edb43eefe081016b663f864f5399d40ebd49305789552501c3995f396b1
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: 3E11D322D1CA0381F256316CE441B3992836F7636CEDB8634EB6EC62DE8E3C5C624162

Function 00007FF7BC6D58B8 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7BC6D487F,?,?,00000000,00007FF7BC6D4B1A), ref: 00007FF7BC6D58D7
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D487F,?,?,00000000,00007FF7BC6D4B1A), ref: 00007FF7BC6D58F6
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D487F,?,?,00000000,00007FF7BC6D4B1A), ref: 00007FF7BC6D591E
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D487F,?,?,00000000,00007FF7BC6D4B1A), ref: 00007FF7BC6D592F
FlsSetValue.KERNEL32(?,?,?,00007FF7BC6D487F,?,?,00000000,00007FF7BC6D4B1A), ref: 00007FF7BC6D5940

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 70f22fd26877e26fd1f5677f389258ae140429eb9c16d658f2141398dd3b6569
Instruction ID: 8ce6882310b8e57e6be02e92d2c11d5e3671e242004cf111abb3a661ba65805a
Opcode Fuzzy Hash: 70f22fd26877e26fd1f5677f389258ae140429eb9c16d658f2141398dd3b6569
Instruction Fuzzy Hash: DF1193A0E0824341FA667329654197DD3435F667B8EC8C639D63D4AECDDD2CA4614220

Function 00007FF7BC6D574C Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7BC6D575D
FlsSetValue.KERNEL32 ref: 00007FF7BC6D577C
FlsSetValue.KERNEL32 ref: 00007FF7BC6D57A4
FlsSetValue.KERNEL32 ref: 00007FF7BC6D57B5
FlsSetValue.KERNEL32 ref: 00007FF7BC6D57C6

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b5b63efb44819eb330ac4f3abc49f6f7f56682563c3d2faa27d9153c1f484041
Instruction ID: 3de63c5dfcd62f983699cdcc3f4de5bc3257177e9c275ae697ab110f1cf50f9b
Opcode Fuzzy Hash: b5b63efb44819eb330ac4f3abc49f6f7f56682563c3d2faa27d9153c1f484041
Instruction Fuzzy Hash: 7B1112A0A0920781F96BB22D5452DB993435F6732CEE48739D73D49ADEDD1CB4614231

Function 00007FF7BC6CE498 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7BC6CE4E4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7BC6CE533

Strings

RCC, xrefs: 00007FF7BC6CE501
MOC, xrefs: 00007FF7BC6CE4F8

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 0be028d7ac0c4ec896316e1f9103cf6cce5ef8834604ae2c1fa05adb49898076
Instruction ID: 87076ca4b815ab77ebfdb6dd1566492d8fcbe75096c2cad95415e8e6e17a8492
Opcode Fuzzy Hash: 0be028d7ac0c4ec896316e1f9103cf6cce5ef8834604ae2c1fa05adb49898076
Instruction Fuzzy Hash: 15619933A08B858AE711DF69D0406AEB7B1FB55B8CF948225EF4D13B98DB38E465C710

Function 00007FF7BC6CE7F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7BC6CE81C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7BC6CE904

Strings

csm, xrefs: 00007FF7BC6CE956
csm, xrefs: 00007FF7BC6CE83E

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 2548dea0f533b99c0f1a3f359ddf3b70687b80a6ff4ae413730ab8f4a98dda38
Instruction ID: 0d62d34dd4663b787dee4db32b454016d7f196d8d689b241a832132488fa87c2
Opcode Fuzzy Hash: 2548dea0f533b99c0f1a3f359ddf3b70687b80a6ff4ae413730ab8f4a98dda38
Instruction Fuzzy Hash: 5151B5329086828ADB75AB19904476AB7B2FB66B88F54C135DB9D476CDCF3CE460C710

Function 00007FF7BC6DA8F0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7BC6DA96F
WriteFile.KERNEL32 ref: 00007FF7BC6DAC37
WriteFile.KERNEL32 ref: 00007FF7BC6DAC7D
GetLastError.KERNEL32 ref: 00007FF7BC6DAD33

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3361e7b0a4a01c86be7f689050dcb8175c18a7f7fa488bd35ccabded482c3f68
Instruction ID: a829442852e31940746ffe64a96923e3ed8f733d0dac56dab12bebf6f54a415b
Opcode Fuzzy Hash: 3361e7b0a4a01c86be7f689050dcb8175c18a7f7fa488bd35ccabded482c3f68
Instruction Fuzzy Hash: 26D12832B08A8189E712DF68D4406AC77B2FB5579CB848235CF5D97BAEDE38D456C320

Function 00007FF7BC6DB218 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7BC6DB203), ref: 00007FF7BC6DB334
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7BC6DB203), ref: 00007FF7BC6DB3BF

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: d26b7108da04b1d6ade1a439dc006868cde7a2577c5aa964054f66e6243fd7d4
Instruction ID: 0e216fc3853c6f178979077e9dcfbf6de73fc113ea86854fec3b7c39f0567e7b
Opcode Fuzzy Hash: d26b7108da04b1d6ade1a439dc006868cde7a2577c5aa964054f66e6243fd7d4
Instruction Fuzzy Hash: 9D911932F0865285F752EF6D9480A7CA7A2ABA678CF948139DF0E5769DCF38D451C320

Function 00007FF7BC6CBC38 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7BC6CBC64
GetCurrentThreadId.KERNEL32 ref: 00007FF7BC6CBC72
GetCurrentProcessId.KERNEL32 ref: 00007FF7BC6CBC7E
QueryPerformanceCounter.KERNEL32 ref: 00007FF7BC6CBC8E

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 266c0d6f6f968f6a4e115eca7bdf0b44c9a17825bcc9060ec7015ac9a463f65a
Instruction ID: 13916f6754d95f159d48708ec9c7deb495babd56a30ad01422d179173d2a21d4
Opcode Fuzzy Hash: 266c0d6f6f968f6a4e115eca7bdf0b44c9a17825bcc9060ec7015ac9a463f65a
Instruction Fuzzy Hash: 1A117332B14F0289EB00DF64E8456B873A4FB29758F844D31DB6D46758DF78D1988350

Function 00007FF7BC6D37AC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6D37DE

Part of subcall function 00007FF7BC6D5A84: RtlDeleteBoundaryDescriptor.NTDLL(?,?,00000000,00007FF7BC6D9996,?,?,?,00007FF7BC6D99D3,?,?,00000000,00007FF7BC6D9ECD,?,?,?,00007FF7BC6D9DFF), ref: 00007FF7BC6D5A9A
Part of subcall function 00007FF7BC6D5A84: GetLastError.KERNEL32(?,?,00000000,00007FF7BC6D9996,?,?,?,00007FF7BC6D99D3,?,?,00000000,00007FF7BC6D9ECD,?,?,?,00007FF7BC6D9DFF), ref: 00007FF7BC6D5AA4

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7BC6CB7D1), ref: 00007FF7BC6D37FC

Strings

C:\Users\user\Desktop\dstream.log.exe, xrefs: 00007FF7BC6D37EA

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\dstream.log.exe
API String ID: 3976345311-3363711775
Opcode ID: addb991eec39e7f9dcc760c3be5645f43ef13cf5583ab8fbc0d0e601c7c435c7
Instruction ID: 5959f17a963a0b183a2c5b44dc0f6b38c6a606fd6fb02ec2819abdaa8b667939
Opcode Fuzzy Hash: addb991eec39e7f9dcc760c3be5645f43ef13cf5583ab8fbc0d0e601c7c435c7
Instruction Fuzzy Hash: 6741B875A08B538AE716FF1994808B8B7A6EF5678CB848075EB0D47B4DDF3DD4918320

Function 00007FF7BC6DAF88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7BC6DB09F
GetLastError.KERNEL32 ref: 00007FF7BC6DB0C1

Strings

U, xrefs: 00007FF7BC6DB04B

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: edccec16b3022fd624643ca2c3d557c552a0589b9f395fd33be6678bad1b8261
Instruction ID: 080bef158a1b924bfb63f4e28cef6c1de44460e742e0413b63ae98b0b511ceed
Opcode Fuzzy Hash: edccec16b3022fd624643ca2c3d557c552a0589b9f395fd33be6678bad1b8261
Instruction Fuzzy Hash: 7441E522B18A8181DB21DF29E4447A9B761FBA9788F848031EF4D8779CEF3CD455C720

Function 00007FF7BC6D4484 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6D44A1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BC6D44FA

Strings

%TEMP%\onefile_%PID%_%TIME%, xrefs: 00007FF7BC6D44DE

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID: %TEMP%\onefile_%PID%_%TIME%
API String ID: 3215553584-1520714333
Opcode ID: b6f9d8ebf31fa66e504c26de95435c2f10ec97f2079d01c6a1c89ddd030fe641
Instruction ID: 0afc10ffb0e3cd107de1e0093711603248ee7310fc8a9da0147c824bf9ab2839
Opcode Fuzzy Hash: b6f9d8ebf31fa66e504c26de95435c2f10ec97f2079d01c6a1c89ddd030fe641
Instruction Fuzzy Hash: 4B412161D1C75282EA22A7099041779B792EF6679CFC8C131EB8D472DDDE3CD8A18720

Function 00007FF7BC6CF320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7BC6CF370
RaiseException.KERNEL32 ref: 00007FF7BC6CF3B1

Strings

csm, xrefs: 00007FF7BC6CF39E

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 6cc3a245ac0ed7d0591d0cdb94bad24c90f55041f70c360502f369ebfc4c35ec
Instruction ID: 1ad167203bea6d382356c8244e7e300f643f45af43f33e92ecfea999809bfeff
Opcode Fuzzy Hash: 6cc3a245ac0ed7d0591d0cdb94bad24c90f55041f70c360502f369ebfc4c35ec
Instruction Fuzzy Hash: BF116032608B4182EB619F19F40065AB7E2FB99B88F588232DF9C47759DF3CC5518B40

Function 00007FF7BC6CA8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7BC6CA8E9
FormatMessageA.KERNEL32 ref: 00007FF7BC6CA914

Strings

C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783, xrefs: 00007FF7BC6CA8E0

Memory Dump Source

Source File: 00000000.00000002.2269352035.00007FF7BC6C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BC6C0000, based on PE: true

Associated: 00000000.00000002.2269337776.00007FF7BC6C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269376379.00007FF7BC6E1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269392590.00007FF7BC6F6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2269482607.00007FF7BC6FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorFormatLastMessage
String ID: C:\Users\user\AppData\Local\Temp\\onefile_3248_133646284912282783
API String ID: 3479602957-1959902396
Opcode ID: 1e81388750679c601e3fd34f20a9a7a594047ab76ede4be05ed85ff58875150a
Instruction ID: baa1d63a7dd9eb754453fb7088d16aa5ecb34e4e44a5a896eb8be88b2e04f745
Opcode Fuzzy Hash: 1e81388750679c601e3fd34f20a9a7a594047ab76ede4be05ed85ff58875150a
Instruction Fuzzy Hash: 38E06561A18B4146D751E725B400956A7E1AB9D794F444132DB4EC676DDE3CD1854700

Analysis Process: rundatastream.exePID: 6212, Parent PID: 3248COMMON

Executed Functions

Function 00007FFD942E01A8 Relevance: 18.4, APIs: 6, Strings: 4, Instructions: 939COMMON

Download Yara Rule

Strings

marshal data too short, xrefs: 00007FFD94336047, 00007FFD943361AF, 00007FFD94336317, 00007FFD9433647F, 00007FFD943365E7, 00007FFD94336752
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 00007FFD94336185, 00007FFD943362ED, 00007FFD94336455, 00007FFD943365BD, 00007FFD94336727, 00007FFD9433688F
EOF read where not expected, xrefs: 00007FFD94336193, 00007FFD943362FB, 00007FFD94336463, 00007FFD943365CB, 00007FFD94336739, 00007FFD9433689D
bad marshal data (index list too large), xrefs: 00007FFD94336035

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: EOF read where not expected$bad marshal data (index list too large)$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 0-2341825754
Opcode ID: ecec5fdecb04c0112d9d55a826d4dc352f5f0305c3dc222854f124bc59100f4b
Instruction ID: 907ab7052aa199164d8ef889925eed9f5d3440f829193ed140028a0f08cea5cb
Opcode Fuzzy Hash: ecec5fdecb04c0112d9d55a826d4dc352f5f0305c3dc222854f124bc59100f4b
Instruction Fuzzy Hash: 95928F61B09A5285FB789BE5C4B02BD23A0BF46B98F54C239DE5D177AADE3DE401C340

Function 00007FFD942DFC5C Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942DFD4D
getc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD943359AE

Strings

marshal data too short, xrefs: 00007FFD943359F9
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 00007FFD94335944
..\Objects\listobject.c, xrefs: 00007FFD94335C07
EOF read where not expected, xrefs: 00007FFD94335B1E
EOF read where object expected, xrefs: 00007FFD943359E0
cannot add more objects to list, xrefs: 00007FFD94335BE1
size must be positive, xrefs: 00007FFD94335B41

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: getcmemcpy
String ID: ..\Objects\listobject.c$EOF read where not expected$EOF read where object expected$cannot add more objects to list$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned$size must be positive
API String ID: 880964854-2925454399
Opcode ID: bb178ebcb5740fa70e6b5d544ce72188983dde16f7d7b53ec582d59b84fd5e5c
Instruction ID: 47c8e1473587bd26bfbfee8198e151fe571e7023f5d5117c0a993d0b6550be6a
Opcode Fuzzy Hash: bb178ebcb5740fa70e6b5d544ce72188983dde16f7d7b53ec582d59b84fd5e5c
Instruction Fuzzy Hash: D3028061B0AA5281FA359BE5D4F02BD23A0BF46B98F558235CA5E07BE7DF2DE441C340

Function 00007FFD94314FD4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94353B8B
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94353B9B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94353C44

Strings

import time: %9ld | %10ld | %*s%s, xrefs: 00007FFD94353C4F
import time: self [us] | cumulative | imported package, xrefs: 00007FFD94353B94

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __acrt_iob_func$fputs
String ID: import time: %9ld | %10ld | %*s%s$import time: self [us] | cumulative | imported package
API String ID: 3348629196-381389485
Opcode ID: 2e7dfb9f2ed18fba51c9f8da8ca5821e40d1c0632b17067b9d9ef153f72aa4a9
Instruction ID: 58a694f4569e512fe5f7b58ba0f19349a51c25de6d6076a3ffd5c8b8083c169a
Opcode Fuzzy Hash: 2e7dfb9f2ed18fba51c9f8da8ca5821e40d1c0632b17067b9d9ef153f72aa4a9
Instruction Fuzzy Hash: 0841ACB2B18B4686EA349FD2E8E05A573A0FB4AB84F44803ADD4D4B766DE3CF445C740

Function 00007FFD942F3C40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942F3C87
_lseeki64.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD942F3C99
_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942F3CA5

Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89E2
Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89FE

Strings

an integer is required, xrefs: 00007FFD94344042

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _errno_set_thread_local_invalid_parameter_handler$_lseeki64
String ID: an integer is required
API String ID: 2849220434-1781588940
Opcode ID: 8f38ad2c946ec6b2d44f8f557fc2b13032869d1bcd5b7035c4fe3d4133113697
Instruction ID: a122188a9faf45ece53f16e990b7d778b29867e1f3580c2c7510aa96dc322797
Opcode Fuzzy Hash: 8f38ad2c946ec6b2d44f8f557fc2b13032869d1bcd5b7035c4fe3d4133113697
Instruction Fuzzy Hash: 7B319221F08A1381FA38ABA2A4E01B962A0BF46BD4F54D435DE0D47B97EE7DE452C300

Function 00007FFD942C7B80 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 273COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942C7C9E

Strings

VUUUUUUU, xrefs: 00007FFD942C7BE6
GC object already tracked, xrefs: 00007FFD94325CF3, 00007FFD94325D87
..\Objects\dictobject.c, xrefs: 00007FFD94325DC4
VUUUUUUU, xrefs: 00007FFD94325C08

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy
String ID: ..\Objects\dictobject.c$GC object already tracked$VUUUUUUU$VUUUUUUU
API String ID: 3510742995-2243225601
Opcode ID: 7ff510f71de436b82e62fcbfd8c4f8e5b3412e0df4fe69129606875d5164df8e
Instruction ID: 9547be348567b0b239c180d59a6caae5055b2255f441ebbe9d0856b2148af354
Opcode Fuzzy Hash: 7ff510f71de436b82e62fcbfd8c4f8e5b3412e0df4fe69129606875d5164df8e
Instruction Fuzzy Hash: 0AC1A032B09B4681EA349BA5D9A027873A0FF46BB4F548336CA6D477E6DF39E551C300

Function 00007FFD942C58F4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFD942C2A6D), ref: 00007FFD942C59F3
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFD942C2A6D), ref: 00007FFD942C5A23
memcpy.VCRUNTIME140 ref: 00007FFD942C5AB7

Strings

VUUUUUUU, xrefs: 00007FFD942C5913

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset$memcpy
String ID: VUUUUUUU
API String ID: 368790112-1633625446
Opcode ID: ef7c9cb484b0f734f3d1183a3871af5a3a9dc50ebbd219d64d1921f62d81e218
Instruction ID: e6d2f573cb48e7c909d8f05296e405cbdb7662bcb53b936d644b90547c57b750
Opcode Fuzzy Hash: ef7c9cb484b0f734f3d1183a3871af5a3a9dc50ebbd219d64d1921f62d81e218
Instruction Fuzzy Hash: C891E432B09B5682EA38AB45D5A03797761FF46BA4F508235CA6D07BE6DF3DE181C300

Function 00007FFD942D348C Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942D3536

