Edit tour

Windows Analysis Report
x11.exe

Overview

General Information

Sample name:	x11.exe
Analysis ID:	1502754
MD5:	ba856e48421c75592a0b45953c21dd2c
SHA1:	380e0bedddbb9e232b9169d51daa778dfa22118d
SHA256:	4563d61b8760e3d73772b888b1db881386b37a4aa5937fe1eff597793b427d9c
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

x11.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\x11.exe" MD5: BA856E48421C75592A0B45953C21DD2C)

k1.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\k1.exe" MD5: 692D72923747BE1ED2C05CD6B4118BF4)

conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\k1.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\k1.exe	Virustotal: Detection: 18%			Perma Link

Multi AV Scanner detection for submitted file

Source: x11.exe	ReversingLabs: Detection: 47%
Source: x11.exe	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Source: x11.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: x11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: x11.exe

Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0027F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0027F826
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00291630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	0_2_00291630
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002A1FF8 FindFirstFileExA,	0_2_002A1FF8

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_00279B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00279B5C

Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028355D	0_2_0028355D
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028B76F	0_2_0028B76F
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0027BF3D	0_2_0027BF3D
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028A008	0_2_0028A008
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0029C0D6	0_2_0029C0D6
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028A222	0_2_0028A222
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00285214	0_2_00285214
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028C27F	0_2_0028C27F
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002992D0	0_2_002992D0
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002A4360	0_2_002A4360
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002846CF	0_2_002846CF
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002A86D2	0_2_002A86D2
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002A480E	0_2_002A480E
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002748AA	0_2_002748AA
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00275AFE	0_2_00275AFE
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028ABC8	0_2_0028ABC8
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0028BC05	0_2_0028BC05
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00277CBA	0_2_00277CBA
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00284D32	0_2_00284D32
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00273D9D	0_2_00273D9D
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0029BEA7	0_2_0029BEA7
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00275F39	0_2_00275F39
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00285F0B	0_2_00285F0B

Source: C:\Users\user\Desktop\x11.exe	Code function: String function: 002957A5 appears 34 times
Source: C:\Users\user\Desktop\x11.exe	Code function: String function: 00296630 appears 31 times
Source: C:\Users\user\Desktop\x11.exe	Code function: String function: 002957D8 appears 67 times

Source: k1.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: x11.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@4/2@0/0

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_0027932C GetLastError,FormatMessageW,_wcslen,LocalFree,

0_2_0027932C

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_0028EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0028EBD3

Source: C:\Users\user\Desktop\x11.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_3853406

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03

Source: C:\Users\user\Desktop\x11.exe	Command line argument: 0T,	0_2_0029454A
Source: C:\Users\user\Desktop\x11.exe	Command line argument: sfxname	0_2_0029454A
Source: C:\Users\user\Desktop\x11.exe	Command line argument: sfxstime	0_2_0029454A
Source: C:\Users\user\Desktop\x11.exe	Command line argument: STARTDLG	0_2_0029454A

Source: x11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\x11.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\x11.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x11.exe	ReversingLabs: Detection: 47%
Source: x11.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\x11.exe

File read: C:\Users\user\Desktop\x11.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\x11.exe "C:\Users\user\Desktop\x11.exe"
Source: C:\Users\user\Desktop\x11.exe	Process created: C:\Users\user\Desktop\k1.exe "C:\Users\user\Desktop\k1.exe"
Source: C:\Users\user\Desktop\k1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x11.exe	Process created: C:\Users\user\Desktop\k1.exe "C:\Users\user\Desktop\k1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\x11.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x11.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k1.exe	Section loaded: opencl.dll	Jump to behavior

Source: C:\Users\user\Desktop\x11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\x11.exe

File written: C:\Users\user\Desktop\poolworker.config.ini

Jump to behavior

Source: x11.exe

Static file information: File size 1780016 > 1048576

Source: x11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: x11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: x11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: x11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: x11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: x11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: x11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: x11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: x11.exe

Source: x11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: x11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: x11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: x11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: x11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\x11.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_3853406

Jump to behavior

Source: x11.exe	Static PE information: real checksum: 0x0 should be: 0x1bb124
Source: k1.exe.0.dr	Static PE information: real checksum: 0x3f27e7 should be: 0x3edda5

Source: x11.exe	Static PE information: section name: .didat
Source: k1.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00296680 push ecx; ret		0_2_00296693
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00295773 push ecx; ret		0_2_00295786

Source: C:\Users\user\Desktop\x11.exe

File created: C:\Users\user\Desktop\k1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\x11.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0027F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0027F826
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00291630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,	0_2_00291630
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_002A1FF8 FindFirstFileExA,	0_2_002A1FF8

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_00294E14 VirtualQuery,GetSystemInfo,

0_2_00294E14

Source: x11.exe, 00000000.00000002.2124473595.0000000007304000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: x11.exe, 00000000.00000002.2124473595.0000000007304000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_00296878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00296878

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_0029ECAA mov eax, dword ptr fs:[00000030h]

0_2_0029ECAA

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_002A2CE0 GetProcessHeap,

0_2_002A2CE0

Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00296878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00296878
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00296A0B SetUnhandledExceptionFilter,	0_2_00296A0B
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_0029AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0029AAC4
Source: C:\Users\user\Desktop\x11.exe	Code function: 0_2_00295BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00295BBF

Source: C:\Users\user\Desktop\x11.exe

Process created: C:\Users\user\Desktop\k1.exe "C:\Users\user\Desktop\k1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_00296694 cpuid

0_2_00296694

Source: C:\Users\user\Desktop\x11.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0028FD34

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_0029454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0029454A

Source: C:\Users\user\Desktop\x11.exe

Code function: 0_2_002803BE GetVersionExW,

0_2_002803BE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x11.exe	47%	ReversingLabs	Win32.Trojan.Generic
x11.exe	41%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\k1.exe	33%	ReversingLabs	Win64.PUA.Generic
C:\Users\user\Desktop\k1.exe	18%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502754
Start date and time:	2024-09-02 08:47:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x11.exe
Detection:	MAL
Classification:	mal60.winEXE@4/2@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 105 Number of non-executed functions: 107
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\x11.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4109824
Entropy (8bit):	6.282561549846907
Encrypted:	false
SSDEEP:	49152:A+W0qUi3UHScrb/THvO90d7HjmAFd4A64nsfJRsjcaH7ALfSadLLfrXHz8LbHpD5:Y32S4j1cE/oOX
MD5:	692D72923747BE1ED2C05CD6B4118BF4
SHA1:	046050976D2FA16CF25E10F4895011E066414B0E
SHA-256:	C035C371F1AD9A96B51F28FBE9E6F7A402BF10CD1CA2D82AABBC78BA07C7703F
SHA-512:	8C6780FE09F701AC3FA5F397A4AA88475B5E26E19621D66B7404C720DF87E31A692004DEE672CF76CF6327421C1AA2A14B1F09EB6933C2AAA8E74F2FEF116548
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33% Antivirus: Virustotal, Detection: 18%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........................!...>...............@...............................D......'?...`... .......................................D......D...............>..............PD.,m..........................`.=.(...................0.D..............................text.....!.......!.................`.``.data.........!.......!.............@.`..rdata...\|....#..\|...p#.............@.`@.pdata........>.......=.............@.0@.xdata..D....0>.......>.............@.0@.bss....D....P>.......................`..edata.......D......&>.............@.0@.idata........D......(>.............@.@..CRT....h....0D......D>.............@.@..tls.........@D......F>.............@.@..reloc..,m...PD..n...H>.............@.0B........................................................................................................................................................................

C:\Users\user\Desktop\poolworker.config.ini

Download File

Process:	C:\Users\user\Desktop\x11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.9685535937840655
Encrypted:	false
SSDEEP:	3:GRLYm5cQ4RCoqkMkS0uiBLyo/yuUqvovy:85kRJ7Sfi0LuUqvovy
MD5:	1CFF20FC77835E110B62445BE05114C2
SHA1:	7981667914201CF92FBCCEB6D42A05DE8A87F451
SHA-256:	5B0263857106FA941B4FD3DF40E3F2ADE971A75F6B4847226AA150C620704595
SHA-512:	A33564018C6629F612B8FE2A710553A0FC24DED14260798C4B6BC17298BA1089CFF6DFB7C71CA9BA7F3A298FB0282E257DE4C60B43C15C773D94A71C8A90B664
Malicious:	false
Reputation:	low
Preview:	..pool = 94.156.69.214:110....rewards = 1HKqQMABXdU5nd2W9159Q1P4BNvUX1G3cn....supervene = 18......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.8872350678107255
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	x11.exe
File size:	1'780'016 bytes
MD5:	ba856e48421c75592a0b45953c21dd2c
SHA1:	380e0bedddbb9e232b9169d51daa778dfa22118d
SHA256:	4563d61b8760e3d73772b888b1db881386b37a4aa5937fe1eff597793b427d9c
SHA512:	4675cc8016c75ea178175e5a5fb0b15c05cd36068a76b4952755b7225f6af6b6de5d6dcf990e965d48775307b6ecf1955da15da1d72def96fba02aa298215111
SSDEEP:	49152:ppUlRhkMregcRijcwsCyb6Dgh3+bS22+UaIK179FwiZO1VpSu:ppUlhregcjCLgF+bSsUaIw9F01eu
TLSH:	20851202B7C185B2E47218370BA98750563DBD312F6689DF63C069BD9E319D2DA31FA3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#.b#...#0.b#..f"!.b#..a".b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x4265d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6640971F [Sun May 12 10:17:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	99ee65c2db82c04251a5c24f214c8892

Entrypoint Preview

Instruction
call 00007F6CF884E25Bh
jmp 00007F6CF884DBDDh
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F6CF884D28Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F6CF884D279h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F6CF88407B9h
push 0044634Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F6CF884EA87h
int3
jmp 00007F6CF88547BEh
int3
int3
push 004293C0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00449778h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x47d70	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47da4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0xe360	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x67000	0x2afc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44580	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x44600	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3ec58	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4722c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3a32c	0x3a400	e320764e1b3c816ba80aeb820cb8a274	False	0.581381605418455	data	6.685359764265178	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0xcbf8	0xcc00	47c3be3304bfdfb2a778f355849d1c3f	False	0.4439529718137255	data	5.167069652624378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x49000	0xd7e0	0x1200	6335f9314c2900dccb530e151f1b1ee8	False	0.3956163194444444	data	4.0290550032041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x57000	0x1a8	0x200	232a8fe82993b55cefe09cffc39a79b0	False	0.462890625	data	3.5080985761326375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x58000	0xe360	0xe400	4608b3917311b11e58d5198fc7272acf	False	0.6301226699561403	data	6.596441520276781	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x67000	0x2afc	0x2c00	98fd4bc572f87a21f69dc57f720a6dbc	False	0.75	data	6.617141671767599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x58680	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x591c8	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x5a778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x5ace0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x5b588	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x5c430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x5c898	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x5d940	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x5fee8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x645b8	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x64388	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x644c8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x64258	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x63f20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x63cc8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x64f98	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x65180	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x65350	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x65508	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x65650	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x65ac0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x65c28	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x65d80	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x65e90	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x65f50	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x66110	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x63c60	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x64840	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:47:54
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\x11.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x11.exe"
Imagebase:	0x270000
File size:	1'780'016 bytes
MD5 hash:	BA856E48421C75592A0B45953C21DD2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:47:54
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\k1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\k1.exe"
Imagebase:	0xef0000
File size:	4'109'824 bytes
MD5 hash:	692D72923747BE1ED2C05CD6B4118BF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 33%, ReversingLabs Detection: 18%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:47:54
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0029454A Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 252filesleeptimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00286D7B: GetModuleHandleW.KERNEL32(kernel32,1ECC2FF4), ref: 00286DC7
Part of subcall function 00286D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00286DD9
Part of subcall function 00286D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00286E03

Part of subcall function 00281309: __EH_prolog3.LIBCMT ref: 00281310
Part of subcall function 00281309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002817FB,?,?,\\?\,1ECC2FF4,?,?,?,00000000,002AA279,000000FF), ref: 00281319

Part of subcall function 0028F4D4: OleInitialize.OLE32(00000000), ref: 0028F4ED
Part of subcall function 0028F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0028F524
Part of subcall function 0028F4D4: SHGetMalloc.SHELL32(002C532C), ref: 0028F52E

GetCommandLineW.KERNEL32 ref: 00294608
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 0029464F
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00294661
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0029466F
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 0029467D

Part of subcall function 0028FC38: __EH_prolog3.LIBCMT ref: 0028FC3F

Part of subcall function 00293EFC: __EH_prolog3_GS.LIBCMT ref: 00293F03
Part of subcall function 00293EFC: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00293F1B
Part of subcall function 00293EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00293F86

Part of subcall function 002851BF: _wcslen.LIBCMT ref: 002851E3

UnmapViewOfFile.KERNEL32(00000000,002C5430,00000400,002C5430,002C5430,00000400,00000000,00000001,?,00000000), ref: 002946CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 002946D3
SetEnvironmentVariableW.KERNEL32(sfxname,002B9698,00000000), ref: 0029472F
GetLocalTime.KERNEL32(?), ref: 0029473A
_swprintf.LIBCMT ref: 00294779
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0029478E
GetModuleHandleW.KERNEL32(00000000), ref: 00294795
LoadIconW.USER32(00000000,00000064), ref: 002947AC
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00294803
Sleep.KERNEL32(00000000), ref: 00294834
DeleteObject.GDI32 ref: 00294858
DeleteObject.GDI32(2E050D7E), ref: 00294868

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Part of subcall function 002919EE: __EH_prolog3_GS.LIBCMT ref: 002919F5

CloseHandle.KERNEL32 ref: 002948AA

Strings

winrarsfxmappingfile.tmp, xrefs: 00294643
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0029476A
0T,, xrefs: 002946AA
STARTDLG, xrefs: 002947F8
sfxstime, xrefs: 00294789
sfxname, xrefs: 0029472A

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$0T,$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3142445277-246775543
Opcode ID: 781579dd803830d633f23b075ba56370645f84a1345a251353c9c7e9b3db6fc9
Instruction ID: 3519402e2a4fac0b4e98a9cce6cc3cf43f7cacc5e4c5e69b2a8ae0d63b9b41d1
Opcode Fuzzy Hash: 781579dd803830d633f23b075ba56370645f84a1345a251353c9c7e9b3db6fc9
Instruction Fuzzy Hash: C491DE70524750AFC720BF64EC49FAB77ECAB49700F40492DF54992291EB74E8A5CF21

Function 0028EBD3 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100memorywindowCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00290845,00000066), ref: 0028EBE6
SizeofResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EBFD
LoadResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC14
LockResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC23
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00290845,00000066), ref: 0028EC3E
GlobalLock.KERNEL32(00000000,?,?,?,?,?,00290845,00000066), ref: 0028EC4F
GlobalUnlock.KERNEL32(00000000), ref: 0028ECD7

Part of subcall function 0028EB06: GdipAlloc.GDIPLUS(00000010), ref: 0028EB0C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0028ECB8
GlobalFree.KERNEL32(00000000), ref: 0028ECDE

Strings

PNG, xrefs: 0028EBD7

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 00eaa323269f3fe69467d77b409a72bedbd2f5236884fa91981816e746213d4b
Instruction ID: 1031e79bee05b8eab204ff992586b31f109d30c56b466ece2d2496d9527378f7
Opcode Fuzzy Hash: 00eaa323269f3fe69467d77b409a72bedbd2f5236884fa91981816e746213d4b
Instruction Fuzzy Hash: 54315E75A11202ABDB10AF61ED4CD2BBFACFF45754B15052AF916D22A1EF31D821CB60

Function 0028355D Relevance: 14.8, APIs: 2, Strings: 6, Instructions: 753COMMON

Download Yara Rule

APIs

Part of subcall function 00288781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,1ECC2FF4,00000007,?,?,?,00288751,?,?,?,?,0000000C,00274426), ref: 0028879D

_wcslen.LIBCMT ref: 0028395A
__fprintf_l.LIBCMT ref: 00283AA7

Strings

@%s:, xrefs: 00283A91, 00283A9D
$%s:, xrefs: 00283A8A
*messages***, xrefs: 0028373A
*messages***, xrefs: 00283773
,, xrefs: 00283AE2
RTL, xrefs: 00283A69

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ByteCharMultiWide__fprintf_l_wcslen
String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
API String ID: 1796436225-285229759
Opcode ID: e3ae3d5372146b4c094db5af5f5ba454d2c8a1a8077816f7028e3b1e2d29d58b
Instruction ID: b38cbeaa1ed3b52f3138bd7f9b63f07c4892c49ac6265262b34c4e0d3de57e61
Opcode Fuzzy Hash: e3ae3d5372146b4c094db5af5f5ba454d2c8a1a8077816f7028e3b1e2d29d58b
Instruction Fuzzy Hash: 5F52F675921259AFDF24EFA8CC45AEDB7B4FF04B10F10052AE805EB2C1EB719A64CB50

Function 0027F826 Relevance: 9.1, APIs: 6, Instructions: 139fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027F830
FindFirstFileW.KERNELBASE(?,?,00000274,0027F733,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?), ref: 0027F859
FindFirstFileW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049), ref: 0027F8A4
GetLastError.KERNEL32(?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049,?,00000000), ref: 0027F902
FindNextFileW.KERNEL32(?,?,00000274,0027F733,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?), ref: 0027F92D
GetLastError.KERNEL32(?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049,?,00000000), ref: 0027F93A

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileFind$ErrorFirstLast$H_prolog3_Next
String ID:
API String ID: 3831798110-0
Opcode ID: a57e6b2f4e7bf4807325cd940e44dd60c6cfb9df065d5fe9d8cecfad8bc15a7f
Instruction ID: 5176c06063edca632fe663cf018f64465b67cab9c5e13da352cb8bbe2ad6512b
Opcode Fuzzy Hash: a57e6b2f4e7bf4807325cd940e44dd60c6cfb9df065d5fe9d8cecfad8bc15a7f
Instruction Fuzzy Hash: BA514371915619DFCF54DF64D988AEDB7B8BF09320F1042AAE519E3290DB30AAA4CF50

Function 0027BF3D Relevance: 5.0, APIs: 1, Strings: 1, Instructions: 1497COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027C342

Part of subcall function 00282095: __EH_prolog3_GS.LIBCMT ref: 0028209C

Part of subcall function 002757C0: __EH_prolog3.LIBCMT ref: 002757C7

Strings

__tmp_reference_source_, xrefs: 0027C33D, 0027C349

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3H_prolog3__wcslen
String ID: __tmp_reference_source_
API String ID: 1523997010-685763994
Opcode ID: cb3289657e22af97c621bcd5ce20d14a33cda84d431b821489cb69b7ce116dba
Instruction ID: fa0fa8280502290c15950c93c58495e6105decf8e15c8509bbd6e34cd2a390d5
Opcode Fuzzy Hash: cb3289657e22af97c621bcd5ce20d14a33cda84d431b821489cb69b7ce116dba
Instruction Fuzzy Hash: 36D2E57092428A9FDF29DF74C890BEEBBB4BF05304F14855EE49E97241DB30A969CB50

Function 0029ECAA Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002,00000000), ref: 0029ECCB
TerminateProcess.KERNEL32(00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002,00000000), ref: 0029ECD2
ExitProcess.KERNEL32 ref: 0029ECE4

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 935525420e971c33510c60226e70061257f107c7d5641739675a636e91a2947b
Instruction ID: 4fb8fe43f544fb32ed441bf2ce004c2fc79a68c7d07452d3eeb74f4ccf034ed8
Opcode Fuzzy Hash: 935525420e971c33510c60226e70061257f107c7d5641739675a636e91a2947b
Instruction Fuzzy Hash: 85E0B632150608AFCF11AF54EE0DA587B69EF52391F150424F945AA222CF36EDA2DB50

Function 0028B76F Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 356b5361dd64e6f715d81803efe2377399896979182c56f88cd7690f92bb34f9
Instruction ID: e45b8c86407771d38c0f3139da580d45f546e25d77ab19fc6702fff1f3eb19bc
Opcode Fuzzy Hash: 356b5361dd64e6f715d81803efe2377399896979182c56f88cd7690f92bb34f9
Instruction Fuzzy Hash: 94E1D3755193458FDB25EF28C884B5BBBE4BF88308F08456DEC889B382D774E964CB52

Function 00290900 Relevance: 91.9, APIs: 42, Strings: 10, Instructions: 935windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0029090A

Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E

EndDialog.USER32(?,00000000), ref: 00290A18
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00290A57
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00290A71
IsDialogMessageW.USER32(?,?), ref: 00290A84
TranslateMessage.USER32(?), ref: 00290A92
DispatchMessageW.USER32(?), ref: 00290A9C
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00290ADE
GetDlgItem.USER32(?,00000068), ref: 00290B04
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00290B1F
SendMessageW.USER32(00000000,000000C2,00000000,002AC6C8), ref: 00290B32
SetFocus.USER32(00000000), ref: 00290B39
GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00290C20
GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00290C4C
GetTickCount.KERNEL32 ref: 00290C79
GetLastError.KERNEL32(?,00000011), ref: 00290CD5
GetCommandLineW.KERNEL32 ref: 00290DF9
_wcslen.LIBCMT ref: 00290E06
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,002C5430,00000400,00000001,00000001), ref: 00290E85
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00290EA3
ShellExecuteExW.SHELL32(0000003C), ref: 00290EDC
Sleep.KERNEL32(00000064), ref: 00290F25
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,002C5430,00000400), ref: 00290F61
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,002C5430,00000400), ref: 00290F6D
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00291072

Part of subcall function 00271E1F: GetDlgItem.USER32(?,?), ref: 00271E34
Part of subcall function 00271E1F: ShowWindow.USER32(00000000), ref: 00271E3B

SetDlgItemTextW.USER32(?,00000065,002AC6C8), ref: 0029108A
GetDlgItem.USER32(?,00000065), ref: 00291093
GetWindowLongW.USER32(00000000,000000F0), ref: 002910A2
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00291422
EndDialog.USER32(?,00000001), ref: 00291436
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002910B1

Part of subcall function 0028E265: __EH_prolog3_GS.LIBCMT ref: 0028E26C
Part of subcall function 0028E265: ShowWindow.USER32(?,00000000,00000038), ref: 0028E294
Part of subcall function 0028E265: GetWindowRect.USER32(?,?), ref: 0028E2D8
Part of subcall function 0028E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 0028E373

