Edit tour

Windows Analysis Report
iisutil.dll

Overview

General Information

Sample name:	iisutil.dll
Analysis ID:	1500520
MD5:	6b64382e0d7fe3d455c8065625d91ca3
SHA1:	6111ec178472470244c7027aa46591a94c897b88
SHA256:	4e692aa0c2b858917235b4cc2befe649c1fc3df90d6c42d0f329cde57156d752
Tags:	AdvancedPersistentThreatdll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6328 cmdline: loaddll32.exe "C:\Users\user\Desktop\iisutil.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 404 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3872 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5828 cmdline: rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1732 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 6260 cmdline: rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@VCDateTime@@@@QAE@XZ MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3608 cmdline: rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 6048 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1432 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@VCDateTime@@@@QAE@XZ MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4476 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6472 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uuencode MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6592 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uudecode MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6264 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_IISGetCurrentTime@8 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3624 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_GetAllocCounters@0 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7172 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteTraceLog MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7180 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLogEx MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLog MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7196 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateLocalRequest MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7204 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateIISUtil MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7212 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SystemTimeToGMT MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7220 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StopIISAdminMonitor MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7228 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StartIISAdminMonitor MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7236 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipWhite MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7260 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipTo MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7280 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetStringParameterValueInAnyService MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7296 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetFlagsDebugPrintHR MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7376 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetExplicitAccessSettings MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerTerminate MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerInitialize MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7484 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleWorkItem MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleAdjustTime MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: iisutil.dll

ReversingLabs: Detection: 47%

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E68B9F0 DecryptMemoryPassword,?Resize@STRU@@QAEJK@Z,CryptUnprotectMemory,GetLastError,?SyncWithBuffer@STRU@@QAEXXZ,		0_2_6E68B9F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E68B990 EncryptMemoryPassword,?Resize@STRU@@QAEJK@Z,CryptProtectMemory,GetLastError,		0_2_6E68B990

Source: iisutil.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: iisutil.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:

Binary string: iisutil2.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1901248534.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1935852092.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1923248069.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1912556040.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1821249518.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.1820367402.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1822526151.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1824451320.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1824649221.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000002.1821324744.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.1822440015.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000018.00000002.1821987188.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1821685431.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1822208604.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1824734768.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1822923964.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001E.00000002.1824212283.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.1824823589.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.1824201701.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1825593697.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.1826155339.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000026.00000002.1825944665.000000006E671000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000027.00000002.1826035221.000000006E671000.00000020.00000001.01000000.00000003.sdmp, iisutil.dll

Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: iisutil.dll	String found in binary or memory: http://www.iis.net0

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E696317	0_2_6E696317
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E671708	0_2_6E671708
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E695480	0_2_6E695480
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67F3C0	0_2_6E67F3C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E689810	0_2_6E689810
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E6711C1	0_2_6E6711C1

Source: C:\Windows\System32\loaddll32.exe

Code function: String function: 6E6865B0 appears 135 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 636

Source: iisutil.dll

Static PE information: invalid certificate

Source: iisutil.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal48.winDLL@104/17@0/0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E6868B0 PuDbgPrintError,GetLastError,FormatMessageA,_snprintf_s,?Append@STRA@@QAEJPBD@Z,?Append@STRA@@QAEJPBD@Z,?Append@STRA@@QAEJPBD@Z,LocalFree,SetLastError,?FreeMemoryInternal@BUFFER@@AAEXXZ,

0_2_6E6868B0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E68A610 DisableTokenBackupPrivilege,AdjustTokenPrivileges,

0_2_6E68A610

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5828
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3608
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3872

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\20092ac3-857a-49d3-a231-0c91b6726372

Jump to behavior

Source: iisutil.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1

Source: iisutil.dll

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iisutil.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 636
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 644
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@VCDateTime@@@@QAE@XZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 636
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 636
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@VCDateTime@@@@QAE@XZ
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uuencode
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uudecode
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_IISGetCurrentTime@8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_GetAllocCounters@0
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteTraceLog
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLogEx
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLog
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateLocalRequest
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateIISUtil
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SystemTimeToGMT
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StopIISAdminMonitor
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StartIISAdminMonitor
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipWhite
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipTo
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetStringParameterValueInAnyService
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetFlagsDebugPrintHR
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetExplicitAccessSettings
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerTerminate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerInitialize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleWorkItem
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleAdjustTime
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@VCDateTime@@@@QAE@XZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@VCDateTime@@@@QAE@XZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uuencode	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uudecode	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_IISGetCurrentTime@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_GetAllocCounters@0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteTraceLog	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLogEx	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLog	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateLocalRequest	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateIISUtil	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SystemTimeToGMT	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StopIISAdminMonitor	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StartIISAdminMonitor	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipWhite	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipTo	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetStringParameterValueInAnyService	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetFlagsDebugPrintHR	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetExplicitAccessSettings	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerTerminate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerInitialize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleWorkItem	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleAdjustTime	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: iisutil.dll

Static PE information: More than 1221 > 100 exports found

Source: iisutil.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: iisutil.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: iisutil.dll

Static PE information: real checksum: 0x431fa should be: 0x4235b

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E671670 push eax; retf	0_2_6E671671
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E6987C4 push ecx; ret	0_2_6E698888
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 32_2_000FC55C push eax; retf	32_2_000FC55D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 32_2_000FC554 push 40000FF1h; retf	32_2_000FC559
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 32_2_000FC56C push eax; retf	32_2_000FC56D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 36_2_0067C7B4 push eax; retf	36_2_0067C7B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 36_2_0067C8BC pushad ; iretd	36_2_0067C8BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 36_2_0067C978 pushad ; iretd	36_2_0067C979

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 32_2_000FC984 sldt word ptr [eax]

32_2_000FC984

Source: C:\Windows\System32\loaddll32.exe

API coverage: 0.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E680609 GetSystemInfo,

0_2_6E680609

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E685E5F CreateFileA,GetLastError,sprintf_s,OutputDebugStringA,

0_2_6E685E5F

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E695FB0 mov ecx, dword ptr fs:[00000030h]

0_2_6E695FB0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E687ECB GetModuleHandleW,GetProcAddress,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapAlloc,GetLastError,GetSystemInfo,GetProcessHeap,HeapFree,

0_2_6E687ECB

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E68B620 GetSecurityAttributesForSid,LocalFree,SetExplicitAccessSettings,SetEntriesInAclW,SetConsoleTextAttribute,PuDbgPrintError,SetConsoleTextAttribute,InitializeSecurityDescriptor,GetLastError,SetConsoleTextAttribute,SetSecurityDescriptorDacl,GetLastError,SetConsoleTextAttribute,PuDbgPrintError,SetConsoleTextAttribute,

0_2_6E68B620

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E689F47 AllocateAndInitializeSid,GetLastError,LocalFree,FreeSid,LocalAlloc,?FreeMemoryInternal@BUFFER@@AAEXXZ,

0_2_6E689F47

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E6907A0 ?IpmMessageDeleted@IPM_MESSAGE_PIPE@@QAEXPAVIPM_MESSAGE_IMP@@@Z,?WriteLock@CReaderWriterLock3@@QAEXXZ,?WriteUnlock@CReaderWriterLock3@@QAEXXZ,PuDbgPrint,?CreateIpmMessagePipe@IPM_MESSAGE_PIPE@@SGJPAVIPM_MESSAGE_ACCEPTOR@@PBGHPAU_SECURITY_ATTRIBUTES@@PAPAV1@@Z,PuDbgPrint,??0IPM_MESSAGE_PIPE@@AAE@XZ,PuDbgPrint,CreateNamedPipeW,GetLastError,PuDbgPrint,PuDbgPrint,ConnectNamedPipe,GetLastError,PuDbgPrint,CreateFileW,GetLastError,SetNamedPipeHandleState,GetLastError,PuDbgPrint,?ReadMessage@IPM_MESSAGE_PIPE@@AAGJK@Z,CloseHandle,CloseHandle,

0_2_6E6907A0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E68CE30 ?GetTickCount@CDateTime@@QAEHXZ,GetSystemTimeAsFileTime,FileTimeToSystemTime,

0_2_6E68CE30

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E68E9D0 ?Register@CEtwTracer@@QAEKPBU_GUID@@PAG1@Z,GetVersionExW,GetModuleHandleW,GetModuleFileNameW,

0_2_6E68E9D0

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B670 ?Pop@CLockedSingleList@@QAEQAVCSingleListEntry@@XZ,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B670
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B620 ?Push@CSingleList@@QAEXQAVCSingleListEntry@@@Z,	0_2_6E67B620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B610 ?Pop@CSingleList@@QAEQAVCSingleListEntry@@XZ,	0_2_6E67B610
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B6A0 ?Push@CLockedSingleList@@QAEXQAVCSingleListEntry@@@Z,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B6A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67CEB0 ??1CLKRHashTable@@QAE@XZ,?_FreeSubTable@CLKRHashTable@@CG_NPAVCLKRLinearHashTable@@@Z,?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67CEB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B770 ?RemoveTail@CDoubleList@@QAEQAVCListEntry@@XZ,	0_2_6E67B770
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67C740 ?_RemoveThisFromGlobalList@CLKRHashTable@@AAEXXZ,?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67C740
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B750 ?RemoveHead@CDoubleList@@QAEQAVCListEntry@@XZ,	0_2_6E67B750
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67C720 ?_InsertThisIntoGlobalList@CLKRHashTable@@AAEXXZ,?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67C720
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B730 ?InsertTail@CDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67B730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B710 ?InsertHead@CDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67B710
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B7C0 ?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B7C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B790 ?RemoveEntry@CDoubleList@@SGXQAVCListEntry@@@Z,	0_2_6E67B790
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E689C40 ?StartListening@MB_BASE_NOTIFICATION_SINK@@QAEJPAUIUnknown@@@Z,CoDisconnectObject,EnterCriticalSection,LeaveCriticalSection,	0_2_6E689C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E689D40 ?StopListening@MB_BASE_NOTIFICATION_SINK@@QAEJPAUIUnknown@@@Z,CoDisconnectObject,EnterCriticalSection,LeaveCriticalSection,	0_2_6E689D40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67CD10 ??0CLKRHashTable@@QAE@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKK_N@Z,strncpy_s,?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,?NumSubTables@CLKRHashTable@@SG?AW4LK_TABLESIZE@@AAK0@Z,?_AllocateSubTableArray@CLKRHashTable@@CGQAPAVCLKRLinearHashTable@@I@Z,?_AllocateSubTable@CLKRHashTable@@CGQAVCLKRLinearHashTable@@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKPAV1@_N@Z,?IsValid@CLKRLinearHashTable@@QBE_NXZ,?_FreeSubTable@CLKRHashTable@@CG_NPAVCLKRLinearHashTable@@@Z,	0_2_6E67CD10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E687AC0 ?Alloc@ALLOC_CACHE_HANDLER@@QAEPAXXZ,GetCurrentThreadId,InterlockedPopEntrySList,HeapAlloc,?PopAnyFreeListEntry@ALLOC_CACHE_HANDLER@@AAEPAXXZ,SetLastError,	0_2_6E687AC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E687BB0 ?PopAnyFreeListEntry@ALLOC_CACHE_HANDLER@@AAEPAXXZ,InterlockedPopEntrySList,	0_2_6E687BB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B840 ?HeadNode@CLockedDoubleList@@QBEQBVCListEntry@@XZ,	0_2_6E67B840
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B850 ?RemoveHead@CLockedDoubleList@@QAEQAVCListEntry@@XZ,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B850
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B800 ?InsertTail@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B800
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67C0F0 ?_InsertThisIntoGlobalList@CLKRLinearHashTable@@AAEXXZ,?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67C0F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B8C0 ?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B8C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B880 ?Last@CLockedDoubleList@@QAEQAVCListEntry@@XZ,	0_2_6E67B880
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67B890 ?RemoveTail@CLockedDoubleList@@QAEQAVCListEntry@@XZ,?WriteLock@CSpinLock@@QAEXXZ,?_Unlock@CSpinLock@@AAEXXZ,	0_2_6E67B890
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E67C110 ?_RemoveThisFromGlobalList@CLKRLinearHashTable@@AAEXXZ,?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z,	0_2_6E67C110

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	1 Rundll32	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iisutil.dll	47%	ReversingLabs	Win32.Backdoor.Oceanlotus

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://www.iis.net0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
http://www.iis.net0	iisutil.dll	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500520
Start date and time:	2024-08-28 15:55:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iisutil.dll
Detection:	MAL
Classification:	mal48.winDLL@104/17@0/0
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 253
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 6264 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7236 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7260 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7376 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: iisutil.dll

Simulations

Behavior and APIs

Time	Type	Description
09:56:18	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_74d2292676aa8f3d3b873026bfa4bb114f7744d_7522e4b5_6eb46e90-bbc7-4b96-a46f-f862dbf5ec4a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8625660798290852
Encrypted:	false
SSDEEP:	96:ClZFkH6i1hVywsj94sFmEffwQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNlA:+vi1Owe0BU/wjeTvzuiFiZ24IO8dci
MD5:	3F1A7B7BA11CB0A772ABF67C2DAB7940
SHA1:	FCEB5C9A9EE8A3F285CDB7BB5BA6496210C23333
SHA-256:	697C910700BA9D3BC198A94F55C93ECA1AFC37A4BC69DDA3E8233AB132C02694
SHA-512:	57A74F625616227C5DD1C9A8C0C9EA0C9D8F9DC79B18292EE7FF1B8D1C17F7A30D6A5DD04EC87772C2A818CD1004AA94D0A8CCC20C15B6D67EBD8192ED2FD4F3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.5.9.9.2.6.4.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.6.2.2.7.0.0.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.b.4.6.e.9.0.-.b.b.c.7.-.4.b.9.6.-.a.4.6.f.-.f.8.6.2.d.b.f.5.e.c.4.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.9.4.6.7.0.0.-.a.9.6.b.-.4.7.a.6.-.a.8.3.8.-.5.f.7.a.2.c.c.c.c.4.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.1.8.-.0.0.0.1.-.0.0.1.4.-.d.6.9.1.-.c.a.0.6.5.2.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_82a4d751d744bbae5b7fe90618e3ca9a2ea43c5_7522e4b5_78808332-d4ee-4bfd-aa0c-5547fff18423\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8626867666641603
Encrypted:	false
SSDEEP:	96:6oFRO6iuQhVyIsj94sFmEfflBQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNZ:3zDixOI10BU/wjeTvzuiF9Z24IO8dci
MD5:	4AB774353A36DEE067773BBD0898C59E
SHA1:	D2A965E53D69EB8F3EE86DEFF289A1CD66548368
SHA-256:	69A073141A9E10DE5C6E57F286A1B9AE658481709900C6518A65716FBDBE5EC4
SHA-512:	E085538D00A564F72BE0BA301E65A1AABB0081091C4EB0F6A677026FFCEDF559EBA337E95DD633117E48B28F38F181C82FD0F3AA81A9DDBEA5CCDE529D96246B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.0.1.6.4.4.7.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.0.7.8.9.4.7.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.8.0.8.3.3.2.-.d.4.e.e.-.4.b.f.d.-.a.a.0.c.-.5.5.4.7.f.f.f.1.8.4.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.1.1.6.6.a.5.-.8.d.5.8.-.4.6.0.2.-.9.e.f.0.-.d.2.5.9.0.d.6.2.e.c.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.2.0.-.0.0.0.1.-.0.0.1.4.-.8.a.e.e.-.2.b.0.3.5.2.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_82a4d751d744bbae5b7fe90618e3ca9a2ea43c5_7522e4b5_cb845ae6-1dbd-4ce9-a86c-5f85bb38b7ec\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8625362526478706
Encrypted:	false
SSDEEP:	96:OwFCEYr6iuhVyHsj94sFmEfflBQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyI:jUSiuOH10BU/wjeTvzuiFiZ24IO8dci
MD5:	EEB0D37160BC1FDE17AE901D878EB7BA
SHA1:	18BA6FE59AA72546045AE95B9245C6F4DF14E8E0
SHA-256:	D5CAAC00EE8BC8024469C8135BF995C27A5831444AA5A097ACEDB9F8F4601F23
SHA-512:	E0B58C75CC50537094C54462519ABB81FC4D3EC430FA25EEAF3E93D77D18E26AFDAB5DB69ECC10AAE2DDCF9D362E2DA2D848EB7C684F006C347CDD2E60EA2C52
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.0.1.9.6.5.0.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.0.6.4.9.6.3.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.8.4.5.a.e.6.-.1.d.b.d.-.4.c.e.9.-.a.8.6.c.-.5.f.8.5.b.b.3.8.b.7.e.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.2.d.c.6.6.a.-.d.8.3.5.-.4.a.b.d.-.8.d.4.a.-.6.f.1.e.4.b.1.5.9.2.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.c.4.-.0.0.0.1.-.0.0.1.4.-.0.b.f.6.-.2.b.0.3.5.2.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f34569f3e06624e3681d94af4f51e2a47231a897_7522e4b5_6634f637-9abb-48c2-9230-d3f04625b2f1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8625615255868028
Encrypted:	false
SSDEEP:	192:3s5ziBODu0BU/wjeTvzuiFiZ24IO8dci:85ziYDVBU/wjebzuiFiY4IO8dci
MD5:	B7A3042A676E12DA331AA5195FF0B9DA
SHA1:	03CD4F000AF53B9C707F715D56220FC42887A67A
SHA-256:	529F7F2F437335A4F7BFE41B85BE6ABE4A9BE07B9FE777B4D3FDA3A2B4BE7871
SHA-512:	B79996E82FE0998AD1C0CC1D7D8FCAA2E76AD913000BCFBFEA5A35B4F7126ECAD736552A54EB50771793BDC1770DA0CA9227F86F0583018BB0968BC8A0612076
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.3.0.3.7.8.6.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.2.6.9.6.3.4.2.8.4.7.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.3.4.f.6.3.7.-.9.a.b.b.-.4.8.c.2.-.9.2.3.0.-.d.3.f.0.4.6.2.5.b.2.f.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.d.e.d.d.0.1.-.0.a.2.c.-.4.7.1.a.-.a.6.2.e.-.a.d.8.5.a.3.9.9.b.b.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.7.4.-.0.0.0.1.-.0.0.1.4.-.2.c.7.e.-.f.e.0.4.5.2.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB379.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 28 13:56:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42874
Entropy (8bit):	1.9669083771686013
Encrypted:	false
SSDEEP:	96:5q8Npaf6ciO4hFyoPk9pWN4viOLZR5oi75I4v4rbAhW87Bzw6NAILUAcqtJYZECT:33ayN8iddO5H4AgTqtJqECracU90VzQ
MD5:	43EED9DA67E252CE8644E53C7F95561C
SHA1:	223DC2B2214F7ABC372F1A5ADE653744C1BEEDC7
SHA-256:	FCE6D26C68BC9D4BE1B717416959FA6807922ADBE1504F52328C6D00C9BCD9C7
SHA-512:	639039E176F665B889721BDC59BC48EBDFB83439FAB3A95165360450796AE589272DED8116BCDA9C3E69D89B7A2E2B5B668BB7202627E1D51047B2F46D7BC031
Malicious:	false
Preview:	MDMP..a..... .......p,.f........................................v)..........T.......8...........T......................................................................................................................eJ......,.......GenuineIntel............T....... ...o,.f.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB389.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 28 13:56:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44526
Entropy (8bit):	1.914798798466938
Encrypted:	false
SSDEEP:	96:5q8Jj56ciO4hFyoPk9gWN4viOLLsMoi75I4v4rb0c+jUxsq3G9t999XTTB9XT722:3lwN8NdlJO5H4hl3G/TdTBd3qaFsJ4x
MD5:	8BE3818D20647E85D9AA4AC0E3BC331D
SHA1:	C5A0386F3A52BD73FF727ADFDDE49E618BB643D1
SHA-256:	7D9BD701A9E8887DD4EF0C2C9B85BA19E0EBB1217F6123D0254CE830F18EF042
SHA-512:	A8ECD5B9304E8442FB2489066CF0ED099DFF22820F938201FB91BF1773AD3E88709DEB988CE7FDE7933067F9FB220C1846725D99F513E207C9663E82FA750BB8
Malicious:	false
Preview:	MDMP..a..... .......p,.f........................................v)..........T.......8...........T...........`...........................................................................................................eJ......,.......GenuineIntel............T...........o,.f.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB493.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8256
Entropy (8bit):	3.6911416385779487
Encrypted:	false
SSDEEP:	192:R6l7wVeJTU6ImJ6Y+aQ62gmfT2qeprt89blcsfeXm:R6lXJA6ImJ6YE62gmfT2qhlvf/
MD5:	572D0D37249A9073EFB992AC5FBF36D0
SHA1:	950DEDF67684A17CCDB17015BE02083BDC43A63C
SHA-256:	B5F57ED51EF5A27BD5270C3F446E7E93EE77EC13CEA3AAD9E1BB9D7B404EC481
SHA-512:	1BD669679A59F7F9564B55B6D7434BC26BF3ECF3B2280EBE6CC72311A5CDE9C0F0D653937483083C686F75886EE68D7195AF547FBBAC2D69FCBC545D841C6906
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB494.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8264
Entropy (8bit):	3.691551793994956
Encrypted:	false
SSDEEP:	192:R6l7wVeJaL6IHx6YVj69gmfT2qeprH89blEsfHbXm:R6lXJ+6IHx6Yh69gmfT2qTl3fi
MD5:	9DD449C0BAAACC8FDAA97F563465C1E6
SHA1:	82658299B883AFC3A47DB34AF68376F1A86B1633
SHA-256:	130A246F07D1C30CFDDF869C4255204E227BB70D3D63CC2FC905709930156E6F
SHA-512:	62907A1F5610F8453A46E41A9D5B1BA7D4C923D470CF5436D815771113322A658C8193831AE28170FF5A4047E22A9B09BDEC8C61086F71744A9D7176A64ABBE9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4C3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.456879526473582
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9y1WpW8VYjfYm8M4JCdPkFFI+q8/Y8rZGScSSd:uIjfxI7YE7VcCJlI7gJ3Sd
MD5:	1CD4A6C83A86A4CE03DBE49BB508FA02
SHA1:	2A3AEE77896638B8C87575CD3A3DCB6EEBD7002E
SHA-256:	FB8CC082A6B0AE40EDECC75114C3CFC2A17FCEDD87CF3FAB08EBF6AA74A5E0CA
SHA-512:	B7821EFD4BCA4935DA23FFEA78F2423049880D08EBD38B8662132E7B0D88AAC2E48DD8CB85D8E947C2EB983166051D44903CB287EA73C2443157E309D4D64F1C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475498" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB541.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.457218166191948
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9y1WpW8VYZYm8M4JCdPkFFn9+q8/Y8oBZGScSld:uIjfxI7YE7V9Jl97BLJ3ld
MD5:	0DD39BB1B7B2983F7C7DEDFFEDE2D5C2
SHA1:	119C1AD3F165620420F433C74A0DC3D0627839F4
SHA-256:	7F743C1203D4DE49C84E602706CA9D777703D91AE6A1571E5308C955BB04A763
SHA-512:	2ACB75079310293336DD0F9F3D460DCBDE034DCE6D1498910B3D8517F6E02D08380F09C812094E43D1B7FF1578F0B3FC0B59EB19132B50D92FB52BEE70B4A9C5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475498" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE95.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 28 13:56:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45230
Entropy (8bit):	1.8988283315003536
Encrypted:	false
SSDEEP:	192:AEiVN8BdPRO5H4axqsALtbKayOM6ASy5GoyTmQA3:nwGXPE5HNxGLtbBBAN5G8
MD5:	803E4F112D9C32BE3FDB2BC5DCFB8985
SHA1:	D86302B1CEA2CA4B52837F688334616349803E6A
SHA-256:	FBA835F8F9413E2545F01093982BE1CA968A96B9AB0758324C0FBC57C5C847FA
SHA-512:	953A4FC26C0F3EB06D417E8A39AD7ADFD9F28ED39DE75E49C0BEF1B7F731614F76FA70338CB30ABF1949AFE971BA68BCCA8A1E50DE85B11D3FC481DE10511CA2
Malicious:	false
Preview:	MDMP..a..... .......s,.f........................................v)..........T.......8...........T...........`...N.......................................................................................................eJ......,.......GenuineIntel............T.......t...r,.f.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF61.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.6916331838193233
Encrypted:	false
SSDEEP:	192:R6l7wVeJPS6Imk6YVa60gmfT2veprG89bOBsfc6m:R6lXJq6Imk6YI60gmfT2vEO6fg
MD5:	2CBF064DF2C5E8EDE8477FDEB502C7EA
SHA1:	122AFE23CE0779B6725952323236541A4F394BCA
SHA-256:	5A8269B11E176E42732DB189B97F3BCF31FE2F0EAAC80EF284293FE746EC07F3
SHA-512:	ADF5935BC0ED2E28EC68CF3595B4911EF284979EB27B65AD9C13F4A03F15BE169D0DDDE6ABE3C8F526E9E649F1CD052DBB0C676F0503A8D43AB1E0FAB7B51671
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF91.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.456186258008709
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9y1WpW8VYQYm8M4JCdPkP6FW+q8/Y80wGScSAd:uIjfxI7YE7VUJlP57JwJ3Ad
MD5:	92D126A49857D6D2D78C929A0FF30677
SHA1:	7B656ED72D81E174BD3E11526F5ECE82192352E3
SHA-256:	E3DCC085823F276F25490169D5B38F9B25C0022674ADE9BDAE54471B41BA2539
SHA-512:	EFB564DD2487B3710C046A6F881D34D937250DEA57CF81E6250BA194D296A81F2CA3292EC5A2CF8A13AEA850DD4A43E9F40C4DA85C12E79421F19472D79EFBF2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475498" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA2E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 28 13:56:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44462
Entropy (8bit):	1.9240627062941225
Encrypted:	false
SSDEEP:	192:FvwN8YdVOO5H4MzIt9lABSAW8R6IPdGRs:uGGVJ5HvIjlABpW4P
MD5:	967693379E8A055328932EB416988C8C
SHA1:	831F5707BCFE8201B00A232331F3974FB75B8913
SHA-256:	4B45C89032A9FBBE0F9945C66A6930EAC9B579E229023EB2E67D214C6900695B
SHA-512:	F48A9ACB604A8998BB018553AE4E4AA9DB6F40525EC1176DDB0A90D5297565523D05682B39CE2C1C0E60C9331B3C12486B29CC892425E715023F4578747DB23A
Malicious:	false
Preview:	MDMP..a..... .......v,.f........................................v)..........T.......8...........T...........`...N.......................................................................................................eJ......,.......GenuineIntel............T...........u,.f.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA8C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.6905225294781303
Encrypted:	false
SSDEEP:	192:R6l7wVeJgD6ImK6YVD6AgmfT2Pepra89bzBsfmxm:R6lXJs6ImK6YR6AgmfT2Poz6fB
MD5:	B697C06302487028275A24C768A87BA2
SHA1:	A874BBFC59FD145BDF271AC5E0DF18CCCA934841
SHA-256:	51E925FF81A592FE1199DEBEC756FE1C64F9CA18523DBEFAB813360BC46D64C9
SHA-512:	2AC118616F336A5F2D60A7C84CD2BF9B0A25AE86543A24707E1FE6B9149A7C95778AF516D309AA9A54AEDCE68655FB15FB4CE64CE56935A6E05883FD363F54A4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA9D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.458995803595598
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9y1WpW8VYWYm8M4JCdPkwFkfk+q8/Y8bGScSDd:uIjfxI7YE7VaJlPfk72J3Dd
MD5:	B4B6EDDC57EEEA17BEC987A1B9E031CB
SHA1:	77883E68C857629F4F3032F9BF82BED0AAF53579
SHA-256:	61E83553DF91E6A6D58DAFE87D4823E9C46F7654802480E1A4085FCA376106D7
SHA-512:	85E173C3FF7BB93531EF7A61DEA9980D360284974BEFD0E3CEAA1298998C638A8AAAF2749794A0659B051D0CCE1852F850D10803CCE1FBC2D4CC18A5E8078CAA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475498" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466247193889612
Encrypted:	false
SSDEEP:	6144:QIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:1XD94+WlLZMM6YFHT+G
MD5:	83FDBF7B939E90610D4C96CB55136154
SHA1:	D128EC066C447F53F2B11CABB94BA9B85455B7D8
SHA-256:	3981F25457FC6721FA3EBCA3FC41D9744A7CF789C593A58BC55DE68713371D45
SHA-512:	8EC9203AF0DE555E8448D18888AF8FB142BC509612BBC7460975F15859FBA9475E757C1AE1C5B6BBDE9EC855A6AE9A09B27B9694F00010319F0F86CBA6A99B41
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV.a.R.................................................................................................................................................................................................................................................................................................................................................w7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):	6.771824651783558
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iisutil.dll
File size:	247'440 bytes
MD5:	6b64382e0d7fe3d455c8065625d91ca3
SHA1:	6111ec178472470244c7027aa46591a94c897b88
SHA256:	4e692aa0c2b858917235b4cc2befe649c1fc3df90d6c42d0f329cde57156d752
SHA512:	2d98c6c16f7d3648498df2098d09190f5fb17fc853f807a06d33ba72f499494fe66315da7d9c854dd44030b121a9d0e4966ab4b620ea0034c20307b28a1f1c64
SSDEEP:	6144:vvV/g0FYbSAOSVbzzFUBSkaJPawk60HPs:HV/vP62ADcdHPs
TLSH:	98343B5272961DB2E893A1F47A8E712210ADD0B447E147D35A4A4FEF94803E49F3F2DE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n4...Z...Z...Z.......Z.......Z...[.M.Z.......Z.......Z.......Z.......Z.......Z.......Z.Rich..Z.................PE..L...z.RU...

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10025fb0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x5552AF7A [Wed May 13 01:57:14 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	5ebbd30bc18572a08ac81744f48be919

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/04/2014 18:39:00 22/07/2015 18:39:00
Subject Chain	CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	E86019FE85830AC2AE3ADA5322295364
Thumbprint SHA-1:	67B1757863E3EFF760EA9EBB02849AF07D3A8080
Thumbprint SHA-256:	74BF89738D44C4EF0B7602B74A4E533A7CE23C498F00AABD8E783ABC348006FB
Serial:	33000000CA6CD5321235C4E1550001000000CA

Entrypoint Preview

Instruction
push ebp
jmp 00007FAD6132499Dh
push 00000072h
pop esi
cmp si, dx
jne 00007FAD61324F40h
movzx edx, word ptr [eax+06h]
push 0000004Eh
mov esi, dword ptr [esp]
pushfd
push ebx
neg bl
push eax
push edx
cdq
stc
push ecx
bswap ecx
aas
xadd edx, ecx
shr dx, 0005h
cwd
xor edx, edx
mov eax, 0000AE43h
mov ecx, 00000CE6h
div ecx
daa
not ebx
shr edx, 05h
bsr bx, dx
aaa
bts ecx, 03h
xor dx, bx
push ebx
bt cx, 0003h
btc ebx, 06h
stc
aad
lea esp, dword ptr [esp-04h]
pushfd
push edx
bts edx, 00000000h
push eax
mov ax, 0043h
push ecx
mov cx, 00C8h
mul cx
mov eax, 000082E7h
mov ecx, 000099FFh
mul ecx
inc eax
cmc
push ebx
bt bx, 0004h
test dh, 00000031h
aad
cmc
shl ebx, 1
push ebx
mov cx, 0009h
das
aad
mov ax, 00F5h
mov cx, 00A3h
mul cx
mov ecx, dword ptr [esp+08h]
inc ebx
neg ebx
dec dx
inc dl
cmc
not edx
bsf eax, edx
mov edx, dword ptr [esp+10h]
neg ebx
mov ebx, dword ptr [esp+04h]
not ax
mov eax, dword ptr [esp+14h]
push eax
popfd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x28a80	0xed2d	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a3c0	0xc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x3e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3ac00	0x1a90
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3d000	0x1aac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8010	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a000	0x3bc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x37000	0x36800	d014059e9e0123d6a5645adc2df746ab	False	0.41050118262614677	Matlab v4 mat-file (little endian) , numeric, rows 268468560, columns 268468576	6.689098834570451	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x38000	0x2000	0x400	42ee6d3065db671551c8a8d444e486ce	False	0.4638671875	data	3.8478501692785216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x3a000	0x2000	0x1a00	fc943a9cb0f065aabff01e0d4ad6c9e2	False	0.41616586538461536	data	5.521731458072127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x1000	0x400	3b8b925f988a17647e0c6384c4e1a1fa	False	0.443359375	data	3.277642671953213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3d000	0x1d58	0x1e00	17d2e8cff8e88857554c6a4830d95aca	False	0.815625	data	6.747155579382523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3c060	0x37c	data	English	United States	0.4730941704035874

Imports

DLL	Import
msvcrt.dll	_onexit, __dllonexit, _unlock, _lock, _initterm, _amsg_exit, _XcptFilter, _callnewh, malloc, free, _wcsnicmp, _vsnprintf, atof, isdigit, strtok, isalnum, isalpha, atoi, tolower, toupper, ??1type_info@@UAE@XZ, wcsstr, _except_handler4_common, _aligned_malloc, _aligned_free, _snprintf_s, swprintf_s, _vsnprintf_s, strrchr, strcpy_s, _purecall, wcsrchr, strcat_s, sprintf_s, isxdigit, strchr, _vscwprintf, iswalnum, memmove, iswxdigit, wcschr, wcsncpy_s, _vsnwprintf_s, strncpy_s, memcpy, _ftol2_sse, _ftol2, strnlen, wcsnlen, _wcsicmp, _CxxThrowException, _wcslwr, _itoa_s, _stricmp, memset
ntdll.dll	RtlCaptureStackBackTrace, RtlGetNtProductType, EtwLogTraceEvent, RtlSetThreadPreferredUILanguages, RtlGetCurrentPeb, RtlUpcaseUnicodeChar, RtlNtStatusToDosError, RtlMultiByteToUnicodeN
KERNEL32.dll	DeleteTimerQueueEx, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDBCSLeadByteEx, GetComputerNameW, LoadLibraryExW, GetLastError, SetLastError, GetCurrentThreadId, LocalAlloc, LocalFree, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetSystemInfo, InitializeCriticalSectionAndSpinCount, Sleep, GetModuleHandleW, GetProcAddress, DebugBreak, CreateSemaphoreExW, WaitForSingleObject, GetTickCount, ReleaseSemaphore, CloseHandle, HeapReAlloc, GetProcessHeap, HeapAlloc, HeapFree, MultiByteToWideChar, CompareStringOrdinal, ExpandEnvironmentStringsW, WideCharToMultiByte, FormatMessageA, GetModuleHandleA, GetSystemDefaultLangID, GetSystemDirectoryW, GetSystemWindowsDirectoryW, GetTempPathW, OutputDebugStringA, DisableThreadLibraryCalls, GetTickCount64, GetLocalTime, GlobalAlloc, GetStdHandle, GlobalFree, CreateFileA, GetWindowsDirectoryA, FlushFileBuffers, WriteFile, GetEnvironmentVariableW, CreateDirectoryW, GetCurrentProcessId, CreateFileW, SetConsoleTextAttribute, CreateEventA, CreateMutexA, CreateTimerQueueTimer, DeleteTimerQueueTimer, InitializeSListHead, QueryDepthSList, InterlockedPopEntrySList, InterlockedPushEntrySList, CreateTimerQueue, GetModuleHandleExW, GetThreadPreferredUILanguages, FreeLibrary, GetCurrentThread, GetCurrentProcess, CreateEventW, CreateThread, SetEvent, OpenProcess, WaitForMultipleObjectsEx, GetSystemTimeAsFileTime, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTime, FileTimeToLocalFileTime, GetDateFormatA, GetTimeFormatA, GetVersionExW, GetModuleFileNameW, IsDBCSLeadByte, UnregisterWaitEx, ReadFile, GetOverlappedResult, CreateNamedPipeW, ConnectNamedPipe, SetNamedPipeHandleState, DisconnectNamedPipe, CancelIoEx, RegisterWaitForSingleObjectEx, PeekNamedPipe, UnregisterWait, RegisterWaitForSingleObject, GetProcessHeaps, HeapSetInformation, EnumUILanguagesW, GetSystemDefaultUILanguage, LCIDToLocaleName, GetLocaleInfoEx
ADVAPI32.dll	DuplicateTokenEx, RegQueryValueExW, RegCloseKey, RegQueryValueExA, SetSecurityInfo, GetSecurityDescriptorDacl, RegCreateKeyExW, RegSetValueExW, CloseServiceHandle, QueryServiceStatusEx, OpenServiceW, OpenSCManagerW, QueryServiceConfig2W, RegOpenKeyExW, AddAccessDeniedAce, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, OpenProcessToken, LookupAccountSidW, EqualSid, AdjustTokenPrivileges, RegOpenKeyExA, AddAce, GetAce, GetAclInformation, SetKernelObjectSecurity, SetSecurityDescriptorDacl, MakeAbsoluteSD, GetKernelObjectSecurity, SetTokenInformation, AddAccessAllowedAce, InitializeAcl, GetLengthSid, GetTokenInformation, FreeSid, AllocateAndInitializeSid, CreateWellKnownSid, SetThreadToken, ReportEventW, RevertToSelf, OpenThreadToken, DeregisterEventSource, RegisterEventSourceW, RegSetValueExA
USER32.dll	LoadStringW, LoadStringA
ole32.dll	CoUninitialize, CoDisconnectObject, CoInitializeEx
RPCRT4.dll	UuidToStringW, UuidCreate, RpcStringFreeW
CRYPT32.dll	CryptUnprotectMemory, CryptProtectMemory
WS2_32.dll	WSAStartup, GetAddrInfoW, ntohl, WSACleanup, WSAGetLastError, FreeAddrInfoW