Strings

attribute name must be string, not '%.200s', xrefs: 00007FFD9432DD14
'%.50s' object has no attribute '%U', xrefs: 00007FFD9432DD59

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy
String ID: '%.50s' object has no attribute '%U'$attribute name must be string, not '%.200s'
API String ID: 3510742995-52871160
Opcode ID: d27ef5582bbfee890698c1d5e47131ab4a81bb1279bb0f05fc76d9079088bc93
Instruction ID: e79f5e25e9b1251fce67d8624dabd0dfc6b211d9d95700890fe329adb4a35cdb
Opcode Fuzzy Hash: d27ef5582bbfee890698c1d5e47131ab4a81bb1279bb0f05fc76d9079088bc93
Instruction Fuzzy Hash: 4441A362B0AA4284EA71ABA6E4A01B967A4BF4BBC4F54C135DE4D07397EE3DE445C340

Function 00007FFD942E003C Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942E015E

Strings

marshal data too short, xrefs: 00007FFD94335640
byte string is too large, xrefs: 00007FFD943357B0

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy
String ID: byte string is too large$marshal data too short
API String ID: 3510742995-2573376387
Opcode ID: 3504eeefeb97bc2f94c61669745b566b49b7d7c7df0e9d52b09c85efee6f2241
Instruction ID: 97d8df6a3f461a95ac303519733b211dd15330855665818b6241dd88d5efbdd1
Opcode Fuzzy Hash: 3504eeefeb97bc2f94c61669745b566b49b7d7c7df0e9d52b09c85efee6f2241
Instruction Fuzzy Hash: 2A41C562B4975284FA359BE594F027927E1AF42BA4B55C339C96D07BE6DE3DE401C300

Function 00007FFD942DCA2A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD942DCC5D

Strings

..\Modules\gcmodule.c, xrefs: 00007FFD94333F4A

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset
String ID: ..\Modules\gcmodule.c
API String ID: 2221118986-707286096
Opcode ID: d59c385ac39d04f951db277cbff4f153a8480257e08d6969cf8c18d761d2b0b7
Instruction ID: deddc7c4ddda4ecf2a09cac19a6b374d0ac2195d8686351b698911252b5fae8f
Opcode Fuzzy Hash: d59c385ac39d04f951db277cbff4f153a8480257e08d6969cf8c18d761d2b0b7
Instruction Fuzzy Hash: 75517A32B4AB0282EB60DF65E4A026833A8FB4AB94F458635DF5D47796DF3DD451C340

Function 00007FFD942CCED0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD942CCF8E

Strings

GC object already tracked, xrefs: 00007FFD94328DD9

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset
String ID: GC object already tracked
API String ID: 2221118986-3349536495
Opcode ID: e6696cc3a1ca0eb0efe082366ccbdfa1749d770ef99245383b2b15ed2c10e832
Instruction ID: 6882c8a39a652a6426a35da9f19c8cf9e8535cb5217a04dd81566ac1d5ef0895
Opcode Fuzzy Hash: e6696cc3a1ca0eb0efe082366ccbdfa1749d770ef99245383b2b15ed2c10e832
Instruction Fuzzy Hash: 85515961B09B8285EB349B95E5A027862A0BB06BB4F148735DA7E077E6CF7DE052C300

Function 00007FFD942DF3C5 Relevance: 1.3, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942DF470

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f774a82ea3e4f078965ce6dd097f5a77d9524edb4836cfc40fc70e28b10fe2fc
Instruction ID: 94a1a5f39e2a0cb0615b0f790cbd8d0175e229aab2766184c2df075940312e50
Opcode Fuzzy Hash: f774a82ea3e4f078965ce6dd097f5a77d9524edb4836cfc40fc70e28b10fe2fc
Instruction Fuzzy Hash: 29319351B0E68280FD70D795A6E02795361BF5BBE0F098631DE2E477DBDE2DE441C208

Function 00007FFD942E0F82 Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD942E0FCE

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: de94f488ee3790d52faa7aab927a674f606a91286c06b93dff274d8d510b8dc5
Instruction ID: d9b5bb9947520e0a7488bcfea5e9ea5acfe07e158c4057bafcc65a54920f0068
Opcode Fuzzy Hash: de94f488ee3790d52faa7aab927a674f606a91286c06b93dff274d8d510b8dc5
Instruction Fuzzy Hash: 3EF0F910F0D21384FE745BD164F027B5290BF577A9E58C635D82E0A3D3EEADA4A3C201

Non-executed Functions

Function 00007FFD944267EC Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 333COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD9442684D

Strings

utf-8, xrefs: 00007FFD94426A87, 00007FFD94426BCF
surrogates not allowed, xrefs: 00007FFD9442689A, 00007FFD94426900, 00007FFD94426BC0

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset
String ID: surrogates not allowed$utf-8
API String ID: 2221118986-596787060
Opcode ID: 6e1a3e8e9135ae35aa50b73a0041b11bf1850c409099cb1095604cae9010d58d
Instruction ID: 020e37d386c063689d5ef5d8318a0a4553d3eb69da5927c5d3aaafa6fc960a33
Opcode Fuzzy Hash: 6e1a3e8e9135ae35aa50b73a0041b11bf1850c409099cb1095604cae9010d58d
Instruction Fuzzy Hash: 97D1C732B09A5686FB259FE5D4A02BD67A0FB56B94F048135DE4D0BB9ECE7CE512C300

Function 00007FFD943BFE88 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FFD943BFED9

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: ef1807e5464a469517ea34e4808b41cbefc05e677e1f8f2872ff8a22d648e09c
Instruction ID: c22b7b89ebaf116fa2cae2b772c110e66348effe823cecc51156d153baca3463
Opcode Fuzzy Hash: ef1807e5464a469517ea34e4808b41cbefc05e677e1f8f2872ff8a22d648e09c
Instruction Fuzzy Hash: 58016272B18A8146E7A09BA0F49576A6394FB89348F449035EB4C86B56DF3CD014CB00

Function 00007FFDA4338D30 Relevance: 63.3, APIs: 11, Strings: 25, Instructions: 272COMMON

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFDA4338DBD
DName::DName.LIBCMT ref: 00007FFDA4338EBE
UnDecorator::getECSUDataType.LIBVCRUNTIME ref: 00007FFDA4338F73
DName::DName.LIBCMT ref: 00007FFDA43390F5
DName::operator+=.LIBCMT ref: 00007FFDA433910A
DName::operator+=.LIBCMT ref: 00007FFDA433915E
DName::operator+=.LIBCMT ref: 00007FFDA433916B
DName::operator+=.LIBCMT ref: 00007FFDA4339194

Strings

char, xrefs: 00007FFDA4338E21
float, xrefs: 00007FFDA4338DB2
short, xrefs: 00007FFDA4338E18
char16_t, xrefs: 00007FFDA4338FBA
signed , xrefs: 00007FFDA43390EA
__int32, xrefs: 00007FFDA4338F28
volatile, xrefs: 00007FFDA43390A7
void, xrefs: 00007FFDA4338FD9
UNKNOWN, xrefs: 00007FFDA4338F96
__int64, xrefs: 00007FFDA4338F1C
int, xrefs: 00007FFDA4338E0F
bool, xrefs: 00007FFDA4338F34
__int128, xrefs: 00007FFDA4338F10
long, xrefs: 00007FFDA4338E06
__int16, xrefs: 00007FFDA4338EE8
long , xrefs: 00007FFDA4338FEC
volatile, xrefs: 00007FFDA43390BE
double, xrefs: 00007FFDA4339006
wchar_t, xrefs: 00007FFDA4338FA2
<unknown>, xrefs: 00007FFDA4338FC6
__int8, xrefs: 00007FFDA4338E9B
char32_t, xrefs: 00007FFDA4338FAE
unsigned , xrefs: 00007FFDA4338DFA
__w64 , xrefs: 00007FFDA4338EB0
const, xrefs: 00007FFDA433908C

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameName::$DataDecorator::getName::operator=Type
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 4214689379-3737837666
Opcode ID: 652ae0b6b3366500e24b489b33b801a0c5d0ff13822910b63d2dc081d5838a9d
Instruction ID: afdeec18aeaeb8eb1709b21fc2174d727ff9b2674ef8f3dcce3fe7e644df379f
Opcode Fuzzy Hash: 652ae0b6b3366500e24b489b33b801a0c5d0ff13822910b63d2dc081d5838a9d
Instruction Fuzzy Hash: CED19F69F9AE5394FB14EB6498F02FC23A1AF12344F904532E91E556F7DFACB5848308

Function 00007FFDA433557C Relevance: 53.0, APIs: 27, Strings: 3, Instructions: 474COMMON

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFDA4335609
DName::DName.LIBCMT ref: 00007FFDA4335624
DName::operator+=.LIBCMT ref: 00007FFDA4335639

Part of subcall function 00007FFDA433B0A0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433B0B9

DName::operator+=.LIBCMT ref: 00007FFDA433569F
DName::operator+=.LIBCMT ref: 00007FFDA43356AC
DName::operator+=.LIBCMT ref: 00007FFDA4335784
DName::operator+=.LIBCMT ref: 00007FFDA433579E
DName::DName.LIBCMT ref: 00007FFDA433585C
DName::DName.LIBCMT ref: 00007FFDA43358A0
DName::operator=.LIBVCRUNTIME ref: 00007FFDA433595D
DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433597C
DName::operator=.LIBVCRUNTIME ref: 00007FFDA43359AA
DName::operator+=.LIBCMT ref: 00007FFDA43359E8
DName::operator+=.LIBCMT ref: 00007FFDA4335A12
DName::operator+=.LIBCMT ref: 00007FFDA4335A3B
DName::operator+=.LIBCMT ref: 00007FFDA4335A64
DName::operator+=.LIBCMT ref: 00007FFDA4335A8D
DName::operator+=.LIBCMT ref: 00007FFDA4335AB8
UnDecorator::getDataType.LIBCMT ref: 00007FFDA4335ADA
DName::operator+=.LIBCMT ref: 00007FFDA4335B04
DName::operator=.LIBVCRUNTIME ref: 00007FFDA4335B2F
DName::DName.LIBCMT ref: 00007FFDA4335BE0
DName::DName.LIBCMT ref: 00007FFDA4335C43
DName::operator+=.LIBCMT ref: 00007FFDA4335C64
UnDecorator::getSymbolName.LIBVCRUNTIME ref: 00007FFDA4335C81
DName::operator+=.LIBCMT ref: 00007FFDA4335C8D
DName::operator=.LIBVCRUNTIME ref: 00007FFDA4335D0A

Strings

operator, xrefs: 00007FFDA4335619
`anonymous namespace', xrefs: 00007FFDA4335910
`string', xrefs: 00007FFDA43358CB

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$Name$Name::Name::operator=$Decorator::get$DataSymbolType
String ID: `anonymous namespace'$`string'$operator
API String ID: 825515786-815891235
Opcode ID: 96dcc9c9da573c9d0908bd087082acdff8a4c51e6b015d4d7128ed174d4eecd0
Instruction ID: 38ae8d9e3bd1eee3c26fd76a9902ecbf3da789df2987a7d54954740603553146
Opcode Fuzzy Hash: 96dcc9c9da573c9d0908bd087082acdff8a4c51e6b015d4d7128ed174d4eecd0
Instruction Fuzzy Hash: AD22A022FAAE5684FB10BB24D8F42FC2360AF16749F544135DA4D56BBBDF2CB5458308

Function 00007FFDA4331B10 Relevance: 51.1, APIs: 26, Strings: 3, Instructions: 385COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA433B734: RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,00007FFDA4331B5C), ref: 00007FFDA433B809

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331C28
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331C44
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331C59
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331C76
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331CAC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331CBD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331CD5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331CEA
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA4331D1F
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDA4331D2F
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331D35
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331D3C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331ECB
CatchIt.LIBVCRUNTIME ref: 00007FFDA4331F0A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331F21
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331F28
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331F2F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331F36
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331F9A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331FAE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4331FC5
_UnwindNestedFrames.LIBVCRUNTIME ref: 00007FFDA433201F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA433202E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA433205D
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA433206B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDA4332072

Part of subcall function 00007FFDA43323E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4332418
Part of subcall function 00007FFDA43323E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4332449
Part of subcall function 00007FFDA43323E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4332486
Part of subcall function 00007FFDA43323E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43324A7
Part of subcall function 00007FFDA43323E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43324CA
Part of subcall function 00007FFDA43323E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43324E8

Strings

csm, xrefs: 00007FFDA4331BEC
csm, xrefs: 00007FFDA4331C8A
csm, xrefs: 00007FFDA4331D43

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate$CatchEntryExceptionFramesFunctionLookupNestedThrowUnwindstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 1388491409-393685449
Opcode ID: f889a481ed503a28d6428ccabb53bc113c922f1ac01794c17f25f0bdd2df0b58
Instruction ID: 522dd8f1b66e50c119218b6c3a9f319560d1fb5891bcfc00d2b56fa6130758a0
Opcode Fuzzy Hash: f889a481ed503a28d6428ccabb53bc113c922f1ac01794c17f25f0bdd2df0b58
Instruction Fuzzy Hash: CDF16832B4AE4286EA64AF6190F42B927A4FF46B49F044535EE5D03BB6CF3CF455C248

Function 00007FFD942CE40C Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 228fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFD942CE461
GetFileInformationByHandle.KERNEL32 ref: 00007FFD942CE47B
CloseHandle.KERNEL32 ref: 00007FFD942CE499
memset.VCRUNTIME140 ref: 00007FFD942CE4AB
wcsrchr.VCRUNTIME140 ref: 00007FFD942CE5CF
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942CE5E7
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942CE5FB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942CE60F
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942CE623
GetLastError.KERNEL32 ref: 00007FFD942CE64E
CloseHandle.KERNEL32 ref: 00007FFD94329B17
CloseHandle.KERNEL32 ref: 00007FFD94329B33
CreateFileW.KERNEL32 ref: 00007FFD94329B70
CloseHandle.KERNEL32 ref: 00007FFD94329B95

Strings

stat, xrefs: 00007FFD942CE412
.exe, xrefs: 00007FFD942CE605
.cmd, xrefs: 00007FFD942CE5F1
.bat, xrefs: 00007FFD942CE5DD
.com, xrefs: 00007FFD942CE619

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: Handle$Close_wcsicmp$File$Create$ErrorInformationLastmemsetwcsrchr
String ID: .bat$.cmd$.com$.exe$stat
API String ID: 2118996985-2376718810
Opcode ID: b2d06d6f8892b4ea8db17d80dd97d02532dd19205d3b105340cb6971f8e45813
Instruction ID: 9c273b2a02a2593274d02f7840887cecb337e3e1a48f780fe3972b1badb2a89a
Opcode Fuzzy Hash: b2d06d6f8892b4ea8db17d80dd97d02532dd19205d3b105340cb6971f8e45813
Instruction Fuzzy Hash: DDA1A172B186029AF734AFA5D5A47B823A4FB4A795F40C135DA0D4BB89EF3CE515C700

Function 00007FFD94303D94 Relevance: 36.3, APIs: 7, Strings: 17, Instructions: 274stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94303E7F

Strings

utf_, xrefs: 00007FFD9434ABDE, 00007FFD9434ABF2, 00007FFD94303E7B, 00007FFD9434AB8F, 00007FFD9434AB77, 00007FFD9434ABB6, 00007FFD94303E07, 00007FFD9434ABCA
iso8859_1, xrefs: 00007FFD9434ABEB
latin_1, xrefs: 00007FFD9434ABC3
_, xrefs: 00007FFD94303E2D
u, xrefs: 00007FFD94303E1B
latin1, xrefs: 00007FFD9434ABAF
sOnns, xrefs: 00007FFD94427C98
f, xrefs: 00007FFD94303E27
locale, xrefs: 00007FFD94427C6F
us_ascii, xrefs: 00007FFD9434AB70
mbcs, xrefs: 00007FFD9434AB88
t, xrefs: 00007FFD94303E21
ascii, xrefs: 00007FFD94303E74
iso_8859_1, xrefs: 00007FFD9434ABD7
'%.400s' encoder returned '%.400s' instead of 'bytes'; use codecs.encode() to encode to arbitrary types, xrefs: 00007FFD9434AC5A
encoder %s returned bytearray instead of bytes; use codecs.encode() to encode to arbitrary types, xrefs: 00007FFD9434AC86
embedded null character, xrefs: 00007FFD94427C0E

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: strcmp
String ID: '%.400s' encoder returned '%.400s' instead of 'bytes'; use codecs.encode() to encode to arbitrary types$_$ascii$embedded null character$encoder %s returned bytearray instead of bytes; use codecs.encode() to encode to arbitrary types$f$iso8859_1$iso_8859_1$latin1$latin_1$locale$mbcs$sOnns$t$u$us_ascii$utf_
API String ID: 1004003707-3634592645
Opcode ID: c89a1b8b4f92d542d1da5469dccb65a34dfb21d156b441653749aeff0e828fdc
Instruction ID: 918887257f064c85a279d7e98c25122d7cbe423e390e5b642f565fa2c2496f39
Opcode Fuzzy Hash: c89a1b8b4f92d542d1da5469dccb65a34dfb21d156b441653749aeff0e828fdc
Instruction Fuzzy Hash: E5C16D61B5C64381FB71ABF598E02B963A1AF47BD4F44C239DA0D4769BEE6CE944C300

Function 00007FFDA4336A38 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 244COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00007FFDA4336B2D
DName::operator+=.LIBCMT ref: 00007FFDA4336B55

Part of subcall function 00007FFDA4334FFC: UnDecorator::getDataType.LIBCMT ref: 00007FFDA433502D