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0029114F
SendMessageW.USER32(?,00000080,00000001,000103EB), ref: 00291284
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,2E050D7E), ref: 0029129D
GetDlgItem.USER32(?,00000068), ref: 002912A6
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 002912BE
GetDlgItem.USER32(?,00000066), ref: 002912E6
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0029135D
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00291371
EnableWindow.USER32(?,00000000), ref: 002915A7
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 002915E8
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0029160D

Part of subcall function 00291D4F: __EH_prolog3_GS.LIBCMT ref: 00291D59

Strings

winrarsfxmappingfile.tmp, xrefs: 00290E71
@, xrefs: 00290D98
<, xrefs: 00290D8E
-el -s2 "-d%s" "-sp%s", xrefs: 00290D75
__tmp_rar_sfx_access_check_, xrefs: 00290C91
J), xrefs: 002913DC
@S,, xrefs: 00290DDD
STARTDLG, xrefs: 0029091C
LICENSEDLG, xrefs: 00291417
\S,, xrefs: 00290BF2

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusH_prolog3_catch_HandleLineMappingParamRectShellSleepTickTranslateUnmapUser_wcslen
String ID: -el -s2 "-d%s" "-sp%s"$<$@$@S,$LICENSEDLG$STARTDLG$\S,$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp$J)
API String ID: 3523736112-1258988733
Opcode ID: c995d54ba933fa9ef122a58af09b2294594f91cbc89cf36f5b897eb0234b9db6
Instruction ID: 57dba16cdbed5563d5818df07cb1e690591c390a5e2b5a3a62acd2dc2333fdea
Opcode Fuzzy Hash: c995d54ba933fa9ef122a58af09b2294594f91cbc89cf36f5b897eb0234b9db6
Instruction Fuzzy Hash: 0B72C570824359AEEF21EB64DC89FED7BB8AF05700F004199F509B7192DBB45AA4CF21

Function 00286D7B Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 394libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,1ECC2FF4), ref: 00286DC7
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00286DD9
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00286E03
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002870CA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002870DF
ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 002870FF
CloseHandle.KERNEL32(00000000), ref: 00287187
CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 002871F8
AllocConsole.KERNEL32 ref: 0028735E
GetCurrentProcessId.KERNEL32 ref: 00287368
AttachConsole.KERNEL32(00000000), ref: 0028736F
GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 0028738F
WriteConsoleW.KERNEL32(00000000), ref: 00287396
Sleep.KERNEL32(00002710), ref: 002873A1
FreeConsole.KERNEL32 ref: 002873A7
ExitProcess.KERNEL32 ref: 002873B7

Strings

dwmapi.dll, xrefs: 00286E6C, 002872B3
uxtheme.dll, xrefs: 002872BD
SetDllDirectoryW, xrefs: 00286DD3
SetDefaultDllDirectories, xrefs: 00286DFD
DXGIDebug.dll, xrefs: 00286E37, 002871E0
kernel32, xrefs: 00286DBE
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 0028734E

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 2644799563-3298887752
Opcode ID: 5f94ec6d022925d09440f443d2432db7e88ded7e8d7f6387100c9d09c11349bf
Instruction ID: 1d71b67b76000acb93ca38eb698cd744c8874610dd7055b0933940ea77b6faf5
Opcode Fuzzy Hash: 5f94ec6d022925d09440f443d2432db7e88ded7e8d7f6387100c9d09c11349bf
Instruction Fuzzy Hash: 73F180B1425288DBCF20EFA4DC49BDE3BA9BF06304F604119F90A9B691DF709669CF51

Function 00293572 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00290678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00290689
Part of subcall function 00290678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0029069A
Part of subcall function 00290678: IsDialogMessageW.USER32(000103F8,?), ref: 002906AE
Part of subcall function 00290678: TranslateMessage.USER32(?), ref: 002906BC
Part of subcall function 00290678: DispatchMessageW.USER32(?), ref: 002906C6

GetDlgItem.USER32(00000068,00000000), ref: 00293595
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,0028FD20,00000001,?,?), ref: 002935BA
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002935C9
SendMessageW.USER32(00000000,000000C2,00000000,002AC6C8), ref: 002935D7
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002935F1
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0029360B
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0029364F
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00293662
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00293675
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0029369C
SendMessageW.USER32(00000000,000000C2,00000000,002AC860), ref: 002936AB

Strings

\, xrefs: 002935FB

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: a818c80a9ca79e7b8619caf2b847e301b0adb9117a05e6a671e45ad896c77fd9
Instruction ID: 8de7e5f3109386ec3b38c8056a4af97aa8e7aaa9f1c02bb62e34f29f75e0a0d0
Opcode Fuzzy Hash: a818c80a9ca79e7b8619caf2b847e301b0adb9117a05e6a671e45ad896c77fd9
Instruction Fuzzy Hash: 4131D071249700BFE310DF21EC49F6B7BECEF46700F040518F96596190DBA4A9448FAA

Function 002938A0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002938A7
ShellExecuteExW.SHELL32(?), ref: 00293AA4
ShowWindow.USER32(?,00000000), ref: 00293ADD
GetExitCodeProcess.KERNEL32(?,?), ref: 00293B0F
CloseHandle.KERNEL32(?), ref: 00293B33
ShowWindow.USER32(?,00000001), ref: 00293B76

Strings

.inf, xrefs: 00293A13
\*, xrefs: 00293A22
.exe, xrefs: 00293B3D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ShowWindow$CloseCodeExecuteExitH_prolog3_HandleProcessShell
String ID: .exe$.inf$\*
API String ID: 1358420184-4212905900
Opcode ID: e2eac52a878a106bc1aa4eb1518d34011f430ac7132df70a396747ba363dbc4b
Instruction ID: 53e494eeff1f5530d34266842b38b3ec848fcf4ed5f04d5f3717575054495bd5
Opcode Fuzzy Hash: e2eac52a878a106bc1aa4eb1518d34011f430ac7132df70a396747ba363dbc4b
Instruction Fuzzy Hash: ACB1DD31A20259DFDF21DF64D898BEDB7B5FF44310F248119E844A7290DBB0AEA6CB50

Function 00289556 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002897AB

Strings

Lc+, xrefs: 0028978B
Lc+, xrefs: 00289781, 00289785
Lc+, xrefs: 00289799
Lc+, xrefs: 00289719, 0028979D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID: Lc+$Lc+$Lc+$Lc+
API String ID: 431132790-1939725009
Opcode ID: 5867d32866fcf98395fbe7e2a364f8db377e225c88bb36c9c77d4ad7380c627d
Instruction ID: 41ca5c6155453f5871e550e18a233b22b51b3ce1eb4b1413aa471ac781d99463
Opcode Fuzzy Hash: 5867d32866fcf98395fbe7e2a364f8db377e225c88bb36c9c77d4ad7380c627d
Instruction Fuzzy Hash: 918158B99363168FDB24FF64C885B7AB7E8AF41300F0C092EE455971C1E7B499A48B91

Function 00293EFC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00293F03
SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00293F1B
SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00293F86

Strings

sfxpar, xrefs: 00293F81
sfxcmd, xrefs: 00293F16

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: EnvironmentVariable$H_prolog3_
String ID: sfxcmd$sfxpar
API String ID: 3605364767-3493335439
Opcode ID: 329c241512ab7f7732ec5842938e4e756a56fe4fe5fa8810f6561adafd168c80
Instruction ID: 94cedf22fbe737a730001045c38793817e4b040a704dfd5f71d89c8d3427e7e4
Opcode Fuzzy Hash: 329c241512ab7f7732ec5842938e4e756a56fe4fe5fa8810f6561adafd168c80
Instruction Fuzzy Hash: 33212570E21218DFCF14DFA8E9889EDB7F9EF09300B10442AF446A7640DB30AA65CF65

Function 0027E180 Relevance: 7.7, APIs: 5, Instructions: 183filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,1ECC2FF4,?,?,00000000,?,?,00000000,002A9E6B,000000FF), ref: 0027E248
GetLastError.KERNEL32(?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0027E25A
CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,002A9E6B,000000FF,?,00000011), ref: 0027E2A6
GetLastError.KERNEL32(?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0027E2AF
SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,002A9E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 0027E346

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: de99ae3af585e7b011a7c121cfb6741e91989f08fa6485b2dfc47f5400b5942d
Instruction ID: 4d7a511a0a21f833c346f955f2b862930bc3c5eea5af6708a22999c80ada42d5
Opcode Fuzzy Hash: de99ae3af585e7b011a7c121cfb6741e91989f08fa6485b2dfc47f5400b5942d
Instruction Fuzzy Hash: B261AE7092024ADFDF24CF64D885BEE7BA8FF09314F208259F91997281D7749964CBA4

Function 002874EC Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 002877CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,002773B8), ref: 002877E1
Part of subcall function 002877CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,002773B8), ref: 002877F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000,1ECC2FF4,?,?,00000001,00000000,002AA603,000000FF,?,002890B9,?,?,00275630,?), ref: 0028752A
FindCloseChangeNotification.KERNELBASE(?,?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?), ref: 00287544
DeleteCriticalSection.KERNEL32(?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 0028755D
CloseHandle.KERNEL32(?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00287569
CloseHandle.KERNEL32(?,?,002890B9,?,?,00275630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00287575

Part of subcall function 002875ED: WaitForSingleObject.KERNEL32(?,000000FF,0028770A,?,?,0028777F,?,?,?,?,?,00287769), ref: 002875F3
Part of subcall function 002875ED: GetLastError.KERNEL32(?,?,0028777F,?,?,?,?,?,00287769), ref: 002875FF

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 565839277-0
Opcode ID: c4e778bf1df741b0f28b74f4f6798cc6280efa50d943e4860bb012e2e229ae2a
Instruction ID: 876223270e4699ecbff15e090722147ef183f9e99e4f3f5b91bd7a364f70fa02
Opcode Fuzzy Hash: c4e778bf1df741b0f28b74f4f6798cc6280efa50d943e4860bb012e2e229ae2a
Instruction Fuzzy Hash: 9511C476004704EFD7229F64EC88FC6FBA9FB09710F50492AF556921A0CF75A954CB50

Function 00290678 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00290689
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0029069A
IsDialogMessageW.USER32(000103F8,?), ref: 002906AE
TranslateMessage.USER32(?), ref: 002906BC
DispatchMessageW.USER32(?), ref: 002906C6

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 9048cc592297e034cd0b6ccc45c3ec0680426f35635f16a729397c372eb6c7cd
Instruction ID: 332bb2e08735ea4d7479f807eb33b9f7d3cc5e0c37b63f023b18d925442f55ac
Opcode Fuzzy Hash: 9048cc592297e034cd0b6ccc45c3ec0680426f35635f16a729397c372eb6c7cd
Instruction Fuzzy Hash: E9F0D0B191622EAB8F20AFE2EC4CDDB7FBCEE452517404415F516D2050E724D515CBB0

Function 00292813 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002928B3

Strings

MAX, xrefs: 00292970
MIN, xrefs: 002929A4
HIDE, xrefs: 0029293D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _wcslen
String ID: HIDE$MAX$MIN
API String ID: 176396367-2426493550
Opcode ID: c238699ac1cd551dd50e44b6fc1578e1283379e062d495db0ba9075e562d3461
Instruction ID: 013f627ba6c628f71449971ecec4d25e91394d4326e4d5575970d8dd70b861c9
Opcode Fuzzy Hash: c238699ac1cd551dd50e44b6fc1578e1283379e062d495db0ba9075e562d3461
Instruction Fuzzy Hash: E1A16C72C20269DECF25DFA4CC84ADDB7B8BF49310F14419AD409B7241EB705A99CFA0

Function 0028F2CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0028F2EF
SHAutoComplete.SHLWAPI(?,00000010), ref: 0028F326

Part of subcall function 00288DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00280E3F,?,?,?,00000046,00281ECE,00000046,?,exe,00000046), ref: 00288DBA

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0028F316

Strings

EDIT, xrefs: 0028F2FA, 0028F305, 0028F312

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 6b91ffeed531b17fd6f112580fce94398592b15b0482727190bf13884ff7d82b
Instruction ID: c15c61faa53842fb9629d355c396d0d08cdd9a57d69f1b3307dcef7a94770466
Opcode Fuzzy Hash: 6b91ffeed531b17fd6f112580fce94398592b15b0482727190bf13884ff7d82b
Instruction Fuzzy Hash: 4CF0C835711219ABDB20AF24AD09FDFB7AC9F45B10F000065BA01E71C1DA70AA558B65

Function 0028F4D4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34comCOMMON

Download Yara Rule

APIs

Part of subcall function 00286C5E: __EH_prolog3_GS.LIBCMT ref: 00286C65
Part of subcall function 00286C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A

OleInitialize.OLE32(00000000), ref: 0028F4ED
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0028F524
SHGetMalloc.SHELL32(002C532C), ref: 0028F52E

Strings

riched20.dll, xrefs: 0028F4DC

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
String ID: riched20.dll
API String ID: 2446841611-3360196438
Opcode ID: 1a002fa5d4f2135b6c3fe69cd8980b5d2d9d72212f7ed55d07560830997f55dd
Instruction ID: 0375b7904521396cf85161f5c0da45543c9b2ff8fbbef70472741ea043f865ac
Opcode Fuzzy Hash: 1a002fa5d4f2135b6c3fe69cd8980b5d2d9d72212f7ed55d07560830997f55dd
Instruction Fuzzy Hash: 2FF0F9B5D00219ABCB10AF99DC4DDEEFBFCEF95700F00405AE415E2251DBB856558FA1

Function 0027E948 Relevance: 6.1, APIs: 4, Instructions: 117fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027E94F
GetStdHandle.KERNEL32(000000F5,0000002C,00282D28,?,?,?,?,00000000,0028ABB6,?,?,?,?,?,0028A80E,?), ref: 0027E978
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0027E9BE

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileH_prolog3_HandleWrite
String ID:
API String ID: 2898186245-0
Opcode ID: 68d03a5d33ceaed458b416873a8b340b650fd84a76f5c0c857b707deb655710d
Instruction ID: 87a9b703edc29419c154351b77ecff180af283d4827267837706333a24629cae
Opcode Fuzzy Hash: 68d03a5d33ceaed458b416873a8b340b650fd84a76f5c0c857b707deb655710d
Instruction Fuzzy Hash: 9941D036A21215EBDF10DF64D884BED7B76BF89700F158158F905AB280CB709D64CBA1

Function 0027EFEF Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027EFF6
CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,0027EBA7,?,00000001,00000000,?,?,00000024,0027A4DE,?,00000001,?,?), ref: 0027F01F
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,0027EBA7,?,00000001,00000000,?,?,00000024,0027A4DE,?), ref: 0027F075
GetLastError.KERNEL32(?,?,00000024,0027EBA7,?,00000001,00000000,?,?,00000024,0027A4DE,?,00000001,?,?,00000000), ref: 0027F0E3

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CreateDirectory$ErrorH_prolog3_Last
String ID:
API String ID: 3709856315-0
Opcode ID: 65955f0d575f3880114fa1f68e71fe02c0523419cbcc67a2dcdf7aed5a0ec013
Instruction ID: 13ab6bf2d6ae9a67272f05ade48e6232973dc5230c266a22119bfb5a349b29aa
Opcode Fuzzy Hash: 65955f0d575f3880114fa1f68e71fe02c0523419cbcc67a2dcdf7aed5a0ec013
Instruction Fuzzy Hash: 2731F771924209DBCF50DFE9CA88AEEBBF8AF48300F10842AE504E3351DB308951CB71

Function 0027E019 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E029
ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E041
GetLastError.KERNEL32(?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E073
GetLastError.KERNEL32(?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E092

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: ae96e5923cc7bdc94f59288872ef2bf1e9b605db4f0fe1ea43d86493ced6cd76
Instruction ID: 8e1c897fcb95180ca8285a890dc8b5e3b7e942921df693a3a5ecc3a03681b3ad
Opcode Fuzzy Hash: ae96e5923cc7bdc94f59288872ef2bf1e9b605db4f0fe1ea43d86493ced6cd76
Instruction Fuzzy Hash: 7C11C230520219EBDF305F60D908B6E37A9FB49324F22C6A9E42EE5190CBF19D649B75

Function 00287628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 0028764C
SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,0027736D,00275AB0,?), ref: 00287693

Part of subcall function 002792EB: __EH_prolog3_GS.LIBCMT ref: 002792F2

Part of subcall function 00279500: __EH_prolog3_GS.LIBCMT ref: 00279507

Strings

CreateThread failed, xrefs: 00287658

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_Thread$CreatePriority
String ID: CreateThread failed
API String ID: 3138599208-3849766595
Opcode ID: 8abcd1f025290641b690c85436c5a9666a89812dcfc4c800628c5fac0efd3382
Instruction ID: 332362be060c4c77c34b61d6ce194de9fac3b4c903a309111f4be4cabb728ff8
Opcode Fuzzy Hash: 8abcd1f025290641b690c85436c5a9666a89812dcfc4c800628c5fac0efd3382
Instruction Fuzzy Hash: 8601F2752697167BE6107E68AC85FA2739CEB42750F300529F94AA2181DAB1A8648728

Function 00293C78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00293C82
_wcslen.LIBCMT ref: 00293C99

Part of subcall function 00286A89: _wcslen.LIBCMT ref: 00286AA6

Part of subcall function 0027B03D: __EH_prolog3_GS.LIBCMT ref: 0027B044

Part of subcall function 0027B3E1: __EH_prolog3_GS.LIBCMT ref: 0027B3E8

Strings

|Z,, xrefs: 00293CA1

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3__wcslen$H_prolog3_catch_
String ID: |Z,
API String ID: 1265872803-3492188443
Opcode ID: 44415677dfdc273c0892155e8aaf3b33399ae086e3c68be6411a15012bcfe882
Instruction ID: ca295d595a76810911cf67baf7981783dbad910d3db9f1776522625e171ecde3
Opcode Fuzzy Hash: 44415677dfdc273c0892155e8aaf3b33399ae086e3c68be6411a15012bcfe882
Instruction Fuzzy Hash: 5511AC359319B09FC705EB64AC15FDD7BA49B16310F40429EE44897253CBB0AAD4CFA1

Function 0027DE9A Relevance: 4.6, APIs: 3, Instructions: 115fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027DEA1
CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,0027E8F5,?,?,0027A6B9,?,00000011,?), ref: 0027DF15
CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,0027D303,?,?,?), ref: 0027DF65

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CreateFile$H_prolog3_
String ID:
API String ID: 1771569470-0
Opcode ID: 273f9ba8bfa952dc55b2e04a985e158110712569f7cb072164a59e8c9df1b84d
Instruction ID: c221011f1dc6ee6d06df4cc7d59ce86907ed7ed1fb31f9021c1675d69b321a16
Opcode Fuzzy Hash: 273f9ba8bfa952dc55b2e04a985e158110712569f7cb072164a59e8c9df1b84d
Instruction Fuzzy Hash: 394180709202099FDF14DFA4D889BEEB7F8AF09320F10961EE056A6281D774A9548B25

Function 00286C5E Relevance: 4.6, APIs: 3, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00286C65
GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A
LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00286D0C

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: DirectoryH_prolog3_LibraryLoadSystem
String ID:
API String ID: 1552931673-0
Opcode ID: 24656a0859593abb8f9647a12cc70770fa676c64c16812b4f2e1dce13c32e077
Instruction ID: 35763d9011d210bde53cd87506977fe203ec44d1124984ba18c32a58ad3b6593
Opcode Fuzzy Hash: 24656a0859593abb8f9647a12cc70770fa676c64c16812b4f2e1dce13c32e077
Instruction Fuzzy Hash: 0031AE75E20208DBCF04EBE4C889BEEBBB8AF48314F10411EE505B7281DB345A65CF65

Function 0027F58B Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027F592
SetFileAttributesW.KERNELBASE(?,?,00000024,0027A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0027F5A8
SetFileAttributesW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049), ref: 0027F5EB

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AttributesFile$H_prolog3_
String ID:
API String ID: 2559025557-0
Opcode ID: e6db0eb333604af733b5227c5ca0dbc14860523401ac58ce5910ad6251ddf66b
Instruction ID: 1376c4d55a82c8112d02bf6800a80a5e15779d3913ab0e053d4601781f90015c
Opcode Fuzzy Hash: e6db0eb333604af733b5227c5ca0dbc14860523401ac58ce5910ad6251ddf66b
Instruction Fuzzy Hash: A8112970924219EBCF04DFA4E985ADEB7B8BF08310F14802AF514E7250DB349A65CF64

Function 0027EC63 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027EC6A
DeleteFileW.KERNELBASE(?,00000024,0027D6F7,?), ref: 0027EC7D
DeleteFileW.KERNEL32(00000000,?,00000000), ref: 0027ECBD

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: DeleteFile$H_prolog3_
String ID:
API String ID: 3558260747-0
Opcode ID: 3e50de2cf350b34e225b3a6322d2dcfca4d95e63a0e9a6ab71329abff131d591
Instruction ID: 310b3af7e391a6612541c12f1ffdec72cbee03f5379c0c068834a2478a762560
Opcode Fuzzy Hash: 3e50de2cf350b34e225b3a6322d2dcfca4d95e63a0e9a6ab71329abff131d591
Instruction Fuzzy Hash: EF110A75D20219DBDF05DFA4E989AEEB7B8AF0D310F14502AE504E7250DB349AA4CF74

Function 0027ED1F Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027ED26
GetFileAttributesW.KERNELBASE(?,00000024,0027ED16,00000000,0027A4A1,1ECC2FF4,?,0027CDDD,?,?,?,?,?,?,?,?), ref: 0027ED39
GetFileAttributesW.KERNELBASE(?,?,?), ref: 0027ED79

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AttributesFile$H_prolog3_
String ID:
API String ID: 2559025557-0
Opcode ID: 5511a2f76ca6eec24f21cbcd1706ced217d5f44c8930bdbb8eabf136c27c8151
Instruction ID: 509e194c7d5f0061b61fbe5460afa233a9de516f05be928cfc40570d909b168b
Opcode Fuzzy Hash: 5511a2f76ca6eec24f21cbcd1706ced217d5f44c8930bdbb8eabf136c27c8151
Instruction Fuzzy Hash: 55113774920218DBCF14EFE8E8899EDB7F9AF4D310F14442AE504F3280DB309A548B74