Exports

Name	Ordinal	Address
??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ	1	0x10015ca0
??0?$CDataCache@VCDateTime@@@@QAE@XZ	2	0x1001dc30
??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z	3	0x100178e0
??0ASCLOG_DATETIME_CACHE@@QAE@XZ	4	0x100156f0
??0BIG_REF_TRACE@@QAE@XZ	5	0x100263e0
??0BUFFER@@QAE@PAEK@Z	6	0x100081a0
??0BUFFER@@QAE@XZ	7	0x10008180
??0CACHED_DATETIME_FORMATS@@QAE@XZ	8	0x1001da40
??0CCritSec@@QAE@XZ	9	0x1000a0f0
??0CDFTCache@@QAE@XZ	10	0x100155d0
??0CDateTime@@QAE@ABU_FILETIME@@@Z	11	0x1001cde0
??0CDateTime@@QAE@ABU_FILETIME@@ABU_SYSTEMTIME@@@Z	12	0x1001ce00
??0CDateTime@@QAE@ABU_SYSTEMTIME@@@Z	13	0x1001cdb0
??0CDateTime@@QAE@XZ	14	0x100087a0
??0CDoubleList@@QAE@XZ	15	0x1000b6f0
??0CEtwTracer@@QAE@XZ	16	0x1001e980
??0CFakeLock@@QAE@XZ	17	0x100087a0
??0CHUNK_BUFFER@@QAE@XZ	18	0x1001e4f0
??0CLKRHashTable@@QAE@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKK_N@Z	19	0x1000cd10
??0CLKRHashTableStats@@QAE@XZ	20	0x1000b930
??0CLKRHashTable_Iterator@@IAE@PAVCLKRHashTable@@F@Z	21	0x1000bc70
??0CLKRHashTable_Iterator@@QAE@ABV0@@Z	22	0x1000be00
??0CLKRHashTable_Iterator@@QAE@XZ	23	0x1000bca0
??0CLKRLinearHashTable@@AAE@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKPAVCLKRHashTable@@_N@Z	24	0x1000cb50
??0CLKRLinearHashTable@@QAE@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKK_N@Z	25	0x1000caf0
??0CLKRLinearHashTable_Iterator@@IAE@PAVCLKRLinearHashTable@@PAVCNodeClump@@KF@Z	26	0x1000baa0
??0CLKRLinearHashTable_Iterator@@QAE@ABV0@@Z	27	0x1000baf0
??0CLKRLinearHashTable_Iterator@@QAE@XZ	28	0x1000bad0
??0CLockedDoubleList@@QAE@XZ	29	0x1000b8f0
??0CLockedSingleList@@QAE@XZ	30	0x1000b6d0
??0CReaderWriterLock2@@QAE@XZ	31	0x10009b90
??0CReaderWriterLock3@@QAE@XZ	32	0x1000a830
??0CReaderWriterLock@@QAE@XZ	33	0x1000a830
??0CRtlResource@@QAE@XZ	34	0x1000a350
??0CSecurityDispenser@@QAE@XZ	35	0x1001af10
??0CShareLock@@QAE@XZ	36	0x1000a5c0
??0CSharelock@@QAE@HH@Z	37	0x10010f00
??0CSingleList@@QAE@XZ	38	0x1000b5f0
??0CSmallSpinLock@@QAE@XZ	39	0x10009b90
??0CSpinLock@@QAE@XZ	40	0x10009b90
??0EVENT_LOG@@QAE@PBG@Z	41	0x10019130
??0EXTLOG_DATETIME_CACHE@@QAE@XZ	42	0x10015800
??0IPM2_MESSAGE_PIPE@@AAE@XZ	43	0x10022430
??0IPM2_MESSAGE_PIPE@@QAE@ABV0@@Z	44	0x10021ce0
??0IPM_MESSAGE_PIPE@@AAE@XZ	45	0x100206b0
??0IPM_MESSAGE_PIPE@@QAE@ABV0@@Z	46	0x1001fd90
??0LANG_STRING@@QAE@XZ	47	0x10024e60
??0MB@@QAE@PAUIMSAdminBaseW@@@Z	48	0x10011950
??0MB_BASE_NOTIFICATION_SINK@@QAE@XZ	49	0x100199d0
??0MULTISZ@@QAE@ABV0@@Z	50	0x100088f0
??0MULTISZ@@QAE@PAGK@Z	51	0x10008880
??0MULTISZ@@QAE@PBG@Z	52	0x100088b0
??0MULTISZ@@QAE@XZ	53	0x10008840
??0MULTISZA@@QAE@ABV0@@Z	54	0x10014f70
??0MULTISZA@@QAE@PADK@Z	55	0x10008880
??0MULTISZA@@QAE@PBD@Z	56	0x10014f30
??0MULTISZA@@QAE@XZ	57	0x10014f00
??0MULTI_IPM@@QAE@XZ	58	0x10024010
??0STRA@@AAE@ABV0@@Z	59	0x10008810
??0STRA@@AAE@PAD@Z	60	0x10008810
??0STRA@@AAE@PBD@Z	61	0x10008810
??0STRA@@QAE@PADK@Z	62	0x10008cd0
??0STRA@@QAE@XZ	63	0x10008250
??0STRAU@@QAE@AAV0@@Z	64	0x100093a0
??0STRAU@@QAE@PBD@Z	65	0x10009270
??0STRAU@@QAE@PBDH@Z	66	0x100092d0
??0STRAU@@QAE@PBG@Z	67	0x10009340
??0STRAU@@QAE@XZ	68	0x10009220
??0STRU@@AAE@ABV0@@Z	69	0x10008810
??0STRU@@AAE@PAG@Z	70	0x10008810
??0STRU@@AAE@PBG@Z	71	0x10008810
??0STRU@@QAE@PAGK@Z	72	0x10008270
??0STRU@@QAE@XZ	73	0x10008250
??0STRU_PATH@@QAE@G@Z	74	0x10014580
??0STRU_PATH@@QAE@PAGKG@Z	75	0x100145b0
??0TREE_HASH_TABLE@@QAE@ABV0@@Z	76	0x10026ff0
??0TREE_HASH_TABLE@@QAE@H@Z	77	0x10026f80
??0TS_RESOURCE@@QAE@XZ	78	0x1000a290
??0W3_DATETIME_CACHE@@QAE@XZ	79	0x100156d0
??0W3_TRACE_LOG@@QAE@PAVW3_TRACE_LOG_FACTORY@@@Z	80	0x10024a60
??0W3_TRACE_LOG_FACTORY@@AAE@XZ	81	0x100247a0
??1ALLOC_CACHE_HANDLER@@QAE@XZ	82	0x10017990
??1ASCLOG_DATETIME_CACHE@@UAE@XZ	83	0x10015660
??1BIG_REF_TRACE@@QAE@XZ	84	0x10026410
??1BUFFER@@QAE@XZ	85	0x100081d0
??1CACHED_DATETIME_FORMATS@@UAE@XZ	86	0x10015660
??1CCritSec@@QAE@XZ	87	0x1000a120
??1CDoubleList@@QAE@XZ	88	0x10009ba0
??1CEtwTracer@@QAE@XZ	89	0x1001e9c0
??1CFakeLock@@QAE@XZ	90	0x10009ba0
??1CHUNK_BUFFER@@QAE@XZ	91	0x1001e510
??1CLKRHashTable@@QAE@XZ	92	0x1000ceb0
??1CLKRHashTable_Iterator@@QAE@XZ	93	0x1000bdf0
??1CLKRLinearHashTable@@QAE@XZ	94	0x1000ce70
??1CLKRLinearHashTable_Iterator@@QAE@XZ	95	0x1000bb80
??1CLockedDoubleList@@QAE@XZ	96	0x10009ba0
??1CLockedSingleList@@QAE@XZ	97	0x10009ba0
??1CReaderWriterLock2@@QAE@XZ	98	0x10009ba0
??1CReaderWriterLock3@@QAE@XZ	99	0x10009ba0
??1CReaderWriterLock@@QAE@XZ	100	0x10009ba0
??1CRtlResource@@QAE@XZ	101	0x1000a2b0
??1CSecurityDispenser@@QAE@XZ	102	0x1001af60
??1CShareLock@@QAE@XZ	103	0x1000a740
??1CSharelock@@QAE@XZ	104	0x100111e0
??1CSingleList@@QAE@XZ	105	0x10009ba0
??1CSmallSpinLock@@QAE@XZ	106	0x10009ba0
??1CSpinLock@@QAE@XZ	107	0x10009ba0
??1EXTLOG_DATETIME_CACHE@@UAE@XZ	108	0x10015660
??1IPM2_MESSAGE_PIPE@@EAE@XZ	109	0x10022480
??1IPM_MESSAGE_PIPE@@EAE@XZ	110	0x100206f0
??1MB@@QAE@XZ	111	0x100119a0
??1MB_BASE_NOTIFICATION_SINK@@UAE@XZ	112	0x10019a10
??1MULTISZ@@QAE@XZ	113	0x100081d0
??1MULTISZA@@QAE@XZ	114	0x100081d0
??1MULTI_IPM@@QAE@XZ	115	0x100081d0
??1STRA@@QAE@XZ	116	0x100081d0
??1STRAU@@QAE@XZ	117	0x10009810
??1STRU@@QAE@XZ	118	0x100081d0
??1STRU_PATH@@QAE@XZ	119	0x100081d0
??1TREE_HASH_TABLE@@QAE@XZ	120	0x100271c0
??1TS_RESOURCE@@QAE@XZ	121	0x1000a2b0
??1W3_DATETIME_CACHE@@UAE@XZ	122	0x10015660
??1W3_TRACE_LOG@@AAE@XZ	123	0x10024ad0
??1W3_TRACE_LOG_FACTORY@@AAE@XZ	124	0x100247c0
??2CLKRLinearHashTable@@SGPAXI@Z	125	0x1000c5f0
??3CLKRLinearHashTable@@SGXPAX@Z	126	0x1000c610
??4?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAEAAV0@ABV0@@Z	127	0x10015640
??4?$CDataCache@VCDateTime@@@@QAEAAV0@ABV0@@Z	128	0x1001cee0
??4?$CLockBase@$00$00$02$00$02$01@@QAEAAV0@ABV0@@Z	129	0x10008830
??4?$CLockBase@$01$00$00$00$02$01@@QAEAAV0@ABV0@@Z	130	0x10008830
??4?$CLockBase@$02$00$00$00$00$00@@QAEAAV0@ABV0@@Z	131	0x10008830
??4?$CLockBase@$03$00$00$01$02$02@@QAEAAV0@ABV0@@Z	132	0x10008830
??4?$CLockBase@$04$01$00$01$02$02@@QAEAAV0@ABV0@@Z	133	0x10008830
??4?$CLockBase@$05$01$00$01$02$02@@QAEAAV0@ABV0@@Z	134	0x10008830
??4?$CLockBase@$06$01$01$00$02$01@@QAEAAV0@ABV0@@Z	135	0x10008830
??4?$CLockBase@$07$01$01$00$02$01@@QAEAAV0@ABV0@@Z	136	0x10008830
??4?$CLockBase@$08$01$00$00$02$01@@QAEAAV0@ABV0@@Z	137	0x10008830
??4ALLOC_CACHE_HANDLER@@QAEAAV0@ABV0@@Z	138	0x10009890
??4BIG_REF_TRACE@@QAEAAV0@ABV0@@Z	139	0x10008230
??4BUFFER@@QAEAAV0@ABV0@@Z	140	0x10008230
??4CCritSec@@QAEAAV0@ABV0@@Z	141	0x1000a270
??4CDFTCache@@QAEAAV0@ABV0@@Z	142	0x10015640
??4CDateTime@@QAEAAV0@ABV0@@Z	143	0x1000a270
??4CDoubleList@@QAEAAV0@ABV0@@Z	144	0x1000ab90
??4CFakeLock@@QAEAAV0@ABV0@@Z	145	0x10008830
??4CHUNK_BUFFER@@QAEAAV0@ABV0@@Z	146	0x1001e590
??4CLKRHashTableStats@@QAEAAV0@ABV0@@Z	147	0x1000b9f0
??4CLKRHashTable_Iterator@@QAEAAV0@ABV0@@Z	148	0x1000be40
??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z	149	0x1000bb30
??4CLockedDoubleList@@QAEAAV0@ABV0@@Z	150	0x1000b910
??4CLockedSingleList@@QAEAAV0@ABV0@@Z	151	0x1000ab90
??4CReaderWriterLock2@@QAEAAV0@ABV0@@Z	152	0x10009d60
??4CReaderWriterLock3@@QAEAAV0@ABV0@@Z	153	0x1000ab90
??4CReaderWriterLock@@QAEAAV0@ABV0@@Z	154	0x1000ab90
??4CRtlResource@@QAEAAV0@ABV0@@Z	155	0x1000a330
??4CSecurityDispenser@@QAEAAV0@ABV0@@Z	156	0x1001a9c0
??4CSingleList@@QAEAAV0@ABV0@@Z	157	0x10009d60
??4CSmallSpinLock@@QAEAAV0@ABV0@@Z	158	0x10009d60
??4CSpinLock@@QAEAAV0@ABV0@@Z	159	0x10009d60
??4DATETIME_FORMAT_ENTRY@@QAEAAU0@ABU0@@Z	160	0x100155b0
??4EVENT_LOG@@QAEAAV0@ABV0@@Z	161	0x10009d60
??4IPM2_MESSAGE_PIPE@@QAEAAV0@ABV0@@Z	162	0x10021d60
??4IPM_MESSAGE_PIPE@@QAEAAV0@ABV0@@Z	163	0x1001fdf0
??4LANG_STRING@@QAEAAV0@ABV0@@Z	164	0x10009860
??4MB@@QAEAAV0@ABV0@@Z	165	0x1000ab90
??4MULTISZ@@QAEAAV0@ABV0@@Z	166	0x10008cb0
??4MULTISZA@@QAEAAV0@ABV0@@Z	167	0x10008cb0
??4STRA@@AAEAAV0@ABV0@@Z	168	0x10008830
??4STRAU@@QAEAAV0@ABV0@@Z	169	0x10009840
??4STRU@@AAEAAV0@ABV0@@Z	170	0x10008830
??4TREE_HASH_TABLE@@QAEAAV0@ABV0@@Z	171	0x10027030
??4TS_RESOURCE@@QAEAAV0@ABV0@@Z	172	0x1000a330
??4W3_TRACE_LOG@@QAEAAV0@ABV0@@Z	173	0x10024820
??4W3_TRACE_LOG_FACTORY@@QAEAAV0@ABV0@@Z	174	0x100247e0
??8CLKRHashTable_Iterator@@QBE_NABV0@@Z	175	0x1000bd90
??8CLKRLinearHashTable_Iterator@@QBE_NABV0@@Z	176	0x1000bc10
??9CLKRHashTable_Iterator@@QBE_NABV0@@Z	177	0x1000bdc0
??9CLKRLinearHashTable_Iterator@@QBE_NABV0@@Z	178	0x1000bc40
??_7ASCLOG_DATETIME_CACHE@@6B@	179	0x10001fa4
??_7CACHED_DATETIME_FORMATS@@6B@	180	0x10001fb4
??_7EXTLOG_DATETIME_CACHE@@6B@	181	0x10001f9c
??_7IPM2_MESSAGE_PIPE@@6B@	182	0x10002010
??_7IPM_MESSAGE_PIPE@@6B@	183	0x10001ff0
??_7TREE_HASH_TABLE@@6B@	184	0x10002028
??_7W3_DATETIME_CACHE@@6B@	185	0x10001fac
??_FCSharelock@@QAEXXZ	186	0x1000a4c0
??_FSTRU_PATH@@QAEXXZ	187	0x10014570
?ActiveUsers@CSharelock@@QAEHXZ	188	0x1000a4b0
?AddNewBlock@CHUNK_BUFFER@@AAEJK@Z	189	0x1001e830
?AddNodeInternal@TREE_HASH_TABLE@@AAEJPBGKPAXPAUTREE_HASH_NODE@@PAPAU2@@Z	190	0x10027410
?AddObject@MB@@QAEHPBG@Z	191	0x10011cd0
?AddRef@MB_BASE_NOTIFICATION_SINK@@UAGKXZ	192	0x10019a40
?AddTrace@BIG_REF_TRACE@@AAEJPAXHH@Z	193	0x100266a0
?AdjustTokenForAdministrators@CSecurityDispenser@@QAEKPAX@Z	195	0x1001b180
?Alloc@ALLOC_CACHE_HANDLER@@QAEPAXXZ	197	0x10017ac0
?AllocateEntry@BIG_REF_TRACE@@AAEPAU_REF_TRACE_ENTRY@@XZ	200	0x10026830
?AllocateHeadEntry@BIG_REF_TRACE@@AAEPAU_REF_TRACE_HEAD_ENTRY@@PAX@Z	201	0x10026880
?AllocateNode@TREE_HASH_TABLE@@AAEJPBGKPAXPAUTREE_HASH_NODE@@PAPAU2@@Z	202	0x10027070
?AllocateSpace@CHUNK_BUFFER@@QAEJKPAPAD@Z	203	0x1001e5b0
?AllocateSpace@CHUNK_BUFFER@@QAEJKPAPAG@Z	204	0x1001e620
?AllocateSpace@CHUNK_BUFFER@@QAEJKPAPAX@Z	205	0x1001e640
?AllocateSpace@CHUNK_BUFFER@@QAEJPADKPAPAD@Z	206	0x1001e670
?AllocateSpace@CHUNK_BUFFER@@QAEJPAGKPAPAG@Z	207	0x1001e710
?Append@MULTISZ@@QAEHAAVSTRU@@@Z	208	0x100089d0
?Append@MULTISZ@@QAEHPBG@Z	209	0x10008960
?Append@MULTISZ@@QAEHPBGK@Z	210	0x100089a0
?Append@MULTISZA@@QAEHAAVSTRA@@@Z	211	0x100150a0
?Append@MULTISZA@@QAEHPBD@Z	212	0x10014fc0
?Append@MULTISZA@@QAEHPBDK@Z	213	0x10015040
?Append@STRA@@QAEJABV1@@Z	214	0x10008ea0
?Append@STRA@@QAEJPBD@Z	215	0x10008e30
?Append@STRA@@QAEJPBDK@Z	216	0x10008e70
?Append@STRAU@@QAEHAAV1@@Z	217	0x10009540
?Append@STRAU@@QAEHPBD@Z	218	0x10009460
?Append@STRAU@@QAEHPBDK@Z	219	0x100094e0
?Append@STRAU@@QAEHPBG@Z	220	0x100094a0
?Append@STRAU@@QAEHPBGK@Z	221	0x10009510
?Append@STRU@@QAEJABV1@@Z	222	0x10008500
?Append@STRU@@QAEJG@Z	223	0x10008540
?Append@STRU@@QAEJPBG@Z	224	0x10008470
?Append@STRU@@QAEJPBGK@Z	225	0x100084c0
?AppendA@STRU@@QAEJPBD@Z	226	0x100085d0
?AppendA@STRU@@QAEJPBDK@Z	227	0x10008570
?AppendA_ACP@STRU@@QAEJPBD@Z	228	0x10008610
?AppendA_ACP@STRU@@QAEJPBDK@Z	229	0x100085a0
?AppendData@W3_TRACE_LOG_FACTORY@@QAEJPAXK@Z	230	0x100249b0
?AppendW@MULTISZA@@QAEHPBG@Z	231	0x10015000
?AppendW@MULTISZA@@QAEHPBGK@Z	232	0x10015070
?AppendW@STRA@@QAEJPBG@Z	233	0x10008ed0
?AppendW@STRA@@QAEJPBGK@Z	234	0x10008f30
?AppendWSimple@STRA@@QAEJPBGK@Z	235	0x10008f10
?AppendWTruncate@STRA@@QAEJPBG@Z	236	0x10008f70
?AppendWTruncate@STRA@@QAEJPBGK@Z	237	0x10008f50
?Apply@CLKRHashTable@@QAEKP6G?AW4LK_ACTION@@PBXPAX@Z1W4LK_LOCKTYPE@@@Z	238	0x1000dd50
?Apply@CLKRLinearHashTable@@QAEKP6G?AW4LK_ACTION@@PBXPAX@Z1W4LK_LOCKTYPE@@@Z	239	0x1000dce0
?ApplyIf@CLKRHashTable@@QAEKP6G?AW4LK_PREDICATE@@PBXPAX@ZP6G?AW4LK_ACTION@@01@Z1W4LK_LOCKTYPE@@@Z	240	0x1000de70
?ApplyIf@CLKRLinearHashTable@@QAEKP6G?AW4LK_PREDICATE@@PBXPAX@ZP6G?AW4LK_ACTION@@01@Z1W4LK_LOCKTYPE@@@Z	241	0x1000ddf0
?ApplyIf@TREE_HASH_TABLE@@QAEXP6GXPAX0@Z0@Z	242	0x100278a0
?AuxAppend@MULTISZ@@AAEHPBGIH@Z	243	0x10014b60
?AuxAppend@MULTISZA@@AAEHPBEIH@Z	244	0x10015340
?AuxAppend@STRA@@AAEJPBEKK_N@Z	245	0x10012f60
?AuxAppend@STRAU@@AAEHPBDIH@Z	246	0x10013e90
?AuxAppend@STRAU@@AAEHPBGIH@Z	247	0x10014030
?AuxAppend@STRU@@AAEJPBEKK_N@Z	248	0x100123e0
?AuxAppendA@STRU@@AAEJPBEKK_N1@Z	249	0x10012490
?AuxAppendW@MULTISZA@@AAEHPBGIH@Z	250	0x100153f0
?AuxAppendW@STRA@@AAEJPBGKK_N@Z	251	0x10013020
?AuxAppendWSimple@STRA@@AAEJPBGKK_N@Z	252	0x10013130
?AuxAppendWTruncate@STRA@@AAEJPBGKK_N@Z	253	0x10013250
?AuxInit@MULTISZ@@AAEXPBG@Z	254	0x10014ae0
?AuxInit@MULTISZA@@AAEXPBE@Z	255	0x100152d0
?AuxInit@STRAU@@AAEXPBD@Z	256	0x10013d80
?AuxInit@STRAU@@AAEXPBG@Z	257	0x10013e00
?Begin@CLKRHashTable@@QAE?AVCLKRHashTable_Iterator@@XZ	260	0x1000fc70
?Begin@CLKRLinearHashTable@@QAE?AVCLKRLinearHashTable_Iterator@@XZ	261	0x1000f6f0
?BucketIndex@CLKRHashTableStats@@SGJJ@Z	262	0x1000b9b0
?BucketSize@CLKRHashTableStats@@SGJJ@Z	263	0x1000b990
?BucketSizes@CLKRHashTableStats@@SGPBJXZ	264	0x1000b980
?CalcHash@TREE_HASH_TABLE@@QAEKPBG@Z	265	0x10027250
?CalcLength@MULTISZ@@SGKPBGPAK@Z	266	0x100149b0
?CalcLength@MULTISZA@@SGKPBDPAK@Z	267	0x10015210
?ChangeExclusiveLockToSharedLock@CSharelock@@QAEXXZ	268	0x1000a4e0
?ChangeSharedLockToExclusiveLock@CSharelock@@QAEEH@Z	269	0x1000a4f0
?CheckSignature@BIG_REF_TRACE@@ABEHXZ	270	0x10009910
?CheckTable@CLKRHashTable@@QBEHXZ	271	0x1000e530
?CheckTable@CLKRLinearHashTable@@QBEHXZ	272	0x1000e330
?ClaimExclusiveLock@CSharelock@@QAEEH@Z	273	0x1000a520
?ClaimShareLock@CSharelock@@QAEEH@Z	274	0x1000a550
?ClassName@CCritSec@@SGPBGXZ	275	0x1000a260
?ClassName@CFakeLock@@SGPBGXZ	276	0x1000a0e0
?ClassName@CLKRHashTable@@SGPBGXZ	277	0x1000c800
?ClassName@CLKRLinearHashTable@@SGPBGXZ	278	0x1000c140
?ClassName@CReaderWriterLock2@@SGPBGXZ	279	0x1000afd0
?ClassName@CReaderWriterLock3@@SGPBGXZ	280	0x1000b5e0
?ClassName@CReaderWriterLock@@SGPBGXZ	281	0x1000ab80
?ClassName@CRtlResource@@SGPBDXZ	282	0x1000a4a0
?ClassName@CShareLock@@SGPBDXZ	283	0x1000a730
?ClassName@CSmallSpinLock@@SGPBGXZ	284	0x10009d50
?ClassName@CSpinLock@@SGPBGXZ	285	0x1000a000
?Cleanup@ALLOC_CACHE_HANDLER@@SGHH@Z	286	0x10017550
?CleanupAllLookasides@ALLOC_CACHE_HANDLER@@SGXPAXE@Z	287	0x10017850
?CleanupLookaside@ALLOC_CACHE_HANDLER@@QAEXH@Z	288	0x10017a20
?Clear@CLKRHashTable@@QAEXXZ	289	0x1000e6e0
?Clear@CLKRLinearHashTable@@QAEXXZ	290	0x1000c410
?Clear@TREE_HASH_TABLE@@QAEXXZ	291	0x10027200
?ClearBuffer@W3_TRACE_LOG@@QAEXXZ	292	0x10024b80
?Clone@MULTISZ@@QBEHPAV1@@Z	293	0x10008bb0
?Clone@MULTISZA@@QBEHPAV1@@Z	294	0x10015150
?Clone@STRA@@QBEJPAV1@@Z	295	0x100091f0
?Close@MB@@QAEHXZ	296	0x10011a70
?Convert@TS_RESOURCE@@QAEXW4TSRES_CONV_TYPE@@@Z	297	0x1000a2f0
?ConvertExclusiveToShared@CCritSec@@QAEXXZ	298	0x10009ba0
?ConvertExclusiveToShared@CFakeLock@@QAEXXZ	299	0x10009ba0
?ConvertExclusiveToShared@CLKRHashTable@@QBEXXZ	300	0x10010400
?ConvertExclusiveToShared@CLKRLinearHashTable@@QBEXXZ	301	0x1000c5e0
?ConvertExclusiveToShared@CReaderWriterLock2@@QAEXXZ	302	0x1000aee0
?ConvertExclusiveToShared@CReaderWriterLock3@@QAEXXZ	303	0x1000b4e0
?ConvertExclusiveToShared@CReaderWriterLock@@QAEXXZ	304	0x1000aaa0
?ConvertExclusiveToShared@CRtlResource@@QAEXXZ	305	0x1000a3f0
?ConvertExclusiveToShared@CShareLock@@QAEXXZ	306	0x1000a4e0
?ConvertExclusiveToShared@CSmallSpinLock@@QAEXXZ	307	0x10009ba0
?ConvertExclusiveToShared@CSpinLock@@QAEXXZ	308	0x10009ba0
?ConvertSharedToExclusive@CCritSec@@QAEXXZ	309	0x10009ba0
?ConvertSharedToExclusive@CFakeLock@@QAEXXZ	310	0x10009ba0
?ConvertSharedToExclusive@CLKRHashTable@@QBEXXZ	311	0x100103d0
?ConvertSharedToExclusive@CLKRLinearHashTable@@QBEXXZ	312	0x1000c5d0
?ConvertSharedToExclusive@CReaderWriterLock2@@QAEXXZ	313	0x1000aea0
?ConvertSharedToExclusive@CReaderWriterLock3@@QAEXXZ	314	0x1000b420
?ConvertSharedToExclusive@CReaderWriterLock@@QAEXXZ	315	0x1000aa40
?ConvertSharedToExclusive@CRtlResource@@QAEXXZ	316	0x1000a3e0
?ConvertSharedToExclusive@CShareLock@@QAEXXZ	317	0x1000a650
?ConvertSharedToExclusive@CSmallSpinLock@@QAEXXZ	318	0x10009ba0
?ConvertSharedToExclusive@CSpinLock@@QAEXXZ	319	0x10009ba0
?Copy@MULTISZ@@QAEHABV1@@Z	325	0x10008b10
?Copy@MULTISZ@@QAEHPBGK@Z	326	0x10008ac0
?Copy@MULTISZA@@QAEHABV1@@Z	327	0x10015130
?Copy@MULTISZA@@QAEHPBDK@Z	328	0x100150f0
?Copy@STRA@@QAEJABV1@@Z	329	0x10009020
?Copy@STRA@@QAEJPBD@Z	330	0x10008fb0
?Copy@STRA@@QAEJPBDK@Z	331	0x10008ff0
?Copy@STRAU@@QAEHAAV1@@Z	332	0x100096b0
?Copy@STRAU@@QAEHPBD@Z	333	0x100095d0
?Copy@STRAU@@QAEHPBDK@Z	334	0x10009630
?Copy@STRAU@@QAEHPBG@Z	335	0x10009600
?Copy@STRAU@@QAEHPBGK@Z	336	0x10009670
?Copy@STRU@@QAEJABV1@@Z	337	0x100086d0
?Copy@STRU@@QAEJPBG@Z	338	0x10008650
?Copy@STRU@@QAEJPBGK@Z	339	0x100086a0
?Copy@STRU@@QAEJPBV1@@Z	340	0x100086d0
?CopyA@STRU@@QAEJPBD@Z	341	0x10008700
?CopyA@STRU@@QAEJPBDK@Z	342	0x10008760
?CopyA_ACP@STRU@@QAEJPBD@Z	343	0x10008730
?CopyA_ACP@STRU@@QAEJPBDK@Z	344	0x10008780
?CopyBinary@STRA@@QAEJPAXK@Z	345	0x10013bc0
?CopyFormattedData@CDFTCache@@QBEHPBU_SYSTEMTIME@@PAD@Z	346	0x1001d790
?CopyFormattedData@DATETIME_FORMAT_ENTRY@@QBEXPBU_SYSTEMTIME@@PAD@Z	347	0x1001d730
?CopyToBuffer@MULTISZ@@QBEHPAGPAK@Z	348	0x10014ce0
?CopyToBuffer@MULTISZA@@QBEHPADPAK@Z	349	0x100154a0
?CopyToBuffer@STRA@@QBEJPADPAK@Z	350	0x100139e0
?CopyToBuffer@STRU@@QBEJPAGPAK@Z	351	0x10012580
?CopyW@STRA@@QAEJPBG@Z	352	0x10009050
?CopyW@STRA@@QAEJPBGK@Z	353	0x10009090
?CopyWToUTF8Escaped@STRA@@QAEJABVSTRU@@@Z	354	0x10013390
?CopyWToUTF8Escaped@STRA@@QAEJPBG@Z	355	0x10009130
?CopyWToUTF8Escaped@STRA@@QAEJPBGK@Z	356	0x100133b0
?CopyWToUTF8Unescaped@STRA@@QAEJABVSTRU@@@Z	357	0x10013310
?CopyWToUTF8Unescaped@STRA@@QAEJPBG@Z	358	0x10009160
?CopyWToUTF8Unescaped@STRA@@QAEJPBGK@Z	359	0x10013330
?CopyWTruncate@STRA@@QAEJPBG@Z	360	0x100090c0
?CopyWTruncate@STRA@@QAEJPBGK@Z	361	0x10009100
?CreateIpmMessagePipe@IPM2_MESSAGE_PIPE@@SGJPAVIPM2_MESSAGE_ACCEPTOR@@PBGHHKPAU_SECURITY_ATTRIBUTES@@PAPAV1@PAH@Z	362	0x100225e0
?CreateIpmMessagePipe@IPM2_MESSAGE_PIPE@@SGJPAVIPM2_MESSAGE_ACCEPTOR@@PBGHPAU_SECURITY_ATTRIBUTES@@PAPAV1@@Z	363	0x100225b0
?CreateIpmMessagePipe@IPM_MESSAGE_PIPE@@SGJPAVIPM_MESSAGE_ACCEPTOR@@PBGHPAU_SECURITY_ATTRIBUTES@@PAPAV1@@Z	364	0x10020830
?CreateServer@MULTI_IPM@@QAEJPBGKPAU_SECURITY_ATTRIBUTES@@@Z	365	0x10024050
?CreateTraceLog@W3_TRACE_LOG_FACTORY@@QAEJPAPAVW3_TRACE_LOG@@@Z	367	0x10024960
?CreateTraceLogFactory@W3_TRACE_LOG_FACTORY@@SGJPAPAV1@PAX@Z	368	0x10024840
?DateTimeChars@CDFTCache@@QBEKXZ	369	0x1000c810
?DayOfWeek3CharNames@@YGPBDK@Z	370	0x1001d100
?DecrementAcceptorInUse@IPM2_MESSAGE_PIPE@@AAGXXZ	372	0x10022fd0
?DecrementAcceptorInUse@IPM_MESSAGE_PIPE@@AAGXXZ	373	0x10020ea0
?DeleteData@MB@@QAEHPBGKKK@Z	375	0x10011db0
?DeleteIf@CLKRHashTable@@QAEKP6G?AW4LK_PREDICATE@@PBXPAX@Z1@Z	376	0x1000df70
?DeleteIf@CLKRLinearHashTable@@QAEKP6G?AW4LK_PREDICATE@@PBXPAX@Z1@Z	377	0x1000df10
?DeleteIf@TREE_HASH_TABLE@@QAEXP6GHPAX0@Z0@Z	378	0x100277d0
?DeleteKey@CLKRHashTable@@QAE?AW4LK_RETCODE@@K@Z	379	0x1000d5a0
?DeleteKey@CLKRLinearHashTable@@QAE?AW4LK_RETCODE@@K@Z	380	0x1000c200
?DeleteNode@TREE_HASH_TABLE@@AAEXPAUTREE_HASH_NODE@@@Z	381	0x10027110
?DeleteNodeInternal@TREE_HASH_TABLE@@AAEXPAPAUTREE_HASH_NODE@@PAU2@@Z	382	0x100276f0
?DeleteObject@MB@@QAEHPBG@Z	383	0x10011d40
?DeletePath@TREE_HASH_TABLE@@QAEXPBG@Z	384	0x10027770
?DeleteRecord@CLKRHashTable@@QAE?AW4LK_RETCODE@@PBX@Z	385	0x1000d7a0
?DeleteRecord@CLKRLinearHashTable@@QAE?AW4LK_RETCODE@@PBX@Z	386	0x1000c270
?DestroyEventLogSource@EVENT_LOG@@CGXPAU_EVENT_LOG_SOURCE@@@Z	387	0x100194c0
?DestroyIpmMessagePipe@IPM2_MESSAGE_PIPE@@QAGXXZ	388	0x10022960
?DestroyIpmMessagePipe@IPM_MESSAGE_PIPE@@QAGXXZ	389	0x10020bd0
?DestroyTraceLog@W3_TRACE_LOG@@QAEXXZ	390	0x10024aa0
?DestroyTraceLogFactory@W3_TRACE_LOG_FACTORY@@QAEXXZ	391	0x10024900
?DisableEventsCallbackCustomHandler@CEtwTracer@@UAEKXZ	392	0x1000a030
?DisableFreeList@ALLOC_CACHE_HANDLER@@QAEXXZ	393	0x10017c20
?DumpStatsToHtml@ALLOC_CACHE_HANDLER@@SGHPADPAK@Z	395	0x10017620
?EmptyAndFreeHeadEntry@BIG_REF_TRACE@@AAEJPAU_REF_TRACE_HEAD_ENTRY@@@Z	398	0x100268d0
?EnableEventsCallbackCustomHandler@CEtwTracer@@UAEKXZ	399	0x1000a030
?End@CLKRHashTable@@QAE?AVCLKRHashTable_Iterator@@XZ	401	0x1000c890
?End@CLKRLinearHashTable@@QAE?AVCLKRLinearHashTable_Iterator@@XZ	402	0x1000c660
?EnumObjects@MB@@QAEHPBGPAGK@Z	403	0x10011c60
?EnumUILanguagesProc@LANG_STRING@@CGHPAGJ@Z	404	0x10025140
?EqualRange@CLKRHashTable@@QAE_NKAAVCLKRHashTable_Iterator@@0@Z	405	0x100100f0
?EqualRange@CLKRLinearHashTable@@QAE_NKAAVCLKRLinearHashTable_Iterator@@0@Z	406	0x1000fb70
?Equals@MULTISZ@@QAEHPAV1@@Z	407	0x10014d40
?Equals@STRA@@QBE_NABV1@@Z	408	0x10008d00
?Equals@STRA@@QBE_NPBD@Z	409	0x10008d60
?Equals@STRU@@QBE_NABV1@@Z	410	0x100082b0
?Equals@STRU@@QBE_NPBG@Z	411	0x10008310
?EqualsNoCase@STRA@@QBE_NABV1@@Z	412	0x10008db0
?EqualsNoCase@STRA@@QBE_NPBD@Z	413	0x10008de0
?EqualsNoCase@STRU@@QBE_NABV1@@Z	414	0x10008370
?EqualsNoCase@STRU@@QBE_NPBG@Z	415	0x100083b0
?Erase@CLKRHashTable@@QAE_NAAVCLKRHashTable_Iterator@@0@Z	416	0x1000ff50
?Erase@CLKRHashTable@@QAE_NAAVCLKRHashTable_Iterator@@@Z	417	0x1000fe60
?Erase@CLKRLinearHashTable@@QAE_NAAVCLKRLinearHashTable_Iterator@@0@Z	418	0x1000fa30
?Erase@CLKRLinearHashTable@@QAE_NAAVCLKRLinearHashTable_Iterator@@@Z	419	0x1000f980
?Escape@STRA@@QAEJ_N0@Z	420	0x10013640
?Escape@STRU@@QAEJXZ	421	0x10012a30
?EtwTraceEvent@CEtwTracer@@QAAKPBU_GUID@@KZZ	422	0x1001eaa0
?EtwTraceEvent@CEtwTracer@@QAEKPAU_ETW_TRACE_EVENT@@@Z	423	0x1001e8b0
?EtwTraceEvent@CEtwTracer@@QAEKPAU_EVENT_TRACE_HEADER@@@Z	424	0x1001e8d0
?ExpandEnvironmentVariables@STRU@@SGJPBGPAV1@@Z	425	0x10012ec0
?ExpandEnvironmentVariables@STRU_PATH@@QAEJPAG@Z	426	0x100146c0
?ExpandEnvironmentVariables@STRU_PATH@@QAEJXZ	427	0x10014820
?FastAppend@MULTISZ@@QAEHAAVSTRU@@@Z	428	0x10008a70
?FastAppend@MULTISZ@@QAEHPBG@Z	429	0x10008a00
?FastAppend@MULTISZ@@QAEHPBGK@Z	430	0x10008a40
?FastAuxAppend@MULTISZ@@AAEHPBGIH@Z	431	0x10014c20
?FastCopy@MULTISZ@@QAEHABV1@@Z	432	0x10008b80
?FastCopy@MULTISZ@@QAEHPBGK@Z	433	0x10008b30
?FileTimeToGMT@@YGHABU_FILETIME@@PADK@Z	434	0x1001d3f0
?FileTimeToGMTEx@@YGHABU_FILETIME@@PADKK@Z	435	0x1001d440
?Find@CLKRHashTable@@QAE_NKAAVCLKRHashTable_Iterator@@@Z	436	0x1000fff0
?Find@CLKRLinearHashTable@@QAE_NKAAVCLKRLinearHashTable_Iterator@@@Z	437	0x1000fac0
?FindKey@CLKRHashTable@@QBE?AW4LK_RETCODE@@KPAPBX@Z	438	0x1000dab0
?FindKey@CLKRLinearHashTable@@QBE?AW4LK_RETCODE@@KPAPBX@Z	439	0x1000c300
?FindNodeInternal@TREE_HASH_TABLE@@AAEHPBGKPAPAUTREE_HASH_NODE@@PAPAPAU2@@Z	440	0x100272d0
?FindRecord@CLKRHashTable@@QBE?AW4LK_RETCODE@@PBX@Z	441	0x1000dc20
?FindRecord@CLKRLinearHashTable@@QBE?AW4LK_RETCODE@@PBX@Z	442	0x1000c380
?FindRecord@TREE_HASH_TABLE@@QAEXPBGPAPAX@Z	443	0x10027380
?FindRefTraceHeadEntry@BIG_REF_TRACE@@SGPAU_REF_TRACE_HEAD_ENTRY@@PAV1@PAX@Z	444	0x100098d0
?FindString@MULTISZ@@QAEHAAVSTRU@@@Z	445	0x10008c10
?FindString@MULTISZ@@QAEHPBG@Z	446	0x10014a10
?FindString@MULTISZA@@QAEHAAVSTRA@@@Z	447	0x100151a0
?FindString@MULTISZA@@QAEHPBD@Z	448	0x10015260
?FindStringNoCase@MULTISZ@@QAEHAAVSTRU@@@Z	449	0x10008c30
?FindStringNoCase@MULTISZ@@QAEHPBG@Z	450	0x10014a90
?First@CDoubleList@@QBEQAVCListEntry@@XZ	451	0x10009880
?First@CLockedDoubleList@@QAEQAVCListEntry@@XZ	452	0x1000a4b0
?First@MULTISZ@@QBEPBGXZ	453	0x10008c50
?First@MULTISZA@@QBEPBDXZ	454	0x100151c0
?FormatString@STRA@@QAEJKQAPBDPBDK@Z	456	0x10013980
?FormattedBuffer@CDFTCache@@QBEPBDXZ	457	0x10015620
?Free@ALLOC_CACHE_HANDLER@@QAEHPAX@Z	458	0x10017b40
?FreeAllAllocatedSpace@CHUNK_BUFFER@@QAEXXZ	459	0x1001e520
?FreeEntry@BIG_REF_TRACE@@AAEXPAU_REF_TRACE_ENTRY@@@Z	460	0x10026860
?FreeHeadEntry@BIG_REF_TRACE@@AAEXPAU_REF_TRACE_HEAD_ENTRY@@@Z	461	0x100268b0
?FreeMemory@BUFFER@@QAEXXZ	462	0x10012390
?FreeMemoryInternal@BUFFER@@AAEXXZ	463	0x100123c0
?GenerateDateTimeString@ASCLOG_DATETIME_CACHE@@UAEXPAUDATETIME_FORMAT_ENTRY@@PBU_SYSTEMTIME@@@Z	469	0x1001d810
?GenerateDateTimeString@EXTLOG_DATETIME_CACHE@@UAEXPAUDATETIME_FORMAT_ENTRY@@PBU_SYSTEMTIME@@@Z	470	0x1001d910
?GenerateDateTimeString@W3_DATETIME_CACHE@@UAEXPAUDATETIME_FORMAT_ENTRY@@PBU_SYSTEMTIME@@@Z	471	0x1001d9f0
?GetAll@MB@@QAEHPBGKKPAVBUFFER@@PAK2@Z	473	0x10011b40
?GetBucketLockSpinCount@CLKRHashTable@@QBEGXZ	474	0x10010570
?GetBucketLockSpinCount@CLKRLinearHashTable@@QBEGXZ	475	0x10010510
?GetBuffer@MB@@QAEHPBGKKPAVBUFFER@@PAKK@Z	476	0x100117a0
?GetChildPaths@MB@@QAEHPBGPAVBUFFER@@@Z	477	0x10012060
?GetData@MB@@QAEHPBGKKKPAXPAKK@Z	478	0x10011f10
?GetDataPaths@MB@@QAEHPBGKKPAVBUFFER@@@Z	479	0x10011fb0
?GetDataSetNumber@MB@@QAEHPBGPAK@Z	480	0x10011bf0
?GetDefaultSpinAdjustmentFactor@CCritSec@@SGNXZ	481	0x1000a250
?GetDefaultSpinAdjustmentFactor@CFakeLock@@SGNXZ	482	0x1000a0d0
?GetDefaultSpinAdjustmentFactor@CReaderWriterLock2@@SGNXZ	483	0x1000afc0
?GetDefaultSpinAdjustmentFactor@CReaderWriterLock3@@SGNXZ	484	0x1000b5d0
?GetDefaultSpinAdjustmentFactor@CReaderWriterLock@@SGNXZ	485	0x1000ab70
?GetDefaultSpinAdjustmentFactor@CRtlResource@@SGNXZ	486	0x1000a490
?GetDefaultSpinAdjustmentFactor@CShareLock@@SGNXZ	487	0x1000a720
?GetDefaultSpinAdjustmentFactor@CSmallSpinLock@@SGNXZ	488	0x10009d40
?GetDefaultSpinAdjustmentFactor@CSpinLock@@SGNXZ	489	0x10009ff0
?GetDefaultSpinCount@CCritSec@@SGGXZ	490	0x1000a1c0
?GetDefaultSpinCount@CFakeLock@@SGGXZ	491	0x1000a080
?GetDefaultSpinCount@CReaderWriterLock2@@SGGXZ	492	0x1000af30
?GetDefaultSpinCount@CReaderWriterLock3@@SGGXZ	493	0x1000b540
?GetDefaultSpinCount@CReaderWriterLock@@SGGXZ	494	0x1000aae0
?GetDefaultSpinCount@CRtlResource@@SGGXZ	495	0x1000a400
?GetDefaultSpinCount@CShareLock@@SGGXZ	496	0x1000a690
?GetDefaultSpinCount@CSmallSpinLock@@SGGXZ	497	0x10009cb0
?GetDefaultSpinCount@CSpinLock@@SGGXZ	498	0x10009f60
?GetDword@MB@@QAEHPBGKKPAKK@Z	499	0x10011800
?GetDword@MB@@QAEXPBGKKKPAKK@Z	500	0x10011840
?GetFallbackLanguage@LANG_STRING@@QAEJPAPBD@Z	501	0x10025b50
?GetFormattedCurrentDateTime@CACHED_DATETIME_FORMATS@@QAEKPAD@Z	502	0x1001dba0
?GetFormattedDateTime@CACHED_DATETIME_FORMATS@@QAEKPBU_SYSTEMTIME@@PAD@Z	503	0x1001dab0
?GetIisIusrsSID@CSecurityDispenser@@QAEKPAPAX@Z	504	0x1001b0e0
?GetLanguage@LANG_STRING@@QAEJPBDKPAPBDHH@Z	505	0x10025aa0
?GetLanguages@LANG_STRING@@QBEJPAPAPBDPAK@Z	506	0x10025d10
?GetLocalGroupSID@CSecurityDispenser@@QAEKPAPAX@Z	507	0x1001b130
?GetMultisz@MB@@QAEHPBGKKPAVMULTISZ@@K@Z	508	0x10012210
?GetParentLanguage@LANG_STRING@@AAEJPADPAVBUFFER@@@Z	509	0x100259a0
?GetPrime@TREE_HASH_TABLE@@CGKK@Z	510	0x10027a10
?GetSID@CSecurityDispenser@@QAEKW4WELL_KNOWN_SID_TYPE@@PAPAX@Z	511	0x1001afb0
?GetSeperator@STRU_PATH@@AAEGXZ	513	0x100145e0
?GetSpinCount@CCritSec@@QBEGXZ	514	0x1000a1c0
?GetSpinCount@CFakeLock@@QBEGXZ	515	0x1000a030
?GetSpinCount@CReaderWriterLock2@@QBEGXZ	516	0x1000af30
?GetSpinCount@CReaderWriterLock3@@QBEGXZ	517	0x1000b540
?GetSpinCount@CReaderWriterLock@@QBEGXZ	518	0x1000aae0
?GetSpinCount@CRtlResource@@QBEGXZ	519	0x1000a400
?GetSpinCount@CShareLock@@QBEGXZ	520	0x1000a690
?GetSpinCount@CSmallSpinLock@@QBEGXZ	521	0x10009cb0
?GetSpinCount@CSpinLock@@QBEGXZ	522	0x10009f60
?GetStatistics@CLKRHashTable@@QBE?AVCLKRHashTableStats@@XZ	523	0x1000ea60
?GetStatistics@CLKRLinearHashTable@@QBE?AVCLKRHashTableStats@@XZ	524	0x1000e720
?GetStr@MB@@QAEHPBGKKPAVSTRU@@K0@Z	525	0x10012170
?GetString@LANG_STRING@@QAEJIPBDPAPBGPAK@Z	526	0x10025b80
?GetString@LANG_STRING@@QAEJPBDKIPAPBGPAK@Z	527	0x10025cc0
?GetString@MB@@QAEHPBGKKPAGPAKK@Z	528	0x10011880
?GetStringizedIpmOpcode@IPM2_MESSAGE_PIPE@@SGPBGW4IPM2_OPCODE@@@Z	529	0x10021f10
?GetStringizedIpmOpcode@IPM_MESSAGE_PIPE@@SGPBGW4IPM_OPCODE@@@Z	530	0x1001ff90
?GetStringizedWpShutdownOpcode@IPM_MESSAGE_PIPE@@SGPBGW4IPM_WP_SHUTDOWN_MSG@@@Z	531	0x100201f0
?GetSystemChangeNumber@MB@@QAEHPAK@Z	532	0x10011e20
?GetTableLockSpinCount@CLKRHashTable@@QBEGXZ	533	0x10010520
?GetTableLockSpinCount@CLKRLinearHashTable@@QBEGXZ	534	0x1000b540
?GetTickCount@CDateTime@@QAEHXZ	535	0x1001ce30
?HTMLEncode@STRA@@QAEJXZ	539	0x10013a30
?HTMLEncode@STRU@@QAEJXZ	540	0x10012d40
?Hash@BIG_REF_TRACE@@SGKPAX@Z	541	0x100098b0
?HeadNode@CDoubleList@@QBEQBVCListEntry@@XZ	542	0x100087a0
?HeadNode@CLockedDoubleList@@QBEQBVCListEntry@@XZ	543	0x1000b840
?HeaderToInstalledLanguage@LANG_STRING@@AAEJPADKPAPBDH@Z	544	0x10025480
?Increment@CLKRHashTable_Iterator@@QAE_NXZ	545	0x1000bcc0
?Increment@CLKRLinearHashTable_Iterator@@QAE_NXZ	546	0x1000bb90
?IncrementAcceptorInUse@IPM2_MESSAGE_PIPE@@AAGXXZ	547	0x10022fb0
?IncrementAcceptorInUse@IPM_MESSAGE_PIPE@@AAGXXZ	548	0x10020e70
?Indent@W3_TRACE_LOG@@QAEXXZ	549	0x10024800
?Initialize@ALLOC_CACHE_HANDLER@@SGHXZ	550	0x100174a0
?Initialize@BIG_REF_TRACE@@QAEJXZ	551	0x100264b0
?Initialize@CHUNK_BUFFER@@AAEXXZ	552	0x1001e560
?Initialize@EVENT_LOG@@SGJXZ	553	0x10019060
?Initialize@LANG_STRING@@QAEJPAUHINSTANCE__@@K@Z	554	0x10024e80
?Initialize@MULTI_IPM@@QAEJXZ	555	0x1000a030
?Initialize@TREE_HASH_TABLE@@QAEJK@Z	556	0x10027170
?InitializeStatic@BIG_REF_TRACE@@SGJXZ	559	0x10026420
?Insert@CLKRHashTable@@QAE_NPBXAAVCLKRHashTable_Iterator@@_N@Z	560	0x1000fd40
?Insert@CLKRLinearHashTable@@QAE_NPBXAAVCLKRLinearHashTable_Iterator@@_N@Z	561	0x1000f7f0
?InsertHead@CDoubleList@@QAEXQAVCListEntry@@@Z	562	0x1000b710
?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z	563	0x1000b7c0
?InsertNewItem@ALLOC_CACHE_HANDLER@@SGXPAV1@@Z	564	0x10017580
?InsertRecord@CLKRHashTable@@QAE?AW4LK_RETCODE@@PBX_N@Z	565	0x1000d360
?InsertRecord@CLKRLinearHashTable@@QAE?AW4LK_RETCODE@@PBX_N@Z	566	0x1000c170
?InsertRecord@TREE_HASH_TABLE@@QAEJPAX@Z	567	0x10027520
?InsertTail@CDoubleList@@QAEXQAVCListEntry@@@Z	568	0x1000b730
?InsertTail@CLockedDoubleList@@QAEXQAVCListEntry@@@Z	569	0x1000b800
?InstantiatePipe@MULTI_IPM@@AAEJPAU_SECURITY_ATTRIBUTES@@@Z	570	0x100241d0
?IpPrint@ALLOC_CACHE_HANDLER@@QAEHPADPAK@Z	571	0x10017cc0
?IpmMessageCreated@IPM2_MESSAGE_PIPE@@QAGXPAVIPM2_MESSAGE_IMP@@@Z	572	0x10022490
?IpmMessageCreated@IPM_MESSAGE_PIPE@@QAGXPAVIPM_MESSAGE_IMP@@@Z	573	0x10020710
?IpmMessageDeleted@IPM2_MESSAGE_PIPE@@QAEXPAVIPM2_MESSAGE_IMP@@@Z	574	0x10022520
?IpmMessageDeleted@IPM_MESSAGE_PIPE@@QAEXPAVIPM_MESSAGE_IMP@@@Z	575	0x100207a0
?IsCurrentUnicode@STRAU@@QAEHXZ	576	0x100097e0
?IsEmpty@CDoubleList@@QBE_NXZ	577	0x1000b700
?IsEmpty@CLockedDoubleList@@QBE_NXZ	578	0x1000b7b0
?IsEmpty@CLockedSingleList@@QBE_NXZ	579	0x1000b660
?IsEmpty@CSingleList@@QBE_NXZ	580	0x1000b600
?IsEmpty@MULTISZ@@QBEHXZ	581	0x10008940
?IsEmpty@MULTISZA@@QBEHXZ	582	0x10014fb0
?IsEmpty@STRA@@QBE_NXZ	583	0x100082a0
?IsEmpty@STRAU@@QAEHXZ	584	0x10009430
?IsEmpty@STRU@@QBE_NXZ	585	0x100082a0
?IsHit@CDFTCache@@QBEHPBU_SYSTEMTIME@@@Z	586	0x100155f0
?IsHit@DATETIME_FORMAT_ENTRY@@QBEHPBU_SYSTEMTIME@@@Z	587	0x10015570
?IsLocked@CLockedDoubleList@@QBE_NXZ	589	0x10009f30
?IsLocked@CLockedSingleList@@QBE_NXZ	590	0x10009f30
?IsReadLocked@CCritSec@@QBE_NXZ	592	0x1000a010
?IsReadLocked@CFakeLock@@QBE_NXZ	593	0x1000a010
?IsReadLocked@CLKRHashTable@@QBE_NXZ	594	0x10010310
?IsReadLocked@CLKRLinearHashTable@@QBE_NXZ	595	0x1000c570
?IsReadLocked@CReaderWriterLock2@@QBE_NXZ	596	0x1000ae40
?IsReadLocked@CReaderWriterLock3@@QBE_NXZ	597	0x1000ae40
?IsReadLocked@CReaderWriterLock@@QBE_NXZ	598	0x1000aa10
?IsReadLocked@CRtlResource@@QBE_NXZ	599	0x1000a010
?IsReadLocked@CShareLock@@QBE_NXZ	600	0x1000a010
?IsReadLocked@CSmallSpinLock@@QBE_NXZ	601	0x10009c70
?IsReadLocked@CSpinLock@@QBE_NXZ	602	0x10009f30
?IsReadUnlocked@CCritSec@@QBE_NXZ	603	0x1000a010
?IsReadUnlocked@CFakeLock@@QBE_NXZ	604	0x1000a010
?IsReadUnlocked@CLKRHashTable@@QBE_NXZ	605	0x10010390
?IsReadUnlocked@CLKRLinearHashTable@@QBE_NXZ	606	0x1000c5b0
?IsReadUnlocked@CReaderWriterLock2@@QBE_NXZ	607	0x1000ae80
?IsReadUnlocked@CReaderWriterLock3@@QBE_NXZ	608	0x1000ae80
?IsReadUnlocked@CReaderWriterLock@@QBE_NXZ	609	0x1000aa30
?IsReadUnlocked@CRtlResource@@QBE_NXZ	610	0x1000a010
?IsReadUnlocked@CShareLock@@QBE_NXZ	611	0x1000a010
?IsReadUnlocked@CSmallSpinLock@@QBE_NXZ	612	0x10009c90
?IsReadUnlocked@CSpinLock@@QBE_NXZ	613	0x10009f40
?IsUnlocked@CLockedDoubleList@@QBE_NXZ	616	0x10009f40
?IsUnlocked@CLockedSingleList@@QBE_NXZ	617	0x10009f40
?IsUsable@CLKRHashTable@@QBE_NXZ	618	0x1000c840
?IsUsable@CLKRLinearHashTable@@QBE_NXZ	619	0x1000c490
?IsValid@ALLOC_CACHE_HANDLER@@QBEHXZ	620	0x10009880
?IsValid@BUFFER@@QBE_NXZ	621	0x10008220
?IsValid@CLKRHashTable@@QBE_NXZ	622	0x10010490
?IsValid@CLKRHashTable_Iterator@@QBE_NXZ	623	0x1000bcf0
?IsValid@CLKRLinearHashTable@@QBE_NXZ	624	0x1000c4a0
?IsValid@CLKRLinearHashTable_Iterator@@QBE_NXZ	625	0x1000bbc0
?IsValid@IPM2_MESSAGE_PIPE@@QAGHXZ	626	0x10020700
?IsValid@IPM_MESSAGE_PIPE@@QAGHXZ	627	0x10020700
?IsValid@MULTISZ@@QBEHXZ	628	0x10008930
?IsValid@MULTISZA@@QBEHXZ	629	0x10008930
?IsValid@STRA@@QBE_NXZ	630	0x10008220
?IsValid@STRAU@@QAEHXZ	631	0x10009420
?IsWriteLocked@CCritSec@@QBE_NXZ	632	0x1000a010
?IsWriteLocked@CFakeLock@@QBE_NXZ	633	0x1000a010
?IsWriteLocked@CLKRHashTable@@QBE_NXZ	634	0x100102d0
?IsWriteLocked@CLKRLinearHashTable@@QBE_NXZ	635	0x1000c560
?IsWriteLocked@CReaderWriterLock2@@QBE_NXZ	636	0x1000ae20
?IsWriteLocked@CReaderWriterLock3@@QBE_NXZ	637	0x1000b3e0
?IsWriteLocked@CReaderWriterLock@@QBE_NXZ	638	0x1000aa00
?IsWriteLocked@CRtlResource@@QBE_NXZ	639	0x1000a010
?IsWriteLocked@CShareLock@@QBE_NXZ	640	0x1000a010
?IsWriteLocked@CSmallSpinLock@@QBE_NXZ	641	0x10009c70
?IsWriteLocked@CSpinLock@@QBE_NXZ	642	0x10009f30
?IsWriteUnlocked@CCritSec@@QBE_NXZ	643	0x1000a010
?IsWriteUnlocked@CFakeLock@@QBE_NXZ	644	0x1000a010
?IsWriteUnlocked@CLKRHashTable@@QBE_NXZ	645	0x10010350
?IsWriteUnlocked@CLKRLinearHashTable@@QBE_NXZ	646	0x1000c590
?IsWriteUnlocked@CReaderWriterLock2@@QBE_NXZ	647	0x1000ae60
?IsWriteUnlocked@CReaderWriterLock3@@QBE_NXZ	648	0x1000b400
?IsWriteUnlocked@CReaderWriterLock@@QBE_NXZ	649	0x1000aa20
?IsWriteUnlocked@CRtlResource@@QBE_NXZ	650	0x1000a010
?IsWriteUnlocked@CShareLock@@QBE_NXZ	651	0x1000a010
?IsWriteUnlocked@CSmallSpinLock@@QBE_NXZ	652	0x10009c90
?IsWriteUnlocked@CSpinLock@@QBE_NXZ	653	0x10009f40
?Key@CLKRHashTable_Iterator@@QBE?BKXZ	654	0x1000bd50
?Key@CLKRLinearHashTable_Iterator@@QBE?BKXZ	655	0x1000c6e0
?Last@CDoubleList@@QBEQAVCListEntry@@XZ	656	0x1000a4b0
?Last@CLockedDoubleList@@QAEQAVCListEntry@@XZ	657	0x1000b880
?LazyInit@EVENT_LOG@@CGPAXK@Z	658	0x10019390
?LazyInitGetHandleIndex@EVENT_LOG@@CGKPBG@Z	659	0x10019270
?LegacyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAEXJ@Z	660	0x10022d10
?LoadStringW@STRA@@QAEJKPAUHINSTANCE__@@@Z	661	0x10013910
?LoadStringW@STRA@@QAEJKPBDK@Z	662	0x10013850
?Lock@CLockedDoubleList@@QAEXXZ	663	0x1000b640