DName::DName.LIBCMT ref: 00007FFDA4336B78
DName::operator+=.LIBCMT ref: 00007FFDA4336C11
DName::operator+=.LIBCMT ref: 00007FFDA4336C47
DName::operator+=.LIBCMT ref: 00007FFDA4336C68
DName::operator+=.LIBCMT ref: 00007FFDA4336C89
atol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDA4336D2C
DName::DName.LIBCMT ref: 00007FFDA4336D94
DName::DName.LIBCMT ref: 00007FFDA4336DBC
DName::operator+=.LIBCMT ref: 00007FFDA4336DD3

Strings

NULL, xrefs: 00007FFDA4336B67
`template-type-parameter-, xrefs: 00007FFDA4336DFA
`generic-class-parameter-, xrefs: 00007FFDA4336DF1
`generic-method-parameter-, xrefs: 00007FFDA4336DB1
{, xrefs: 00007FFDA4336BE3

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameName::$DataDecorator::getTypeatol
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-${
API String ID: 2525535886-4023094362
Opcode ID: 3c98c1573ac54ae0277f88398db95881d9eb47b6a89f3846d5d1bb82fe50e054
Instruction ID: 6bec55157afe185ae7f84064662db4e80caef78e72cfbbf7b1c7ca36f254d739
Opcode Fuzzy Hash: 3c98c1573ac54ae0277f88398db95881d9eb47b6a89f3846d5d1bb82fe50e054
Instruction Fuzzy Hash: A0B18B22F8AE4288EA30FB65D4F02FC2761AB56744F854131D94D267BBDE6CF5498348

Function 00007FFDA43333C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA433BB80: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BB97
Part of subcall function 00007FFDA433BB80: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBAE
Part of subcall function 00007FFDA433BB80: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBC9
Part of subcall function 00007FFDA433BB80: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBDD

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43333F1
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333412
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333431
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433344F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433346D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433348B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43334AD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43334C9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43334EA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333505
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333523
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333541
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333563
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433357A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333596

Strings

csm, xrefs: 00007FFDA43334D4
csm, xrefs: 00007FFDA43333FC

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate
String ID: csm$csm
API String ID: 579254285-3733052814
Opcode ID: 45cca4d0ffd97efbe55d83480c269ecd84b97f5836f703120389ae3c3790b18b
Instruction ID: e5e3f30b3e6cb36ad6b41e39a2d4f3280f741239915a8575ab1eb2952283e011
Opcode Fuzzy Hash: 45cca4d0ffd97efbe55d83480c269ecd84b97f5836f703120389ae3c3790b18b
Instruction Fuzzy Hash: EA51AF71F8BE0691FA65BB9490F507827A0AF56B11F616578CAAD027F3DF2CF8408609

Function 00007FFDA4339308 Relevance: 27.4, APIs: 18, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA433AE28: DNameStatusNode::make.LIBVCRUNTIME ref: 00007FFDA433AE54

DName::operator+=.LIBCMT ref: 00007FFDA4339357

Part of subcall function 00007FFDA433B0A0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433B0B9

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameNode::makeStatus
String ID:
API String ID: 693010828-0
Opcode ID: 81a3ac060f484930e87d256b1fc36fbf336144cc8650566317e4f646af0a157c
Instruction ID: 4552dd9eaf51f16610aa9624774b790aa1d4213a947f4efe0c60bba762c8ce3e
Opcode Fuzzy Hash: 81a3ac060f484930e87d256b1fc36fbf336144cc8650566317e4f646af0a157c
Instruction Fuzzy Hash: CA02AE62F59E4689F701AF78C4B12FC27A0EF46708F448135EA4A16BBBDF2CA545C348

Function 00007FFDA4335DFC Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00007FFDA4335E7C
DName::operator+=.LIBCMT ref: 00007FFDA4335E92
DName::operator+=.LIBCMT ref: 00007FFDA4335EE4
DName::operator+=.LIBCMT ref: 00007FFDA4335F9B
DName::operator+=.LIBCMT ref: 00007FFDA4335FCA
DName::operator+=.LIBCMT ref: 00007FFDA43360B9
DName::operator+=.LIBCMT ref: 00007FFDA433613B
DName::operator+=.LIBCMT ref: 00007FFDA4336030

Part of subcall function 00007FFDA433B0A0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433B0B9

DName::operator+=.LIBCMT ref: 00007FFDA43362F6

Strings

`anonymous namespace', xrefs: 00007FFDA433620C

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameName::
String ID: `anonymous namespace'
API String ID: 2762593306-3062148218
Opcode ID: 858dfd3fef869ec2ddac69bba782c9aad46e608f0a4a88788e7b7597dfe50bf0
Instruction ID: b00c4d9b52586ac82292bbfe119d26fd9b65f64e18c9e0fba2e887f1798567fc
Opcode Fuzzy Hash: 858dfd3fef869ec2ddac69bba782c9aad46e608f0a4a88788e7b7597dfe50bf0
Instruction Fuzzy Hash: 81E19322E5DE8685E721AB24D4A11BDB760FB96344F405231EA8D16BBBDF3CF584C704

Function 00007FFDA43320D4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA4332114
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA4332137
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA4332140
CatchIt.LIBVCRUNTIME ref: 00007FFDA4332356

Part of subcall function 00007FFDA43327B4: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332821
Part of subcall function 00007FFDA43327B4: _UnwindNestedFrames.LIBVCRUNTIME ref: 00007FFDA4332864

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA4332386
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA433238D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA4332394
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA433239B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA43323A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA43323A9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA43323B0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA43323B7
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA433205B), ref: 00007FFDA43323BE

Part of subcall function 00007FFDA4334618: GetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA4334634
Part of subcall function 00007FFDA4334618: SetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA433469E

Part of subcall function 00007FFDA4334618: _calloc_base.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA4331886), ref: 00007FFDA4334667
Part of subcall function 00007FFDA4334618: _free_base.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA4331886), ref: 00007FFDA4334696

Strings

RCC, xrefs: 00007FFDA4332154
MOC, xrefs: 00007FFDA433214C

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$ErrorLast$CatchEncodeFramesNestedPointerUnwind_calloc_base_free_baseterminate
String ID: MOC$RCC
API String ID: 877949404-2084237596
Opcode ID: 283647711e7bae1a9b84f589119842750264778a0593f98941379736ee52325d
Instruction ID: 6f52b9437d99c484620eb616918919a1001a077734a509a4e5b6c27cdef8f27c
Opcode Fuzzy Hash: 283647711e7bae1a9b84f589119842750264778a0593f98941379736ee52325d
Instruction Fuzzy Hash: E7818B32B4AE8685EA64AB14D4F03BD67A0EF82B49F058435DA6D027BACF3CF405C744

Function 00007FFD942C4250 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 318stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942C4317
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942C432E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942C4345

Strings

False, xrefs: 00007FFD942C433B
(%s) unknown error, xrefs: 00007FFD94323308
True, xrefs: 00007FFD942C4324
value error, xrefs: 00007FFD94323298
(%s) %s, xrefs: 00007FFD943232E8
dict unpacking cannot be used in dict comprehension, xrefs: 00007FFD94323177
unicode error, xrefs: 00007FFD9432327B
unhandled atom %d, xrefs: 00007FFD943230C0
None, xrefs: 00007FFD942C430D

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: strcmp
String ID: (%s) %s$(%s) unknown error$False$None$True$dict unpacking cannot be used in dict comprehension$unhandled atom %d$unicode error$value error
API String ID: 1004003707-592389903
Opcode ID: 195cc06a536eea12b7520711959b1aef04d8960609d117ccd1ac9fa48d97e00b
Instruction ID: 224e076fa15937b203cf10ee8c1622bdbb2cf4450413f010d39f30a60ca8eb4b
Opcode Fuzzy Hash: 195cc06a536eea12b7520711959b1aef04d8960609d117ccd1ac9fa48d97e00b
Instruction Fuzzy Hash: EAD14861B4964281EA78BBB596B127E22A0FF4ABA4F00C139DA1E177D7DF3DE551C300

Function 00007FFD942C28E8 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942C2931
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD942C293C
_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942C2948

Part of subcall function 00007FFD942C2990: GetConsoleMode.KERNEL32(?,?,00000000,00007FFD942C295C), ref: 00007FFD942C29A4

_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94321E27

Strings

CONOUT$, xrefs: 00007FFD94321E36, 00007FFD94321F25
CON, xrefs: 00007FFD94321E4F, 00007FFD94321F3D
CONIN$, xrefs: 00007FFD94321E1D, 00007FFD94321F0D

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _set_thread_local_invalid_parameter_handler$ConsoleMode_get_osfhandle_wcsicmp
String ID: CON$CONIN$$CONOUT$
API String ID: 3217251221-1984682790
Opcode ID: 986c24e134a8abc110fe1e8f689fc64e49e6508b7762ff476cfbfa1e275bb334
Instruction ID: 137aa9c37382cc6c734638b36b94404781129243dbf136e13c8fb0807083641b
Opcode Fuzzy Hash: 986c24e134a8abc110fe1e8f689fc64e49e6508b7762ff476cfbfa1e275bb334
Instruction Fuzzy Hash: 0B619021F4864386FEB4ABA1A5F427963A1BF87B91F44C135C91E47A96DF3CE449C300

Function 00007FFDA4333010 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433309F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43330B7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43330CC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43330EA
RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4333100
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433311B

Strings

MOC, xrefs: 00007FFDA4333051
csm, xrefs: 00007FFDA43331ED
csm, xrefs: 00007FFDA4333073
RCC, xrefs: 00007FFDA433305D

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 1701874949-1441736206
Opcode ID: cb408c1bcf52114bc0c8292cec68ed63ff13c5b0b3e07f307aba3b015628615a
Instruction ID: d091be0cd8dfb94127a77b04950fdd81db252208d5e6498be679b4fcc2c2e242
Opcode Fuzzy Hash: cb408c1bcf52114bc0c8292cec68ed63ff13c5b0b3e07f307aba3b015628615a
Instruction Fuzzy Hash: D9617C32F4BE4686FAA0BF10D4B036922A4FF46B55F14A075DA5D427BACF3CF8418649

Function 00007FFD94420318 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94420331
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94420348
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD94420365

Strings

backslashreplace, xrefs: 00007FFD9442038F
xmlcharrefreplace, xrefs: 00007FFD944203C3
ignore, xrefs: 00007FFD94420375
strict, xrefs: 00007FFD9442032A
surrogatepass, xrefs: 00007FFD944203A9
replace, xrefs: 00007FFD9442035B
surrogateescape, xrefs: 00007FFD9442033E

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: strcmp
String ID: backslashreplace$ignore$replace$strict$surrogateescape$surrogatepass$xmlcharrefreplace
API String ID: 1004003707-1620100038
Opcode ID: 91e9cda847e082d6fa5fe10b3f9c3985c49da8b7b961c41163897b97cb54df9c
Instruction ID: cea127da3221fdeaf42a8dfd7517d7e36f5457cbd819d323e1894239fe159eb5
Opcode Fuzzy Hash: 91e9cda847e082d6fa5fe10b3f9c3985c49da8b7b961c41163897b97cb54df9c
Instruction Fuzzy Hash: 7811E664F4E60352FA78A6E598F137A02919F0B384F94E135DD0E8A2DBEEEDE455C210

Function 00007FFD942F40E4 Relevance: 19.6, APIs: 2, Strings: 9, Instructions: 392COMMON

Download Yara Rule

Strings

too many digits in integer, xrefs: 00007FFD94344519
-, xrefs: 00007FFD942F4160
0, xrefs: 00007FFD9434454E
invalid literal for int() with base %d: %.200R, xrefs: 00007FFD9434491D
0, xrefs: 00007FFD942F4174
_, xrefs: 00007FFD9434471A
_, xrefs: 00007FFD94344745
int() arg 2 must be >= 2 and <= 36, xrefs: 00007FFD94344509
+, xrefs: 00007FFD942F4157

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: +$-$0$0$_$_$int() arg 2 must be >= 2 and <= 36$invalid literal for int() with base %d: %.200R$too many digits in integer
API String ID: 0-4232543357
Opcode ID: a7419bbfac2b93d9c57f7c1bf6cc33874ce3ace00a31b41acc30ca9eb4f9ca43
Instruction ID: 7f7d44f452fd29dc0f08839f3c6fcba31f9065063c0b61ab48521b3005936233
Opcode Fuzzy Hash: a7419bbfac2b93d9c57f7c1bf6cc33874ce3ace00a31b41acc30ca9eb4f9ca43
Instruction Fuzzy Hash: 4EF10F22B0869285FB719FF194B02B92BA4BF27798F58C179DA5D17687CF3EA441C300

Function 00007FFD943043C8 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 215COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FFD9434B0BC

Strings

can't resolve package from __spec__ or __package__, falling back on __name__ and __path__, xrefs: 00007FFD9434AF67
attempted relative import beyond top-level package, xrefs: 00007FFD9434B07B
__spec__.parent must be a string, xrefs: 00007FFD9434AF57
%U.%U, xrefs: 00007FFD9434B0B2
package must be a string, xrefs: 00007FFD9434AED6
'__name__' not in globals, xrefs: 00007FFD9434AEB3
globals must be a dict, xrefs: 00007FFD9434AEC3
attempted relative import with no known parent package, xrefs: 00007FFD9434B03B
__package__ != __spec__.parent, xrefs: 00007FFD9434AF09
__name__ must be a string, xrefs: 00007FFD9434AEDF

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _scwprintf
String ID: %U.%U$'__name__' not in globals$__name__ must be a string$__package__ != __spec__.parent$__spec__.parent must be a string$attempted relative import beyond top-level package$attempted relative import with no known parent package$can't resolve package from __spec__ or __package__, falling back on __name__ and __path__$globals must be a dict$package must be a string
API String ID: 1992661772-3138962734
Opcode ID: 6c585f18f56e860f734b18b5ffe05669c203592780a8575c49c47261fb0cd326
Instruction ID: 268a1add7f45ae0e24a65745b2dfeda43b27d04aa9ae03f480fbec377a3c5f67
Opcode Fuzzy Hash: 6c585f18f56e860f734b18b5ffe05669c203592780a8575c49c47261fb0cd326
Instruction Fuzzy Hash: 3E91AE21B4974281EEB4EBA6D9E02B92351AF46BA4F58C239D92D077D7DF3CE545C300

Function 00007FFDA43352B8 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

template-parameter-, xrefs: 00007FFDA4335386
generic-type-, xrefs: 00007FFDA43353C1

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID:
String ID: generic-type-$template-parameter-
API String ID: 0-13229604
Opcode ID: 70b443f6515fd204edc871a350c1bb8dec40db9c85fcd18bef4ce3e17bfd1a57
Instruction ID: 7f2132fd329c423df7715eaea237b12da1e287fe7c23852a69118d80f9b03783
Opcode Fuzzy Hash: 70b443f6515fd204edc871a350c1bb8dec40db9c85fcd18bef4ce3e17bfd1a57
Instruction Fuzzy Hash: 13819C22F9AE8684FB10AB24D4F02FC2761AB56789F905131DA4E127B7DF3CB546C348

Function 00007FFD942CE214 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFD942D9190: EnterCriticalSection.KERNEL32(?,?,?,00007FFD942D89C3,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D91C1
Part of subcall function 00007FFD942D9190: LeaveCriticalSection.KERNEL32(?,?,?,00007FFD942D89C3,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D91E6

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94329AB4

Part of subcall function 00007FFD942CE40C: CreateFileW.KERNEL32 ref: 00007FFD942CE461
Part of subcall function 00007FFD942CE40C: GetFileInformationByHandle.KERNEL32 ref: 00007FFD942CE47B
Part of subcall function 00007FFD942CE40C: CloseHandle.KERNEL32 ref: 00007FFD942CE499
Part of subcall function 00007FFD942CE40C: memset.VCRUNTIME140 ref: 00007FFD942CE4AB

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942CE350
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942CE362

Part of subcall function 00007FFD942D90C0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D90D8
Part of subcall function 00007FFD942D90C0: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D90E7
Part of subcall function 00007FFD942D90C0: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9107
Part of subcall function 00007FFD942D90C0: LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9136
Part of subcall function 00007FFD942D90C0: LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9164
Part of subcall function 00007FFD942D90C0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D916A

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942CE382

Part of subcall function 00007FFD942D78F0: memset.VCRUNTIME140 ref: 00007FFD942D79CC

Strings

stat, xrefs: 00007FFD942CE246
%s: can't specify dir_fd without matching path, xrefs: 00007FFD94329A25
path, xrefs: 00007FFD942CE23A
PyEval_SaveThread: NULL tstate, xrefs: 00007FFD94329A64
%s: cannot use fd and follow_symlinks together, xrefs: 00007FFD94329A48
%s: can't specify both dir_fd and fd, xrefs: 00007FFD94329A37
PyEval_RestoreThread: NULL tstate, xrefs: 00007FFD94329A8C

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: CriticalSection$_errno$EnterLeave$FileHandlememset$CloseCreateInformationabort
String ID: %s: can't specify both dir_fd and fd$%s: can't specify dir_fd without matching path$%s: cannot use fd and follow_symlinks together$PyEval_RestoreThread: NULL tstate$PyEval_SaveThread: NULL tstate$path$stat
API String ID: 3840619809-792632094
Opcode ID: 166c779aea3d5dc1211d32470d7c0897fcaef826ac74cf98492bdeff6ef10ce9
Instruction ID: fd760ad0494de0cb41ceef54610153fe2c16559d75dc6ebd79f1a1593239cbb9
Opcode Fuzzy Hash: 166c779aea3d5dc1211d32470d7c0897fcaef826ac74cf98492bdeff6ef10ce9
Instruction Fuzzy Hash: CA716E32B08A4296FB30ABE4E8E02B973A0BF86754F54C139D95D4B696DF7CE445C700