Function 0029492B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: bf81d63f212d3a5ec2066679540f4f4223f5b6a47c51673c79ad63ce11793d5e
Instruction ID: 185ac7f4323d844864ca748e49d91d686398a33c6a23fbabf045374bf613ce52
Opcode Fuzzy Hash: bf81d63f212d3a5ec2066679540f4f4223f5b6a47c51673c79ad63ce11793d5e
Instruction Fuzzy Hash: 5CB0128127C0016C360472157E02D37011CC0C5B51330471EF804C1581D4C14E730431

Function 00294921 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 0182094c468073eadc2e385ada9fd2103671ac77ce7692ff403289609ad5dd9e
Instruction ID: 75f891bfacc9fe7af1631f8e511fdb33c960cbc8281c8790e8859b86a26ad38f
Opcode Fuzzy Hash: 0182094c468073eadc2e385ada9fd2103671ac77ce7692ff403289609ad5dd9e
Instruction Fuzzy Hash: 3FB0128127C1016C374472157D02D37011CC0C5B51330471EF404C1581D4C04DB20431

Function 0029493F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: ee868c4bc5bc5062a11c583b43d0ab2ce0abbe6fbf6c22c9a831cfebe66c54e2
Instruction ID: 2c15b8595a550a56a5029b095ab5e2150f0be6ffc8b7ccc5294b2227d276bcbf
Opcode Fuzzy Hash: ee868c4bc5bc5062a11c583b43d0ab2ce0abbe6fbf6c22c9a831cfebe66c54e2
Instruction Fuzzy Hash: 89B0128527C1016C360472143D02D37010CC0C6B51330861EF804C1681D4C05D720431

Function 00294935 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 38659ccc35d4ae37cf7a04096f888b8ec1e498b080a9b69d5d781f717dd8e9be
Instruction ID: eeaf46bf4b45b0e8e8cc09e2f597aa0795624af62a31d5ebecf78741ab4646b7
Opcode Fuzzy Hash: 38659ccc35d4ae37cf7a04096f888b8ec1e498b080a9b69d5d781f717dd8e9be
Instruction Fuzzy Hash: 00B0128127C1016C360472147D02D37011CC0C5B51330471FF404C1581D4C04D720431

Function 00294906 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: d33d438056a6df595c4c7a9febb59f4be3cd52192b5e299629eed1d911f78d1d
Instruction ID: f0b24bf8f67149a116ab5d65dea8d58ed7269d4ffdb2674693cb5388ccb0eff9
Opcode Fuzzy Hash: d33d438056a6df595c4c7a9febb59f4be3cd52192b5e299629eed1d911f78d1d
Instruction Fuzzy Hash: 5CB0129127C0017C360432113E02D37020CC4C1B51331461EF800C048298C25E730431

Function 00294967 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912, 00294967

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 8024a96be05a96642512d2cfc92e8a6cda65da4bf6bc76b2058ffe798cc3ebf9
Instruction ID: 493d66392755bf6aca9ac5560c03d028dbeed71632e47f7c8f665bd451fe7376
Opcode Fuzzy Hash: 8024a96be05a96642512d2cfc92e8a6cda65da4bf6bc76b2058ffe798cc3ebf9
Instruction Fuzzy Hash: 1BB0128127C0026C364876143D02D37010CC0C6B51330C61FF804C1681D4C04D760431

Function 0029497B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 46c22965d2638a8bde0ca6457880262729d0771d08fd5715943fabbb4018ee3c
Instruction ID: 89edbef68786dc7b791bef3fe491623c1dbd9a53fe87c0737b040f3366405e00
Opcode Fuzzy Hash: 46c22965d2638a8bde0ca6457880262729d0771d08fd5715943fabbb4018ee3c
Instruction Fuzzy Hash: AEB0128127C0016C364872153E02D37010CC0C5B51330861EF804C1681D4C14E7B1431

Function 00294949 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 9c71618178eb7d5c821070ef030897303414b1acf1865e7447d82b00ab6a794d
Instruction ID: 2b5cb6e6feee502f3ef19854006731d744b452dbe91f581a9fd718a344b7078b
Opcode Fuzzy Hash: 9c71618178eb7d5c821070ef030897303414b1acf1865e7447d82b00ab6a794d
Instruction Fuzzy Hash: 8BB0128527C2016C3B4472153D02D37011CC0C5B51330471EF404C1681D4C04DB20431

Function 0029495D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: ed434a23c49028f06afe450a7738cd495b6bf175d32fed4062a5c744afb74af9
Instruction ID: 062a61dfbeaf5cd12cf644769df0920817dcaebf8031936f978598b1e4eed5c5
Opcode Fuzzy Hash: ed434a23c49028f06afe450a7738cd495b6bf175d32fed4062a5c744afb74af9
Instruction Fuzzy Hash: B9B012C527C1016C360472143D02D37010CC0C5B51330461EF404C1681D4C04D720531

Function 00294953 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 1cfbc110237affb76c0e2b687b557ca6e769deb96749004143afd4e70d35b0ad
Instruction ID: dcb5ba21d119e0c7f2b0adf7def03c67c79ce14cdcb4ff8e39f422430bae696e
Opcode Fuzzy Hash: 1cfbc110237affb76c0e2b687b557ca6e769deb96749004143afd4e70d35b0ad
Instruction Fuzzy Hash: 0DB0128527C2016C360472153E02D37010CC0C5B51330461EF804C1681D4C14F730431

Function 002949A3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 10f5d08cbe0feffe0ed9385334f2dc0d8ca2b88eb8c49b48b985425e551b4f89
Instruction ID: b1a22a7a204322a34bcf02ac41b1fb77bdd4a8454051ba5ad32e0c5524479e66
Opcode Fuzzy Hash: 10f5d08cbe0feffe0ed9385334f2dc0d8ca2b88eb8c49b48b985425e551b4f89
Instruction Fuzzy Hash: A8B0129127C0016C360472153E02E37010CC0C5B51330462EF804C1581D4C14F730431

Function 002949B7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 546b6e215957a247843d6c4d04a2df0df31c57b75130b5f7036a2b76335bc638
Instruction ID: 9a0512b1f1841ffe318b176dfa7de766e8e2bfc1c77224abf586f914161f9331
Opcode Fuzzy Hash: 546b6e215957a247843d6c4d04a2df0df31c57b75130b5f7036a2b76335bc638
Instruction Fuzzy Hash: 47B012812BD0016C3A0472143D02D37010DC0C6B51330861EF808C15C1D4C04D720431

Function 0029498F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: ffc00b4469fbb5e1aa4374d5746809f2c13128937eb7d1484cf32338a9af3447
Instruction ID: de5ef3b3e3b666bb543ff00546243a3380aa5dc2f28607707cedeba8f4319504
Opcode Fuzzy Hash: ffc00b4469fbb5e1aa4374d5746809f2c13128937eb7d1484cf32338a9af3447
Instruction Fuzzy Hash: D6B0129227C0016C360472143D02E37010CC0C6B51330862EF804C1581D4C04E720431

Function 00294985 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: c0ee3ddc9db8f3443d35e213b7ced1b27cc52ed64995ff1d67461580c5a292c0
Instruction ID: 78052c5bf4e8f77704c0e6a49162cc708c7ed21f76d40f1d9890991e058c57d7
Opcode Fuzzy Hash: c0ee3ddc9db8f3443d35e213b7ced1b27cc52ed64995ff1d67461580c5a292c0
Instruction Fuzzy Hash: 5FB0128127C0016C364872643D02D37010CC0C5B513308A1EF405C1681D4C04D760431

Function 00294999 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 9f68d349de5b2ea9677804ddb80ebd0d28f548b2bd0bf1db1f55447399e3ec1a
Instruction ID: aa80478e8112b470736cc0e2120a20f06a3743fb96d99f5ea08399578e745c0d
Opcode Fuzzy Hash: 9f68d349de5b2ea9677804ddb80ebd0d28f548b2bd0bf1db1f55447399e3ec1a
Instruction Fuzzy Hash: FAB0129127C1016C374472153D02E37010CC0C5B51330472EF404C1581D4C04EB20431

Function 002949C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: d78e02f0e22e0545c0314c3594b5223d272c8bec8814ac33b0fdf1b01c14b956
Instruction ID: 930be10ca2763813048e368f20d5f4476614f26c04d3b98e10754be20287050f
Opcode Fuzzy Hash: d78e02f0e22e0545c0314c3594b5223d272c8bec8814ac33b0fdf1b01c14b956
Instruction Fuzzy Hash: 78B0129127D1016C3B4473153D02D37010DC0C5B51330471EF408C1581D4C08DB20431

Function 002949D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 42c8f1f133486789da1cb18526bc7b9c733d934468c4d01b91af9baca5d50d05
Instruction ID: f40f824524deb4a098748cbc57be0a8a5eea9cec14d6fe3c973ee530d214b24e
Opcode Fuzzy Hash: 42c8f1f133486789da1cb18526bc7b9c733d934468c4d01b91af9baca5d50d05
Instruction Fuzzy Hash: 71B0128127D0016C3A0472143D02D37014EC4C5B51330461EF408C1581D4C04D720431

Function 00294A07 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 71cf6c7584e33da02226cbfb4cc0166f14121c906bc6da98ba282483f3f36d5b
Instruction ID: 6cba7a358e65a97e109f5d4eefa3ef5e0f3e77df63bece3252f5a411c228a84b
Opcode Fuzzy Hash: 71cf6c7584e33da02226cbfb4cc0166f14121c906bc6da98ba282483f3f36d5b
Instruction Fuzzy Hash: 89B0128127C0016D360472143D03D37010CC0C6B513308A1EF804C5581D4C04D720431

Function 00294976 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: ba51bf44d974ea46f30930becbe0e0594a3a7471ffa7ecded64ae5553de4d5b4
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: ba51bf44d974ea46f30930becbe0e0594a3a7471ffa7ecded64ae5553de4d5b4
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 002949B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: fb6e887399a3af38256422228720a8f95b955ca602d149965aa155c7bb32ea89
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: fb6e887399a3af38256422228720a8f95b955ca602d149965aa155c7bb32ea89
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 002949EE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 95fa9c8404b692e05ee789fc5b05043fc82cfc20519c5b1628b06d426ed5352c
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: 95fa9c8404b692e05ee789fc5b05043fc82cfc20519c5b1628b06d426ed5352c
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 002949E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 125a0af44fe3f218a514acfe21d30877f82a7c57a1ef1d05ab8c540986b6d660
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: 125a0af44fe3f218a514acfe21d30877f82a7c57a1ef1d05ab8c540986b6d660
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 002949F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: b57a7068d83dafe8d0e56d32595f63a9b1bdd2dff2a7e00137e2fd255992f69e
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: b57a7068d83dafe8d0e56d32595f63a9b1bdd2dff2a7e00137e2fd255992f69e
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 002949D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: f74516db5a5103b658d610fafbcebc5025618c54f4be19b955388ef6570275a8
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: f74516db5a5103b658d610fafbcebc5025618c54f4be19b955388ef6570275a8
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 00294A02 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294918

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Strings

gI), xrefs: 00294912

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: gI)
API String ID: 1269201914-3520096407
Opcode ID: 9a7b85dc3dede5f0de905b4420cc481668a2a05f47f9620da2656a87568d1430
Instruction ID: 1586b432ea45d31d1c25fee7a50dee08d8ae35164b056f193bafc64187be0d95
Opcode Fuzzy Hash: 9a7b85dc3dede5f0de905b4420cc481668a2a05f47f9620da2656a87568d1430
Instruction Fuzzy Hash: D0A001966BD112BC3A0872617E06C7B021DC4DABA63318A1AF842C5982A8815AA61431

Function 0027E3D5 Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,0027E3B1,?,?,00000000,?,?,0027CC21,?), ref: 0027E55F
GetLastError.KERNEL32 ref: 0027E56E

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 955acbd7924a6119de24b0b792794cd00f719490085144f98a4359df83c970b1
Instruction ID: f1841cf3e8ec1291d2ab12775ee52bc23a8185f2073155e9cf603568d2352f5c
Opcode Fuzzy Hash: 955acbd7924a6119de24b0b792794cd00f719490085144f98a4359df83c970b1
Instruction Fuzzy Hash: 774114706243568BCF209F24D4986AAB3E5FF5C320F56859DD88D83241E7B0DCA08BB2

Function 0027E772 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 0027E78C
SetFileTime.KERNELBASE(?,?,?,?), ref: 0027E840

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 71eb32f4df11126d3d7e47cf4b147291d88a7168a40290c10cd7ed107e44b4a6
Instruction ID: 4db1d77bf9b8ad77cbc199faf5a34a563468c6591fe5eb182586b97559f6fdd7
Opcode Fuzzy Hash: 71eb32f4df11126d3d7e47cf4b147291d88a7168a40290c10cd7ed107e44b4a6
Instruction Fuzzy Hash: E121E935169242DBCB18DE24C491AABFBE8AF99304F05895CF4C9C3181D739D92CD762

Function 0027E850 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0027E897
GetLastError.KERNEL32 ref: 0027E8A4

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 44dc67b295f4ffa85333a45bcb3a9a521c79581e6ba24a777f7dbbc4fa79331c
Instruction ID: 9f72f46559b30f84fb1ad6741aa10e2e148f7e2987da6b03ff155a0348bb0e9f
Opcode Fuzzy Hash: 44dc67b295f4ffa85333a45bcb3a9a521c79581e6ba24a777f7dbbc4fa79331c
Instruction Fuzzy Hash: C3112530620301AFEB20DA64C8447A673E9AB09370F618BA8E056D25E0D7B0EC65CB71

Function 00271CE2 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00271CE9
GetDlgItem.USER32(?,?), ref: 00271D01

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_Item_wcslen
String ID:
API String ID: 896027972-0
Opcode ID: 99293a5d7c3863103c36f1613b094f9bdb2ce2c2c293d81ba6a03e1679493ba1
Instruction ID: 43653d0e5c8b1b14b5c0c461eecb52e2e177fbb155996c9c0bc93798caf6a5af
Opcode Fuzzy Hash: 99293a5d7c3863103c36f1613b094f9bdb2ce2c2c293d81ba6a03e1679493ba1
Instruction Fuzzy Hash: 8901B1716202149BD724EFA8C886BEDB7E8AF58700F04410AF91AA7291CB709A71CF10

Function 0029F124 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 002A2BE0: GetEnvironmentStringsW.KERNEL32 ref: 002A2BE9
Part of subcall function 002A2BE0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002A2C0C
Part of subcall function 002A2BE0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002A2C32
Part of subcall function 002A2BE0: _free.LIBCMT ref: 002A2C45
Part of subcall function 002A2BE0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A2C54

_free.LIBCMT ref: 0029F16A
_free.LIBCMT ref: 0029F171

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: be788aab6f44f1ca88be5dec85f430ebee6d5dbe57afc8d0010ae8dc780e0edc
Instruction ID: 355f7551691c5e41b17baefb039bd51b7976b2a14cfe6ead7b774645c0937c19
Opcode Fuzzy Hash: be788aab6f44f1ca88be5dec85f430ebee6d5dbe57afc8d0010ae8dc780e0edc
Instruction Fuzzy Hash: D9E0E512A3961197DEE2363DAD45B2A12104BC2374B11077AF828E70D2CEA4882549E7

Function 002876A7 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,002876EA,00280B6F), ref: 002876B4
GetProcessAffinityMask.KERNEL32(00000000,?,002876EA), ref: 002876BB

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: f5ff05b96d3b35a17f1c9c44c7bfbf9de0cadf2f301d2f794005978e1cc413a8
Instruction ID: b747b4c88a63b7a0c9fd75c255326eb49d841c8fb71de4160d2d17d336acd682
Opcode Fuzzy Hash: f5ff05b96d3b35a17f1c9c44c7bfbf9de0cadf2f301d2f794005978e1cc413a8
Instruction Fuzzy Hash: C9E09237B26517A79F199BA99C099AB779DAA442443344079A413D3240F974ED0547A0

Function 0028F53A Relevance: 3.0, APIs: 2, Instructions: 31comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,002A9B73,000000FF), ref: 0028F578
OleUninitialize.OLE32(?,?,?,?,002A9B73,000000FF), ref: 0028F57D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 046333e5c45287f93442cc16bd7e24acde006e084786da206eccf2fc61133928
Instruction ID: f9f1238d8b03300426e0a4cf5bd7e7851114f65da6decf23a48f601a89eafdbb
Opcode Fuzzy Hash: 046333e5c45287f93442cc16bd7e24acde006e084786da206eccf2fc61133928
Instruction Fuzzy Hash: 07F05E76608954AFC701DF59EC45F4ABBE8FB49760F004266E916D37A0CB75A840CB90

Function 0028E849 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0028E86A
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0028E871

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: ed160216268798a2b6509925ec2be5d55532b532092e689f25f68ab5bce58a80
Instruction ID: 16aee48e8eb6e37e7cad724ecefc2bb298e5fed9a41742a97393fb9a7ce42070
Opcode Fuzzy Hash: ed160216268798a2b6509925ec2be5d55532b532092e689f25f68ab5bce58a80
Instruction Fuzzy Hash: 86E09275521218EFCF10EF45CC0179DB7F8EF04350F20805AA88593601D7B0AE10DF90

Function 00271E1F Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00271E34
ShowWindow.USER32(00000000), ref: 00271E3B

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 351742344e6b39173f03619e46cb1e6b4470fac0a9972d6a2069f2f8339f05ec
Instruction ID: b40bf2123d7ddccbbfd445645d093f11417c2c4bd8659411c2e455a4fa5269bd
Opcode Fuzzy Hash: 351742344e6b39173f03619e46cb1e6b4470fac0a9972d6a2069f2f8339f05ec
Instruction Fuzzy Hash: 0CC0123205C600BECB010BB1EC0DD2ABBA8ABA4212F08CA08B0B9C0060C239C010DF11

Function 002727E0 Relevance: 1.8, APIs: 1, Instructions: 306COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002727E7

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 94eae78fd7ce9de78eadc9981a2febc9aa24c856df59802cb3957ea5e012c663
Instruction ID: d7660887322c8fc9fec1f165140f217fb68413102053cb2c3a0d08630544da1f
Opcode Fuzzy Hash: 94eae78fd7ce9de78eadc9981a2febc9aa24c856df59802cb3957ea5e012c663
Instruction Fuzzy Hash: BCC1A330A24256DBDF25CF64C8947ED7BE4AF06300F1890B9ED09DF286C7709969CBA1

Function 002720B0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002720B7

Part of subcall function 002780EC: __EH_prolog3.LIBCMT ref: 002780F3

Part of subcall function 00282815: __EH_prolog3.LIBCMT ref: 0028281C

Part of subcall function 002776E7: __EH_prolog3.LIBCMT ref: 002776EE

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 6baeb3d95a2522b1347c3ca9b41e54a1cbcecee550f2a7c22c2f17830cfeeb90
Instruction ID: 11eab8d81953c028bd1f11da18e81336992af6d7f40a2f8f6d4d7c75a523738d
Opcode Fuzzy Hash: 6baeb3d95a2522b1347c3ca9b41e54a1cbcecee550f2a7c22c2f17830cfeeb90
Instruction Fuzzy Hash: DE51E4B1A15780CEDB45DF6A84807C9BBE0BF59300F0881BADC4DDE69BDBB44254CB61

Function 0027B3E1 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027B3E8

Part of subcall function 0027F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?,?,?,?), ref: 0027F739

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CloseFindH_prolog3_
String ID:
API String ID: 2672038326-0
Opcode ID: 528f189a2e4359ec00a7dae7a29972cfc217eb77f2b1ec41724f2d7e88b3ad2f
Instruction ID: ac3a530b0b3e6d87a3a7cf398d0ae3d02f1cd074ba9d754dd71ad5585983d97f
Opcode Fuzzy Hash: 528f189a2e4359ec00a7dae7a29972cfc217eb77f2b1ec41724f2d7e88b3ad2f
Instruction Fuzzy Hash: 244158709207098FCB21DFA9C8A5BA9B7B1BF05308F54846EE15E9B352D730A865CF25

Function 00272C30 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00272C37

Part of subcall function 0028880E: __EH_prolog3.LIBCMT ref: 00288815

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3H_prolog3_
String ID:
API String ID: 3355343447-0
Opcode ID: 0a096ce126c2b669490250dd303cf32eddbc9b02b46c3dbcd012504d7292ddb8
Instruction ID: f1f4da2832ace6fdc2f567819e0e9ad8c3147dc519c791589abe5706179b1758
Opcode Fuzzy Hash: 0a096ce126c2b669490250dd303cf32eddbc9b02b46c3dbcd012504d7292ddb8
Instruction Fuzzy Hash: B331FD7592120CEACF15EFE4D8919EDBBB9EF18300F54412EF409A7251DB7099A9CF60

Function 002776E7 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002776EE

Part of subcall function 00284F2B: __EH_prolog3.LIBCMT ref: 00284F32

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: bf5f5dd617a79c75edc933621e2d574826b9f003ad34a5caa79742ad1541e41f
Instruction ID: adcfa3cee32d93d692c7fd8162678e07a765630ac70c8cb41a26b0bd6c8f1863
Opcode Fuzzy Hash: bf5f5dd617a79c75edc933621e2d574826b9f003ad34a5caa79742ad1541e41f
Instruction Fuzzy Hash: 184156B4816B85CAC725EFBAD1493CAFBE4AF64300F10995FD1AE93361D7B025048F19

Function 002897A4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002897AB

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 88d48ecf7d46d27f6834f9a0dc220ae82c7ddc1fe558322904989153f39694ac
Instruction ID: 57421d5e00acb037e56ec83cca53fb556a7019a3f135d194c065013c7e8c8356
Opcode Fuzzy Hash: 88d48ecf7d46d27f6834f9a0dc220ae82c7ddc1fe558322904989153f39694ac
Instruction Fuzzy Hash: B6212B75E212139FEF18AF748C49A6E7664BF01304F090139E509AB2C1D7709DA0CBE4

Function 0027D771 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027D778

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 160c31bc91b46e46aaa8be5ce5f9464b1d87170dd5e939202aa50c237be78040
Instruction ID: 6edcd82f6839fb0a9aef01028483735d3b153f59159aea358d83fc2541ca8bb6
Opcode Fuzzy Hash: 160c31bc91b46e46aaa8be5ce5f9464b1d87170dd5e939202aa50c237be78040
Instruction Fuzzy Hash: 9E218376A1161A9BDB15DFE9CC81AEFB7B9AF88300F14401AE508B7241CB709E158BA5