?Lock@CLockedSingleList@@QAEXXZ	664	0x1000b640
?Lock@TS_RESOURCE@@QAEXW4TSRES_LOCK_TYPE@@@Z	665	0x1000a2c0
?LockType@?$CLockBase@$00$00$02$00$02$01@@SG?AW4LOCK_LOCKTYPE@@XZ	666	0x1000c150
?LockType@?$CLockBase@$01$00$00$00$02$01@@SG?AW4LOCK_LOCKTYPE@@XZ	667	0x100105a0
?LockType@?$CLockBase@$02$00$00$00$00$00@@SG?AW4LOCK_LOCKTYPE@@XZ	668	0x10010590
?LockType@?$CLockBase@$03$00$00$01$02$02@@SG?AW4LOCK_LOCKTYPE@@XZ	669	0x100105b0
?LockType@?$CLockBase@$04$01$00$01$02$02@@SG?AW4LOCK_LOCKTYPE@@XZ	670	0x100105c0
?LockType@?$CLockBase@$05$01$00$01$02$02@@SG?AW4LOCK_LOCKTYPE@@XZ	671	0x100105d0
?LockType@?$CLockBase@$06$01$01$00$02$01@@SG?AW4LOCK_LOCKTYPE@@XZ	672	0x100105e0
?LockType@?$CLockBase@$07$01$01$00$02$01@@SG?AW4LOCK_LOCKTYPE@@XZ	673	0x100105f0
?LockType@?$CLockBase@$08$01$00$00$02$01@@SG?AW4LOCK_LOCKTYPE@@XZ	674	0x10010600
?LogEvent@EVENT_LOG@@QAEXKGQAPBGK@Z	675	0x10019190
?LogEventPrivate@EVENT_LOG@@AAEXKGGQAPBGK@Z	676	0x10019540
?MaxSize@CLKRHashTable@@QBEKXZ	681	0x10010460
?MaxSize@CLKRLinearHashTable@@QBEKXZ	682	0x1000c450
?MessagePipeCompletion@IPM2_MESSAGE_PIPE@@SGXPAXE@Z	683	0x10023a10
?MessagePipeCompletion@IPM_MESSAGE_PIPE@@SGXPAXE@Z	684	0x10021740
?Month3CharNames@@YGPBDK@Z	685	0x1001d120
?MultiKeys@CLKRHashTable@@QBE_NXZ	686	0x1000c160
?MultiKeys@CLKRLinearHashTable@@QBE_NXZ	687	0x1000c160
?MutexType@?$CLockBase@$00$00$02$00$02$01@@SG?AW4LOCK_RW_MUTEX@@XZ	688	0x1000c150
?MutexType@?$CLockBase@$01$00$00$00$02$01@@SG?AW4LOCK_RW_MUTEX@@XZ	689	0x1000c150
?MutexType@?$CLockBase@$02$00$00$00$00$00@@SG?AW4LOCK_RW_MUTEX@@XZ	690	0x1000c150
?MutexType@?$CLockBase@$03$00$00$01$02$02@@SG?AW4LOCK_RW_MUTEX@@XZ	691	0x1000c150
?MutexType@?$CLockBase@$04$01$00$01$02$02@@SG?AW4LOCK_RW_MUTEX@@XZ	692	0x100105a0
?MutexType@?$CLockBase@$05$01$00$01$02$02@@SG?AW4LOCK_RW_MUTEX@@XZ	693	0x100105a0
?MutexType@?$CLockBase@$06$01$01$00$02$01@@SG?AW4LOCK_RW_MUTEX@@XZ	694	0x100105a0
?MutexType@?$CLockBase@$07$01$01$00$02$01@@SG?AW4LOCK_RW_MUTEX@@XZ	695	0x100105a0
?MutexType@?$CLockBase@$08$01$00$00$02$01@@SG?AW4LOCK_RW_MUTEX@@XZ	696	0x100105a0
?Next@MULTISZ@@QBEPBGPBG@Z	697	0x10008c70
?Next@MULTISZA@@QBEPBDPBD@Z	698	0x100151e0
?NormalizeUrl@@YGJPAD@Z	699	0x1001efa0
?NormalizeUrlW@@YGJPAG@Z	700	0x1001f110
?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z	701	0x10022bc0
?NotifyPipeDisconnected@IPM_MESSAGE_PIPE@@AAGXJ@Z	702	0x10020df0
?NtLargeIntegerTimeToLocalSystemTime@@YGHPBT_LARGE_INTEGER@@PAU_SYSTEMTIME@@@Z	703	0x1001d330
?NtLargeIntegerTimeToSystemTime@@YGHABT_LARGE_INTEGER@@PAU_SYSTEMTIME@@@Z	704	0x1001d4b0
?NtSystemTimeToLargeInteger@@YGHPBU_SYSTEMTIME@@PAT_LARGE_INTEGER@@@Z	705	0x1001d500
?NumSubTables@CLKRHashTable@@QBEHXZ	706	0x1000c810
?NumSubTables@CLKRHashTable@@SG?AW4LK_TABLESIZE@@AAK0@Z	707	0x1000cf10
?NumSubTables@CLKRLinearHashTable@@QBEHXZ	708	0x1000c150
?NumSubTables@CLKRLinearHashTable@@SG?AW4LK_TABLESIZE@@AAK0@Z	709	0x1000cf00
?OffsetSeconds@CDFTCache@@QBEHXZ	710	0x10015610
?Open@MB@@QAEHKPBGK@Z	711	0x100119f0
?Open@MB@@QAEHPBGK@Z	712	0x10011930
?PathAppend@STRU_PATH@@QAEJPBG@Z	713	0x10014660
?PathAppend@STRU_PATH@@QAEJPBGK@Z	714	0x100145f0
?PerLockSpin@?$CLockBase@$00$00$02$00$02$01@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	715	0x100105a0
?PerLockSpin@?$CLockBase@$01$00$00$00$02$01@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	716	0x100105a0
?PerLockSpin@?$CLockBase@$02$00$00$00$00$00@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	717	0x1000c150
?PerLockSpin@?$CLockBase@$03$00$00$01$02$02@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	718	0x10010590
?PerLockSpin@?$CLockBase@$04$01$00$01$02$02@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	719	0x10010590
?PerLockSpin@?$CLockBase@$05$01$00$01$02$02@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	720	0x10010590
?PerLockSpin@?$CLockBase@$06$01$01$00$02$01@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	721	0x100105a0
?PerLockSpin@?$CLockBase@$07$01$01$00$02$01@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	722	0x100105a0
?PerLockSpin@?$CLockBase@$08$01$00$00$02$01@@SG?AW4LOCK_PERLOCK_SPIN@@XZ	723	0x100105a0
?PipeClosed@MULTI_IPM@@QAEJPAVIPM_INSTANCE@@@Z	724	0x10024560
?PipeConnected@MULTI_IPM@@QAEJXZ	725	0x10024460
?PipeDisconnected@MULTI_IPM@@QAEJXZ	726	0x10024520
?Pop@CLockedSingleList@@QAEQAVCSingleListEntry@@XZ	727	0x1000b670
?Pop@CSingleList@@QAEQAVCSingleListEntry@@XZ	728	0x1000b610
?PopAnyFreeListEntry@ALLOC_CACHE_HANDLER@@AAEPAXXZ	729	0x10017bb0
?Print@ALLOC_CACHE_HANDLER@@QAEXXZ	730	0x10017c70
?PrivateQueryStr@STRAU@@AAEPAGH@Z	731	0x10014230
?Push@CLockedSingleList@@QAEXQAVCSingleListEntry@@@Z	732	0x1000b6a0
?Push@CSingleList@@QAEXQAVCSingleListEntry@@@Z	733	0x1000b620
?QueryAdminBase@MB@@QBEPAUIMSAdminBaseW@@XZ	734	0x10009880
?QueryBuffer@STRU@@QAEPAVBUFFER@@XZ	735	0x100087a0
?QueryCB@MULTISZ@@QBEIXZ	736	0x100083f0
?QueryCB@MULTISZA@@QBEIXZ	737	0x10008400
?QueryCB@STRA@@QBEKXZ	738	0x10008400
?QueryCB@STRAU@@QAEIH@Z	739	0x10009710
?QueryCB@STRU@@QBEKXZ	740	0x100083f0
?QueryCBA@STRAU@@QAEIXZ	741	0x10009730
?QueryCBW@STRAU@@QAEIXZ	742	0x10009760
?QueryCCH@MULTISZ@@QBEIXZ	743	0x10008400
?QueryCCH@MULTISZA@@QBEIXZ	744	0x10008400
?QueryCCH@STRA@@QBEKXZ	745	0x10008400
?QueryCCH@STRAU@@QAEIXZ	746	0x10009790
?QueryCCH@STRU@@QBEKXZ	747	0x10008400
?QueryDepthForAllSLists@ALLOC_CACHE_HANDLER@@AAEKXZ	748	0x10017c30
?QueryEnableLevel@CEtwTracer@@QAEKXZ	749	0x10008400
?QueryFlags@CEtwTracer@@QAEKXZ	750	0x1001e960
?QueryHandle@MB@@QBEKXZ	752	0x1000a4b0
?QueryHeapAllocCount@CHUNK_BUFFER@@QAEKXZ	753	0x1001e550
?QueryInterface@MB_BASE_NOTIFICATION_SINK@@UAGJABU_GUID@@PAPAX@Z	754	0x10019ac0
?QueryMultiAcceptor@MULTI_IPM@@QAEPAVMULTI_IPM_ACCEPTOR@@XZ	756	0x10024000
?QueryOutstandingAllocationCount@ALLOC_CACHE_HANDLER@@QBEKXZ	757	0x10017bf0
?QueryProviderGUID@CEtwTracer@@QAEPBU_GUID@@XZ	758	0x1001e970
?QueryPtr@BUFFER@@QBEPAXXZ	759	0x100081e0
?QuerySize@BUFFER@@QBEKXZ	760	0x100081f0
?QuerySize@STRA@@QBEKXZ	761	0x100081f0
?QuerySize@STRU@@QBEKXZ	762	0x100081f0
?QuerySizeCCH@STRA@@QBEKXZ	763	0x100081f0
?QuerySizeCCH@STRU@@QBEKXZ	764	0x10008410
?QueryStats@ALLOC_CACHE_HANDLER@@QAEXPAUALLOC_CACHE_STATISTICS@@@Z	765	0x10017d20
?QueryStr@MULTISZ@@QBEPAGXZ	766	0x100081e0
?QueryStr@MULTISZA@@QBEPADXZ	767	0x100081e0
?QueryStr@STRA@@QAEPADXZ	768	0x100081e0
?QueryStr@STRA@@QBEPBDXZ	769	0x100081e0
?QueryStr@STRAU@@QAEPAGH@Z	770	0x100097c0
?QueryStr@STRU@@QAEPAGXZ	771	0x100081e0
?QueryStr@STRU@@QBEPBGXZ	772	0x100081e0
?QueryStrA@MULTISZ@@QBEPAGXZ	773	0x100081e0
?QueryStrA@STRAU@@QAEPADXZ	774	0x10014210
?QueryStrW@STRAU@@QAEPAGXZ	775	0x10014220
?QueryStringCount@MULTISZ@@QBEKXZ	776	0x10008ba0
?QueryStringCount@MULTISZA@@QBEKXZ	777	0x10008ba0
?QueryTraceHandle@CEtwTracer@@QAE_KXZ	778	0x1001e950
?QueueType@?$CLockBase@$00$00$02$00$02$01@@SG?AW4LOCK_QUEUE_TYPE@@XZ	779	0x10010590
?QueueType@?$CLockBase@$01$00$00$00$02$01@@SG?AW4LOCK_QUEUE_TYPE@@XZ	780	0x10010590
?QueueType@?$CLockBase@$02$00$00$00$00$00@@SG?AW4LOCK_QUEUE_TYPE@@XZ	781	0x1000c150
?QueueType@?$CLockBase@$03$00$00$01$02$02@@SG?AW4LOCK_QUEUE_TYPE@@XZ	782	0x10010590
?QueueType@?$CLockBase@$04$01$00$01$02$02@@SG?AW4LOCK_QUEUE_TYPE@@XZ	783	0x10010590
?QueueType@?$CLockBase@$05$01$00$01$02$02@@SG?AW4LOCK_QUEUE_TYPE@@XZ	784	0x10010590
?QueueType@?$CLockBase@$06$01$01$00$02$01@@SG?AW4LOCK_QUEUE_TYPE@@XZ	785	0x10010590
?QueueType@?$CLockBase@$07$01$01$00$02$01@@SG?AW4LOCK_QUEUE_TYPE@@XZ	786	0x10010590
?QueueType@?$CLockBase@$08$01$00$00$02$01@@SG?AW4LOCK_QUEUE_TYPE@@XZ	787	0x10010590
?Read@?$CDataCache@VCDateTime@@@@QBE_NAAVCDateTime@@@Z	788	0x1001dc40
?ReadLock@CCritSec@@QAEXXZ	790	0x1000a130
?ReadLock@CFakeLock@@QAEXXZ	791	0x10009ba0
?ReadLock@CLKRHashTable@@QBEXXZ	792	0x10010240
?ReadLock@CLKRLinearHashTable@@QBEXXZ	793	0x1000c530
?ReadLock@CReaderWriterLock2@@QAEXXZ	794	0x1000acb0
?ReadLock@CReaderWriterLock3@@QAEXXZ	795	0x1000b190
?ReadLock@CReaderWriterLock@@QAEXXZ	796	0x1000a8a0
?ReadLock@CRtlResource@@QAEXXZ	797	0x1000a390
?ReadLock@CShareLock@@QAEXXZ	798	0x1000a5f0
?ReadLock@CSmallSpinLock@@QAEXXZ	799	0x10009bb0
?ReadLock@CSpinLock@@QAEXXZ	800	0x10009e80
?ReadLock@TREE_HASH_TABLE@@QAEXXZ	801	0x10026fd0
?ReadMessage@IPM2_MESSAGE_PIPE@@AAGJK@Z	802	0x10023030
?ReadMessage@IPM_MESSAGE_PIPE@@AAGJK@Z	803	0x10020f30
?ReadOrWriteLock@CCritSec@@QAE_NXZ	805	0x1000a140
?ReadOrWriteLock@CFakeLock@@QAE_NXZ	806	0x1000a010
?ReadOrWriteLock@CReaderWriterLock3@@QAE_NXZ	807	0x1000b1e0
?ReadOrWriteLock@CSpinLock@@QAE_NXZ	808	0x10009ed0
?ReadOrWriteUnlock@CCritSec@@QAEX_N@Z	809	0x1000a180
?ReadOrWriteUnlock@CFakeLock@@QAEX_N@Z	810	0x1000a020
?ReadOrWriteUnlock@CReaderWriterLock3@@QAEX_N@Z	811	0x1000b3c0
?ReadOrWriteUnlock@CSpinLock@@QAEX_N@Z	812	0x10009f20
?ReadUnlock@CCritSec@@QAEXXZ	815	0x1000a170
?ReadUnlock@CFakeLock@@QAEXXZ	816	0x10009ba0
?ReadUnlock@CLKRHashTable@@QBEXXZ	817	0x100102a0
?ReadUnlock@CLKRLinearHashTable@@QBEXXZ	818	0x1000c550
?ReadUnlock@CReaderWriterLock2@@QAEXXZ	819	0x1000ade0
?ReadUnlock@CReaderWriterLock3@@QAEXXZ	820	0x1000ade0
?ReadUnlock@CReaderWriterLock@@QAEXXZ	821	0x1000a9e0
?ReadUnlock@CRtlResource@@QAEXXZ	822	0x1000a320
?ReadUnlock@CShareLock@@QAEXXZ	823	0x1000a5a0
?ReadUnlock@CSmallSpinLock@@QAEXXZ	824	0x10009c40
?ReadUnlock@CSpinLock@@QAEXXZ	825	0x10009e20
?ReadUnlock@TREE_HASH_TABLE@@QAEXXZ	826	0x10026fe0
?ReallocStorage@BUFFER@@AAE_NK@Z	827	0x10012310
?RecalcLen@MULTISZ@@QAEXXZ	828	0x10008bf0
?RecalcLen@MULTISZA@@QAEXXZ	829	0x10015180
?Record@CLKRHashTable_Iterator@@QBEPBXXZ	830	0x1000bd30
?Record@CLKRLinearHashTable_Iterator@@QBEPBXXZ	831	0x1000bbf0
?Recursion@?$CLockBase@$00$00$02$00$02$01@@SG?AW4LOCK_RECURSION@@XZ	832	0x10010590
?Recursion@?$CLockBase@$01$00$00$00$02$01@@SG?AW4LOCK_RECURSION@@XZ	833	0x1000c150
?Recursion@?$CLockBase@$02$00$00$00$00$00@@SG?AW4LOCK_RECURSION@@XZ	834	0x1000c150
?Recursion@?$CLockBase@$03$00$00$01$02$02@@SG?AW4LOCK_RECURSION@@XZ	835	0x1000c150
?Recursion@?$CLockBase@$04$01$00$01$02$02@@SG?AW4LOCK_RECURSION@@XZ	836	0x1000c150
?Recursion@?$CLockBase@$05$01$00$01$02$02@@SG?AW4LOCK_RECURSION@@XZ	837	0x1000c150
?Recursion@?$CLockBase@$06$01$01$00$02$01@@SG?AW4LOCK_RECURSION@@XZ	838	0x100105a0
?Recursion@?$CLockBase@$07$01$01$00$02$01@@SG?AW4LOCK_RECURSION@@XZ	839	0x100105a0
?Recursion@?$CLockBase@$08$01$00$00$02$01@@SG?AW4LOCK_RECURSION@@XZ	840	0x1000c150
?Register@CEtwTracer@@QAEKPBU_GUID@@PAG1@Z	841	0x1001e9d0
?RegisterAcceptor@MULTI_IPM@@QAEJPAVMULTI_IPM_ACCEPTOR@@@Z	842	0x10024100
?RehashTableIfNeeded@TREE_HASH_TABLE@@AAEXXZ	843	0x10027920
?Release@MB_BASE_NOTIFICATION_SINK@@UAGKXZ	844	0x10019a60
?ReleaseExclusiveLock@CSharelock@@QAEXXZ	845	0x1000a580
?ReleaseShareLock@CSharelock@@QAEXXZ	846	0x1000a5a0
?RemoveEntry@CDoubleList@@SGXQAVCListEntry@@@Z	847	0x1000b790
?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z	848	0x1000b8c0
?RemoveHead@CDoubleList@@QAEQAVCListEntry@@XZ	849	0x1000b750
?RemoveHead@CLockedDoubleList@@QAEQAVCListEntry@@XZ	850	0x1000b850
?RemoveItem@ALLOC_CACHE_HANDLER@@SGXPAV1@@Z	851	0x100175d0
?RemoveTail@CDoubleList@@QAEQAVCListEntry@@XZ	852	0x1000b770
?RemoveTail@CLockedDoubleList@@QAEQAVCListEntry@@XZ	853	0x1000b890
?RemoveTrailingPath@STRU_PATH@@QAEXXZ	854	0x10014690
?RemoveWhitespace@LANG_STRING@@AAEJPBDKPAPAD@Z	855	0x10025400
?Reset@MULTISZ@@QAEXXZ	857	0x10008aa0
?Reset@MULTISZA@@QAEXXZ	858	0x100150d0
?Reset@STRA@@QAEXXZ	859	0x10008e20
?Reset@STRAU@@QAEXXZ	860	0x100095a0
?Reset@STRU@@QAEXXZ	861	0x10008420
?ResetLookasideCleanupInterval@ALLOC_CACHE_HANDLER@@SGHXZ	862	0x10017820
?Resize@BUFFER@@QAE_NK@Z	863	0x100122b0
?Resize@BUFFER@@QAE_NKK@Z	864	0x100122d0
?Resize@STRA@@QAEJK@Z	865	0x10008440
?Resize@STRU@@QAEJK@Z	866	0x10008440
?ResizeW@STRAU@@QAEHK@Z	867	0x100097f0
?RetrieveSystemDir@STRU_PATH@@QAEJXZ	868	0x10014830
?RetrieveTempDir@STRU_PATH@@QAEJXZ	869	0x10014930
?RetrieveWindowsDir@STRU_PATH@@QAEJXZ	870	0x100148b0
?SAFE_snwprintf@@YAJPAVSTRU@@PBGZZ	871	0x10012c80
?SafeCopy@STRAU@@QAEHPBD@Z	872	0x100142b0
?SafeCopy@STRAU@@QAEHPBG@Z	873	0x10014360
?Save@MB@@QAEHXZ	874	0x10011ae0
?Seconds@CDFTCache@@QBEGXZ	879	0x10015630
?SetAutoResetAfterDisconnect@IPM2_MESSAGE_PIPE@@QAEXH@Z	880	0x10022f90
?SetBlocking@W3_TRACE_LOG@@QAEXH@Z	881	0x10024b00
?SetBucketLockSpinCount@CLKRHashTable@@QAEXG@Z	882	0x10010540
?SetBucketLockSpinCount@CLKRLinearHashTable@@QAEXG@Z	883	0x100104f0
?SetBuffering@W3_TRACE_LOG@@QAEXH@Z	884	0x10024b40
?SetData@MB@@QAEHPBGKKKPAXKK@Z	885	0x10011e80
?SetDefaultSpinAdjustmentFactor@CCritSec@@SGXN@Z	886	0x1000a210
?SetDefaultSpinAdjustmentFactor@CFakeLock@@SGXN@Z	887	0x1000a090
?SetDefaultSpinAdjustmentFactor@CReaderWriterLock2@@SGXN@Z	888	0x1000af80
?SetDefaultSpinAdjustmentFactor@CReaderWriterLock3@@SGXN@Z	889	0x1000b590
?SetDefaultSpinAdjustmentFactor@CReaderWriterLock@@SGXN@Z	890	0x1000ab30
?SetDefaultSpinAdjustmentFactor@CRtlResource@@SGXN@Z	891	0x1000a450
?SetDefaultSpinAdjustmentFactor@CShareLock@@SGXN@Z	892	0x1000a6e0
?SetDefaultSpinAdjustmentFactor@CSmallSpinLock@@SGXN@Z	893	0x10009d00
?SetDefaultSpinAdjustmentFactor@CSpinLock@@SGXN@Z	894	0x10009fb0
?SetDefaultSpinCount@CCritSec@@SGXG@Z	895	0x1000a1d0
?SetDefaultSpinCount@CFakeLock@@SGXG@Z	896	0x1000a040
?SetDefaultSpinCount@CReaderWriterLock2@@SGXG@Z	897	0x1000af40
?SetDefaultSpinCount@CReaderWriterLock3@@SGXG@Z	898	0x1000b550
?SetDefaultSpinCount@CReaderWriterLock@@SGXG@Z	899	0x1000aaf0
?SetDefaultSpinCount@CRtlResource@@SGXG@Z	900	0x1000a410
?SetDefaultSpinCount@CShareLock@@SGXG@Z	901	0x1000a6a0
?SetDefaultSpinCount@CSmallSpinLock@@SGXG@Z	902	0x10009cc0
?SetDefaultSpinCount@CSpinLock@@SGXG@Z	903	0x10009f70
?SetDword@MB@@QAEHPBGKKKK@Z	904	0x100118b0
?SetLen@STRA@@QAE_NK@Z	907	0x10009190
?SetLen@STRAU@@QAEHK@Z	908	0x10014140
?SetLen@STRU@@QAE_NK@Z	909	0x100087e0
?SetLocalTime@ASCLOG_DATETIME_CACHE@@QAEXPAU_SYSTEMTIME@@@Z	910	0x10015730
?SetLookasideCleanupInterval@ALLOC_CACHE_HANDLER@@SGHXZ	911	0x10017790
?SetPipeState@IPM2_MESSAGE_PIPE@@AAE?AW4IPM2_PIPE_STATE@@W42@@Z	912	0x10021cc0
?SetSpinCount@CCritSec@@QAE_NG@Z	913	0x1000a1a0
?SetSpinCount@CCritSec@@SGKPAU_RTL_CRITICAL_SECTION@@K@Z	914	0x10010a70
?SetSpinCount@CFakeLock@@QAE_NG@Z	915	0x10009ca0
?SetSpinCount@CReaderWriterLock2@@QAE_NG@Z	916	0x10009ca0
?SetSpinCount@CReaderWriterLock3@@QAE_NG@Z	917	0x10009ca0
?SetSpinCount@CReaderWriterLock@@QAE_NG@Z	918	0x10009ca0
?SetSpinCount@CRtlResource@@QAE_NG@Z	919	0x1000a1a0
?SetSpinCount@CShareLock@@QAE_NG@Z	920	0x1000a670
?SetSpinCount@CSmallSpinLock@@QAE_NG@Z	921	0x10009ca0
?SetSpinCount@CSpinLock@@QAE_NG@Z	922	0x10009ca0
?SetString@MB@@QAEHPBGKK0K@Z	923	0x100118e0
?SetSystemTime@EXTLOG_DATETIME_CACHE@@QAEXPAU_SYSTEMTIME@@@Z	925	0x10015840
?SetTableLockSpinCount@CLKRHashTable@@QAEXG@Z	926	0x1000a020
?SetTableLockSpinCount@CLKRLinearHashTable@@QAEXG@Z	927	0x1000a020
?SetTime@CDateTime@@QAEHABU_FILETIME@@@Z	928	0x1001ce80
?SetTime@CDateTime@@QAEHABU_SYSTEMTIME@@@Z	929	0x1001ce50
?SetValid@BUFFER@@QAEX_N@Z	930	0x10008200
?Shutdown@MULTI_IPM@@QAEJXZ	931	0x10024130
?ShutdownNotify@MB_BASE_NOTIFICATION_SINK@@UAGJXZ	932	0x10019b50
?SinkNotify@MB_BASE_NOTIFICATION_SINK@@UAGJKQAU_MD_CHANGE_OBJECT_W@@@Z	933	0x10019bc0
?Size@CLKRHashTable@@QBEKXZ	934	0x10010430
?Size@CLKRLinearHashTable@@QBEKXZ	935	0x1000c440
?SleepWaitingForLock@CSharelock@@AAEEH@Z	938	0x10010f90
?SplitCommaDelimitedString@@YGJPBGHHPAVMULTISZ@@@Z	939	0x10014dd0
?StartListening@MB_BASE_NOTIFICATION_SINK@@QAEJPAUIUnknown@@@Z	941	0x10019c40
?StartNamedPipe@IPM2_MESSAGE_PIPE@@AAEJPAH@Z	942	0x10022d90
?StopListening@MB_BASE_NOTIFICATION_SINK@@QAEJPAUIUnknown@@@Z	944	0x10019d40
?StringTimeToFileTime@@YGHPBDPAT_LARGE_INTEGER@@@Z	945	0x1001d540
?SyncWithBuffer@STRA@@QAEXXZ	946	0x100091c0
?SyncWithBuffer@STRU@@QAEXXZ	947	0x100087b0
?SynchronizedShutdownNotify@MB_BASE_NOTIFICATION_SINK@@UAGJXZ	948	0x10019b40
?SystemTimeToGMTEx@@YGHABU_SYSTEMTIME@@PADKK@Z	950	0x1001d380
?Terminate@BIG_REF_TRACE@@QAEJXZ	951	0x10026540
?Terminate@EVENT_LOG@@SGXXZ	952	0x100190b0
?Terminate@LANG_STRING@@QAEJXZ	953	0x10025270
?TerminateStatic@BIG_REF_TRACE@@SGJXZ	955	0x10026480
?TimerCallback@W3_TRACE_LOG_FACTORY@@CGXPAXE@Z	956	0x10024a10
?Trace@W3_TRACE_LOG@@QAAJPBGZZ	957	0x10024bb0
?TraceCreate@BIG_REF_TRACE@@QAEJPAX@Z	958	0x10026640
?TraceDelete@BIG_REF_TRACE@@QAEJPAX@Z	959	0x100267d0
?TraceDereference@BIG_REF_TRACE@@QAEJPAX@Z	960	0x10026680
?TraceEnabled@CEtwTracer@@QAEHK@Z	961	0x1001e910
?TracePerUrlEnabled@CEtwTracer@@QAEHXZ	962	0x1001e940
?TraceReference@BIG_REF_TRACE@@QAEJPAX@Z	963	0x10026660
?TryConvertSharedToExclusive@CReaderWriterLock3@@QAE_NXZ	964	0x1000b490
?TryReadLock@CCritSec@@QAE_NXZ	965	0x1000a160
?TryReadLock@CFakeLock@@QAE_NXZ	966	0x1000a010
?TryReadLock@CReaderWriterLock2@@QAE_NXZ	967	0x1000ad50
?TryReadLock@CReaderWriterLock3@@QAE_NXZ	968	0x1000ad50
?TryReadLock@CReaderWriterLock@@QAE_NXZ	969	0x1000a950
?TryReadLock@CRtlResource@@QAE_NXZ	970	0x1000a3c0
?TryReadLock@CShareLock@@QAE_NXZ	971	0x1000a620
?TryReadLock@CSmallSpinLock@@QAE_NXZ	972	0x10009c00
?TryReadLock@CSpinLock@@QAE_NXZ	973	0x10009ee0
?TryReadOrWriteLock@CReaderWriterLock3@@QAE_NAA_N@Z	974	0x1000b240
?TryWriteLock@CCritSec@@QAE_NXZ	975	0x10010a30
?TryWriteLock@CFakeLock@@QAE_NXZ	976	0x1000a010
?TryWriteLock@CReaderWriterLock2@@QAE_NXZ	977	0x1000ad00
?TryWriteLock@CReaderWriterLock3@@QAE_NXZ	978	0x1000b2b0
?TryWriteLock@CReaderWriterLock@@QAE_NXZ	979	0x1000a8f0
?TryWriteLock@CRtlResource@@QAE_NXZ	980	0x1000a3a0
?TryWriteLock@CShareLock@@QAE_NXZ	981	0x1000a600
?TryWriteLock@CSmallSpinLock@@QAE_NXZ	982	0x10009c00
?TryWriteLock@CSpinLock@@QAE_NXZ	983	0x10009ee0
?UlCleanAndCopyUrl@@YGJPADKPAKPAGPAPAG@Z	984	0x1001f910
?UnRegister@CEtwTracer@@QAEKXZ	985	0x1001ea80
?Undent@W3_TRACE_LOG@@QAEXXZ	986	0x10024810
?Unescape@STRA@@QAEJXZ	987	0x100133e0
?Unescape@STRU@@QAEJXZ	988	0x100125e0
?UnescapeOnly@STRA@@QAEJXZ	989	0x10013410
?UnescapeOnly@STRU@@QAEJXZ	990	0x10012620
?Unlock@CLockedDoubleList@@QAEXXZ	991	0x1000b650
?Unlock@CLockedSingleList@@QAEXXZ	992	0x1000b650
?Unlock@TS_RESOURCE@@QAEXXZ	993	0x1000a320
?UpdateMaxSpins@CSharelock@@QAEEH@Z	994	0x10010fd0
?UpdateMaxUsers@CSharelock@@QAEEH@Z	995	0x10010ff0
?ValidHeaderCharacters@LANG_STRING@@AAEHPBD@Z	996	0x10025330
?ValidLanguage@LANG_STRING@@AAEHPBD@Z	997	0x10025390
?ValidSignature@CLKRHashTable@@QBE_NXZ	998	0x1000c820
?ValidSignature@CLKRLinearHashTable@@QBE_NXZ	999	0x1000c500
?VerifyState@BUFFER@@ABEXXZ	1000	0x10009ba0
?WaitForExclusiveLock@CSharelock@@AAEEH@Z	1001	0x10011030
?WaitForShareLock@CSharelock@@AAEEH@Z	1002	0x100110e0
?WaitType@?$CLockBase@$00$00$02$00$02$01@@SG?AW4LOCK_WAIT_TYPE@@XZ	1003	0x1000c150
?WaitType@?$CLockBase@$01$00$00$00$02$01@@SG?AW4LOCK_WAIT_TYPE@@XZ	1004	0x1000c150
?WaitType@?$CLockBase@$02$00$00$00$00$00@@SG?AW4LOCK_WAIT_TYPE@@XZ	1005	0x1000c150
?WaitType@?$CLockBase@$03$00$00$01$02$02@@SG?AW4LOCK_WAIT_TYPE@@XZ	1006	0x100105a0
?WaitType@?$CLockBase@$04$01$00$01$02$02@@SG?AW4LOCK_WAIT_TYPE@@XZ	1007	0x100105a0
?WaitType@?$CLockBase@$05$01$00$01$02$02@@SG?AW4LOCK_WAIT_TYPE@@XZ	1008	0x100105a0
?WaitType@?$CLockBase@$06$01$01$00$02$01@@SG?AW4LOCK_WAIT_TYPE@@XZ	1009	0x1000c150
?WaitType@?$CLockBase@$07$01$01$00$02$01@@SG?AW4LOCK_WAIT_TYPE@@XZ	1010	0x1000c150
?WaitType@?$CLockBase@$08$01$00$00$02$01@@SG?AW4LOCK_WAIT_TYPE@@XZ	1011	0x1000c150
?WakeAllSleepers@CSharelock@@AAEXXZ	1012	0x10011190
?Write@?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE_NABUDATETIME_FORMAT_ENTRY@@@Z	1013	0x1001dbf0
?Write@?$CDataCache@VCDateTime@@@@QAE_NABVCDateTime@@@Z	1014	0x1001dc80
?WriteLock@CCritSec@@QAEXXZ	1015	0x1000a130
?WriteLock@CFakeLock@@QAEXXZ	1016	0x10009ba0
?WriteLock@CLKRHashTable@@QAEXXZ	1017	0x10010210
?WriteLock@CLKRLinearHashTable@@QAEXXZ	1018	0x1000c520
?WriteLock@CReaderWriterLock2@@QAEXXZ	1019	0x1000ac60
?WriteLock@CReaderWriterLock3@@QAEXXZ	1020	0x1000b100
?WriteLock@CReaderWriterLock@@QAEXXZ	1021	0x1000a850
?WriteLock@CRtlResource@@QAEXXZ	1022	0x1000a380
?WriteLock@CShareLock@@QAEXXZ	1023	0x1000a5e0
?WriteLock@CSmallSpinLock@@QAEXXZ	1024	0x10009bb0
?WriteLock@CSpinLock@@QAEXXZ	1025	0x10009e80
?WriteLock@TREE_HASH_TABLE@@QAEXXZ	1026	0x10026fb0
?WriteMessage@IPM2_MESSAGE_PIPE@@QAEJW4IPM2_OPCODE@@HKKPAXK1@Z	1027	0x10023270
?WriteMessage@IPM2_MESSAGE_PIPE@@QAEJW4IPM2_OPCODE@@KKPAXK1@Z	1028	0x10023240
?WriteMessage@IPM2_MESSAGE_PIPE@@QAGJW4IPM2_OPCODE@@KPAX@Z	1029	0x10023210
?WriteMessage@IPM_MESSAGE_PIPE@@QAGJW4IPM_OPCODE@@KPAX@Z	1030	0x10021100
?WriteUnlock@CCritSec@@QAEXXZ	1031	0x1000a170
?WriteUnlock@CFakeLock@@QAEXXZ	1032	0x10009ba0
?WriteUnlock@CLKRHashTable@@QBEXXZ	1033	0x10010270
?WriteUnlock@CLKRLinearHashTable@@QBEXXZ	1034	0x1000c540
?WriteUnlock@CReaderWriterLock2@@QAEXXZ	1035	0x1000ad90
?WriteUnlock@CReaderWriterLock3@@QAEXXZ	1036	0x1000b340
?WriteUnlock@CReaderWriterLock@@QAEXXZ	1037	0x1000a9a0
?WriteUnlock@CRtlResource@@QAEXXZ	1038	0x1000a320
?WriteUnlock@CShareLock@@QAEXXZ	1039	0x1000a640
?WriteUnlock@CSmallSpinLock@@QAEXXZ	1040	0x10009c40
?WriteUnlock@CSpinLock@@QAEXXZ	1041	0x10009e20
?WriteUnlock@TREE_HASH_TABLE@@QAEXXZ	1042	0x10026fc0
?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z	1043	0x1000c680
?_AddRefRecord@CLKRLinearHashTable@@ABEXPBXH@Z	1044	0x1000c070
?_AllocateNodeClump@CLKRLinearHashTable@@CGQAVCNodeClump@@XZ	1045	0x1000ee20
?_AllocateSegment@CLKRLinearHashTable@@ABEQAVCSegment@@XZ	1046	0x1000ee80
?_AllocateSegmentDirectory@CLKRLinearHashTable@@CGQAVCDirEntry@@I@Z	1047	0x1000ed80
?_AllocateSubTable@CLKRHashTable@@CGQAVCLKRLinearHashTable@@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKPAV1@_N@Z	1048	0x1000f010
?_AllocateSubTableArray@CLKRHashTable@@CGQAPAVCLKRLinearHashTable@@I@Z	1049	0x1000efc0
?_Apply@CLKRLinearHashTable@@AAEKP6G?AW4LK_ACTION@@PBXPAX@Z1W4LK_LOCKTYPE@@AAW4LK_PREDICATE@@@Z	1050	0x1000dff0
?_ApplyIf@CLKRLinearHashTable@@AAEKP6G?AW4LK_PREDICATE@@PBXPAX@ZP6G?AW4LK_ACTION@@01@Z1W4LK_LOCKTYPE@@AAW42@@Z	1051	0x1000e020
?_Bucket@CLKRLinearHashTable@@ABEPAVCBucket@@K@Z	1052	0x1000bf60
?_BucketAddress@CLKRLinearHashTable@@ABEKK@Z	1053	0x1000be80
?_CalcKeyHash@CLKRHashTable@@ABEKK@Z	1054	0x1000c7a0
?_CalcKeyHash@CLKRLinearHashTable@@ABEKK@Z	1055	0x1000bfd0
?_Clear@CLKRLinearHashTable@@AAEX_N@Z	1056	0x1000e570
?_CmpExch@CReaderWriterLock2@@AAE_NJJ@Z	1057	0x1000a770
?_CmpExch@CReaderWriterLock3@@AAE_NJJ@Z	1058	0x1000a770
?_CmpExch@CReaderWriterLock@@AAE_NJJ@Z	1059	0x1000a770
?_Contract@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@XZ	1060	0x1000f3c0
?_CurrentThreadId@CReaderWriterLock3@@CGJXZ	1061	0x10009d80
?_CurrentThreadId@CSmallSpinLock@@CGJXZ	1062	0x10009b40
?_CurrentThreadId@CSpinLock@@CGJXZ	1063	0x10009d80
?_DeleteIf@CLKRLinearHashTable@@AAEKP6G?AW4LK_PREDICATE@@PBXPAX@Z1AAW42@@Z	1064	0x1000e1f0
?_DeleteKey@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@KK@Z	1065	0x1000d420
?_DeleteNode@CLKRLinearHashTable@@AAE_NPAVCBucket@@AAPAVCNodeClump@@1AAH@Z	1066	0x1000d860
?_DeleteRecord@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@PBXK@Z	1067	0x1000d640
?_EqualKeys@CLKRLinearHashTable@@ABE_NKK@Z	1068	0x1000c030
?_Erase@CLKRLinearHashTable@@AAE_NAAVCLKRLinearHashTable_Iterator@@K@Z	1069	0x1000f8b0
?_Expand@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@XZ	1070	0x1000f090
?_ExtractKey@CLKRHashTable@@ABE?BKPBX@Z	1071	0x1000c760
?_ExtractKey@CLKRLinearHashTable@@ABE?BKPBX@Z	1072	0x1000bf90
?_FindBucket@CLKRLinearHashTable@@ABEPAVCBucket@@K_N@Z	1073	0x1000cfa0
?_FindKey@CLKRLinearHashTable@@ABE?AW4LK_RETCODE@@KKPAPBXPAVCLKRLinearHashTable_Iterator@@@Z	1074	0x1000d970
?_FindRecord@CLKRLinearHashTable@@ABE?AW4LK_RETCODE@@PBXK@Z	1075	0x1000db60
?_FreeNodeClump@CLKRLinearHashTable@@CG_NPAVCNodeClump@@@Z	1076	0x1000ee50
?_FreeSegment@CLKRLinearHashTable@@ABE_NPAVCSegment@@@Z	1077	0x1000ef60
?_FreeSegmentDirectory@CLKRLinearHashTable@@AAE_NXZ	1078	0x1000ede0
?_FreeSubTable@CLKRHashTable@@CG_NPAVCLKRLinearHashTable@@@Z	1079	0x1000f060
?_FreeSubTableArray@CLKRHashTable@@CG_NPAPAVCLKRLinearHashTable@@@Z	1080	0x1000eff0
?_H0@CLKRLinearHashTable@@ABEKK@Z	1081	0x1000bec0
?_H0@CLKRLinearHashTable@@CGKKK@Z	1082	0x1000bea0
?_H1@CLKRLinearHashTable@@ABEKK@Z	1083	0x1000bf00
?_H1@CLKRLinearHashTable@@CGKKK@Z	1084	0x1000bee0
?_Increment@CLKRHashTable_Iterator@@IAE_N_N@Z	1085	0x1000fcb0
?_Increment@CLKRLinearHashTable_Iterator@@IAE_N_N@Z	1086	0x1000f740
?_Initialize@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@P6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX0H@ZPBDNK@Z	1087	0x1000cbb0
?_InsertRecord@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@PBXK_NPAVCLKRLinearHashTable_Iterator@@@Z	1088	0x1000d130
?_InsertThisIntoGlobalList@CLKRHashTable@@AAEXXZ	1089	0x1000c720
?_InsertThisIntoGlobalList@CLKRLinearHashTable@@AAEXXZ	1090	0x1000c0f0
?_IsLocked@CSpinLock@@ABE_NXZ	1091	0x10009e60
?_IsNodeCompact@CLKRLinearHashTable@@ABEHQAVCBucket@@@Z	1092	0x1000cff0
?_IsValidIterator@CLKRHashTable@@ABE_NABVCLKRHashTable_Iterator@@@Z	1093	0x1000c850
?_IsValidIterator@CLKRLinearHashTable@@ABE_NABVCLKRLinearHashTable_Iterator@@@Z	1094	0x1000c630
?_Lock@CSpinLock@@AAEXXZ	1095	0x10009de0
?_LockSpin@CReaderWriterLock2@@AAEX_N@Z	1096	0x10010c10
?_LockSpin@CReaderWriterLock3@@AAEXW4SPIN_TYPE@1@@Z	1097	0x10010d70
?_LockSpin@CReaderWriterLock@@AAEX_N@Z	1098	0x10010ab0
?_LockSpin@CSmallSpinLock@@AAEXXZ	1099	0x10010810
?_LockSpin@CSpinLock@@AAEXXZ	1100	0x10010920
?_MergeRecordSets@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@PAVCBucket@@PAVCNodeClump@@1@Z	1101	0x1000f5f0
?_PredTrue@CLKRLinearHashTable@@CG?AW4LK_PREDICATE@@PBXPAX@Z	1102	0x1000c130
?_ReadLockSpin@CReaderWriterLock2@@AAEXXZ	1103	0x1000abb0
?_ReadLockSpin@CReaderWriterLock3@@AAEXW4SPIN_TYPE@1@@Z	1104	0x1000afe0
?_ReadLockSpin@CReaderWriterLock@@AAEXXZ	1105	0x1000a760
?_ReadMemoryBarrier@?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@KGXXZ	1106	0x10009ba0
?_ReadMemoryBarrier@?$CDataCache@VCDateTime@@@@KGXXZ	1107	0x10009ba0
?_ReadOrWriteLock@CLKRLinearHashTable@@ABE_NXZ	1108	0x1000c0b0
?_ReadOrWriteUnlock@CLKRLinearHashTable@@ABEX_N@Z	1109	0x1000c0c0
?_ReadSequence@?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@IBEJXZ	1110	0x10015c90
?_ReadSequence@?$CDataCache@VCDateTime@@@@IBEJXZ	1111	0x1001dce0
?_RemoveThisFromGlobalList@CLKRHashTable@@AAEXXZ	1112	0x1000c740
?_RemoveThisFromGlobalList@CLKRLinearHashTable@@AAEXXZ	1113	0x1000c110
?_SegIndex@CLKRLinearHashTable@@ABEKK@Z	1114	0x1000bf40
?_Segment@CLKRLinearHashTable@@ABEAAPAVCSegment@@K@Z	1115	0x1000bf20
?_SetSegVars@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@W4LK_TABLESIZE@@K@Z	1116	0x1000ec10
?_SetSequence@?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@IAEJJ@Z	1117	0x1001dcc0
?_SetSequence@?$CDataCache@VCDateTime@@@@IAEJJ@Z	1118	0x1001dcf0
?_SplitRecordSet@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@PAVCNodeClump@@0KKK0@Z	1119	0x1000f280
?_SubTable@CLKRHashTable@@ABEPAVCLKRLinearHashTable@@K@Z	1120	0x1000d0a0
?_SubTableIndex@CLKRHashTable@@ABEHPAVCLKRLinearHashTable@@@Z	1121	0x1000d0f0
?_TryLock@CSmallSpinLock@@AAE_NXZ	1122	0x10009b50
?_TryLock@CSpinLock@@AAE_NXZ	1123	0x10009d90
?_TryReadLock@CReaderWriterLock2@@AAE_NXZ	1124	0x1000ac10
?_TryReadLock@CReaderWriterLock3@@AAE_NXZ	1125	0x1000ad50
?_TryReadLock@CReaderWriterLock@@AAE_NXZ	1126	0x1000a7e0
?_TryReadLockRecursive@CReaderWriterLock3@@AAE_NXZ	1127	0x1000b0b0
?_TryWriteLock2@CReaderWriterLock3@@AAE_NXZ	1128	0x1000b070
?_TryWriteLock@CReaderWriterLock2@@AAE_NJ@Z	1129	0x1000abc0
?_TryWriteLock@CReaderWriterLock3@@AAE_NJ@Z	1130	0x1000aff0
?_TryWriteLock@CReaderWriterLock@@AAE_NXZ	1131	0x1000a7a0
?_Unlock@CSpinLock@@AAEXXZ	1132	0x10009e20
?_WriteLockSpin@CReaderWriterLock2@@AAEXXZ	1133	0x10010bc0
?_WriteLockSpin@CReaderWriterLock3@@AAEXXZ	1134	0x10010d20
?_WriteLockSpin@CReaderWriterLock@@AAEXXZ	1135	0x1000a750
?s_aBucketSizes@?1??BucketSizes@CLKRHashTableStats@@SGPBJXZ@4QBJB	1136	0x100021e8
?sm_Primes@TREE_HASH_TABLE@@0PAKA	1137	0x10038160
?sm_cEventLogSource@EVENT_LOG@@0KA	1138	0x10039260
?sm_csItems@ALLOC_CACHE_HANDLER@@0U_RTL_CRITICAL_SECTION@@A	1139	0x10038650
?sm_csLock@EVENT_LOG@@0U_RTL_CRITICAL_SECTION@@A	1140	0x10038698
?sm_dblDfltSpinAdjFctr@CCritSec@@1NA	1141	0x10038060
?sm_dblDfltSpinAdjFctr@CFakeLock@@1NA	1142	0x10038070
?sm_dblDfltSpinAdjFctr@CReaderWriterLock2@@1NA	1143	0x10038020
?sm_dblDfltSpinAdjFctr@CReaderWriterLock3@@1NA	1144	0x10038010
?sm_dblDfltSpinAdjFctr@CReaderWriterLock@@1NA	1145	0x10038030
?sm_dblDfltSpinAdjFctr@CRtlResource@@1NA	1146	0x10038050
?sm_dblDfltSpinAdjFctr@CShareLock@@1NA	1147	0x10038040
?sm_dblDfltSpinAdjFctr@CSmallSpinLock@@1NA	1148	0x10038090
?sm_dblDfltSpinAdjFctr@CSpinLock@@1NA	1149	0x10038080
?sm_fHonorPageHeap@ALLOC_CACHE_HANDLER@@0HA	1150	0x100380a0
?sm_fInitCsItems@ALLOC_CACHE_HANDLER@@0HA	1151	0x10039238
?sm_fLockInitialized@EVENT_LOG@@0HA	1152	0x1003925c
?sm_fPageHeapEnabled@ALLOC_CACHE_HANDLER@@0HA	1153	0x1003922c
?sm_hHeap@ALLOC_CACHE_HANDLER@@0PAXA	1154	0x10039230
?sm_hTimer@ALLOC_CACHE_HANDLER@@0PAXA	1155	0x10039234
?sm_lItemsHead@ALLOC_CACHE_HANDLER@@0U_LIST_ENTRY@@A	1156	0x10038648
?sm_llGlobalList@CLKRHashTable@@0VCLockedDoubleList@@A	1157	0x1003828c
?sm_llGlobalList@CLKRLinearHashTable@@0VCLockedDoubleList@@A	1158	0x10038280
?sm_nFillPattern@ALLOC_CACHE_HANDLER@@0JA	1159	0x100380a4
?sm_pEventLogSource@EVENT_LOG@@0PAU_EVENT_LOG_SOURCE@@A	1160	0x10039264
?sm_pachBigRefTrace@BIG_REF_TRACE@@0PAVALLOC_CACHE_HANDLER@@A	1161	0x10039130
?sm_palloc@CLKRLinearHashTable@@1PAVALLOC_CACHE_HANDLER@@A	1162	0x100385f0
?sm_wDefaultSpinCount@CCritSec@@1GA	1163	0x10038068
?sm_wDefaultSpinCount@CFakeLock@@1GA	1164	0x10038078
?sm_wDefaultSpinCount@CReaderWriterLock2@@1GA	1165	0x10038028
?sm_wDefaultSpinCount@CReaderWriterLock3@@1GA	1166	0x10038018
?sm_wDefaultSpinCount@CReaderWriterLock@@1GA	1167	0x10038038
?sm_wDefaultSpinCount@CRtlResource@@1GA	1168	0x10038058
?sm_wDefaultSpinCount@CShareLock@@1GA	1169	0x10038048
?sm_wDefaultSpinCount@CSmallSpinLock@@1GA	1170	0x10038098
?sm_wDefaultSpinCount@CSpinLock@@1GA	1171	0x10038088
AddWpgToTokenDefaultDacl	194	0x1001a0c0
AdjustTokenIntegrityLevel	196	0x10010670
AllocateAndCreateWellKnownAcl	198	0x1001ac00
AllocateAndCreateWellKnownSid	199	0x1001a9e0
Base64Decode	258	0x10027b90
Base64Encode	259	0x10027a40
ConvertToFileSystemElement	320	0x10026a80
ConvertToXmlEscapedString	321	0x10011370
ConvertToXmlEscapedStringQuickly	322	0x10011510
ConvertToXmlEscapedStringQuicklyA	323	0x100115c0
ConvertUnicodeToMultiByte	324	0x10014540
CreateRefTraceLog	1174	0x10009930
CreateSubkey	366	0x1001e340
CreateTraceLog	1175	0x10009a10
DebugPrintHR	371	0x10024d20
DecryptMemoryPassword	374	0x1001b9f0
DestroyRefTraceLog	1176	0x10009950
DestroyTraceLog	1177	0x10009aa0
DisableTokenBackupPrivilege	394	0x1001a610
DupTokenAddAccess	396	0x1001ba70
DupTokenWithSameImpersonationLevel	397	0x1001a590
EncryptMemoryPassword	400	0x1001b990
FlipSlashes	455	0x100128d0
FreeSecurityAttributes	464	0x1001b8b0
FreeTokenSID	465	0x1001b5f0
FreeTokenUserSID	466	0x1001b5f0
FreeWellKnownAcl	467	0x1001abd0
FreeWellKnownSid	468	0x1001abd0
GenerateNameWithGUID	472	0x1001b8e0
GetCurrentTimeInSeconds	1179	0x10018f60
GetSecurityAttributesForSid	512	0x1001b620
GetTokenSID	536	0x1001b530
GetTokenUserSID	537	0x1001bf70
GrantWpgAccessToToken	538	0x1001a0a0
IISExpressPrintTrace	1180	0x10016e60
IISExpressPrintTraceError	1181	0x10017020
IISGetPlatformType	1183	0x10018f30
IISInitializeCriticalSection	1184	0x10010650
IISSetCriticalSectionSpinCount	1185	0x10010640
InetAcquireResourceExclusive	1186	0x10018b10
InetAcquireResourceShared	1187	0x100189f0
InetConvertExclusiveToShared	1188	0x10018e80
InetConvertSharedToExclusive	1189	0x10018d00
InetDeleteResource	1190	0x10018ef0
InetInitializeResource	1191	0x10018960
InetReleaseResource	1192	0x10018c60
InitializeIISUtil	1193	0x10015aa0
InitializeLocalRequest	557	0x10026cf0
InitializeSdFromProcessToken	558	0x1001a7e0
IrtlTrace	1194	0x10011220
IsLocalRequest	588	0x10026e50
IsPathUnc	591	0x100269b0
IsSSLReportingBackwardCompatibilityMode	614	0x1000a030
IsStringEqualOrdinalIgnoreCase	615	0x100129f0
LookupTokenAccountName	677	0x1001a710
MakeAllProcessHeapsLFH	678	0x10024c80
MakePathCanonicalizationProof	679	0x10012910
MakePathCanonicalizationProofNt	680	0x10012990
PuCloseDbgMemoryLog	1195	0x10016150
PuCloseDbgPrintFile	1196	0x10016050
PuCreateDebugPrintsObject	1197	0x10015cb0
PuDbgAssertFailed	1198	0x10016ac0
PuDbgCaptureContext	1199	0x1000a020
PuDbgCreateEvent	1200	0x100172b0
PuDbgCreateMutex	1201	0x10017400
PuDbgCreateSemaphore	1202	0x100172e0
PuDbgDump	1203	0x10016a00
PuDbgPrint	1204	0x100165b0
PuDbgPrintAssertFailed	1205	0x10016b00
PuDbgPrintCurrentTime	1206	0x10016b30
PuDbgPrintError	1207	0x100168b0
PuDbgPrintW	1208	0x10016770
PuDeleteDebugPrintsObject	1209	0x10015db0
PuGetDbgOutputFlags	1210	0x10015e40
PuLoadDebugFlagsFromReg	1211	0x10016ce0
PuLoadDebugFlagsFromRegStr	1212	0x10016d40
PuOpenDbgMemoryLog	1213	0x100160f0
PuOpenDbgPrintFile	1214	0x10015f10
PuReOpenDbgPrintFile	1215	0x10016010
PuSaveDebugFlagsInReg	1216	0x10016da0
PuSetDbgOutputFlags	1217	0x10015e10
QueryFlagsDebugPrintHR	751	0x10024e30
QueryLocalizedResourceString	755	0x10026c50
ReadDwordParameterValueFromAnyService	789	0x1001dd80
ReadMultiStringParameterValueFromAnyService	804	0x1001e130
ReadRegDword	813	0x1001dd10
ReadStringParameterValueFromAnyService	814	0x1001dff0
RemoveWorkItem	856	0x10018310
ResetTraceLog	1218	0x10009b10
ScheduleAdjustTime	875	0x100183d0
ScheduleWorkItem	876	0x10018200
SchedulerInitialize	877	0x100180e0
SchedulerTerminate	878	0x10018180
SetExplicitAccessSettings	905	0x1001aed0
SetFlagsDebugPrintHR	906	0x10024e40
SetStringParameterValueInAnyService	924	0x1001dec0
SkipTo	936	0x100128a0
SkipWhite	937	0x10012870
StartIISAdminMonitor	940	0x1001c140
StopIISAdminMonitor	943	0x1001c2e0
SystemTimeToGMT	949	0x1001d220
TerminateIISUtil	1219	0x10015c00
TerminateLocalRequest	954	0x10026e00
WriteRefTraceLog	1220	0x10009960
WriteRefTraceLogEx	1221	0x10009990
WriteTraceLog	1222	0x10009ad0
_GetAllocCounters@0	1178	0x1000a010
_IISGetCurrentTime@8	1182	0x1001d030
uudecode	1172	0x100196d0
uuencode	1173	0x10019810