Function 00007FFDA433673C Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 191COMMON

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFDA4336835
DName::operator+=.LIBCMT ref: 00007FFDA43369D3

Strings

void, xrefs: 00007FFDA4336822
..., xrefs: 00007FFDA43369E3
`template-parameter, xrefs: 00007FFDA43368F6, 00007FFDA4336934

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=Name::operator=
String ID: ...$`template-parameter$void
API String ID: 1838073732-2152273162
Opcode ID: 2d67cdb223639da10c89b53df5ad5b59e5e5ffd93af26713ac1e28e1a3bfb401
Instruction ID: af357d67606284c6fef3a5a54b1f4207d37fd2c08eb492c0fd6173696f078293
Opcode Fuzzy Hash: 2d67cdb223639da10c89b53df5ad5b59e5e5ffd93af26713ac1e28e1a3bfb401
Instruction Fuzzy Hash: 43916122F8AE8689FA21EB25E4B01B82760FB46748F549135D98D167B7DF2CF545C308

Function 00007FFD942D90C0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D90D8
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D90E7
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9107
LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9136
LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9164
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D916A

Strings

PyCOND_SIGNAL(_PyRuntime.ceval.gil.switch_cond) failed, xrefs: 00007FFD943310A7
PyCOND_WAIT(_PyRuntime.ceval.gil.cond) failed, xrefs: 00007FFD94331039
take_gil: NULL tstate, xrefs: 00007FFD94330FC0

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: CriticalSection$EnterLeave_errno
String ID: PyCOND_SIGNAL(_PyRuntime.ceval.gil.switch_cond) failed$PyCOND_WAIT(_PyRuntime.ceval.gil.cond) failed$take_gil: NULL tstate
API String ID: 81201238-720980416
Opcode ID: b1577ce6a8251e5756ff26a9a5a75d45fa96917c37f006f95c7f577549770823
Instruction ID: 4631f8745ed1d6548fd7fa81e3cfa700f82a11a837fbf66a7ef23c44f0da4220
Opcode Fuzzy Hash: b1577ce6a8251e5756ff26a9a5a75d45fa96917c37f006f95c7f577549770823
Instruction Fuzzy Hash: CD512AB0F1D68286EA399BA4E8F05B923A4BF46B44F80C139E91D87666DF7CE445C740

Function 00007FFD9444BC80 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FFD9444BCEF
__swprintf_l.LIBCMT ref: 00007FFD9444BD2A
__swprintf_l.LIBCMT ref: 00007FFD9444BD70
__swprintf_l.LIBCMT ref: 00007FFD9444BD98
__swprintf_l.LIBCMT ref: 00007FFD9444BDC1

Strings

%.256s, xrefs: 00007FFD9444BDB7
%.200s() , xrefs: 00007FFD9444BCDE
argument %Id, xrefs: 00007FFD9444BD23
argument, xrefs: 00007FFD9444BD91
, item %d, xrefs: 00007FFD9444BD66

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __swprintf_l
String ID: %.256s$%.200s() $, item %d$argument$argument %Id
API String ID: 1488884202-3361308884
Opcode ID: d664c496e28a323f0291a2345cff415a6218e76905ba0b3fea4e79122400bda2
Instruction ID: e2a8eeafc170bf4254f3d691dd7ea8566766c6304972be0e5ea536c4d5223703
Opcode Fuzzy Hash: d664c496e28a323f0291a2345cff415a6218e76905ba0b3fea4e79122400bda2
Instruction Fuzzy Hash: 8041D3A2B086C555FA71DBE1E9E43F96390AF5A794F848232DC4D0768BDE2CE505C300

Function 00007FFDA433866C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFDA43386CF

Part of subcall function 00007FFDA4338D30: DName::operator=.LIBVCRUNTIME ref: 00007FFDA4338DBD
Part of subcall function 00007FFDA4338D30: DName::DName.LIBCMT ref: 00007FFDA43390F5
Part of subcall function 00007FFDA4338D30: DName::operator+=.LIBCMT ref: 00007FFDA433910A
Part of subcall function 00007FFDA4338D30: DName::operator+=.LIBCMT ref: 00007FFDA433915E
Part of subcall function 00007FFDA4338D30: DName::operator+=.LIBCMT ref: 00007FFDA433916B

DName::operator+=.LIBCMT ref: 00007FFDA43388B3

Strings

std::nullptr_t , xrefs: 00007FFDA43387C1
std::nullptr_t, xrefs: 00007FFDA43387D6
volatile, xrefs: 00007FFDA43386C4, 00007FFDA43387F9

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$Name::operator=$NameName::
String ID: std::nullptr_t$std::nullptr_t $volatile
API String ID: 3827037725-294867888
Opcode ID: 0ea7df04049d07e16cd1842f6fb031b3d330cdb684f49557273bbca790ada4f5
Instruction ID: af32ada26d38292f9de157113cfdc0d1d7b765dd7fc962d9680a81528f2013dd
Opcode Fuzzy Hash: 0ea7df04049d07e16cd1842f6fb031b3d330cdb684f49557273bbca790ada4f5
Instruction Fuzzy Hash: 6D617F25F9EE0784FA19BB25E9B43B826A1FF86784F448531D50D16BBBCF7CB5408208

Function 00007FFDA4332890 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43328C7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43328E1
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332929
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433293E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332953
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433298F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332A75
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332A92

Strings

csm, xrefs: 00007FFDA4332A39

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort
String ID: csm
API String ID: 4206212132-1018135373
Opcode ID: aba289c9a0016203411b510f0dce6392862e50737d1210678b76d2a93b3ab7ff
Instruction ID: e804c2a454945020ee8391be01e5bed501df73950eabcc08dde0331922edb547
Opcode Fuzzy Hash: aba289c9a0016203411b510f0dce6392862e50737d1210678b76d2a93b3ab7ff
Instruction Fuzzy Hash: A9516072B4AF4692EA60BB11A4B026963A4FF4AB65F104535DEAD037B6DF3CF4508708

Function 00007FFD9443F740 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 105COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FFD9443F7AD
_scwprintf.LIBCMT ref: 00007FFD9443F7BB
_scwprintf.LIBCMT ref: 00007FFD9443F80A

Strings

was, xrefs: 00007FFD9443F83B
were, xrefs: 00007FFD9443F847
from %zd to %zd, xrefs: 00007FFD9443F79D
positional argument%s (and %zd keyword-only argument%s), xrefs: 00007FFD9443F7EE
%zd, xrefs: 00007FFD9443F7B4
%U() takes %U positional argument%s but %zd%U %s given, xrefs: 00007FFD9443F852

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _scwprintf
String ID: positional argument%s (and %zd keyword-only argument%s)$%U() takes %U positional argument%s but %zd%U %s given$%zd$from %zd to %zd$was$were
API String ID: 1992661772-2411957145
Opcode ID: 1dcaf404ed01601a6bde73b45695737bdf3e08043b06aa97633f8b6134e023b3
Instruction ID: 58f7b0e00182d144ed70c36632a9ecf40b64e6aff0bcd6b81f6bcad17383e731
Opcode Fuzzy Hash: 1dcaf404ed01601a6bde73b45695737bdf3e08043b06aa97633f8b6134e023b3
Instruction Fuzzy Hash: 8241D131B18B4A80EAA99F91DEA026963A4FB46FD4F48C031DD0D07B5ADF7CD542C340

Function 00007FFD942CFDEC Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 189stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,?,?,00007FFD942CF371), ref: 00007FFD942CFE34

Strings

Invalid format string (| specified twice), xrefs: 00007FFD9432BC3D
Invalid format string ($ specified twice), xrefs: 00007FFD9432BC46
%s: '%s', xrefs: 00007FFD9432BC54
Empty keyword parameter name, xrefs: 00007FFD9432BC05
Empty parameter name after $, xrefs: 00007FFD9432BC0E
Invalid format string ($ before |), xrefs: 00007FFD9432BC34
More keyword list entries (%d) than format specifiers (%d), xrefs: 00007FFD9432BC73
more argument specifiers than keyword list entries (remaining format:'%s'), xrefs: 00007FFD9432BC98

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: strchr
String ID: %s: '%s'$Empty keyword parameter name$Empty parameter name after $$Invalid format string ($ before |)$Invalid format string ($ specified twice)$Invalid format string (| specified twice)$More keyword list entries (%d) than format specifiers (%d)$more argument specifiers than keyword list entries (remaining format:'%s')
API String ID: 2830005266-252920663
Opcode ID: 8511f18c1e3cd1db6a5c1bac6dc3a8e30705da873ec90e2fc86077bbc6948e9b
Instruction ID: faf7246d6fb54f2458aba17dcede5e0faf41d6fe1c04b4e1fc795cbdf43c1291
Opcode Fuzzy Hash: 8511f18c1e3cd1db6a5c1bac6dc3a8e30705da873ec90e2fc86077bbc6948e9b
Instruction Fuzzy Hash: 22819D62B09A5681EB71AFA5D4E027877A4FF86B88F128036DA5D037A7DF7DE441C340

Function 00007FFDA4332B60 Relevance: 15.2, APIs: 10, Instructions: 160COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332B9C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332BCD
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332C3A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332C58
__AdjustPointer.LIBCMT ref: 00007FFDA4332C99
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332CA6
__AdjustPointer.LIBCMT ref: 00007FFDA4332CE0
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332CF5
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332D3A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFDA4332DA3,?,?,?,00007FFDA4332817), ref: 00007FFDA4332D41

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: terminate$AdjustPointerabort
String ID:
API String ID: 334680829-0
Opcode ID: e53aa5a588c4ff15ee4a4b78e965efed956a7360077a91737507144f45bc7259
Instruction ID: d26d29fb132e0941ce6262e9c33db669235dae186b8ed310d711243d59e18ba6
Opcode Fuzzy Hash: e53aa5a588c4ff15ee4a4b78e965efed956a7360077a91737507144f45bc7259
Instruction Fuzzy Hash: 8F514C25B8BE4685FA69AB15D0F46386390AF56F80B19C435CA7D067F7DE2CF8428318

Function 00007FFD942DEEF0 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 417COMMON

Download Yara Rule

Strings

Inconsistent interned string state., xrefs: 00007FFD94334AFD
, xrefs: 00007FFD942DEF51
deletion of interned string failed, xrefs: 00007FFD94334CDF
..\Objects\dictobject.c, xrefs: 00007FFD94334B41
Immortal interned string died., xrefs: 00007FFD94334B0A

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: $..\Objects\dictobject.c$Immortal interned string died.$Inconsistent interned string state.$deletion of interned string failed
API String ID: 0-2090972053
Opcode ID: 2481623fbea544df1adce8b9a9e27ca44c8b7e1e2a028d59a662eac2f5f47c85
Instruction ID: 097ef0ee8c971aff21d9503d049d3ba3766e6c7cc52c1762fe88033a21cf2766
Opcode Fuzzy Hash: 2481623fbea544df1adce8b9a9e27ca44c8b7e1e2a028d59a662eac2f5f47c85
Instruction Fuzzy Hash: 8B02BF22B09A4681EA749B95D8B437823A1FF56BA4F51C335CA6E077E6DF3DE845C300

Function 00007FFDA4331858 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433188B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331944
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433196D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43319CC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331A20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4331A7D

Strings

csm, xrefs: 00007FFDA4331A53
csm, xrefs: 00007FFDA43318BB

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate
String ID: csm$csm
API String ID: 579254285-3733052814
Opcode ID: 18721ea34af84636fe96c0cbba772a656c0898b1f15f6a5dab68f69531c10990
Instruction ID: 957d792eb3e9717efcc40643873c8e2de118a3d5416914a1cd74f4e5f57613a2
Opcode Fuzzy Hash: 18721ea34af84636fe96c0cbba772a656c0898b1f15f6a5dab68f69531c10990
Instruction Fuzzy Hash: 1681BE32B4AA4286EE74AB5694F037962A0AF12B95F044136CB9D07BB7CF3CF450C748

Function 00007FFD943FFB98 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

_finite.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,00007FFD942CBF7C), ref: 00007FFD943FFBB5
_isnan.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,00007FFD942CBF7C), ref: 00007FFD943FFBC2
_isnan.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,00007FFD942CBF7C), ref: 00007FFD943FFBE9
frexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,00007FFD942CBF7C), ref: 00007FFD943FFC20
ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,00007FFD942CBF7C), ref: 00007FFD943FFC8D
ldexp.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,00007FFD942CBF7C), ref: 00007FFD943FFCBD

Strings

cannot convert float NaN to integer, xrefs: 00007FFD943FFBFA
cannot convert float infinity to integer, xrefs: 00007FFD943FFBD3

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _isnanldexp$_finitefrexp
String ID: cannot convert float NaN to integer$cannot convert float infinity to integer
API String ID: 1422574697-126850158
Opcode ID: cae6c879114a03fc70a2237d61bb131e28a87a87fe20b51d66915dc7430e8fba
Instruction ID: bf3ffb5cb156181c58f78ea97aeced3d160f42e4ae3dfe9798d58d29584925f7
Opcode Fuzzy Hash: cae6c879114a03fc70a2237d61bb131e28a87a87fe20b51d66915dc7430e8fba
Instruction Fuzzy Hash: F941E731B18A4686F729ABB498A0079A391EF56745F18C336DE0D57766EF3CF952C300

Function 00007FFDA4333260 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43332AE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43332CF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43332E8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333301
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333322
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333336
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433334D

Strings

csm, xrefs: 00007FFDA4333282

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort
String ID: csm
API String ID: 4206212132-1018135373
Opcode ID: 584ded2bf9d0e7ecbec9ce5d9a297426093a8ed53ac0e51979dd5eb085164eb9
Instruction ID: c4aecb99880cba1dd98815f17f8a1adf031d731de832821adf148714240fdafa
Opcode Fuzzy Hash: 584ded2bf9d0e7ecbec9ce5d9a297426093a8ed53ac0e51979dd5eb085164eb9
Instruction Fuzzy Hash: B4315E31F4BE0691FA64BB11D0F527822A4AF16B35F14A678CA6C027F7DF3CB4908649

Function 00007FFD942D9190 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FFD942D89C3,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D91C1
LeaveCriticalSection.KERNEL32(?,?,?,00007FFD942D89C3,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D91E6

Strings

drop_gil: GIL is not locked, xrefs: 00007FFD943310F2
PyCOND_WAIT(_PyRuntime.ceval.gil.switch_cond) failed, xrefs: 00007FFD94331197
PyCOND_SIGNAL(_PyRuntime.ceval.gil.cond) failed, xrefs: 00007FFD94331128

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: CriticalSection$EnterLeave
String ID: PyCOND_SIGNAL(_PyRuntime.ceval.gil.cond) failed$PyCOND_WAIT(_PyRuntime.ceval.gil.switch_cond) failed$drop_gil: GIL is not locked
API String ID: 3168844106-3733971824
Opcode ID: 8af8c89331202d048f53422b9ef5822c318268084c2eb6b130dc4920c3eb6777
Instruction ID: ae8aa58b25e80e3876356d096b6a2198717d203b4c50c29d514bdfb517d9248d
Opcode Fuzzy Hash: 8af8c89331202d048f53422b9ef5822c318268084c2eb6b130dc4920c3eb6777
Instruction Fuzzy Hash: 463118A1F1D58286FA399B95E8F05B023A4BF96B04F84C136D42D875A7EE6CA845C600

Function 00007FFDA433837C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFDA43383EE
DName::DName.LIBCMT ref: 00007FFDA4338419
DName::operator+=.LIBCMT ref: 00007FFDA433842E

Strings

short , xrefs: 00007FFDA43383DA
char , xrefs: 00007FFDA43383E3
int , xrefs: 00007FFDA43383D1
long , xrefs: 00007FFDA43383C8
unsigned , xrefs: 00007FFDA433840E

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: NameName::Name::operator+=Name::operator=
String ID: char $int $long $short $unsigned
API String ID: 2246115127-3894466517
Opcode ID: e93fbd8945d11942c2728bc56db1264dd46b66c41e3093382a189bac4109bd1e
Instruction ID: 98bfc821ed09db599ddbbaa1a37ab22f4a3788cd7ed6d20a4cba18b4965530b5
Opcode Fuzzy Hash: e93fbd8945d11942c2728bc56db1264dd46b66c41e3093382a189bac4109bd1e
Instruction Fuzzy Hash: CA31C626F8AE46C4FB14AB28E8F10BC23A1AF42754F945131C95C157BBDFACF4458308

Function 00007FFDA43363CC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDA43364AC
DName::DName.LIBVCRUNTIME ref: 00007FFDA43364D8
DName::DName.LIBCMT ref: 00007FFDA43364E7
DName::operator+=.LIBCMT ref: 00007FFDA43364FB
DName::DName.LIBVCRUNTIME ref: 00007FFDA433650A

Strings

`non-type-template-parameter, xrefs: 00007FFDA43363FF

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: NameName::$Name::operator+=
String ID: `non-type-template-parameter
API String ID: 709984152-4247534891
Opcode ID: 35b2574a636812e69d052f40c0f30e216fbf86f2622325e5766a8828a29a38e9
Instruction ID: 33d621996f89a9d71394253d71d0652f66d28b0b5dee97aa2745fbc5621a42ce
Opcode Fuzzy Hash: 35b2574a636812e69d052f40c0f30e216fbf86f2622325e5766a8828a29a38e9
Instruction Fuzzy Hash: 2D419521F8AE5689F620FB2295B01BC7761AF12B80F648031DA4D177B7DF2CF5558348

Function 00007FFDA43388CC Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00007FFDA43388F3

Part of subcall function 00007FFDA43389C4: DName::operator+=.LIBCMT ref: 00007FFDA4338A5E