Function 0027EAF3 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027EAFA

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 776a395c08d81e7bd672c070dec27f0e4eefa08252aee07d4fca5edfbb6bc2a0
Instruction ID: bc3f288c075d464a0dd744917c8ce6bb0240250dcda10e4407f1aaa7b124413a
Opcode Fuzzy Hash: 776a395c08d81e7bd672c070dec27f0e4eefa08252aee07d4fca5edfbb6bc2a0
Instruction Fuzzy Hash: A421F9306213059EDF20AF64C842EEE77ADBF1A758F16A489F44AA7181C7709969CB70

Function 002A040E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee286a33ce3b248e5c6239afe1d0c650029f5ed31de1cb9afc5b27591b7dc1f4
Instruction ID: 67b03dbaca891ea5c8158aec90e9ed3b37cca32cea43defac58c327b4007945e
Opcode Fuzzy Hash: ee286a33ce3b248e5c6239afe1d0c650029f5ed31de1cb9afc5b27591b7dc1f4
Instruction Fuzzy Hash: D1E0653113521297EA612B65AC85B5B7A48FF4B3A0F294120EE4896191CFA1DC2085A2

Function 0027DE50 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000001,0027DE10,1ECC2FF4,?,00000000,002A93B1,000000FF,?,0027BEA6,?), ref: 0027DE6B

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 84052aead9291677ad511e7c210355793fa3305971d920cb23b8f7599ad7f995
Instruction ID: f7db0061d22735b639a83e38fa9e3a1759288614ed8facc7e35b8921a4e99354
Opcode Fuzzy Hash: 84052aead9291677ad511e7c210355793fa3305971d920cb23b8f7599ad7f995
Instruction Fuzzy Hash: D8F08270461B039BD7359E24D414392B6F46F21334F04CB1DD1EA465E4C770A9A99A51

Function 0027F711 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0027F826: __EH_prolog3_GS.LIBCMT ref: 0027F830
Part of subcall function 0027F826: FindFirstFileW.KERNELBASE(?,?,00000274,0027F733,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?), ref: 0027F859
Part of subcall function 0027F826: FindFirstFileW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049), ref: 0027F8A4
Part of subcall function 0027F826: GetLastError.KERNEL32(?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049,?,00000000), ref: 0027F902

FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0027A684,?,?,00000000,?,?,?,?,?,?), ref: 0027F739

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Find$FileFirst$CloseErrorH_prolog3_Last
String ID:
API String ID: 765066492-0
Opcode ID: 309e164cb00a41ee6ff000ed6849875090671910127a476b08eacd0217df5b8a
Instruction ID: 77941b4daee4bb1973eec97967ebda99f2e07df024b9d7e96ed3fdf5ddd9e2fb
Opcode Fuzzy Hash: 309e164cb00a41ee6ff000ed6849875090671910127a476b08eacd0217df5b8a
Instruction Fuzzy Hash: E7F0823501E760AECE616BA48904A8BBFD46F1B360F108B49F0FD121A2C2709465DB22

Function 002873F8 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 0028742D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: a4b3a3469bb8d399c44204b05f816f8513371de7608c8befeb0e8872040f4bde
Instruction ID: 14e351a4b467cfccf4ab411245c3477f8f2fdeec6b8b219d6e0e20201c0f8650
Opcode Fuzzy Hash: a4b3a3469bb8d399c44204b05f816f8513371de7608c8befeb0e8872040f4bde
Instruction Fuzzy Hash: A1D0C20463A12022EA113B2428497FD190E4F82315F098025B408631C39E9408AA97AA

Function 002711DD Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00271206

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
Instruction ID: 8b61af632b292fbaeb3f7b2abde11a5b17b4acbe74f84b4c9708c6b79fdb7cb5
Opcode Fuzzy Hash: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
Instruction Fuzzy Hash: 53D05E767226134E8B2DEF38C46682E76A46E90305320822DF42ECA682DF31CC35CB59

Function 0028EB06 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0028EB0C

Part of subcall function 0028E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0028E86A

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
Instruction ID: cdf120a81c994bd3f668c395bf66daee41db4ccc9a5998d4da7e2419aa1c5036
Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
Instruction Fuzzy Hash: 13D0C93432120ABADF467F61CC1297E7A99EF00358F418525BD46951E1EAB1EA30ABA1

Function 00294231 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00294256

Part of subcall function 00290678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00290689
Part of subcall function 00290678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0029069A
Part of subcall function 00290678: IsDialogMessageW.USER32(000103F8,?), ref: 002906AE
Part of subcall function 00290678: TranslateMessage.USER32(?), ref: 002906BC
Part of subcall function 00290678: DispatchMessageW.USER32(?), ref: 002906C6

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: d99c110430eee003fd7f1fa07e58b7555c5dd427ce4f07c19e5832a249679588
Instruction ID: a199f97a6b2b7ad71a2e4d9809f8f37598e5a12d500ba96d26c6fe284736a24f
Opcode Fuzzy Hash: d99c110430eee003fd7f1fa07e58b7555c5dd427ce4f07c19e5832a249679588
Instruction Fuzzy Hash: 59D09E36155300AEDB122B51DE0AF0A7AE6BB88B04F404654B345340F1C662AE709F16

Function 00294D2C Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

Part of subcall function 00294DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00294DF2

DloadProtectSection.DELAYIMP ref: 00294D54

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AcquireDloadExclusiveLockProtectSection
String ID:
API String ID: 3680172570-0
Opcode ID: 9fe1fedbf8a658d8d7b0e4ba7bf881bdaee93454b164d4bcf8339d1965c4f4cd
Instruction ID: 810f380bd881dfea3344716b09bec800f8f373eebc5e9caefd2218e52bc25886
Opcode Fuzzy Hash: 9fe1fedbf8a658d8d7b0e4ba7bf881bdaee93454b164d4bcf8339d1965c4f4cd
Instruction Fuzzy Hash: A3D0123C1307719ECF15BF24AC4EF142390BB05B14F800646F253855B8DFB8A4B3AAA1

Function 0027E152 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,0027E052,?,?,?,00000000,0027E5D2,?,?,00000000,?,00000000), ref: 0027E15E

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e930dbe418d21b8589b6e343c9626f8a2f21356fb8ae732f7500ea8c5c9b8a16
Instruction ID: 05f00fb8fc49e5fd49783e5ec62ace9f431e40cea10e3fb7d79c289411c51d16
Opcode Fuzzy Hash: e930dbe418d21b8589b6e343c9626f8a2f21356fb8ae732f7500ea8c5c9b8a16
Instruction Fuzzy Hash: 70C0023441021AD68E214E28A84A4997622AA573A67F6D7D4D02DC96A1C7338CA7EA21

Function 00294B62 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 434a4aaba839316d86ab4c9bfecfab80066f2833490fd19f90ed1603544b5637
Instruction ID: 831969153c4b4d0926c66abdd6440118523ac784988585146646cfde49227682
Opcode Fuzzy Hash: 434a4aaba839316d86ab4c9bfecfab80066f2833490fd19f90ed1603544b5637
Instruction Fuzzy Hash: 1CB0128127D0026C350471095E03E37010CC4C1B15330932EF500C1181D4804C730631

Function 00294B58 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b8e599a780efac5387b4654aaff1a1677c67f5a205faa018663991b64dea109
Instruction ID: 9d1928fa8b033081d5606d4ed190f79c19ef2cfdec52d8014691eb4326b919fc
Opcode Fuzzy Hash: 6b8e599a780efac5387b4654aaff1a1677c67f5a205faa018663991b64dea109
Instruction Fuzzy Hash: 2FB0128127D1026C3604710A5D03E37010CC4C1B15330532EF400C11C1D4804CB60631

Function 00294B8A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4804329e21ee367818308041c780ac36537e097811e32bc769bbb7b1156a30ad
Instruction ID: 6bf9025c591cd00cde54453a42f3506d897e21a2ace76ae0e453b528e0b34e87
Opcode Fuzzy Hash: 4804329e21ee367818308041c780ac36537e097811e32bc769bbb7b1156a30ad
Instruction Fuzzy Hash: DEB0128127D112AC350471091D13E37010CC4C1B15330922EFC00C1281D4805C720631

Function 00294C7E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d83f134290fa418240b453aeacdd4893fb46026399ff44418c3551bf26e001c5
Instruction ID: 55cb863b876c0e8ea4326ba0e414bcdf3adbc8aed77b7f1f336b0505396d7d51
Opcode Fuzzy Hash: d83f134290fa418240b453aeacdd4893fb46026399ff44418c3551bf26e001c5
Instruction Fuzzy Hash: 52B012852FD001BC350431041F02C36010CC8D1B22331831FF410D058294800C730431

Function 00294CB7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e2796055fcf8da54c47bd43b00d10ff5afc982b2154c502aac059bdca6c94a8a
Instruction ID: dbeb4b344dea1cd7421a1541fd48dde5cc8827630186263838d5b4f7dd12e90f
Opcode Fuzzy Hash: e2796055fcf8da54c47bd43b00d10ff5afc982b2154c502aac059bdca6c94a8a
Instruction Fuzzy Hash: 80B0128127D002AC350471141D02E36010CC0C1B11331422FF410C1A81D4800C760531

Function 00294C99 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 72c3eaabfea461826fb0359fbcf0d3faac2293e397e59accbbb53425f38d215e
Instruction ID: 06dbc780e1c7d87fdb1735dca839936af1f5752003a7fa4c951c9d34dae05f3b
Opcode Fuzzy Hash: 72c3eaabfea461826fb0359fbcf0d3faac2293e397e59accbbb53425f38d215e
Instruction Fuzzy Hash: C3B0128127D001EC350471241D02D37010CC0C1B11331822FF800C1681D4800C760531

Function 00294D22 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294CF1

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9e2d9b11d596a4ee2a703f21de878425249de57c7233c938b1a2bc9263ef3ad
Instruction ID: cf79fcba16c38f90ecc2d8f8f32efb06d029049a238e0507b10a753a4239c731
Opcode Fuzzy Hash: c9e2d9b11d596a4ee2a703f21de878425249de57c7233c938b1a2bc9263ef3ad
Instruction Fuzzy Hash: 99B0128527D0036C360471141D02D3B010CD0C1B11330422FF404C1581E4C10C770431

Function 00294D04 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294CF1

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f0f2da66d34b3f7394a443d89f2fa328445f77adf7bd0e154e0dfde5b96d0057
Instruction ID: 34c4c9f7922392d93d172eabcd4c64df6ac6227cf674f56248262654612d2851
Opcode Fuzzy Hash: f0f2da66d34b3f7394a443d89f2fa328445f77adf7bd0e154e0dfde5b96d0057
Instruction Fuzzy Hash: 1CB0128527D1026C374471151D02D3B010CC0C1B11330432FF404C1181E4C10CB70431

Function 00294D18 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294CF1

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 710d8de0576efb3eb48b9c881352ca7f3587d3c33ba298dda9b900e149cad04c
Instruction ID: 2c478e446425c3f66e88ef7d164041b58766d34471c3bd990c57c6f905f9261c
Opcode Fuzzy Hash: 710d8de0576efb3eb48b9c881352ca7f3587d3c33ba298dda9b900e149cad04c
Instruction Fuzzy Hash: 97B0128527D0027C360471141D02D3B010CC4C2B11331821FF804C2181E4C00C7A0431

Function 00294B2E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bfb46d0963aab7af87a2a3c0b1d0542f10c809060d56be1879ca16086433e056
Instruction ID: 29139f4cf516620363587cb68ee5f0287d7986979db108ee34971520ac3b2d48
Opcode Fuzzy Hash: bfb46d0963aab7af87a2a3c0b1d0542f10c809060d56be1879ca16086433e056
Instruction Fuzzy Hash: 68A022C22BE0033C38083202BE03C3B020CCCC2F2A330A22EF800C00C2A8C00EB30030

Function 00294B7B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 358e10b33d1dd5fabe12242eff854a7482b8c2930359db4be6518d17f363a3e5
Instruction ID: 538f68a10b80f60cb66ac694529496e509d08a9915a4af9e488a54cdc2b97db2
Opcode Fuzzy Hash: 358e10b33d1dd5fabe12242eff854a7482b8c2930359db4be6518d17f363a3e5
Instruction Fuzzy Hash: CFA022C22BE003BC380832022E03C3B020CC8C2FAA330AA2EF802C00C2A8C00CB30030

Function 00294B71 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 22fc639b4fc0b2a7c84b8f9c4d2d9eee4915bc2ecf5be65d633ed8850e66f621
Instruction ID: 538f68a10b80f60cb66ac694529496e509d08a9915a4af9e488a54cdc2b97db2
Opcode Fuzzy Hash: 22fc639b4fc0b2a7c84b8f9c4d2d9eee4915bc2ecf5be65d633ed8850e66f621
Instruction Fuzzy Hash: CFA022C22BE003BC380832022E03C3B020CC8C2FAA330AA2EF802C00C2A8C00CB30030

Function 00294B49 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40f846b8d78a0d8e5181aa315301bdbb0b563af2bf8af79d767b875ffff010dd
Instruction ID: 538f68a10b80f60cb66ac694529496e509d08a9915a4af9e488a54cdc2b97db2
Opcode Fuzzy Hash: 40f846b8d78a0d8e5181aa315301bdbb0b563af2bf8af79d767b875ffff010dd
Instruction Fuzzy Hash: CFA022C22BE003BC380832022E03C3B020CC8C2FAA330AA2EF802C00C2A8C00CB30030

Function 00294B53 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6560ed53c14cc3d9160a400ab88dc92ed481d97532fb04ba1e7a6fc9c26dbc16
Instruction ID: 538f68a10b80f60cb66ac694529496e509d08a9915a4af9e488a54cdc2b97db2
Opcode Fuzzy Hash: 6560ed53c14cc3d9160a400ab88dc92ed481d97532fb04ba1e7a6fc9c26dbc16
Instruction Fuzzy Hash: CFA022C22BE003BC380832022E03C3B020CC8C2FAA330AA2EF802C00C2A8C00CB30030

Function 00294B85 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294B3B

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 667fb04e2ce1f96510f94e06ca78e6fc275fd7eef4a4d890cc52188b456b56ac
Instruction ID: 538f68a10b80f60cb66ac694529496e509d08a9915a4af9e488a54cdc2b97db2
Opcode Fuzzy Hash: 667fb04e2ce1f96510f94e06ca78e6fc275fd7eef4a4d890cc52188b456b56ac
Instruction Fuzzy Hash: CFA022C22BE003BC380832022E03C3B020CC8C2FAA330AA2EF802C00C2A8C00CB30030

Function 00294CA8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f6fdb39ee4769230fadd9bbf25b7ef108375c85817d18bd8964ac2dcf0b3a964
Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
Opcode Fuzzy Hash: f6fdb39ee4769230fadd9bbf25b7ef108375c85817d18bd8964ac2dcf0b3a964
Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431

Function 00294CB2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 19a39d41da0b49866badf7273f35ed69bd49b6b508168b565f7081e34fb0682b
Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
Opcode Fuzzy Hash: 19a39d41da0b49866badf7273f35ed69bd49b6b508168b565f7081e34fb0682b
Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431

Function 00294CE4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294CF1

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83cbf0f161390daf166967759db6f5f71a8a52b0871c8dd8d083d9e73ffbbeed
Instruction ID: f4a2ba856a821320018475497905e96a25cba758f6233ee02fa7a692c08b22a0
Opcode Fuzzy Hash: 83cbf0f161390daf166967759db6f5f71a8a52b0871c8dd8d083d9e73ffbbeed
Instruction Fuzzy Hash: A0A0019A2BE512BD3A0872616E06C7B021DD4D2B62331861AF801D5582A9811DAA1471

Function 00294CFF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294CF1

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ca461a80ce3d0c2c5a12de1cfb52f6cc11f0995fa520d0a34f00c44737e6fa0e
Instruction ID: 43fb352d493586b75684e55a503103ff82978981424b35710b1d88d089e57fd1
Opcode Fuzzy Hash: ca461a80ce3d0c2c5a12de1cfb52f6cc11f0995fa520d0a34f00c44737e6fa0e
Instruction Fuzzy Hash: 10A0019A2BE513BC3A0872616E06C7B021DD4D6BA23318A1AF802C5582A9811DAA1431

Function 00294CC6 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2987d1c8d898471122b0bd08f3a6cc236d77137d4eca79105d48b9a2a354307f
Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
Opcode Fuzzy Hash: 2987d1c8d898471122b0bd08f3a6cc236d77137d4eca79105d48b9a2a354307f
Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431

Function 00294CDA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0cbb471fae97db129ce221ab2f4c279e4b27b39dadb0f5f351f22b2b89ec7e7
Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
Opcode Fuzzy Hash: a0cbb471fae97db129ce221ab2f4c279e4b27b39dadb0f5f351f22b2b89ec7e7
Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431

Function 00294CD0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294C90

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78edab25e7ed0c13caa2c8e010bf058b1d026008a4e50a59828573e8011d24a7
Instruction ID: 8b227b28977e6db61d3d67b1510e67926bf5dffe581e86d9b7edfb46a0028635
Opcode Fuzzy Hash: 78edab25e7ed0c13caa2c8e010bf058b1d026008a4e50a59828573e8011d24a7
Instruction Fuzzy Hash: C7A002D62BE117FC390872516E07C7B021DC4C6FA23328A1FF812D5AD2A8C01DB71431

Function 00294D13 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00294CF1

Part of subcall function 00294FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00295041
Part of subcall function 00294FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00295052

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 191df4e3268436fa98338447837b17308c401ce5ceff2af9118407352b3bf567
Instruction ID: 43fb352d493586b75684e55a503103ff82978981424b35710b1d88d089e57fd1
Opcode Fuzzy Hash: 191df4e3268436fa98338447837b17308c401ce5ceff2af9118407352b3bf567
Instruction Fuzzy Hash: 10A0019A2BE513BC3A0872616E06C7B021DD4D6BA23318A1AF802C5582A9811DAA1431

Function 00271DE7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,?), ref: 00271DFC

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: c231d5a8f14eef96c4f434cd1df85e485685c6dc047c26db3e774848381ebec4
Instruction ID: ce9fbe84e4611742771707c3f10a9faf5aaeba25b1b3011ef8517d35b3166d4f
Opcode Fuzzy Hash: c231d5a8f14eef96c4f434cd1df85e485685c6dc047c26db3e774848381ebec4
Instruction Fuzzy Hash: 32C00231518200FFCB05CF58E948E1ABBBAFF96311B51C558F06886030C371D920DF62

Function 0027E8D9 Relevance: 1.5, APIs: 1, Instructions: 5fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0027D115,?,?,?,?,?,?,?), ref: 0027E8DC

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 4b330638608d944c369b0f65239022981d548edda6a849393921abf9cd439c8a
Instruction ID: 53840edd56892a7e550fa6ffa331ea7859ef15a2d432728472cc898667245527
Opcode Fuzzy Hash: 4b330638608d944c369b0f65239022981d548edda6a849393921abf9cd439c8a
Instruction Fuzzy Hash: EEA00230201109CBDB411F31EE0D70E7B6ABF426D9729C0A8A409C9071DF27CCA3EA41

Non-executed Functions

Function 00279B5C Relevance: 23.3, APIs: 9, Strings: 4, Instructions: 577fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00279CB1

Part of subcall function 0027AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0027AC2E
Part of subcall function 0027AC11: GetLastError.KERNEL32 ref: 0027AC72
Part of subcall function 0027AC11: CloseHandle.KERNEL32(?), ref: 0027AC81

Part of subcall function 00272F45: _wcslen.LIBCMT ref: 00272F50

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00279EE1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,1ECC3B3C,002A9937,000000FF), ref: 00279F1E
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 0027A0BF

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0027A127
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,1ECC3B3C,002A9937,000000FF), ref: 0027A134
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,1ECC3B3C,002A9937,000000FF), ref: 0027A14A
RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,1ECC3B3C,002A9937,000000FF), ref: 0027A18E
DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,1ECC3B3C,002A9937,000000FF), ref: 0027A196

Strings

UNC\, xrefs: 00279CAB, 00279CB0, 00279CCD
\??\, xrefs: 00279C0B
SeRestorePrivilege, xrefs: 00279BBD
SeCreateSymbolicLinkPrivilege, xrefs: 00279BC7

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3517300771-3508440684
Opcode ID: 723571e9982e6e937160a075133602a186fa73eb4419970b12651ddaf0b5b4b3
Instruction ID: 16c311f833b66b1efacc4708dcb2c4bd7cf254afc3e612928a0e3de5593fc904
Opcode Fuzzy Hash: 723571e9982e6e937160a075133602a186fa73eb4419970b12651ddaf0b5b4b3
Instruction Fuzzy Hash: 173280719203899FDF24DFA8CC85BEE77B8AF19310F108159E94DE7281DB349A58CB61

Function 00291630 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 275windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0029163A

Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 002916BB
EndDialog.USER32(?,00000006), ref: 002916CE
GetDlgItem.USER32(?,0000006C), ref: 002916EA
SetFocus.USER32(00000000), ref: 002916F1

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Part of subcall function 00271DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00271DFC

SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00291763
FindFirstFileW.KERNEL32(?,?), ref: 00291783
FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00291826
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 002918AD

Part of subcall function 00271150: _wcslen.LIBCMT ref: 0027115B

Strings

%s %s, xrefs: 00291869, 0029199A
REPLACEFILEDLG, xrefs: 0029164F

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
String ID: %s %s$REPLACEFILEDLG
API String ID: 485132379-439456425
Opcode ID: 0e4ea5a1a34d7b0e8c2c555c3a2d1e4ffc19711fde9f9e2baffff55d73f52e1b
Instruction ID: 0ced29d00111c20e5a039f9da855c6fcf01719c753cf3794435d2036b521d2f0
Opcode Fuzzy Hash: 0e4ea5a1a34d7b0e8c2c555c3a2d1e4ffc19711fde9f9e2baffff55d73f52e1b
Instruction Fuzzy Hash: DFA18E71921219ABEF25EBA4CD4AFEEB77DAF05300F0081D5B209A6182DA715F74CF61

Function 002A480E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002A4954

Strings

1#IND, xrefs: 002A5B4C
1#SNAN, xrefs: 002A5B53
1#INF, xrefs: 002A5B61
1#QNAN, xrefs: 002A5B5A