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\iisutil.dll"
Imagebase:	0xca0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 636
Imagebase:	0xb80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:55:59
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 644
Imagebase:	0xb80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:56:02
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@VCDateTime@@@@QAE@XZ
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:56:02
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 636
Imagebase:	0xb80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:56:05
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:56:05
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 636
Imagebase:	0xb80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@VCDateTime@@@@QAE@XZ
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uuencode
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uudecode
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_IISGetCurrentTime@8
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_GetAllocCounters@0
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteTraceLog
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLogEx
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLog
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateLocalRequest
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateIISUtil
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SystemTimeToGMT
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StopIISAdminMonitor
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StartIISAdminMonitor
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:56:08
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipWhite
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipTo
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetStringParameterValueInAnyService
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetFlagsDebugPrintHR
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetExplicitAccessSettings
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerTerminate
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerInitialize
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleWorkItem
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	09:56:09
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleAdjustTime
Imagebase:	0x820000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.6%
Total number of Nodes:	22
Total number of Limit Nodes:	6

Executed Functions

Function 6E696317 Relevance: 13.2, APIs: 1, Strings: 6, Instructions: 979
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 6E696B9A

Strings

api., xrefs: 6E696B86
Appe, xrefs: 6E696B68
ndW, xrefs: 6E696B72
Path, xrefs: 6E696B5E
shlw, xrefs: 6E696B7C
dll, xrefs: 6E696B90

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: LibraryLoad
String ID: Appe$Path$api.$dll$ndW$shlw
API String ID: 1029625771-3557965621
Opcode ID: 70f1d6bfe61cf298835833942421f9d9ed132b639d4280f8b83783f8e97fda65
Instruction ID: 4bd9811aaeded156c55fc664ce367f93692db05e003ca861b015272e96517f51
Opcode Fuzzy Hash: 70f1d6bfe61cf298835833942421f9d9ed132b639d4280f8b83783f8e97fda65
Instruction Fuzzy Hash: C4423AB56182039FDB04DF94CC94EEBB3FAEB98700F10892CF69597290D775A846C762

Function 6E696830 Relevance: 28.4, APIs: 1, Strings: 15, Instructions: 404
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,?,?,?,?,?,?,00000001,?,00000001,?,?,?,?,00000000), ref: 6E697637

Strings

RtlD, xrefs: 6E697517
ileS, xrefs: 6E6968E1
sBuf, xrefs: 6E697535
ecom, xrefs: 6E697521
ntdl, xrefs: 6E697502
l.dl, xrefs: 6E697509
eroM, xrefs: 6E696915
GetF, xrefs: 6E6968D7
ize, xrefs: 6E6968EB
l, xrefs: 6E697510
emor, xrefs: 6E6974D6
RtlZ, xrefs: 6E69690B
y, xrefs: 6E6974E0
fer, xrefs: 6E69753F
pres, xrefs: 6E69752B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateFile
String ID: GetF$RtlD$RtlZ$ecom$emor$eroM$fer$ileS$ize$l$l.dl$ntdl$pres$sBuf$y
API String ID: 823142352-2981927602
Opcode ID: 380366e957e14ca05d15938fe2a848a4e049c472b1582f8fe30be5e8e25873e8
Instruction ID: 3b2862da892be7bc9c28acb1f4529e5518d4e9e228865ceeb94fe50d5a3d00e0
Opcode Fuzzy Hash: 380366e957e14ca05d15938fe2a848a4e049c472b1582f8fe30be5e8e25873e8
Instruction Fuzzy Hash: 27D1DFB5904206AFDB10DFA4CC84BDEBBF9EB88310F00896DF559A7250D734AA55CF62

Function 6E696860 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 195
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,?,?,?,?,?,?,00000001,?,00000001,?,?,?,?,00000000), ref: 6E697637

Strings

RtlD, xrefs: 6E697517
ileS, xrefs: 6E6968E1
sBuf, xrefs: 6E697535
ecom, xrefs: 6E697521
ntdl, xrefs: 6E697502
l.dl, xrefs: 6E697509
eroM, xrefs: 6E696915
GetF, xrefs: 6E6968D7
ize, xrefs: 6E6968EB
l, xrefs: 6E697510
emor, xrefs: 6E6974D6
RtlZ, xrefs: 6E69690B
y, xrefs: 6E6974E0
fer, xrefs: 6E69753F
pres, xrefs: 6E69752B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateFile
String ID: GetF$RtlD$RtlZ$ecom$emor$eroM$fer$ileS$ize$l$l.dl$ntdl$pres$sBuf$y
API String ID: 823142352-2981927602
Opcode ID: 741a9a556caba2610e0f526890064e831d5865cca449a66ecffa4be8b656c3a9
Instruction ID: 8c693f035fcfafd83c2e9159f637096a105f341687f3a0ab984d5f2dc7ca2089
Opcode Fuzzy Hash: 741a9a556caba2610e0f526890064e831d5865cca449a66ecffa4be8b656c3a9
Instruction Fuzzy Hash: DC51C2B190421A9FDB10DF94CC84BDEBBFDFB88300F10896DE659A7240D7359A568F62

Function 6E696880 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 183
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,?,?,?,?,?,?,00000001,?,00000001,?,?,?,?,00000000), ref: 6E697637

Strings

RtlD, xrefs: 6E697517
ileS, xrefs: 6E6968E1
sBuf, xrefs: 6E697535
ecom, xrefs: 6E697521
ntdl, xrefs: 6E697502
l.dl, xrefs: 6E697509
eroM, xrefs: 6E696915
GetF, xrefs: 6E6968D7
ize, xrefs: 6E6968EB
l, xrefs: 6E697510
emor, xrefs: 6E6974D6
RtlZ, xrefs: 6E69690B
y, xrefs: 6E6974E0
fer, xrefs: 6E69753F
pres, xrefs: 6E69752B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateFile
String ID: GetF$RtlD$RtlZ$ecom$emor$eroM$fer$ileS$ize$l$l.dl$ntdl$pres$sBuf$y
API String ID: 823142352-2981927602
Opcode ID: c84994f600bd8547888de1f61d564d79a8ee3461bffd37b6b46f39b559841746
Instruction ID: 989b0707a604c4b14abe55c9eecea4c7841f6442a6ff71acccc0e09b6d52a306
Opcode Fuzzy Hash: c84994f600bd8547888de1f61d564d79a8ee3461bffd37b6b46f39b559841746
Instruction Fuzzy Hash: 8A51BFB190421A9FDB10DF94CC80BEEB7FDFB88304F10896DE659A7240D7359A558F62

Function 6E6968B0 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 163
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,?,?,?,?,?,?,00000001,?,00000001,?,?,?,?,00000000), ref: 6E697637

Strings

RtlD, xrefs: 6E697517
ileS, xrefs: 6E6968E1
sBuf, xrefs: 6E697535
ecom, xrefs: 6E697521
ntdl, xrefs: 6E697502
l.dl, xrefs: 6E697509
eroM, xrefs: 6E696915
GetF, xrefs: 6E6968D7
ize, xrefs: 6E6968EB
l, xrefs: 6E697510
emor, xrefs: 6E6974D6
RtlZ, xrefs: 6E69690B
y, xrefs: 6E6974E0
fer, xrefs: 6E69753F
pres, xrefs: 6E69752B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateFile
String ID: GetF$RtlD$RtlZ$ecom$emor$eroM$fer$ileS$ize$l$l.dl$ntdl$pres$sBuf$y
API String ID: 823142352-2981927602
Opcode ID: 4cb8bc7ccdfe840423dbdae73b488ce9436a89939f7437dec38d074358264513
Instruction ID: cc141be1f93cfebfe8b1bc5389765d48f1e72f020880adfa9c41e8f9fd945273
Opcode Fuzzy Hash: 4cb8bc7ccdfe840423dbdae73b488ce9436a89939f7437dec38d074358264513
Instruction Fuzzy Hash: 4F517DB190421AAFDB20CF94CC80BDEB7FDFB48304F10896DE659A7250D735AA558F62

Function 6E697520 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 125
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,?,?,?,?,?,?,00000001,?,00000001,?,?,?,?,00000000), ref: 6E697637

Strings

sBuf, xrefs: 6E697535
fer, xrefs: 6E69753F
ecom, xrefs: 6E697521
pres, xrefs: 6E69752B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateFile
String ID: ecom$fer$pres$sBuf
API String ID: 823142352-3854289201
Opcode ID: b161d28154ae0b4287558cd9a8fd11d870dcb4a018036578e6d6dda904ec6e24
Instruction ID: 3a5729650794161be72cc98632f381b19758eae9f214c1abb5945000dec4b400
Opcode Fuzzy Hash: b161d28154ae0b4287558cd9a8fd11d870dcb4a018036578e6d6dda904ec6e24
Instruction Fuzzy Hash: 0E3191B1904206AFDB11DF98CC80A9FB7FDEB88304F004A1DF655A3250D735AA568B62

Non-executed Functions

Function 6E6907A0 Relevance: 58.1, APIs: 21, Strings: 12, Instructions: 326
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6907AD

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6907D7
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000036A,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = %x,00000000,00000000), ref: 6E6909A5
ConnectNamedPipe.KERNEL32(?,00000020,00000000), ref: 6E6909D6
GetLastError.KERNEL32 ref: 6E6909E0
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000037D,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed ConnectNamedPipe, hr = %x,00000000), ref: 6E690A26
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000030D,IPM_MESSAGE_PIPE::IpmMessageDeleted,IPM_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d), ref: 6E69080C

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Part of subcall function 6E6913AE: ?IpmMessageCreated@IPM_MESSAGE_PIPE@@QAGXPAVIPM_MESSAGE_IMP@@@Z.IISUTIL(?,00000000,?,?,00000000,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E6913EE
Part of subcall function 6E6913AE: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000652,IPM_MESSAGE_IMP::CreateMessage,IPM_MESSAGE_PIPE::CreateMessage failed allocation of IPM_MESSAGE_IMP, hr = %x,8007000E,?,?,00000000,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E691439

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000330,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe called name=%S,?), ref: 6E69087B
??0IPM_MESSAGE_PIPE@@AAE@XZ.IISUTIL ref: 6E6908A2
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000345,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed allocation of IPM_MESSAGE_PIPE, hr = %x,8007000E), ref: 6E6908DE
CreateNamedPipeW.KERNEL32(?,40080003,00000006,00000001,00001000,00001000,00000000,?), ref: 6E690916
GetLastError.KERNEL32 ref: 6E690925
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000360,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateNamedPipe, hr = %x,00000000), ref: 6E690962
CloseHandle.KERNEL32(00000000,00000000,00000010), ref: 6E690B76
CloseHandle.KERNEL32(?,00000000,00000010), ref: 6E690B89

Strings

IPM_MESSAGE_PIPE::CreateIpmMessagePipe, xrefs: 6E690866, 6E6908C9, 6E69094D, 6E690990, 6E690A11, 6E690A91, 6E690AE2, 6E690B3C
IPM_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x, xrefs: 6E690B37
IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = %x, xrefs: 6E69098B
IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateFile, hr = %x, xrefs: 6E690A8C
IPM_MESSAGE_PIPE::CreateMessagePipe called name=%S, xrefs: 6E690861
IPM_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x, xrefs: 6E690ADD
IPM_MESSAGE_PIPE::CreateMessagePipe failed allocation of IPM_MESSAGE_PIPE, hr = %x, xrefs: 6E6908C4
IPM_MESSAGE_PIPE::CreateMessagePipe failed ConnectNamedPipe, hr = %x, xrefs: 6E690A0C
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690801, 6E690870, 6E6908D3, 6E690957, 6E69099A, 6E690A1B, 6E690AEC
IPM_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d, xrefs: 6E6907F2
IPM_MESSAGE_PIPE::IpmMessageDeleted, xrefs: 6E6907F7
IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateNamedPipe, hr = %x, xrefs: 6E690948

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$ErrorLast$CloseHandleLock3@@NamedPipeReaderWriteWriter$ConnectCreateCreated@CurrentFreeInternal@Lock@MemoryMessageP@@@ThreadUnlock@
String ID: IPM_MESSAGE_PIPE::CreateIpmMessagePipe$IPM_MESSAGE_PIPE::CreateMessagePipe called name=%S$IPM_MESSAGE_PIPE::CreateMessagePipe failed ConnectNamedPipe, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateFile, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateNamedPipe, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed allocation of IPM_MESSAGE_PIPE, hr = %x$IPM_MESSAGE_PIPE::IpmMessageDeleted$IPM_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 3811500834-3680292098
Opcode ID: 28737a994bd9bf0a68bc0a8cb7764bb749ba88ec465cb9bc374777e838e31f7a
Instruction ID: 529db2e2c30716fddbe8f019c6318fb7a74db94b638e7b5b41ffc4c90eed112c
Opcode Fuzzy Hash: 28737a994bd9bf0a68bc0a8cb7764bb749ba88ec465cb9bc374777e838e31f7a
Instruction Fuzzy Hash: C2B17E71550702ABDB518FA9CC18F4F7BA9AF42328F000619F854AB3D2E771E901DBE5

Function 6E68B620 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 208COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000), ref: 6E68B685
SetExplicitAccessSettings.IISUTIL(00000000,C0000000,00000001,?), ref: 6E68B6C1
SetEntriesInAclW.ADVAPI32(00000001,00000000,00000000,?), ref: 6E68B6D0
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B6F6
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,000004AF,GetSecurityAttributesForSid,00000000,Setting ACE's into ACL failed.), ref: 6E68B727
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68B73C
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 6E68B784
GetLastError.KERNEL32 ref: 6E68B78E
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B7AC
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 6E68B7DD
GetLastError.KERNEL32 ref: 6E68B7E7
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B809
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,000004D3,GetSecurityAttributesForSid,00000000,Setting the DACL on the security descriptor failed), ref: 6E68B83A
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68B84F

Strings

Setting ACE's into ACL failed., xrefs: 6E68B70C
Setting the DACL on the security descriptor failed, xrefs: 6E68B81F
GetSecurityAttributesForSid, xrefs: 6E68B712, 6E68B7C8, 6E68B825
Initializing the security descriptor failed, xrefs: 6E68B7C2
inetsrv\iis\iisrearc\core\common\util\secfcns.cxx, xrefs: 6E68B71C, 6E68B82F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$Error$DescriptorLastPrintSecurity$AccessDaclEntriesExplicitFreeInitializeLocalSettings
String ID: GetSecurityAttributesForSid$Initializing the security descriptor failed$Setting ACE's into ACL failed.$Setting the DACL on the security descriptor failed$inetsrv\iis\iisrearc\core\common\util\secfcns.cxx
API String ID: 1450439229-3523800810
Opcode ID: df6a688f25945d8a282cba1562008d6df0f4851c35a0ef00ac66f199f7698ac0
Instruction ID: 642d3bf53de8317cd5cbd1e08459e5e082d0fe64c71e2a58172d5c2ce4dc899e
Opcode Fuzzy Hash: df6a688f25945d8a282cba1562008d6df0f4851c35a0ef00ac66f199f7698ac0
Instruction Fuzzy Hash: CB613A75684B02BFFB614FA9CC08B5F7BA4AB02724F004429F6489F2E4C770A84197B9

Function 6E687ECB Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 178memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,00000000), ref: 6E687EFC
GetProcAddress.KERNEL32(00000000,GetLogicalProcessorInformationEx), ref: 6E687F10
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E687F35
GetProcessHeap.KERNEL32(00000008,?), ref: 6E687F4A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E687F51
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E687F74
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E687F7B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E687FA2
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E687FA9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E687FC9
GetProcessHeap.KERNEL32(00000008,?), ref: 6E687FF1
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E687FF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E688023
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E688071
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E68808E
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E687E40), ref: 6E688095

Strings

kernel32, xrefs: 6E687EF7
@~hn, xrefs: 6E68809B
GetLogicalProcessorInformationEx, xrefs: 6E687F0A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Heap$Process$ErrorFreeLast$Alloc$AddressHandleInfoModuleProcSystem
String ID: @~hn$GetLogicalProcessorInformationEx$kernel32
API String ID: 68409348-523606640
Opcode ID: 58bdb4c7342ada9390b40521dc6152229d6fbd57d4cdb8d077fe6df1dfba2dd3
Instruction ID: 78ed8ffe5d42118e0a4ac8af4dd7476bae702e01fc2c38b3426b8569470cc0f8
Opcode Fuzzy Hash: 58bdb4c7342ada9390b40521dc6152229d6fbd57d4cdb8d077fe6df1dfba2dd3
Instruction Fuzzy Hash: E851C272E40B15AFCB509FFA8858B6F7BB9EF46751F00452AF945D6340DA35A8408A70

Function 6E67F3C0 Relevance: 24.2, APIs: 16, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F3DA

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F3EA
?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F42F
?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F453
?_AllocateNodeClump@CLKRLinearHashTable@@CGQAVCNodeClump@@XZ.IISUTIL(?,00000002), ref: 6E67F4A2
?_AllocateNodeClump@CLKRLinearHashTable@@CGQAVCNodeClump@@XZ.IISUTIL(?,00000002), ref: 6E67F4B5
?_FreeNodeClump@CLKRLinearHashTable@@CG_NPAVCNodeClump@@@Z.IISUTIL(00000000,?,00000002), ref: 6E67F4BF
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F4F7
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F4FF

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: NodeReaderWriteWriter$Lock2@@$Clump@HashLinearLock@Table@@Unlock@$AllocateClump@@Lock3@@$Clump@@@CurrentFreeThread
String ID:
API String ID: 550167008-0
Opcode ID: d09ff5fcf3d13c01ed5cc7a9cc8499473e8acb8af245c8f4aad44dba8fce2ddf
Instruction ID: 9e25186ead6da3b9a388eba0d9f2bab438e6ac34bdc6eecd7f486331fe7d3a57
Opcode Fuzzy Hash: d09ff5fcf3d13c01ed5cc7a9cc8499473e8acb8af245c8f4aad44dba8fce2ddf
Instruction Fuzzy Hash: 79715E71A102158FDFA8DFA8C4D09AE77B5FF55714B2104A9DC029F24AEB30E852CF84

Function 6E695480 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 401COMMON

Download Yara Rule

APIs

?ValidLanguage@LANG_STRING@@AAEHPBD@Z.IISUTIL(?), ref: 6E695721

Strings

, xrefs: 6E695859
, xrefs: 6E6957E7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Language@Valid
String ID: $
API String ID: 226154044-227171996
Opcode ID: 5d1716b8f22c2299d058a0686b30edf0b423e2ac64b4211cad6381311cce7682
Instruction ID: ea4d2a2bbd7fbdd289bf70b9921651811ec0cdebc49d9f90bc1136f4df4b8a26
Opcode Fuzzy Hash: 5d1716b8f22c2299d058a0686b30edf0b423e2ac64b4211cad6381311cce7682
Instruction Fuzzy Hash: 26E1E271A083838FE315CF68C89079BBBE2FF86315F10486EE49997251E730D945DBA2

Function 6E6868B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6E6868FF

Part of subcall function 6E686247: strrchr.MSVCRT ref: 6E686259
Part of subcall function 6E686247: GetCurrentThreadId.KERNEL32 ref: 6E686284
Part of subcall function 6E686247: sprintf_s.MSVCRT ref: 6E686292
Part of subcall function 6E686247: _vsnprintf_s.MSVCRT ref: 6E6862B5
Part of subcall function 6E686247: ?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E6862CA

FormatMessageA.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 6E686957
_snprintf_s.MSVCRT ref: 6E686975
?Append@STRA@@QAEJPBD@Z.IISUTIL(?), ref: 6E68698F
?Append@STRA@@QAEJPBD@Z.IISUTIL(?), ref: 6E68699C
?Append@STRA@@QAEJPBD@Z.IISUTIL(6E672974), ref: 6E6869AA
LocalFree.KERNEL32(00000000), ref: 6E6869C5
SetLastError.KERNEL32(?), ref: 6E6869CF
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E6869E0

Part of subcall function 6E68643D: WriteFile.KERNEL32(00000100,?,?,?,00000000,?,?,?), ref: 6E6864B2
Part of subcall function 6E68643D: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E6864C6

Strings

Error(%x): , xrefs: 6E68696B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@Free$ErrorInternal@LastMemory$CurrentFileFormatLocalMessageResize@ThreadWrite_snprintf_s_vsnprintf_ssprintf_sstrrchr
String ID: Error(%x):
API String ID: 91136814-2058922034
Opcode ID: 5f9ccb7863f41eda35ef9cb50812ceae753f3b7561f83296fb174bf4977cc861
Instruction ID: 8b25d726402e2e28047881fced17584f18ff27ca56d372324fb7445810d42c74
Opcode Fuzzy Hash: 5f9ccb7863f41eda35ef9cb50812ceae753f3b7561f83296fb174bf4977cc861
Instruction Fuzzy Hash: 88317271414346AFCB15CF54C844AEFBBE9FF85304F00892DF595822A0DB70E948CBA6

Function 6E689F47 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,6E6A9270,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx), ref: 6E689F90
GetLastError.KERNEL32 ref: 6E689F9A
LocalFree.KERNEL32(?), ref: 6E689FB9
FreeSid.ADVAPI32(?), ref: 6E689FCF
LocalAlloc.KERNEL32(00000000,0000001C), ref: 6E689FE0
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68A017

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E689F59
, xrefs: 6E689F83

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Free$Local$AllocAllocateErrorInitializeInternal@LastMemory
String ID: $inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx
API String ID: 4180450256-1771132495
Opcode ID: 2d7b0a3360e257aab457734ee03c615fa24d9eb6de1cecafb623888ca19239b4
Instruction ID: 5fae1744a299deb8d36c15b3a081cf1503788e22d07343e4208966ca0c538ca7
Opcode Fuzzy Hash: 2d7b0a3360e257aab457734ee03c615fa24d9eb6de1cecafb623888ca19239b4
Instruction Fuzzy Hash: 5E216271D806199BDB508FAAD88869FBBB8BB06308F10406EE909E7381D7719904CB94

Function 6E67CD10 Relevance: 10.6, APIs: 7, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

strncpy_s.MSVCRT ref: 6E67CD4D
?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67CD5F

Part of subcall function 6E67B7C0: ?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B7C9
Part of subcall function 6E67B7C0: ?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B7E2

?NumSubTables@CLKRHashTable@@SG?AW4LK_TABLESIZE@@AAK0@Z.IISUTIL(?,?), ref: 6E67CDA5
?_AllocateSubTableArray@CLKRHashTable@@CGQAPAVCLKRLinearHashTable@@I@Z.IISUTIL(?,?,?), ref: 6E67CDB5
?_AllocateSubTable@CLKRHashTable@@CGQAVCLKRLinearHashTable@@PBDP6G?BKPBX@ZP6GKK@ZP6G_NKK@ZP6GX1H@ZNKPAV1@_N@Z.IISUTIL(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 6E67CDFA
?IsValid@CLKRLinearHashTable@@QBE_NXZ.IISUTIL(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 6E67CE0F
?_FreeSubTable@CLKRHashTable@@CG_NPAVCLKRLinearHashTable@@@Z.IISUTIL(?,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 6E67CE4A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Hash$Table@@$Linear$AllocateLock@@SpinTable@$Array@DoubleEntry@@@FreeHead@InsertListList@@Lock@LockedTableTable@@@Tables@Unlock@V1@_Valid@Writestrncpy_s
String ID:
API String ID: 925649478-0
Opcode ID: cfd6c559ef5479aef4059f9ed07af259ee7ce59dea816089e8d92e1290e8dbcf
Instruction ID: db10c26c9c76fec8195efb37cd5dfeb22221062eea3061e9c2a67f780b9c574d
Opcode Fuzzy Hash: cfd6c559ef5479aef4059f9ed07af259ee7ce59dea816089e8d92e1290e8dbcf
Instruction Fuzzy Hash: 1241C272500B069FCF30CFA9C854A97BBF9EF49764B100B1EE8A68A5A0D730F545CB91

Function 6E685E5F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Critical Error: Unable to Open File %s. Error = %d, xrefs: 6E685EC8

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID: Critical Error: Unable to Open File %s. Error = %d
API String ID: 0-3932740230
Opcode ID: 9904ff4028356ddc36320659ae8aa1fb70fcdb5bdd3186ae37604a076e2b0b7f
Instruction ID: cda9f7c686eff6af9ef2a013413e757fdd7ef785abe55e8cabe387e24d772b0f
Opcode Fuzzy Hash: 9904ff4028356ddc36320659ae8aa1fb70fcdb5bdd3186ae37604a076e2b0b7f
Instruction Fuzzy Hash: 45112B71A80600BBC7309AB9CC0CB9B7368DB46720F000B56F777E72C0DA706905CAA8

Function 6E687AC0 Relevance: 7.5, APIs: 5, Instructions: 39memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6E687ACF
InterlockedPopEntrySList.KERNEL32(?,?,?,6E67EE2B,6E67F1E1), ref: 6E687AE1
HeapAlloc.KERNEL32(00000000,?,00000000,?,6E67EE2B,6E67F1E1), ref: 6E687AF8
?PopAnyFreeListEntry@ALLOC_CACHE_HANDLER@@AAEPAXXZ.IISUTIL(?,6E67EE2B,6E67F1E1), ref: 6E687B0C

Part of subcall function 6E687BB0: InterlockedPopEntrySList.KERNEL32(?,00000000,00000000,6E687B11,?,6E67EE2B,6E67F1E1), ref: 6E687BD1

SetLastError.KERNEL32(00000008,?,6E67EE2B,6E67F1E1), ref: 6E687B19

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: List$EntryInterlocked$AllocCurrentEntry@ErrorFreeHeapLastThread
String ID:
API String ID: 3069642763-0
Opcode ID: bceea31fd8a41f862227d7bc3625e1abd76b8be9bd7a47d5632e6a24699f2db8
Instruction ID: 1789019fd25e6597bf37959c3264ff5ce84f1eaa4bdadfa7b6c30f31addaa7aa
Opcode Fuzzy Hash: bceea31fd8a41f862227d7bc3625e1abd76b8be9bd7a47d5632e6a24699f2db8
Instruction Fuzzy Hash: A2F0D132A41D22ABC7660FAAC848B1BB772FF86711F058916E805D7280CB30FC118BE0

Function 6E68B9F0 Relevance: 6.0, APIs: 4, Instructions: 45encryptionCOMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(?), ref: 6E68BA0D

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

CryptUnprotectMemory.CRYPT32(?,?,00000000), ref: 6E68BA32
GetLastError.KERNEL32 ref: 6E68BA3C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastResize@$CryptMemoryUnprotect
String ID:
API String ID: 1651209821-0
Opcode ID: 2295dbe547b11f43b9d5451d7d4a9be874b2eb3b8ed730de5b62927bb3959668
Instruction ID: 8c86a43c3ce1c386b489c2c1d3f0208db9db8e4481da1b08ed5efd8c8888b218
Opcode Fuzzy Hash: 2295dbe547b11f43b9d5451d7d4a9be874b2eb3b8ed730de5b62927bb3959668
Instruction Fuzzy Hash: 50F0C236600021E7DB111AEBCC48B9BBB6DFF86364B154126FD4DEA224D721E91096F9

Function 6E689D40 Relevance: 4.6, APIs: 3, Instructions: 90COMMON

Download Yara Rule

APIs

CoDisconnectObject.OLE32(?,00000000), ref: 6E689DFF
EnterCriticalSection.KERNEL32(?,?,00000000), ref: 6E689E09
LeaveCriticalSection.KERNEL32(?), ref: 6E689E14

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$DisconnectEnterLeaveObject
String ID:
API String ID: 1925910550-0
Opcode ID: da2f480b416d2b5eb47906b966ac3d35a5967db01f7d848648ccf2dfc999d259
Instruction ID: d5945500c27609f6d16588491abba7467d8b737def9328130ab8bb878072da93
Opcode Fuzzy Hash: da2f480b416d2b5eb47906b966ac3d35a5967db01f7d848648ccf2dfc999d259
Instruction Fuzzy Hash: CB316B35A00A05AFCB05DFA9C8989AEB7B9FF1E215710816AE50AD7310DB30BD01CB94

Function 6E689C40 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

CoDisconnectObject.OLE32(?,00000000,?,?), ref: 6E689CD2
EnterCriticalSection.KERNEL32(?), ref: 6E689D06
LeaveCriticalSection.KERNEL32 ref: 6E689D14

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$DisconnectEnterLeaveObject
String ID:
API String ID: 1925910550-0
Opcode ID: 8d69fa2992ee6763f07230debf83b56f3e3eb579f9196ed0dceffde681318b77
Instruction ID: becc75f52debf2e036dc9c09578000496a47e3e924c23b185078aa4d77047c1f
Opcode Fuzzy Hash: 8d69fa2992ee6763f07230debf83b56f3e3eb579f9196ed0dceffde681318b77
Instruction Fuzzy Hash: 69315E35A00A05AFCB15DFA9C898A5EBBF8FF5E305710416AE506D7350CB30BD05CB64

Function 6E68E9D0 Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(00000114), ref: 6E68EA0E
GetModuleHandleW.KERNEL32(?), ref: 6E68EA32
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6E68EA49

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Module$FileHandleNameVersion
String ID:
API String ID: 2739136918-0
Opcode ID: ea7744069d3d0682664be4f069e9877e4c3f0a8331299e207b949b1ba7e9d37b
Instruction ID: 847a4690ea8ff491512e062cd0a409e2e41733ac678560690cf404f7f58eca7a
Opcode Fuzzy Hash: ea7744069d3d0682664be4f069e9877e4c3f0a8331299e207b949b1ba7e9d37b
Instruction Fuzzy Hash: 9711A335940619ABDB11CFA9CC48AABB7B8FB06B14F04456EA91596240CBB4EB44CBF0

Function 6E68B990 Relevance: 4.5, APIs: 3, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(?), ref: 6E68B9A9

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

CryptProtectMemory.CRYPT32(?,?,00000000), ref: 6E68B9B8
GetLastError.KERNEL32 ref: 6E68B9C2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastResize@$CryptMemoryProtect
String ID:
API String ID: 3944735817-0
Opcode ID: b9a4970a61a0eef246bc768be29aab4c4b77cad67f58dd1a16ac257d7c0e98e2
Instruction ID: 01c24b1ce5b33ca31e189828d9e7fa6a874598a2a14cdc2dd135ca0f0f5ebd61
Opcode Fuzzy Hash: b9a4970a61a0eef246bc768be29aab4c4b77cad67f58dd1a16ac257d7c0e98e2
Instruction Fuzzy Hash: 51F0A93664013567AA100AAB9C04B9BBB9CAF832B9B1A0023E949E7215D620EC20D6F4

Function 6E67CEB0 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

?_FreeSubTable@CLKRHashTable@@CG_NPAVCLKRLinearHashTable@@@Z.IISUTIL(?), ref: 6E67CEC3

Part of subcall function 6E67F060: ??1CLKRLinearHashTable@@QAE@XZ.IISUTIL(?,6E67CE4F,?,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 6E67F06E
Part of subcall function 6E67F060: ?Free@ALLOC_CACHE_HANDLER@@QAEHPAX@Z.IISUTIL(00000000,?,6E67CE4F,?,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 6E67F07C

?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67CEE0

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Hash$LinearTable@@$DoubleEntry@Entry@@@FreeFree@ListList@@LockedRemoveTable@Table@@@
String ID:
API String ID: 762604774-0
Opcode ID: 6adecccd7eba9e57de960a66b147084638846c077bf183d2cf6d479114cedd8d
Instruction ID: 4e09570d1e7961b897b145b1884740eb74efecd4fdbd2838620afc0fc36af6b2
Opcode Fuzzy Hash: 6adecccd7eba9e57de960a66b147084638846c077bf183d2cf6d479114cedd8d
Instruction Fuzzy Hash: C3E09232500B018ECB315F99D804C97BBFABFC43603110F2EE0A64B664DB30B8869B94

Function 6E67B7C0 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B7C9

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B7E2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: cdf7edcc4721913e593d83f000f6a803c015c705089a9f82f63e2af00cdee839
Instruction ID: b9d9a4bbcb24f90d4534f41a238223a5813f79907b95f93ea5a20c005e543031
Opcode Fuzzy Hash: cdf7edcc4721913e593d83f000f6a803c015c705089a9f82f63e2af00cdee839
Instruction Fuzzy Hash: D3E0ECB62012169BC724DF9AD400886FFEEEFD5365316C52AE5588B310CA71E841CBD4

Function 6E67B800 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B809

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B823

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: 47f2937a9bfa15dbcf19c22756b27a82dd191e4f1b1df0939b6e03c470f1349b
Instruction ID: c9441e4a108eb52aa895990db518833da37f23cfac458ee5ad592301313cf11a
Opcode Fuzzy Hash: 47f2937a9bfa15dbcf19c22756b27a82dd191e4f1b1df0939b6e03c470f1349b
Instruction Fuzzy Hash: 31E0ECB62016159B8724DF9AD500887FBEEEFD5765306C52AE5188B710CA70EC41CBD4

Function 6E67B850 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B857

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B86B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: 117911bc1c8c8fdece0f0ca1e292eb9649562f07eabafb58d3c26043889a9a0d
Instruction ID: 63b277673f5fdb8b5f938485802faacbae84f8fffc20cec8320e963ab92f1449
Opcode Fuzzy Hash: 117911bc1c8c8fdece0f0ca1e292eb9649562f07eabafb58d3c26043889a9a0d
Instruction Fuzzy Hash: 83D09EB63015119B8B249F9A9580886FBEAFFC82A632AC569E55897301C730EC15C7E4

Function 6E67B890 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B897

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B8AB

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: 850fafd878bd9456adbaa324ffe704646eaae6ef1945259cc62187c8b830b42e
Instruction ID: 7fdd74c162097c9ba4baa9e6b0e258ecbca79afdd0d2befbda52c7a390a06479
Opcode Fuzzy Hash: 850fafd878bd9456adbaa324ffe704646eaae6ef1945259cc62187c8b830b42e
Instruction Fuzzy Hash: 82D09EB63015115B8B249F9A9480886FBEAFFC82A632AC569E55897301C730EC55C7E4

Function 6E67B670 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B676

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B689

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: 7b2f699f42becfdc3b79a9df36e334925653a2022c507d1279d004040d09fe2b
Instruction ID: ca28353bae7744de9bcf287819d508e5d92bbc3de40087708b2ce56b0ffe18b5
Opcode Fuzzy Hash: 7b2f699f42becfdc3b79a9df36e334925653a2022c507d1279d004040d09fe2b
Instruction Fuzzy Hash: 55D0C936305A11474A389A5AA41089BA7AB9FC1A69317882EA13987744CB31EC02C7D4