DName::DName.LIBCMT ref: 00007FFDA43389B6

Strings

void, xrefs: 00007FFDA43389A8
,<ellipsis>, xrefs: 00007FFDA433892B
,..., xrefs: 00007FFDA4338950
..., xrefs: 00007FFDA4338998
<ellipsis>, xrefs: 00007FFDA433897D

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+=
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2414017184-2211150622
Opcode ID: 154fc988d14cce84759b0dc0ec85fd4e2c56fdd01c030ab4a5e63c9da46a57e2
Instruction ID: fe2e1977a453e4bf19433c7b407851a0ebcea2f205be6391368b6691a39c33b7
Opcode Fuzzy Hash: 154fc988d14cce84759b0dc0ec85fd4e2c56fdd01c030ab4a5e63c9da46a57e2
Instruction Fuzzy Hash: E1217A69B9EF8684F712AB18E8B01B83BE0AB46344F849131D58D523B7DF6CF580C309

Function 00007FFDA43339F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA4333A00
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDA4333A11

Part of subcall function 00007FFDA43343A0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDA4331D34), ref: 00007FFDA433441D
Part of subcall function 00007FFDA43343A0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDA4331D34), ref: 00007FFDA433445C

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4333A2B
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDA4333A68
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDA4333A8B

Strings

Access violation - no RTTI data!, xrefs: 00007FFDA4333A6E
Bad read pointer - no RTTI data!, xrefs: 00007FFDA4333A4B

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Exception$Throw$FileHeader$Raisestd::bad_alloc::bad_alloc
String ID: Access violation - no RTTI data!$Bad read pointer - no RTTI data!
API String ID: 1923196666-1829174677
Opcode ID: 3f8b18838d90c56c850e2a1d164cc9922ecef657bb0a605dc12429d838739955
Instruction ID: 61ec71bc7a761e733893446804f4fd55547654a2159d9c5647aabb7a482e0094
Opcode Fuzzy Hash: 3f8b18838d90c56c850e2a1d164cc9922ecef657bb0a605dc12429d838739955
Instruction Fuzzy Hash: 1E110D22B8AE4691FE60EB10E4F12B86370FF95759F80A031D54D463B6EF6CE608C708

Function 00007FFD942C368C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942C36A4
_isatty.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD942C36AF
_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD942C36BA
GetConsoleCP.KERNEL32 ref: 00007FFD943226B6
_scwprintf.LIBCMT ref: 00007FFD943226E1

Strings

cp%u, xrefs: 00007FFD943226DA

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _set_thread_local_invalid_parameter_handler$Console_isatty_scwprintf
String ID: cp%u
API String ID: 1103816965-2495265525
Opcode ID: 3e16bc88af80a582e665639ea113100d3b73a264a672a87579cc432629877760
Instruction ID: be6951ef0aced3ea10a48ac53563b37921b81e6a77c1f72b1db40732f3ebab2f
Opcode Fuzzy Hash: 3e16bc88af80a582e665639ea113100d3b73a264a672a87579cc432629877760
Instruction Fuzzy Hash: 79016D31F08A0282F774ABE1A8E007922A4FF46B41F60C435D50E576A6DEBCE845C300

Function 00007FFD942DACD0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942DAED9
memcpy.VCRUNTIME140 ref: 00007FFD942DAF41
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9433318D

Strings

empty separator, xrefs: 00007FFD943331DB
GC object already tracked, xrefs: 00007FFD9433321D
must be str, not %.100s, xrefs: 00007FFD943330F0

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy$abort
String ID: GC object already tracked$empty separator$must be str, not %.100s
API String ID: 3629556515-3941767964
Opcode ID: 136e919b1b97be9f4a5f8744bd2ca8abb2b00351dc4ee0c4d0128777051ea6d1
Instruction ID: e850384cf1d97338d8768b6bacd28614f4d862517dbef414369f280506359c77
Opcode Fuzzy Hash: 136e919b1b97be9f4a5f8744bd2ca8abb2b00351dc4ee0c4d0128777051ea6d1
Instruction Fuzzy Hash: D1D1A161B0DB8282EA749BA5D4B027963A4FF46B94F54C239DE9E477A6CF3DE441C300

Function 00007FFD9441AA48 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 312COMMON

Download Yara Rule

Strings

utf-16-le, xrefs: 00007FFD9441ABB9
utf-16, xrefs: 00007FFD9441ABCB
utf-16-be, xrefs: 00007FFD9441ABC4
utf-8, xrefs: 00007FFD9441AA4F
surrogates not allowed, xrefs: 00007FFD9441ABED, 00007FFD9441ADCD
surrogatepass, xrefs: 00007FFD9441AA50

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: surrogatepass$surrogates not allowed$utf-16$utf-16-be$utf-16-le$utf-8
API String ID: 0-2030462070
Opcode ID: 18480037189cd5195a0414b27eea909ffb4910b0ba7ff81555f5fbd8af51a3cd
Instruction ID: 5325836220f0fd1c58b6ba6c0cf31440db589300ea1c8bab257650329bc4d1ed
Opcode Fuzzy Hash: 18480037189cd5195a0414b27eea909ffb4910b0ba7ff81555f5fbd8af51a3cd
Instruction Fuzzy Hash: D3D1B232B05B4685EB20DFA5D5A43BC23A1EF6AB98F548635DE1D2778ADFB8D405C300

Function 00007FFD9441AEB8 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 292COMMON

Download Yara Rule

Strings

utf-32, xrefs: 00007FFD9441AFE4
utf-32-be, xrefs: 00007FFD9441AFDD
utf-8, xrefs: 00007FFD9441AEBF
surrogates not allowed, xrefs: 00007FFD9441B025, 00007FFD9441B1F8
surrogatepass, xrefs: 00007FFD9441AEC0
utf-32-le, xrefs: 00007FFD9441AFD1

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: surrogatepass$surrogates not allowed$utf-32$utf-32-be$utf-32-le$utf-8
API String ID: 0-3766617750
Opcode ID: 85d5225eb798daf372e2168ecc39d5c8b5fb2ff4b065ab4ce894be66a9a71b6f
Instruction ID: 712cc31159cbbd8a80ad0a6e9af543c90ff12664f2cdcffe033af7c4fe4c986b
Opcode Fuzzy Hash: 85d5225eb798daf372e2168ecc39d5c8b5fb2ff4b065ab4ce894be66a9a71b6f
Instruction Fuzzy Hash: 1EC1A572B09B8689EB60DFA5C4A42BC63A0FB1AB98F148235DE1D1779ADF78D505C300

Function 00007FFDA433A520 Relevance: 10.7, APIs: 7, Instructions: 210COMMON

Download Yara Rule

APIs

DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433A5F7
DName::operator+=.LIBCMT ref: 00007FFDA433A6BA
DName::operator+=.LIBCMT ref: 00007FFDA433A6DB
DName::operator+=.LIBCMT ref: 00007FFDA433A74B

Part of subcall function 00007FFDA433B020: DName::operator=.LIBVCRUNTIME ref: 00007FFDA433B045

DName::operator+=.LIBCMT ref: 00007FFDA433A775
DName::operator+=.LIBCMT ref: 00007FFDA433A7E5
DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433A823

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$Name::operator=
String ID:
API String ID: 1012376036-0
Opcode ID: 416ce3e35122fc123e2fd05a6e34548498637fec3ec67fb789986722d4f9b20f
Instruction ID: 57a28b570cf89dbf2614e96c22911ca408bc7c0f184c859314061ad3c269b05c
Opcode Fuzzy Hash: 416ce3e35122fc123e2fd05a6e34548498637fec3ec67fb789986722d4f9b20f
Instruction Fuzzy Hash: 90A1D322F55E6689F701EB74C8A13EC3770BB55308F444234EE5926ABAEF7CA585C304

Function 00007FFD9444B974 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9444BB3D
__swprintf_l.LIBCMT ref: 00007FFD9444BB8F

Strings

must be sequence of length %d, not %Id, xrefs: 00007FFD9444BA40
must be %d-item sequence, not %.50s, xrefs: 00007FFD9444BB70
is not retrievable, xrefs: 00007FFD9444BB30
None, xrefs: 00007FFD9444BB5F

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __swprintf_lstrncpy
String ID: None$is not retrievable$must be %d-item sequence, not %.50s$must be sequence of length %d, not %Id
API String ID: 342294800-2311616417
Opcode ID: aec54fd45d7be04cbce978d16b5a325912209128fcda8b3214500ed0c5dc81e8
Instruction ID: 17557a3d3688cc9c03afed1b0976b2e61614420bd9dbfc2da34b4f0cbfc5b3b9
Opcode Fuzzy Hash: aec54fd45d7be04cbce978d16b5a325912209128fcda8b3214500ed0c5dc81e8
Instruction Fuzzy Hash: 74513822B08BC685EA758B96E4A03B963A5FB46B84F44C031DE8D47B9ADF7CE545C700

Function 00007FFDA43325E4 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFDA43319F2), ref: 00007FFDA4332618
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFDA43319F2), ref: 00007FFDA4332651
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFDA43319F2), ref: 00007FFDA4332724

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6358ad6979ea7573ebc719a75f9efb155b9e64d51a27fd452c8d6bfb7014676b
Instruction ID: 385fcf722d1d211d8a0439a06e8d8eeb718c25616590ec5769d58b74df66e01c
Opcode Fuzzy Hash: 6358ad6979ea7573ebc719a75f9efb155b9e64d51a27fd452c8d6bfb7014676b
Instruction Fuzzy Hash: 3B518F32B4AE4686EA60BB14E4F527D6760FF86B59F158531DA2D027B3DF3CF4468208

Function 00007FFD942D89CC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89E2

Part of subcall function 00007FFD942D90C0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D90D8
Part of subcall function 00007FFD942D90C0: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D90E7
Part of subcall function 00007FFD942D90C0: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9107
Part of subcall function 00007FFD942D90C0: LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9136
Part of subcall function 00007FFD942D90C0: LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D9164
Part of subcall function 00007FFD942D90C0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,00007FFD942D89F2,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD942D916A

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89FE
wcschr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D8B20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD94330CAD

Strings

PyEval_RestoreThread: NULL tstate, xrefs: 00007FFD94330C8E
..\Objects\dictobject.c, xrefs: 00007FFD94330CD1

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: CriticalSection_errno$EnterLeave$abortwcschr
String ID: ..\Objects\dictobject.c$PyEval_RestoreThread: NULL tstate
API String ID: 2086701129-2226139678
Opcode ID: 283227f7ce52235c8a6458e66751a298e687bdde3a2c299f8f7269d8113763e2
Instruction ID: 5aa890eaf86a84c36295a49e3b732d855f861e7ad4eda84adbb492f1907dd7ac
Opcode Fuzzy Hash: 283227f7ce52235c8a6458e66751a298e687bdde3a2c299f8f7269d8113763e2
Instruction Fuzzy Hash: 21419E61B0E64291EA74ABA594F017D22A0BF47BA4F58C635DA2D077EBDE2DE841C300

Function 00007FFDA433A860 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433A9EF

Part of subcall function 00007FFDA4335DFC: DName::DName.LIBCMT ref: 00007FFDA4335E7C
Part of subcall function 00007FFDA4335DFC: DName::operator+=.LIBCMT ref: 00007FFDA4335E92
Part of subcall function 00007FFDA4335DFC: DName::operator+=.LIBCMT ref: 00007FFDA4335EE4
Part of subcall function 00007FFDA4335DFC: DName::operator+=.LIBCMT ref: 00007FFDA4335F9B

DName::operator+=.LIBCMT ref: 00007FFDA433A986
DName::operator+=.LIBCMT ref: 00007FFDA433A9A6
DName::operator+=.LIBCMT ref: 00007FFDA433A8EC

Part of subcall function 00007FFDA433B0A0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433B0B9

Part of subcall function 00007FFDA433B020: DName::operator=.LIBVCRUNTIME ref: 00007FFDA433B045

DName::operator+=.LIBCMT ref: 00007FFDA433AA39

Strings

{for , xrefs: 00007FFDA433A913

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameName::Name::operator=
String ID: {for
API String ID: 712027794-864106941
Opcode ID: 4678b39145674e81dc8f0be71b35f6d5d2363d54f721273051ad2b84673320d4
Instruction ID: 64dc52e29facbb5d79c260e01a0573d32fc92ee0a436e2f233dd3b6e7d68ca9f
Opcode Fuzzy Hash: 4678b39145674e81dc8f0be71b35f6d5d2363d54f721273051ad2b84673320d4
Instruction Fuzzy Hash: CD518262F59E8988FB01AB64D9A13FC3760BB5A758F449130DA4C267B7DF7CA184C348

Function 00007FFD94315300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFD943BFE71,?,?,00000000,00007FFD94328AFE), ref: 00007FFD9431532E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFD943BFE71,?,?,00000000,00007FFD94328AFE), ref: 00007FFD9431535A
LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFD943BFE71,?,?,00000000,00007FFD94328AFE), ref: 00007FFD9431543F

Strings

(iOOiO), xrefs: 00007FFD943153D4
Windows Error 0x%x, xrefs: 00007FFD94354072

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: (iOOiO)$Windows Error 0x%x
API String ID: 1365068426-3903120638
Opcode ID: 08046dfda4f16b712312b86cd33660e874c55d929de56acfb87c335df0583acf
Instruction ID: bf36a401c88b408ed232390965108f54f11f1deb0c8e7c8ba219543d56539ccb
Opcode Fuzzy Hash: 08046dfda4f16b712312b86cd33660e874c55d929de56acfb87c335df0583acf
Instruction Fuzzy Hash: 5B41A622B49B4281EA78ABA6D4A013DA2A5FF9AFD4F58C435DE4D47B56DF7CE401C300

Function 00007FFD94449050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFD944490CE
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD944490F1

Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89E2
Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89FE

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD94449107
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94449144
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94449161

Strings

str file path expected under Windows, got %R, xrefs: 00007FFD94449091

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _errno$ByteCharMultiWide_fileno_wfopenfclose
String ID: str file path expected under Windows, got %R
API String ID: 3245514772-4155840928
Opcode ID: 023078e8e1ce6b6ec9685d1e5334edfcc22aac3a4752fbac32fbee938b6feccc
Instruction ID: 3560a3da63800551a72ac5ba330ee44fd012f35e440fdb0c5f481f5fbdbbe7c1
Opcode Fuzzy Hash: 023078e8e1ce6b6ec9685d1e5334edfcc22aac3a4752fbac32fbee938b6feccc
Instruction Fuzzy Hash: 6B31C331B09A4281FE759BB2A9B527962D1AF4A7D0F44C035EE0D47B9BEE7DE401D700

Function 00007FFDA433BD60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

__isa_available_init.LIBCMT ref: 00007FFDA433BD66
__vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00007FFDA433BDD2
try_get_function.LIBVCRUNTIME ref: 00007FFDA433BE02
TlsAlloc.KERNEL32 ref: 00007FFDA433BE22
__vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFDA433BE48

Strings

FlsAlloc, xrefs: 00007FFDA433BDFB

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: AllocCriticalInitializeSection__isa_available_init__vcrt___vcrt_uninitialize_lockstry_get_function
String ID: FlsAlloc
API String ID: 1934285216-671089009
Opcode ID: e9aadef85f13c98a46f43c9ae6d6dd93d0ca5eda011a05bfd482366d3dfa9178
Instruction ID: fc6202e6ec330db24004f86317a9aea4ed699cd4a0308b496dc846f415f131bc
Opcode Fuzzy Hash: e9aadef85f13c98a46f43c9ae6d6dd93d0ca5eda011a05bfd482366d3dfa9178
Instruction Fuzzy Hash: 7A219F65F9AE0391FA44BB68E8F12F82291EF57782F919132D51D463B3EE2CF545C208

Function 00007FFD942ED5EC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,?,00000000,00007FFD9445267C,?,?,?,?,00007FFD94353BB2), ref: 00007FFD942ED60D
QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FFD9445267C,?,?,?,?,00007FFD94353BB2), ref: 00007FFD942ED649
QueryPerformanceCounter.KERNEL32(?,?,00000000,00007FFD9445267C,?,?,?,?,00007FFD94353BB2), ref: 00007FFD942ED670

Strings

invalid QueryPerformanceFrequency, xrefs: 00007FFD9433DACE
QueryPerformanceFrequency is too large, xrefs: 00007FFD9433DAE9
QueryPerformanceCounter(), xrefs: 00007FFD9433DAFA

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: PerformanceQuery$Counter$Frequency
String ID: QueryPerformanceCounter()$QueryPerformanceFrequency is too large$invalid QueryPerformanceFrequency
API String ID: 4286973305-3154678726
Opcode ID: 0cccf66fabf1f147cdc9def372632db856a501d760532ac2c54326296797642a
Instruction ID: 2918967dff7952aa13227577bb21a83d71152ccdd5df205bdd224310c1ef7111
Opcode Fuzzy Hash: 0cccf66fabf1f147cdc9def372632db856a501d760532ac2c54326296797642a
Instruction Fuzzy Hash: 0C319C31B2CB4681EA64EBA5E8F42756360FF86780F54C136D65E476A6DF3CE041C700

Function 00007FFDA4332580 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43325A8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43325B9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA43325D0

Part of subcall function 00007FFDA43346B8: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433B988), ref: 00007FFDA43346C6

Strings

csm, xrefs: 00007FFDA4332597
RCC, xrefs: 00007FFDA4332587
MOC, xrefs: 00007FFDA433258F