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9f3005e02fa71b01a5a4d24eb47663b08d634ad39129fd4693ea8ef0646f8fc7
Instruction ID: 8f45cd37a03ed71a457df27f104f19bbf48162bc2aef988cb9b6ef7f92c16c42
Opcode Fuzzy Hash: 9f3005e02fa71b01a5a4d24eb47663b08d634ad39129fd4693ea8ef0646f8fc7
Instruction Fuzzy Hash: 81C25E71E246298FDF25DE28DD407EAB3B5EB85305F1441EAD80DE7241EB74AE918F40

Function 00273D9D Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0027438C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00274523

Strings

CMT, xrefs: 00274551

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 2172594012-2756464174
Opcode ID: 7b377515b5220640bd8cafb5b6344231114e5082db6caaec40023d126e41d1e1
Instruction ID: 0ab4673d537117d98c5d35f230eba56dff323b41acf8d6da2ef64dfee67f161b
Opcode Fuzzy Hash: 7b377515b5220640bd8cafb5b6344231114e5082db6caaec40023d126e41d1e1
Instruction Fuzzy Hash: AD72F471A203458FCF18EF68C8957EA7BA4BF15300F08857DEC5A9B282DB749964CF61

Function 00296878 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00296884
IsDebuggerPresent.KERNEL32 ref: 00296950
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00296970
UnhandledExceptionFilter.KERNEL32(?), ref: 0029697A

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: fe3e657dc92d24025a8f20dc2a3e5e412b24ecd003c6c1740fb19d9a18e10070
Instruction ID: aecb83d45ead61ac6b48e372bdc7c0f969d85b660955ba327b77a286d5e02097
Opcode Fuzzy Hash: fe3e657dc92d24025a8f20dc2a3e5e412b24ecd003c6c1740fb19d9a18e10070
Instruction Fuzzy Hash: 943114B5D553199BDF21DFA4D989BCCBBF8BF08300F1040AAE40CAB250EB719A848F44

Function 0027932C Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0027952D,?,00000040,0027931E,00000001,?,?,?,?,0000001C,00287618,002BE0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00279330
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,0027952D,?,00000040,0027931E,00000001,?,?), ref: 00279351
_wcslen.LIBCMT ref: 00279360
LocalFree.KERNEL32(00000000,00000000,00000000,002BE0C8,?,?,0027952D,?,00000040,0027931E,00000001,?,?,?,?,0000001C), ref: 00279373

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorFormatFreeLastLocalMessage_wcslen
String ID:
API String ID: 991192900-0
Opcode ID: 456838714ccd68fd3104578fd95a03466b8d3388c986feeebc512bc3c1158438
Instruction ID: 02d3b78b260e69cca2819ae4d426417d503dc850a1322316bfbad5dde653ff3b
Opcode Fuzzy Hash: 456838714ccd68fd3104578fd95a03466b8d3388c986feeebc512bc3c1158438
Instruction Fuzzy Hash: 92F08275520205FBEB049BA19D05EFF77BCAF86750B208059F506A6190CE709E119A74

Function 00294E14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00294D59,0000001C,00294F4E,00000000,?,?,?,?,?,?,?,00294D59,00000004,002C5D84,00294FDE), ref: 00294E25
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00294D59,00000004,002C5D84,00294FDE), ref: 00294E40

Strings

D, xrefs: 00294E34

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 03d70fa99e3d184e8ad2d45f49573b1d164783514c6c2dc9b9f9beab42fdc0a6
Instruction ID: d293d1490bb931c54f30cccfa25a78bab184adc5b474e47706cc388cda20e18d
Opcode Fuzzy Hash: 03d70fa99e3d184e8ad2d45f49573b1d164783514c6c2dc9b9f9beab42fdc0a6
Instruction Fuzzy Hash: E401F732B101096BCF14EE29DC05FEE7BA9AFC4328F0CC125EE59DB254DB34D8128680

Function 0029AAC4 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0029535E), ref: 0029ABBC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0029535E), ref: 0029ABC6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0029535E), ref: 0029ABD3

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c49d0f90227ae5ae537f52a45c31fe0291edc062dc532321073d32079da1b0b1
Instruction ID: 45c1d073d52f6c89d1508ec9cc266f5be695cc49ca2b7d06551da406566c0a7b
Opcode Fuzzy Hash: c49d0f90227ae5ae537f52a45c31fe0291edc062dc532321073d32079da1b0b1
Instruction Fuzzy Hash: 9631D2749112299BCF21DF64D9887DCBBB8BF08310F5041EAE81CA7261EB709F918F45

Function 002A1FF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 002A218B

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 388bfb4db938cf6bd46dfe43312d3d4c94b4698462ba036feb8da79041a97ef3
Instruction ID: e12625fa972ae55c28a41df6ee14849d17fcf4e90a0dc4ff217d25d239bc690e
Opcode Fuzzy Hash: 388bfb4db938cf6bd46dfe43312d3d4c94b4698462ba036feb8da79041a97ef3
Instruction Fuzzy Hash: 6731047181020AAFCB249E78CC84EFBBBBDDB96314F0401A9F91897251EA319D58CB50

Function 002A4360 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
Instruction ID: fb938721494f8706a8277966ab3d72ed9fbe82a0df0acf3ba97d143fa5263a3d
Opcode Fuzzy Hash: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
Instruction Fuzzy Hash: B8024C71E102199BDF14DFA9C8806ADF7F5EF89314F25426AD919E7340DB70AE518B80

Function 0028FD34 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0028FD6A
GetNumberFormatW.KERNEL32(00000400,00000000,?,002B9714,?,?), ref: 0028FDB3

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 563b4276fc4768a292be918edc39e9ff38d307ef045d5b19ab71d8dffb38a403
Instruction ID: 6a4a624754a6f0c720cdf0020b8336e9df47b3caa1594d52ad36e8adc7f2ea28
Opcode Fuzzy Hash: 563b4276fc4768a292be918edc39e9ff38d307ef045d5b19ab71d8dffb38a403
Instruction Fuzzy Hash: 1F118E75221358ABEB00DF60EC49FEAB7F8EF08700F104429F605A7191DA70A998DB64

Function 002748AA Relevance: 2.0, Strings: 1, Instructions: 776COMMON

Download Yara Rule

Strings

CMT, xrefs: 00275131

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: b4fda0099bec0c85d72c224352783c1fb68b983043ae2ca68d34ff9f2e82496d
Instruction ID: 4511e8dcbe62c8eb729d927be485a80386edaa2c9c1db68a9f0ed990d94cc517
Opcode Fuzzy Hash: b4fda0099bec0c85d72c224352783c1fb68b983043ae2ca68d34ff9f2e82496d
Instruction Fuzzy Hash: 0662C871A216559FDF09EF74C881BDD7BA4BF15300F088179EC099B282DB74A968CFA1

Function 002A86D2 Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002A86CD,?,?,00000008,?,?,002A836D,00000000), ref: 002A88FF

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 66412ae72ff13ffeea2a63aabf2a8d6767fb81e93bf3807b4460758f5b1c1575
Instruction ID: 09ef444586b038aac7bda1598c7dd0eb2d654466b35c61ea85d66d612227aeb6
Opcode Fuzzy Hash: 66412ae72ff13ffeea2a63aabf2a8d6767fb81e93bf3807b4460758f5b1c1575
Instruction Fuzzy Hash: 5AB19E3552060ACFD714CF28C48AB65BBE0FF06364F258658E899CF2A1CB35D9A2CB40

Function 00296694 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002966AA

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9e4e4b31cfa94bd647a7c3aa8100d02e1a1ee4cc90cca1e6e44c3db2a8daf73b
Instruction ID: fdbb76a69a0c4da7fee49a2d53fc320aebce2657b1b59fab62b3ac6977c7b40f
Opcode Fuzzy Hash: 9e4e4b31cfa94bd647a7c3aa8100d02e1a1ee4cc90cca1e6e44c3db2a8daf73b
Instruction Fuzzy Hash: DC518BB1A212068FEF14CF99E88DBAEBBF0FB48314F24856AC405EB351D7759950CB90

Function 002803BE Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 002803ED

Part of subcall function 00280469: __EH_prolog3.LIBCMT ref: 00280470

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3Version
String ID:
API String ID: 2775145068-0
Opcode ID: f182c22ba32446156992f6ded6e1a3cb2b72e51e0041ae433ab7a5a15ef4ef4b
Instruction ID: 4aeca34859de60620963b53c3ae396bb1881e343c6e2484c469352ee7afd2db5
Opcode Fuzzy Hash: f182c22ba32446156992f6ded6e1a3cb2b72e51e0041ae433ab7a5a15ef4ef4b
Instruction Fuzzy Hash: F7F0A47486524C8EEFA4FF70BC897D97BA49B15308F004568D60737292DBB4459D9F11

Function 00275AFE Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

gj, xrefs: 00275BCE

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 0fb7b97554207edb3b6600b5a24f1c353cf8755994eb9075bd278463e727e591
Instruction ID: 3717220b70c4f0a87a7d85517a1fe5e743dc3cefc709fda7e88a4de2a4a48599
Opcode Fuzzy Hash: 0fb7b97554207edb3b6600b5a24f1c353cf8755994eb9075bd278463e727e591
Instruction Fuzzy Hash: 08D127B2A083558FC354CF29D88065AFBE2BFC9308F59492EE998D7301D734A955CF86

Function 00296A0B Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00296445), ref: 00296A10

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d7b65915898ddcdf781c7e3c8fa1aee7f259e405d5fdb65a14892080094cfaa9
Instruction ID: 2cf27c4c2bc999e79a6fa9b2d9526e2d35ad843d327f1911f0a815f0251e6890
Opcode Fuzzy Hash: d7b65915898ddcdf781c7e3c8fa1aee7f259e405d5fdb65a14892080094cfaa9
Instruction Fuzzy Hash:

Function 002A2CE0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 002A2CE0

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 627d09f8d790da750f6f56c87a74e9d6878f34991899b6a7b8875c7e88c8c549
Instruction ID: be3c05e49c73ae0da1baff5d3ea0f417e0d4b47793892104fe19d2922c234eb4
Opcode Fuzzy Hash: 627d09f8d790da750f6f56c87a74e9d6878f34991899b6a7b8875c7e88c8c549
Instruction Fuzzy Hash: 0DA02230302200CFAB008F30BF0C30E3AE8FE022C0308802CA00ACA032EF328020CB00

Function 0028ABC8 Relevance: 1.0, Instructions: 977COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
Instruction ID: 14c6eebb26c172f7d96e2a0a1eed77efbc1a655ab83f6c8ca7d59691c26d32f3
Opcode Fuzzy Hash: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
Instruction Fuzzy Hash: 91825C396257458FCB26EF38C4906BABBE1BF51304F18845ED8DB8B386D730A965CB11

Function 00275F39 Relevance: .9, Instructions: 899COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32a93d92f1a8859f61816663a4a5bae4a853f7e7a9264550b35b723bcf3dd97
Instruction ID: ee4e44dcbd6b88dfb85deff15115e9696c7386ec061d8fd49dd138da90bf9fb9
Opcode Fuzzy Hash: b32a93d92f1a8859f61816663a4a5bae4a853f7e7a9264550b35b723bcf3dd97
Instruction Fuzzy Hash: 70823D65D39F995EE303A63484021E7F3A86EF72C9F46D71FF8A431426E721A6C75201

Function 0028C27F Relevance: .9, Instructions: 880COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
Instruction ID: fc91b495d51ad6bb3162ad863f8b12473e217f11c79f410c5e49ca40d4e7b85c
Opcode Fuzzy Hash: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
Instruction Fuzzy Hash: CA724D396253858FCB15EF68C4806B9BBE1FF85304F28C56DD89A8B386D330E955CB21

Function 00285214 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
Instruction ID: 5843ba1e25ed36b2c9e9ca9d8110051c5a5bb2c7865796c6618031a6d38443f1
Opcode Fuzzy Hash: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
Instruction Fuzzy Hash: 37524B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 0028BC05 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4f9e52c56fef58a07884190a0fa14f354ce95af89d88caa20c32ec41693f17
Instruction ID: 3db5226da65098e1252c2ebf386454143d482af41c04803b79afa3d840478cea
Opcode Fuzzy Hash: 0d4f9e52c56fef58a07884190a0fa14f354ce95af89d88caa20c32ec41693f17
Instruction Fuzzy Hash: A11204742257068FD729DF28C8947B9B7E0FF44304F24892EE89AC76C1D774A9A5CB01

Function 002846CF Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0146a88cfea76f6d152ea3192634804c18bdc1bee72a15ee8cb8bbd8a03716
Instruction ID: 1edea6ad4194d6753f730d4fb3cc85cd9703a09790bdc4aae425742a52f16f85
Opcode Fuzzy Hash: 9a0146a88cfea76f6d152ea3192634804c18bdc1bee72a15ee8cb8bbd8a03716
Instruction Fuzzy Hash: 84E15BB45083918FC304CF29E48486ABBF0FB9E300F4A495EF5D497352C235EA1ADB52

Function 0028A222 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7967047c3ab5fa62600ca604883134ab36db279049a5c3a5c6fbbae0bb46a48b
Instruction ID: d13905c448b7afae19db0bb27b07c244cc5f0a526b358c8c7aca59ffaebc3eff
Opcode Fuzzy Hash: 7967047c3ab5fa62600ca604883134ab36db279049a5c3a5c6fbbae0bb46a48b
Instruction Fuzzy Hash: D4917B353293424FEB25EE28C8847AE77D5AF90304F14493EE98A872C2DF7498958753

Function 0029C0D6 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06eec507d1d98aeea3b83bb2f7bfc6407af5e029babf7f4ed9bbeb165b00da68
Instruction ID: dc5ae520229a747fbe96f1b804395c4fecba6e581c9e0ac6755dc1c5b8c0937e
Opcode Fuzzy Hash: 06eec507d1d98aeea3b83bb2f7bfc6407af5e029babf7f4ed9bbeb165b00da68
Instruction Fuzzy Hash: 00619C31A3070A63EE388FA898A27BE3394DF05304F70041AEC4BDF292D6519D72875D

Function 0029BEA7 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: d8366be25450b8a89f1dc2ca9bc77b1b3c1fa3d53feba1c630a7624ff4c153c5
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: DF51B82123074B97DF368E2DAB5A7FE23999B02300F68052AF986C7E82C741DD35CB55

Function 00284D32 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b4d477007a761aa2b7dceaa75b867ef141c6ec7fe2d862e8aeba078cd2b2cc
Instruction ID: 9c937b1b6dec5f3b108b029a254967de96055aa1d554ac90fde9b2cb5be435a6
Opcode Fuzzy Hash: 64b4d477007a761aa2b7dceaa75b867ef141c6ec7fe2d862e8aeba078cd2b2cc
Instruction Fuzzy Hash: 1F5125355193D74FC712FF28C0409AEBFF0AE9A308F0A4999E5D55B282D230E65ACB52

Function 00285F0B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3a9c436ca051746ca4a5bb3c4011d941efda0f9df2e1071bf77b1ae150c101
Instruction ID: 57e4ea16f3b2e3cfaaf37b16f6d115b377141c34f40362be15d3a52c92666536
Opcode Fuzzy Hash: 1b3a9c436ca051746ca4a5bb3c4011d941efda0f9df2e1071bf77b1ae150c101
Instruction Fuzzy Hash: 4F51DEB1A087119FC758CF29D48055AF7E1BF88314F058A2EF899E7740DB30E959CB96

Function 0028A008 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
Instruction ID: 5b4d4439b0f47c56d44c9c9f1734720981cff19d77a2e28deefdc95ff400fcfb
Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
Instruction Fuzzy Hash: C73116B56287068FDB14EF28C85126ABBD0FB95310F14492EE4D9C3782D775E829CF92

Function 00277CBA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
Instruction ID: b85fab2017f921cf5bd23c69ade38c70a82bb7310584fcbc38332b9f67bb411b
Opcode Fuzzy Hash: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
Instruction Fuzzy Hash: 7D411930515B11CFC71ADF34D095AA6B7E4FF4A700B1288AFD06A8B261EB30EA04CF59

Function 002992D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d7e9a0ed08d6c7778e8772f70e5afee389ad98ffd1767f33e9ea525b2ec11a52
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0A11087726418343DF148E2ED4B46BAA399EAC633076C43FED1524B6D8D222E9F59908

Function 00283EAA Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 240COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00283EEA

Part of subcall function 0027F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0027F6CD

Part of subcall function 002889ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,002BE088,?,00000007,002833E2,?,?,00000050,1ECC2FF4), ref: 00288A0A

_strlen.LIBCMT ref: 00283F0B
SetDlgItemTextW.USER32(?,002B919C,?), ref: 00283F64
GetWindowRect.USER32(?,?), ref: 00283F9A
GetClientRect.USER32(?,?), ref: 00283FA6
GetWindowLongW.USER32(?,000000F0), ref: 00284051
GetWindowRect.USER32(?,?), ref: 00284081
SetWindowTextW.USER32(?,?), ref: 002840B0
GetSystemMetrics.USER32(00000008), ref: 002840B8
GetWindow.USER32(?,00000005), ref: 002840C3
GetWindowRect.USER32(00000000,?), ref: 002840F3
GetWindow.USER32(00000000,00000002), ref: 00284165

Strings

$%s:, xrefs: 00283ED3
CAPTION, xrefs: 00284098
d, xrefs: 00283FC6
qI), xrefs: 00284075, 0028415C

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$qI)
API String ID: 2407758923-2125137076
Opcode ID: 9978ffd7a5937302a5fefcfd11abce5522c180ab3879d746681a452171bfcd0b
Instruction ID: 1be54176db6741ab7d4f9f607ce558dec3872f5d8675bf874e907aae0144ba5a
Opcode Fuzzy Hash: 9978ffd7a5937302a5fefcfd11abce5522c180ab3879d746681a452171bfcd0b
Instruction Fuzzy Hash: 5781AE725193029FD714EF68CD89E6FBBE9EB89704F04091DFA8993290D770E904CB52

Function 002961A7 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(002C60E0,00000FA0,?,?,00296185), ref: 002961B3
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00296185), ref: 002961BE
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00296185), ref: 002961CF
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002961E1
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002961EF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00296185), ref: 00296212
DeleteCriticalSection.KERNEL32(002C60E0,00000007,?,?,00296185), ref: 00296235
CloseHandle.KERNEL32(00000000,?,?,00296185), ref: 00296245

Strings

SleepConditionVariableCS, xrefs: 002961DB
kernel32.dll, xrefs: 002961CA
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002961B9
WakeAllConditionVariable, xrefs: 002961E7

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 69abedb023755b4ba35fb4d9a7f1e8ace4d17a9c8459cb07df7d28fb17483345
Instruction ID: 2372c0d0450a667cf053a6caf0c1d4fd44e6a59819cd61802b9d1c3cd73fe578
Opcode Fuzzy Hash: 69abedb023755b4ba35fb4d9a7f1e8ace4d17a9c8459cb07df7d28fb17483345
Instruction Fuzzy Hash: D501D470A60312EFCF201FB1BC0DF163AA8FB47B517124511FC19E2250EE61C8218A71

Function 002A37D2 Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002A3816

Part of subcall function 002A33B1: _free.LIBCMT ref: 002A33CE
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A33E0
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A33F2
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3404
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3416
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3428
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A343A
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A344C
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A345E
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3470
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3482
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A3494
Part of subcall function 002A33B1: _free.LIBCMT ref: 002A34A6

_free.LIBCMT ref: 002A380B

Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC

_free.LIBCMT ref: 002A382D
_free.LIBCMT ref: 002A3842
_free.LIBCMT ref: 002A384D
_free.LIBCMT ref: 002A386F
_free.LIBCMT ref: 002A3882
_free.LIBCMT ref: 002A3890
_free.LIBCMT ref: 002A389B
_free.LIBCMT ref: 002A38D3
_free.LIBCMT ref: 002A38DA
_free.LIBCMT ref: 002A38F7
_free.LIBCMT ref: 002A390F

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: db24195b1d58858c1edbb83dea619ec6e1122eed13f25056b7f418b655e32a57
Instruction ID: 7a1236adc88e3a7fa3ebf274b6e4470d7f78eb80f2c0e8fc628caa3f9dd9de15
Opcode Fuzzy Hash: db24195b1d58858c1edbb83dea619ec6e1122eed13f25056b7f418b655e32a57
Instruction Fuzzy Hash: E6317031524306AFEF20EE39D885B5AB3E9EF02310F15486AF458D7151DE79EE64CB10

Function 0028D912 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0028D919

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

_wcslen.LIBCMT ref: 0028D97B
_wcslen.LIBCMT ref: 0028D99A
_wcslen.LIBCMT ref: 0028D9B6
_strlen.LIBCMT ref: 0028DA14
GlobalAlloc.KERNEL32(00000040,?,00000000,002AD9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 0028DA2D

Strings

<html>, xrefs: 0028D95F
</html>, xrefs: 0028D9B0, 0028D9B5, 0028D9BD
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 0028D937
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 0028D976, 0028D982

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _wcslen$AllocGlobalH_prolog3__strlen
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 763716685-1533471033
Opcode ID: ae84d3ad529840beaa559cfb18d845d630fe87f9abbb6990af6c1c31de23a251
Instruction ID: 918898fc1313f084bae4ea6409fe9d35bc3e5d64fa4e05af9002a75dab1b077c
Opcode Fuzzy Hash: ae84d3ad529840beaa559cfb18d845d630fe87f9abbb6990af6c1c31de23a251
Instruction Fuzzy Hash: 7A514E75D21219AFEB04EBA0CC46BEEBBB9EF05310F140019E505AB1C1DB705E69CBA5

Function 00293796 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 002937C4
GetClassNameW.USER32(00000000,?,00000080), ref: 002937F0

Part of subcall function 00288DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00280E3F,?,?,?,00000046,00281ECE,00000046,?,exe,00000046), ref: 00288DBA

GetWindowLongW.USER32(00000000,000000F0), ref: 0029380C
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00293823
GetObjectW.GDI32(00000000,00000018,?), ref: 00293837
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00293860
DeleteObject.GDI32(00000000), ref: 00293867
GetWindow.USER32(00000000,00000002), ref: 00293870

Strings

STATIC, xrefs: 002937F6

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 976869f067bed7dc4b33de9e5312745b137cd43339c1f0e57d2d7802c10585e1
Instruction ID: afcd0e01dc44012fdb44f8d096be631704dd4942e7247bee03f2d13d6b635927
Opcode Fuzzy Hash: 976869f067bed7dc4b33de9e5312745b137cd43339c1f0e57d2d7802c10585e1
Instruction Fuzzy Hash: 742134721553117BEA20AF24AC4AFEF73ACBF45700F010024FA15A60D1DB708A154BA5