Function 6E67B8C0 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B8C8

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B8DC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: 589f2c836230985c183dbfd9788a27f3f4f64b9483a139190579ed9e27da4b99
Instruction ID: 16b9b7bfb93fa5e7d7edaff4f273bab2b8b64758cc51c449f64018469bec456a
Opcode Fuzzy Hash: 589f2c836230985c183dbfd9788a27f3f4f64b9483a139190579ed9e27da4b99
Instruction Fuzzy Hash: 29D0C9762013149F8724DFA9D044C96BBEEEFC93A5306C4A6E9188F311CA71EC40DBD8

Function 6E67B6A0 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B6A8

Part of subcall function 6E679E80: GetCurrentThreadId.KERNEL32 ref: 6E679E90
Part of subcall function 6E679E80: ?_Lock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E679EBC

?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B6BA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$Lock@$CurrentThreadUnlock@Write
String ID:
API String ID: 3103023372-0
Opcode ID: 0008d66b0fd5d5d24853d5339562adcaba1b8e36cd42939bfcfcd8b80901c392
Instruction ID: 4320f82c6dda11e3c446c4a971c99fd703f452e87fb91e54b766876ad9820fd0
Opcode Fuzzy Hash: 0008d66b0fd5d5d24853d5339562adcaba1b8e36cd42939bfcfcd8b80901c392
Instruction Fuzzy Hash: F8D0C9762017145B8724DFA9D040897BBEEDFC97A5301C82AE9698B700CA71EC40C7D8

Function 6E68CE30 Relevance: 3.0, APIs: 2, Instructions: 11timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6E68CE36
FileTimeToSystemTime.KERNEL32(?,?), ref: 6E68CE41

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 7fe60be588fe6f8f710ab48946bdf52348ea4f0a0499917dfa6c9870d2db0aab
Instruction ID: 2b5ed80a9ad02071cc71da712834d05f7fff5b141e733431e620b2b59fd2e3bf
Opcode Fuzzy Hash: 7fe60be588fe6f8f710ab48946bdf52348ea4f0a0499917dfa6c9870d2db0aab
Instruction Fuzzy Hash: 02C04C36445866AB5B51561AE81CCDF365DEE872153094457F41682200DB646D4387A5

Function 6E689810 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E689842

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Resize@
String ID:
API String ID: 3195250795-0
Opcode ID: d88143538ab0ff969140f36a746c5c12bb4bc9d1d3f2cc1328d70ac5719e646f
Instruction ID: 0b6cfa8d25ce50a4768de7055a718836b5c1a9aec71b95fad06c027422c9c10a
Opcode Fuzzy Hash: d88143538ab0ff969140f36a746c5c12bb4bc9d1d3f2cc1328d70ac5719e646f
Instruction Fuzzy Hash: 4541292260C2D24ED71A8F7988613B7BFF1AF4A214F1C85EED1EACB283D164D645C760

Function 6E687BB0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

InterlockedPopEntrySList.KERNEL32(?,00000000,00000000,6E687B11,?,6E67EE2B,6E67F1E1), ref: 6E687BD1

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: EntryInterlockedList
String ID:
API String ID: 1742685442-0
Opcode ID: 326feeacae563ba80a3cc41c0c74995ef92d3a1dfd41941ea5ba4dee2a53029f
Instruction ID: e5c786acd0dfaa04744d6ea632578097aa491844af451a3c0188a41794c7948f
Opcode Fuzzy Hash: 326feeacae563ba80a3cc41c0c74995ef92d3a1dfd41941ea5ba4dee2a53029f
Instruction Fuzzy Hash: 99E0CD3270091257C7689F29D96496B7BE7EFC17103164C2ED493D7654D630F882C6B0

Function 6E68A610 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 6E68A628

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d07f3f2d48c062a2fd53c002c6cd4abd7a7f88a652105fb75a098f0f9868eb59
Instruction ID: 8ef228b9bbc6cb80cc0cf01fd802e4ad612825f6bbb9dc0440fbbd81bc329f1d
Opcode Fuzzy Hash: d07f3f2d48c062a2fd53c002c6cd4abd7a7f88a652105fb75a098f0f9868eb59
Instruction Fuzzy Hash: 26D012B15741057F7F485B5ADC0FC7B3B5DD785610710412DB90981240FAE1FC50D574

Function 6E680609 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6E68061E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2c193db3986a3e39e53a25e2051618d6dadcafd531930f4f01931c62f1dda3a2
Instruction ID: b05eca89fcd8e30d34c37d3cb1c29cc38691c78a8ac4fc526f5e58daa0326eac
Opcode Fuzzy Hash: 2c193db3986a3e39e53a25e2051618d6dadcafd531930f4f01931c62f1dda3a2
Instruction Fuzzy Hash: F0D09E71D446495B8B44EAAE994995E77F8E74A310B100555EC08D3301EA71F8618B91

Function 6E67C0F0 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67C0FF

Part of subcall function 6E67B7C0: ?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B7C9
Part of subcall function 6E67B7C0: ?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B7E2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$DoubleEntry@@@Head@InsertListList@@Lock@LockedUnlock@Write
String ID:
API String ID: 3066587126-0
Opcode ID: 5df2d80a4f6e881c1e5db245005d22393b048779a8dcc7aa07ea5dc07b884095
Instruction ID: a93694c686afe4efdd99652403eff40103e56347b51ac4758696cf93b2bc1efb
Opcode Fuzzy Hash: 5df2d80a4f6e881c1e5db245005d22393b048779a8dcc7aa07ea5dc07b884095
Instruction Fuzzy Hash: 6BB092748101089ACE90AAA0C04879037AE6B45309F900ABDC0118A165C739D44ACB84

Function 6E67C110 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67C11F

Part of subcall function 6E67B8C0: ?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B8C8
Part of subcall function 6E67B8C0: ?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B8DC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$DoubleEntry@Entry@@@ListList@@Lock@LockedRemoveUnlock@Write
String ID:
API String ID: 371056203-0
Opcode ID: 58f84376a7f3278744b4fc33518b411bf72b8a61970347592dc7a75d97576d78
Instruction ID: 894fecfd611a49aef8874d6cdd4627acc6b216a9c09021e9f8b3dc478d8d7733
Opcode Fuzzy Hash: 58f84376a7f3278744b4fc33518b411bf72b8a61970347592dc7a75d97576d78
Instruction Fuzzy Hash: 2AB092B89001089ACE90DAA0C01879033EA6B46318F900BB8C0614A155C739D40A8A44

Function 6E67C740 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67C749

Part of subcall function 6E67B8C0: ?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B8C8
Part of subcall function 6E67B8C0: ?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B8DC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$DoubleEntry@Entry@@@ListList@@Lock@LockedRemoveUnlock@Write
String ID:
API String ID: 371056203-0
Opcode ID: 53b3eca84f0b4527f703db180b228cfb4bcb1ec2433374df6d8ea47fb921ac3a
Instruction ID: 82c705e1b6a2bfca7cdf7e4978435f8269be706569e19355e29b172f015e0545
Opcode Fuzzy Hash: 53b3eca84f0b4527f703db180b228cfb4bcb1ec2433374df6d8ea47fb921ac3a
Instruction Fuzzy Hash: EDA022E8800008038CC0ABF0C008822338F2EC82083C00FEAC8008B202CB38C8020880

Function 6E67C720 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

?InsertHead@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67C729

Part of subcall function 6E67B7C0: ?WriteLock@CSpinLock@@QAEXXZ.IISUTIL ref: 6E67B7C9
Part of subcall function 6E67B7C0: ?_Unlock@CSpinLock@@AAEXXZ.IISUTIL ref: 6E67B7E2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock@@Spin$DoubleEntry@@@Head@InsertListList@@Lock@LockedUnlock@Write
String ID:
API String ID: 3066587126-0
Opcode ID: 883856aeff6cb831589d40cc3397550961a4b10fe6079c7f834f0b0708a3a4b6
Instruction ID: 9cba267e9e1a79b92b156ad393a67a606601b9a0787c759e3b3c15fbbf3c876e
Opcode Fuzzy Hash: 883856aeff6cb831589d40cc3397550961a4b10fe6079c7f834f0b0708a3a4b6
Instruction Fuzzy Hash: 26A022A8800008038CC0ABF0C0088223B8F2EC82083C00FAEC8008B202CB38C8020AC0

Function 6E671708 Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85731804242188c6e8ff3d912810eb23021d82255b175de6e76382704d9d5916
Instruction ID: ba12e42afa13c41b7f13df4a26a555603f3bc7cdf4082a483e6f3583a6c156fa
Opcode Fuzzy Hash: 85731804242188c6e8ff3d912810eb23021d82255b175de6e76382704d9d5916
Instruction Fuzzy Hash: BE5209B645E3C18FD7838B7488656917FB1AF1722475B41EAC091CF0B3F2AA4D4ADB21

Function 6E6711C1 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d34b8d5cad0ff99ab17f8d2f3e8ca092e2b5c25c9d6850ffa02526c59a70c4
Instruction ID: 0cd7ea678f0593b2cceb5d592927d4067a76918c54b6f3e14aa72392b20a36d6
Opcode Fuzzy Hash: 46d34b8d5cad0ff99ab17f8d2f3e8ca092e2b5c25c9d6850ffa02526c59a70c4
Instruction Fuzzy Hash: CB128B8A94E7C01FE3038B74A8697957F716B67119F0F81DBC4C18F5A7E2584A1AD322

Function 6E695FB0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b120f72ce68837ec969ebe1abb7ed7cd7c9e71e667e18d0dac4e603ea16670b4
Instruction ID: 8134123dbf5dc763572cb4c5758f5cfa564bdcbb99db019fb5cad81b3900d684
Opcode Fuzzy Hash: b120f72ce68837ec969ebe1abb7ed7cd7c9e71e667e18d0dac4e603ea16670b4
Instruction Fuzzy Hash: B3415BB0508202DFDB04EF58C841AE6B3FAEB9A705F10882DE6858B2C1D335E856D751

Function 6E67B730 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d2bd2761c35d176874d8493522375eec8bc71abcd6e17c4676ae6cfeaf5a2c
Instruction ID: 4f496b4e164a29e3a63025a93ff04b5228de38187106bd2bf7f9eb2151a51fc1
Opcode Fuzzy Hash: 10d2bd2761c35d176874d8493522375eec8bc71abcd6e17c4676ae6cfeaf5a2c
Instruction Fuzzy Hash: 8DD002B5505309AF8305CF4AD140812FFE9FFDA714729C1AAE90C8B312D632E852CBE4

Function 6E67B710 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9ae4645df7feb5698650b5cd808bbf00a7ecda50034fb9f5d7693bbef0fd22
Instruction ID: 840e37fa690e360ea2c19bec0f50f2e74c7db752de9cce15b8c1b866bbc90074
Opcode Fuzzy Hash: 4d9ae4645df7feb5698650b5cd808bbf00a7ecda50034fb9f5d7693bbef0fd22
Instruction Fuzzy Hash: 96D002B55457099F8305CF5AD144812FFE9FFD9714725C1AAE50C8B321D631E851CB94

Function 6E67B790 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c48861c2045492b1d63f8fc05ebecf939e3e0550d9f29d1f8eea93f0aaa7dfb
Instruction ID: 14a0e89861125df3400a8f1b0079183f4adf05d18daaf85160705aa295e8f7c4
Opcode Fuzzy Hash: 3c48861c2045492b1d63f8fc05ebecf939e3e0550d9f29d1f8eea93f0aaa7dfb
Instruction Fuzzy Hash: 75C04C751053089F8304CF59D145C11BFE9EB9D710715C0A9E90D8B321D631FC11DB54

Function 6E67B620 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa091b25e91dfd32a06d093f7cb5afc4c5d56cf5a3aa7ae309463a06d3040bf
Instruction ID: e896dac0a74b269b4f8691cd36cf17344f62543c5dfb1052aab1a1d7dd154043
Opcode Fuzzy Hash: ffa091b25e91dfd32a06d093f7cb5afc4c5d56cf5a3aa7ae309463a06d3040bf
Instruction Fuzzy Hash: 31C09B751443089F8301CF59D040C127BE9EBD97147208065E5084B310D631F851CB94

Function 6E67B610 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c4cd95b71a15ad74036dbaa8140210854385fe0608265aba2fd627e1758bef
Instruction ID: ec6646266323f1d57d887da013528a9e75175c072932cf68b5b1351eaac2554c
Opcode Fuzzy Hash: 96c4cd95b71a15ad74036dbaa8140210854385fe0608265aba2fd627e1758bef
Instruction Fuzzy Hash: 6BB002742066058FAF55CF65C45051137A5EF8764577485D8D511CF27CD731D842DB50

Function 6E67B770 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b97a28c81027c2528430ecb9b62109b34c4428d10ecb9c675701e31a21b7736
Instruction ID: 34d856ee8714595046c7eaf294010b71e3b81132768da76e557b5966fc8a5182
Opcode Fuzzy Hash: 7b97a28c81027c2528430ecb9b62109b34c4428d10ecb9c675701e31a21b7736
Instruction Fuzzy Hash: 15C008B86056019F8709CF08D294811BBE1AB8A305369C1D9E5094B36AC732E842DA84

Function 6E67B750 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46054da1a579d439bea7993efbea5311bcd5f60d79edb67d88dfb2cb0810b4ae
Instruction ID: 4783f985e98a1e2f3c3bf5cf3854a5f5972d9e0e2eeeb0d917e337cdfc54406d
Opcode Fuzzy Hash: 46054da1a579d439bea7993efbea5311bcd5f60d79edb67d88dfb2cb0810b4ae
Instruction Fuzzy Hash: 42C008B86456019F8709CF18D194811BBA1AB8A705365C1D9E5094B369C732E842DA44

Function 6E67B840 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590fa9606339d91f6952edfa1d22c0b38a63cd7deba1dc780a2ec985f9353e30
Instruction ID: 17e927d61d23e454c05833a8063c1185178a583739840ab099a4030506dc705a
Opcode Fuzzy Hash: 590fa9606339d91f6952edfa1d22c0b38a63cd7deba1dc780a2ec985f9353e30
Instruction Fuzzy Hash:

Function 6E67B880 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fb1ba5481726698f2ad1f94f15e15d593eb57c9377e0e89fe66612efc19fee
Instruction ID: f0090e94b4ccc01061f09ccea5d40c33de993ea4ce201153cfb203873c56f6ed
Opcode Fuzzy Hash: e1fb1ba5481726698f2ad1f94f15e15d593eb57c9377e0e89fe66612efc19fee
Instruction Fuzzy Hash:

Function 6E68BA70 Relevance: 70.4, APIs: 30, Strings: 10, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.ADVAPI32(?,00000006,00000000,00000000,?), ref: 6E68BAE3
GetLastError.KERNEL32 ref: 6E68BAF1
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BB18
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,0000062A,DupTokenAddAccess,00000000,Failed to get size of default token), ref: 6E68BB49
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68BB5E
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E68BB71
GetLastError.KERNEL32(?), ref: 6E68BB7A
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BB9C
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000648,DupTokenAddAccess,00000000,Failed to resize the buffer for default dacl to %d,?), ref: 6E68BBD1
GetTokenInformation.ADVAPI32(?,00000006,?,?,?), ref: 6E68BC02
GetLastError.KERNEL32 ref: 6E68BC0C
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BC2E
SetEntriesInAclW.ADVAPI32(?,00000000,?,?), ref: 6E68BCE5
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BD0B
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,000006A3,DupTokenAddAccess,00000000,Error initializing SD), ref: 6E68BD3C
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68BD51
LocalFree.KERNEL32(?), ref: 6E68BD70
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 6E68BD95
GetLastError.KERNEL32 ref: 6E68BD9F
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BDBD
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 6E68BDF4
GetLastError.KERNEL32 ref: 6E68BDFE
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BE20
DuplicateTokenEx.ADVAPI32(?,02000000,?,00000002,00000002,?), ref: 6E68BE76
GetLastError.KERNEL32 ref: 6E68BE80
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BEA2
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68BEF9
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000639,DupTokenAddAccess,8007006E,Did not get an error when we expected to ( changed the error to this hr ) ), ref: 6E68BF1E
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68BF33
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68BF49

Strings

Failed to get the default token, xrefs: 6E68BC44
Failed to resize the buffer for default dacl to %d, xrefs: 6E68BBB6
Unable to duplicate the cached anonymous token, xrefs: 6E68BEB8
Failed to get size of default token, xrefs: 6E68BB2E
Did not get an error when we expected to ( changed the error to this hr ) , xrefs: 6E68BEFF
Error initializing SD, xrefs: 6E68BDD3
Failed to set entries in token, xrefs: 6E68BD21
Failed to set DACL in SD, xrefs: 6E68BE36
DupTokenAddAccess, xrefs: 6E68BB34, 6E68BBBC, 6E68BC4A, 6E68BD27, 6E68BDD9, 6E68BE3C, 6E68BEBE, 6E68BF09
inetsrv\iis\iisrearc\core\common\util\secfcns.cxx, xrefs: 6E68BB3E, 6E68BBC6, 6E68BD31, 6E68BF13

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$Error$Last$Print$Token$DescriptorFreeInformationSecurity$DaclDuplicateEntriesInitializeInternal@LocalMemoryResize@
String ID: Did not get an error when we expected to ( changed the error to this hr ) $DupTokenAddAccess$Error initializing SD$Failed to get size of default token$Failed to get the default token$Failed to resize the buffer for default dacl to %d$Failed to set DACL in SD$Failed to set entries in token$Unable to duplicate the cached anonymous token$inetsrv\iis\iisrearc\core\common\util\secfcns.cxx
API String ID: 3301935359-3355207890
Opcode ID: 16b46ebf773964aaf44f86ead3849a523602ece030fb4ee2b8a89ee125937986
Instruction ID: ff3b70668a5d9eb5ce5a9b27631bba049b5b930751e2d25a8563651f8e65ddfe
Opcode Fuzzy Hash: 16b46ebf773964aaf44f86ead3849a523602ece030fb4ee2b8a89ee125937986
Instruction Fuzzy Hash: FDD13975984701BFEB118FAACC48FAF77E4FB46704F000929F9489B3A1D771A8058BA5

Function 6E693A10 Relevance: 68.7, APIs: 27, Strings: 12, Instructions: 433
pipewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnregisterWait.KERNEL32(?), ref: 6E693A44
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000007C7,IPM2_MESSAGE_PIPE::MessagePipeCompletion,IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion called with pv = %p,?), ref: 6E693A94
?ReadLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E693AB4
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E693AC9
?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,8007006D), ref: 6E693AD7
?DecrementAcceptorInUse@IPM2_MESSAGE_PIPE@@AAGXXZ.IISUTIL(?), ref: 6E693AF2
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 6E693B16
GetLastError.KERNEL32 ref: 6E693B20
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E693B8D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000007FF,IPM2_MESSAGE_PIPE::MessagePipeCompletion,Case IPM2_MESSAGE_IMP_CONNECT m_pAcceptor->PipeConnected failed hr=0x%08x,00000000), ref: 6E693BAE
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E693BC3
GetLastError.KERNEL32 ref: 6E693BDA
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000008A3,IPM2_MESSAGE_PIPE::MessagePipeCompletion,******** Chunked reallocating size = %d,?), ref: 6E693C78
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000083D,IPM2_MESSAGE_PIPE::MessagePipeCompletion,********ERROR_MORE_DATA path, dwNumBytesTransferred=%d,?), ref: 6E693D21
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,00000000,?), ref: 6E693D3D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000084A,IPM2_MESSAGE_PIPE::MessagePipeCompletion,********dwRemaining = %d,?), ref: 6E693D78
GetLastError.KERNEL32 ref: 6E693D89
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000862,IPM2_MESSAGE_PIPE::MessagePipeCompletion,********reallocating size = %d,?), ref: 6E693DEE
GetOverlappedResult.KERNEL32(?,?,?,00000001,00000000,?,?), ref: 6E693E52
GetLastError.KERNEL32 ref: 6E693E60
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E693E7F

Part of subcall function 6E693797: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000075B,IsReadDataOk,data type + data size validation failed on: %d %d,00000000,?,6E693E94,?), ref: 6E69385E

?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E693EEC
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000008F7,IPM2_MESSAGE_PIPE::MessagePipeCompletion,IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion issuing read,?), ref: 6E693F52
?ReadMessage@IPM2_MESSAGE_PIPE@@AAGJK@Z.IISUTIL(?,00000002), ref: 6E693F5C
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000902,IPM2_MESSAGE_PIPE::MessagePipeCompletion,IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion ReadMessage failed hr=%x,00000000,?,00000002), ref: 6E693F8D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000911,IPM2_MESSAGE_PIPE::MessagePipeCompletion,IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion disconnecting, hr=%x,00000000), ref: 6E693FDE
?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,00000000), ref: 6E693FE8

Strings

, xrefs: 6E693EBF
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E693A89, 6E693BA3, 6E693C6D, 6E693D16, 6E693D6D, 6E693DE3, 6E693F47, 6E693F82, 6E693FD3
Case IPM2_MESSAGE_IMP_CONNECT m_pAcceptor->PipeConnected failed hr=0x%08x, xrefs: 6E693B94
********ERROR_MORE_DATA path, dwNumBytesTransferred=%d, xrefs: 6E693D07
IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion issuing read, xrefs: 6E693F38
********reallocating size = %d, xrefs: 6E693DD4
IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion disconnecting, hr=%x, xrefs: 6E693FC4
IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion ReadMessage failed hr=%x, xrefs: 6E693F73
******** Chunked reallocating size = %d, xrefs: 6E693C5E
IPM2_MESSAGE_PIPE::MessagePipeCompletion, xrefs: 6E693A7F, 6E693B99, 6E693C63, 6E693D0C, 6E693D63, 6E693DD9, 6E693F3D, 6E693F78, 6E693FC9
********dwRemaining = %d, xrefs: 6E693D5E
IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion called with pv = %p, xrefs: 6E693A7A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$Read$ErrorLastLock3@@ReaderWriter$PipeUnlock@$AttributeConsoleDisconnected@NotifyOverlappedResultText$AcceptorDecrementLock@Message@NamedPeekUnregisterUse@Wait
String ID: $******** Chunked reallocating size = %d$********ERROR_MORE_DATA path, dwNumBytesTransferred=%d$********dwRemaining = %d$********reallocating size = %d$Case IPM2_MESSAGE_IMP_CONNECT m_pAcceptor->PipeConnected failed hr=0x%08x$IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion ReadMessage failed hr=%x$IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion called with pv = %p$IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion disconnecting, hr=%x$IPM2_MESSAGE_PIPE::IPM2_MESSAGE_PIPECompletion issuing read$IPM2_MESSAGE_PIPE::MessagePipeCompletion$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 946714851-1744075510
Opcode ID: 0839241fc393893107829b05b98fbbb048feda39213c8599460b0d76c5b2b5aa
Instruction ID: adf1ef91edbfe06c628314fb5a553e82025a8917abe31b5dde93a0b6a889a3ef
Opcode Fuzzy Hash: 0839241fc393893107829b05b98fbbb048feda39213c8599460b0d76c5b2b5aa
Instruction Fuzzy Hash: C7E1F5316947039FCB11DFA9C888A1EBBE5BF99314F04462AF455AB351DB30E805DBD1

Function 6E691740 Relevance: 63.4, APIs: 26, Strings: 10, Instructions: 418
pipewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnregisterWaitEx.KERNEL32(?,00000000), ref: 6E691771
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000742,IPM_MESSAGE_PIPE::MessagePipeCompletion,IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion called with pv = %p,?), ref: 6E6917B1
?IncrementAcceptorInUse@IPM_MESSAGE_PIPE@@AAGXXZ.IISUTIL(?), ref: 6E6917BE
?ReadLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6917D8
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6917ED
?NotifyPipeDisconnected@IPM_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(8007006D,8007006D), ref: 6E6917FB
?DecrementAcceptorInUse@IPM_MESSAGE_PIPE@@AAGXXZ.IISUTIL(?), ref: 6E691817
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 6E69183B
GetLastError.KERNEL32 ref: 6E691845
GetLastError.KERNEL32 ref: 6E69188D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000814,IPM_MESSAGE_PIPE::MessagePipeCompletion,******** Chunked reallocating size = %d,?), ref: 6E69192B
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E691BBB
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000086A,IPM_MESSAGE_PIPE::MessagePipeCompletion,IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion issuing read,?), ref: 6E691C11
?ReadMessage@IPM_MESSAGE_PIPE@@AAGJK@Z.IISUTIL(00000000,00000000), ref: 6E691C1F
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000875,IPM_MESSAGE_PIPE::MessagePipeCompletion,IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion ReadMessage failed hr=%x,00000000,00000000,00000000), ref: 6E691C50
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000884,IPM_MESSAGE_PIPE::MessagePipeCompletion,IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion disconnecting, hr=%x,00000000), ref: 6E691CA5
?NotifyPipeDisconnected@IPM_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,00000000), ref: 6E691CAF

Strings

IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion called with pv = %p, xrefs: 6E691797
********ERROR_MORE_DATA path, dwNumBytesTransferred=%d, xrefs: 6E6919BD
********reallocating size = %d, xrefs: 6E691A92
IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion ReadMessage failed hr=%x, xrefs: 6E691C36
IPM_MESSAGE_PIPE::MessagePipeCompletion, xrefs: 6E69179C, 6E691916, 6E6919C2, 6E691A1B, 6E691A97, 6E691BFC, 6E691C3B, 6E691C90
******** Chunked reallocating size = %d, xrefs: 6E691911
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E6917A6, 6E691920, 6E6919CC, 6E691A25, 6E691AA1, 6E691C06, 6E691C45, 6E691C9A
********dwRemaining = %d, xrefs: 6E691A16
IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion disconnecting, hr=%x, xrefs: 6E691C8B
IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion issuing read, xrefs: 6E691BF7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$Read$Lock3@@ReaderWriter$AcceptorDisconnected@ErrorLastNotifyPipeUnlock@Use@$DecrementIncrementLock@Message@OverlappedResultUnregisterWait
String ID: ******** Chunked reallocating size = %d$********ERROR_MORE_DATA path, dwNumBytesTransferred=%d$********dwRemaining = %d$********reallocating size = %d$IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion ReadMessage failed hr=%x$IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion called with pv = %p$IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion disconnecting, hr=%x$IPM_MESSAGE_PIPE::IPM_MESSAGE_PIPECompletion issuing read$IPM_MESSAGE_PIPE::MessagePipeCompletion$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 1100216728-4167337853
Opcode ID: 5619b3b05aeb8aa1139f17113b274020f8368247475ebe3935af653930066b29
Instruction ID: ad10544c33854459e207881bd22cdfcf0542e062222c3befad38216db547a3f4
Opcode Fuzzy Hash: 5619b3b05aeb8aa1139f17113b274020f8368247475ebe3935af653930066b29
Instruction Fuzzy Hash: 42E104316546039FCB00CFE9C884A5EB7E9BF8A358F118619F854AB351D730E809ABD6

Function 6E68B180 Relevance: 56.3, APIs: 22, Strings: 10, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.ADVAPI32(?,00000006,00000000,00000000,?), ref: 6E68B1E8
GetLastError.KERNEL32 ref: 6E68B1F6
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B21D
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E68B250
GetLastError.KERNEL32(?), ref: 6E68B259
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B27B
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,0000036F,CSecurityDispenser::AdjustTokenForAdministrators,00000000,Failed to resize the buffer for default dacl to %d,?), ref: 6E68B2B0
GetTokenInformation.ADVAPI32(?,00000006,?,?,?), ref: 6E68B2DE
GetLastError.KERNEL32 ref: 6E68B2E8
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B30A
?GetSID@CSecurityDispenser@@QAEKW4WELL_KNOWN_SID_TYPE@@PAPAX@Z.IISUTIL(0000001A,?), ref: 6E68B34B
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B370
SetEntriesInAclW.ADVAPI32(00000001,?,?), ref: 6E68B3D3
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B3F9
SetTokenInformation.ADVAPI32(?,00000006,?,00000004), ref: 6E68B431
GetLastError.KERNEL32 ref: 6E68B43F
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B461
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B4A2
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000360,CSecurityDispenser::AdjustTokenForAdministrators,8007006E,Did not get an error when we expected to ( changed the error to this hr ) ), ref: 6E68B4C7
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68B4DC
LocalFree.KERNEL32(?), ref: 6E68B4EC
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68B507

Strings

CSecurityDispenser::AdjustTokenForAdministrators, xrefs: 6E68B239, 6E68B29B, 6E68B326, 6E68B38C, 6E68B415, 6E68B47D, 6E68B4B2
Failed to get the default token, xrefs: 6E68B320
Failed to resize the buffer for default dacl to %d, xrefs: 6E68B295
Failed to get size of default token, xrefs: 6E68B233
Did not get an error when we expected to ( changed the error to this hr ) , xrefs: 6E68B4A8
Failed to set entries in token, xrefs: 6E68B40F
, xrefs: 6E68B1BA
inetsrv\iis\iisrearc\core\common\util\secfcns.cxx, xrefs: 6E68B2A5, 6E68B4BC
Getting Admin Sid Failed, xrefs: 6E68B386
Failed to reset token's default actl, xrefs: 6E68B477

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$Error$Last$InformationToken$FreePrint$Dispenser@@EntriesInternal@LocalMemoryResize@Security
String ID: $CSecurityDispenser::AdjustTokenForAdministrators$Did not get an error when we expected to ( changed the error to this hr ) $Failed to get size of default token$Failed to get the default token$Failed to reset token's default actl$Failed to resize the buffer for default dacl to %d$Failed to set entries in token$Getting Admin Sid Failed$inetsrv\iis\iisrearc\core\common\util\secfcns.cxx
API String ID: 4207089084-130352297
Opcode ID: e7ec76550aec3fda4cf21fc28befcf5ab360483588ad8fe4b6ee31db6a02626a
Instruction ID: ee9411fb23b4314e202be9f1567475a939c23de0e02c8822980c02947e539a2d
Opcode Fuzzy Hash: e7ec76550aec3fda4cf21fc28befcf5ab360483588ad8fe4b6ee31db6a02626a
Instruction Fuzzy Hash: C1910475A84741AFEB219F9ACC09B6F7BE4BB07704F00492DFA449B3A5C7709805CBA5

Function 6E6925E0 Relevance: 56.3, APIs: 22, Strings: 10, Instructions: 255
pipefilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(?,40000003,00000006,?,00001000,00001000,00000000,?), ref: 6E6926EF
GetLastError.KERNEL32 ref: 6E6926FA
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E692729
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000338,IPM2_MESSAGE_PIPE::CreateIpmMessagePipe,Pipe %S failed create, hr = 0x%08x Pipestate=%d ,?,00000000,?), ref: 6E69274E
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E692763
?StartNamedPipe@IPM2_MESSAGE_PIPE@@AAEJPAH@Z.IISUTIL(?), ref: 6E69277D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000307,IPM2_MESSAGE_PIPE::CreateIpmMessagePipe,Pipe %S failed connect, hr = %x,?,00000000,?), ref: 6E6927B5
CreateFileW.KERNEL32(?,00120183,00000000,00000000,00000003,40100000,00000000), ref: 6E6927D4
GetLastError.KERNEL32 ref: 6E6927E5
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E692814
SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000), ref: 6E692844
GetLastError.KERNEL32 ref: 6E69284E
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000345,IPM2_MESSAGE_PIPE::CreateIpmMessagePipe,IPM2_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x,00000000), ref: 6E69288B
?ReadMessage@IPM2_MESSAGE_PIPE@@AAGJK@Z.IISUTIL(00000000,00000020), ref: 6E6928BB
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000002AC,IPM2_MESSAGE_PIPE::CreateIpmMessagePipe,IPM2_MESSAGE_PIPE::CreateMessagePipe called name=%S,?), ref: 6E69262C

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6E692648
GetProcAddress.KERNEL32(00000000,CancelIoEx), ref: 6E692658
??0IPM2_MESSAGE_PIPE@@AAE@XZ.IISUTIL ref: 6E692671
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000002D4,IPM2_MESSAGE_PIPE::CreateIpmMessagePipe,Failed allocation of IPM2_MESSAGE_PIPE, hr = %x,8007000E), ref: 6E6926AD
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000359,IPM2_MESSAGE_PIPE::CreateIpmMessagePipe,IPM2_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x,00000000,00000000,00000020), ref: 6E6928EA
CloseHandle.KERNEL32(?,00000000,00000020), ref: 6E692905
CloseHandle.KERNEL32(?,00000000), ref: 6E692918

Strings

Pipe %S failed create, hr = 0x%08x Pipestate=%d , xrefs: 6E692734, 6E69281F
kernel32.dll, xrefs: 6E692643
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E692621, 6E6926A2, 6E692743, 6E6927AA, 6E692880, 6E6928DF
IPM2_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x, xrefs: 6E6928D0
Failed allocation of IPM2_MESSAGE_PIPE, hr = %x, xrefs: 6E692693
IPM2_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x, xrefs: 6E692871
IPM2_MESSAGE_PIPE::CreateMessagePipe called name=%S, xrefs: 6E692612
IPM2_MESSAGE_PIPE::CreateIpmMessagePipe, xrefs: 6E692617, 6E692698, 6E692739, 6E6927A0, 6E692824, 6E692876, 6E6928D5
Pipe %S failed connect, hr = %x, xrefs: 6E69279B
CancelIoEx, xrefs: 6E692652

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$ErrorLast$Handle$AttributeConsoleNamedText$CloseCreatePipe$AddressFileFreeInternal@MemoryMessage@ModulePipe@ProcReadStartState
String ID: CancelIoEx$Failed allocation of IPM2_MESSAGE_PIPE, hr = %x$IPM2_MESSAGE_PIPE::CreateIpmMessagePipe$IPM2_MESSAGE_PIPE::CreateMessagePipe called name=%S$IPM2_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x$IPM2_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x$Pipe %S failed connect, hr = %x$Pipe %S failed create, hr = 0x%08x Pipestate=%d $inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx$kernel32.dll
API String ID: 148341849-1555549979
Opcode ID: 3c7471cf453c3e3ffdbeab0c0a3858a0ff61592e31d9cf5fe29e7ba693adc547
Instruction ID: af70a42adfb0387fe6bb480b1cfa1e5cb51bd51991daa5ec4a5eeed307d8c7b7
Opcode Fuzzy Hash: 3c7471cf453c3e3ffdbeab0c0a3858a0ff61592e31d9cf5fe29e7ba693adc547
Instruction Fuzzy Hash: 64912971980602ABDF224FAADC48F5E3FA5EB87325F000615F9149B3D2D730E915EBA5

Function 6E68AC00 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 192
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndCreateWellKnownSid.IISUTIL(?,?), ref: 6E68AC40

Part of subcall function 6E68A9E0: CreateWellKnownSid.ADVAPI32(?,00000000,00000000,?), ref: 6E68AA11
Part of subcall function 6E68A9E0: SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AA34
Part of subcall function 6E68A9E0: PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000077,AllocateAndCreateWellKnownSid,8007000E,Failed to allocate space for SID), ref: 6E68AA56
Part of subcall function 6E68A9E0: SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68AA6B

SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AC66
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000108,AllocateAndCreateWellKnownAcl,00000000,Creating SID failed ( SidType = %d ),?), ref: 6E68AC9A
GetLengthSid.ADVAPI32(?), ref: 6E68ACAB
GlobalAlloc.KERNEL32(00000000,-00000010), ref: 6E68ACC4
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68ACF1
InitializeAcl.ADVAPI32(00000000,?,00000002), ref: 6E68AD17
GetLastError.KERNEL32 ref: 6E68AD21
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AD43
AddAccessAllowedAce.ADVAPI32(00000000,00000002,?,?), ref: 6E68AD7E
GetLastError.KERNEL32 ref: 6E68AD8C
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68ADAE
AddAccessDeniedAce.ADVAPI32(00000000,00000002,?,?), ref: 6E68ADD9
GetLastError.KERNEL32 ref: 6E68ADE3
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AE05
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AE55
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,0000012A,AllocateAndCreateWellKnownAcl,80070216,Arithematic overflow detected.), ref: 6E68AE7A
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68AE8F
FreeWellKnownSid.IISUTIL(?), ref: 6E68AE9A
FreeWellKnownSid.IISUTIL(?), ref: 6E68AEA9

Strings

Failure adding the access allowed ace to the acl, xrefs: 6E68ADC4
Failure allocating space for the acl, xrefs: 6E68ACF7
AllocateAndCreateWellKnownAcl, xrefs: 6E68AC85, 6E68AD01, 6E68AD5F, 6E68ADCA, 6E68AE21, 6E68AE65
Arithematic overflow detected., xrefs: 6E68AE5B
Failure initializing the acl, xrefs: 6E68AD59
inetsrv\iis\iisrearc\core\common\util\secfcns.cxx, xrefs: 6E68AC8F, 6E68AE6F
Creating SID failed ( SidType = %d ), xrefs: 6E68AC7F
Failure adding the access denied ace to the acl, xrefs: 6E68AE1B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$Error$KnownWell$LastPrint$AccessCreateFree$AllocAllocateAllowedDeniedGlobalInitializeLength
String ID: AllocateAndCreateWellKnownAcl$Arithematic overflow detected.$Creating SID failed ( SidType = %d )$Failure adding the access allowed ace to the acl$Failure adding the access denied ace to the acl$Failure allocating space for the acl$Failure initializing the acl$inetsrv\iis\iisrearc\core\common\util\secfcns.cxx
API String ID: 3439426854-1319502507
Opcode ID: 69cb38722d4a0278d0c60357a964f3dce7dfac51e2ff5c4079104c41419fc155
Instruction ID: 628884378102f8fcdfa52e84b8c79caad6f886a386edfcd102ef42df67f383e1
Opcode Fuzzy Hash: 69cb38722d4a0278d0c60357a964f3dce7dfac51e2ff5c4079104c41419fc155
Instruction Fuzzy Hash: 6461E3319C4602AFEFA15F9ACC0CB5F37A5AB02701F004A25FA14AB3D1C774A845DB75

Function 6E68C823 Relevance: 47.4, APIs: 18, Strings: 9, Instructions: 191
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,80000000), ref: 6E68C852
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68C85F
OpenServiceW.ADVAPI32(00000000,IISADMIN,80000000), ref: 6E68C8A1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68C8AD
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 6E68C8F0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68C8FA
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000319,GetProcessHandleForInetinfo,Failed querying the iisadmin service for it's process info, hr = %08x, BytesNeeded = %d,00000000,?), ref: 6E68C93A
OpenProcess.KERNEL32(00100000,00000000,?), ref: 6E68C954
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 6E68C970
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000364,GetProcessHandleForInetinfo,Process id for the process we got and the current inetinfo process don't match, trying again ), ref: 6E68C9B3
CloseHandle.KERNEL32(00000000), ref: 6E68C9BC
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,0000035A,GetProcessHandleForInetinfo,Process id for the process we got and the current inetinfo process don't match, failing the hookup ), ref: 6E68C9EA
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68C9FC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68CA07
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68CA15
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68CA2E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68CA64
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000335,GetProcessHandleForInetinfo,Could not open the inetinfo process, hr = %08x,00000000), ref: 6E68CA9D

Strings

Could not open the scm manager, hr = %08x, xrefs: 6E68C882
Could not open the iisadmin service,hr = %08x, xrefs: 6E68C8D0
IISADMIN, xrefs: 6E68C89B
Process id for the process we got and the current inetinfo process don't match, failing the hookup , xrefs: 6E68C9D0
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68C92F, 6E68C9A8, 6E68C9DF, 6E68CA92
GetProcessHandleForInetinfo, xrefs: 6E68C887, 6E68C8D5, 6E68C925, 6E68C99E, 6E68C9D5, 6E68CA55, 6E68CA88
Failed querying the iisadmin service for it's process info, hr = %08x, BytesNeeded = %d, xrefs: 6E68C920, 6E68CA50
Process id for the process we got and the current inetinfo process don't match, trying again , xrefs: 6E68C999
Could not open the inetinfo process, hr = %08x, xrefs: 6E68CA83

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastService$CloseHandlePrint$Open$QueryStatus$ManagerProcess
String ID: Could not open the iisadmin service,hr = %08x$Could not open the inetinfo process, hr = %08x$Could not open the scm manager, hr = %08x$Failed querying the iisadmin service for it's process info, hr = %08x, BytesNeeded = %d$GetProcessHandleForInetinfo$IISADMIN$Process id for the process we got and the current inetinfo process don't match, failing the hookup $Process id for the process we got and the current inetinfo process don't match, trying again $inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 131433210-3257642626
Opcode ID: 96cf6ea2af2296c19b23f6c0740d95744354775820374ebbd646953250aa2fe1
Instruction ID: 7e3fc76d40e6497439c29293bdb587f6b1a8be2730f6020ef83ab990b697ee64
Opcode Fuzzy Hash: 96cf6ea2af2296c19b23f6c0740d95744354775820374ebbd646953250aa2fe1
Instruction Fuzzy Hash: DA51F776D40B69ABDF218EDA9C0CB5F7BB89B06314F014252FC15BB341D7719801CAB1

Function 6E692960 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 176sleeppipeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6E692A41
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000003C0,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d,?,00000000), ref: 6E692A73
CloseHandle.KERNEL32(?), ref: 6E692A7E
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000398,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM2_MESSAGE_PIPE::DestroyMessagePipe called this=%p,?), ref: 6E6929B2

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6929BD
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6929D4
DisconnectNamedPipe.KERNEL32(?), ref: 6E6929DF
GetLastError.KERNEL32 ref: 6E6929ED
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000003AD,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling DisconnectNamedPipe on handle %p, GetLastError: %d,?,00000000), ref: 6E692A1C
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E692A8E
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000003D0,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe waiting for messages to drain, %d,000000FF), ref: 6E692AC7
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E692AD2
Sleep.KERNEL32(00000064), ref: 6E692ADE
GetLastError.KERNEL32 ref: 6E692B06
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000003E8,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d,?,00000000), ref: 6E692B38
Sleep.KERNEL32(000003E8), ref: 6E692B45
CloseHandle.KERNEL32(?), ref: 6E692B5A
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E692B66
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E692B78
CloseHandle.KERNEL32(?), ref: 6E692B83
?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,8007006D), ref: 6E692B8F

Strings

IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe waiting for messages to drain, %d, xrefs: 6E692AAD
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E6929A7, 6E692A11, 6E692A68, 6E692ABC, 6E692B2D
IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling DisconnectNamedPipe on handle %p, GetLastError: %d, xrefs: 6E692A02
IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d, xrefs: 6E692A59, 6E692B1E
IPM2_MESSAGE_PIPE::DestroyMessagePipe called this=%p, xrefs: 6E692998
IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe, xrefs: 6E69299D, 6E692A07, 6E692A5E, 6E692AB2, 6E692B23

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriteWriter$ErrorLastPrint$CloseHandleLock@Unlock@$PipeSleep$DisconnectDisconnected@FreeInternal@MemoryNamedNotify
String ID: IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe$IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d$IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe error calling DisconnectNamedPipe on handle %p, GetLastError: %d$IPM2_MESSAGE_PIPE::DestroyIpmMessagePipe waiting for messages to drain, %d$IPM2_MESSAGE_PIPE::DestroyMessagePipe called this=%p$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 4206194910-1441660730
Opcode ID: 7b630b6f2c49deb36a60626725559a1c8b9b475e2320053b02e96b8e20448094
Instruction ID: 52955f6764810c01232a3b264292ccba8cf200b601ace931a480d5ff1cb21e72
Opcode Fuzzy Hash: 7b630b6f2c49deb36a60626725559a1c8b9b475e2320053b02e96b8e20448094
Instruction Fuzzy Hash: 7D515C31940A43AFDB219FDAEC88F5E7B68AF03318F000615F8215B2D1D7307855D7A5

Function 6E690BD0 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 155pipesleepCOMMON

Download Yara Rule

APIs

CancelIoEx.KERNEL32(?,00000000), ref: 6E690C77
GetLastError.KERNEL32 ref: 6E690C81
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000417,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM_MESSAGE_PIPE::DestroyMessagePipe called this=%p,?), ref: 6E690C21

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690C2E
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690C3C
DisconnectNamedPipe.KERNEL32(?), ref: 6E690C48
GetLastError.KERNEL32 ref: 6E690C52
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000043B,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d,?,00000000), ref: 6E690CB3
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690CBD
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000445,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe waiting for messages to drain, %d,?), ref: 6E690CFA
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690D04
CancelIoEx.KERNEL32(?,00000000), ref: 6E690D1E
GetLastError.KERNEL32 ref: 6E690D28
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000045C,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe,IPM_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d,?,00000000), ref: 6E690D5A
Sleep.KERNEL32(000003E8), ref: 6E690D67
CloseHandle.KERNEL32(?), ref: 6E690D7C
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690D87
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690D9C
CloseHandle.KERNEL32(?), ref: 6E690DA7
?NotifyPipeDisconnected@IPM_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,8007006D), ref: 6E690DB3

Strings

IPM_MESSAGE_PIPE::DestroyIpmMessagePipe waiting for messages to drain, %d, xrefs: 6E690CE0
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690C16, 6E690CA8, 6E690CEF, 6E690D4F
IPM_MESSAGE_PIPE::DestroyIpmMessagePipe, xrefs: 6E690C0C, 6E690C68, 6E690C9E, 6E690CE5, 6E690D45
IPM_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d, xrefs: 6E690C99, 6E690D40
IPM_MESSAGE_PIPE::DestroyMessagePipe called this=%p, xrefs: 6E690C07
IPM_MESSAGE_PIPE::DestroyIpmMessagePipe error calling DisconnectNamedPipe on handle %p, GetLastError: %d, xrefs: 6E690C63

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriteWriter$ErrorLast$Print$Lock@Unlock@$CancelCloseHandlePipe$DisconnectDisconnected@FreeInternal@MemoryNamedNotifySleep
String ID: IPM_MESSAGE_PIPE::DestroyIpmMessagePipe$IPM_MESSAGE_PIPE::DestroyIpmMessagePipe error calling CancelIOEx on handle %p, GetLastError: %d$IPM_MESSAGE_PIPE::DestroyIpmMessagePipe error calling DisconnectNamedPipe on handle %p, GetLastError: %d$IPM_MESSAGE_PIPE::DestroyIpmMessagePipe waiting for messages to drain, %d$IPM_MESSAGE_PIPE::DestroyMessagePipe called this=%p$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 582471946-1513557762
Opcode ID: 17dbf1c5705cb6581c9cede6e1bc3d557990411dcd6456ff5623e54beffc91f6
Instruction ID: 176f81f9c26e9ab69b813d7f573c4dee86293d99c20a3b01f5185a03e06a3f3d
Opcode Fuzzy Hash: 17dbf1c5705cb6581c9cede6e1bc3d557990411dcd6456ff5623e54beffc91f6
Instruction Fuzzy Hash: 39514C30650642ABDF905FE9CC48F6F7B69AB43328F004619F861673D2E7307855E6EA

Function 6E6941D0 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 188pipewindowCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,00000097,MULTI_IPM::InstantiatePipe,Instatiating new pipe. _dwNumPipeInstances: %d, _dwMaxPipeInstances: %d,?,?,?,00000000,?), ref: 6E694229
?DestroyIpmMessagePipe@IPM2_MESSAGE_PIPE@@QAGXXZ.IISUTIL(00000000,00000000,?,00000001,00000000,?,?,?), ref: 6E694409
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,000000F3,MULTI_IPM::InstantiatePipe,Instatiating new pipe result hr=0x%08X,00000000,00000000,?,00000001,00000000,?,?,?), ref: 6E694437