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate
String ID: MOC$RCC$csm
API String ID: 579254285-2671469338
Opcode ID: 59edab420f68e26c261b7c6cf7ce754f960922afdfdda63d0934300365c53850
Instruction ID: ea3ab6425e2e61747111e6ea8a01a612540ef54e076558bc17a525719d694aa0
Opcode Fuzzy Hash: 59edab420f68e26c261b7c6cf7ce754f960922afdfdda63d0934300365c53850
Instruction Fuzzy Hash: B0F06D71F8B90686F6947B50D0FA37832A4AF56706F42A434C62C523B3DF7C79808E19

Function 00007FFD9430FC10 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 322COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD9430FE2A
memcpy.VCRUNTIME140 ref: 00007FFD9430FE64

Strings

, xrefs: 00007FFD94350A3E
join() result is too long for a Python string, xrefs: 00007FFD94350B42
sequence item %zd: expected str instance, %.80s found, xrefs: 00007FFD94350B54
separator: expected str instance, %.80s found, xrefs: 00007FFD94350A7C

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy
String ID: $join() result is too long for a Python string$separator: expected str instance, %.80s found$sequence item %zd: expected str instance, %.80s found
API String ID: 3510742995-871204719
Opcode ID: 1fb5bd9c42f62304cccde2afc45d13a4e0a162bdd4b9533c2473218067a23b63
Instruction ID: 4e995fb46a3a08f422b7e9c3f06291180395e7bf03c8609ae31acfde91fbe627
Opcode Fuzzy Hash: 1fb5bd9c42f62304cccde2afc45d13a4e0a162bdd4b9533c2473218067a23b63
Instruction Fuzzy Hash: AED1A622B4978686EA74AEA594E027A67A0FF47B98F14C239DE4D477D6DF3DE401C300

Function 00007FFD942D7170 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 297COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFD942D7366

Strings

slice step cannot be zero, xrefs: 00007FFD9432F9D0
index out of range, xrefs: 00007FFD9432F98C
byte indices must be integers or slices, not %.200s, xrefs: 00007FFD9432FB8E
slice indices must be integers or None or have an __index__ method, xrefs: 00007FFD9432F99C
byte string is too large, xrefs: 00007FFD9432FB24

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpy
String ID: byte indices must be integers or slices, not %.200s$byte string is too large$index out of range$slice indices must be integers or None or have an __index__ method$slice step cannot be zero
API String ID: 3510742995-3840686077
Opcode ID: f2f6d9adc76bdca885d08859b19f1046290c27998b318c34cbce6be135dec42b
Instruction ID: 9ce13c5e6a16d070ac769a94aed0ac55fe70ae5d68dcbc38ab953674f4d123fe
Opcode Fuzzy Hash: f2f6d9adc76bdca885d08859b19f1046290c27998b318c34cbce6be135dec42b
Instruction Fuzzy Hash: 4DC1BC21B4E69291EA71ABE195B02B86290BF46BE0F08C639DD6E077D7DE2DE441D300

Function 00007FFD942CD920 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD942CD994
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD942CD9C4

Strings

tuple for startswith must only contain str, not %.100s, xrefs: 00007FFD9432926C
startswith, xrefs: 00007FFD942CD9BA
startswith first arg must be str or a tuple of str, not %.100s, xrefs: 00007FFD94329279
O|OO:, xrefs: 00007FFD942CD94C

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memsetstrncpy
String ID: O|OO:$startswith$startswith first arg must be str or a tuple of str, not %.100s$tuple for startswith must only contain str, not %.100s
API String ID: 388311670-3938993422
Opcode ID: bc33f185dc0edb4ca7ab107d11b28cceb46e1e9114a7ada73a4c074343038e80
Instruction ID: 3f3bd1402e7add29adcd60ecabe94894e1e8f258814f234b8ef50ee37603cc4c
Opcode Fuzzy Hash: bc33f185dc0edb4ca7ab107d11b28cceb46e1e9114a7ada73a4c074343038e80
Instruction Fuzzy Hash: 63518F32B28A4285FB60EBE5D5A01AC33A0FB4A794F408672DD5D5369ADF3DD506C340

Function 00007FFDA43323E0 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4332418
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4332449
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4332486
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43324A7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43324CA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4333676,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43324E8

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 59d5b5848c9a01a6136340efe39b5266282e0a80df4d996e1bc98ddf77b63703
Instruction ID: 958eb2a52a20f3f4b00f3ece9161d199a4b69af49c55f365ea579add4ea1972e
Opcode Fuzzy Hash: 59d5b5848c9a01a6136340efe39b5266282e0a80df4d996e1bc98ddf77b63703
Instruction Fuzzy Hash: 0B515C21F8BB8685FA65AB5591F03786690AF02744F298035DF6D027F7EF2CF9518708

Function 00007FFDA4333AA0 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFDA4333B0B
FindSITargetTypeInstance.LIBVCRUNTIME ref: 00007FFDA4333B44

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: FileFindHeaderInstanceTargetType
String ID:
API String ID: 746355257-0
Opcode ID: de18a415e55176f084864ee5b84c19d2c950669482b58723c53af6cfe6e88e4f
Instruction ID: 7feacb6f1f8ad6824c6bc824d332b2bafafb681661c0712e5d7f61bf3d364856
Opcode Fuzzy Hash: de18a415e55176f084864ee5b84c19d2c950669482b58723c53af6cfe6e88e4f
Instruction Fuzzy Hash: DE41602274AE8586DA60DF51E4E067AB3A0FB45BD0F1494B5DE8E47B76CF3CE4418704

Function 00007FFDA43398C8 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

UnDecorator::getPtrRefDataType.LIBVCRUNTIME ref: 00007FFDA4339935

Part of subcall function 00007FFDA433A3F8: DName::DName.LIBCMT ref: 00007FFDA433A441

DName::DName.LIBCMT ref: 00007FFDA4339946
DName::operator+=.LIBCMT ref: 00007FFDA4339965
DName::operator+=.LIBCMT ref: 00007FFDA4339976
DName::operator+=.LIBCMT ref: 00007FFDA43399B5
DName::operator+=.LIBCMT ref: 00007FFDA43399D6

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameName::$DataDecorator::getType
String ID:
API String ID: 3715550830-0
Opcode ID: 959898aa4e6880cfb4dda41399f023586db2259ddd9db413c73ec9293d985265
Instruction ID: 82bdadf260515cd0d5fe1eb54db8db33097d3accf74604d6e5085f298252f570
Opcode Fuzzy Hash: 959898aa4e6880cfb4dda41399f023586db2259ddd9db413c73ec9293d985265
Instruction Fuzzy Hash: E5317E62B4AA4285FB10EA21D8F01BD63A5BF52788F448832DE9D567BBDE3CE4558304

Function 00007FFD942CC124 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94328259,?,?,?,00007FFD942CB6DA), ref: 00007FFD942CC15E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94328259,?,?,?,00007FFD942CB6DA), ref: 00007FFD942CC16F
_read.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFD94328259,?,?,?,00007FFD942CB6DA), ref: 00007FFD942CC181
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94328259,?,?,?,00007FFD942CB6DA), ref: 00007FFD942CC18A

Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89E2
Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89FE

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94328259,?,?,?,00007FFD942CB6DA), ref: 00007FFD942CC1A6

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _errno$_set_thread_local_invalid_parameter_handler$_read
String ID:
API String ID: 2739956359-0
Opcode ID: 035a5fbb8d68e4fe418121a11e4bd035a9c2e7bf62f38d4ab88da437b298bb62
Instruction ID: 501606840091191051c64eb85d2b742ca6070fdd87c6e839755d7e64de93b64a
Opcode Fuzzy Hash: 035a5fbb8d68e4fe418121a11e4bd035a9c2e7bf62f38d4ab88da437b298bb62
Instruction Fuzzy Hash: 69218631F09A1286F635ABA2A8A01697790BF46BA1F45C630ED6D07796CE7CE442C704

Function 00007FFD942DFB9F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

bad marshal data (invalid reference), xrefs: 00007FFD94335C5E
marshal data too short, xrefs: 00007FFD94336A2C
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 00007FFD94336B70
EOF read where not expected, xrefs: 00007FFD94336B7E

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: EOF read where not expected$bad marshal data (invalid reference)$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 0-1399349706
Opcode ID: 8f980172282d79d8fa4a086ee50dd7ddc7d53ef9f24138d26fb0c4e68ab2d5a6
Instruction ID: ee6a9aef9c3cd28e47145abf1af0205d6a019197fe3fe773da5d471d494bbca6
Opcode Fuzzy Hash: 8f980172282d79d8fa4a086ee50dd7ddc7d53ef9f24138d26fb0c4e68ab2d5a6
Instruction Fuzzy Hash: BA619461B49A4284FB78ABB5C4F027823A1FF46B98F54C279CA5D037A7DE2DE451C340

Function 00007FFD9440F5D8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FFD9440F66C
__swprintf_l.LIBCMT ref: 00007FFD9440F6E8

Strings

Cannot create a consistent method resolutionorder (MRO) for bases, xrefs: 00007FFD9440F657
,, xrefs: 00007FFD9440F71F
%s, xrefs: 00007FFD9440F6DB

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __swprintf_l
String ID: %s$,$Cannot create a consistent method resolutionorder (MRO) for bases
API String ID: 1488884202-3781339937
Opcode ID: fc248b0447ac8746cce5eb6a1efbf85056c13afa8f11bc6789d6b5d32318c7ba
Instruction ID: 51813512bd74359e9abba02a09eb1017d3d775d031152bf999ddee36de7286e0
Opcode Fuzzy Hash: fc248b0447ac8746cce5eb6a1efbf85056c13afa8f11bc6789d6b5d32318c7ba
Instruction Fuzzy Hash: A8418122B09A8281EB719B95E5A43BD6390FF4AB94F448531DE4D07B5BDFBCE412C300

Function 00007FFD943E4E80 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

sequence.index(x): x not in sequence, xrefs: 00007FFD943E4FB0
count exceeds C integer size, xrefs: 00007FFD943E4F66
index exceeds C integer size, xrefs: 00007FFD943E4F91
argument of type '%.200s' is not iterable, xrefs: 00007FFD943E4EC8

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: argument of type '%.200s' is not iterable$count exceeds C integer size$index exceeds C integer size$sequence.index(x): x not in sequence
API String ID: 0-2545742423
Opcode ID: 48f7a575f0b5899d4204185d9ad720aeea32235972c64d94dd2d93a632856fe9
Instruction ID: c75b7afcde3a036e6c5a15227ac64e806de9db316e3c33cbbf436cf7693e2b5d
Opcode Fuzzy Hash: 48f7a575f0b5899d4204185d9ad720aeea32235972c64d94dd2d93a632856fe9
Instruction Fuzzy Hash: E5419425B4E54382EA74AAE295E027B62507F1ABB4F14C739DD2D07AC7DE3CF456C200

Function 00007FFD9443F1CC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FFD9443F21D
_scwprintf.LIBCMT ref: 00007FFD9443F2D0

Strings

%U() missing %i required %s argument%s: %U, xrefs: 00007FFD9443F304
%U and %U, xrefs: 00007FFD9443F2C6
, %U, and %U, xrefs: 00007FFD9443F211

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _scwprintf
String ID: %U and %U$%U() missing %i required %s argument%s: %U$, %U, and %U
API String ID: 1992661772-1142423016
Opcode ID: a7b7b3d148548af01b53a1fb381eb759755be1de859a4100bc70777718cb5fce
Instruction ID: cd5f5e95eac579b576ee18227f3fff5f6b8edb8901b91db243c06f0d98eef64e
Opcode Fuzzy Hash: a7b7b3d148548af01b53a1fb381eb759755be1de859a4100bc70777718cb5fce
Instruction Fuzzy Hash: E6415976B08B4A81EA64DF92DAA007D63A0FB46FD0B54C432DE4D07B9ADF6CE555C300

Function 00007FFDA43337D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA4331FE0), ref: 00007FFDA433386F
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA4331FE0), ref: 00007FFDA4333876
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDA4331FE0), ref: 00007FFDA433387D
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4333894

Strings

csm, xrefs: 00007FFDA43337EE

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: terminate
String ID: csm
API String ID: 1821763600-1018135373
Opcode ID: 7253fee296770127af10519e1f40fa98c0c6a388366d3c10a2b55303015d8757
Instruction ID: 5e31f8bbf67586f801b8ba16dc6f33702447e405ecda9065ab443b288e1a4f00
Opcode Fuzzy Hash: 7253fee296770127af10519e1f40fa98c0c6a388366d3c10a2b55303015d8757
Instruction Fuzzy Hash: 3E11A4B1F8AA4A81EB68AB65C0F42782361FF11B55F149875CA1D4A772CE2CF859C205

Function 00007FFD942C136A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 00007FFD94320B47

Strings

__repr__ returned non-string (type %.200s), xrefs: 00007FFD94320B6B
<NULL>, xrefs: 00007FFD94320B27
while getting the repr of an object, xrefs: 00007FFD94320B52
<%s object at %p>, xrefs: 00007FFD94320B3D

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _scwprintf
String ID: while getting the repr of an object$<%s object at %p>$<NULL>$__repr__ returned non-string (type %.200s)
API String ID: 1992661772-3345224824
Opcode ID: 0f3e19fb9437741f4bf45efdb43692c525bade20e1bde2dd3879df3325cb7b2f
Instruction ID: 85f9128062733ea1009186cbf998fd0788c3df8b2ca525e960bfcb4269c1c9cd
Opcode Fuzzy Hash: 0f3e19fb9437741f4bf45efdb43692c525bade20e1bde2dd3879df3325cb7b2f
Instruction Fuzzy Hash: 5D315A61B4864696EA70AFA5D5F12B837B0FF46B49F14C039CA0E872A7DF2CE444C380

Function 00007FFD942ED544 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51timeCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FFD942ED55C
GetSystemTimeAdjustment.KERNEL32(?,?,?,?,?,00007FFD9445264B,?,?,?,?,00007FFD94348A8A), ref: 00007FFD9433DA35

Strings

GetTickCount64(), xrefs: 00007FFD9433DA15
timestamp too large to convert to C _PyTime_t, xrefs: 00007FFD9433D9F1

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: AdjustmentCount64SystemTickTime
String ID: GetTickCount64()$timestamp too large to convert to C _PyTime_t
API String ID: 4101014962-3366763929
Opcode ID: c4df0e352b9d0e30c34766871bb8adc2d96903d290348bd5b73090dd4ad8f2ee
Instruction ID: 488aa9a98da16a245c59ff2bb29c90bb7a6c733b082afb61f8005e7f3931180b
Opcode Fuzzy Hash: c4df0e352b9d0e30c34766871bb8adc2d96903d290348bd5b73090dd4ad8f2ee
Instruction Fuzzy Hash: FE11A731B1CB4281E771AFA4E4A016AA360FF85798F54C635D64D47666EF7CD141C700

Function 00007FFD944512A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FFD9431E76A,?,?,?,?,00007FFD9431FD71), ref: 00007FFD944512C9
_isatty.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FFD9431E76A,?,?,?,?,00007FFD9431FD71), ref: 00007FFD944512D1

Strings

???, xrefs: 00007FFD94451306
<stdin>, xrefs: 00007FFD944512F3

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _fileno_isatty
String ID: <stdin>$???
API String ID: 3177123343-1903793674
Opcode ID: 20789896396ee40e945be55518b26ee7b44d5bfa25404d4670e11fab71fa6a97
Instruction ID: 10c192806a1854d06a1c702562dfa9d319c438650f80b372b69cc6df2ed550e1
Opcode Fuzzy Hash: 20789896396ee40e945be55518b26ee7b44d5bfa25404d4670e11fab71fa6a97
Instruction Fuzzy Hash: BC015E60F0D60381FF7857F5A5F017952A19F07794F50C134DD1A8AA8FEEACE445C200

Function 00007FFD9444B850 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FFD9444B871
__swprintf_l.LIBCMT ref: 00007FFD9444B8AA

Strings

must be %.50s, not %.50s, xrefs: 00007FFD9444B8A0
%.100s, xrefs: 00007FFD9444B864
None, xrefs: 00007FFD9444B884

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __swprintf_l
String ID: %.100s$None$must be %.50s, not %.50s
API String ID: 1488884202-949321308
Opcode ID: ede76fc8783688cbf57b5ccb7c322d2f1df04b23dc8551c7358c2011ed361058
Instruction ID: 05ab95b33cd32cb95bdc6088d4af9fa6e2e4309530dabb3ed8c306a25398447e
Opcode Fuzzy Hash: ede76fc8783688cbf57b5ccb7c322d2f1df04b23dc8551c7358c2011ed361058
Instruction Fuzzy Hash: 53F01D55B09B4585EE719BD2D8A00B86751AB1ABD4FC4C532DC4C1B366DE7CE585C340

Function 00007FFD9441E514 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 26COMMON

Download Yara Rule

Strings

cp%u, xrefs: 00007FFD9441E552
mbcs, xrefs: 00007FFD9441E525
CP_UTF7, xrefs: 00007FFD9441E536
CP_UTF8, xrefs: 00007FFD9441E547

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: CP_UTF7$CP_UTF8$cp%u$mbcs
API String ID: 0-303662680
Opcode ID: f97dd719f4818790a30db890bf78bb31853e559b813c3c62f0e8036fef6e14bf
Instruction ID: a62a374e8c2d19fd8485063101e95097ac257cb2966c4dcf12e929d2b13ddb7c
Opcode Fuzzy Hash: f97dd719f4818790a30db890bf78bb31853e559b813c3c62f0e8036fef6e14bf
Instruction Fuzzy Hash: 70F01765F09A03C1FA7A97D1D4F037522655F3E340E60C035C40E0A69BFEACA985D300