Function 0029FF11 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0029FF25

Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC

_free.LIBCMT ref: 0029FF31
_free.LIBCMT ref: 0029FF3C
_free.LIBCMT ref: 0029FF47
_free.LIBCMT ref: 0029FF52
_free.LIBCMT ref: 0029FF5D
_free.LIBCMT ref: 0029FF68
_free.LIBCMT ref: 0029FF73
_free.LIBCMT ref: 0029FF7E
_free.LIBCMT ref: 0029FF8C

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3bb4e09757117a3348387c487007ff8a8417a6e2c1d36bfc3a8f0d5c73024e87
Instruction ID: ab708fd698aa0a4ca1713a88262efbf0a717c5bbf6b74ab110219207f5176c9d
Opcode Fuzzy Hash: 3bb4e09757117a3348387c487007ff8a8417a6e2c1d36bfc3a8f0d5c73024e87
Instruction Fuzzy Hash: 1C11B37612424CBFCF41EF94C982CDD3BA9EF09350B1144A1BA089F222DA75EE60DF80

Function 00299AB1 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00299BD0
___TypeMatch.LIBVCRUNTIME ref: 00299CDE
_UnwindNestedFrames.LIBCMT ref: 00299E30
CallUnexpected.LIBVCRUNTIME ref: 00299E4B
_abort.LIBCMT ref: 00299E50

Strings

csm, xrefs: 00299AEE
csm, xrefs: 00299B5B
csm, xrefs: 00299C07

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 38d4b5b9b9891d0caea89a72cb63d3aff87e5337d0bb61431f7e946274cdc697
Instruction ID: 22e69350dee76452fefe5c2250167e5f12b1e1d0ca14b9f20c53e585b4b878d8
Opcode Fuzzy Hash: 38d4b5b9b9891d0caea89a72cb63d3aff87e5337d0bb61431f7e946274cdc697
Instruction Fuzzy Hash: 81B16E7582020ADFCF15EFA8D9819AEB7B5FF04324F14445EE8056B212D735DAA1CFA2

Function 0027D990 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027D99A
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0027D9BF
GetLongPathNameW.KERNEL32(?,?,?), ref: 0027DA11
GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0027DA34
GetShortPathNameW.KERNEL32(?,?,?), ref: 0027DA84
MoveFileW.KERNEL32(-00000040,-00000028), ref: 0027DC9F
MoveFileW.KERNEL32(-00000028,-00000040), ref: 0027DCEC

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Strings

rtmp, xrefs: 0027DBB8

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
String ID: rtmp
API String ID: 2388273531-870060881
Opcode ID: fd5e62e1e06c654355a21dfa0fc17b71e3cbe87fbf448fbdd438608e4988fe23
Instruction ID: 869050aedd0140228300cec72a345b8176a6579edec0ba105aa8d8609ea2272a
Opcode Fuzzy Hash: fd5e62e1e06c654355a21dfa0fc17b71e3cbe87fbf448fbdd438608e4988fe23
Instruction Fuzzy Hash: 3CB13671921218DACF21EFA4CC89BDDBBB9BF15305F548099E40DA7251DB309BA9CF60

Function 00281E54 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00281E5B
_wcslen.LIBCMT ref: 00281E87

Strings

sfx, xrefs: 00281ED2
.rar, xrefs: 00281E81, 00281E86, 00281E8E
exe, xrefs: 00281EAB
rar, xrefs: 00281F2E, 00281FC9, 00281FCE, 00281FD6

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3__wcslen
String ID: .rar$exe$rar$sfx
API String ID: 3251556500-630704357
Opcode ID: 48f0668986f82ae2d0f06cda1bc50b747b43cbcda8c62428219c60b83f5a2016
Instruction ID: a1d588bf96b6eebfb11bcd6ebad35d23202d4c10b8166cec47151e5f79f11ba0
Opcode Fuzzy Hash: 48f0668986f82ae2d0f06cda1bc50b747b43cbcda8c62428219c60b83f5a2016
Instruction Fuzzy Hash: 47711538A22714DBCB21FFA8C941AADB3F8BF58710F20451AF4819B6D1DB715976CB50

Function 002906D0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E

EndDialog.USER32(?,00000001), ref: 00290720
SendMessageW.USER32(?,00000080,00000001,000103EB), ref: 00290747
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,2E050D7E), ref: 00290760
GetDlgItem.USER32(?,00000065), ref: 0029077C
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00290790
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 002907A6

Strings

J), xrefs: 002907AD
LICENSEDLG, xrefs: 002906E4

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: MessageSend$Item$DialogTextWindow
String ID: LICENSEDLG$J)
API String ID: 3077722735-2388866260
Opcode ID: a29c80fe38aa40797082c04302337e69e02d0abc1b3700184a125e8168b8b58c
Instruction ID: 21c24a20b7e67d4fe2818af4586ffd79ada4975a3607db7f2d936fb940504839
Opcode Fuzzy Hash: a29c80fe38aa40797082c04302337e69e02d0abc1b3700184a125e8168b8b58c
Instruction Fuzzy Hash: BB21F431264209BFDA106FA5ED8DFEB7B6DEF46795F010104F604A6090C7A1B9618F31

Function 002953D0 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,002804AB,002804AD,00000000,00000000,1ECC2FF4,00000001,00000000,00000000,?,0028038C,?,00000004,002804AB,ROOT\CIMV2), ref: 00295459
MultiByteToWideChar.KERNEL32(00000000,00000000,002804AB,?,00000000,00000000,?,?,0028038C,?,00000004,002804AB), ref: 002954D4
SysAllocString.OLEAUT32(00000000), ref: 002954DF
_com_issue_error.COMSUPP ref: 00295508
_com_issue_error.COMSUPP ref: 00295512
GetLastError.KERNEL32(80070057,1ECC2FF4,00000001,00000000,00000000,?,0028038C,?,00000004,002804AB,ROOT\CIMV2), ref: 00295517
_com_issue_error.COMSUPP ref: 0029552A
GetLastError.KERNEL32(00000000,?,0028038C,?,00000004,002804AB,ROOT\CIMV2), ref: 00295540
_com_issue_error.COMSUPP ref: 00295553

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 70f52c3837bfec40db2a8050b40cd9a2e6a05df8608a7df1f84b220a93d107d8
Instruction ID: 05714e15c500a4dc45b2d35104ca7be5739d1716bd1753ab20f379d968ce5164
Opcode Fuzzy Hash: 70f52c3837bfec40db2a8050b40cd9a2e6a05df8608a7df1f84b220a93d107d8
Instruction Fuzzy Hash: B7413B71B20625ABCF11DF68DC45BAEBBE8EF44710F504229F909E7241DB35D850CBA4

Function 00280469 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00280470

Part of subcall function 00280360: __EH_prolog3.LIBCMT ref: 00280367

VariantClear.OLEAUT32(?), ref: 002805FA

Strings

Windows 10, xrefs: 002805E2
Name, xrefs: 002805D3
ROOT\CIMV2, xrefs: 0028049B
SELECT * FROM Win32_OperatingSystem, xrefs: 0028050C
WQL, xrefs: 0028051E

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3$ClearVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 4196654922-3505469590
Opcode ID: 376d09a1528f37ccd5600b7088c8467271ea5f8a9986ee6684af2e9fded2ed6c
Instruction ID: f8b5a46efdb604e1388e14d35b9435cbee5d3337d2635110410a85ebf8614689
Opcode Fuzzy Hash: 376d09a1528f37ccd5600b7088c8467271ea5f8a9986ee6684af2e9fded2ed6c
Instruction Fuzzy Hash: 15616B74A21219AFDB54EFA4DC99EAEB7B8FF49310B14045CF502A72A0CB30AD15CF60

Function 0028E07E Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0028E085
_wcslen.LIBCMT ref: 0028E1B7

Strings

</style>, xrefs: 0028E1E5
, xrefs: 0028E1AA, 0028E1B6, 0028E1BE
<style>, xrefs: 0028E1C8
<br>, xrefs: 0028E199
</p>, xrefs: 0028E183

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_wcslen
String ID: $</p>$</style>$<br>$<style>
API String ID: 3746244732-3393513139
Opcode ID: 3da78299d21f32aa0b71e37b98c71078d456bd60f1a9d22f8f92e8f1158340d1
Instruction ID: 53c08f0dafedf756e27f48071493b0029eb42225e8554d2463e0c8ecebcf8748
Opcode Fuzzy Hash: 3da78299d21f32aa0b71e37b98c71078d456bd60f1a9d22f8f92e8f1158340d1
Instruction Fuzzy Hash: 1651463DB3221393DF30BE24881577AB3A6AF65741F5A4019FD85AB2C1EB759DB08390

Function 0028E265 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0028E26C
ShowWindow.USER32(?,00000000,00000038), ref: 0028E294
GetWindowRect.USER32(?,?), ref: 0028E2D8
ShowWindow.USER32(?,00000005,?,00000000), ref: 0028E373
ShowWindow.USER32(00000000,00000005), ref: 0028E394

Strings

RarHtmlClassName, xrefs: 0028E334
gI), xrefs: 0028E2E5, 0028E319

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Window$Show$H_prolog3_Rect
String ID: RarHtmlClassName$gI)
API String ID: 950582801-1431589318
Opcode ID: d158ed4b226c52aa727216e00aec581c4bf0529b418ab76e0117a8f5bd8451f2
Instruction ID: 17f09e8aca02569279d576464ecd3a3bfbb155e448d8c0911c5c7e4f02631d50
Opcode Fuzzy Hash: d158ed4b226c52aa727216e00aec581c4bf0529b418ab76e0117a8f5bd8451f2
Instruction Fuzzy Hash: DD416A71911205EFDF11AFA4EC89EAE7BB8EF48300F154056F908AB195DB709D61CF60

Function 0028F1EC Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0028F1F5
GetObjectW.GDI32(?,00000018,?), ref: 0028F224
ReleaseDC.USER32(00000000,?), ref: 0028F2BC

Strings

vK), xrefs: 0028F28A
NK), xrefs: 0028F2A9, 0028F2B0
DK), xrefs: 0028F202, 0028F20F
lK), xrefs: 0028F255, 0028F262, 0028F296, 0028F2A2

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ObjectRelease
String ID: DK)$NK)$lK)$vK)
API String ID: 1429681911-3427292663
Opcode ID: 30d320d4948e9b480a57caf209a05276d5b28ce597cb7af554f17514b79b3145
Instruction ID: c84cdd7288e503bf740580bdda953e79ef48ea212ef0fa91dd073f249e46c165
Opcode Fuzzy Hash: 30d320d4948e9b480a57caf209a05276d5b28ce597cb7af554f17514b79b3145
Instruction Fuzzy Hash: 3F21E6B610C314AFD7019FA1EC4CE6BBFA9FB89351F040929FE4592220D67199558F62

Function 00294D5F Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00294DDA,00294D3D,00294FDE), ref: 00294D76
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00294D8C
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00294DA1

Strings

KERNEL32.DLL, xrefs: 00294D71
p],, xrefs: 00294DB2
ReleaseSRWLockExclusive, xrefs: 00294D96
AcquireSRWLockExclusive, xrefs: 00294D86

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$p],
API String ID: 667068680-2660665386
Opcode ID: dc471c4615f2fb3078951bfcfbe53b69e8c4aab618415fd6e97cad84a8c409fb
Instruction ID: c5c8db4cbbc207ae027ccc3b99a459e0d7564a3ff5e77f5582baca4cae8ea5ec
Opcode Fuzzy Hash: dc471c4615f2fb3078951bfcfbe53b69e8c4aab618415fd6e97cad84a8c409fb
Instruction Fuzzy Hash: 57F0C239631B23AB0F617EB46C88F7722D8AE077593110139D602D2680EA50DCB386F0

Function 00287818 Relevance: 12.1, APIs: 8, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0028783D

Part of subcall function 0028067E: GetVersionExW.KERNEL32(?), ref: 002806AF

FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00287860
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00287872
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00287883
SystemTimeToFileTime.KERNEL32(?,?), ref: 00287893
SystemTimeToFileTime.KERNEL32(?,?), ref: 002878A3
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002878DE
__aullrem.LIBCMT ref: 00287984

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: e9a6397e884f0bead76af10329b38255852077923ec31b422accc72a794e0bc2
Instruction ID: 7622184e7b53d079675936882d07b63294697d396b7733747040912d193d3116
Opcode Fuzzy Hash: e9a6397e884f0bead76af10329b38255852077923ec31b422accc72a794e0bc2
Instruction Fuzzy Hash: 8F5155B1508305AFD710DF64D88496BFBE9FF88314F108A2EF59AD2250E738E958CB52

Function 00292B26 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 291COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00292B66

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Part of subcall function 00280BF3: _wcslen.LIBCMT ref: 00280C03

EndDialog.USER32(?,00000001), ref: 00292EDA

Strings

, xrefs: 00292E88
@set:user, xrefs: 00292D20
\S,, xrefs: 00292BE2
\S,, xrefs: 00292EB8

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _wcslen$DialogPathTemp
String ID: $@set:user$\S,$\S,
API String ID: 2172748170-1925104358
Opcode ID: 602622f81256ef74b6835b9095eddff8207670a8eca65aa2e2374343a0e305ca
Instruction ID: efa4367d79ae8302c5a337cd36f1d885d25427a3433ffc4decdc77c739ee3c3a
Opcode Fuzzy Hash: 602622f81256ef74b6835b9095eddff8207670a8eca65aa2e2374343a0e305ca
Instruction Fuzzy Hash: ECC14C30C21269EADF24EBA4DC45BDDBBB8AF15300F4440DAE449B3292DB705B99CF61

Function 00280E49 Relevance: 10.7, APIs: 7, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00280E50
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00280E85
GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00280EC4
_wcslen.LIBCMT ref: 00280ED4
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00280F51
GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00280F93
_wcslen.LIBCMT ref: 00280FA3

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FullNamePath$_wcslen$H_prolog3_
String ID:
API String ID: 840513527-0
Opcode ID: f9ed3f7e1c062b674905f4ccc555193a981fe5bfa7c47be25bf078b16367a36d
Instruction ID: bc98cc631352dee69e4ef6bed387b2adc3727b88319052d0435d4dcb0d8b2c2f
Opcode Fuzzy Hash: f9ed3f7e1c062b674905f4ccc555193a981fe5bfa7c47be25bf078b16367a36d
Instruction Fuzzy Hash: 54618C75D21209ABDF14EFA8DC84AEEBBBDAF85710F14410AF814E7281DB34D965CB60

Function 002A6239 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,002A69AE,?,00000000,?,00000000,00000000), ref: 002A627B
__fassign.LIBCMT ref: 002A62F6
__fassign.LIBCMT ref: 002A6311
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 002A6337
WriteFile.KERNEL32(?,?,00000000,002A69AE,00000000,?,?,?,?,?,?,?,?,?,002A69AE,?), ref: 002A6356
WriteFile.KERNEL32(?,?,00000001,002A69AE,00000000,?,?,?,?,?,?,?,?,?,002A69AE,?), ref: 002A638F

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e014f3cd93e490c59deef3ea2de20d328fdba43d914cb91ad8570ac61396380f
Instruction ID: 3276d791669e32144a1c35384ce2d76bd7c080f50e02ea4542f4747b6baf7191
Opcode Fuzzy Hash: e014f3cd93e490c59deef3ea2de20d328fdba43d914cb91ad8570ac61396380f
Instruction Fuzzy Hash: CE510770E10249DFDF10CFA8D849AEEBBF8EF0A710F18455AE542E3291EB709951CB50

Function 002993C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002993F7
___except_validate_context_record.LIBVCRUNTIME ref: 002993FF
_ValidateLocalCookies.LIBCMT ref: 00299488
__IsNonwritableInCurrentImage.LIBCMT ref: 002994B3
_ValidateLocalCookies.LIBCMT ref: 00299508

Strings

csm, xrefs: 0029949D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b1b16fd19422a03e5fcf2f0fb77fd73efc943c1c858e89cf48779031e824c2fb
Instruction ID: 528560eb3624a905b4e9a61d52d201cc97af7540dd34545058f788f39fcf1ea0
Opcode Fuzzy Hash: b1b16fd19422a03e5fcf2f0fb77fd73efc943c1c858e89cf48779031e824c2fb
Instruction Fuzzy Hash: 8341A634A20209AFCF11DF6CC885ADEBBB5BF45324F148159E8149B352D731A9A6CF91

Function 002A3554 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 002A3518: _free.LIBCMT ref: 002A3541

_free.LIBCMT ref: 002A35A2

Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC

_free.LIBCMT ref: 002A35AD
_free.LIBCMT ref: 002A35B8
_free.LIBCMT ref: 002A360C
_free.LIBCMT ref: 002A3617
_free.LIBCMT ref: 002A3622
_free.LIBCMT ref: 002A362D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
Instruction ID: f255889465f9bb19393dfbb8ffef78d86408ecf1710d7868eb8a9afc2afd5b3e
Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
Instruction Fuzzy Hash: EC11DD71960B04BBD934FBB4CC47FCBB79C5F0A700F804C15B29966152DE79B6294B90

Function 002A1609 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0029C5A2,0029C5A2,?,?,?,002A185A,00000001,00000001,C5E85006), ref: 002A1663
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002A185A,00000001,00000001,C5E85006,?,?,?), ref: 002A16E9
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002A17E3
__freea.LIBCMT ref: 002A17F0

Part of subcall function 002A040E: RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440

__freea.LIBCMT ref: 002A17F9
__freea.LIBCMT ref: 002A181E

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e6e938ea6b31de5ad81206c40e57477ac7666d571efc6178fcb4de446170ae80
Instruction ID: ae4e27919da6ffec6572f5e5cb2b6b14b5081d5420ae6e704d4f0a3bb51e4e46
Opcode Fuzzy Hash: e6e938ea6b31de5ad81206c40e57477ac7666d571efc6178fcb4de446170ae80
Instruction Fuzzy Hash: CE519572620216AFEB258F64DC85EBBB7AAEB46770F154229FD04D6140EF74DC70CA50

Function 00287AA3 Relevance: 9.1, APIs: 6, Instructions: 104timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00287B06

Part of subcall function 0028067E: GetVersionExW.KERNEL32(?), ref: 002806AF

LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00287B2A
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00287B44
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00287B57
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00287B67
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00287B77

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: aa658f5ca1a2d62489591811c63cda11ca0a4165406027b665a08fd3ceed09fa
Instruction ID: 577eccb84797389c976718d4816a480fabd178b75bcf517588907ff9eb4241a4
Opcode Fuzzy Hash: aa658f5ca1a2d62489591811c63cda11ca0a4165406027b665a08fd3ceed09fa
Instruction Fuzzy Hash: 2941387A2183159FC704DFA8D88499BB7E8FF98714F04491EF999C7210EB30D949CBA6

Function 0028F33B Relevance: 9.1, APIs: 6, Instructions: 102timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,1ECC2FF4,?,?,?,?,002AAA27,000000FF), ref: 0028F38A
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,002AAA27,000000FF), ref: 0028F399
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,002AAA27,000000FF), ref: 0028F3A7
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,002AAA27,000000FF), ref: 0028F3B5
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,002AAA27,000000FF), ref: 0028F3D0
GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,002AAA27,000000FF), ref: 0028F3FA

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Time$System$File$Format$DateLocalSpecific
String ID:
API String ID: 909090443-0
Opcode ID: c31a3e644db90368498d14f438a83ab0f0fc0250732d37c44035202579e618eb
Instruction ID: b5aa7d4cfa44f8017a355d99dfebacb505a5b27ccfa2a556cea7996b36ff081c
Opcode Fuzzy Hash: c31a3e644db90368498d14f438a83ab0f0fc0250732d37c44035202579e618eb
Instruction Fuzzy Hash: 0731FDB2510189AFDB11DFA4DD45EEF77ACFF59710F00412AF90AD6241EB74AA14CB60

Function 00292F8D Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002931A4

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Strings

S,, xrefs: 00292FF6
0, xrefs: 00293261
.lnk, xrefs: 0029319E, 002931A3, 002931AB
lnk, xrefs: 00293165

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _wcslen
String ID: .lnk$0$lnk$S,
API String ID: 176396367-3971810066
Opcode ID: 72e7df791779e69f6e41efb3c1d0051d151b3e13880d9f3d45653be5f01b6f73
Instruction ID: f150c7f57d015c47b71ce9a041f7898803dc7260d93f2a937793c84b253655a7
Opcode Fuzzy Hash: 72e7df791779e69f6e41efb3c1d0051d151b3e13880d9f3d45653be5f01b6f73
Instruction Fuzzy Hash: 32E11871D212599FDF24DBA4CC85BDDB7B8BF08300F1044AAE409A7291DB349BA8CF64

Function 0029977A Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00299771,002996CC,00296A64), ref: 00299788
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00299796
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002997AF
SetLastError.KERNEL32(00000000,00299771,002996CC,00296A64), ref: 00299801

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8bdcbd7900418b3ce0167e36facbee18913c96e8ca6612d68325d7bedb74385e
Instruction ID: a997bca44873ae2bcd753075456dee5d5e9c379c8d81d7ab09291bc7377ba840
Opcode Fuzzy Hash: 8bdcbd7900418b3ce0167e36facbee18913c96e8ca6612d68325d7bedb74385e
Instruction Fuzzy Hash: 6F01D4B21393129EAE242FBD7CE95AAA7C4EB02375731033DF620550E0EF514CA0E581

Function 002A0005 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0029B581,?,002BE088,?,0029AE80,?,002BE088,?,00000007), ref: 002A0009
_free.LIBCMT ref: 002A003C
_free.LIBCMT ref: 002A0064
SetLastError.KERNEL32(00000000,002BE088,?,00000007), ref: 002A0071
SetLastError.KERNEL32(00000000,002BE088,?,00000007), ref: 002A007D
_abort.LIBCMT ref: 002A0083

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 670ea17caa62b96c39d9360aa5a116731e1ec27b7d920bef2363296eee46e328
Instruction ID: fa928b74e0c822d5a7f17ac510398db998c4a9c16091e48503e3025653a304a4
Opcode Fuzzy Hash: 670ea17caa62b96c39d9360aa5a116731e1ec27b7d920bef2363296eee46e328
Instruction Fuzzy Hash: 4CF0C836134A01E7C62237347D8EF2B2A559FC3771F360114F618D21D2EE759C729A24