Strings

inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx, xrefs: 6E69421E, 6E69431C, 6E6943D0, 6E69442C
IPM2_MESSAGE_PIPE::InstantiatePipe SetIpmPipe FAILED hr=0x%08x , xrefs: 6E69430D
Instatiating new pipe result hr=0x%08X, xrefs: 6E69441D
IPM2_MESSAGE_PIPE::InstantiatePipe PipeConnected FAILED hr=0x%08x , xrefs: 6E6943C1
MULTI_IPM::InstantiatePipe, xrefs: 6E694214, 6E6942D9, 6E694312, 6E6943C6, 6E694422
IPM2_MESSAGE_PIPE::InstantiatePipe CreateIpmMessagePipe FAILED hr=0x%08x , xrefs: 6E6942D4
Instatiating new pipe. _dwNumPipeInstances: %d, _dwMaxPipeInstances: %d, xrefs: 6E69420F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$DestroyMessagePipe@
String ID: IPM2_MESSAGE_PIPE::InstantiatePipe CreateIpmMessagePipe FAILED hr=0x%08x $IPM2_MESSAGE_PIPE::InstantiatePipe PipeConnected FAILED hr=0x%08x $IPM2_MESSAGE_PIPE::InstantiatePipe SetIpmPipe FAILED hr=0x%08x $Instatiating new pipe result hr=0x%08X$Instatiating new pipe. _dwNumPipeInstances: %d, _dwMaxPipeInstances: %d$MULTI_IPM::InstantiatePipe$inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx
API String ID: 3359274405-401772816
Opcode ID: 5953f2b8cc54e86bbfa33a1c9f64d631ab60aef7b8892035df524923210d5cd0
Instruction ID: 87974e21b027857e2d1f22b3c043964e9fd067154ccfb3aa1168ca84f01d60a8
Opcode Fuzzy Hash: 5953f2b8cc54e86bbfa33a1c9f64d631ab60aef7b8892035df524923210d5cd0
Instruction Fuzzy Hash: 67611330540203AFEF118FA9C888B6DBBA5FB06705F04456AF9145B3A2D7B0A852EBD4

Function 6E68C543 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 178COMMON

Download Yara Rule

APIs

?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68C7C8

Part of subcall function 6E68C3BE: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\INetStp,00000000,00020019,?), ref: 6E68C3DD
Part of subcall function 6E68C3BE: RegQueryValueExW.ADVAPI32(?,EnableRestart,00000000,?,?,?), ref: 6E68C403
Part of subcall function 6E68C3BE: RegCloseKey.ADVAPI32(?), ref: 6E68C420

QueryServiceConfig2W.ADVAPI32(?,00000002,?,00000100,?), ref: 6E68C5F3
GetLastError.KERNEL32 ref: 6E68C601
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E68C61C
GetLastError.KERNEL32(?), ref: 6E68C625
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,0000024E,DetermineIISResetState,( 2 ) Failed to query the IISAdmin service config, hr = %08x bytes needed = %d,00000000,?), ref: 6E68C668
QueryServiceConfig2W.ADVAPI32(?,00000002,?,00000100,?,?), ref: 6E68C691
GetLastError.KERNEL32 ref: 6E68C69B
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000276,DetermineIISResetState,IISAdmin pFailureActions = %S ,?), ref: 6E68C763
_wcslwr.MSVCRT ref: 6E68C76E
wcsstr.MSVCRT ref: 6E68C77E
wcsstr.MSVCRT ref: 6E68C792

Strings

DetermineIISResetState, xrefs: 6E68C653, 6E68C6C9, 6E68C6FF, 6E68C74E
Failed to resize the buffer to the appropriate size, hr = %08x attempted size = %d, xrefs: 6E68C64E
/start, xrefs: 6E68C78A
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68C65D, 6E68C758
( 1 ) Failed to query the IISAdmin service config, hr = %08x bytes needed = %d, xrefs: 6E68C6C4
IISAdmin pFailureActions = %S , xrefs: 6E68C749
iisreset, xrefs: 6E68C774
( 2 ) Failed to query the IISAdmin service config, hr = %08x bytes needed = %d, xrefs: 6E68C6FA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastQuery$Config2PrintServicewcsstr$CloseFreeInternal@MemoryOpenResize@Value_wcslwr
String ID: ( 1 ) Failed to query the IISAdmin service config, hr = %08x bytes needed = %d$( 2 ) Failed to query the IISAdmin service config, hr = %08x bytes needed = %d$/start$DetermineIISResetState$Failed to resize the buffer to the appropriate size, hr = %08x attempted size = %d$IISAdmin pFailureActions = %S $iisreset$inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 349368357-3380552656
Opcode ID: eabcc259068bd6a8fba1b8de97c2642f116405ae2824a9ad46c8761e28bbc3b9
Instruction ID: c1ba8c57d7aa35fb788c4c8a67a30e678db5c0adef3e9cbab2828764028aef27
Opcode Fuzzy Hash: eabcc259068bd6a8fba1b8de97c2642f116405ae2824a9ad46c8761e28bbc3b9
Instruction Fuzzy Hash: CC51EA31940219AFDF214FE6CC84BDABBB4FB57354F0042A5E5866A251D77099C1CFA2

Function 6E68A9E0 Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

CreateWellKnownSid.ADVAPI32(?,00000000,00000000,?), ref: 6E68AA11
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AA34
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000077,AllocateAndCreateWellKnownSid,8007000E,Failed to allocate space for SID), ref: 6E68AA56
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68AA6B
GetLastError.KERNEL32 ref: 6E68AA7A
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AAA1
GlobalAlloc.KERNEL32(00000000,?), ref: 6E68AAD3
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AAF9
CreateWellKnownSid.ADVAPI32(?,00000000,00000000,?), ref: 6E68AB20
GetLastError.KERNEL32 ref: 6E68AB2E
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68AB4C
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,00000087,AllocateAndCreateWellKnownSid,00000000,Creating SID failed ( SidType = %d ),?), ref: 6E68AB80
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68AB95
GlobalFree.KERNEL32(00000000), ref: 6E68ABAC

Strings

Creating a sid worked with no memory allocated for it. ( This is not good ), xrefs: 6E68AA3A
AllocateAndCreateWellKnownSid, xrefs: 6E68AA44, 6E68AAC0, 6E68AB09, 6E68AB6B
Getting the SID length failed, can't create the sid (Type = %d), xrefs: 6E68AABA
Failed to allocate space for SID, xrefs: 6E68AAFF
inetsrv\iis\iisrearc\core\common\util\secfcns.cxx, xrefs: 6E68AA4B, 6E68AB75
Creating SID failed ( SidType = %d ), xrefs: 6E68AB65

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$Error$CreateGlobalKnownLastPrintWell$AllocFree
String ID: AllocateAndCreateWellKnownSid$Creating SID failed ( SidType = %d )$Creating a sid worked with no memory allocated for it. ( This is not good )$Failed to allocate space for SID$Getting the SID length failed, can't create the sid (Type = %d)$inetsrv\iis\iisrearc\core\common\util\secfcns.cxx
API String ID: 3610720312-4015455122
Opcode ID: 2dd33dcc5fbf545cae05ccdc1327bc5cf6361fc1a952778ef67e91db0bd07d10
Instruction ID: c08c598589f0f13a853e8ffe4bf3bdeac834c098ddc6d28933bcc4bef7d149a0
Opcode Fuzzy Hash: 2dd33dcc5fbf545cae05ccdc1327bc5cf6361fc1a952778ef67e91db0bd07d10
Instruction Fuzzy Hash: 7B41E4315C4541BFEF625E9ACC0CF6B7BA5AB12751F004126FD08AB3E1C770A8518BA4

Function 6E689540 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?), ref: 6E68955C
GetCurrentThread.KERNEL32 ref: 6E68956F
OpenThreadToken.ADVAPI32(00000000,?,?,?), ref: 6E689576
GetLastError.KERNEL32(?,?,?), ref: 6E689580
GetLastError.KERNEL32(?,?,?), ref: 6E68959A
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,000001E5,EVENT_LOG::LogEventPrivate,Could not retrieve thread impersonation token ( Error %lu),00000000,?,?,?), ref: 6E6895BB

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

RevertToSelf.ADVAPI32(?,?,?), ref: 6E6895C8
?LazyInit@EVENT_LOG@@CGPAXK@Z.IISUTIL(?,?,?,?), ref: 6E6895D4
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,000001F5,EVENT_LOG::LogEventPrivate,Attempt to log with no event source,?,?,?,?), ref: 6E68960E
ReportEventW.ADVAPI32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 6E689636
GetLastError.KERNEL32(?,?,?), ref: 6E689658
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,00000211,EVENT_LOG::LogEventPrivate,Cannot report event for %p, error %lu,?,00000000,?,?,?), ref: 6E68967D
SetThreadToken.ADVAPI32(00000000,00000000), ref: 6E689692
CloseHandle.KERNEL32(00000000), ref: 6E68969C
SetLastError.KERNEL32(?), ref: 6E6896AF

Strings

Could not retrieve thread impersonation token ( Error %lu), xrefs: 6E6895A1
EVENT_LOG::LogEventPrivate, xrefs: 6E6895A6, 6E6895F9, 6E689668
inetsrv\iis\iisrearc\core\common\util\eventlog.cxx, xrefs: 6E6895B0, 6E689603, 6E689672
Cannot report event for %p, error %lu, xrefs: 6E689663
Attempt to log with no event source, xrefs: 6E6895F4

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$PrintThread$Token$CloseCurrentEventFreeHandleInit@Internal@LazyMemoryOpenReportRevertSelf
String ID: Attempt to log with no event source$Cannot report event for %p, error %lu$Could not retrieve thread impersonation token ( Error %lu)$EVENT_LOG::LogEventPrivate$inetsrv\iis\iisrearc\core\common\util\eventlog.cxx
API String ID: 301185258-667825942
Opcode ID: 8275504e0b9c6b2971ece6d5a9e8271a85bb24a646e7fda2fb5a86825a6cfec2
Instruction ID: 84a0a20d8fc715c12f611bf95f99685c9feb043053f15f26610319db0814d6be
Opcode Fuzzy Hash: 8275504e0b9c6b2971ece6d5a9e8271a85bb24a646e7fda2fb5a86825a6cfec2
Instruction Fuzzy Hash: 4231F332880601BFEF225EE5CC0CB9F7B65EB4371DF004015FA58AA291D7319994CBB2

Function 6E693270 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 282pipeCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000060A,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d,?,?,?), ref: 6E693327
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000613,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x,00000000,?), ref: 6E69336D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000062B,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage failed allocation of WriteBuffer, hr = %x, size=%d,8007000E,?), ref: 6E6933EF
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?,?,?,?,?,?,?,?,?,6E69322C,?,00000000,00000000,00000000), ref: 6E693465

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?ReadLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?,?,?,?,?,?,?,?,?,6E69322C,?,00000000,00000000,00000000), ref: 6E693477

Part of subcall function 6E67B190: ?_LockSpin@CReaderWriterLock3@@AAEXW4SPIN_TYPE@1@@Z.IISUTIL(00000002), ref: 6E67B1C7

?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?,?,?,?,?,?,?,?,?,6E69322C,?,00000000,00000000,00000000), ref: 6E69348B
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(-00000010,?,?,?,?,?,?,?,?,?,?,?,?,6E69322C,?,00000000), ref: 6E69352B
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(-00000010,?,?,?,?,?,?,?,?,?,?,?,?,6E69322C,?,00000000), ref: 6E693534
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000689,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage failed Ipm2WriteFile, hr = %x,00000000,-00000010,?), ref: 6E693561
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000005F6,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage failed, hr = %x,80070216), ref: 6E6935C5
?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,80070216), ref: 6E6935D2

Strings

IPM2_MESSAGE_PIPE::WriteMessage failed allocation of WriteBuffer, hr = %x, size=%d, xrefs: 6E6933D5
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E69331C, 6E693362, 6E6933E4, 6E693556, 6E6935BA
IPM2_MESSAGE_PIPE::WriteMessage failed Ipm2WriteFile, hr = %x, xrefs: 6E693547
IPM2_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x, xrefs: 6E693353
IPM2_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d, xrefs: 6E69330D
IPM2_MESSAGE_PIPE::WriteMessage, xrefs: 6E693312, 6E693358, 6E6933DA, 6E69354C, 6E6935B0
IPM2_MESSAGE_PIPE::WriteMessage failed, hr = %x, xrefs: 6E6935AB

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriter$Print$ReadUnlock@$Lock@Write$CurrentDisconnected@E@1@@LockNotifyPipeSpin@Thread
String ID: IPM2_MESSAGE_PIPE::WriteMessage$IPM2_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d$IPM2_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x$IPM2_MESSAGE_PIPE::WriteMessage failed Ipm2WriteFile, hr = %x$IPM2_MESSAGE_PIPE::WriteMessage failed allocation of WriteBuffer, hr = %x, size=%d$IPM2_MESSAGE_PIPE::WriteMessage failed, hr = %x$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 3080751804-1616068644
Opcode ID: dc1fe7309a836260b0f2e835846846e49a31d6a87e510f369d3932bbbf265b1d
Instruction ID: 4ffd3bb22b8451e8001c1ec01efb1e7a82ebfe9f82d15167e726515f6a5cf16f
Opcode Fuzzy Hash: dc1fe7309a836260b0f2e835846846e49a31d6a87e510f369d3932bbbf265b1d
Instruction Fuzzy Hash: C2A1C075A543429FCB00CFA9C888A5F7BE5EF89318F04491DF8589B396DB30E905CB96

Function 6E691FFB Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 199pipefileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000000C7,Ipm2ReadFileChunked,Ipm2ReadFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,?,00000000,?,?,00000000), ref: 6E69204D

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6E6920BA
GetLastError.KERNEL32 ref: 6E6920C8
GetOverlappedResult.KERNEL32(?,00000001,00000000,00000001), ref: 6E6920DF
GetLastError.KERNEL32 ref: 6E6920ED
GetLastError.KERNEL32 ref: 6E6920F7
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,00000000,?), ref: 6E69212D
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,00000000,?), ref: 6E692161

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E692042, 6E6921CC, 6E692248
Error ReadFile, hFile=%d, dwBufferPos=%d, dwBytesToRead=%d, hr=%x, xrefs: 6E692239
Ipm2ReadFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E692033
Ipm2ReadFileChunked, xrefs: 6E692038, 6E6921C2, 6E69223E
Error GetOverlappedResult, hFile=%d, dwBytesToRead=%d, hr=%x, xrefs: 6E6921BD

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$NamedPeekPipe$FileFreeInternal@MemoryOverlappedPrintReadResult
String ID: Error GetOverlappedResult, hFile=%d, dwBytesToRead=%d, hr=%x$Error ReadFile, hFile=%d, dwBufferPos=%d, dwBytesToRead=%d, hr=%x$Ipm2ReadFileChunked$Ipm2ReadFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 2984855063-1593789147
Opcode ID: 26a38ab816f5e3edede6f5efa88e7444998bd7376cd01ac53b51fb0f625796e9
Instruction ID: f47f9a36b2e22d727f4b8702087d1fc890af0bbfd5ab7f2dab581a37afc54c7c
Opcode Fuzzy Hash: 26a38ab816f5e3edede6f5efa88e7444998bd7376cd01ac53b51fb0f625796e9
Instruction Fuzzy Hash: 3251F672D50106AFDF10CEE6EC48EAF7B78BB46354F10811AF915EB244D731EA51ABA0

Function 6E68E130 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 6E68E18E
RegQueryValueExW.ADVAPI32(80000002,?,00000000,?,00000000,?), ref: 6E68E1C2
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68E1F5
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx,00000212,ReadMultiStringParameterValueFromAnyService,00000000,Inetinfo: Failed reading registry value ), ref: 6E68E216
SetConsoleTextAttribute.KERNEL32(?,00000007,00000000), ref: 6E68E22B
RegCloseKey.ADVAPI32(00000000,?), ref: 6E68E307
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL(?), ref: 6E68E31D

Strings

inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx, xrefs: 6E68E20B
Inetinfo: Failed reading registry value , xrefs: 6E68E1FB, 6E68E2CF
, xrefs: 6E68E17F
Key was not of string type , xrefs: 6E68E262
ReadMultiStringParameterValueFromAnyService, xrefs: 6E68E201, 6E68E268, 6E68E2D5

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$CloseErrorFreeInternal@MemoryOpenPrintQueryValue
String ID: $Inetinfo: Failed reading registry value $Key was not of string type $ReadMultiStringParameterValueFromAnyService$inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx
API String ID: 3846944524-749063332
Opcode ID: f1949d01150be1bd4a2f1c194c4afae2217984397dfc2b1fe216c4cbc1be1891
Instruction ID: b6c85fdeaf5f2e5c5ab4d01d5dc35f6fcf9541c91b056f399878c298f64d43d3
Opcode Fuzzy Hash: f1949d01150be1bd4a2f1c194c4afae2217984397dfc2b1fe216c4cbc1be1891
Instruction Fuzzy Hash: EF51C331544351AFEB21CFDACC18F6BBBE4FF86314F004929B994972A1D3749815CBA5

Function 6E692D90 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 145pipewindowCOMMON

Download Yara Rule

APIs

SetConsoleTextAttribute.KERNEL32(?,00000004,00000000,?,00000001,?), ref: 6E692DE7
ConnectNamedPipe.KERNEL32(000000FF,-00000020,00000000,?,00000001,?), ref: 6E692E11
GetLastError.KERNEL32 ref: 6E692E1F
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E692E62
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000004C9,IPM2_MESSAGE_PIPE::StartNamedPipe,IPM2_MESSAGE_PIPE::StartNamedPipe failed ConnectNamedPipe, hr = 0x%08x,00000000), ref: 6E692E83
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E692E98
?ReadMessage@IPM2_MESSAGE_PIPE@@AAGJK@Z.IISUTIL(?,00000020), ref: 6E692EAE
SetConsoleTextAttribute.KERNEL32(?,00000004,00000020), ref: 6E692ECF
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000004E0,IPM2_MESSAGE_PIPE::StartNamedPipe,IPM2_MESSAGE_PIPE::StartNamedPipe failed ReadMessage hr=0x%08x,00000000), ref: 6E692EF0
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E692F05
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000004E9,IPM2_MESSAGE_PIPE::StartNamedPipe,IPM2_MESSAGE_PIPE::StartNamedPipe pipe connected.,00000020), ref: 6E692F38

Strings

IPM2_MESSAGE_PIPE::StartNamedPipe failed ConnectNamedPipe, hr = 0x%08x, xrefs: 6E692E69
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E692E78, 6E692EE5, 6E692F2D
IPM2_MESSAGE_PIPE::StartNamedPipe, xrefs: 6E692DF3, 6E692E6E, 6E692EDB, 6E692F23
IPM2_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = 0x%08x, xrefs: 6E692DEE
IPM2_MESSAGE_PIPE::StartNamedPipe pipe connected., xrefs: 6E692F1E
IPM2_MESSAGE_PIPE::StartNamedPipe failed ReadMessage hr=0x%08x, xrefs: 6E692ED6

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$Print$ConnectErrorLastMessage@NamedPipeRead
String ID: IPM2_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = 0x%08x$IPM2_MESSAGE_PIPE::StartNamedPipe$IPM2_MESSAGE_PIPE::StartNamedPipe failed ConnectNamedPipe, hr = 0x%08x$IPM2_MESSAGE_PIPE::StartNamedPipe failed ReadMessage hr=0x%08x$IPM2_MESSAGE_PIPE::StartNamedPipe pipe connected.$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 2021720771-547569221
Opcode ID: 335a8835f03af017d19e022e4fd00a2f3b98ddf2dbb8dbc40a5bace09d4ccf7f
Instruction ID: 8948bd0a94e5b2052571736639254626ddd24a4146bbd947dd7d54dc06047362
Opcode Fuzzy Hash: 335a8835f03af017d19e022e4fd00a2f3b98ddf2dbb8dbc40a5bace09d4ccf7f
Instruction Fuzzy Hash: DD5127315C0642AFEF128FA9DC48F6D3BA5EB47301F044525FA099B3E2D730A816DBA4

Function 6E686B5E Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 124COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(TRACE_LEVEL,?,00000020), ref: 6E686B9B
_wcsicmp.MSVCRT ref: 6E686BBC
_wcsicmp.MSVCRT ref: 6E686BD6
_wcsicmp.MSVCRT ref: 6E686BF0
_wcsicmp.MSVCRT ref: 6E686C0A
_wcsicmp.MSVCRT ref: 6E686C24
_wcsicmp.MSVCRT ref: 6E686C3E
_wcsicmp.MSVCRT ref: 6E686C54
_wcsicmp.MSVCRT ref: 6E686C6A
_wcsicmp.MSVCRT ref: 6E686C80
_wcsicmp.MSVCRT ref: 6E686C96

Strings

TRACE_LEVEL, xrefs: 6E686B96
info, xrefs: 6E686BB6
warn, xrefs: 6E686BEA
none, xrefs: 6E686C4E
debug, xrefs: 6E686C7A
error, xrefs: 6E686C1E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: _wcsicmp$EnvironmentVariable
String ID: TRACE_LEVEL$debug$error$info$none$warn
API String ID: 198002717-2033551335
Opcode ID: 30b76d50c620be9dee02bdbec31c4c3dccc7cca8273ee6775799ee5867f30198
Instruction ID: 5cc1ff48ab49801047ef777343d84eb6473d80ae62feb593fc8488ccf25033ce
Opcode Fuzzy Hash: 30b76d50c620be9dee02bdbec31c4c3dccc7cca8273ee6775799ee5867f30198
Instruction Fuzzy Hash: 663183B6528703AAEB549FE6DC19A9F7BECEB46260F10481BF055C2290EF30E4448725

Function 6E685AA0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 112COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E6A915C), ref: 6E685AB4
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,00000113,InitializeIISUtil,InitializeIISUtil, %d %s,?,initializing), ref: 6E685AFE
SchedulerInitialize.IISUTIL ref: 6E685B1B
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,0000011C,InitializeIISUtil,Initializing Scheduler Failed), ref: 6E685B3F
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,00000121,InitializeIISUtil,Scheduler Initialized), ref: 6E685B6E
?SetLookasideCleanupInterval@ALLOC_CACHE_HANDLER@@SGHXZ.IISUTIL ref: 6E685B76
SetLastError.KERNEL32(00000000), ref: 6E685B92
InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A9290,000003E8), ref: 6E685BA4
GetLastError.KERNEL32 ref: 6E685BAE
SetLastError.KERNEL32(00000000), ref: 6E685BD0
LeaveCriticalSection.KERNEL32(6E6A915C), ref: 6E685BEC

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E685AC6, 6E685AF7, 6E685B38, 6E685B67
InitializeIISUtil, %d %s, xrefs: 6E685AEC
initializing, xrefs: 6E685ADC, 6E685AEA
Scheduler Initialized, xrefs: 6E685B5C
Initializing Scheduler Failed, xrefs: 6E685B2D
InitializeIISUtil, xrefs: 6E685ABF, 6E685AF1, 6E685B32, 6E685B61

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalErrorLastPrintSection$Initialize$CleanupCountEnterInterval@LeaveLookasideSchedulerSpin
String ID: InitializeIISUtil$InitializeIISUtil, %d %s$Initializing Scheduler Failed$Scheduler Initialized$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx$initializing
API String ID: 352279520-2167416157
Opcode ID: 866fc632af26e66754aa227ff456c3d64ed68eef364c2b91b35f2ff5909caa35
Instruction ID: 8843ef261ae1fcf11290deb4a6725d492581110d918fbf50699694b9238e7836
Opcode Fuzzy Hash: 866fc632af26e66754aa227ff456c3d64ed68eef364c2b91b35f2ff5909caa35
Instruction Fuzzy Hash: 1731E571A906426BDF206AFA9D5CE9F7B9CDB1375CB010525FC02EB391EB11DC4182B5

Function 6E68A7E0 Relevance: 28.7, APIs: 19, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000), ref: 6E68A803
OpenProcessToken.ADVAPI32(00000000), ref: 6E68A80A
GetLastError.KERNEL32 ref: 6E68A814
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 6E68A82E
GetLastError.KERNEL32 ref: 6E68A838
GetTokenInformation.ADVAPI32(00000000,00000005(TokenIntegrityLevel),00000000,00000000,?), ref: 6E68A856
GetLastError.KERNEL32 ref: 6E68A860
LocalAlloc.KERNEL32(00000040,?), ref: 6E68A886
CloseHandle.KERNEL32(00000000), ref: 6E68A973
LocalFree.KERNEL32(00000000), ref: 6E68A982
LocalFree.KERNEL32(00000000), ref: 6E68A991

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastLocalToken$FreeInformationProcess$AllocCloseCurrentHandleOpen
String ID:
API String ID: 2743938992-0
Opcode ID: 28b3869bbf051b13decd90b7fbbf890a2a19adadae3e78c8cb8e9c7f7056e01f
Instruction ID: 7d8aa68bf04b92dd8727477a8b6f584e60892d7f5166b92656096ed531de36c9
Opcode Fuzzy Hash: 28b3869bbf051b13decd90b7fbbf890a2a19adadae3e78c8cb8e9c7f7056e01f
Instruction Fuzzy Hash: 8C519E32E90609EFEF518FA9CC49BAEBBB8FF06725F114056F911E6280D7349904CB60

Function 6E691100 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 209pipeCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000005A1,IPM_MESSAGE_PIPE::WriteMessage,IPM_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d,?,?,?), ref: 6E69117C
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000005AA,IPM_MESSAGE_PIPE::WriteMessage,IPM_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x,00000000,00000000), ref: 6E6911C3
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000005BD,IPM_MESSAGE_PIPE::WriteMessage,IPM_MESSAGE_PIPE::WriteMessage failed allocation of WriteBuffer, hr = %x, size=%d,8007000E,?,00000000), ref: 6E691229
?ReadLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000), ref: 6E69127A

Part of subcall function 6E67B190: ?_LockSpin@CReaderWriterLock3@@AAEXW4SPIN_TYPE@1@@Z.IISUTIL(00000002), ref: 6E67B1C7

?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000), ref: 6E69128D
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,00000000), ref: 6E6912F7
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000611,IPM_MESSAGE_PIPE::WriteMessage,IPM_MESSAGE_PIPE::WriteMessage failed IpmWriteFile, hr = %x,00000000,?,?,00000000), ref: 6E691324
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000058C,IPM_MESSAGE_PIPE::WriteMessage,IPM_MESSAGE_PIPE::WriteMessage failed, hr = %x,80070216), ref: 6E69138D
?NotifyPipeDisconnected@IPM_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,80070216), ref: 6E691399

Strings

IPM_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d, xrefs: 6E691162
IPM_MESSAGE_PIPE::WriteMessage failed, hr = %x, xrefs: 6E691373
IPM_MESSAGE_PIPE::WriteMessage failed allocation of WriteBuffer, hr = %x, size=%d, xrefs: 6E69120F
IPM_MESSAGE_PIPE::WriteMessage failed IpmWriteFile, hr = %x, xrefs: 6E69130A
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E691171, 6E6911B8, 6E69121E, 6E691319, 6E691382
IPM_MESSAGE_PIPE::WriteMessage, xrefs: 6E691167, 6E6911AE, 6E691214, 6E69130F, 6E691378
IPM_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x, xrefs: 6E6911A9

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$Lock3@@ReaderWriter$Read$Unlock@$Disconnected@E@1@@LockLock@NotifyPipeSpin@
String ID: IPM_MESSAGE_PIPE::WriteMessage$IPM_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d$IPM_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x$IPM_MESSAGE_PIPE::WriteMessage failed IpmWriteFile, hr = %x$IPM_MESSAGE_PIPE::WriteMessage failed allocation of WriteBuffer, hr = %x, size=%d$IPM_MESSAGE_PIPE::WriteMessage failed, hr = %x$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 2512574523-2280398163
Opcode ID: 8948c99b5f40c44aa8d1a5ecbbd1dfbd63bc47d1c655694459ccd8eae5c0301d
Instruction ID: 96a6070aa2b21adb3fcedb4107d9b96863f28b4ee79b5728730f68de380da6b8
Opcode Fuzzy Hash: 8948c99b5f40c44aa8d1a5ecbbd1dfbd63bc47d1c655694459ccd8eae5c0301d
Instruction Fuzzy Hash: 4671F371910606AFCB01CF99CC40B9A77B9BF01328F158619F824AB791E730E954DBD5

Function 6E69030E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 146fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6E69046D
GetLastError.KERNEL32 ref: 6E690477
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000197,IpmReadFileChunked,IpmReadFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,?,?,?,?,00000000,?), ref: 6E69035C

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

ReadFile.KERNEL32(?,00010000,00010000,?,?,?,?,00000000,?), ref: 6E6903C2
GetLastError.KERNEL32 ref: 6E6903CC
GetOverlappedResult.KERNEL32(?,00000001,?,00000001), ref: 6E6903E9
GetLastError.KERNEL32 ref: 6E690403
GetLastError.KERNEL32 ref: 6E69040D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000001CE,IpmReadFileChunked,Error GetOverlappedResult, hFile=%d, dwBytesToRead=%d, hr=%x,?,?,80004005), ref: 6E690463
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000001E0,IpmReadFileChunked,Error ReadFile, hFile=%d, dwBufferPos=%d, dwBytesToRead=%d, hr=%x,?,?,?,80004005), ref: 6E6904CA

Strings

IpmReadFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E690342
Error ReadFile, hFile=%d, dwBufferPos=%d, dwBytesToRead=%d, hr=%x, xrefs: 6E6904B0
IpmReadFileChunked, xrefs: 6E690347, 6E69044E, 6E6904B5
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690351, 6E690458, 6E6904BF
Error GetOverlappedResult, hFile=%d, dwBytesToRead=%d, hr=%x, xrefs: 6E690449

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$Print$FileFreeInternal@MemoryOverlappedReadResult
String ID: Error GetOverlappedResult, hFile=%d, dwBytesToRead=%d, hr=%x$Error ReadFile, hFile=%d, dwBufferPos=%d, dwBytesToRead=%d, hr=%x$IpmReadFileChunked$IpmReadFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 165636462-1264284293
Opcode ID: 2726286a8f6a84c712b580049bd6f8e78f82c62c80e86a952018953eb0aed4b1
Instruction ID: e548d132818137d545db47778b98bb138142320737acc492ddd6f147037f49d3
Opcode Fuzzy Hash: 2726286a8f6a84c712b580049bd6f8e78f82c62c80e86a952018953eb0aed4b1
Instruction Fuzzy Hash: 2C41F372D5010BEBEF508EDACC44AAE7B75BB52B54F00416AF850BB340E731AD91EB90

Function 6E687020 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 131fileCOMMON

Download Yara Rule

APIs

?Copy@STRA@@QAEJPBD@Z.IISUTIL(?), ref: 6E6870C8
EnterCriticalSection.KERNEL32(6E6A8630), ref: 6E6870E7
CreateDirectoryW.KERNEL32(?,00000000), ref: 6E687103
GetCurrentProcessId.KERNEL32 ref: 6E687109
swprintf_s.MSVCRT ref: 6E68711C
?Append@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E68712E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,00000080,00000000), ref: 6E687159
WriteFile.KERNEL32(FFFFFFFF,?,?,?,00000000), ref: 6E68717C
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68718F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6E6871AE
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E6871C1
LeaveCriticalSection.KERNEL32(6E6A8630), ref: 6E6871C8
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E6871D8
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E6871E7

Part of subcall function 6E686328: _vsnprintf_s.MSVCRT ref: 6E686345
Part of subcall function 6E686328: ?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E68635A

Strings

%d.log, xrefs: 6E687110

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: File$AttributeConsoleCreateCriticalFreeInternal@MemorySectionTextWrite$Append@Copy@CurrentDirectoryEnterLeaveProcessResize@_vsnprintf_sswprintf_s
String ID: %d.log
API String ID: 1930024764-3129118065
Opcode ID: ee1cfcbbbed477588def2f064d2b68109c2db440fbca7f2303245f5b00f2ebf6
Instruction ID: 959d08f7286749319153ede7d2a03958a7b6435db436148262f3ed390b54756c
Opcode Fuzzy Hash: ee1cfcbbbed477588def2f064d2b68109c2db440fbca7f2303245f5b00f2ebf6
Instruction Fuzzy Hash: 14518671548745AFDB10DFA4C848A9F7BE8FF86354F040D1AF694C72A0D731A944CB66

Function 6E68E340 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 126registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000001,000F003F,?,?,?), ref: 6E68E373
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68E39A
GetSecurityDescriptorDacl.ADVAPI32(?,00000002,00000002,?), ref: 6E68E3F2
GetLastError.KERNEL32 ref: 6E68E3FC
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68E41E
SetSecurityInfo.ADVAPI32(?,00000004,00000004,00000000,00000000,00000002,00000000), ref: 6E68E45B
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68E47D
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx,00000292,CreateSubkey,00000000,Setting DACL on registry key failed), ref: 6E68E4AE
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68E4C3
RegCloseKey.ADVAPI32(?), ref: 6E68E4D3

Strings

inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx, xrefs: 6E68E4A3
Setting DACL on registry key failed, xrefs: 6E68E493
CreateSubkey, xrefs: 6E68E3B6, 6E68E43A, 6E68E499
Creating/opening registry key failed, xrefs: 6E68E3B0
Getting DACL to apply to registry key failed, xrefs: 6E68E434

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$ErrorSecurity$CloseCreateDaclDescriptorInfoLastPrint
String ID: CreateSubkey$Creating/opening registry key failed$Getting DACL to apply to registry key failed$Setting DACL on registry key failed$inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx
API String ID: 3476584905-1944681403
Opcode ID: d431c9d7f730af3838be85cb985762860e58e11db27576e2b63f81dea19c7a75
Instruction ID: 866bcaf9afcc065241c35b5631e97c560a74e622a2f58ce57581f62d5f0c297a
Opcode Fuzzy Hash: d431c9d7f730af3838be85cb985762860e58e11db27576e2b63f81dea19c7a75
Instruction Fuzzy Hash: C541EB71A84611FFEB118E95CC48F6F7799EB42754F00052AFA5897251C370AC458BF5

Function 6E68870F Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 106timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6E68871D
DeleteTimerQueueTimer.KERNEL32(?,?,00000000,?,00000000,?,6E6883B0), ref: 6E688758
GetLastError.KERNEL32(?,00000000,?,6E6883B0), ref: 6E688762
SetConsoleTextAttribute.KERNEL32(?,00000004,?,00000000,?,6E6883B0), ref: 6E688785
GetLastError.KERNEL32(?,00000000,?,6E6883B0), ref: 6E688791
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,000003CA,TIMER::Terminate,00000000,DeleteTimerQueueTimer failed! Queue=0x%p, Timer=0x%p,?,?,?,00000000,?,6E6883B0), ref: 6E6887C2
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E6887D7
DeleteTimerQueueTimer.KERNEL32(?,?,000000FF,?,00000000,?,6E6883B0), ref: 6E6887EE
SetConsoleTextAttribute.KERNEL32(?,00000004,?,00000000,?,6E6883B0), ref: 6E68880E
GetLastError.KERNEL32(?,00000000,?,6E6883B0), ref: 6E68881A
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,000003E5,TIMER::Terminate,00000000,DeleteTimerQueueTimer failed! Queue=0x%p, Timer=0x%p,?,?,?,00000000,?,6E6883B0), ref: 6E68884B
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E688860

Strings

inetsrv\iis\iisrearc\core\common\util\sched.cxx, xrefs: 6E6887B7, 6E688840
TIMER::Terminate, xrefs: 6E6887AD, 6E688836
DeleteTimerQueueTimer failed! Queue=0x%p, Timer=0x%p, xrefs: 6E6887A7, 6E688830

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Error$AttributeConsoleTextTimer$Last$DeletePrintQueue$CurrentThread
String ID: DeleteTimerQueueTimer failed! Queue=0x%p, Timer=0x%p$TIMER::Terminate$inetsrv\iis\iisrearc\core\common\util\sched.cxx
API String ID: 1732115667-3466387691
Opcode ID: 6499c3b28c4631759d3de0819d812f5d0e0a63fa5c6f850e3b9e75c87dc1b0ba
Instruction ID: 329b6ada114942ed9675bee3caca454a56f1787a48cd45e144bf202d5ae221ed
Opcode Fuzzy Hash: 6499c3b28c4631759d3de0819d812f5d0e0a63fa5c6f850e3b9e75c87dc1b0ba
Instruction Fuzzy Hash: 75419370540501AFEB125F6ACC4DF2ABBB5FB06315F044225F5199B3B1D730B865DBA4

Function 6E693030 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 139pipeCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000056C,IPM2_MESSAGE_PIPE::ReadMessage,IPM2_MESSAGE_PIPE::ReadMessage failed allocation of Read Buffer, hr = %x, size = %d,8007000E,?,00000000,?,?,00000000), ref: 6E693113
?ReadLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000,?,?,00000000), ref: 6E693132
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000,?,?,00000000), ref: 6E69313F
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000556,IPM2_MESSAGE_PIPE::ReadMessage,IPM2_MESSAGE_PIPE::ReadMessage called with size=%d,?,?,?,00000000), ref: 6E693081

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000055F,IPM2_MESSAGE_PIPE::ReadMessage,IPM2_MESSAGE_PIPE::ReadMessage failed CreateMessage, hr = %x,00000000,00000000,?,?,00000000), ref: 6E6930C9
?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,00000000,?,?), ref: 6E6931E2

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E693076, 6E6930BE, 6E693108, 6E6931A1
IPM2_MESSAGE_PIPE::ReadMessage called with size=%d, xrefs: 6E693067
IPM2_MESSAGE_PIPE::ReadMessage failed allocation of Read Buffer, hr = %x, size = %d, xrefs: 6E6930F9
IPM2_MESSAGE_PIPE::ReadMessage failed CreateMessage, hr = %x, xrefs: 6E6930AF
IPM2_MESSAGE_PIPE::ReadMessage failed Ipm2ReadFile, hr = %x, xrefs: 6E693192
IPM2_MESSAGE_PIPE::ReadMessage, xrefs: 6E69306C, 6E6930B4, 6E6930FE, 6E693197

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$ErrorLastLock3@@ReadReaderWriter$Disconnected@FreeInternal@Lock@MemoryNotifyPipeUnlock@
String ID: IPM2_MESSAGE_PIPE::ReadMessage$IPM2_MESSAGE_PIPE::ReadMessage called with size=%d$IPM2_MESSAGE_PIPE::ReadMessage failed CreateMessage, hr = %x$IPM2_MESSAGE_PIPE::ReadMessage failed Ipm2ReadFile, hr = %x$IPM2_MESSAGE_PIPE::ReadMessage failed allocation of Read Buffer, hr = %x, size = %d$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 1207811579-291838951
Opcode ID: bd0535b2123086ec8c909e122fe33e6749a5ca564b808ee9417c546d759169f9
Instruction ID: 4c0fdb53964e996bf23e86e0ede5fe6d8a0315ffdf306335596a40ef198943b1
Opcode Fuzzy Hash: bd0535b2123086ec8c909e122fe33e6749a5ca564b808ee9417c546d759169f9
Instruction Fuzzy Hash: 34412835590A469BCF11CF99CC4CF4F7BA5AB86315F008519EC181B3E6DB30A905DBD5

Function 6E690F30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 137pipeCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000527,IPM_MESSAGE_PIPE::ReadMessage,IPM_MESSAGE_PIPE::ReadMessage failed allocation of Read Buffer, hr = %x, size = %d,8007000E,?,00000000,?,?,00000000), ref: 6E69100F
?ReadLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000,?,?,00000000), ref: 6E69102E
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000,?,?,00000000), ref: 6E69103C
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000511,IPM_MESSAGE_PIPE::ReadMessage,IPM_MESSAGE_PIPE::ReadMessage called with size=%d,?,?,?,00000000), ref: 6E690F76

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000051A,IPM_MESSAGE_PIPE::ReadMessage,IPM_MESSAGE_PIPE::ReadMessage failed CreateMessage, hr = %x,00000000,00000000,?,?,00000000), ref: 6E690FBD
?NotifyPipeDisconnected@IPM_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(00000000,00000000,?,?,00000000,?,?,00000000), ref: 6E6910E9

Strings

IPM_MESSAGE_PIPE::ReadMessage failed CreateMessage, hr = %x, xrefs: 6E690FA3
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690F6B, 6E690FB2, 6E691004, 6E691098
IPM_MESSAGE_PIPE::ReadMessage called with size=%d, xrefs: 6E690F5C
IPM_MESSAGE_PIPE::ReadMessage failed IpmReadFile, hr = %x, xrefs: 6E691089
IPM_MESSAGE_PIPE::ReadMessage, xrefs: 6E690F61, 6E690FA8, 6E690FFA, 6E69108E
IPM_MESSAGE_PIPE::ReadMessage failed allocation of Read Buffer, hr = %x, size = %d, xrefs: 6E690FF5

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$ErrorLastLock3@@ReadReaderWriter$Disconnected@FreeInternal@Lock@MemoryNotifyPipeUnlock@
String ID: IPM_MESSAGE_PIPE::ReadMessage$IPM_MESSAGE_PIPE::ReadMessage called with size=%d$IPM_MESSAGE_PIPE::ReadMessage failed CreateMessage, hr = %x$IPM_MESSAGE_PIPE::ReadMessage failed IpmReadFile, hr = %x$IPM_MESSAGE_PIPE::ReadMessage failed allocation of Read Buffer, hr = %x, size = %d$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 1207811579-2472648992
Opcode ID: a936e511836f3f53058123946cc3a3433f50d963ab6b1b17a27dde42b02d3107
Instruction ID: 17844aa0bb3fb07c708287ecacf3a901add4190a1becc47eb5c2f2e41d98e3e8
Opcode Fuzzy Hash: a936e511836f3f53058123946cc3a3433f50d963ab6b1b17a27dde42b02d3107
Instruction Fuzzy Hash: 4C4118319243825BDF20CEE6CC00B5F77A8AF42318F15495DE8546B392EB31EA099BE5

Function 6E688D00 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 106synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000), ref: 6E688D21
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688D44
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688D76
WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 6E688D89
sprintf_s.MSVCRT ref: 6E688DA8
OutputDebugStringA.KERNEL32(?), ref: 6E688DB8
sprintf_s.MSVCRT ref: 6E688DD0
OutputDebugStringA.KERNEL32(?), ref: 6E688DE0
EnterCriticalSection.KERNEL32(00000000), ref: 6E688DEC
sprintf_s.MSVCRT ref: 6E688E48
OutputDebugStringA.KERNEL32(?), ref: 6E688E58

Strings

%08p::[InetConvertSharedToExclusive] WaitForSingleObject Failed, xrefs: 6E688E37
%08p::[InetConvertSharedToExclusive] Re-Waiting, xrefs: 6E688DBF
%08p::[InetConvertSharedToExclusive] Sem timeout, xrefs: 6E688D97

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$DebugOutputStringsprintf_s$EnterLeave$ObjectSingleWait
String ID: %08p::[InetConvertSharedToExclusive] Re-Waiting$%08p::[InetConvertSharedToExclusive] Sem timeout$%08p::[InetConvertSharedToExclusive] WaitForSingleObject Failed
API String ID: 3396701503-631394334
Opcode ID: dcf8e85e7bb085e8c36cde8eb3b8c7f83d674ba109c7dab7f4c0ab4970a0105d
Instruction ID: d1e625b97ffc8fddc2b8e1e8592b5968947d62c9c4aa5a969353adefb8bef88b
Opcode Fuzzy Hash: dcf8e85e7bb085e8c36cde8eb3b8c7f83d674ba109c7dab7f4c0ab4970a0105d
Instruction Fuzzy Hash: 8241B671940B04DFC720DFA9C98CB9A77F8FB0A320F900A59E55686690C734F985CFA4

Function 6E688B10 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 94synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000), ref: 6E688B31
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688B6D
WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 6E688B80
sprintf_s.MSVCRT ref: 6E688B9F
OutputDebugStringA.KERNEL32(?), ref: 6E688BAF
sprintf_s.MSVCRT ref: 6E688BC7
OutputDebugStringA.KERNEL32(?), ref: 6E688BD7
sprintf_s.MSVCRT ref: 6E688BF5
OutputDebugStringA.KERNEL32(?), ref: 6E688C05
EnterCriticalSection.KERNEL32(00000000), ref: 6E688C0C
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688C32

Strings

%08p::[InetAcquireResourceExclusive] Re-Waiting, xrefs: 6E688BB6
%08p::[InetAcquireResourceExclusive] WaitForSingleObject Failed, xrefs: 6E688BE4
%08p::[InetAcquireResourceExclusive] Sem Timeout, xrefs: 6E688B8E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$DebugOutputStringsprintf_s$EnterLeave$ObjectSingleWait
String ID: %08p::[InetAcquireResourceExclusive] Re-Waiting$%08p::[InetAcquireResourceExclusive] Sem Timeout$%08p::[InetAcquireResourceExclusive] WaitForSingleObject Failed
API String ID: 3396701503-892644184
Opcode ID: bc6cf20cad47c2e78859beb514791aa5262575df1ed835de7c85585520933b05
Instruction ID: 9cf0200fdf6c32c9ea5a0f4d9ad024e3ff64750c84d1d3a2587ddc329d44cc2f
Opcode Fuzzy Hash: bc6cf20cad47c2e78859beb514791aa5262575df1ed835de7c85585520933b05
Instruction Fuzzy Hash: 3D31B471940B04EBCB21DFAACC4CA9B7BB8FF4A320F900A56F55982651C734B985CF64

Function 6E6889F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000), ref: 6E688A10
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688A34
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688A46
LeaveCriticalSection.KERNEL32(00000000), ref: 6E688A58
WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 6E688A70
sprintf_s.MSVCRT ref: 6E688A8B
OutputDebugStringA.KERNEL32(?), ref: 6E688A9B
sprintf_s.MSVCRT ref: 6E688AAF
OutputDebugStringA.KERNEL32(?), ref: 6E688ABF
sprintf_s.MSVCRT ref: 6E688AD9
OutputDebugStringA.KERNEL32(?), ref: 6E688AE9

Strings

%08p::[InetAcquireResourceShared] Re-Waiting, xrefs: 6E688AA2
%08p::[InetAcquireResourceShared] Sem timeout, xrefs: 6E688A7E
%08p::[InetAcquireResourceShared] WaitForSingleObject Failed, xrefs: 6E688ACC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$DebugLeaveOutputStringsprintf_s$EnterObjectSingleWait
String ID: %08p::[InetAcquireResourceShared] Re-Waiting$%08p::[InetAcquireResourceShared] Sem timeout$%08p::[InetAcquireResourceShared] WaitForSingleObject Failed
API String ID: 462334392-2994773890
Opcode ID: 29c3e36b95aa5ea78445c728f4532ac7d649fdc01acd9cfc0cd064ecd7cc54cc
Instruction ID: 14683adab633829acec77f7afc254c1595cc1df82e3bcd7cab6400eabe85429e
Opcode Fuzzy Hash: 29c3e36b95aa5ea78445c728f4532ac7d649fdc01acd9cfc0cd064ecd7cc54cc
Instruction Fuzzy Hash: 99316171850A04AFCB20DFAAC84CADF77BCFF1A315F800856E545C2691D774AE85CBA5