Function 00007FFD94310BBC Relevance: 7.7, APIs: 5, Instructions: 192COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,00007FFD94310BAA,?,?,?,00007FFD94322962,?,?,?,?,?,?,00000002), ref: 00007FFD94310C53
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94310BAA,?,?,?,00007FFD94322962,?,?,?,?,?,?,00000002), ref: 00007FFD943514B3
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94310BAA,?,?,?,00007FFD94322962,?,?,?,?,?,?,00000002), ref: 00007FFD943514CA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFD94310BAA,?,?,?,00007FFD94322962,?,?,?,?,?,?,00000002), ref: 00007FFD943515EA

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: abort$memcmp
String ID:
API String ID: 3422037362-0
Opcode ID: 1380816bc18b79ea9a6ab2aaf812aa8bfb6b4155b61e78eccceb37261ad70eca
Instruction ID: d5e637b5e7192c1cf408ed06b52aefaea21989f4be941e05a7fd853c95336f64
Opcode Fuzzy Hash: 1380816bc18b79ea9a6ab2aaf812aa8bfb6b4155b61e78eccceb37261ad70eca
Instruction Fuzzy Hash: 4E61E3E3FAD05392EE746BF480F053862A1AF17B58B64C639C61F45DC2DE2DB851DA00

Function 00007FFDA43335B8 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA4331FE0), ref: 00007FFDA43336CA

Part of subcall function 00007FFDA4334618: GetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA4334634
Part of subcall function 00007FFDA4334618: SetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA433469E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA4331FE0), ref: 00007FFDA43336B5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA4331FE0), ref: 00007FFDA43336BC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA4331FE0), ref: 00007FFDA43336C3
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA4331FE0), ref: 00007FFDA43336D1

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$ErrorLast$terminate
String ID:
API String ID: 3823219622-0
Opcode ID: b29bd04c6e031e9b0279e85989259f373e6af2ad862aa23fa9f515af0da1fe90
Instruction ID: de65e0bd5bb8270e7e977f0f5d6a8f7d2db98c1e5ec2d543945caa768e00d7fa
Opcode Fuzzy Hash: b29bd04c6e031e9b0279e85989259f373e6af2ad862aa23fa9f515af0da1fe90
Instruction Fuzzy Hash: 9931AC72B4AE868AFA50AB41D8F00BA2764FF46B91B069436DE0D07372DE3CF4418744

Function 00007FFD944497E8 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD94449845
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD94449850
_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD9444985C
GetFileType.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD94449892
SetHandleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD944498A8

Part of subcall function 00007FFD94449748: _set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD94449762
Part of subcall function 00007FFD94449748: _get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD9444976D
Part of subcall function 00007FFD94449748: _set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD94449779

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _set_thread_local_invalid_parameter_handler$_get_osfhandle$FileHandleInformationType
String ID:
API String ID: 43746634-0
Opcode ID: d7054d3f0ea8e46e246ef4c309c92cffb57b26788a3be243a1ada7bbd4b45459
Instruction ID: 297cc7ca5037618d67e7cdad9ea53c5f042cf0f40cfb99ce137210b2d32cebf0
Opcode Fuzzy Hash: d7054d3f0ea8e46e246ef4c309c92cffb57b26788a3be243a1ada7bbd4b45459
Instruction Fuzzy Hash: EC21C320F28A1382EF785BBA64A417962D0AF86770F54C234D92E476DFEEBCD841D600

Function 00007FFD943F92A0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD943F92CE
getc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD943F932B
ungetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD943F933B

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _errnogetcungetc
String ID:
API String ID: 3040112995-0
Opcode ID: ee6d43ad7073ac3b9c2ee48eca10459843ea6ba70cccb8ebde9b18ba8bd2c05d
Instruction ID: b5d045e3c4685ea4fa8185fa48180e248d6b5648005f6f1342a4a98811f4a61a
Opcode Fuzzy Hash: ee6d43ad7073ac3b9c2ee48eca10459843ea6ba70cccb8ebde9b18ba8bd2c05d
Instruction Fuzzy Hash: 8621C631B0C64681F6346BE665E403DA390AF527A0F54C975DD5887AFAEF7CD882C300

Function 00007FFD94314864 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFD943282E2), ref: 00007FFD94314894
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00007FFD943282E2), ref: 00007FFD9431489F
_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFD943282E2), ref: 00007FFD943148B2

Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89E2
Part of subcall function 00007FFD942D89CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D89FE

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFD943282E2), ref: 00007FFD943535D8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFD943282E2), ref: 00007FFD943535E5

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _errno$_set_thread_local_invalid_parameter_handler$_close
String ID:
API String ID: 3006293143-0
Opcode ID: 90c99ebc4db5cca1f7c79dba1cf3ea5feb9dfa68096ff0bcb97237091747ae0e
Instruction ID: 7800c24b20c6657900af4fe06abba967015d982024d5c5a21b87cdafcdf5bfd0
Opcode Fuzzy Hash: 90c99ebc4db5cca1f7c79dba1cf3ea5feb9dfa68096ff0bcb97237091747ae0e
Instruction Fuzzy Hash: 8D11C431B08A4286E224ABA5A4A002933A0FF8BB60F55D534DA2D4379ACF7DE042C700

Function 00007FFDA433BB80 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BB97
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBAE
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBC9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBDD
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBF7

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate
String ID:
API String ID: 579254285-0
Opcode ID: 17821590ba87eae2bf4fb380ef7ddf223aafd3e94c99a3243f47c2a257516f26
Instruction ID: 8fe09c3dd939e4266f6363feb600604e524e021e852db757c437a3a667e79e22
Opcode Fuzzy Hash: 17821590ba87eae2bf4fb380ef7ddf223aafd3e94c99a3243f47c2a257516f26
Instruction Fuzzy Hash: 91014021F8BE4651F964BB51E0F517C23649F16B55F180875C61C067BBDE6CF8808344

Function 00007FFDA4334DD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00007FFDA4334E46
DName::operator+=.LIBCMT ref: 00007FFDA4334E5A

Part of subcall function 00007FFDA433B0A0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433B0B9

DName::operator=.LIBVCRUNTIME ref: 00007FFDA4334F26

Part of subcall function 00007FFDA4334FFC: UnDecorator::getDataType.LIBCMT ref: 00007FFDA433502D

Strings

CV: , xrefs: 00007FFDA4334E38

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$DataDecorator::getNameName::Name::operator=Type
String ID: CV:
API String ID: 3072487126-3725821052
Opcode ID: 39166efe0e7249d59207c238a48dd69f00b105d727c6173734ff8b6b562cee2a
Instruction ID: e2aa7e271fbc421377c5b0f860926b20c07f84e0a44431cb103e588f3a32ef48
Opcode Fuzzy Hash: 39166efe0e7249d59207c238a48dd69f00b105d727c6173734ff8b6b562cee2a
Instruction Fuzzy Hash: 33618516F8EE8698FB11AB24D4B13B827A19F66784F588531EA4D127B7DF2CB544C308

Function 00007FFD9441FA34 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,surrogatepass,utf-8,00007FFD9434ABA9), ref: 00007FFD9441FAF6

Strings

surrogatepass, xrefs: 00007FFD9441FA3E

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: ByteCharMultiWide
String ID: surrogatepass
API String ID: 626452242-3123774191
Opcode ID: 9b1f2ca3376ae4514c77fe970c3160848ce44e28f4aca26a9b19ba736641db68
Instruction ID: 97362a9435baa8df52c5cda3af23a07f83f5074c33e41c75b694b91add24a6cd
Opcode Fuzzy Hash: 9b1f2ca3376ae4514c77fe970c3160848ce44e28f4aca26a9b19ba736641db68
Instruction Fuzzy Hash: 3A51A432B0974282EA749BA594B05796394BF5ABE4F14C535DE4E0779ADF7CF842C300

Function 00007FFDA43336D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43337AF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43337B6

Part of subcall function 00007FFDA4334618: GetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA4334634
Part of subcall function 00007FFDA4334618: SetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA433469E

Part of subcall function 00007FFDA4334618: _calloc_base.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA4331886), ref: 00007FFDA4334667
Part of subcall function 00007FFDA4334618: _free_base.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFDA4331886), ref: 00007FFDA4334696

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFDA4331FE0), ref: 00007FFDA43337C1

Strings

?AVbad_exception@std@@, xrefs: 00007FFDA4333765

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$ErrorLast$_calloc_base_free_base
String ID: ?AVbad_exception@std@@
API String ID: 3333041222-709615691
Opcode ID: 2cd9e9f2ca752213b193782c73fe37ad1fd948223c6f743fb4adfdbf3b7e13b4
Instruction ID: cb4918f4ed078af8fd67755ef934372ec172c3c15c49fa732e6d41984a1484dd
Opcode Fuzzy Hash: 2cd9e9f2ca752213b193782c73fe37ad1fd948223c6f743fb4adfdbf3b7e13b4
Instruction Fuzzy Hash: D9218071B4BE4696EA50BB24D4F12B923A0AF42B41F24A474CA5D437B6DE2CF442C358

Function 00007FFD942DFAE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

getc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD943352E9

Strings

bad marshal data (unknown type code), xrefs: 00007FFD94336BAB
EOF read where object expected, xrefs: 00007FFD94335318
recursion limit exceeded, xrefs: 00007FFD9433532D

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: getc
String ID: EOF read where object expected$bad marshal data (unknown type code)$recursion limit exceeded
API String ID: 1447138685-1585441539
Opcode ID: 72f05238e171c4731bc8dc38f1f5fda1c7758455a3667ae18ceeee513ad5f25f
Instruction ID: 43046e48aadec9cc2bd162e3f06e3302715d543736d538a64637687f6b1c434d
Opcode Fuzzy Hash: 72f05238e171c4731bc8dc38f1f5fda1c7758455a3667ae18ceeee513ad5f25f
Instruction Fuzzy Hash: 1531C432B08B4185E7749BA8D8A02BD33A5BF46768F948335D56D876E2CF3CE502C340

Function 00007FFDA43329BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA43346B8: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFDA433B988), ref: 00007FFDA43346C6

RaiseException.KERNEL32 ref: 00007FFDA4332A0A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332A75
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4332A92

Strings

csm, xrefs: 00007FFDA4332A39

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$ExceptionRaise
String ID: csm
API String ID: 3453572468-1018135373
Opcode ID: 398f447e40f8b9aea4a622a490f6cd3960eb61f2b693702ec79c34d696902d56
Instruction ID: 06fd1e64468dd5d3fbf7c80012a3de61eee3947c8918221b03e08933e5e779ca
Opcode Fuzzy Hash: 398f447e40f8b9aea4a622a490f6cd3960eb61f2b693702ec79c34d696902d56
Instruction Fuzzy Hash: 85315036B49A4282E770AF11D0A026967A0FB85B65F058231DE9D037B6CF3CF845C744

Function 00007FFDA43381A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00007FFDA43381C5

Part of subcall function 00007FFDA4338270: DName::operator+=.LIBCMT ref: 00007FFDA43382E4

DName::operator+=.LIBCMT ref: 00007FFDA4338215

Part of subcall function 00007FFDA433B0A0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDA433B0B9

Part of subcall function 00007FFDA433B020: DName::operator=.LIBVCRUNTIME ref: 00007FFDA433B045

Strings

void, xrefs: 00007FFDA4338223

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Name::operator+=$NameName::Name::operator=
String ID: void
API String ID: 712027794-3531332078
Opcode ID: 67cc13917f2138c9f90b32b770c00319f242c4671bd540334ac5b61f08d79e04
Instruction ID: 9a7e1b137e69465f0889b0cf302a6f7108870a3516ef07d2667328b138e0282d
Opcode Fuzzy Hash: 67cc13917f2138c9f90b32b770c00319f242c4671bd540334ac5b61f08d79e04
Instruction Fuzzy Hash: A0219C26F9ED8241EB20E710D4B13B963A0AB96344F444032D58D863B7DE9CF585C308

Function 00007FFDA433BD30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FFDA433BD39

Part of subcall function 00007FFDA433BFF0: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDA433C0B0
Part of subcall function 00007FFDA433BFF0: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFDA433BD3E), ref: 00007FFDA433C0FF

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433BD51

Strings

f, xrefs: 00007FFDA433BD3E
csm, xrefs: 00007FFDA433BD44

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindterminate
String ID: csm$f
API String ID: 2215565074-629598281
Opcode ID: 2305743981d751753b5e4c169f2859148dc55e988f8730a8404b95faf480a321
Instruction ID: beca3bf4c9ba35f9c8658e672d989b7a1e7b7b2e395b14651a76fc1414d316be
Opcode Fuzzy Hash: 2305743981d751753b5e4c169f2859148dc55e988f8730a8404b95faf480a321
Instruction Fuzzy Hash: 8DD05E20F4AA8A81EF643EB150F523816945F1A716F048031CA18043F3CF2EB8A9460A

Function 00007FFD94424680 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD944246E1

Strings

utf-8, xrefs: 00007FFD94424923, 00007FFD94424A19
surrogates not allowed, xrefs: 00007FFD94424731, 00007FFD94424791, 00007FFD94424A0A

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset
String ID: surrogates not allowed$utf-8
API String ID: 2221118986-596787060
Opcode ID: c52160b0833203163845b01e03a25eca4c2902d94f39dbd5ff5f4423674294e5
Instruction ID: 8cd9a40fb1bc3118fea2a096b6ff19a04aad8de1bdaefa9bf4a21233bbac4a71
Opcode Fuzzy Hash: c52160b0833203163845b01e03a25eca4c2902d94f39dbd5ff5f4423674294e5
Instruction Fuzzy Hash: 02C1B832B09A9286EB359BE5D4A02BD67A0FB56B94F048135DE4D07B9EDFBCD501C340

Function 00007FFD942C8A94 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD942C8B6A
memcpy.VCRUNTIME140 ref: 00007FFD94326674

Strings

repeated string is too long, xrefs: 00007FFD9432653D

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memcpymemset
String ID: repeated string is too long
API String ID: 1297977491-1463166898
Opcode ID: b66b4e079d7ef6018d943e1ebbb7b53f3f637f554a298f9634d1a29a5af1d24a
Instruction ID: 9530ac320ec51fb3c705e3ff98e47018e424b97673a53395ae4c73187baf8d2b
Opcode Fuzzy Hash: b66b4e079d7ef6018d943e1ebbb7b53f3f637f554a298f9634d1a29a5af1d24a
Instruction Fuzzy Hash: 4871D7A2B5864246FE34AAA581A11782390FF57BB5F24C73DDA3E477D6DF2DE442C200

Function 00007FFD942F6DF0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 200COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD942F6F06

Strings

GC object already tracked, xrefs: 00007FFD94345EE4
..\Objects\tupleobject.c, xrefs: 00007FFD94345E97
Cannot extend an incomplete type '%.100s', xrefs: 00007FFD94345E78

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset
String ID: ..\Objects\tupleobject.c$Cannot extend an incomplete type '%.100s'$GC object already tracked
API String ID: 2221118986-1531276377
Opcode ID: 45d0c4aeb23c45283f6992790ad2a50ee709aaf251b6c28199623e162a16210c
Instruction ID: b0994fb5feb536d5bf00bb5296bbb98d78a32177de6c8409a09c6de6e14636f2
Opcode Fuzzy Hash: 45d0c4aeb23c45283f6992790ad2a50ee709aaf251b6c28199623e162a16210c
Instruction Fuzzy Hash: 1091B032B09B42C1EA759BA1D5A02B863A0FF46BA4F548635DA2E477D6DF3DE442C300

Function 00007FFD942D8A2C Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

_wgetenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFD942D8A5F
__p__wenviron.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFD942D8A65
__p__wenviron.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFD942D8A74
wcschr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94447E91), ref: 00007FFD942D8B20

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __p__wenviron$_wgetenvwcschr
String ID:
API String ID: 2623692796-0
Opcode ID: b2d8940238da6f04b2b655228d985c203a1dbf29a26f65f96316c7449fa88c39
Instruction ID: 7a3a89e65ce46feb0eae82ca0dcb1d719e7fe825adf9260453dce35f6625edc1
Opcode Fuzzy Hash: b2d8940238da6f04b2b655228d985c203a1dbf29a26f65f96316c7449fa88c39
Instruction Fuzzy Hash: AC31A161B0BB4280EA749BA584F413922A1BF06FD4F48C234DA2D477D6EF3DE841C340

Function 00007FFD942C9EE8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD942C9F58

Strings

module %s initialized with unknown slot %i, xrefs: 00007FFD94327023
execution of module %s failed without setting an exception, xrefs: 00007FFD9432708E
execution of module %s raised unreported exception, xrefs: 00007FFD94327070

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: memset
String ID: execution of module %s failed without setting an exception$execution of module %s raised unreported exception$module %s initialized with unknown slot %i
API String ID: 2221118986-3514548238
Opcode ID: c3d531d1120ad691036ae51d0ae0a1c17a2ee024ed4d6bd09e3b809c3e430121
Instruction ID: 6ca8fe7ca45d0944ba1192a27789fe14f3a3d4ee06912e86adffbf1dceb74828
Opcode Fuzzy Hash: c3d531d1120ad691036ae51d0ae0a1c17a2ee024ed4d6bd09e3b809c3e430121
Instruction Fuzzy Hash: 53215921F0D64380FA74ABF2A5F03782290BF0BB94F08D539DA0D46687EF6DE844C241

Function 00007FFD942CD660 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFD942CD681
LeaveCriticalSection.KERNEL32 ref: 00007FFD942CD6A7
GetTickCount64.KERNEL32 ref: 00007FFD943290B6
GetTickCount64.KERNEL32 ref: 00007FFD943290DC