Function 00293FCF Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00293FDB
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00293FF5
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00294006
TranslateMessage.USER32(?), ref: 00294010
DispatchMessageW.USER32(?), ref: 0029401A
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00294025

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 9dbb6b3fa064e25a841948a5ec4731b04b3cfb615665c43977b44bdde0b43eb8
Instruction ID: 80d03ed0e5cad2d88457964fdc1d6eca0a3f5853a1171e4013f38cf29c294873
Opcode Fuzzy Hash: 9dbb6b3fa064e25a841948a5ec4731b04b3cfb615665c43977b44bdde0b43eb8
Instruction Fuzzy Hash: 2FF04F72A0111ABBCF206FA1EC4CEDF7F6DEF42391B008011FA06E2050E6349552CBE0

Function 00292493 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 216windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000066), ref: 002926A9
SendMessageW.USER32(00000000,00000143,00000000,002C5380), ref: 002926D6
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00292702

Strings

ProgramFilesDir, xrefs: 002925E0
Software\Microsoft\Windows\CurrentVersion, xrefs: 002925F4

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: MessageSend$Item
String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3888421826-2634093826
Opcode ID: 9e5b72743888b74262d74deb6aa15d81b64daa843ff1fb801d2165df487f4d61
Instruction ID: 853bab2282c9ec78deaa075c55a9c1716ac2cfc898e1917472a87f6d9e8a2b3c
Opcode Fuzzy Hash: 9e5b72743888b74262d74deb6aa15d81b64daa843ff1fb801d2165df487f4d61
Instruction Fuzzy Hash: EC815E31920259EEDF24EBE4C891FEDB778AF18310F545099E509B7181DB706BA9CF60

Function 0027A300 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027A307
GetLastError.KERNEL32(00000054,?,?,?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049), ref: 0027A427

Part of subcall function 0027AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0027AC2E
Part of subcall function 0027AC11: GetLastError.KERNEL32 ref: 0027AC72
Part of subcall function 0027AC11: CloseHandle.KERNEL32(?), ref: 0027AC81

Strings

SeSecurityPrivilege, xrefs: 0027A341
K), xrefs: 0027A389, 0027A3CD
SeRestorePrivilege, xrefs: 0027A356

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege$K)
API String ID: 2235100918-3651858649
Opcode ID: 0d5af36fbf85f95e5ea72de2443f76396ec64754b632b8dc6756b93b2c3aa548
Instruction ID: da97e31bb07610b8db17fd7de4287a20c5fb544db44e04d661a4ca2f5a1c232e
Opcode Fuzzy Hash: 0d5af36fbf85f95e5ea72de2443f76396ec64754b632b8dc6756b93b2c3aa548
Instruction Fuzzy Hash: 69417370E20219ABDF14EFE8E899BEDB7B8AF48314F04801EF505B7241DB7599548F25

Function 0028DC95 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0028DC9C
_wcslen.LIBCMT ref: 0028DD61
_wcslen.LIBCMT ref: 0028DDAC

Strings

<br>, xrefs: 0028DD5C, 0028DD68
 , xrefs: 0028DDA7, 0028DDB3

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _wcslen$H_prolog3
String ID:  $<br>
API String ID: 1035939448-26742755
Opcode ID: d4606c007d23917a0fcbebbc7c413d2ef81441c9553c53928d21a1b24de85e57
Instruction ID: 81dff6ed67796ebbc1b5b0566b6c659514e09a13ccc2c2c8a508a9aae6bcdcb7
Opcode Fuzzy Hash: d4606c007d23917a0fcbebbc7c413d2ef81441c9553c53928d21a1b24de85e57
Instruction Fuzzy Hash: 8A416F3AB612119BDB15AF54C881B3D7336FF95704F60842AE4068F2C1EBB19DA6CBD1

Function 002901DD Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002901E4
_wcslen.LIBCMT ref: 002902BF

Strings

VL), xrefs: 00290201
`L), xrefs: 00290227, 00290290
BL), xrefs: 002902EB

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_wcslen
String ID: BL)$VL)$`L)
API String ID: 3746244732-3221003899
Opcode ID: 5df4bbf87d17d03148c0f15822b83d3f044657af83b87ee621c4012f7a595daa
Instruction ID: f52ca1effff2c2c4c8b1871ade406186740eb870ca92b78247d36e5dde793609
Opcode Fuzzy Hash: 5df4bbf87d17d03148c0f15822b83d3f044657af83b87ee621c4012f7a595daa
Instruction Fuzzy Hash: E2410871A2110AAFDF04DFA8DD899EE77B9FF09314B104119F855AB2A1DB309E20CB64

Function 0028FA79 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 0028FEA7: GetCurrentProcess.KERNEL32(00020008,?), ref: 0028FEB6
Part of subcall function 0028FEA7: GetLastError.KERNEL32 ref: 0028FEE1

CreateDirectoryW.KERNEL32(?,?), ref: 0028FB23
LocalFree.KERNEL32(?), ref: 0028FB31

Strings

tL), xrefs: 0028FADA
.L), xrefs: 0028FAE9
8L), xrefs: 0028FAFC

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID: .L)$8L)$tL)
API String ID: 1077098981-630498960
Opcode ID: 4956e262f5eaf1394471d0813c4d4378d8721dabded32cabdd2063d7234ef5e6
Instruction ID: f5172845ff8987174576782d22597b75bc3ff4cfdfd4780eb52e59ec11179bd2
Opcode Fuzzy Hash: 4956e262f5eaf1394471d0813c4d4378d8721dabded32cabdd2063d7234ef5e6
Instruction Fuzzy Hash: 6921E6B590120A9BDF10DFA5E9889EEBBF8FF48314F10452AE815E3150D7349A15CBA0

Function 00293D64 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00293D6B

Strings

Software\WinRAR SFX, xrefs: 00293DC4
jL), xrefs: 00293E01
LL), xrefs: 00293DCE
BL), xrefs: 00293E0A

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_
String ID: BL)$LL)$Software\WinRAR SFX$jL)
API String ID: 2427045233-653404485
Opcode ID: 1819d2be661f9ebd17f0a7fa0c0e76cd1b3002a512befd8413a7cc556d2f9240
Instruction ID: 58d42b6fd13733af99525461b9d63cbc92ace688d17316417081c4b071c24ab0
Opcode Fuzzy Hash: 1819d2be661f9ebd17f0a7fa0c0e76cd1b3002a512befd8413a7cc556d2f9240
Instruction Fuzzy Hash: 1D214D71920219EBDF20DFA5EC89EEEBBB9FF88710F10441AF541A2150D7709A94CB60

Function 002907E5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 002907F5
GetObjectW.GDI32(00000000,00000018,?), ref: 0029081A
DeleteObject.GDI32(00000000), ref: 0029084C
DeleteObject.GDI32(00000000), ref: 0029086F

Part of subcall function 0028EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00290845,00000066), ref: 0028EBE6
Part of subcall function 0028EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EBFD
Part of subcall function 0028EBD3: LoadResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC14
Part of subcall function 0028EBD3: LockResource.KERNEL32(00000000,?,?,?,00290845,00000066), ref: 0028EC23
Part of subcall function 0028EBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00290845,00000066), ref: 0028EC3E
Part of subcall function 0028EBD3: GlobalLock.KERNEL32(00000000,?,?,?,?,?,00290845,00000066), ref: 0028EC4F
Part of subcall function 0028EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0028ECB8
Part of subcall function 0028EBD3: GlobalUnlock.KERNEL32(00000000), ref: 0028ECD7
Part of subcall function 0028EBD3: GlobalFree.KERNEL32(00000000), ref: 0028ECDE

Strings

], xrefs: 00290822

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 762a74612c1678482b0b5b7e860a3b2e435e6ea95a27ebffc976c62915dce279
Instruction ID: 0f508befa31bd0296161a22158bb90ac7a18849885003c993b94067ea739a71b
Opcode Fuzzy Hash: 762a74612c1678482b0b5b7e860a3b2e435e6ea95a27ebffc976c62915dce279
Instruction Fuzzy Hash: 1001F93666121AABEF117B64AC49E7F367ABF80B55F060024F900A72D1DF718C254BE1

Function 0029ED2F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0029ECE0,00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002), ref: 0029ED4F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0029ED62
FreeLibrary.KERNEL32(00000000,?,?,?,0029ECE0,00000000,?,0029EC80,00000000,002B6F40,0000000C,0029EDD7,00000000,00000002), ref: 0029ED85

Strings

CorExitProcess, xrefs: 0029ED5A
mscoree.dll, xrefs: 0029ED48

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 078f0ae4d16bf10f4b8bab1ac5e09b37d2ba5270f311e779ec3defac7591985c
Instruction ID: 4f54c6ae2a288691594ba71b88bc6968cf40622e88838b6b46a7bdbcbe2e3e20
Opcode Fuzzy Hash: 078f0ae4d16bf10f4b8bab1ac5e09b37d2ba5270f311e779ec3defac7591985c
Instruction Fuzzy Hash: 74F03C70A20219FBCF159FA4EC09BAEBFB9EB09725F110168E805A2250CF354A90CB90

Function 0029631E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,002962BB,00000064), ref: 00296341
LeaveCriticalSection.KERNEL32(002C60E0,?,?,002962BB,00000064,?,?,?,?,00000000,002AA75D,000000FF), ref: 0029634B
WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,002962BB,00000064,?,?,?,?,00000000,002AA75D,000000FF), ref: 0029635C
EnterCriticalSection.KERNEL32(002C60E0,?,002962BB,00000064,?,?,?,?,00000000,002AA75D,000000FF), ref: 00296363

Strings

`,, xrefs: 00296345

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: `,
API String ID: 3269011525-3004470232
Opcode ID: 7e96ceb69f04e12a0baf9517aaf4daf73e52878ce89a98a183bd025f756088e4
Instruction ID: 46258e40043828622efb823900a1380cafd6bf6e4ef4d307be537b195fd2f1f5
Opcode Fuzzy Hash: 7e96ceb69f04e12a0baf9517aaf4daf73e52878ce89a98a183bd025f756088e4
Instruction Fuzzy Hash: 3AE04831661234FFCB111F90FC0DF9D7F68FB06B91B154155F90AB6160CB6259209BD9

Function 00285094 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00286C5E: __EH_prolog3_GS.LIBCMT ref: 00286C65
Part of subcall function 00286C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00286C9A

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002850B3
GetProcAddress.KERNEL32(002C51F8,CryptUnprotectMemory), ref: 002850C3

Strings

Crypt32.dll, xrefs: 0028509D
CryptUnprotectMemory, xrefs: 002850B9
CryptProtectMemory, xrefs: 002850AD

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AddressProc$DirectoryH_prolog3_System
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 270589589-1753850145
Opcode ID: f236efca2b80c38e3d61f671288f7c66a46484334425ce1e35e7fa91e5721f50
Instruction ID: 9bf38c890ba58e165a612127b41a27eb4a334f3cbe9119fa61f9a9419266fc62
Opcode Fuzzy Hash: f236efca2b80c38e3d61f671288f7c66a46484334425ce1e35e7fa91e5721f50
Instruction Fuzzy Hash: 12E04F74821B12DFD7306F74EC0D7467ED46F1B704F20882EA4D993580DEB5E4608B50

Function 0029985A Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00299921
___AdjustPointer.LIBCMT ref: 00299944
_abort.LIBCMT ref: 00299992
___AdjustPointer.LIBCMT ref: 002999E0

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: e46993260421128de9247c2f16bb29d235999988a5b09e7bcfe7cfe1d7a586cd
Instruction ID: e86b09fa13eff71e831df7ff255a397b6d5e39054d4c1aff36dea9e8f34e4821
Opcode Fuzzy Hash: e46993260421128de9247c2f16bb29d235999988a5b09e7bcfe7cfe1d7a586cd
Instruction Fuzzy Hash: E751E272A21202AFEF289F58D845BBAB3A4FF41320F14452DEC0547291E772ECE4CB90

Function 0027F3BE Relevance: 7.7, APIs: 5, Instructions: 161filetimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0027F3C5
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,0027B749,?,?,?,?,?,?), ref: 0027F450
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 0027F4A7
SetFileTime.KERNEL32(?,?,?,?), ref: 0027F569
CloseHandle.KERNEL32(?), ref: 0027F570

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: File$Create$CloseH_prolog3_HandleTime
String ID:
API String ID: 4002707884-0
Opcode ID: e42e7d52b761ef99b546c1bb8993163572ee5bab838b4a5e9b8610586598ad51
Instruction ID: 3b6dbb7f6532a97994e9ca23b0559c4a44a3528c86b9677e2014525806b6aaf8
Opcode Fuzzy Hash: e42e7d52b761ef99b546c1bb8993163572ee5bab838b4a5e9b8610586598ad51
Instruction Fuzzy Hash: 4E51D330A24249ABDF10DFE8D945BEEBBB5AF09310F244129F545F72C0D7349A55CB24

Function 002A2BE0 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002A2BE9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002A2C0C

Part of subcall function 002A040E: RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002A2C32
_free.LIBCMT ref: 002A2C45
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A2C54

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 08e08cbdfe34ef24ed84dc1ffe2c85a54c410c9b86697cd345eb4afc0134886e
Instruction ID: c5819671ccc1209c45cbbb22366518a2db84e675265e5db82acc277284c5d076
Opcode Fuzzy Hash: 08e08cbdfe34ef24ed84dc1ffe2c85a54c410c9b86697cd345eb4afc0134886e
Instruction Fuzzy Hash: 8101F772721211BF37251A7E6C8CC7F7A6EDEC7B71326012AF908D2111EE60CC1595B0

Function 002A0089 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0029535E,0029535E,?,002A01D8,002A0451,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?), ref: 002A008E
_free.LIBCMT ref: 002A00C3
_free.LIBCMT ref: 002A00EA
SetLastError.KERNEL32(00000000,?,0029535E), ref: 002A00F7
SetLastError.KERNEL32(00000000,?,0029535E), ref: 002A0100

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 70584ee590ce23f916f0e7df5ce4c12aa5e9c227cbed207159a2e63a5141436a
Instruction ID: 9bf425394de4498842212c6ede9adfe660bf522a417077db25dbfc6949f379df
Opcode Fuzzy Hash: 70584ee590ce23f916f0e7df5ce4c12aa5e9c227cbed207159a2e63a5141436a
Instruction Fuzzy Hash: C40128721747026787222B747DCAF2B256ADFC3371B310129F505A3592EEB08C755520

Function 002A34AF Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002A34C7

Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC

_free.LIBCMT ref: 002A34D9
_free.LIBCMT ref: 002A34EB
_free.LIBCMT ref: 002A34FD
_free.LIBCMT ref: 002A350F

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6fd48032457e0f4fd4d57580899d482a18dd49eea346bacd232feab3a8a67151
Instruction ID: 2115b58eeaf54168045691fadefb375f23ef9fe3b891548051a86494187df67a
Opcode Fuzzy Hash: 6fd48032457e0f4fd4d57580899d482a18dd49eea346bacd232feab3a8a67151
Instruction Fuzzy Hash: 77F01D32528301BB8A20EF68F8CAC1A77D9AB467107690C46F508E7901CFB4FDA0CB60

Function 0029F7C0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0029F7DE

Part of subcall function 002A03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?), ref: 002A03EA
Part of subcall function 002A03D4: GetLastError.KERNEL32(?,?,002A3546,?,00000000,?,00000000,?,002A356D,?,00000007,?,?,002A396A,?,?), ref: 002A03FC

_free.LIBCMT ref: 0029F7F0
_free.LIBCMT ref: 0029F803
_free.LIBCMT ref: 0029F814
_free.LIBCMT ref: 0029F825

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66a1eb3da41fefb1d00eb818eb50e5e4f39fdc6e30c5e0100c08f199228ce4a7
Instruction ID: ff56a816033ab66e92efc22a53ab3dcf38ded025973d5aa4b621f762dd5ed719
Opcode Fuzzy Hash: 66a1eb3da41fefb1d00eb818eb50e5e4f39fdc6e30c5e0100c08f199228ce4a7
Instruction Fuzzy Hash: 69F089704203109BDF51AF24BD4EC54BFA1FB1AB243010A9BF515A7671CB7A5861CF81

Function 0028EF21 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 0028EBAA: GetDC.USER32(00000000), ref: 0028EBAE
Part of subcall function 0028EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028EBB9
Part of subcall function 0028EBAA: ReleaseDC.USER32(00000000,00000000), ref: 0028EBC4

GetObjectW.GDI32(?,00000018,?), ref: 0028EF65

Part of subcall function 0028F1EC: GetDC.USER32(00000000), ref: 0028F1F5
Part of subcall function 0028F1EC: GetObjectW.GDI32(?,00000018,?), ref: 0028F224
Part of subcall function 0028F1EC: ReleaseDC.USER32(00000000,?), ref: 0028F2BC

Strings

kJ), xrefs: 0028F1CE
(, xrefs: 0028F0BA

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ObjectRelease$CapsDevice
String ID: ($kJ)
API String ID: 1061551593-342208659
Opcode ID: de2e15a0fd40e8ab530295fc4a60e0221d97e526515aaa77e499fe8aadfe14a1
Instruction ID: a6c3ed54b5dae4cf595379c6833a93f1da25300da10f738482a5165081af6394
Opcode Fuzzy Hash: de2e15a0fd40e8ab530295fc4a60e0221d97e526515aaa77e499fe8aadfe14a1
Instruction Fuzzy Hash: E79102756183159FC750DF65D848A6BBBE9FF89B00F10491EF98AD3260CB70A905CF62

Function 0029EE2A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\x11.exe,00000104), ref: 0029EE6A
_free.LIBCMT ref: 0029EF35
_free.LIBCMT ref: 0029EF3F

Strings

C:\Users\user\Desktop\x11.exe, xrefs: 0029EE61, 0029EE68, 0029EE97, 0029EECF

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\x11.exe
API String ID: 2506810119-676683206
Opcode ID: 87744945d10a3d15a2d62166f86e1192b86e07d82e38d6ed8eeebd0c25b98046
Instruction ID: 12cbf9ed87ad7d21eb250f4486e746ac50477b72fa59e5d76eb91ddd24fd6b6f
Opcode Fuzzy Hash: 87744945d10a3d15a2d62166f86e1192b86e07d82e38d6ed8eeebd0c25b98046
Instruction Fuzzy Hash: 86317E71A24258AFCF21DF999C89D9EBBFCEF89310F1540A6F80497201DBB19E54CB91

Function 00299E56 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00299E7B
_abort.LIBCMT ref: 00299F86

Strings

RCC, xrefs: 00299E95
MOC, xrefs: 00299E8D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: cf42a125538c90ff095cfb4285b8fa16d63878b8c77385c1230bb4c9523366a3
Instruction ID: e2e7611fa1ef34051d12640ad05645806a3f83fc6bc8637d2aeef64c2a39b5b0
Opcode Fuzzy Hash: cf42a125538c90ff095cfb4285b8fa16d63878b8c77385c1230bb4c9523366a3
Instruction Fuzzy Hash: 9D414A7191020AAFCF16DF98CD81AEEBBB5BF48314F148159FA05A7251D33699A0DF50

Function 0028338E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0028340E
_strncpy.LIBCMT ref: 00283459

Part of subcall function 002889ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,002BE088,?,00000007,002833E2,?,?,00000050,1ECC2FF4), ref: 00288A0A

Strings

$%s, xrefs: 00283403
@%s, xrefs: 002833F8

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 46d7d504bc61f1788293a40ddf78204d307710c592eb832b8491867f2959d013
Instruction ID: cfcefa6063db6870aa0014da81ebd7d1a7986c7bd6d1fea58bfb4c0890ec8a5e
Opcode Fuzzy Hash: 46d7d504bc61f1788293a40ddf78204d307710c592eb832b8491867f2959d013
Instruction Fuzzy Hash: 2121D27652170EABDB11EEA8CD45EAE7BE8FB05700F040125FA10D72C1DB31EA24CB60

Function 0028F8F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0028F8F7

Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E

EndDialog.USER32(?,00000001), ref: 0028F99F
SetDlgItemTextW.USER32(?,00000066,00000000), ref: 0028F9E1

Strings

ASKNEXTVOL, xrefs: 0028F909

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ItemText$DialogH_prolog3_Window
String ID: ASKNEXTVOL
API String ID: 2321058237-3402441367
Opcode ID: 060a8e4db52d4c356ec3edbafb731f4731aa119319fd0188879ee002221a0208
Instruction ID: 0294f5c1e4ac3680fd0d77fadf53780f83d60bf6742362dd66252f1605eefa63
Opcode Fuzzy Hash: 060a8e4db52d4c356ec3edbafb731f4731aa119319fd0188879ee002221a0208
Instruction Fuzzy Hash: C2218F35622115BFDB50FFA8DE4AFA937A8AF0A300F104025F5059B2E1C770AA74CF21

Function 00287445 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0027FEBD,00000008,00000004,00282D42,?,?,?,?,00000000,0028ABB6,?), ref: 00287484
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0027FEBD,00000008,00000004,00282D42,?,?,?,?,00000000), ref: 0028748E
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0027FEBD,00000008,00000004,00282D42,?,?,?,?,00000000), ref: 0028749E

Strings

Thread pool initialization failed., xrefs: 002874B6

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: b2c5d481dc857af4fb9be199d0bcee0e9ec04b14b492157b27070003ed5d4664
Instruction ID: f77b5dbea7b536dba642ac140e0ba1087693646858dd631808c47322c6b6efe6
Opcode Fuzzy Hash: b2c5d481dc857af4fb9be199d0bcee0e9ec04b14b492157b27070003ed5d4664
Instruction Fuzzy Hash: 9E110AB1615709AFD3316F769C889A7FFECEB55744F20482EF1DAC3240DAB099908B50

Function 0029406A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 002940CB
REPLACEFILEDLG, xrefs: 002940B8, 002940F2

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 2aeb3759577ad1268be4927c3760b7bea2ef68d6654b1348485e20206bfa9836
Instruction ID: 9482f93cd117057b89b529a8ad7d72a99c8ba6df40f5b688043b73fa867001b5
Opcode Fuzzy Hash: 2aeb3759577ad1268be4927c3760b7bea2ef68d6654b1348485e20206bfa9836
Instruction Fuzzy Hash: F4117C30224311ABDF14AF19FC48E267BE8E75A381B040929F646D3220D671E8E6DF61