Function 6E6875D0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E6A8650), ref: 6E6875DC
LeaveCriticalSection.KERNEL32(6E6A8650), ref: 6E6875FF
SetLastError.KERNEL32(00000057), ref: 6E687636
EnterCriticalSection.KERNEL32(?,6E6A8650), ref: 6E687649
sprintf_s.MSVCRT ref: 6E687662
LeaveCriticalSection.KERNEL32(?), ref: 6E687735
sprintf_s.MSVCRT ref: 6E687756
SetLastError.KERNEL32(0000007A), ref: 6E68776B

Strings

AllocCacheTable Data <br><TABLE BORDER> <TR> <TH> Item Name </TH> <TH> Config(concurr, threshold, size) </TH> <TH> # Total Items </TH> <TH> # Alloc Calls </TH> <TH> # Free Calls </TH> <TH> # Free Entries </TH> <TH> # Total Size (bytes) </TH> <TH> Fill Patt, xrefs: 6E687658
<TR> <TD> [%d] %s </TD> <TD> (%d, %d, %d) </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> 0x%08lX </TD> </TR>, xrefs: 6E6876F2
<b> <TR> </TR> <TR> <TD> Total </TD> <TD> </TD> <TD> </TD> <TD> </TD> <TD> </TD> <TD> </TD> <TD> %4d </TD> </TR></b> </TABLE>, xrefs: 6E68774A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeavesprintf_s
String ID: AllocCacheTable Data <br><TABLE BORDER> <TR> <TH> Item Name </TH> <TH> Config(concurr, threshold, size) </TH> <TH> # Total Items </TH> <TH> # Alloc Calls </TH> <TH> # Free Calls </TH> <TH> # Free Entries </TH> <TH> # Total Size (bytes) </TH> <TH> Fill Patt$ <TR> <TD> [%d] %s </TD> <TD> (%d, %d, %d) </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> %4d </TD> <TD> 0x%08lX </TD> </TR>$ <b> <TR> </TR> <TR> <TD> Total </TD> <TD> </TD> <TD> </TD> <TD> </TD> <TD> </TD> <TD> </TD> <TD> %4d </TD> </TR></b> </TABLE>
API String ID: 544551304-60044760
Opcode ID: 138c9a56614fbdab7af84c6072a06153fdf8c09170036b0b15b2f0b854643a4b
Instruction ID: 711dc2f8f090428499f8a1223044d62d9dcf139d54f9ae0632ea70fcc261bda3
Opcode Fuzzy Hash: 138c9a56614fbdab7af84c6072a06153fdf8c09170036b0b15b2f0b854643a4b
Instruction Fuzzy Hash: 3651F232A00201EFDB158FA8CC48F9ABBB5FF06354F1485A5E909DB351D731A960CFA0

Function 6E68CBEC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 6E68C823: OpenSCManagerW.ADVAPI32(00000000,00000000,80000000), ref: 6E68C852
Part of subcall function 6E68C823: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68C85F
Part of subcall function 6E68C823: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68CA07
Part of subcall function 6E68C823: CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6E68CC19), ref: 6E68CA15
Part of subcall function 6E68C823: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000335,GetProcessHandleForInetinfo,Could not open the inetinfo process, hr = %08x,00000000), ref: 6E68CA9D

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000459,MonitorProcess,Failed to get inetinfo process handle hr = %08x,00000000), ref: 6E68CC43

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Part of subcall function 6E68CABC: OpenSCManagerW.ADVAPI32(00000000,00000000,80000000,?,00000000), ref: 6E68CAF9
Part of subcall function 6E68CABC: OpenServiceW.ADVAPI32(00000000,IISADMIN,80000000,?,?,?,?,?,?,?,?,?,?,?,?,6E68CD32), ref: 6E68CB13
Part of subcall function 6E68CABC: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,000003DB,AdminMonitorRequiresShutdown,Reset action is %d ,?), ref: 6E68CB5F
Part of subcall function 6E68CABC: WaitForSingleObject.KERNEL32(?), ref: 6E68CB76
Part of subcall function 6E68CABC: CloseServiceHandle.ADVAPI32(00000000), ref: 6E68CBC7
Part of subcall function 6E68CABC: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E68CD32), ref: 6E68CBCE

SetEvent.KERNEL32(?), ref: 6E68CC7B
WaitForMultipleObjectsEx.KERNEL32(00000002,?,00000000,000000FF,00000000), ref: 6E68CC8F
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000494,MonitorProcess,WaitResult = %d ,00000000), ref: 6E68CCCA
GetLastError.KERNEL32 ref: 6E68CCDA
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,0000049C,MonitorProcess,WaitForMultipleObjectsEx failed, hr = %08x,00000000), ref: 6E68CD13
CloseHandle.KERNEL32(00000000), ref: 6E68CD65
SetEvent.KERNEL32(?), ref: 6E68CD8B

Strings

MonitorProcess, xrefs: 6E68CC2E, 6E68CCB5, 6E68CCFE
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68CC38, 6E68CCBF, 6E68CD08
WaitForMultipleObjectsEx failed, hr = %08x, xrefs: 6E68CCF9
WaitResult = %d , xrefs: 6E68CCB0
Failed to get inetinfo process handle hr = %08x, xrefs: 6E68CC29

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseHandlePrintService$ErrorLast$Open$EventManagerWait$FreeInternal@MemoryMultipleObjectObjectsSingle
String ID: Failed to get inetinfo process handle hr = %08x$MonitorProcess$WaitForMultipleObjectsEx failed, hr = %08x$WaitResult = %d $inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 715878782-288598621
Opcode ID: 11bcb37638087fd4de4adf9278b745e1d584b06db10a32c9f5a2b7a8057d4c11
Instruction ID: a3eacf53b87067aa4dd069dfcb6b1ba4f103ae0e132fb900b8ab2f8f35626e79
Opcode Fuzzy Hash: 11bcb37638087fd4de4adf9278b745e1d584b06db10a32c9f5a2b7a8057d4c11
Instruction Fuzzy Hash: 0D41F635D80A11ABDB119FE9CC68BAF7B74EF02315F004619E916AF391D770A800CBE5

Function 6E6935F2 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 141registrywindowCOMMON

Download Yara Rule

APIs

?IpmMessageCreated@IPM2_MESSAGE_PIPE@@QAGXPAVIPM2_MESSAGE_IMP@@@Z.IISUTIL(?,00000000,?,?,00000000), ref: 6E693642

Part of subcall function 6E692490: ?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69249E
Part of subcall function 6E692490: ?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6924CE
Part of subcall function 6E692490: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000252,IPM2_MESSAGE_PIPE::IpmMessageCreated,IPM2_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d,00000002), ref: 6E692503

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000000), ref: 6E693698
GetLastError.KERNEL32 ref: 6E6936A2
RegisterWaitForSingleObject.KERNEL32(?,00000000,?,00000000,000000FF,00000008), ref: 6E6936EC
GetLastError.KERNEL32 ref: 6E6936F6
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000006F6,IPM2_MESSAGE_IMP::CreateMessage,IPM2_MESSAGE_PIPE::CreateMessage failed RegisterWaitForSingleObject, hr = %x,00000000), ref: 6E69372F
UnregisterWaitEx.KERNEL32(00000000,000000FF), ref: 6E693767

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E693724
IPM2_MESSAGE_PIPE::CreateMessage failed allocation of IPM2_MESSAGE_IMP, hr = %x, xrefs: 6E693676
IPM2_MESSAGE_IMP::CreateMessage, xrefs: 6E69367B, 6E6936CA, 6E69371A
IPM2_MESSAGE_PIPE::CreateMessage failed CreateEvent, hr = %x, xrefs: 6E6936C5
MIM2, xrefs: 6E693651
IPM2_MESSAGE_PIPE::CreateMessage failed RegisterWaitForSingleObject, hr = %x, xrefs: 6E693715

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastLock3@@PrintReaderWaitWriteWriter$CreateCreated@EventLock@MessageObjectP@@@RegisterSingleUnlock@Unregister
String ID: IPM2_MESSAGE_IMP::CreateMessage$IPM2_MESSAGE_PIPE::CreateMessage failed CreateEvent, hr = %x$IPM2_MESSAGE_PIPE::CreateMessage failed RegisterWaitForSingleObject, hr = %x$IPM2_MESSAGE_PIPE::CreateMessage failed allocation of IPM2_MESSAGE_IMP, hr = %x$MIM2$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 2066366827-266453244
Opcode ID: cfd4caaa9440611d395869be83930f3287e02071b1c23c669ce885a9f7f8baeb
Instruction ID: 7e3e499a27d7f31549142d72610bed8a9e7b3363a1f2c467ae8da64103a3a51a
Opcode Fuzzy Hash: cfd4caaa9440611d395869be83930f3287e02071b1c23c669ce885a9f7f8baeb
Instruction Fuzzy Hash: 6E41E671980706AFDB218FE9C888B5FBFF4EB06715F00462AE555AB381D774A904DB88

Function 6E683BC0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(?), ref: 6E683C55

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

sprintf_s.MSVCRT ref: 6E683CA0
strcat_s.MSVCRT ref: 6E683CB3
strcat_s.MSVCRT ref: 6E683CE1
strcat_s.MSVCRT ref: 6E683CFF
sprintf_s.MSVCRT ref: 6E683D29
?Append@STRA@@QAEJPBD@Z.IISUTIL(?), ref: 6E683D3F
?Copy@STRA@@QAEJPBD@Z.IISUTIL(00000000 -), ref: 6E683D5C

Strings

%02x , xrefs: 6E683C92
%08x %s%s, xrefs: 6E683D1B
00000000 -, xrefs: 6E683D55
, xrefs: 6E683CD6
, xrefs: 6E683CEA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: strcat_s$Resize@sprintf_s$Append@Copy@ErrorLast
String ID: $ $%02x $%08x %s%s$00000000 -
API String ID: 3137952148-3645772103
Opcode ID: 5171be1de5fbe42986b26f3b0c7c319082b65de0606b55e5e1167bd0c276eb89
Instruction ID: 0515979f961d844f487f45257f13a76a380a6d19eff927378432eab81793544f
Opcode Fuzzy Hash: 5171be1de5fbe42986b26f3b0c7c319082b65de0606b55e5e1167bd0c276eb89
Instruction Fuzzy Hash: F241B871E44259AFEF21CBE9CC44BDEBBBC9F55304F4004A6E648D7241D6709A48CBA2

Function 6E686E60 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

?Copy@STRA@@QAEJPBD@Z.IISUTIL(?), ref: 6E686F08
EnterCriticalSection.KERNEL32(6E6A8630), ref: 6E686F27
CreateDirectoryW.KERNEL32(?,00000000), ref: 6E686F43
GetCurrentProcessId.KERNEL32 ref: 6E686F49
swprintf_s.MSVCRT ref: 6E686F5C
?Append@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E686F6E
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,00000080,00000000), ref: 6E686F95
WriteFile.KERNEL32(FFFFFFFF,?,?,?,00000000), ref: 6E686FB8
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6E686FD7
LeaveCriticalSection.KERNEL32(6E6A8630), ref: 6E686FDE
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E686FEE
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E686FFD

Part of subcall function 6E686328: _vsnprintf_s.MSVCRT ref: 6E686345
Part of subcall function 6E686328: ?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E68635A

Strings

%d.log, xrefs: 6E686F50

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: File$CreateCriticalFreeInternal@MemorySectionWrite$Append@Copy@CurrentDirectoryEnterLeaveProcessResize@_vsnprintf_sswprintf_s
String ID: %d.log
API String ID: 4159032641-3129118065
Opcode ID: 11d1499664a01e738fd07e8320eee6b44a2e373b4e99281d169284901b9e5248
Instruction ID: cc29dba4b09750b5fbe019261477dc73a7a37814750efb25d7d72083858273fb
Opcode Fuzzy Hash: 11d1499664a01e738fd07e8320eee6b44a2e373b4e99281d169284901b9e5248
Instruction Fuzzy Hash: 3F415F71968785AFDB10DFA4C888A9FBBE9FF86354F000C1AF59486260D731DD44CB62

Function 6E6913AE Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 117registrywindowCOMMON

Download Yara Rule

APIs

?IpmMessageCreated@IPM_MESSAGE_PIPE@@QAGXPAVIPM_MESSAGE_IMP@@@Z.IISUTIL(?,00000000,?,?,00000000,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E6913EE

Part of subcall function 6E690710: ?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69071E
Part of subcall function 6E690710: ?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69074E
Part of subcall function 6E690710: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000002EB,IPM_MESSAGE_PIPE::IpmMessageCreated,IPM_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d,00000002), ref: 6E690783

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000652,IPM_MESSAGE_IMP::CreateMessage,IPM_MESSAGE_PIPE::CreateMessage failed allocation of IPM_MESSAGE_IMP, hr = %x,8007000E,?,?,00000000,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E691439
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000000,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E691451
GetLastError.KERNEL32(?,6E690F8C,00000000,?,?,00000000), ref: 6E69145B
RegisterWaitForSingleObjectEx.KERNEL32(00000000,?,00000000,000000FF,00000008,?,6E690F8C,00000000,?,?,00000000), ref: 6E69149D
GetLastError.KERNEL32(?,6E690F8C,00000000,?,?,00000000), ref: 6E6914A7
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000067E,IPM_MESSAGE_IMP::CreateMessage,IPM_MESSAGE_PIPE::CreateMessage failed RegisterWaitForSingleObject, hr = %x,00000000,?,6E690F8C,00000000,?,?,00000000), ref: 6E6914E0

Strings

IPM_MESSAGE_IMP::CreateMessage, xrefs: 6E691424, 6E69147F, 6E6914CB
MIMP, xrefs: 6E6913FD
IPM_MESSAGE_PIPE::CreateMessage failed RegisterWaitForSingleObject, hr = %x, xrefs: 6E6914C6
IPM_MESSAGE_PIPE::CreateMessage failed CreateEvent, hr = %x, xrefs: 6E69147A
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E69142E, 6E6914D5
IPM_MESSAGE_PIPE::CreateMessage failed allocation of IPM_MESSAGE_IMP, hr = %x, xrefs: 6E69141F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$ErrorLastLock3@@ReaderWriteWriter$CreateCreated@EventLock@MessageObjectP@@@RegisterSingleUnlock@Wait
String ID: IPM_MESSAGE_IMP::CreateMessage$IPM_MESSAGE_PIPE::CreateMessage failed CreateEvent, hr = %x$IPM_MESSAGE_PIPE::CreateMessage failed RegisterWaitForSingleObject, hr = %x$IPM_MESSAGE_PIPE::CreateMessage failed allocation of IPM_MESSAGE_IMP, hr = %x$MIMP$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 997510691-596668177
Opcode ID: 3eab3f19cbd3702e812c738c0421e3e88eb6b82d2ed9e0da3146448b88dbf60b
Instruction ID: 936f59b63547c857f3d0674a5faea667f3243d6287181993869a5ab15a8cb1b3
Opcode Fuzzy Hash: 3eab3f19cbd3702e812c738c0421e3e88eb6b82d2ed9e0da3146448b88dbf60b
Instruction Fuzzy Hash: EA3107B29903226BDB214FDA8C84B4B7FACAB06B64F11415BFC14AF381D770D9049BE5

Function 6E689E34 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

CreateWellKnownSid.ADVAPI32(0000003E,00000000,?,?,?,?,?,0000003E,?,6E68B10F), ref: 6E689E82

Strings

GetWellKnownSID, xrefs: 6E689EBE, 6E689F02
Could not create wellknown sid, xrefs: 6E689EFC
Failed to allocate appropriate space for the sid, xrefs: 6E689EB4
inetsrv\iis\iisrearc\core\common\util\useracl.cxx, xrefs: 6E689F09

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateKnownWell
String ID: Could not create wellknown sid$Failed to allocate appropriate space for the sid$GetWellKnownSID$inetsrv\iis\iisrearc\core\common\util\useracl.cxx
API String ID: 2679968358-52010560
Opcode ID: b45ca0ee1ffb088c01394c5826373a2bd90128fc9aad51e15d6b0cca8954c1fd
Instruction ID: 2531fb4fb92e7995581c52c9bf92c191b4f2d0f6cc2af2b757daa88b599c02c0
Opcode Fuzzy Hash: b45ca0ee1ffb088c01394c5826373a2bd90128fc9aad51e15d6b0cca8954c1fd
Instruction Fuzzy Hash: 432127316C4541BFEB215AEA9C0CF6F7B95AB47718F048615FA5CAB391C770AC1087B4

Function 6E68A0C0 Relevance: 22.6, APIs: 15, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 6E68A0DD
LocalAlloc.KERNEL32(00000040,?), ref: 6E68A0E8
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 6E68A10B
GetLengthSid.ADVAPI32 ref: 6E68A124
GetLengthSid.ADVAPI32 ref: 6E68A132
GetLengthSid.ADVAPI32(?), ref: 6E68A13D
LocalAlloc.KERNEL32(00000040,00000000), ref: 6E68A14E
LocalFree.KERNEL32(00000000), ref: 6E68A1E7
LocalFree.KERNEL32(00000000), ref: 6E68A1F2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Local$Length$AllocFreeInformationToken
String ID:
API String ID: 1779477374-0
Opcode ID: dbb32aca6459b01de556172f0535560288fa7650eb5a3d6af50ac01d5540d058
Instruction ID: 75df78cb880174377c7ecb1a5e5e8b1bb784defbe3f5935372c9f180ada60a5a
Opcode Fuzzy Hash: dbb32aca6459b01de556172f0535560288fa7650eb5a3d6af50ac01d5540d058
Instruction Fuzzy Hash: 23319C32E80A05BBDF514FAA8C0CF9F7B79EB46744F104015FE14E6280DB369944DBA8

Function 6E68F995 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 283registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,System\CurrentControlSet\Services\http\Parameters,00000000,00020019,?,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx), ref: 6E68F9CB
RegQueryValueExW.ADVAPI32(?,EnableNonUTF8,00000000,?,?,?), ref: 6E68F9F4
RegQueryValueExW.ADVAPI32(?,EnableDBCS,00000000,?,?,?), ref: 6E68FA31
RegQueryValueExW.ADVAPI32(?,FavorDBCS,00000000,?,?,?), ref: 6E68FA72
RegCloseKey.ADVAPI32(?), ref: 6E68FA97
RtlUpcaseUnicodeChar.NTDLL(00000000), ref: 6E68FD65

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E68F9A0
FavorDBCS, xrefs: 6E68FA6A
EnableDBCS, xrefs: 6E68FA29
InitializeIISUtil, xrefs: 6E68F9A2
System\CurrentControlSet\Services\http\Parameters, xrefs: 6E68F9AE
EnableNonUTF8, xrefs: 6E68F9EC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: QueryValue$CharCloseOpenUnicodeUpcase
String ID: EnableDBCS$EnableNonUTF8$FavorDBCS$InitializeIISUtil$System\CurrentControlSet\Services\http\Parameters$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx
API String ID: 198723422-2819932958
Opcode ID: 8e3270abe920c93c2707f1d4bbceb57c904eccc7191cbf734ccafc3ddcb2ed3c
Instruction ID: e5ad061a8dc9e6413b0c5d784e5fab1d43e9235f99b88e48c3069fb77c541472
Opcode Fuzzy Hash: 8e3270abe920c93c2707f1d4bbceb57c904eccc7191cbf734ccafc3ddcb2ed3c
Instruction Fuzzy Hash: 22B17970E50A98EFDB44DF9EC88959EBBF5FB5A700B24802AE546D3360D7706940CFA0

Function 6E682620 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 6E68263A
iswxdigit.MSVCRT ref: 6E682674
iswxdigit.MSVCRT ref: 6E682688
iswxdigit.MSVCRT ref: 6E68269C
iswxdigit.MSVCRT ref: 6E6826B0
iswxdigit.MSVCRT ref: 6E68275D
iswxdigit.MSVCRT ref: 6E68276D
wcschr.MSVCRT ref: 6E6827DC
memmove.MSVCRT ref: 6E682800
memmove.MSVCRT ref: 6E682838
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL ref: 6E68284E

Strings

9, xrefs: 6E682651

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: iswxdigit$memmovewcschr$Buffer@SyncWith
String ID: 9
API String ID: 760810773-2366072709
Opcode ID: ecb03e89b5736c65d6dd4ced7b71b1a3d683605fa933c4b1206e4e7b03aebb89
Instruction ID: e4dbe08990862d5c8d761f42951baacc50ce5a2e99b499bc60e5ac4c71461c2f
Opcode Fuzzy Hash: ecb03e89b5736c65d6dd4ced7b71b1a3d683605fa933c4b1206e4e7b03aebb89
Instruction Fuzzy Hash: 7A6125B6C00223ABEB048FFAC9682AFBBB4FF57310B50411AE891D7640D7759A81C770

Function 6E683A30 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 137COMMON

Download Yara Rule

APIs

?AuxAppend@STRA@@AAEJPBEKK_N@Z.IISUTIL(?,00000001,00000000,00000001), ref: 6E683AB9

Part of subcall function 6E682F60: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?,00000001,?,?,?,?,6E678E59,00000000,00000001,?,00000001), ref: 6E682FB4
Part of subcall function 6E682F60: GetLastError.KERNEL32(?,00000001,?,?,?,?,6E678E59,00000000,00000001,?,00000001), ref: 6E682FBD

?Copy@STRA@@QAEJPBDK@Z.IISUTIL(?,00000000), ref: 6E683AE7
?Append@STRA@@QAEJPBDK@Z.IISUTIL(",00000006), ref: 6E683B52
?AuxAppend@STRA@@AAEJPBEKK_N@Z.IISUTIL(?,?,00000000,00000001), ref: 6E683B86
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E683B98

Strings

", xrefs: 6E683B44, 6E683B4D
, xrefs: 6E683A4C
{, xrefs: 6E683B24
>, xrefs: 6E683B2B
}, xrefs: 6E683B1D
<, xrefs: 6E683B34
&, xrefs: 6E683B3B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@$Copy@ErrorFreeInternal@LastMemoryResize@
String ID: ${$}$&$>$<$"
API String ID: 1284757249-3582520496
Opcode ID: 9d11ad75d9170cc84f596d993d99113c88712be8796a25f79bdfd294dcefeddd
Instruction ID: fcbaca196c4a9a5f4e25c106a2ed42fde013f11d768207f3d661fe2f9ad8193c
Opcode Fuzzy Hash: 9d11ad75d9170cc84f596d993d99113c88712be8796a25f79bdfd294dcefeddd
Instruction Fuzzy Hash: D74127B16D93529FD364CEE8C8687A7B3E5EBD3B14F00461EB89197290D721CC0187A6

Function 6E682D40 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 128COMMON

Download Yara Rule

APIs

?Copy@STRU@@QAEJPBGK@Z.IISUTIL(?,00000000), ref: 6E682DE1
?Append@STRU@@QAEJPBGK@Z.IISUTIL(",00000006), ref: 6E682E4D
?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(?,?,00000000,00000001), ref: 6E682E8F
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E682EA1

Strings

}, xrefs: 6E682E18
{, xrefs: 6E682E1F
, xrefs: 6E682D69
<, xrefs: 6E682E2F
", xrefs: 6E682E3F, 6E682E48
>, xrefs: 6E682E26
", xrefs: 6E682D99
&, xrefs: 6E682E36

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@$Copy@FreeInternal@Memory
String ID: $"${$}$&$>$<$"
API String ID: 3534354980-3497705539
Opcode ID: 03eaa2339febfcd9482babb23b39d00888ed6dab1c74d3c1c90568624b0d9bdd
Instruction ID: 4141c97b7330b82fbe5be238d006168384690666b03d147237405c544de9814a
Opcode Fuzzy Hash: 03eaa2339febfcd9482babb23b39d00888ed6dab1c74d3c1c90568624b0d9bdd
Instruction Fuzzy Hash: F04117B25487029BD754CFA4C86876B7BE1FBC2704F004A2EF5A5972A0E731CC458B7A

Function 6E68EB14 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,System\CurrentControlSet\Services\http\Parameters,00000000,00020019,?,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx), ref: 6E68EB4A
RegQueryValueExW.ADVAPI32(?,EnableNonUTF8,00000000,?,?,?), ref: 6E68EB73
RegQueryValueExW.ADVAPI32(?,EnableDBCS,00000000,?,?,?), ref: 6E68EBB0
RegQueryValueExW.ADVAPI32(?,FavorDBCS,00000000,?,?,?), ref: 6E68EBF1
RegCloseKey.ADVAPI32(?), ref: 6E68EC16
GetSystemDefaultLangID.KERNEL32 ref: 6E68EC1C

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E68EB1F
FavorDBCS, xrefs: 6E68EBE9
EnableDBCS, xrefs: 6E68EBA8
InitializeIISUtil, xrefs: 6E68EB21
System\CurrentControlSet\Services\http\Parameters, xrefs: 6E68EB2D
EnableNonUTF8, xrefs: 6E68EB6B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: QueryValue$CloseDefaultLangOpenSystem
String ID: EnableDBCS$EnableNonUTF8$FavorDBCS$InitializeIISUtil$System\CurrentControlSet\Services\http\Parameters$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx
API String ID: 1437782280-2819932958
Opcode ID: edc16d836a006f8fe9b2dc7c696eda344d9d5f3af664f1c0b13b0a29133bb9ea
Instruction ID: 1d06dbe4ab58c459d7ffcac95456bf1560d938eaaad7ce3ee718fe647804bac5
Opcode Fuzzy Hash: edc16d836a006f8fe9b2dc7c696eda344d9d5f3af664f1c0b13b0a29133bb9ea
Instruction Fuzzy Hash: B24148B5E4561AEFAF20CFEADD489AF7BBCFB42354B104167E511D2250E734AA40CB60

Function 6E68CABC Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105servicesleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6E68C432: RegOpenKeyExW.ADVAPI32(80000002,System\CurrentControlSet\Services\IISAdmin\Parameters,00000000,00020019,?), ref: 6E68C483
Part of subcall function 6E68C432: RegQueryValueExW.ADVAPI32(?,MillisecondsToWaitForShutdownAfterCrash,00000000,?,?,?), ref: 6E68C4AE
Part of subcall function 6E68C432: RegQueryValueExW.ADVAPI32(?,MillisecondsToWaitForInetinfoRestartAfterCrash,00000000,?,?,00000004), ref: 6E68C4E3
Part of subcall function 6E68C432: RegQueryValueExW.ADVAPI32(?,MillisecondsCheckIntervalForInetinfoToRestart,00000000,?,?,00000004), ref: 6E68C514
Part of subcall function 6E68C432: RegCloseKey.ADVAPI32(?), ref: 6E68C52F

OpenSCManagerW.ADVAPI32(00000000,00000000,80000000,?,00000000), ref: 6E68CAF9
OpenServiceW.ADVAPI32(00000000,IISADMIN,80000000,?,?,?,?,?,?,?,?,?,?,?,?,6E68CD32), ref: 6E68CB13
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E68CD32), ref: 6E68CBCE

Part of subcall function 6E68C543: QueryServiceConfig2W.ADVAPI32(?,00000002,?,00000100,?), ref: 6E68C5F3
Part of subcall function 6E68C543: GetLastError.KERNEL32 ref: 6E68C601
Part of subcall function 6E68C543: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E68C61C
Part of subcall function 6E68C543: GetLastError.KERNEL32(?), ref: 6E68C625
Part of subcall function 6E68C543: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,0000024E,DetermineIISResetState,( 2 ) Failed to query the IISAdmin service config, hr = %08x bytes needed = %d,00000000,?), ref: 6E68C668
Part of subcall function 6E68C543: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68C7C8

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,000003DB,AdminMonitorRequiresShutdown,Reset action is %d ,?), ref: 6E68CB5F

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

WaitForSingleObject.KERNEL32(?), ref: 6E68CB76
Sleep.KERNEL32(?), ref: 6E68CB93
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 6E68CBA6
CloseServiceHandle.ADVAPI32(00000000), ref: 6E68CBC7

Strings

IISADMIN, xrefs: 6E68CB0D
Reset action is %d , xrefs: 6E68CB45
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68CB54
AdminMonitorRequiresShutdown, xrefs: 6E68CB4A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: QueryService$ErrorLast$CloseOpenValue$FreeHandleInternal@MemoryPrint$Config2ManagerObjectResize@SingleSleepStatusWait
String ID: AdminMonitorRequiresShutdown$IISADMIN$Reset action is %d $inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 4205123854-670687361
Opcode ID: 4304b0bcf0a26c1e0d8d47ae82491b0ae90a69dd4c2ef5c62ec56a89f5d364b0
Instruction ID: 7fe59064266124ccc3bc8173ab23ac8dac85628aa37c1edd8199724fea50b2ca
Opcode Fuzzy Hash: 4304b0bcf0a26c1e0d8d47ae82491b0ae90a69dd4c2ef5c62ec56a89f5d364b0
Instruction Fuzzy Hash: 83318F76D40609ABDF119FEAEC88EEFB778EB4A314F10012AF5026A211D730A805CB65

Function 6E6858B5 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

PuLoadDebugFlagsFromRegStr.IISUTIL(System\CurrentControlSet\Services\W3SVC\Parameters\IisUtil,00000008,6E68553C), ref: 6E6858BC

Part of subcall function 6E686D40: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,00000000), ref: 6E686D65
Part of subcall function 6E686D40: PuLoadDebugFlagsFromReg.IISUTIL(00000000,?), ref: 6E686D73
Part of subcall function 6E686D40: RegCloseKey.ADVAPI32(00000000), ref: 6E686D7D

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,00000092,InitializeIISUtilProcessAttach,InitializeIISUtilProcessAttach,6E68553C), ref: 6E6858EE

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Part of subcall function 6E6859D4: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,000000E0,TerminateIISUtilProcessDetach,TerminateIISUtilProcessDetach,6E68554D), ref: 6E685A01

InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A915C,80000000,?,6E68553C), ref: 6E685919
InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A8668,80000000,?,6E68553C), ref: 6E685937
InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A8680,800003E8,?,6E68553C), ref: 6E685959
?Initialize@ALLOC_CACHE_HANDLER@@SGHXZ.IISUTIL(?,6E68553C), ref: 6E685976
?InitializeStatic@BIG_REF_TRACE@@SGJXZ.IISUTIL(?,6E68553C), ref: 6E68599C
?Initialize@EVENT_LOG@@SGJXZ.IISUTIL(?,6E68553C), ref: 6E6859AF

Strings

System\CurrentControlSet\Services\W3SVC\Parameters\IisUtil, xrefs: 6E6858B7
inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E6858E3
InitializeIISUtilProcessAttach, xrefs: 6E6858D4
InitializeIISUtilProcessAttach, xrefs: 6E6858D9

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Initialize$CountCriticalSectionSpin$DebugErrorFlagsFromInitialize@LastLoadPrint$CloseFreeInternal@MemoryOpenStatic@
String ID: InitializeIISUtilProcessAttach$InitializeIISUtilProcessAttach$System\CurrentControlSet\Services\W3SVC\Parameters\IisUtil$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx
API String ID: 4262487783-1658353140
Opcode ID: 46bfead52a1721d25a2f46818004f8804de6f6833c1231401f345a1b95b039bc
Instruction ID: 886181ee8b67519d553d320071bed8bbd2bfb0c77eeccf442ff64ff8cd0c5fca
Opcode Fuzzy Hash: 46bfead52a1721d25a2f46818004f8804de6f6833c1231401f345a1b95b039bc
Instruction Fuzzy Hash: 18117F70D807825BFF505FEAA80C74F3B587B0236CF4119959945AB390FB789805C779

Function 6E68D540 Relevance: 19.7, APIs: 13, Instructions: 163stringtimeCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057), ref: 6E68D560
strchr.MSVCRT ref: 6E68D577
atoi.MSVCRT ref: 6E68D5B4
atoi.MSVCRT ref: 6E68D5CF
atoi.MSVCRT ref: 6E68D5DD
atoi.MSVCRT ref: 6E68D5EB
atoi.MSVCRT ref: 6E68D6C7
?NtSystemTimeToLargeInteger@@YGHPBU_SYSTEMTIME@@PAT_LARGE_INTEGER@@@Z.IISUTIL(?,?), ref: 6E68D6FC
SetLastError.KERNEL32(00000057), ref: 6E68D707

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: atoi$ErrorLast$Integer@@LargeR@@@SystemTimestrchr
String ID:
API String ID: 3907561782-0
Opcode ID: 150390edbe2ab3da5e32a6bf0723551c540547456078f47843ff3994e64e2cf5
Instruction ID: 0a460623aa54a0975711fc0a7ae78aa982b0c85a248536724b880f164a5ecea3
Opcode Fuzzy Hash: 150390edbe2ab3da5e32a6bf0723551c540547456078f47843ff3994e64e2cf5
Instruction Fuzzy Hash: 6A51E439914649AACF15DFF8C4488EFB77DEF06314B00850BD89693641EB31A645CFBA

Function 6E67C8B6 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z.IISUTIL(LKRhash:::CLKRLinearHashTable,?,00000000), ref: 6E67C8F2

Part of subcall function 6E6878E0: ?InsertNewItem@ALLOC_CACHE_HANDLER@@SGXPAV1@@Z.IISUTIL(?,?,?), ref: 6E687976

??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z.IISUTIL(LKRhash:::CNodeClump,?,00000000), ref: 6E67C939
??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z.IISUTIL(LKRhash:::CSmallSegment,?,00000000), ref: 6E67C980
??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z.IISUTIL(LKRhash:::CMediumSegment,?,00000000), ref: 6E67C9C7
??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z.IISUTIL(LKRhash:::CLargeSegment,?,00000000), ref: 6E67CA0A

Strings

LKRhash:::CLargeSegment, xrefs: 6E67CA03
LKRhash:::CNodeClump, xrefs: 6E67C932
LKRhash:::CMediumSegment, xrefs: 6E67C9C0
LKRhash:::CSmallSegment, xrefs: 6E67C979
LKRhash:::CLKRLinearHashTable, xrefs: 6E67C8EB
<, xrefs: 6E67C91C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: InsertItem@V1@@
String ID: <$LKRhash:::CLKRLinearHashTable$LKRhash:::CLargeSegment$LKRhash:::CMediumSegment$LKRhash:::CNodeClump$LKRhash:::CSmallSegment
API String ID: 3765021739-2819535054
Opcode ID: 7acc67c81f65e9597fb5e4f605675066ee40090f88b92292285d48eac94e72f0
Instruction ID: 6ceffcb1af698885ee5b734f708b038afb7926f1914c8de5e48c1eac6ca30eda
Opcode Fuzzy Hash: 7acc67c81f65e9597fb5e4f605675066ee40090f88b92292285d48eac94e72f0
Instruction Fuzzy Hash: 3441D4B1E41206AAEF50DFEA9C14BDF7BB8AF06354F0084199991EF2C0EB709904DB90

Function 6E68DEC0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020006,?), ref: 6E68DEE5
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68DF0C
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 6E68DF5E
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68DF80
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx,00000120,SetStringParameterValueInAnyService,00000000,Failed writing string value), ref: 6E68DFB1
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68DFC6
RegCloseKey.ADVAPI32(?), ref: 6E68DFD6

Strings

SetStringParameterValueInAnyService, xrefs: 6E68DF28, 6E68DF9C
inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx, xrefs: 6E68DFA6
Openning registry key for write failed, xrefs: 6E68DF22
Failed writing string value, xrefs: 6E68DF96

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$CloseErrorOpenPrintValue
String ID: Failed writing string value$Openning registry key for write failed$SetStringParameterValueInAnyService$inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx
API String ID: 2888133020-1036294783
Opcode ID: e6aa554e055337990359e6ae66253d5a8923c78d525414822a8c472644d580c1
Instruction ID: fba01141b855f0825cf0bb1004e094f32ba186a59572de450261e719841bf494
Opcode Fuzzy Hash: e6aa554e055337990359e6ae66253d5a8923c78d525414822a8c472644d580c1
Instruction Fuzzy Hash: E231F831584552ABEB215F9ACC0CF6B7759EB46718F01411AB9449B261C371AC11DFB4

Function 6E68DD80 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019), ref: 6E68DDBA
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68DDEB
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 6E68DE1A
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68DE4F
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx,000000B7,ReadDwordParameterValueFromAnyService,00000000,Reading registry value failed), ref: 6E68DE70
SetConsoleTextAttribute.KERNEL32(?,00000007,?,?,?), ref: 6E68DE85
RegCloseKey.ADVAPI32(?), ref: 6E68DEA2

Strings

Reading registry value failed, xrefs: 6E68DE55
inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx, xrefs: 6E68DE65
ReadDwordParameterValueFromAnyService, xrefs: 6E68DDF7, 6E68DE5B
Opening registry key failed, xrefs: 6E68DDF1

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$CloseErrorOpenPrintQueryValue
String ID: Opening registry key failed$ReadDwordParameterValueFromAnyService$Reading registry value failed$inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx
API String ID: 257334535-2634718457
Opcode ID: 0850fbe582f2ede9b027f87c6ddb4896df95887c9659e93eed4d3788c41a6aab
Instruction ID: f27b4dd1b6d0c0006b3711f992965d9c1fd43adb162b7533fed2b91e6761f557
Opcode Fuzzy Hash: 0850fbe582f2ede9b027f87c6ddb4896df95887c9659e93eed4d3788c41a6aab
Instruction Fuzzy Hash: 1431A672845206AFDB119F9ACC4CB5FBBA8BB46315F00062AFA54A7261C73198158FB5

Function 6E68DFF0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?), ref: 6E68E019
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 6E68E04D
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68E08B
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx,0000018F,ReadStringParameterValueFromAnyService,8000FFFF,Key was not of string type ), ref: 6E68E0ED
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68E102
RegCloseKey.ADVAPI32(00000000), ref: 6E68E113

Strings

inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx, xrefs: 6E68E0E2
ReadStringParameterValueFromAnyService, xrefs: 6E68E097, 6E68E0D8
Inetinfo: Failed reading registry value , xrefs: 6E68E091
Key was not of string type , xrefs: 6E68E0D2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$CloseErrorOpenPrintQueryValue
String ID: Inetinfo: Failed reading registry value $Key was not of string type $ReadStringParameterValueFromAnyService$inetsrv\iis\iisrearc\core\common\util\helpfunc.cxx
API String ID: 257334535-3197213549
Opcode ID: b7fc25699a551b33ffc1705696e62266680aa5b9a573773844830a7cfeec6dfb
Instruction ID: 5bbd14c6e527c9eab1e5d74fea88c15782b2190c397d0339def3b80a4a0ec8e2
Opcode Fuzzy Hash: b7fc25699a551b33ffc1705696e62266680aa5b9a573773844830a7cfeec6dfb
Instruction Fuzzy Hash: 7331C531584252BFEF215E96CC0CB5B7F94EB07365F004525F998662A1C7319865CBF2

Function 6E68C1F8 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 69synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,00000001), ref: 6E68C1FD
GetLastError.KERNEL32(?,00000001), ref: 6E68C20C
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000099,StartIISAdminMonitor,Can not create startup complete event for monitoring the inetinfo process, hr = %08x), ref: 6E68C245
CreateThread.KERNEL32(?,00008000,Function_0001C7F0,?,?,6E6A86B8), ref: 6E68C265
GetLastError.KERNEL32(?,00008000,Function_0001C7F0,?,?,6E6A86B8,?,00000001), ref: 6E68C274
WaitForSingleObject.KERNEL32(?,000000FF,?,00008000,Function_0001C7F0,?,?,6E6A86B8,?,00000001), ref: 6E68C291
CloseHandle.KERNEL32(00000000), ref: 6E68C2B3
CloseHandle.KERNEL32(?), ref: 6E68C2C9

Strings

Can not create shutdown event for monitoring the inetinfo process, hr = %08x, xrefs: 6E68C22B
StartIISAdminMonitor, xrefs: 6E68C230
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68C23A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventObjectPrintSingleThreadWait
String ID: Can not create shutdown event for monitoring the inetinfo process, hr = %08x$StartIISAdminMonitor$inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 3711291514-2421879754
Opcode ID: d24f66bd5a21fa07ec8c06ae096986fc62007d2f69c0892bf91ab707ad2f5971
Instruction ID: aa78551ee4792e65cf4c56d8b434e672890d3bd266552ee071d1351fd089c7a5
Opcode Fuzzy Hash: d24f66bd5a21fa07ec8c06ae096986fc62007d2f69c0892bf91ab707ad2f5971
Instruction Fuzzy Hash: 1C216875D85A6197DB259EDA9C1CB1B7B64A783B11F000716FC41AB390D720980596B3

Function 6E68C2E0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 6E68C2F4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6E68C310
GetLastError.KERNEL32 ref: 6E68C32D
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,0000011E,StopIISAdminMonitor,Failed to wait for iis admin thread to shutdown. hr = %08x,00000000), ref: 6E68C352
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000123,StopIISAdminMonitor,Inetinfo monitor thread has completed), ref: 6E68C381
CloseHandle.KERNEL32 ref: 6E68C38F
CloseHandle.KERNEL32(00000000), ref: 6E68C3A6

Strings

Failed to wait for iis admin thread to shutdown. hr = %08x, xrefs: 6E68C340
Inetinfo monitor thread has completed, xrefs: 6E68C36F
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68C322, 6E68C34B, 6E68C37A
StopIISAdminMonitor, xrefs: 6E68C318, 6E68C345, 6E68C374

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseHandlePrint$ErrorEventLastObjectSingleWait
String ID: Failed to wait for iis admin thread to shutdown. hr = %08x$Inetinfo monitor thread has completed$StopIISAdminMonitor$inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 2332343693-3609325408
Opcode ID: 3c30a9f960c89a9682e2e030fe429babd69012156d9ff3b035cbfa9abe32c7d9
Instruction ID: 5adb940eb9cb0cb1a1735499feeb0df2bf4c064521ecc2343daa0aa9f5510f74
Opcode Fuzzy Hash: 3c30a9f960c89a9682e2e030fe429babd69012156d9ff3b035cbfa9abe32c7d9
Instruction Fuzzy Hash: B511D3B5A9064167EF108EAFDC0CF5F3758AB53265B040219F815DB3A2DB20F81286B5

Function 6E683410 Relevance: 18.2, APIs: 12, Instructions: 215stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 6E683428
isxdigit.MSVCRT ref: 6E683453
isxdigit.MSVCRT ref: 6E683467
isxdigit.MSVCRT ref: 6E68347B
isxdigit.MSVCRT ref: 6E68348F
WideCharToMultiByte.KERNEL32(00000000,00000400,00000000,00000001,00000000,00000002,00000000,00000000), ref: 6E68353C
isxdigit.MSVCRT ref: 6E683551
isxdigit.MSVCRT ref: 6E683561
strchr.MSVCRT ref: 6E6835C9
memmove.MSVCRT ref: 6E6835E9
?SyncWithBuffer@STRA@@QAEXXZ.IISUTIL ref: 6E68360F
memmove.MSVCRT ref: 6E68362E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: isxdigit$memmovestrchr$Buffer@ByteCharMultiSyncWideWith
String ID:
API String ID: 3219190148-0
Opcode ID: ba69ba674e59353a7b0a66f52a9ef9696c9bef09817fa6a4ba6ae4da7095566c
Instruction ID: 6734844f9f23f30ae1983da18805f21fde25db77a234bcfc7b0d792f07f87a0d
Opcode Fuzzy Hash: ba69ba674e59353a7b0a66f52a9ef9696c9bef09817fa6a4ba6ae4da7095566c
Instruction Fuzzy Hash: 0E5154B69C8652AFEB154AFD892C3EF7FE99B07710F04404BE4A1C2A43D368D5068772

Function 6E67F090 Relevance: 18.2, APIs: 12, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?,?,?,?,?,?), ref: 6E67F0CA
?_AllocateSegmentDirectory@CLKRLinearHashTable@@CGQAVCDirEntry@@I@Z.IISUTIL(00000000,?,?,?,?,?,?,?,?,?), ref: 6E67F0FE
?_FreeSegmentDirectory@CLKRLinearHashTable@@AAE_NXZ.IISUTIL(00000000,?,?,?,?,?,?,?,?,?), ref: 6E67F12A
?_AllocateSegment@CLKRLinearHashTable@@ABEQAVCSegment@@XZ.IISUTIL ref: 6E67F160
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67F171
?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67F1C5
?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67F1CC
?_AllocateNodeClump@CLKRLinearHashTable@@CGQAVCNodeClump@@XZ.IISUTIL ref: 6E67F1DC
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67F22D
?_SplitRecordSet@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@PAVCNodeClump@@0KKK0@Z.IISUTIL(?,?,?,?,?,?), ref: 6E67F24F
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67F258
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67F260

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriteWriter$HashLinearTable@@$Lock2@@Unlock@$AllocateLock3@@Lock@Node$Directory@Segment$Clump@Clump@@Clump@@0Entry@@FreeRecordSegment@Segment@@Set@Split
String ID:
API String ID: 2002723007-0
Opcode ID: 61bd95a2e2f01fc4261316c43d511b1a13ee1ea1ea5a9bfc08ca2dde7c10ca78
Instruction ID: 5d16881fb36d13248b6e0f3ca7404f32606044215018111afe2596a1b616a09a
Opcode Fuzzy Hash: 61bd95a2e2f01fc4261316c43d511b1a13ee1ea1ea5a9bfc08ca2dde7c10ca78
Instruction Fuzzy Hash: 23619B75A007059FCF34CFA9C99089AB7F6FF89318B20492ED86297B40EB31E945CB50

Function 6E683640 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(?), ref: 6E683710
?Copy@STRA@@QAEJPBDK@Z.IISUTIL(?,?), ref: 6E68372E
?Resize@BUFFER@@QAE_NKK@Z.IISUTIL(?,?), ref: 6E68374D
?AuxAppend@STRA@@AAEJPBEKK_N@Z.IISUTIL(?,00000003,?,00000001,?,?), ref: 6E6837B3
?AuxAppend@STRA@@AAEJPBEKK_N@Z.IISUTIL(?,00000001,00000000,00000001), ref: 6E6837D2

Part of subcall function 6E682F60: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?,00000001,?,?,?,?,6E678E59,00000000,00000001,?,00000001), ref: 6E682FB4
Part of subcall function 6E682F60: GetLastError.KERNEL32(?,00000001,?,?,?,?,6E678E59,00000000,00000001,?,00000001), ref: 6E682FBD

?AuxAppend@STRA@@AAEJPBEKK_N@Z.IISUTIL(?,00000000,00000000,00000001), ref: 6E683802
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E683814
GetLastError.KERNEL32(?,?), ref: 6E68382F

Strings

%, xrefs: 6E68375F
, xrefs: 6E683659

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@Resize@$ErrorLast$Copy@FreeInternal@Memory
String ID: $%
API String ID: 3192582106-2111875603
Opcode ID: d5b7769ab1759e72f8860ccf488468dbe947769a3d24645431388b189be535fe
Instruction ID: f2c5abb5940dbe7d3b3d56b0c0632e36e471569f91de43542b4feaf892e289a3
Opcode Fuzzy Hash: d5b7769ab1759e72f8860ccf488468dbe947769a3d24645431388b189be535fe
Instruction Fuzzy Hash: 4C513CB2A993424FE715CAA8C46879B7BE4AF82314F14091EF8D1873D1D735C484C7A6

Function 6E692BC0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 100pipeCOMMON