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: Count64CriticalSectionTick$EnterLeave
String ID:
API String ID: 3734971401-0
Opcode ID: 4258a6fd17e76c13ad72b4b4d84688782ddbb62c5811d777aec655ae0b219493
Instruction ID: d798e294308c494f2437a930ecf9ad3a1b70213c223f899f6dfe84a4c8452579
Opcode Fuzzy Hash: 4258a6fd17e76c13ad72b4b4d84688782ddbb62c5811d777aec655ae0b219493
Instruction Fuzzy Hash: B921D631B5871285E730AFB5A5D0039B394EF56B65F208235CD1D432DBEEBDE881C640

Function 00007FFD942C86E0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 53stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00007FFD9443A177,?,?,?,00007FFD9432476E), ref: 00007FFD943261FF

Strings

print, xrefs: 00007FFD943261F5
unsupported operand type(s) for %.100s: '%.100s' and '%.100s', xrefs: 00007FFD94326226
unsupported operand type(s) for %.100s: '%.100s' and '%.100s'. Did you mean "print(<message>, file=<output_stream>)"?, xrefs: 00007FFD9432620C

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: strcmp
String ID: print$unsupported operand type(s) for %.100s: '%.100s' and '%.100s'$unsupported operand type(s) for %.100s: '%.100s' and '%.100s'. Did you mean "print(<message>, file=<output_stream>)"?
API String ID: 1004003707-392090593
Opcode ID: e03cb4cd5ddc1b1dde727788a42c0231f19233157358597e2203a9ef208d5070
Instruction ID: 41f39f08559b48a4f9dceab4062d7a8c043824999c30711f21d78d6ca8ea2095
Opcode Fuzzy Hash: e03cb4cd5ddc1b1dde727788a42c0231f19233157358597e2203a9ef208d5070
Instruction Fuzzy Hash: 38215026B08B4AC1DB609B92E4A00697361FB86BD4B44C436DE4D0776ADF3DE451C340

Function 00007FFDA43344F0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4334500
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433451A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA4334547
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433455C

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate
String ID:
API String ID: 579254285-0
Opcode ID: f4ae37b6821b64832df375d60d7e2444fd028b9f321884bdce22bd5e2f47125f
Instruction ID: d273d3832deda0f785905c71bca7f6d9e54387721b7f89077e63a5973f086e81
Opcode Fuzzy Hash: f4ae37b6821b64832df375d60d7e2444fd028b9f321884bdce22bd5e2f47125f
Instruction Fuzzy Hash: 9EF0AF21F8BE46A1FD58BB61F4F51782364AF66B40F281438DA2C027B7DE3CF8904608

Function 00007FFDA4334618 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA4334634
SetLastError.KERNEL32(?,?,?,00007FFDA4331886), ref: 00007FFDA433469E

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: b64a8aedd98e22daec173e74fc8c38139033bccdf9ce71d87847ffed440a60c6
Instruction ID: 9a701c1d96f5de85760cdf7297084fe346c7831e7168fe0a278e9f8bf1f4583d
Opcode Fuzzy Hash: b64a8aedd98e22daec173e74fc8c38139033bccdf9ce71d87847ffed440a60c6
Instruction Fuzzy Hash: 6D116920F8FE5351F9907B6268B417952916F6ABE1F284A30DD2D067F7DE6CF8418A08

Function 00007FFD94449748 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD94449762
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD9444976D
_set_thread_local_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD94449779
GetHandleInformation.KERNEL32(?,?,00000001,00007FFD9444981D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFD944497A7

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _set_thread_local_invalid_parameter_handler$HandleInformation_get_osfhandle
String ID:
API String ID: 1116477674-0
Opcode ID: eb3a54dc2752f212d9763402b743fd80199a35d904c6bfac37e82d0c23473c47
Instruction ID: 3f3ba84fcd2d9f96a0ae3c46fd15e5bb7c40909531518141f75d8039a4e1ac0b
Opcode Fuzzy Hash: eb3a54dc2752f212d9763402b743fd80199a35d904c6bfac37e82d0c23473c47
Instruction Fuzzy Hash: DF015635F1D54281FA349BB6A4A00396290EF47BA0F54C235D92D47ADADE6CD841D700

Function 00007FF6EE5DE7C8 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6EE5DE7F4
GetCurrentThreadId.KERNEL32 ref: 00007FF6EE5DE802
GetCurrentProcessId.KERNEL32 ref: 00007FF6EE5DE80E
QueryPerformanceCounter.KERNEL32 ref: 00007FF6EE5DE81E

Memory Dump Source

Source File: 00000002.00000002.2262370884.00007FF6EE5C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EE5C0000, based on PE: true

Associated: 00000002.00000002.2262329399.00007FF6EE5C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2262445663.00007FF6EE5F5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2262507740.00007FF6EE608000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2262573637.00007FF6EE613000.00000002.00000001.01000000.00000004.sdmpDownload File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 72ee30f866e1e6e4368942cb00744dae88da92efe1257c29fbe2068dc8e18f4c
Instruction ID: 492d6a48d279a7685fef213172e93e6b9a830e956d528e4491820ebdbd1f1f8b
Opcode Fuzzy Hash: 72ee30f866e1e6e4368942cb00744dae88da92efe1257c29fbe2068dc8e18f4c
Instruction Fuzzy Hash: CA114823B14F018AEB00CF60E8543A833A4FB28758F450E31EA6D867A4EFBDE5948340

Function 00007FFD942D0170 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

Impossible unicode object state, wstr and str should share memory already., xrefs: 00007FFD9432C256

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: Impossible unicode object state, wstr and str should share memory already.
API String ID: 0-3784591863
Opcode ID: 97822fda90a2793ce2dc8ee9157d58d13ebbc735e06ae83004b7b583aa6037b2
Instruction ID: 8037818dae5bb37fe7ece30c3605bd1f714738d07da9157581729ade2ff0b18a
Opcode Fuzzy Hash: 97822fda90a2793ce2dc8ee9157d58d13ebbc735e06ae83004b7b583aa6037b2
Instruction Fuzzy Hash: E571EE62B09B4282EB349FA4D4B427933A1FF46B88F508635CA5E4779ADF3DE850C300

Function 00007FFD9431E518 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD9431E625
memcpy.VCRUNTIME140 ref: 00007FFD9431E62F

Strings

string is too long, xrefs: 00007FFD9431E579

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: abortmemcpy
String ID: string is too long
API String ID: 985927305-3497403750
Opcode ID: 6a747e5ce6b01742427c7335d5794517c0b585b3c5fca62879d2fbf7fe26c366
Instruction ID: 07776001db9eb661a47e40ddc49122fd05dc6f590b9ec846e6fd9f3f8aa42fb8
Opcode Fuzzy Hash: 6a747e5ce6b01742427c7335d5794517c0b585b3c5fca62879d2fbf7fe26c366
Instruction Fuzzy Hash: E7515BA6B543C585EA209FB884A11B9B7A0EF5BFD0B48C335CA6D073D6DE2DD446C300

Function 00007FFD942CADFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

path should be string, bytes, or os.PathLike, not %.200s, xrefs: 00007FFD94327E5C, 00007FFD94327E86
embedded null character, xrefs: 00007FFD94327E39

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID: embedded null character$path should be string, bytes, or os.PathLike, not %.200s
API String ID: 0-1042558932
Opcode ID: 551d908a4203ed77e198df5f420bdd20203c575ace9d66e6d758a5a6888c13a3
Instruction ID: 17683a2ebf35fb0008387a107fb1fe36edb06760d21579911646107fdd076186
Opcode Fuzzy Hash: 551d908a4203ed77e198df5f420bdd20203c575ace9d66e6d758a5a6888c13a3
Instruction Fuzzy Hash: 0A517D62B4864781EAB4ABB9C5A03787360FF46B94F14D635CA1E0769ADF2DE851C340

Function 00007FFD943169B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,00007FFD94443817), ref: 00007FFD94355322

Strings

compiler_make_closure(), xrefs: 00007FFD94355354
lookup %s in %s %d %dfreevars of %s: %s, xrefs: 00007FFD9435532D

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __acrt_iob_func
String ID: compiler_make_closure()$lookup %s in %s %d %dfreevars of %s: %s
API String ID: 711238415-2453947471
Opcode ID: 41478bcbf2362ccb26b1ccb7e734816b12453479507b4851100e03c335057a22
Instruction ID: 832c3eb44a2ef16d2c30879d673b5c12cff210ff168b9b9c0261833086b54730
Opcode Fuzzy Hash: 41478bcbf2362ccb26b1ccb7e734816b12453479507b4851100e03c335057a22
Instruction Fuzzy Hash: A5518562B0878142EA70EBE6E5901AA77A5FB8ABD0F15C035EE4D47B96DF3DE441C700

Function 00007FFD942F3BB4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD94335300), ref: 00007FFD94343F08

Strings

marshal data too short, xrefs: 00007FFD94343E78
EOF read where not expected, xrefs: 00007FFD94343E81

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: fread
String ID: EOF read where not expected$marshal data too short
API String ID: 1766058891-204740928
Opcode ID: 7fd64b5d6202554512c9225d37cab43f933736b725211030c1373806c0f2f245
Instruction ID: d63d8baabf32b266a4465d18183ff42c6d387de60858f912ba104629fd9419d3
Opcode Fuzzy Hash: 7fd64b5d6202554512c9225d37cab43f933736b725211030c1373806c0f2f245
Instruction Fuzzy Hash: 2F418072B4AA0285EA74ABA1D5E03B823A0FF46B94F14C639D95D07797EF3CE585C340

Function 00007FFD94446650 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FFD94446779

Strings

unknown scope for %.100s in %.100s(%s)symbols: %slocals: %sglobals: %s, xrefs: 00007FFD94446751
__class__, xrefs: 00007FFD9444668B

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: __swprintf_l
String ID: __class__$unknown scope for %.100s in %.100s(%s)symbols: %slocals: %sglobals: %s
API String ID: 1488884202-944862548
Opcode ID: 8f2f9e1296252c3573f7bb8a1f80bf7f7aa68366a82155f64a996c36d3da4d39
Instruction ID: d85701f4ad41da716b13050f49af2a10fed68f36ce9479ff20365a1e4adf9f5b
Opcode Fuzzy Hash: 8f2f9e1296252c3573f7bb8a1f80bf7f7aa68366a82155f64a996c36d3da4d39
Instruction Fuzzy Hash: BE317726B19A4185EB60EB67E8A11A963A4FBCAFC4F048435ED4D47757EF3DD442C700

Function 00007FFD94452518 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

_isnan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FFD944525D1

Strings

Invalid value NaN (not a number), xrefs: 00007FFD944525E2
timestamp too large to convert to C _PyTime_t, xrefs: 00007FFD94452587

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: _isnan
String ID: Invalid value NaN (not a number)$timestamp too large to convert to C _PyTime_t
API String ID: 890761564-372307277
Opcode ID: a5ab71a78b782325f801660db04e869565e5d545335de171eb4115e2aee6a47b
Instruction ID: cadd0610fe34c00d3e24efeafdb512b2c08abc222967f2585540f87924843522
Opcode Fuzzy Hash: a5ab71a78b782325f801660db04e869565e5d545335de171eb4115e2aee6a47b
Instruction Fuzzy Hash: A2210620B0864680FE3497E5A5F02B963907F46BA0F08C731E92D477EBDEACE051C740

Function 00007FFD94467BA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94467C33
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD94467C5F

Strings

... truncated, xrefs: 00007FFD94467C45, 00007FFD94467C58

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID: fputs
String ID: ... truncated
API String ID: 1795875747-3211418726
Opcode ID: d9ea2cedaa77f195fceee1bae36938e0ae5f3b380fcbe9c2ed8c0e9eebdaa61c
Instruction ID: b497b7194b9c03f4e717c28c8f079854d0b78211c0f7b77e36fbdb0a5b06e016
Opcode Fuzzy Hash: d9ea2cedaa77f195fceee1bae36938e0ae5f3b380fcbe9c2ed8c0e9eebdaa61c
Instruction Fuzzy Hash: 8C21C262B04A4545FA30AB92E8E53A96791BF8AFE4F45C031DE0C4B7ABDE7CE545C300

Function 00007FFD942D810C Relevance: 5.3, APIs: 4, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2263966210.00007FFD942C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD942C0000, based on PE: true

Associated: 00000002.00000002.2263909485.00007FFD942C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94475000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94481000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94492000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264157196.00007FFD94504000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264454573.00007FFD945B7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264495098.00007FFD945D1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264520804.00007FFD945D2000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264547655.00007FFD945D6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264629982.00007FFD9460B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264650281.00007FFD9460C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264681448.00007FFD94623000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264741783.00007FFD94624000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264762984.00007FFD94627000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264789966.00007FFD9462A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264813090.00007FFD9462B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264837200.00007FFD9462C000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264862220.00007FFD9462D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264889554.00007FFD94633000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94634000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264910475.00007FFD94651000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264960674.00007FFD94655000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD9465F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2264985811.00007FFD94678000.00000002.00000001.01000000.00000005.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad359776def6abd152e220e04480cd59a6f7648374717460c45000c60b4413f2
Instruction ID: ec8972b56b7ba7db2a5f545fee57a176e421cc3dbae11b5c2ccdca723c1fffd8
Opcode Fuzzy Hash: ad359776def6abd152e220e04480cd59a6f7648374717460c45000c60b4413f2
Instruction Fuzzy Hash: 44D14D32B15B5585EB24DFB6D8A01AC37B4FB8AB98B549036DE0E23B5ADF39D441C300

Function 00007FFDA433D1F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA433BB80: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BB97
Part of subcall function 00007FFDA433BB80: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBAE
Part of subcall function 00007FFDA433BB80: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBC9
Part of subcall function 00007FFDA433BB80: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFDA4332A35), ref: 00007FFDA433BBDD

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433D256
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDA433D275

Part of subcall function 00007FFDA433BB40: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFDA4332A5D), ref: 00007FFDA433BB53

Strings

csm, xrefs: 00007FFDA433D216

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: abort$terminate
String ID: csm
API String ID: 579254285-1018135373
Opcode ID: b245221224f26f11d728d39e5b1b689e48b9b1606b1f28af6be6b918521f4e28
Instruction ID: c916dd46f37d0f0c4fc7d8e09178d9e99717fa4c9126484935132cddcb642d17
Opcode Fuzzy Hash: b245221224f26f11d728d39e5b1b689e48b9b1606b1f28af6be6b918521f4e28
Instruction Fuzzy Hash: E6015E61B8BA0285FA20BF6294B517823A0AF57B59F041435D94D46377DF2CF8818208

Function 00007FFDA4334920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFDA4334952
TlsSetValue.KERNEL32(?,?,00000000,00007FFDA433465B,?,?,?,00007FFDA4331886), ref: 00007FFDA4334975

Strings

FlsSetValue, xrefs: 00007FFDA4334946

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: b25816031d561911571dd6d2809871ff3366dbec718580c9544da20d346e954a
Instruction ID: bb542d0eec50e84e3bcc1a563ffdf1b5ab47237177f0996b5ace03f59f58b1bd
Opcode Fuzzy Hash: b25816031d561911571dd6d2809871ff3366dbec718580c9544da20d346e954a
Instruction Fuzzy Hash: F5F09021F4AE4391FA45AB02B4F10B96262EF8ABC0F584031E95D1B7B6CE3CF442C348

Function 00007FFDA43345B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFDA43345DF
TlsFree.KERNEL32 ref: 00007FFDA43345FC

Strings

FlsFree, xrefs: 00007FFDA43345D8

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Freetry_get_function
String ID: FlsFree
API String ID: 2043475122-3081468905
Opcode ID: 35061532383fe3417fdb6b27bd6877e0051c6e2a8b95e94957c5b3faac9c56a6
Instruction ID: 41efe78dd9724998c857024695063c5b8acafc9971b2489a8aa3fe7a04d7352d
Opcode Fuzzy Hash: 35061532383fe3417fdb6b27bd6877e0051c6e2a8b95e94957c5b3faac9c56a6
Instruction Fuzzy Hash: D1F04F21F4AE4291F654BB14A8F11B82251AF56790F544235D52E063F3DE2CB855C708

Function 00007FFDA43348C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFDA43348F2
TlsGetValue.KERNEL32 ref: 00007FFDA433490F

Strings

FlsGetValue, xrefs: 00007FFDA43348EB

Memory Dump Source

Source File: 00000002.00000002.2265064306.00007FFDA4331000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFDA4330000, based on PE: true

Associated: 00000002.00000002.2265033467.00007FFDA4330000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265094590.00007FFDA433E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265114285.00007FFDA4342000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4343000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2265154718.00007FFDA4345000.00000002.00000001.01000000.00000006.sdmpDownload File

Similarity

API ID: Valuetry_get_function
String ID: FlsGetValue
API String ID: 738293619-662576866
Opcode ID: 4a0d5d0c9d2b79da2dd7a698b9c30212248121389b99309127fd8f96ba2f3816
Instruction ID: 10379dcbc3c76ed03480aaedbfcb3ddd4f301a086cec5e9a25983a79366198bb
Opcode Fuzzy Hash: 4a0d5d0c9d2b79da2dd7a698b9c30212248121389b99309127fd8f96ba2f3816
Instruction Fuzzy Hash: 71F08C21F8BE4791EA44BB11B8F11B81291AF4A784F540435D51D0B3B3DE3CF855C348

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dstream.log.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0s1cbyv.0vl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zl0ett3z.0ks.psm1

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_asyncio.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_bz2.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_decimal.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_elementtree.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_lzma.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_multiprocessing.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_overlapped.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_queue.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_socket.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\_ssl.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libcrypto-1_1.dll

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\libssl-1_1.dll

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\pyexpat.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\python37.dll

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\rundatastream.exe

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\select.pyd

C:\Users\user\AppData\Local\Temp\onefile_3248_133646284912282783\unicodedata.pyd

Windows Analysis Report
dstream.log.exe