Function 00271E44 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00283EAA: _swprintf.LIBCMT ref: 00283EEA
Part of subcall function 00283EAA: _strlen.LIBCMT ref: 00283F0B
Part of subcall function 00283EAA: SetDlgItemTextW.USER32(?,002B919C,?), ref: 00283F64
Part of subcall function 00283EAA: GetWindowRect.USER32(?,?), ref: 00283F9A
Part of subcall function 00283EAA: GetClientRect.USER32(?,?), ref: 00283FA6

GetDlgItem.USER32(00000000,00003021), ref: 00271E88
SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E

Strings

0, xrefs: 00271E47
gI), xrefs: 00271E78

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0$gI)
API String ID: 2622349952-1724040823
Opcode ID: e52e7a024fe4d91dfd235a99ef1594d9dbe44c38a4b0df0a057813b636041c2d
Instruction ID: acf19a1b8188c855780c07e48d6b7001f3c048f8b753008b8c5cf1c9b077b4b2
Opcode Fuzzy Hash: e52e7a024fe4d91dfd235a99ef1594d9dbe44c38a4b0df0a057813b636041c2d
Instruction Fuzzy Hash: EDF0AF30524249A7DF251F65ED0AEEA3B98AF15344F088154FC4C545E1C7B4CAB0DF50

Function 0029A892 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0029A843,00000000,?,002C6150,?,?,?,0029A9E6,00000004,InitializeCriticalSectionEx,002AF7F4,InitializeCriticalSectionEx), ref: 0029A89F
GetLastError.KERNEL32(?,0029A843,00000000,?,002C6150,?,?,?,0029A9E6,00000004,InitializeCriticalSectionEx,002AF7F4,InitializeCriticalSectionEx,00000000,?,0029A79D), ref: 0029A8A9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0029A8D1

Strings

api-ms-, xrefs: 0029A8B6

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c7d51a48a92ac0eacb8e682a47d57789b97a480b4205aa083edeb13f85b1e042
Instruction ID: 90c9f5474c46aaf98d0cf034eb7b014d30e279af869eccd9e04208d8543f9c45
Opcode Fuzzy Hash: c7d51a48a92ac0eacb8e682a47d57789b97a480b4205aa083edeb13f85b1e042
Instruction Fuzzy Hash: DFE04F30290306B7EF201FA0ED0AB183A59AF11B91F200430FD0DA84E0DF619825AAD6

Function 002A07EA Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002A0875
__alldvrm.LIBCMT ref: 002A0A76
__alldvrm.LIBCMT ref: 002A0A98

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
Instruction ID: f879e9fd6a474630c1c6f78ddcf1301a6910e1a85b8911796538ac3d58448d12
Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
Instruction Fuzzy Hash: 7CA14971E207879FEB11CF28C8D17AEBBE4EF57350F144169E5859B282CA788D51CB90

Function 002A3638 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,002A0481,?,00000000,?,00000001,?,?,00000001,002A0481,?), ref: 002A3685
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002A370E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0029DBD1,?), ref: 002A3720
__freea.LIBCMT ref: 002A3729

Part of subcall function 002A040E: RtlAllocateHeap.NTDLL(00000000,0029535E,?,?,00296C16,?,?,?,?,?,00295269,0029535E,?,?,?,?), ref: 002A0440

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7e46c24878a9d93a2aae51f673c1f6b1e4b71e88443c973e6df44efc94f7dab5
Instruction ID: f0f37b15eaadde86728f9e653958311b86562ae6b856e630f4da1a44336a1a3b
Opcode Fuzzy Hash: 7e46c24878a9d93a2aae51f673c1f6b1e4b71e88443c973e6df44efc94f7dab5
Instruction Fuzzy Hash: 5C31A0B1A2020AABDF25DF64DC85DAEBBE9EB45750F140169FC04D6250EB35CE60CB90

Function 0028126C Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00281273

Part of subcall function 0028067E: GetVersionExW.KERNEL32(?), ref: 002806AF

FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,0027350C,1ECC301C,00000000,?,?,002743F5,?,?,?,00000000), ref: 0028129A
FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 002812D4
_wcslen.LIBCMT ref: 002812DF

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FoldString$H_prolog3Version_wcslen
String ID:
API String ID: 535866816-0
Opcode ID: ea20e61e7b3a7a57264a3f68e5e5f36328efba13b53ade9c73327ac57649de58
Instruction ID: bcfc0ca59766f9bb0367e87ecac8957b616c0d5466a3dc0878c5d2ab34bc4000
Opcode Fuzzy Hash: ea20e61e7b3a7a57264a3f68e5e5f36328efba13b53ade9c73327ac57649de58
Instruction Fuzzy Hash: E2119471A22126ABDB01AFA98D49A6F7B6DAF05720F200205B810E72C1CB309971CBF1

Function 002862CD Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002862D4
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 002862EB
ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00286328
_wcslen.LIBCMT ref: 00286338

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: EnvironmentExpandStrings$H_prolog3_wcslen
String ID:
API String ID: 3741103063-0
Opcode ID: be43d1155240f42b5fdbd03c46020c6a1d59a2fb09f1e928b987beca49423af3
Instruction ID: ebdbcbae695ba8a62c1f024c54a611a675ee0125ca017928d6dc77ac64701013
Opcode Fuzzy Hash: be43d1155240f42b5fdbd03c46020c6a1d59a2fb09f1e928b987beca49423af3
Instruction Fuzzy Hash: 6811A074A2221AAF9F00AFA89D899BFF779BF45714714415DB411A7280DB34AE20CBA4

Function 002A19E4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,002A198B,00000000,00000000,00000000,00000000,?,002A1B88,00000006,FlsSetValue), ref: 002A1A16
GetLastError.KERNEL32(?,002A198B,00000000,00000000,00000000,00000000,?,002A1B88,00000006,FlsSetValue,002B0DD0,FlsSetValue,00000000,00000364,?,002A00D7), ref: 002A1A22
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002A198B,00000000,00000000,00000000,00000000,?,002A1B88,00000006,FlsSetValue,002B0DD0,FlsSetValue,00000000), ref: 002A1A30

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8167a16c6576258445c03afbb4d45a8ddef4842318f77f090e52aafd5443e7dd
Instruction ID: ce2990beaf76a0993d09753b8b4e886e909df0810eeeec5ffea43342d0b7e83c
Opcode Fuzzy Hash: 8167a16c6576258445c03afbb4d45a8ddef4842318f77f090e52aafd5443e7dd
Instruction Fuzzy Hash: AA01F7366662239BC7218EA8AC48A57779CAF077B1F254620FD0AD3242CF20D830C6E0

Function 00281309 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00281310
GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002817FB,?,?,\\?\,1ECC2FF4,?,?,?,00000000,002AA279,000000FF), ref: 00281319
GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,002AA279,000000FF), ref: 00281348
_wcslen.LIBCMT ref: 00281351

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CurrentDirectory$H_prolog3_wcslen
String ID:
API String ID: 19219720-0
Opcode ID: 05ca42ff9b440ebe14d8e76cde77f6a44022fc956b293405aa374dba201e56b8
Instruction ID: 1ea53ceddc621a09d8798e65299c06e179e34920535aa696cb88ed48a3da1d74
Opcode Fuzzy Hash: 05ca42ff9b440ebe14d8e76cde77f6a44022fc956b293405aa374dba201e56b8
Instruction Fuzzy Hash: 9A01DB75D20126BB8B10AFF89D058BFBB7DAF86710B104609F515E7281CF348921CBE0

Function 0028EB74 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0028EB77
GetDeviceCaps.GDI32(00000000,00000058), ref: 0028EB86
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0028EB94
ReleaseDC.USER32(00000000,00000000), ref: 0028EBA2

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8350f8df71bdf71e04ebe2c7ed726d60cee94c7ec0fb675a2d6780174e9a8d44
Instruction ID: a42e29e95c674e2ea4e470583def374be1cd4433272617051e2c795131c80f72
Opcode Fuzzy Hash: 8350f8df71bdf71e04ebe2c7ed726d60cee94c7ec0fb675a2d6780174e9a8d44
Instruction Fuzzy Hash: A7E0123194AF70ABD7211B71BD0DF873E54AF19B53F050181FB05AA1D0CAB084408FD0

Function 00287C68 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 293COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00288294

Part of subcall function 002714A7: _wcslen.LIBCMT ref: 002714B8

Part of subcall function 0029087E: __EH_prolog3_GS.LIBCMT ref: 00290885
Part of subcall function 0029087E: GetLastError.KERNEL32(0000001C,00288244,?,00000000,00000086,?,1ECC2FF4,?,?,?,?,?,00000000,002AA75D,000000FF), ref: 0029089D
Part of subcall function 0029087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,002AA75D,000000FF), ref: 002908D6

Strings

%ls, xrefs: 00287CF7

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
String ID: %ls
API String ID: 1279724102-3246610740
Opcode ID: 3132d95d8145615e89fa90c8711a5ca7bb59f9440af6f5263d7d75672cba28b7
Instruction ID: 5f111fc64bfade45bbac1b801c1c612a5edde86e3743fe6b18f0ef7f12e8966a
Opcode Fuzzy Hash: 3132d95d8145615e89fa90c8711a5ca7bb59f9440af6f5263d7d75672cba28b7
Instruction Fuzzy Hash: 28B19F34825209EBDB24FF54CD56EAE7BB5BF15304F208419F846261E1DBB1AA74EF80

Function 00291F82 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 272fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00281309: __EH_prolog3.LIBCMT ref: 00281310
Part of subcall function 00281309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002817FB,?,?,\\?\,1ECC2FF4,?,?,?,00000000,002AA279,000000FF), ref: 00281319

Part of subcall function 00281AD1: __EH_prolog3_GS.LIBCMT ref: 00281AD8

Part of subcall function 0027F763: __EH_prolog3_GS.LIBCMT ref: 0027F76A

Part of subcall function 0027F58B: __EH_prolog3_GS.LIBCMT ref: 0027F592
Part of subcall function 0027F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,0027A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0027F5A8
Part of subcall function 0027F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,0027D303,?,?,?,?,?,?,?,1ECC2FF4,00000049), ref: 0027F5EB

MoveFileW.KERNEL32(?,?), ref: 002922BE
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 002922D8

Part of subcall function 002814CC: __EH_prolog3_GS.LIBCMT ref: 002814D3

Strings

.tmp, xrefs: 0029222B

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FileH_prolog3_$AttributesMove$CurrentDirectoryH_prolog3
String ID: .tmp
API String ID: 3107500630-2986845003
Opcode ID: 87582706cd94d1945d690ab9d9b1d9df34dfc8139769a23d96fc91fc0f3c0628
Instruction ID: a127971ef5725a5654508f60d31d3d517091b0c274249a495b53c10e1e59079b
Opcode Fuzzy Hash: 87582706cd94d1945d690ab9d9b1d9df34dfc8139769a23d96fc91fc0f3c0628
Instruction Fuzzy Hash: 06C1DF71C20268DADF65EFA4C885BDDB7B8BF09300F5041EAE54DA2241DB345BA9CF20

Function 002A28A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 002A246B: GetOEMCP.KERNEL32(00000000,?,?,002A26F4,?), ref: 002A2496

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,002A2739,?,00000000), ref: 002A2914
GetCPInfo.KERNEL32(00000000,9'*,?,?,?,002A2739,?,00000000), ref: 002A2927

Strings

9'*, xrefs: 002A2922, 002A2925

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CodeInfoPageValid
String ID: 9'*
API String ID: 546120528-3582295230
Opcode ID: 6077cd9c64cafb54c737221056a0b0188009a07d195c3377ffb59000122c051f
Instruction ID: e198f761580667a4354117987af403d9a251463ab66c180574954177f9ae0c88
Opcode Fuzzy Hash: 6077cd9c64cafb54c737221056a0b0188009a07d195c3377ffb59000122c051f
Instruction Fuzzy Hash: C5512570A20343DFDB25CF39C8416BBFBE5EF42700F24406ED09687252DA35999ACB90

Function 002A1E68 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002A1FD4

Part of subcall function 0029ACBB: IsProcessorFeaturePresent.KERNEL32(00000017,0029AC8D,0029535E,?,?,00000000,0029535E,00000016,?,?,0029AC9A,00000000,00000000,00000000,00000000,00000000), ref: 0029ACBD
Part of subcall function 0029ACBB: GetCurrentProcess.KERNEL32(C0000417,?,0029535E), ref: 0029ACDF
Part of subcall function 0029ACBB: TerminateProcess.KERNEL32(00000000,?,0029535E), ref: 0029ACE6

Strings

*?, xrefs: 002A1EAB
., xrefs: 002A218B

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
Instruction ID: bc03a55445a367a01642377ce306e7e962c9cdb9ae980aaf21c40b4d1594ea0d
Opcode Fuzzy Hash: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
Instruction Fuzzy Hash: A851C075E1021AAFDF14CFA8C881AADB7B5FF59320F24416AE844E7340EB719E21CB50

Function 002A2543 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 002A2568

Strings

}**, xrefs: 002A255A
, xrefs: 002A25AD

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Info
String ID: $}**
API String ID: 1807457897-3226082957
Opcode ID: c851cd05edc7bf4b50b93ce8bc53647e69e39fd3f298d3ec974a46e38c8fa4e7
Instruction ID: f8384498bb5d11b7c115207f2a2164163438c494ce469455d569ffa874c67ed4
Opcode Fuzzy Hash: c851cd05edc7bf4b50b93ce8bc53647e69e39fd3f298d3ec974a46e38c8fa4e7
Instruction Fuzzy Hash: 2F413B70915248DFDF268E28CC84BF6BBEDEB46704F1404ECE58A86142D6359A69CF60

Function 0027F103 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 002879F7: GetSystemTime.KERNEL32(?,00000000), ref: 00287A0F
Part of subcall function 002879F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00287A1D

Part of subcall function 002879A0: __aulldiv.LIBCMT ref: 002879A9

__aulldiv.LIBCMT ref: 0027F162
GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,1ECC2FF4,?,?,00000000,?,00000000,002A9F3D,000000FF), ref: 0027F169

Part of subcall function 00271150: _wcslen.LIBCMT ref: 0027115B

Strings

.rartemp, xrefs: 0027F1D8

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
String ID: .rartemp
API String ID: 3789791499-2558811017
Opcode ID: 102b6688540c45ba751a596345df6cb1c83b40f2e3a93a06b7f6aa3ab1086800
Instruction ID: ee1f83fc3b31ead917be12e7bc7f3a3b54aab6694229daf106d0dc9dc71b30e8
Opcode Fuzzy Hash: 102b6688540c45ba751a596345df6cb1c83b40f2e3a93a06b7f6aa3ab1086800
Instruction Fuzzy Hash: B2418371920249ABDF14EF64CC45EEEB7B8EF54310F508169F91993282EB349B68CF60

Function 0028DACE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0028DAD5

Part of subcall function 00280360: __EH_prolog3.LIBCMT ref: 00280367

Strings

about:blank, xrefs: 0028DBD3
Shell.Explorer, xrefs: 0028DB11

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3
String ID: Shell.Explorer$about:blank
API String ID: 431132790-874089819
Opcode ID: 689fee82622843cd6b434b9f823e688f5bf7fbb93d7d6135a1f6b29a49a372a4
Instruction ID: cec248d37ca8f9bfa044ca5a85a118f7d0feb1de00a4bc692f5be0a8a88591ef
Opcode Fuzzy Hash: 689fee82622843cd6b434b9f823e688f5bf7fbb93d7d6135a1f6b29a49a372a4
Instruction Fuzzy Hash: 08417E786212028FDF48EFA4D895B6A77B1BF89704F15806DE8069B2D2DF70AD14CF50

Function 0028D7EB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0028D7F2
ShowWindow.USER32(?,00000005), ref: 0028D8E8

Strings

qI), xrefs: 0028D8DD

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: H_prolog3_ShowWindow
String ID: qI)
API String ID: 4203566401-3380328277
Opcode ID: f1a82f4a5c693c4f08198405dbb3c7055b29cf63feab24938cc95ae323e9f2ce
Instruction ID: f59db453b2d169e650ba7ece24bf6295329c5aefefae96c3ba0a18c471902cd0
Opcode Fuzzy Hash: f1a82f4a5c693c4f08198405dbb3c7055b29cf63feab24938cc95ae323e9f2ce
Instruction Fuzzy Hash: FC414F35A21629AFDB05EFA4DC88E9DBBB5FF0D310B044018F905A72A0DB71AD25CF90

Function 00290110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00271E44: GetDlgItem.USER32(00000000,00003021), ref: 00271E88
Part of subcall function 00271E44: SetWindowTextW.USER32(00000000,002AC6C8), ref: 00271E9E

EndDialog.USER32(?,00000001), ref: 0029017B
SetDlgItemTextW.USER32(?,00000067,?), ref: 002901B9

Strings

GETPASSWORD1, xrefs: 00290148

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: fe655c0e678b7c8270d9c6b9fc92df68faf00ade9c5025210a39927561cf51e8
Instruction ID: 7d7a8be80a02ba412ca0f9de26f3cda32c4db7094f7199ba15dba7809704b2cf
Opcode Fuzzy Hash: fe655c0e678b7c8270d9c6b9fc92df68faf00ade9c5025210a39927561cf51e8
Instruction Fuzzy Hash: E21108B26643197FDA209F289C89FFB77ACEB85700F000429F74DA3180C770A8518B76

Function 00285109 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00285094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002850B3
Part of subcall function 00285094: GetProcAddress.KERNEL32(002C51F8,CryptUnprotectMemory), ref: 002850C3

GetCurrentProcessId.KERNEL32(?,00000200,?,00285104), ref: 00285197

Strings

CryptProtectMemory failed, xrefs: 0028514E
CryptUnprotectMemory failed, xrefs: 0028518F

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: cade798766e128f647dcfabf83e75b7bfbfda83c437b2537b91e3359f62deb49
Instruction ID: cb778de9da51d875ccbdd5a8c9536f29d8b55b27e1329be077cbec0e15b7256e
Opcode Fuzzy Hash: cade798766e128f647dcfabf83e75b7bfbfda83c437b2537b91e3359f62deb49
Instruction Fuzzy Hash: D5110335A22E35ABDB11BF24EC08B6E3B69AF41760B108115FC095B2C1DB70AD618BD5

Function 0028FEA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,?), ref: 0028FEB6
GetLastError.KERNEL32 ref: 0028FEE1

Strings

$L), xrefs: 0028FF16

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: CurrentErrorLastProcess
String ID: $L)
API String ID: 335030130-3732647755
Opcode ID: 694ad49962ea7077518beb83564596132c44e08b988726e20a322b0c870068b9
Instruction ID: 7cee594843a5bbcb202ddf389c3fb7b5f3cd20d0b8d52f1fd7e80e6468f5bbed
Opcode Fuzzy Hash: 694ad49962ea7077518beb83564596132c44e08b988726e20a322b0c870068b9
Instruction Fuzzy Hash: 69012976555209BFDF11AFA0AD89EEE7B6DEB1A350F100065F601D20A0EB718E50AB64

Function 002875ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,0028770A,?,?,0028777F,?,?,?,?,?,00287769), ref: 002875F3
GetLastError.KERNEL32(?,?,0028777F,?,?,?,?,?,00287769), ref: 002875FF

Part of subcall function 002792EB: __EH_prolog3_GS.LIBCMT ref: 002792F2

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00287608

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: ErrorH_prolog3_LastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 2419225763-2248577382
Opcode ID: cf797f9a8f8e8646af755367ab4af089ff6813c431f7a23c376b79a71120858a
Instruction ID: e0575d1e5511218f25d4dba57623fcb1dad1fe341455977f2d17b403430cc7f8
Opcode Fuzzy Hash: cf797f9a8f8e8646af755367ab4af089ff6813c431f7a23c376b79a71120858a
Instruction Fuzzy Hash: 73D05E3152D931B7D91037686C0ECEE390D9B23730F714754FA39652E6DE2008A146AD

Function 00283E60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,1ECC2FF4), ref: 00283E65
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00283E73

Strings

RTL, xrefs: 00283E6D

Memory Dump Source

Source File: 00000000.00000002.2122614246.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.2122516653.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122785956.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002B9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122820760.00000000002C2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2123143394.00000000002C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 8f301c717f845a26e019ee801062374c616f8bb3a69ad018d8f9c289e236306c
Instruction ID: 13861e3d394c5fb476f3d03290887a2f21c0f4aff4606b29863db7b5109d879f
Opcode Fuzzy Hash: 8f301c717f845a26e019ee801062374c616f8bb3a69ad018d8f9c289e236306c
Instruction Fuzzy Hash: 41C0803175071097E73417717C0DB432D585F17B15F15045CB505990C0DDE5D4508BD0

Analysis Process: k1.exePID: 6480, Parent PID: 6400COMMON

Non-executed Functions

Function 01107FF0 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 01108035
GetCurrentProcessId.KERNEL32 ref: 01108040
GetCurrentThreadId.KERNEL32 ref: 01108049
GetTickCount.KERNEL32 ref: 01108051
QueryPerformanceCounter.KERNEL32 ref: 0110805E

Memory Dump Source

Source File: 00000002.00000002.3366787145.0000000000EF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00EF0000, based on PE: true

Associated: 00000002.00000002.3366766124.0000000000EF0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3366925699.000000000110A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3366925699.0000000001128000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3366959151.0000000001129000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3367078194.0000000001330000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3367092895.0000000001331000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3367106112.0000000001332000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3367119507.0000000001335000.00000002.00000001.01000000.00000009.sdmpDownload File

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: cd4e50871ce1b84376be2397e3deaae051754c4662a572f4309cc6364f0aff0f
Instruction ID: d74c83dde371005fb319d4db5d1207fd0f1b980db3a04ec6d3102040bb3e6859
Opcode Fuzzy Hash: cd4e50871ce1b84376be2397e3deaae051754c4662a572f4309cc6364f0aff0f
Instruction Fuzzy Hash: 6A118C36B16B1486FB158B25F804396A2A0B7497B4F0806709E9C427A4DB3CC686C344

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\k1.exe

C:\Users\user\Desktop\poolworker.config.ini

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: x11.exePID: 6400, Parent PID: 4004

General

Chronological Activities

Analysis Process: k1.exePID: 6480, Parent PID: 6400

General

Chronological Activities

Windows Analysis Report
x11.exe