
Analysis Report dgiusjeja64_mediasrv.png

Overview

General Information

Sample Name:dgiusjeja64_mediasrv.png (renamed file extension from png to dll)
Analysis ID:370722
MD5:c13860727871a39063e0bb58117919ba
SHA1:4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256:8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • loaddll64.exe (PID: 2792 cmdline: loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll' MD5: 8E81A09C7B4484341759E793AC330CB2)
    • rundll32.exe (PID: 5504 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 784 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6108 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 5816 cmdline: C:\Windows\system32\WerFault.exe -u -p 6108 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • cmd.exe (PID: 3176 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5448 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1744 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6072 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3396 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 4912 cmdline: C:\Windows\system32\WerFault.exe -u -p 3396 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 5812 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6076 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: dgiusjeja64_mediasrv.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: dgiusjeja64_mediasrv.dll | Virustotal: Detection: 48%
Source: dgiusjeja64_mediasrv.dll | Metadefender: Detection: 45%
Source: dgiusjeja64_mediasrv.dll | ReversingLabs: Detection: 78%
Source: dgiusjeja64_mediasrv.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D05B4 FindFirstFileExA
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D03A8
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D53F8
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C1654
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Source: dgiusjeja64_mediasrv.dll | Binary or memory string: OriginalFilename Adobe type6 vs dgiusjeja64_mediasrv.dll
Source: classification engine | Classification label: mal56.winDLL@23/8@0/1
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C5CD8 GetModuleHandleW,FindResourceW,LoadResource
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3396
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6108
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4093.tmp
Source: dgiusjeja64_mediasrv.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Source: dgiusjeja64_mediasrv.dll | Virustotal: Detection: 48%
Source: dgiusjeja64_mediasrv.dll | Metadefender: Detection: 45%
Source: dgiusjeja64_mediasrv.dll | ReversingLabs: Detection: 78%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll'
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3396 -s 316
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: dgiusjeja64_mediasrv.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dgiusjeja64_mediasrv.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C5D8C GetModuleFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,wsprintfA,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory
Source: dgiusjeja64_mediasrv.dll | Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle
Source: C:\Windows\System32\loaddll64.exe TID: 3112 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 3112 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D05B4 FindFirstFileExA
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort (4 identical entries)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C9810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C5D8C GetModuleFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,wsprintfA,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D1624 GetProcessHeap
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C9810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522CE0B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C90E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D4FD0 cpuid
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C93E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion2 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rundll321 | LSASS Memory | Security Software Discovery4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Behavior Graph (image not reproduced). Behavior Graph ID: 370722; Sample: dgiusjeja64_mediasrv.png; Startdate: 18/03/2021; Architecture: WINDOWS; Score: 56. Signatures shown on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file. Process graph: loaddll64.exe started rundll32.exe, rundll32.exe, cmd.exe and 6 other processes; each of the two rundll32.exe instances started WerFault.exe; cmd.exe started rundll32.exe; WerFault.exe contacted 192.168.2.1 (unknown unknown).

Source | Detection | Scanner | Label
dgiusjeja64_mediasrv.dll | 49% | Virustotal |
dgiusjeja64_mediasrv.dll | 46% | Metadefender |
dgiusjeja64_mediasrv.dll | 79% | ReversingLabs | Win64.Trojan.Phonzy
dgiusjeja64_mediasrv.dll | 100% | Avira | HEUR/AGEN.1137903
No Antivirus matches
Source | Detection | Scanner | Label
5.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
1.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
12.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
11.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
17.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
14.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
6.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
13.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
15.2.rundll32.exe.7ffb522c0000.1.unpack | 100% | Avira | HEUR/AGEN.1137903
No Antivirus matches
No Antivirus matches


No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.168.2.1 | | | | | |

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:370722
Start date:18.03.2021
Start time:03:27:25
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:dgiusjeja64_mediasrv.png (renamed file extension from png to dll)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winDLL@23/8@0/1
EGA Information:Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 88.2%)
  • Quality average: 66.7%
  • Quality standard deviation: 34.2%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 10
  • Number of non-executed functions: 25
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 104.42.151.234, 92.122.145.220, 104.43.193.48, 40.88.32.150, 13.88.21.125
  • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolcus15.cloudapp.net
Time | Type | Description
03:28:23 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
03:28:23 | API Interceptor | 2x Sleep call for process: loaddll64.exe modified
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dgi_17f6294235e29bf0f70dfe4296ff405bc6b1d1_92a90526_136c5a94\Report.wer
Process:C:\Windows\System32\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):9708
Entropy (8bit):3.7668416012088124
Encrypted:false
SSDEEP:96:VO+avizJPnyff54ju55NbhfNpXIQcQvc6zcE5cw39XaXz+HbHgSQgJPb7IDV9wOm:VxiizJKff5JHB3Txjmt/u7sVS274lth/
MD5:BEA5176645F9A3E9372F4913A120B8C0
SHA1:50C2215277C7EEB95D146CB1EA56B583A5026F9A
SHA-256:D240E9B6804CAC625884F089A4E4C30A209A86B6B0EA505BA35BB4F056923D97
SHA-512:13020B4F916636C3972484298AD8A4F961328FC7A18234C513155497FAA621415340001DF806D53196C3729F0D5807CA763A992780721B271D9A5F2406AF5CDA
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dgi_17f6294235e29bf0f70dfe4296ff405bc6b1d1_92a90526_16e4498c\Report.wer
Process:C:\Windows\System32\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):9710
Entropy (8bit):3.7652159520242368
Encrypted:false
SSDEEP:96:KasAvieJPnyVf54ju55NbhfNpXIQcQvc6zcE5cw39XaXz+HbHgSQgJPb7IDV9wOM:BRieJKVf5JHB3Txjmt/u7sVS274lthx
MD5:46F7CA54E15B408DFCF128CC72754BF7
SHA1:35EF54139ADA05B7005C9EB5101DDED05AF6F46C
SHA-256:12F47BD95167A0F3F30EFF6D715CFE575459AC083E5FEB85D886E21633298C0F
SHA-512:42BD9B057642EBE44845C927BD810B65A8BECB06FEEEDA5C53F5282026B5EB91756135153D4AAE410B7E7CAF3164254C9E03D4329800E60EFCB5DC612E0CFC31
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4093.tmp.dmp
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Mar 18 10:28:21 2021, 0x1205a4 type
Category:dropped
Size (bytes):56106
Entropy (8bit):1.6961583181587625
Encrypted:false
SSDEEP:192:6C9hjUiM0ezPjNVHIp23Vtyr893twv4t3kpDu:j9hrYNw23ar88At3eu
MD5:BC7B008F91118403B076CD53AA707992
SHA1:EC64A642D1FF9BE50738F632EEB8B8ECEE6B022C
SHA-256:0FC01A9ED8EEF850A80C74881EEA01D2798DAEC5F2D45F2C1F97C31BEB3CB73D
SHA-512:8DC0685F41CD7D97DC13B9F730CAD60302A4B886AE8E83375B8F24E30B12048A468A0B369B4E240BC8CAFD47A42D3233E0CFE0F9978CDFE5C72903D3552D3AE4
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER41EC.tmp.WERInternalMetadata.xml
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8542
Entropy (8bit):3.696626753721187
Encrypted:false
SSDEEP:192:Rrl7r3GLNi6vi1JtJ6Y394Qgmf2xSxQCprRN89bZlwTfrTm:RrlsNiKi1l6Ytvgmf2xSfqZlkfO
MD5:34A9E1504F78B5F53B043468AC0AB815
SHA1:CE841A8D9235A334812FCC7A0FA46C4BF06CC78B
SHA-256:87414FE6999C3EB42AFCFE6763B582A064BFB4E112AC65784C95443A8A10C121
SHA-512:A0C1B3FCB10206BBB98A16008109CA92990BFD9575E0CB370EBECBB3957CC921A7A5C1877D2D84DCB2AD1A30D953E3FF1A694E8D58417968C9656355E1FC24F4
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.0.8.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42B8.tmp.xml
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4782
Entropy (8bit):4.486597621503638
Encrypted:false
SSDEEP:48:cvIwSD8zsSpJgtBI9ZtWSC8Bj8fm8M4JChC4WFjPyq85mgPZESC5SCd:uITfsrcSN2J1kVvCd
MD5:4F7D926A017D7C6FF0BA2E74D839538D
SHA1:7A362315E6F040ED8776A0C2EFFE552D9465A082
SHA-256:63CA678BDB859DCB9EECAED5991A8BE2A04FDCA1E3A9B4420909F9DA50E2CDD0
SHA-512:4BBBE8E889BA0AE5DF5228378D22A78342E1DAAC602739D5BF6ECBA478B517B9B8695FD72C440AAE2BEF034A7568F510BBA749BE9687B750DF2C913A00B67F6B
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="906939" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WER51BA.tmp.dmp
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Mar 18 10:28:26 2021, 0x1205a4 type
Category:dropped
Size (bytes):55938
Entropy (8bit):1.701841087642868
Encrypted:false
SSDEEP:192:+5of8BxNiTMkrCuCI2GBeYXXkaNno82jn03ehtyr893twn+ImeYeM6:wxQTZmGBTNAWr88nXmeYK
MD5:F64ABAB4E69199CAA44A64CFE1335021
SHA1:DBE373A0FC67868CE7B86582477D421DA07852C1
SHA-256:661E2EDD0BA2493257D1E57538EFF30D9627E03414E8A5CDBF07D2C2C86548FD
SHA-512:BE8483CA5B6A5857DCBA7EB6FB01B17C5CB30A84B1879E4E7CB0C8D35E95EEAA53C6F8605D387E924B9C0A41BFC645158D2668231A5AE250B10E3BCACEF59772
Malicious:false
Preview: MDMP....... .......J+S`...................U...........B..............Lw......................T.......D...H+S`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...a.m.d.6.4.,.1.0...0...1.7.1.3.4...1.......................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER52F3.tmp.WERInternalMetadata.xml
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8724
Entropy (8bit):3.7016813000049003
Encrypted:false
SSDEEP:192:Rrl7r3GLNiald1C6Ysg7gmf2xSxQCprRb89bmAfUf3Cm:RrlsNigd1C6Yr7gmf2xSfcmA8fj
MD5:83D3DF7EFDFA47C630F554E314EA144D
SHA1:FF40BD1FBB7EBE9E9EE365FEB6A989AB8D8FBF56
SHA-256:D1D5217AA21CA039DBD3AB32D1EE292E961A3AE7242D214C860D56C8FDD98B15
SHA-512:4FD0F7C6793AA779EFBF2FD58886A140B4A28C31E8472E5D34740F62367BC74BBDF8966ECDBFB46539B638FC902FA50ABD2FDEE082B98D197AA306C3831D8809
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.9.6.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5381.tmp.xml
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4782
Entropy (8bit):4.488227637363814
Encrypted:false
SSDEEP:48:cvIwSD8zsSpJgtBI9ZtWSC8Bbla8fm8M4JChC4WFd0xyq85mgeZESC5S+d:uITfsrcSNrvJjmBVv+d
MD5:2477F4048BA56DD2AD65297DA475FCB4
SHA1:5F488E06BF427FCEDB27DA556CC4FCBA14A3EB5B
SHA-256:B9D60CA5DA69A7C6E414A744746A6132F3C419F243806A00E227721D0B7A64C4
SHA-512:3EC60CC0602157DBD879E08F56FC32C9433FF11D3EB6AF32754E135D59D84496B3A4C33BD2B607AEBB712EEC861C225C45BE004E93AF2D4DE46E6625D4C7592C
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="906939" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):5.964984823050676
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:dgiusjeja64_mediasrv.dll
File size:140288
MD5:c13860727871a39063e0bb58117919ba
SHA1:4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256:8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719
SHA512:348c5ecd6f06a114c11b100a95b89687a3064afe1fd5c3874772938a463c29d23938a1bca967734c19fd06bcf97f5d75c78431305912e06f1d73ceb83db48ec6
SSDEEP:3072:Zyne4kjMlBYj6lLeD9LuLQKwj4UQbcb8cRm2:ZylXfYjeSxLu4R
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^a......^a......^a..............................7.%.............].......].......].........y.....].......Rich...

File Icon

Icon Hash:74f0e4ecccdce0e4

General

Entrypoint:0x18000909c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x60097C8C [Thu Jan 21 13:07:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:d2e26c895718ba9e7941296173fe17d4
Instruction
The report's entrypoint listing decodes this x86-64 code in 32-bit mode, so every REX prefix is shown as a bogus one-byte instruction glued to the line after it: 0x48 as dec eax, 0x49 as dec ecx, 0x4C as dec esp and 0x40 as inc eax. The same bytes are shown below as x64 with each prefix folded back into its instruction (the pair dec eax / mov dword ptr [esp+08h], ebx is mov qword ptr [rsp+08h], rbx). Branch and call targets are left as printed; [disp32] memory operands are RIP-relative on x64. The three fragments are the stock Visual C++ runtime pieces that sit at the start of .text in any /GS-compiled DLL; the API names in the comments are inferred from those well-known patterns and from the DLL's import list, not resolved from the listing itself.
; entrypoint: _DllMainCRTStartup pattern (rcx = hinstDLL, edx = fdwReason, r8 = lpReserved)
mov qword ptr [rsp+08h], rbx
mov qword ptr [rsp+10h], rsi
push rdi
sub rsp, 20h
mov rdi, r8
mov ebx, edx
mov rsi, rcx
cmp edx, 01h                     ; fdwReason == DLL_PROCESS_ATTACH?
jne 00007FB0C4B5A807h
call 00007FB0C4B5AB28h           ; CRT initialisation, only on process attach
mov r8, rdi
mov edx, ebx
mov rcx, rsi
mov rbx, qword ptr [rsp+30h]
mov rsi, qword ptr [rsp+38h]
add rsp, 20h
pop rdi
jmp 00007FB0C4B5A694h            ; tail call into the CRT's dllmain dispatch routine
int3
int3
int3
jmp 00007FB0C4B5FC24h
int3
int3
int3
; __raise_securityfailure pattern: report the exception, then kill the process with STATUS_STACK_BUFFER_OVERRUN
push rbx
sub rsp, 20h
mov rbx, rcx
xor ecx, ecx
call qword ptr [rip+0000D003h]   ; SetUnhandledExceptionFilter(NULL)
mov rcx, rbx
call qword ptr [rip+0000CFF2h]   ; UnhandledExceptionFilter(ExceptionPointers)
call qword ptr [rip+0000CF24h]   ; GetCurrentProcess()
mov rcx, rax
mov edx, C0000409h               ; STATUS_STACK_BUFFER_OVERRUN
add rsp, 20h
pop rbx
jmp qword ptr [rip+0000CFE8h]    ; TerminateProcess(hProcess, C0000409h)
; __report_gsfailure pattern: /GS stack-cookie check failed
mov qword ptr [rsp+08h], rcx
sub rsp, 38h
mov ecx, 00000017h               ; PF_FASTFAIL_AVAILABLE
call 00007FB0C4B66ED7h           ; IsProcessorFeaturePresent
test eax, eax
je 00007FB0C4B5A809h
mov ecx, 00000002h               ; FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29h                          ; __fastfail
lea rcx, qword ptr [rip+000179D3h]
call 00007FB0C4B5A9CFh           ; RtlCaptureContext into the saved CONTEXT record
mov rax, qword ptr [rsp+38h]
mov qword ptr [rip+00017ABAh], rax
lea rax, qword ptr [rsp+38h]
add rax, 08h
mov qword ptr [rip+00017A4Ah], rax
mov rax, qword ptr [rip+00017AA3h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f310 | 0x7c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f38c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x22000 | 0x1698 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x26000 | 0x668 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1d900 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d940 | 0x130 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14f80 | 0x15000 | False | 0.496082124256 | data | 6.23821166824 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x16000 | 0x9c9a | 0x9e00 | False | 0.417128164557 | data | 4.69449342541 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x20000 | 0x1be8 | 0xa00 | False | 0.17578125 | data | 2.43767822647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x22000 | 0x1698 | 0x1800 | False | 0.440104166667 | data | 4.7780949803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x24000 | 0x94 | 0x200 | False | 0.203125 | data | 1.11945956359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x25000 | 0x4e0 | 0x600 | False | 0.37890625 | data | 3.64413638585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x26000 | 0x668 | 0x800 | False | 0.50341796875 | data | 4.92296393674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Reading the table: _RDATA is the only name outside the standard set and is what the "sections with non-standard names" signature fires on; it is a 0x94-byte read-only section commonly seen in binaries built with recent Visual C++ toolchains, not a packer marker. The .data virtual size (0x1be8) exceeding its raw size (0xa00) is the usual zero-filled uninitialised tail. No section is executable and writable, .text has an entropy of 6.24 and every section has a ZLIB complexity well below 1, so nothing here points to packed or encrypted code; the file-level entropy of 5.96 above says the same.
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x250a0 | 0x2c0 | data | English | United States
RT_MANIFEST | 0x25360 | 0x17d | XML 1.0 document text | English | United States
DLL | Import
KERNEL32.dll | CreateFileW, GetFileSize, ReadFile, SetLastError, CloseHandle, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, OpenThread, SuspendThread, ResumeThread, ReadProcessMemory, WriteProcessMemory, GetModuleFileNameW, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, LoadResource, LoadLibraryA, LoadLibraryW, FindResourceW, MultiByteToWideChar, CreateToolhelp32Snapshot, Thread32First, Thread32Next, WriteConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlPcToFileHeader, RaiseException, RtlUnwindEx, InterlockedFlushSList, GetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, WideCharToMultiByte, ExitProcess, GetModuleFileNameA, GetStringTypeW, GetACP, HeapAlloc, HeapFree, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetStdHandle, GetFileType, HeapSize, HeapReAlloc, SetStdHandle, WriteFile, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx
USER32.dll | wsprintfA
Most of the KERNEL32 list is the Visual C++ runtime's startup and locale set (GetStartupInfoW, InitializeSListHead, IsProcessorFeaturePresent, the Tls*, Heap*, code-page and console functions); IsDebuggerPresent and GetProcessHeap, which two of the signatures key on, arrive with that CRT code as well. The part worth attention is the pairing of thread enumeration and control (CreateToolhelp32Snapshot, Thread32First, Thread32Next, OpenThread, SuspendThread, ResumeThread) with cross-process memory access (ReadProcessMemory, WriteProcessMemory), plus two ways of pulling in further data: from disk (CreateFileW, GetFileSize, ReadFile) and from the module's own resources (FindResourceW, LoadResource). GetProcAddress next to LoadLibraryA, LoadLibraryW and LoadLibraryExW is what the "dynamically determine API calls" signature reflects, so the static import list is a lower bound on what the code can reach.
Name | Ordinal | Address
ServiceMain | 1 | 0x180007e00
SvchostPushServiceGlobals | 2 | 0x1800080c8
decra | 3 | 0x180008828
ServiceMain and SvchostPushServiceGlobals are exactly the entry points svchost.exe resolves from a service DLL it hosts (SvchostPushServiceGlobals is called once when the DLL is loaded into the host, ServiceMain when the service is started), so this binary is laid out as a svchost-hosted service DLL, which fits the mediasrv file name and the Adobe-branded but unsigned version information. The sandbox called each export directly through rundll32.exe, where neither receives the service arguments or the globals structure svchost would pass, so behaviour observed in this report need not match what the DLL does once it is registered as a service. decra (ordinal 3) is not a standard service export; this page does not document what it does.
Description | Data
LegalCopyright | Copyright (C) Adobe 2020
InternalName | Adobe type
FileVersion | 2.3.6.7
CompanyName | Adobe type
ProductName | Adobe type
ProductVersion | 2.3.6.7
FileDescription | Adobe type
OriginalFilename | Adobe type
Translation | 0x0809 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |
The version resource is what the "sample file is different than original file name gathered from version info" signature compares: OriginalFilename reads "Adobe type", not dgiusjeja64_mediasrv.dll, and the same placeholder string fills InternalName, CompanyName, ProductName and FileDescription. The Adobe attribution is unverified, since the file carries no Authenticode signature (IMAGE_DIRECTORY_ENTRY_SECURITY is empty and "Digitally signed" is false above). The Translation value 0x0809 0x04b0 is language ID 0x0809 (English, United Kingdom) with code page 0x04b0 (1200, Unicode), which does not match the English/United States language of the RT_VERSION resource itself.
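The export and section findings above can be reproduced outside the sandbox. What follows is an added example, not code from the Joe Sandbox report or from the sample: a dependency-free PE32/PE32+ header walker that lists named exports with their ordinals and image-base-adjusted addresses, flags DLLs that export both svchost service entry points, reports section names outside the usual link.exe set, and checks whether an Authenticode directory is present. So that it runs offline it builds its own constructed PE32+ image in build_sample_pe(): the export names, their RVAs, the 0x180000000 image base and the _RDATA section are taken from the tables above, while the DLL name "sample.dll" and every other byte of that image are made up. All function and constant names are the example's own. Run it with a file path to triage real bytes.

```python
import struct
import sys

# Section names link.exe normally emits; anything else is reported (the report flagged _RDATA).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".xdata", ".CRT", ".gfids", ".00cfg", ".didat"}
SVCHOST_EXPORTS = {"ServiceMain", "SvchostPushServiceGlobals"}   # what svchost.exe looks up
IMAGE_FILE_DLL = 0x2000

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """Header walk only: COFF characteristics, image base, data directories, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    is64 = magic == 0x20B
    # PE32+ keeps ImageBase as a QWORD at +24; PE32 has BaseOfData first, so a DWORD at +28.
    image_base = (struct.unpack_from("<Q", data, opt + 24) if is64
                  else struct.unpack_from("<I", data, opt + 28))[0]
    dd_off = opt + (112 if is64 else 96)                   # first IMAGE_DATA_DIRECTORY
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr,
                         "chars": struct.unpack_from("<I", data, hdr + 36)[0]})
    return {"machine": machine, "file_chars": fchars, "is64": is64,
            "image_base": image_base, "dirs": dirs, "sections": sections}

def rva_to_offset(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA %#x is not backed by any section" % rva)

def parse_exports(data, pe):
    """Named exports as (name, ordinal, virtual address). Forwarders are not resolved."""
    rva, _size = pe["dirs"][0]                              # IMAGE_DIRECTORY_ENTRY_EXPORT
    if rva == 0:
        return []
    fields = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(pe, rva))
    base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = fields[5:]
    funcs = struct.unpack_from("<%dI" % nfuncs, data, rva_to_offset(pe, funcs_rva))
    names = struct.unpack_from("<%dI" % nnames, data, rva_to_offset(pe, names_rva))
    ords = struct.unpack_from("<%dH" % nnames, data, rva_to_offset(pe, ords_rva))
    return [(_cstr(data, rva_to_offset(pe, n)), base + o, pe["image_base"] + funcs[o])
            for n, o in zip(names, ords)]

def triage(data):
    pe = parse_pe(data)
    exports = parse_exports(data, pe)
    names = {n for n, _, _ in exports}
    return {"is_dll": bool(pe["file_chars"] & IMAGE_FILE_DLL),
            "signed": len(pe["dirs"]) > 4 and pe["dirs"][4][1] != 0,  # SECURITY directory present?
            "exports": exports,
            "svchost_service_dll": SVCHOST_EXPORTS <= names,
            "nonstandard_sections": [s["name"] for s in pe["sections"]
                                     if s["name"] not in STANDARD_SECTIONS]}

def build_sample_pe():
    """Constructed PE32+ image so the example runs offline. Export names, RVAs, image base and
    the _RDATA section mirror the report's tables; 'sample.dll' and the rest are made up."""
    names, rvas, exp = [b"ServiceMain", b"SvchostPushServiceGlobals", b"decra"], [0x7E00, 0x80C8, 0x8828], 0x1000
    strings, name_rvas = b"sample.dll\0", []
    for n in names:                       # strings follow the 40-byte directory and three arrays (12+12+6)
        name_rvas.append(exp + 70 + len(strings))
        strings += n + b"\0"
    export = struct.pack("<IIHHIIIIIII", 0, 0x60097C8C, 0, 0, exp + 70, 1, 3, 3, exp + 40, exp + 52, exp + 64)
    export += struct.pack("<3I", *rvas) + struct.pack("<3I", *name_rvas) + struct.pack("<3H", 0, 1, 2) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0x60097C8C, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, 0x400, 0, 0, 0x1000,
                      0x180000000, 0x1000, 0x200, 6, 0, 6, 0, 6, 0, 0, 0x3000, 0x200, 0,
                      2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<32I", exp, len(export), *([0] * 30))
    secs = struct.pack("<8sIIIIIIHHI", b".rdata", len(export), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    secs += struct.pack("<8sIIIIIIHHI", b"_RDATA", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + dirs + secs).ljust(0x200, b"\0") + export.ljust(0x200, b"\0") + b"\0" * 0x200

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print("%-22s %s" % (key, value))
```

The walker trusts the section table when translating RVAs to file offsets, which is all a loader does too; it does not validate overlapping sections, and export forwarders (entries whose RVA lands inside the export directory) are returned as if they were code addresses, so a production triage script would want those checks added before the tool sees hostile files.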

Network Behavior


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2021 03:28:06.743639946 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:06.792882919 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:07.858115911 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:07.907428980 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:08.198206902 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:08.260333061 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:09.008719921 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:09.070564032 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:10.029464006 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:10.081621885 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:11.711374044 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:11.761574984 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:12.671669960 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:12.720829010 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:13.601628065 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:13.650913954 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:14.552200079 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:14.612628937 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:15.439805984 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:15.488965988 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:16.674350023 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:16.733551979 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:17.465131998 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:17.514431000 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:18.638439894 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:18.688126087 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:19.762321949 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:19.814367056 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:20.900608063 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:20.961081982 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:22.073633909 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:22.131145000 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:23.350117922 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:23.412517071 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:27.705600977 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:27.757694960 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Mar 18, 2021 03:28:35.908370018 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Mar 18, 2021 03:28:35.959269047 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Every packet in the capture is one half of a query/response pair on UDP port 53 between the analysis host (192.168.2.3) and the Google resolver 8.8.8.8, roughly one exchange per second from 03:28:06, which is before the first rundll32.exe instance in the process list below starts. The report shows neither the queried names nor any follow-on TCP connection, so this section on its own does not attribute any network activity to the sample; the PCAP would have to be inspected for the names before treating the lookups as a C2 indicator.


System Behavior

Start time:03:28:13
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:16
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:20
Start date:18/03/2021
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Note:the -p value is the PID of the crashed process; 6108 is the same Pid recorded in the dropped WER41EC.tmp.WERInternalMetadata.xml above, and the matching WER report names rundll32.exe_dgiusjeja64_mediasrv.dll as the crashing application.
Imagebase:0x7ff69c760000
File size:494488 bytes
MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Start time:03:28:23
Start date:18/03/2021
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Note:#1 calls the export by ordinal, which per the export table above is ServiceMain.
Imagebase:0x7ff77d8b0000
File size:273920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:23
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:23
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:23
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:24
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Start time:03:28:24
Start date:18/03/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Imagebase:0x7ff782fd0000
File size:69632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:03:28:25
Start date:18/03/2021
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 3396 -s 316
Note:-p 3396 matches the Pid in the dropped WER52F3.tmp.WERInternalMetadata.xml above; this is the second rundll32 crash the "one or more processes crash" signature refers to.
Imagebase:0x7ff69c760000
File size:494488 bytes
MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
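The command lines in the process list above are the kind of telemetry a detection engineer keys on: rundll32.exe invoking a module from a user profile directory by the svchost service entry-point names, or by ordinal (,#1) through a cmd.exe /C wrapper. The following is an added example, not part of the report or of any vendor's rule set: a small Python triage routine that parses rundll32 command lines (quoted or unquoted module path, wrapped or not) and flags the svchost entry points, ordinal calls, modules outside the Windows directory and modules whose extension is not .dll. The SAMPLE_EVENTS list is constructed: events 1001 to 1004 reuse command lines from the process list, 1005 is a benign control and 1006 shows the module under a .png name as the sample was originally submitted; the PIDs and image fields are made up, and all names are the example's own.

```python
import re

# rundll32 syntax is rundll32[.exe] <module>,<entry> [args]; the module may be quoted and the entry
# may be a name or an ordinal such as #1. search() rather than match() so that "cmd.exe /C rundll32 ..."
# wrappers like the one in the process list are caught as well.
RUNDLL32_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+(?P<dll>"[^"]*"|'[^']*'|[^\s,]+)\s*,\s*(?P<entry>#\d+|[A-Za-z_]\w*)""",
    re.IGNORECASE)
SVCHOST_ENTRY_POINTS = {"servicemain", "svchostpushserviceglobals"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

def parse_rundll32(cmdline):
    """(module_path, entry) or None when the command line does not run rundll32 with a module."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip("\"'"), m.group("entry")

def triage_rundll32(cmdline):
    """Human-readable findings for one command line; an empty list means clean by these rules."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, entry = parsed
    low = dll.lower()
    findings = []
    if entry.lower() in SVCHOST_ENTRY_POINTS:
        findings.append("svchost service entry point %s invoked through rundll32" % entry)
    if entry.startswith("#"):
        findings.append("entry point called by ordinal %s" % entry)
    if any(p in low for p in USER_WRITABLE):
        findings.append("module loaded from user-writable path %s" % dll)
    elif not low.startswith("c:\\windows\\"):
        findings.append("module loaded from outside the Windows directory: %s" % dll)
    if not low.endswith(".dll"):
        findings.append("module does not carry a .dll extension: %s" % dll)
    return findings

def scan(events):
    """events: iterable of {"pid", "image", "cmd"} dicts as process-creation telemetry would give."""
    hits = []
    for e in events:
        findings = triage_rundll32(e["cmd"])
        if findings:
            hits.append((e["pid"], e["cmd"], findings))
    return hits

DLL = r"C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll"
# Constructed events: 1001-1004 carry command lines from the report's process list, 1005 is a benign
# control, 1006 shows the module under its original .png name. PIDs and the image field are made up.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\rundll32.exe", "cmd": "rundll32.exe %s,ServiceMain" % DLL},
    {"pid": 1002, "image": r"C:\Windows\System32\rundll32.exe", "cmd": "rundll32.exe %s,SvchostPushServiceGlobals" % DLL},
    {"pid": 1003, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /C rundll32.exe '%s',#1" % DLL},
    {"pid": 1004, "image": r"C:\Windows\System32\rundll32.exe", "cmd": "rundll32.exe '%s',ServiceMain" % DLL},
    {"pid": 1005, "image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 1006, "image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe C:\Users\user\Downloads\dgiusjeja64_mediasrv.png,decra"},
]

if __name__ == "__main__":
    for pid, cmd, findings in scan(SAMPLE_EVENTS):
        print("PID %d: %s" % (pid, cmd))
        for f in findings:
            print("    -", f)
```

The path rules are deliberately coarse: a service DLL staged under C:\Windows by an already-elevated installer would pass the directory test, so in practice this logic is stacked with the static check (a module exporting ServiceMain and SvchostPushServiceGlobals that is not registered under a svchost service group) rather than used alone.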

Disassembly

Code Analysis

Executed Functions

APIs
    • Part of subcall function 00007FFB522C5C00: GetModuleHandleExW.KERNEL32 ref: 00007FFB522C5C2D
  • GetModuleFileNameW.KERNEL32 ref: 00007FFB522C5DD9
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: Module$FileHandleName
  • String ID: H$P
  • API String ID: 4146042529-457946424
  • Opcode ID: c11e67cda226e33ab0c2ec329f425071d661d6026e06821d1286f2060fb93744
  • Instruction ID: 9bbcabfdc8588b5896d3b8c67792a1a891f999953a01ebb66c87cc13492c8e4b
  • Opcode Fuzzy Hash: c11e67cda226e33ab0c2ec329f425071d661d6026e06821d1286f2060fb93744
  • Instruction Fuzzy Hash: 85B25CAA50EAC690EA60EB21F8443BA73A0FBC8750F444135DA8D53B5DDFBED944CB01
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: Thread$CloseCurrent$ChangeFindHandleNextNotificationOpenProcessResumeSuspendThread32
  • String ID:
  • API String ID: 422360741-0
  • Opcode ID: 240822dd8ec6ae273013ab4e396858d76656afeb097bd536c47157ecfb7d0bf7
  • Instruction ID: 532c7e27afefecdac6d47bc3f811ca90acc5e1672ba22ff3a023942e83b997c2
  • Opcode Fuzzy Hash: 240822dd8ec6ae273013ab4e396858d76656afeb097bd536c47157ecfb7d0bf7
  • Instruction Fuzzy Hash: FC21457590EA4182E660EB30F84413A7760FB847A5F488334E69E42AECDF7DDC458B00
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
  • String ID:
  • API String ID: 2904100720-0
  • Opcode ID: 22c27d3ef037607b7beddb80dc241b06f5364ae693d075f9d9042dd8cd85c3bc
  • Instruction ID: 503b8f74eaa40de6f9c4dfd6845c3bb84f091b3a51255a5472fefcc1644bac28
  • Opcode Fuzzy Hash: 22c27d3ef037607b7beddb80dc241b06f5364ae693d075f9d9042dd8cd85c3bc
  • Instruction Fuzzy Hash: 2281C3E8E0E64366FA51BB35DC812B92291AF45780F4C8035EA0C6779EDEBFED458701
Uniqueness

Uniqueness Score: -1.00%

APIs
  • type_info::_name_internal_method.LIBCMTD ref: 00007FFB522C7E49
  • type_info::_name_internal_method.LIBCMTD ref: 00007FFB522C7EC1
  • type_info::_name_internal_method.LIBCMTD ref: 00007FFB522C7EF9
  • Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FFB522C7F3E
  • LoadLibraryA.KERNELBASE ref: 00007FFB522C7F4D
    • Part of subcall function 00007FFB522C3D78: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FFB522C3D93
    • Part of subcall function 00007FFB522C5D8C: GetModuleFileNameW.KERNEL32 ref: 00007FFB522C5DD9
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: type_info::_name_internal_method$Concurrency::details::EmptyQueue::StructuredWork$FileLibraryLoadModuleName
  • String ID: c:\wi
  • API String ID: 1944567989-3062891356
  • Opcode ID: 2a00b4fb9cc373f5368e67e0bd96a488ae51a62ddc5356e58b8ba60f411dcf55
  • Instruction ID: 668e22b90b934fb8b8496fb2a53bf2f815779e5474e28b3520b33207d8ba8e36
  • Opcode Fuzzy Hash: 2a00b4fb9cc373f5368e67e0bd96a488ae51a62ddc5356e58b8ba60f411dcf55
  • Instruction Fuzzy Hash: E341FBB651EA82A1DA60EB20FC913EEB3A0FBC4344F445035E68D52B6EDE6DD955CB00
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFB522CECC3), ref: 00007FFB522D1499
  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFB522CECC3), ref: 00007FFB522D14FB
  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFB522CECC3), ref: 00007FFB522D1535
  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFB522CECC3), ref: 00007FFB522D155F
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ByteCharEnvironmentMultiStringsWide$Free
  • String ID:
  • API String ID: 1557788787-0
  • Opcode ID: 656937178c964e2f99adc1a59c82dcaf2e6e3fed45ab7c693e96c41d50456bcc
  • Instruction ID: ad16dcb832814d1e967ac358b3ec0109ee1bbba3ce72598464877b4aabf3288f
  • Opcode Fuzzy Hash: 656937178c964e2f99adc1a59c82dcaf2e6e3fed45ab7c693e96c41d50456bcc
  • Instruction Fuzzy Hash: 06218275F1A79281F720AF26E840129A7A4BB54BD0B4C4134DE9E27F98DF7DE8568700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: File$CreateSize
  • String ID:
  • API String ID: 2791376181-0
  • Opcode ID: b63d4bd5333d130c34c8f955f1bd0a3c97b530c731097b421b7c0a48f50cb688
  • Instruction ID: b3e6432d3211ac266e0a3c11b0a51b36cb2e34859f9b1fd80dbd1f05dbf733cf
  • Opcode Fuzzy Hash: b63d4bd5333d130c34c8f955f1bd0a3c97b530c731097b421b7c0a48f50cb688
  • Instruction Fuzzy Hash: 9331217A509B8182E760DF25F85536EB760F7C5790F548125DADD83BA8CFBDD4048B00
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB522C8CC4
    • Part of subcall function 00007FFB522C93A0: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFB522C93A9
  • __GSHandlerCheckCommon.LIBCMT ref: 00007FFB522C8D03
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: CheckCommonConcurrency::cancel_current_taskHandlerstd::bad_alloc::bad_alloc
  • String ID:
  • API String ID: 1129182631-0
  • Opcode ID: 77c5488cb35aff37b004578d651180d6463828d0df22adc12fd1c7325ad4dd42
  • Instruction ID: a67f1f4a41024dce2c30b9cc1f571d8c55982c1234a5ab7eb29cc663a847a696
  • Opcode Fuzzy Hash: 77c5488cb35aff37b004578d651180d6463828d0df22adc12fd1c7325ad4dd42
  • Instruction Fuzzy Hash: A611EBA5A17A8595EB18BB32DC411B96250AF54FD0F0C9130EE1C1BFDACE7DD951C740
Uniqueness

Uniqueness Score: -1.00%

APIs
  • RtlAllocateHeap.NTDLL(?,?,00000000,00007FFB522CF9C9,?,?,?,00007FFB522CDCC0,?,?,?,00007FFB522CD9C2), ref: 00007FFB522D0371
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: AllocateHeap
  • String ID:
  • API String ID: 1279760036-0
  • Opcode ID: 01428dcc92b392ad442e05265c8ed89192c382fced377f7c8f552a721f6fb12f
  • Instruction ID: d1ded671c86f7b722f0c576ba52e3d52f6f286ef8b6e7c073afeac9e41ef519f
  • Opcode Fuzzy Hash: 01428dcc92b392ad442e05265c8ed89192c382fced377f7c8f552a721f6fb12f
  • Instruction Fuzzy Hash: 93F044E8B0F60283FF9476B5DC412B401805F89780F8C5530CD0D4E7AADD9EEE8A8211
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: AllocateHeap
  • String ID:
  • API String ID: 1279760036-0
  • Opcode ID: 9514d728e01eeb0380a4ff4dcd5516f50d135d0abdc68e3cfc0df6abe06152fb
  • Instruction ID: 0a93658e8a1d720d2c7d97f3d1feb784d6326bb187f7b703ae93a854d682a932
  • Opcode Fuzzy Hash: 9514d728e01eeb0380a4ff4dcd5516f50d135d0abdc68e3cfc0df6abe06152fb
  • Instruction Fuzzy Hash: 0FF05E98F0F64250FE64B672DD012B411805F447A0F1C4632DD2E553DAEEEEFD818510
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ByteCharMultiWide
  • String ID:
  • API String ID: 626452242-0
  • Opcode ID: 7a57a99deecc2ad34af25d610fd8bcbe7fdbf944830b49635d0c0f14f86b2a60
  • Instruction ID: d1d023445dce2c1bc98bf2c1bed7ddc999e0f0492601af3fa3eaa317c19c0eb5
  • Opcode Fuzzy Hash: 7a57a99deecc2ad34af25d610fd8bcbe7fdbf944830b49635d0c0f14f86b2a60
  • Instruction Fuzzy Hash: 85E06576629F8086D7509F25F84021EB761F788794F405125FACE17B9CCF7CC0108B00
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
  • String ID:
  • API String ID: 1239891234-0
  • Opcode ID: 754c8cb3f064e27f2e59e65a7daff3b833e772667b911e56e00fef6a3bfd68e4
  • Instruction ID: b629a7192a77ab6a79c86bbe420b6fedfe29215ab9ecf73575cb060a0fe1ca52
  • Opcode Fuzzy Hash: 754c8cb3f064e27f2e59e65a7daff3b833e772667b911e56e00fef6a3bfd68e4
  • Instruction Fuzzy Hash: C131A276619B8196E760DF34EC402AE33A0FB88754F584135EA8D53B98DF7DC95ACB00
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
  • String ID:
  • API String ID: 2933794660-0
  • Opcode ID: 71a88c1b13b5597c804504f4867a2804b3ad67cfc1fb11cca1afe07ca0c788b9
  • Instruction ID: 4ccbb2250e66637bceff2ca2281ef4a6571ff815481e89f2ebc7d6aac7f3b966
  • Opcode Fuzzy Hash: 71a88c1b13b5597c804504f4867a2804b3ad67cfc1fb11cca1afe07ca0c788b9
  • Instruction Fuzzy Hash: 31117076A06F018AEB10DF70EC452B433A4FB0C758F481A31EA9D42798DF7DD5998340
Uniqueness

Uniqueness Score: -1.00%

APIs
  • _invalid_parameter_noinfo.LIBCMT ref: 00007FFB522D03D8
    • Part of subcall function 00007FFB522CE310: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FFB522CE2BE), ref: 00007FFB522CE319
    • Part of subcall function 00007FFB522CE310: GetCurrentProcess.KERNEL32(?,?,?,?,00007FFB522CE2BE), ref: 00007FFB522CE33D
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
  • String ID: *?$.
  • API String ID: 4036615347-3972193922
  • Opcode ID: bf703d4ba0a5300b2396a80e2e360ab60e7a246f05470b970302ec60750788b2
  • Instruction ID: 8bf033f39b8407f3971bd391e99aec1fbd711900a8b704259eff435f8d79f1af
  • Opcode Fuzzy Hash: bf703d4ba0a5300b2396a80e2e360ab60e7a246f05470b970302ec60750788b2
  • Instruction Fuzzy Hash: 4B5125BAB06A9585FB10EF72DC004BD63A0FB44BD4B884531DE0D17B99DEBDE9068301
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: FindHandleModuleResource
  • String ID:
  • API String ID: 3537982541-0
  • Opcode ID: ef0cb43d0b0b914ceed9812b415a76eb91b90fab091b929c15f73094a7d8567e
  • Instruction ID: 5be65f012b2d3fc8e362e628117a3f04b9077da636f66ba924ed2ba9d4929257
  • Opcode Fuzzy Hash: ef0cb43d0b0b914ceed9812b415a76eb91b90fab091b929c15f73094a7d8567e
  • Instruction Fuzzy Hash: 8811727A61DB44D5D760EB20F44832AB7A0F7C8B94F045534EA8E93B68DF7DC4558B00
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ErrorLast
  • String ID: $F$F
  • API String ID: 1452528299-854791169
  • Opcode ID: 48adae33b272014a3bd7f8830bee2b4f37bd5b46737dc88d6f0e5e0ad2e58fc3
  • Instruction ID: 7024581cc2f8b8bde308e279bf05944cfcd86392e086414d9d71f87e8897c081
  • Opcode Fuzzy Hash: 48adae33b272014a3bd7f8830bee2b4f37bd5b46737dc88d6f0e5e0ad2e58fc3
  • Instruction Fuzzy Hash: E0623A7660CAC08BD375CB29E4917AAB7E2F7CC704F088275EA8DC3759DA6DD9418E04
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID:
  • String ID: .
  • API String ID: 0-248832578
  • Opcode ID: dfb931dcdcb52707f80f69852d9993084529fb4caf18dc04cc70c36f3e1e9c03
  • Instruction ID: 5c2bfffa72a04cb782569ba2528df34ea6dd287bbc41af739e4082fe481aca9c
  • Opcode Fuzzy Hash: dfb931dcdcb52707f80f69852d9993084529fb4caf18dc04cc70c36f3e1e9c03
  • Instruction Fuzzy Hash: 65312DB6B1969145F760AB32DC047B96A91BB84BE4F4C8331DE6C07BD9CE7DDA068700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ExceptionRaise_clrfp
  • String ID:
  • API String ID: 15204871-0
  • Opcode ID: 5ae4a7528835b0b49a8857f053ceb908ad3c7ca174dc3f779df86203497436de
  • Instruction ID: f3b4c6bb36a1c7d15c28a86696954faffbfeb296bb17b96e8e8619bc4d7fc358
  • Opcode Fuzzy Hash: 5ae4a7528835b0b49a8857f053ceb908ad3c7ca174dc3f779df86203497436de
  • Instruction Fuzzy Hash: 49B16DBB601B858BE715DF29C8453683BA0F744B48F198925DE5D837A8CBBED866C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: HeapProcess
  • String ID:
  • API String ID: 54951025-0
  • Opcode ID: 3df011ddc12baa2c3128e701586635ecc8eddd8f7ea25679bb33931082fcf9de
  • Instruction ID: 8bbad83d436e4c841fb934cc0de2ee18df3c6fae6a9ad243af7046c660f2ab7c
  • Opcode Fuzzy Hash: 3df011ddc12baa2c3128e701586635ecc8eddd8f7ea25679bb33931082fcf9de
  • Instruction Fuzzy Hash: 88B09268E07B02C2FB083B22EC8622422A4BF5CB00F988038C40C41324DEBD28EA9700
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 2099b7a1a2efcb4201043d6fcdd22443e0d0e00dd72625e0276361dabbd7f190
  • Instruction ID: 3a2b43fe7fb9e8156b43d513f5b682725519ca92bab0c13a6024a485bef8cb15
  • Opcode Fuzzy Hash: 2099b7a1a2efcb4201043d6fcdd22443e0d0e00dd72625e0276361dabbd7f190
  • Instruction Fuzzy Hash: 37F044B5A192558AEB989F2EE8126397790F70C3C0F84843DD58987A08D67D98619F04
Uniqueness

Uniqueness Score: -1.00%

APIs
  • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFB522CD3DB,?,?,?,00007FFB522CB15E,?,?,?,00007FFB522CB119), ref: 00007FFB522CD25B
  • GetLastError.KERNEL32(?,?,00000000,00007FFB522CD3DB,?,?,?,00007FFB522CB15E,?,?,?,00007FFB522CB119), ref: 00007FFB522CD269
  • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFB522CD3DB,?,?,?,00007FFB522CB15E,?,?,?,00007FFB522CB119), ref: 00007FFB522CD293
  • FreeLibrary.KERNEL32(?,?,00000000,00007FFB522CD3DB,?,?,?,00007FFB522CB15E,?,?,?,00007FFB522CB119), ref: 00007FFB522CD2D9
  • GetProcAddress.KERNEL32(?,?,00000000,00007FFB522CD3DB,?,?,?,00007FFB522CB15E,?,?,?,00007FFB522CB119), ref: 00007FFB522CD2E5
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: Library$Load$AddressErrorFreeLastProc
  • String ID: api-ms-
  • API String ID: 2559590344-2084034818
  • Opcode ID: 979b7ecae63117dee44a3656a1d36a45a39504cd05045cdd5aec934fa911ae99
  • Instruction ID: 712308235d6bddca6456562140c847b28166d7e6857eeeb9110507c4da2c5874
  • Opcode Fuzzy Hash: 979b7ecae63117dee44a3656a1d36a45a39504cd05045cdd5aec934fa911ae99
  • Instruction Fuzzy Hash: 9231E1B9A0B642A1FE11BB22EC016B46394BF04BA0F4D0131DE1D1B38DDFBEE8458300
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID:
  • API String ID: 3215553584-0
  • Opcode ID: 0c0de88f04cc25f1b421ce6fc685c94513c7646738ec1a3927c949cd91ecf752
  • Instruction ID: d22c288fb0232b80addba16dcf08f217f3a0602df86870ba35ac271366ca20a5
  • Opcode Fuzzy Hash: 0c0de88f04cc25f1b421ce6fc685c94513c7646738ec1a3927c949cd91ecf752
  • Instruction Fuzzy Hash: 1191C4EAA0A65295FB60AB30DC4127966A5BF40BB4F184235DE5D227DDDFBEDC42C300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
  • String ID: csm$csm$csm
  • API String ID: 3523768491-393685449
  • Opcode ID: 09d0e3005aa01aed46cb737277f968802232812658b1e532ddf793118e14e603
  • Instruction ID: 4e03776121c236a5ae58de4cbb84202072f146d87c9617ddbd5f133ab53d56f4
  • Opcode Fuzzy Hash: 09d0e3005aa01aed46cb737277f968802232812658b1e532ddf793118e14e603
  • Instruction Fuzzy Hash: 02E1B2BB90A6869AE710AF34D8443AD77A0FB44748F184135DA8CA775DCFBEE885C740
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: AddressFreeHandleLibraryModuleProc
  • String ID: CorExitProcess$mscoree.dll
  • API String ID: 4061214504-1276376045
  • Opcode ID: cb6e17d5885f19baeb44245bd940c544eceda2df2dbffaed8d497888fb4ee891
  • Instruction ID: c3c5b9397d9893e583958b4816226b2095a8c95a180189916ae2c105aa8ebe15
  • Opcode Fuzzy Hash: cb6e17d5885f19baeb44245bd940c544eceda2df2dbffaed8d497888fb4ee891
  • Instruction Fuzzy Hash: D7F03CBAA1AA4291FF44AB31F8842792360BF88790F8C5035DD0F46768DEADD889C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID:
  • API String ID: 3215553584-0
  • Opcode ID: 8491e4bad257f16e555dcb3316224df54d2d65f00063d7bc016a334fd18d2cdc
  • Instruction ID: c9d24d7ad6ae649eb5e19836dc834b94892ca2250b363dae688b0636fbd1ea9b
  • Opcode Fuzzy Hash: 8491e4bad257f16e555dcb3316224df54d2d65f00063d7bc016a334fd18d2cdc
  • Instruction Fuzzy Hash: E581B5BAA1A65285F760AB75DC406BC36A0BB44758F484135CE4E1B799CFBEEC4BC700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
  • String ID:
  • API String ID: 3659116390-0
  • Opcode ID: 97126d1e4600126576d003b324917621246bd52a143cf41d6b80b72f1a38cfed
  • Instruction ID: 167ac66f35a594b20518f158c8b0afff8abecc92ac7a3583451df59558705120
  • Opcode Fuzzy Hash: 97126d1e4600126576d003b324917621246bd52a143cf41d6b80b72f1a38cfed
  • Instruction Fuzzy Hash: 8C51E1B6A19A5189F714DB75E8443AC3770BB48B98F088135DE4A07B9CDF7DD94ACB00
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetProcAddress.KERNEL32(?,?,FFFFFFFF,00007FFB522D0013,?,?,00000000,00007FFB522CFA83,?,?,?,00007FFB522CF47D), ref: 00007FFB522CFE5A
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: AddressProc
  • String ID:
  • API String ID: 190572456-0
  • Opcode ID: 58799e4de07c97cd00531aac7aecfed56510b7524f655275dbf1186f41961520
  • Instruction ID: ee3ea092a0f3257f03ae7de73c076071515ab0c3ab5b1b996542aa4f1c744f51
  • Opcode Fuzzy Hash: 58799e4de07c97cd00531aac7aecfed56510b7524f655275dbf1186f41961520
  • Instruction Fuzzy Hash: B841E4E9B0FA02A1FA15AB22EC045B56391BF04BD0F0D4536DD1D5B78DDEBEE8468340
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: _set_statfp
  • String ID:
  • API String ID: 1156100317-0
  • Opcode ID: b7664432e41ba77913d69028e7edc508c49d41399d74719a20a153286b896ad0
  • Instruction ID: 963817c74a3e295f1932a480f59e57377417e070018392a6310eeae45475fe49
  • Opcode Fuzzy Hash: b7664432e41ba77913d69028e7edc508c49d41399d74719a20a153286b896ad0
  • Instruction Fuzzy Hash: 7511B2BEE1A64361F6683274EC4537A21416F88360F1C4634ED7D0A5DFCEEEAC4A9200
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: CallEncodePointerTranslator
  • String ID: MOC$RCC
  • API String ID: 3544855599-2084237596
  • Opcode ID: e65f63bc687f83906f53310297e8780cae4a6411aba946573e1f5d2790d6cfad
  • Instruction ID: 0606ad21ff4d98ed1ceb8c75b763df8c11a22a2c5d63d39ea79ccbeac506d6a8
  • Opcode Fuzzy Hash: e65f63bc687f83906f53310297e8780cae4a6411aba946573e1f5d2790d6cfad
  • Instruction Fuzzy Hash: 1A91B0B7A097859AE710EB74E8802AD77B0FB04788F184139EA8C67758DF7DD595C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ByteCharErrorFileLastMultiWideWrite
  • String ID: U
  • API String ID: 2456169464-4171548499
  • Opcode ID: 162316b6671ae675fe4181b81f88fba2ef0edc5d2dd7749930cd7135a98a9c5e
  • Instruction ID: 1d81c683a5227c60122825cf209586856bbf6dfb9d9a64e51ebfc209e1b226d0
  • Opcode Fuzzy Hash: 162316b6671ae675fe4181b81f88fba2ef0edc5d2dd7749930cd7135a98a9c5e
  • Instruction Fuzzy Hash: 2C41D476B1A64182EB209F25EC043B9B7A0FB98794F444031EE4D9B798DFBDD906C740
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: Process$CurrentMemoryWrite
  • String ID:
  • API String ID: 4081199588-0
  • Opcode ID: 9c0d1998630683d894bfee9a8911b0d12361bf926d06c4dbe384b2eea5d31280
  • Instruction ID: 1863720b8f7b56db650420a9c1f6f85ec9cf45abef05a83eb89c072c06fd01fd
  • Opcode Fuzzy Hash: 9c0d1998630683d894bfee9a8911b0d12361bf926d06c4dbe384b2eea5d31280
  • Instruction Fuzzy Hash: 9E210ABA619B8582E650DB65F84066AB3A4FB8D790F504031EA8D53B28DF7DD509CB00
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: __except_validate_context_record
  • String ID: csm$csm
  • API String ID: 1467352782-3733052814
  • Opcode ID: 591a5de2414413676dc845dadd1a0765c6230c952e115803dda7612d24b31784
  • Instruction ID: 6bd95184ac6f1e3ee55509137aec8f08bef456224218450b377b60847fdd533a
  • Opcode Fuzzy Hash: 591a5de2414413676dc845dadd1a0765c6230c952e115803dda7612d24b31784
  • Instruction Fuzzy Hash: DC71B3BB90A68196DB209F35E85427D7BA0EB04F88F188135DE4C6BB8DCBBDD851C705
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: CreateFrameInfo__except_validate_context_record
  • String ID: csm
  • API String ID: 2558813199-1018135373
  • Opcode ID: 49c25071bb3f5b2a3a5688f2717286df5c0869e1b24e49aa4a3898a2be375829
  • Instruction ID: 3960e87d7c2c36b25bbbe4a6c2784475e364c18a7d72a9a314042c5e63a5657a
  • Opcode Fuzzy Hash: 49c25071bb3f5b2a3a5688f2717286df5c0869e1b24e49aa4a3898a2be375829
  • Instruction Fuzzy Hash: 0651A0BBA1A74596D620EF25E84126E77A8F788B90F180134DB8D53B59CFBDD860CB00
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: FileModuleName_invalid_parameter_noinfo
  • String ID: C:\Windows\SYSTEM32\rundll32.exe
  • API String ID: 3307058713-2484965969
  • Opcode ID: 673f1962a47899f98b4d2dbb6b1b4325e7dba8bc830f4d2fc4bca72432d8bf7a
  • Instruction ID: 96b54c15e7ce06a2b07135c73c06ccfa3d1459a8d78e1fa6e9b8447524af4c0c
  • Opcode Fuzzy Hash: 673f1962a47899f98b4d2dbb6b1b4325e7dba8bc830f4d2fc4bca72432d8bf7a
  • Instruction Fuzzy Hash: BD41B0BAA0AA4295E725EF32DC400BC67A4FF44BC4B494032ED4E17799CEBEED418300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: FileHandleType
  • String ID: @
  • API String ID: 3000768030-2766056989
  • Opcode ID: 7ebe169a86a84151e0403cd721eb4abd3864680fd723f3da4140789dc54d4a94
  • Instruction ID: 6a6d39eadf2d77765a93c468e6a64ecdcd7bfaa2a8749134af14d9971f42ed15
  • Opcode Fuzzy Hash: 7ebe169a86a84151e0403cd721eb4abd3864680fd723f3da4140789dc54d4a94
  • Instruction Fuzzy Hash: 65214FBAA1964241FB609B36D8941792751EB85764B280335DA6E06BE8CF6EDC86D300
Uniqueness

Uniqueness Score: -1.00%

APIs
  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFB522C93DF), ref: 00007FFB522C9EA4
  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFB522C93DF), ref: 00007FFB522C9EEA
Strings
Memory Dump Source
  • Source File: 00000001.00000002.205914091.00007FFB522C1000.00000020.00020000.sdmp, Offset: 00007FFB522C0000, based on PE: true
  • Associated: 00000001.00000002.205897888.00007FFB522C0000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205929025.00007FFB522D6000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205941760.00007FFB522E0000.00000004.00020000.sdmp
  • Associated: 00000001.00000002.205945398.00007FFB522E2000.00000002.00020000.sdmp
  • Associated: 00000001.00000002.205979661.00007FFB522E5000.00000002.00020000.sdmp
Similarity
  • API ID: ExceptionFileHeaderRaise
  • String ID: csm
  • API String ID: 2573137834-1018135373
  • Opcode ID: 67c667b576a4fe2f4dc7d09171f10ac400abc68247b75c69d3875e029ada04d1
  • Instruction ID: 12a65a305e6bde7b35430f873673580e82279d1bac47f5bcf3c4e75b2a0b3dac
  • Opcode Fuzzy Hash: 67c667b576a4fe2f4dc7d09171f10ac400abc68247b75c69d3875e029ada04d1
  • Instruction Fuzzy Hash: DC118CB6A09B4182EB619F25F94026977A0FB88B84F1C8231DE8C07B68DF7DD851CB00
Uniqueness

Uniqueness Score: -1.00%