Download Yara Rule

APIs

DisconnectNamedPipe.KERNEL32(000000FF,?,?,00000000,?,?,?,?,?), ref: 6E692C39
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?), ref: 6E692C46
?StartNamedPipe@IPM2_MESSAGE_PIPE@@AAEJPAH@Z.IISUTIL(?,?,?,00000000,?,?,?,?,?), ref: 6E692C65

Part of subcall function 6E692D90: SetConsoleTextAttribute.KERNEL32(?,00000004,00000000,?,00000001,?), ref: 6E692DE7
Part of subcall function 6E692D90: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000004C9,IPM2_MESSAGE_PIPE::StartNamedPipe,IPM2_MESSAGE_PIPE::StartNamedPipe failed ConnectNamedPipe, hr = 0x%08x,00000000), ref: 6E692E83
Part of subcall function 6E692D90: SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E692E98

SetConsoleTextAttribute.KERNEL32(?,00000004,?,?,00000000,?,?,?,?,?), ref: 6E692CA6
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000455,IPM2_MESSAGE_PIPE::NotifyPipeDisconnected,IPM2_MESSAGE_PIPE::NotifyPipeDisconnected m_pAcceptor->PipeConnected failed hr=0x%08x,00000000,?,?,00000000,?,?,?,?,?), ref: 6E692CC7
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E692CDC
?LegacyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAEXJ@Z.IISUTIL(?,?,?,00000000,?,?,?,?,?), ref: 6E692CE9

Strings

IPM2_MESSAGE_PIPE::NotifyPipeDisconnected m_pAcceptor->PipeConnected failed hr=0x%08x, xrefs: 6E692CAD
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E692CBC
IPM2_MESSAGE_PIPE::NotifyPipeDisconnected, xrefs: 6E692CB2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$NamedPipePrint$DisconnectDisconnected@ErrorLastLegacyPipe@Start
String ID: IPM2_MESSAGE_PIPE::NotifyPipeDisconnected$IPM2_MESSAGE_PIPE::NotifyPipeDisconnected m_pAcceptor->PipeConnected failed hr=0x%08x$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 2872559620-2714477533
Opcode ID: 6fdd589a644894acec53548cfd0c1ff7e0039dcc57ddbedfdb8ad427ba044202
Instruction ID: ecbe73cf63708d60c79e4993c18b1b23e796ea462244106d0a7b5d848a7c816a
Opcode Fuzzy Hash: 6fdd589a644894acec53548cfd0c1ff7e0039dcc57ddbedfdb8ad427ba044202
Instruction Fuzzy Hash: 6F31E430640A12EBCB529FA5EC09B6EB7A5FB46315F004529F915AB390C730EC55DBD4

Function 6E68A0A0 Relevance: 16.8, APIs: 11, Instructions: 263COMMON

Download Yara Rule

APIs

GetKernelObjectSecurity.ADVAPI32(?,00000004,00000000,00000000,?), ref: 6E68A242
GetLastError.KERNEL32 ref: 6E68A24D

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorKernelLastObjectSecurity
String ID:
API String ID: 617647591-0
Opcode ID: 452ffdc4721e6fd74e131b8dfb5f7d1dca7d0674ea95a1a5776042e403713187
Instruction ID: f13b53f559149bafbb89e52a0b7e08fd17bad49f64d712ff23066c864d7247b0
Opcode Fuzzy Hash: 452ffdc4721e6fd74e131b8dfb5f7d1dca7d0674ea95a1a5776042e403713187
Instruction Fuzzy Hash: E5815076D4061AAFDF518AE9D844AEFBBBCEB05324F10412AED04F7280E735AD0497B4

Function 6E693797 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 182COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000075B,IsReadDataOk,data type + data size validation failed on: %d %d,00000000,?,6E693E94,?), ref: 6E69385E
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000073B,IsReadDataOk,size validation failed on: %d,?,?,?,00000000,?,?,6E693E94,?), ref: 6E6939DA

Strings

data type + data size validation failed on: %d %d, xrefs: 6E6938E7
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E693853, 6E6939CF
data flow validation failed on: %d , xrefs: 6E69393F, 6E693979
size validation failed on: %d, xrefs: 6E6939C0
max size validation failed on: %d %d, xrefs: 6E693844
data validation failed on: %d, xrefs: 6E6939A5
IsReadDataOk, xrefs: 6E693849, 6E6938EC, 6E693944, 6E69397E, 6E6939AA, 6E6939C5

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print
String ID: IsReadDataOk$data flow validation failed on: %d $data type + data size validation failed on: %d %d$data validation failed on: %d$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx$max size validation failed on: %d %d$size validation failed on: %d
API String ID: 3558298466-1293992405
Opcode ID: 1363752b25942b76c655b92ea0e86aa8c7e7d83ba8cb05b19529702ec9e6ed3c
Instruction ID: 221b82a1aee609fec99711270c8e62164ca1f219e566102f1e728c3fe669f30c
Opcode Fuzzy Hash: 1363752b25942b76c655b92ea0e86aa8c7e7d83ba8cb05b19529702ec9e6ed3c
Instruction Fuzzy Hash: F4510B34B90A159FDF119F65CC5CB2C7BA5EB4A321B04406AEC4A9B3A6DB347D05CF81

Function 6E69150F Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 169COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000006E3,IsReadDataOk,data type + data size validation failed on: %d %d,00000000,?,6E691B64,?), ref: 6E6915D3
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000006C3,IsReadDataOk,size validation failed on: %d,?,?,?,00000000,?,?,6E691B64,?), ref: 6E691727

Strings

data type + data size validation failed on: %d %d, xrefs: 6E691659
size validation failed on: %d, xrefs: 6E69170D
max size validation failed on: %d %d, xrefs: 6E6915B9
data validation failed on: %d, xrefs: 6E6916F2
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E6915C8, 6E69171C
server side validation failed on: %d , xrefs: 6E6916C7
IsReadDataOk, xrefs: 6E6915BE, 6E69165E, 6E6916CC, 6E6916F7, 6E691712

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print
String ID: IsReadDataOk$data type + data size validation failed on: %d %d$data validation failed on: %d$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx$max size validation failed on: %d %d$server side validation failed on: %d $size validation failed on: %d
API String ID: 3558298466-4168586017
Opcode ID: 385bc16134245a6bce0757d7415d0a95dc03ee33e062fb3910d264d28a0f3722
Instruction ID: 58198d0e73b0cf876dfa6fdf0f3889938c290c5dc8cca2ab8d55e7367ffcfceb
Opcode Fuzzy Hash: 385bc16134245a6bce0757d7415d0a95dc03ee33e062fb3910d264d28a0f3722
Instruction Fuzzy Hash: 7151D838B409259FDF119F55C864B2C7FAADB4B310B15446AEC029B3A2CB74BD0ADB91

Function 6E67A580 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 6E6811A7
CloseHandle.KERNEL32(?,?,?,00000000,6E698A68), ref: 6E6811E9

Strings

%ls, xrefs: 6E681267
inetsrv\iis\iisrearc\core\common\util\irtldbg.cpp, xrefs: 6E681273
Close semaphore in destructor for CSharelock, xrefs: 6E6811FF
Wakeup failed in ReleaseLock(), xrefs: 6E6811C3
IrtlTrace, xrefs: 6E68126C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore
String ID: %ls$Close semaphore in destructor for CSharelock$IrtlTrace$Wakeup failed in ReleaseLock()$inetsrv\iis\iisrearc\core\common\util\irtldbg.cpp
API String ID: 68019002-1329658642
Opcode ID: 519de13795ad4d775db3210f6b21a72bbab6b8952d228d7a5d5103140ae033d4
Instruction ID: 86b134832f28131178b0c698d69a3e37abcdf6e6e0b8b377c746eb66493f666a
Opcode Fuzzy Hash: 519de13795ad4d775db3210f6b21a72bbab6b8952d228d7a5d5103140ae033d4
Instruction Fuzzy Hash: 6921F770900209BBDF018FE9CD08F9E77ACEB05319F6005D5A9189B252EB32EA45DBA4

Function 6E690590 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000025D,IpmWriteFileChunked,IpmWriteFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,?,?,?,?,?), ref: 6E6905E1

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

WriteFile.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 6E690629
GetLastError.KERNEL32 ref: 6E690633
GetOverlappedResult.KERNEL32(?,?,00000000,00000001), ref: 6E69064A
GetLastError.KERNEL32 ref: 6E690669
GetLastError.KERNEL32 ref: 6E69067D

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E6905D6
IpmWriteFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E6905C7
IpmWriteFileChunked, xrefs: 6E6905CC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FileFreeInternal@MemoryOverlappedPrintResultWrite
String ID: IpmWriteFileChunked$IpmWriteFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 3890206533-1085080289
Opcode ID: 552412ad4f9da38be42d22840597090139fc7d478c3e12054fe6efa92378451a
Instruction ID: cddbe12063c5e345a1fa99d5a093a940cdc3e90c2319e0c1546932f5b1abef70
Opcode Fuzzy Hash: 552412ad4f9da38be42d22840597090139fc7d478c3e12054fe6efa92378451a
Instruction Fuzzy Hash: 2731C131E40107ABDB948BDA8C54FAE7779EBC2314F108125E825AB344E730ED80BBA0

Function 6E692319 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,000001C1,Ipm2WriteFileChunked,Ipm2WriteFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,?,?,?,?,?), ref: 6E69236A

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

WriteFile.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 6E6923B2
GetLastError.KERNEL32 ref: 6E6923BC
GetOverlappedResult.KERNEL32(?,?,?,00000001), ref: 6E6923D3
GetLastError.KERNEL32 ref: 6E6923F2
GetLastError.KERNEL32 ref: 6E692406

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E69235F
Ipm2WriteFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E692350
Ipm2WriteFileChunked, xrefs: 6E692355

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FileFreeInternal@MemoryOverlappedPrintResultWrite
String ID: Ipm2WriteFileChunked$Ipm2WriteFileChunked called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 3890206533-323547999
Opcode ID: c9ebbe00f7325d7a85f5853e952ea054f2e75db0c356650bfd26654b8f78c7e9
Instruction ID: 49f9ab38c156e06dfb3d3f4a06181ceb7223b0f1008b03fa1740c8f6c337b1f2
Opcode Fuzzy Hash: c9ebbe00f7325d7a85f5853e952ea054f2e75db0c356650bfd26654b8f78c7e9
Instruction Fuzzy Hash: 9B31A271E94506EBDB10CAEAEC44EAF7779EBA2B14F108125E814DB344D730DD91A7A0

Function 6E68C432 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,System\CurrentControlSet\Services\IISAdmin\Parameters,00000000,00020019,?), ref: 6E68C483
RegQueryValueExW.ADVAPI32(?,MillisecondsToWaitForShutdownAfterCrash,00000000,?,?,?), ref: 6E68C4AE
RegQueryValueExW.ADVAPI32(?,MillisecondsToWaitForInetinfoRestartAfterCrash,00000000,?,?,00000004), ref: 6E68C4E3
RegQueryValueExW.ADVAPI32(?,MillisecondsCheckIntervalForInetinfoToRestart,00000000,?,?,00000004), ref: 6E68C514
RegCloseKey.ADVAPI32(?), ref: 6E68C52F

Strings

MillisecondsCheckIntervalForInetinfoToRestart, xrefs: 6E68C50C
MillisecondsToWaitForInetinfoRestartAfterCrash, xrefs: 6E68C4DB
System\CurrentControlSet\Services\IISAdmin\Parameters, xrefs: 6E68C46D
MillisecondsToWaitForShutdownAfterCrash, xrefs: 6E68C4A6

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: MillisecondsCheckIntervalForInetinfoToRestart$MillisecondsToWaitForInetinfoRestartAfterCrash$MillisecondsToWaitForShutdownAfterCrash$System\CurrentControlSet\Services\IISAdmin\Parameters
API String ID: 1586453840-3801827760
Opcode ID: bf88deca03f062830ab7db0cfaabc4fd5a8861c13dbf03f8c716ab32d06ebafd
Instruction ID: c4afe637082861d954a347dda23b42f9f677c000dfef9891c162621ae1431e0c
Opcode Fuzzy Hash: bf88deca03f062830ab7db0cfaabc4fd5a8861c13dbf03f8c716ab32d06ebafd
Instruction Fuzzy Hash: 7F310FB1A10209ABEF118FD5CC84FEFB7BCFB06705F10016AE915EA241E771AA54CB65

Function 6E689390 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,?,?,6E6895D9,?,?,?,?), ref: 6E6893D0
LeaveCriticalSection.KERNEL32(?,?,?,6E6895D9,?,?,?,?), ref: 6E6894A6

Strings

Event Log for %S initialized (hEventSource=%p), xrefs: 6E689433
inetsrv\iis\iisrearc\core\common\util\eventlog.cxx, xrefs: 6E689481
Could not register event source (%S) ( Error %lu), xrefs: 6E689472
EVENT_LOG::LazyInit, xrefs: 6E689438, 6E689477

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Event Log for %S initialized (hEventSource=%p)$Could not register event source (%S) ( Error %lu)$EVENT_LOG::LazyInit$inetsrv\iis\iisrearc\core\common\util\eventlog.cxx
API String ID: 3168844106-3326138938
Opcode ID: 8547caf1438a921c01c45616b10871d8e677b683cabc20a155a128542f333817
Instruction ID: a25132c5b88b0c312081e8f7392bc2210dfc2c5f99a8f9a4ca1b4d11414a2504
Opcode Fuzzy Hash: 8547caf1438a921c01c45616b10871d8e677b683cabc20a155a128542f333817
Instruction Fuzzy Hash: 59310834694681AFDB208F9EDC84D2A33A9E74736CB10511CED559B792DB32FC02CB64

Function 6E694600 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 72pipewindowCOMMON

Download Yara Rule

APIs

?PipeConnected@MULTI_IPM@@QAEJXZ.IISUTIL ref: 6E694622

Part of subcall function 6E694460: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,00000102,MULTI_IPM::PipeConnected,Pipe connected. Use count: %d,?), ref: 6E69449F
Part of subcall function 6E694460: ?InstantiatePipe@MULTI_IPM@@AAEJPAU_SECURITY_ATTRIBUTES@@@Z.IISUTIL(00000000), ref: 6E6944B0
Part of subcall function 6E694460: SetConsoleTextAttribute.KERNEL32(?,00000004,00000000), ref: 6E6944D2
Part of subcall function 6E694460: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,0000010C,MULTI_IPM::PipeConnected,MULTI_IPM::PipeConnected InstantiatePipe FAILED hr=0x%08X ,00000000), ref: 6E6944EF
Part of subcall function 6E694460: SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E694504

GetCurrentProcessId.KERNEL32 ref: 6E694641
?WriteMessage@IPM2_MESSAGE_PIPE@@QAEJW4IPM2_OPCODE@@HKKPAXK1@Z.IISUTIL(00000001,00000000,00000000,00000000,00000000,00000008,00000000), ref: 6E694665

Part of subcall function 6E693270: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000060A,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage called with opcode=%d, len=%d, writesize=%d,?,?,?), ref: 6E693327
Part of subcall function 6E693270: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000613,IPM2_MESSAGE_PIPE::WriteMessage,IPM2_MESSAGE_PIPE::WriteMessage failed CreateMessage, hr = %x,00000000,?), ref: 6E69336D
Part of subcall function 6E693270: ?NotifyPipeDisconnected@IPM2_MESSAGE_PIPE@@AAGXJ@Z.IISUTIL(?,80070216), ref: 6E6935D2

SetConsoleTextAttribute.KERNEL32(?,00000004,00000001,00000000,00000000,00000000,00000000,00000008,00000000), ref: 6E694687
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,0000016E,IPM_INSTANCE::PipeConnected,IPM_INSTANCE::PipeConnected WriteMessage failed hr=0x%08X,00000000), ref: 6E6946A8

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E6946BD

Strings

IPM_INSTANCE::PipeConnected, xrefs: 6E694693
IPM_INSTANCE::PipeConnected WriteMessage failed hr=0x%08X, xrefs: 6E69468E
inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx, xrefs: 6E69469D

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print$AttributeConsoleText$ErrorLastPipe$Connected@CurrentDisconnected@FreeInstantiateInternal@MemoryMessage@NotifyPipe@ProcessS@@@Write
String ID: IPM_INSTANCE::PipeConnected$IPM_INSTANCE::PipeConnected WriteMessage failed hr=0x%08X$inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx
API String ID: 3635968646-3548723115
Opcode ID: 67f7edbdbf95d613505b6f6e271957ae9174d7b245119184efba6475063d476e
Instruction ID: bdb4cfd1affd4d532829279ce49f1b6f2520ee5a79498d3644fc9e58fe7abe14
Opcode Fuzzy Hash: 67f7edbdbf95d613505b6f6e271957ae9174d7b245119184efba6475063d476e
Instruction Fuzzy Hash: F021C231A40504BFDF018FA9CC49F6EBBB5EB85705F0480A9EA059B392CB70AC058B94

Function 6E68068A Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 70libraryloadersleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 6E6806BC
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6E6806D7
GetProcAddress.KERNEL32(00000000,SwitchToThread), ref: 6E6806E9
GetProcAddress.KERNEL32(00000000,TryEnterCriticalSection), ref: 6E6806FA
GetProcAddress.KERNEL32(00000000,SetCriticalSectionSpinCount), ref: 6E68070B

Strings

TryEnterCriticalSection, xrefs: 6E6806EF
kernel32.dll, xrefs: 6E6806D2
SwitchToThread, xrefs: 6E6806E3
SetCriticalSectionSpinCount, xrefs: 6E680700

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AddressProc$HandleModuleSleep
String ID: SetCriticalSectionSpinCount$SwitchToThread$TryEnterCriticalSection$kernel32.dll
API String ID: 2249130157-1033352837
Opcode ID: ffda62013fd5476656a51f2e869ffbd1448b1124d5edfad9c6c10d0fe316063b
Instruction ID: 33b1379feaf48c761006b7ef7597c8edb0c782f9d7675ee7ba26757cd56295fa
Opcode Fuzzy Hash: ffda62013fd5476656a51f2e869ffbd1448b1124d5edfad9c6c10d0fe316063b
Instruction Fuzzy Hash: 4F212AB0D82644DBFB918FAAD50874A3BB4AB53309F109929D5149B360E770A981CFB5

Function 6E694460 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 58pipeCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,00000102,MULTI_IPM::PipeConnected,Pipe connected. Use count: %d,?), ref: 6E69449F

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

?InstantiatePipe@MULTI_IPM@@AAEJPAU_SECURITY_ATTRIBUTES@@@Z.IISUTIL(00000000), ref: 6E6944B0
SetConsoleTextAttribute.KERNEL32(?,00000004,00000000), ref: 6E6944D2
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,0000010C,MULTI_IPM::PipeConnected,MULTI_IPM::PipeConnected InstantiatePipe FAILED hr=0x%08X ,00000000), ref: 6E6944EF
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E694504

Strings

MULTI_IPM::PipeConnected, xrefs: 6E694480, 6E69448E, 6E6944DE
inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx, xrefs: 6E694494, 6E6944E4
Pipe connected. Use count: %d, xrefs: 6E694489
MULTI_IPM::PipeConnected InstantiatePipe FAILED hr=0x%08X , xrefs: 6E6944D9

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleErrorLastPrintText$FreeInstantiateInternal@MemoryPipe@S@@@
String ID: MULTI_IPM::PipeConnected$MULTI_IPM::PipeConnected InstantiatePipe FAILED hr=0x%08X $Pipe connected. Use count: %d$inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx
API String ID: 466560324-1449044624
Opcode ID: 1419a7bf7780299a43db25dc90b6faf95adb9d0a3401a78eb0052aceba8a5bd4
Instruction ID: 31aa9cbe53a96fc2b6ca5430b68ec0f22e7a6cd9a873a3dd26a3debcdab52eb6
Opcode Fuzzy Hash: 1419a7bf7780299a43db25dc90b6faf95adb9d0a3401a78eb0052aceba8a5bd4
Instruction Fuzzy Hash: C91148319846017FEF225E9ADC49F6A3B59EB42329F040261F9585B3E3D7B13D2286E4

Function 6E688310 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000015), ref: 6E688320
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,0000019E,RemoveWorkItem,RemoveWorkItem: cookie=%d,?), ref: 6E68835F
EnterCriticalSection.KERNEL32(6E6A8668), ref: 6E68836E
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E68837E

Strings

inetsrv\iis\iisrearc\core\common\util\sched.cxx, xrefs: 6E688354
RemoveWorkItem: cookie=%d, xrefs: 6E688345
RemoveWorkItem, xrefs: 6E68834A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeavePrint
String ID: RemoveWorkItem$RemoveWorkItem: cookie=%d$inetsrv\iis\iisrearc\core\common\util\sched.cxx
API String ID: 537697161-3590841335
Opcode ID: e12c904e1231513a5f57685bff1f66391fa97e6862a496d6fc59142a9a68318e
Instruction ID: d2fd342c2eeba856201d6b09383c4902d9dd20656d1d82838f9db626c3f703d3
Opcode Fuzzy Hash: e12c904e1231513a5f57685bff1f66391fa97e6862a496d6fc59142a9a68318e
Instruction Fuzzy Hash: 44014931AC1D11ABCB215BEE9808BAF3769AFB7709F810824F501AE361CB34D85196F5

Function 6E685C00 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E6A915C), ref: 6E685C09
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,00000158,TerminateIISUtil,TerminateIISUtil, %d %s,?,Uninitializing), ref: 6E685C52
?ResetLookasideCleanupInterval@ALLOC_CACHE_HANDLER@@SGHXZ.IISUTIL ref: 6E685C63
SchedulerTerminate.IISUTIL ref: 6E685C68
LeaveCriticalSection.KERNEL32(6E6A915C), ref: 6E685C78

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E685C47
TerminateIISUtil, %d %s, xrefs: 6E685C38
TerminateIISUtil, xrefs: 6E685C3D
Uninitializing, xrefs: 6E685C27, 6E685C36

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$CleanupEnterInterval@LeaveLookasidePrintResetSchedulerTerminate
String ID: TerminateIISUtil$TerminateIISUtil, %d %s$Uninitializing$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx
API String ID: 3592840689-2524625203
Opcode ID: e41415195860a4ca6533cf02e95ef2f051aa23aa9724481568ae0076d6b21ac2
Instruction ID: f9d5c21fe3069ca2aa0588290dfa1e7a29e9661f686b2754d3db87bc8da56d6d
Opcode Fuzzy Hash: e41415195860a4ca6533cf02e95ef2f051aa23aa9724481568ae0076d6b21ac2
Instruction Fuzzy Hash: 02F0E2B499054177DE106EE9A85DCDE3718EB5332D7150414F4016B381DB226C968A76

Function 6E6859D4 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,000000E0,TerminateIISUtilProcessDetach,TerminateIISUtilProcessDetach,6E68554D), ref: 6E685A01

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

?Terminate@EVENT_LOG@@SGXXZ.IISUTIL ref: 6E685A1D

Part of subcall function 6E6890B0: DeleteCriticalSection.KERNEL32(?), ref: 6E6890C2
Part of subcall function 6E6890B0: ?DestroyEventLogSource@EVENT_LOG@@CGXPAU_EVENT_LOG_SOURCE@@@Z.IISUTIL(?), ref: 6E6890E8
Part of subcall function 6E6890B0: GetProcessHeap.KERNEL32(00000000,?), ref: 6E689101
Part of subcall function 6E6890B0: HeapFree.KERNEL32(00000000), ref: 6E689108

?Cleanup@ALLOC_CACHE_HANDLER@@SGHH@Z.IISUTIL(00000000), ref: 6E685A2E

Part of subcall function 6E687550: DeleteCriticalSection.KERNEL32(?), ref: 6E687563

DeleteCriticalSection.KERNEL32(6E6A8680), ref: 6E685A41
DeleteCriticalSection.KERNEL32(6E6A8668), ref: 6E685A53
DeleteCriticalSection.KERNEL32(6E6A915C,6E68554D), ref: 6E685A5E

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E6859F6
TerminateIISUtilProcessDetach, xrefs: 6E6859E7
TerminateIISUtilProcessDetach, xrefs: 6E6859EC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalDeleteSection$ErrorFreeHeapLast$Cleanup@DestroyE@@@EventInternal@MemoryPrintProcessSource@Terminate@
String ID: TerminateIISUtilProcessDetach$TerminateIISUtilProcessDetach$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx
API String ID: 2291002637-959836108
Opcode ID: ffbaf06c756478b63655625d44c1060617246e7392c7f0838fe013d826af08f4
Instruction ID: da3a7f272cf4cf1a0d7da1b21d98167b69b2bd389fbc96ba810982c5083ed4ae
Opcode Fuzzy Hash: ffbaf06c756478b63655625d44c1060617246e7392c7f0838fe013d826af08f4
Instruction Fuzzy Hash: 6EF0C274C90681ABEF109FFDE89DB4D3B207B0330EF140405E1026F3A1D7756861C62A

Function 6E686679 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97stringthreadCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 6E68668B
GetCurrentThreadId.KERNEL32 ref: 6E6866B6
swprintf_s.MSVCRT ref: 6E6866C6
_vsnwprintf_s.MSVCRT ref: 6E6866ED
?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E686702
_vsnwprintf_s.MSVCRT ref: 6E686734
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL ref: 6E686753

Strings

%lu %hs!%hs [%hs @ %d]:, xrefs: 6E6866BD

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: _vsnwprintf_s$Buffer@CurrentResize@SyncThreadWithstrrchrswprintf_s
String ID: %lu %hs!%hs [%hs @ %d]:
API String ID: 2970611915-2851016625
Opcode ID: 09affa8077df107425f26ecb082b623b4afa14e288454ce43854e7e40bcda1c8
Instruction ID: 9b5f3c454ed2ad347a1aaceb8127e9b1537a2eec230e53976db0544c62a6927e
Opcode Fuzzy Hash: 09affa8077df107425f26ecb082b623b4afa14e288454ce43854e7e40bcda1c8
Instruction Fuzzy Hash: EB3191B16105049F8F548F6DCC88CAF3BAAFF893207154259FD1ACB295DA31DC10CBA0

Function 6E6815C0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

?AuxAppend@STRA@@AAEJPBEKK_N@Z.IISUTIL(?,00000001,?,00000001), ref: 6E681678
?Append@STRA@@QAEJPBD@Z.IISUTIL("), ref: 6E6816A2

Strings

", xrefs: 6E68169B
', xrefs: 6E68168D
%, xrefs: 6E6815C9
>, xrefs: 6E68167F
<, xrefs: 6E681686
&, xrefs: 6E681694

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@
String ID: %$&$'$>$<$"
API String ID: 3021750933-1171047623
Opcode ID: 8f6ad8a187ce435234d022b2659b9ddc105f7da3d5b688952772a65f5f48ba84
Instruction ID: e887ecd2f8ff1a7170afbb483431dd8ba8ef865fa83ca8c04583479b6e0b3eed
Opcode Fuzzy Hash: 8f6ad8a187ce435234d022b2659b9ddc105f7da3d5b688952772a65f5f48ba84
Instruction Fuzzy Hash: 8E214D7166451AAFEB154EF88871BEB77A9A713310F0C424BE6F1E6343D12191CE8635

Function 6E686247 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90stringthreadCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 6E686259
GetCurrentThreadId.KERNEL32 ref: 6E686284
sprintf_s.MSVCRT ref: 6E686292
_vsnprintf_s.MSVCRT ref: 6E6862B5
?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E6862CA
_vsnprintf_s.MSVCRT ref: 6E6862FA
?SyncWithBuffer@STRA@@QAEXXZ.IISUTIL ref: 6E686315

Strings

%lu %hs!%hs [%hs @ %d]:, xrefs: 6E68628B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: _vsnprintf_s$Buffer@CurrentResize@SyncThreadWithsprintf_sstrrchr
String ID: %lu %hs!%hs [%hs @ %d]:
API String ID: 649851915-2851016625
Opcode ID: 64d1fecfe0e0c11788385deb3f397303c48ce07ae2e0258cf119bcafb1e7a378
Instruction ID: 273057c63804456c7a2418a09ed94af8b29650f2124e7669cde63ba5f2bc307f
Opcode Fuzzy Hash: 64d1fecfe0e0c11788385deb3f397303c48ce07ae2e0258cf119bcafb1e7a378
Instruction Fuzzy Hash: 2521A5B1614504AFDF148F6DC898DAF3BA9EF99324B150299FD05CB396D731DC108BA0

Function 6E691F4A Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66fileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,0000007B,Ipm2ReadFile,Ipm2ReadFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,000000FF,?,?,?,?,?,?,000000FF,?,6E69316D,?,?), ref: 6E691F8E

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

ReadFile.KERNEL32(000000FF,?,?,00000000,?,?,?,?,000000FF,?,6E69316D,?,?), ref: 6E691FB0
GetLastError.KERNEL32(?,6E69316D,?,?), ref: 6E691FBA
SetEvent.KERNEL32(?,?,6E69316D,?,?), ref: 6E691FCA
GetLastError.KERNEL32(?,6E69316D,?,?), ref: 6E691FD4

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E691F83
Ipm2ReadFile, xrefs: 6E691F7C
Ipm2ReadFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E691F77

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$EventFileFreeInternal@MemoryPrintRead
String ID: Ipm2ReadFile$Ipm2ReadFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 2348339786-2675874397
Opcode ID: 337b74cb572130fc9b642d78db6e3b6ae404f3ffaa52a1322af907a747295bcb
Instruction ID: 7f6de3caff595c9adaf9323264f78604c97d76cb7cf1b4e71c7dcff87af2419b
Opcode Fuzzy Hash: 337b74cb572130fc9b642d78db6e3b6ae404f3ffaa52a1322af907a747295bcb
Instruction Fuzzy Hash: D211293156050A7BCB105EEB9C48F7F37ECAF43351F21021AF818A7780C721E948A6B0

Function 6E69025A Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66fileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000014C,IpmReadFile,IpmReadFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,?,?,?,?,00000000,?,?,6E691064,?,?), ref: 6E6902A1

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

ReadFile.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,6E691064,?,?,00000000,?,?), ref: 6E6902C3
GetLastError.KERNEL32(?,6E691064,?,?,00000000,?,?,00000000), ref: 6E6902CD
SetEvent.KERNEL32(?,?,6E691064,?,?,00000000,?,?,00000000), ref: 6E6902DD
GetLastError.KERNEL32(?,6E691064,?,?,00000000,?,?,00000000), ref: 6E6902E7

Strings

IpmReadFile, xrefs: 6E69028C
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690296
IpmReadFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E690287

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$EventFileFreeInternal@MemoryPrintRead
String ID: IpmReadFile$IpmReadFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 2348339786-2464152963
Opcode ID: 726034395c796b487aabb842108b706c95816a74bd9fdedacceefa530789b3a0
Instruction ID: a8e6aa1574ff46d11460113c3440a87c28310ce112eee749860d7c494841f1d6
Opcode Fuzzy Hash: 726034395c796b487aabb842108b706c95816a74bd9fdedacceefa530789b3a0
Instruction Fuzzy Hash: D5112531991503BBDB904EEA8C48F6F3B6DAB477A0F100619F858A7350E621E841B6B4

Function 6E694050 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 53pipeCOMMON

Download Yara Rule

APIs

?Copy@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E694073

Part of subcall function 6E678650: ?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(?,?,00000000,00000001), ref: 6E67867F

?InstantiatePipe@MULTI_IPM@@AAEJPAU_SECURITY_ATTRIBUTES@@@Z.IISUTIL(?), ref: 6E694086

Part of subcall function 6E6941D0: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,000000F3,MULTI_IPM::InstantiatePipe,Instatiating new pipe result hr=0x%08X,00000000,00000000,?,00000001,00000000,?,?,?), ref: 6E694437

SetConsoleTextAttribute.KERNEL32(?,00000004,?), ref: 6E6940A7
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,0000003E,MULTI_IPM::CreateServer,MULTI_IPM::CreateServer failed InstantiatePipe hr=0x%08x ,00000000), ref: 6E6940C5

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E6940DA

Strings

MULTI_IPM::CreateServer failed InstantiatePipe hr=0x%08x , xrefs: 6E6940AE
MULTI_IPM::CreateServer, xrefs: 6E6940B3
inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx, xrefs: 6E6940BA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleErrorLastPrintText$Append@Copy@FreeInstantiateInternal@MemoryPipe@S@@@
String ID: MULTI_IPM::CreateServer$MULTI_IPM::CreateServer failed InstantiatePipe hr=0x%08x $inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx
API String ID: 3412756257-79680046
Opcode ID: 24d22a8e4e3b2ba9154bb4b77d27fb6090883d7b99d13de611a113089fd87275
Instruction ID: 5197d3dcf9d130acfc5300ff2cdeee8f5a43b6b8e99b90b2ea6ef2ea1e418f15
Opcode Fuzzy Hash: 24d22a8e4e3b2ba9154bb4b77d27fb6090883d7b99d13de611a113089fd87275
Instruction Fuzzy Hash: 7901E135A406136BEB225FDADC88B6B7B58AB02314F044022B9245B3A1C7B0AC72D6E4

Function 6E687990 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

?RemoveItem@ALLOC_CACHE_HANDLER@@SGXPAV1@@Z.IISUTIL ref: 6E6879A3

Part of subcall function 6E6875D0: EnterCriticalSection.KERNEL32(6E6A8650), ref: 6E6875DC
Part of subcall function 6E6875D0: LeaveCriticalSection.KERNEL32(6E6A8650), ref: 6E6875FF

?CleanupLookaside@ALLOC_CACHE_HANDLER@@QAEXH@Z.IISUTIL(00000001), ref: 6E6879AC

Part of subcall function 6E687A20: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\acache.cxx,0000027A,ALLOC_CACHE_HANDLER::CleanupLookaside,AllocCalls = %ld, LastAllocCount = %ld,?,?,?,00000000,?,6E6878B7,00000000), ref: 6E687A8C

?QueryDepthForAllSLists@ALLOC_CACHE_HANDLER@@AAEKXZ.IISUTIL(?), ref: 6E6879D8
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\acache.cxx,00000244,ALLOC_CACHE_HANDLER::~ALLOC_CACHE_HANDLER,Items in look-aside lists = %u, Pending HeapFree calls = %u,00000000,?), ref: 6E6879F8
_aligned_free.MSVCRT ref: 6E687A07

Strings

inetsrv\iis\iisrearc\core\common\util\acache.cxx, xrefs: 6E6879ED
Items in look-aside lists = %u, Pending HeapFree calls = %u, xrefs: 6E6879DE
ALLOC_CACHE_HANDLER::~ALLOC_CACHE_HANDLER, xrefs: 6E6879E3

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalPrintSection$CleanupDepthEnterItem@LeaveLists@Lookaside@QueryRemoveV1@@_aligned_free
String ID: ALLOC_CACHE_HANDLER::~ALLOC_CACHE_HANDLER$Items in look-aside lists = %u, Pending HeapFree calls = %u$inetsrv\iis\iisrearc\core\common\util\acache.cxx
API String ID: 4177698886-2337942645
Opcode ID: d72a71333871ef39bb671fa2bbf7b7639c02a9ca79c05109a514059098102bcb
Instruction ID: 9db06ab8bd84624669b320977b6abc1312f70c50d31207452c59c78edfc72073
Opcode Fuzzy Hash: d72a71333871ef39bb671fa2bbf7b7639c02a9ca79c05109a514059098102bcb
Instruction Fuzzy Hash: 4301F931B50E0097DF225EA99C0499F73E8EB82715B10092AF8A5E73D1EB31764186B9

Function 6E6880E0 Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,00000058,SchedulerInitialize,SchedulerInitialize: inits=%d, uninits=%d,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,6E685B20), ref: 6E68811B

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

EnterCriticalSection.KERNEL32(6E6A8668,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,6E685B20), ref: 6E68813A
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E688159

Strings

inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx, xrefs: 6E6880E7
inetsrv\iis\iisrearc\core\common\util\sched.cxx, xrefs: 6E688110
SchedulerInitialize: inits=%d, uninits=%d, xrefs: 6E688104
InitializeIISUtil, xrefs: 6E6880F3
SchedulerInitialize, xrefs: 6E688109

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterFreeInternal@LeaveMemoryPrint
String ID: InitializeIISUtil$SchedulerInitialize$SchedulerInitialize: inits=%d, uninits=%d$inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx$inetsrv\iis\iisrearc\core\common\util\sched.cxx
API String ID: 3087881159-2844777888
Opcode ID: 47cbd55c62040156c5d4c0e5ef2c22bc480849408de59b8a193b682109700c3e
Instruction ID: 797e58bf274e50fdd2f67fd130343d58b4377edfc526de4a5c2d2cc1c0729790
Opcode Fuzzy Hash: 47cbd55c62040156c5d4c0e5ef2c22bc480849408de59b8a193b682109700c3e
Instruction Fuzzy Hash: 56014972AA15015BCF019DBDEC0895F332AEBC73093144438E601AF326DF229C128BA4

Function 6E6894C0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

DeregisterEventSource.ADVAPI32(00000000), ref: 6E6894D2
GetLastError.KERNEL32(?,6E6890ED,?), ref: 6E6894EF
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,000001A4,EVENT_LOG::DestroyEventLogSource,Destruction of EVENT_LOG_SOURCE[%p] failed. error %lu,?,00000000,?,6E6890ED,?), ref: 6E689511

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,6E6890ED,?), ref: 6E689524
HeapFree.KERNEL32(00000000,?,6E6890ED,?), ref: 6E68952B

Strings

EVENT_LOG::DestroyEventLogSource, xrefs: 6E6894FC
inetsrv\iis\iisrearc\core\common\util\eventlog.cxx, xrefs: 6E689506
Destruction of EVENT_LOG_SOURCE[%p] failed. error %lu, xrefs: 6E6894F7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FreeHeap$DeregisterEventInternal@MemoryPrintProcessSource
String ID: Destruction of EVENT_LOG_SOURCE[%p] failed. error %lu$EVENT_LOG::DestroyEventLogSource$inetsrv\iis\iisrearc\core\common\util\eventlog.cxx
API String ID: 3478840444-909833668
Opcode ID: 29d6e8d9f4a17f3db877009e78dd4e56607dbedc925c8765092e4f94b284bdaf
Instruction ID: 90e177e3486a9a1bf1d98896b8de53250d637c049724b704dbfac615dffe7f69
Opcode Fuzzy Hash: 29d6e8d9f4a17f3db877009e78dd4e56607dbedc925c8765092e4f94b284bdaf
Instruction Fuzzy Hash: 2CF0AF71580A01BBEF215EA6E80CB8BBB68AB0335DF008416F4595A252D730A891DB71

Function 6E6846C0 Relevance: 13.6, APIs: 9, Instructions: 99COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 6E684725
?Copy@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E68473E

Part of subcall function 6E678650: ?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(?,?,00000000,00000001), ref: 6E67867F

ExpandEnvironmentStringsW.KERNEL32(?,?,00000084), ref: 6E684757
GetLastError.KERNEL32 ref: 6E684761
GetLastError.KERNEL32 ref: 6E68476B
?Copy@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E6847DE
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E6847F4

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Copy@ErrorLast$Append@EnvironmentExpandFreeInternal@MemoryStringswcschr
String ID:
API String ID: 4199137474-0
Opcode ID: 4edb1d052df8413e224fcf53fc133c179cd11664e3f3eec2bc6aa48e5fec3e0f
Instruction ID: 443a7ab67a62c05c2c6ff8fde6fc24e0275379dbc54c33fea51fcf5e88e98dc1
Opcode Fuzzy Hash: 4edb1d052df8413e224fcf53fc133c179cd11664e3f3eec2bc6aa48e5fec3e0f
Instruction Fuzzy Hash: 6C31A670A402199BDB509FA58C847DF7BBCAB17704F0005A9E685A3241EBF49E858BA5

Function 6E682A30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

iswalnum.MSVCRT ref: 6E682A93
?Copy@STRU@@QAEJPBGK@Z.IISUTIL(?,?), ref: 6E682ACB

Part of subcall function 6E6786A0: ?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(00000000,?,00000000,00000001), ref: 6E6786B8

?Append@STRU@@QAEJPBGK@Z.IISUTIL(?,00000006), ref: 6E682BE9
?Append@STRU@@QAEJPBGK@Z.IISUTIL(?,00000001), ref: 6E682C04
?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(?,?,00000000,00000001), ref: 6E682C42
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E682C54

Strings

, xrefs: 6E682A48

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@$Copy@FreeInternal@Memoryiswalnum
String ID:
API String ID: 3885340200-3916222277
Opcode ID: 909991ecaee475b30b69ef28b014e45123c059a5932c8c170f720e0772870e54
Instruction ID: dac8f7d94cef9ff4a060548015ace9b74f69b74d79381a46056a2091035c378c
Opcode Fuzzy Hash: 909991ecaee475b30b69ef28b014e45123c059a5932c8c170f720e0772870e54
Instruction Fuzzy Hash: 705107771197018ED3548FB5C8503ABB3E5BF9A728F100A2AF4A9D7290E335C8058766

Function 6E68AFB0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

AllocateAndCreateWellKnownSid.IISUTIL(?,?), ref: 6E68B013
SetConsoleTextAttribute.KERNEL32(?,00000004), ref: 6E68B039
PuDbgPrintError.IISUTIL(inetsrv\iis\iisrearc\core\common\util\secfcns.cxx,0000026D,CSecurityDispenser::GetSID,00000000,Failed to create the sid we were looking for,?), ref: 6E68B06B
SetConsoleTextAttribute.KERNEL32(?,00000007), ref: 6E68B080

Strings

CSecurityDispenser::GetSID, xrefs: 6E68B056
Failed to create the sid we were looking for, xrefs: 6E68B050
inetsrv\iis\iisrearc\core\common\util\secfcns.cxx, xrefs: 6E68B060

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AttributeConsoleText$AllocateCreateErrorKnownPrintWell
String ID: CSecurityDispenser::GetSID$Failed to create the sid we were looking for$inetsrv\iis\iisrearc\core\common\util\secfcns.cxx
API String ID: 2231831652-1422335758
Opcode ID: 7f60ef89b151e854fd46f1f3729ea6cca206405063748578ab178c3ad77c9659
Instruction ID: b475d5c2a2635e9f06775063c01cecd0be1e112ef1b90618269593f3ef53d9dc
Opcode Fuzzy Hash: 7f60ef89b151e854fd46f1f3729ea6cca206405063748578ab178c3ad77c9659
Instruction Fuzzy Hash: 04318F39784102EFD764CEAEC8A8E6B7BA5FB47304B104559E9649B399C7729C01CB70

Function 6E692520 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 80pipewindowCOMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69252D

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E692557
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000274,IPM2_MESSAGE_PIPE::IpmMessageDeleted,IPM2_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d), ref: 6E69258C

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

?CreateIpmMessagePipe@IPM2_MESSAGE_PIPE@@SGJPAVIPM2_MESSAGE_ACCEPTOR@@PBGHHKPAU_SECURITY_ATTRIBUTES@@PAPAV1@PAH@Z.IISUTIL(?,?,?,00000000,00000001,?,?,00000000), ref: 6E6925D1

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E692581
IPM2_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d, xrefs: 6E692572
IPM2_MESSAGE_PIPE::IpmMessageDeleted, xrefs: 6E692577

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastLock3@@ReaderWriteWriter$CreateCurrentFreeInternal@Lock@MemoryMessagePipe@PrintThreadUnlock@
String ID: IPM2_MESSAGE_PIPE::IpmMessageDeleted$IPM2_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 1179956177-3346642813
Opcode ID: f34ee2d5358428432de7aef23d32a991651993a763d0a891fb57f21621b61baf
Instruction ID: 06e76dad721d24fc6b1cb8649a37e103249478eab61a8420e1360098fcbf67a5
Opcode Fuzzy Hash: f34ee2d5358428432de7aef23d32a991651993a763d0a891fb57f21621b61baf
Instruction Fuzzy Hash: F711027211020ABBDF118F95EC04E9ABB6AFF81368F444126F9145B2A1E731EDB1DAD4

Function 6E689190 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,000000BD,EVENT_LOG::LogEvent,reporting event %08lX, Error Code = %lu,?,?), ref: 6E6891D6

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,000000C3,EVENT_LOG::LogEvent, substring[%lu] = %S,00000000,?), ref: 6E689211
?LogEventPrivate@EVENT_LOG@@AAEXKGGQAPBGK@Z.IISUTIL(?,00000001,?,?,?), ref: 6E689253

Strings

inetsrv\iis\iisrearc\core\common\util\eventlog.cxx, xrefs: 6E6891CB, 6E689206
substring[%lu] = %S, xrefs: 6E6891F7
reporting event %08lX, Error Code = %lu, xrefs: 6E6891BC
EVENT_LOG::LogEvent, xrefs: 6E6891C1, 6E6891FC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastPrint$EventFreeInternal@MemoryPrivate@
String ID: substring[%lu] = %S$EVENT_LOG::LogEvent$inetsrv\iis\iisrearc\core\common\util\eventlog.cxx$reporting event %08lX, Error Code = %lu
API String ID: 657523427-984811282
Opcode ID: e37e96f4f3ed4ec37589d7a0b86a21ddd372b1b97b6ee09701c51ac601a2822e
Instruction ID: 142140b6ee8fcfaca4248c6d0c5ea35dcb580ccb13a84f077aff1399cf4c4024
Opcode Fuzzy Hash: e37e96f4f3ed4ec37589d7a0b86a21ddd372b1b97b6ee09701c51ac601a2822e
Instruction Fuzzy Hash: 571121325A0254BBCF208E8DDC54DAF7B65EB5A624F008205FD586B361D631A921C7B5

Function 6E6883D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,000001E8,ScheduleAdjustTime,ScheduleAdjustTime: cookie=%d time=%d,?,?), ref: 6E688410

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

EnterCriticalSection.KERNEL32(6E6A8668), ref: 6E68842D
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E68843D
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E688484

Strings

ScheduleAdjustTime: cookie=%d time=%d, xrefs: 6E6883F6
inetsrv\iis\iisrearc\core\common\util\sched.cxx, xrefs: 6E688405
ScheduleAdjustTime, xrefs: 6E6883FB

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$ErrorLastLeave$EnterFreeInternal@MemoryPrint
String ID: ScheduleAdjustTime$ScheduleAdjustTime: cookie=%d time=%d$inetsrv\iis\iisrearc\core\common\util\sched.cxx
API String ID: 3380817030-2998826662
Opcode ID: 125239f5979f00b59704de239ff0a34228e389c52c77d933ff3bb297d391ebc1
Instruction ID: 0347a935c7a9f1a96d35a215d3f25a6dfa9f52a184103e730efdcec66442ff2a
Opcode Fuzzy Hash: 125239f5979f00b59704de239ff0a34228e389c52c77d933ff3bb297d391ebc1
Instruction Fuzzy Hash: 04110633AC0A01BBCB315EDADC04F8F3766AB99715F409825F6055F2B1C731A95187B4

Function 6E681510 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(?,00000002,?,00000001), ref: 6E68156E
?Append@STRU@@QAEJPBG@Z.IISUTIL("), ref: 6E681598

Part of subcall function 6E678470: ?AuxAppend@STRU@@AAEJPBEKK_N@Z.IISUTIL(00000000,?,?,00000001), ref: 6E6784A0

Strings

', xrefs: 6E681583
<, xrefs: 6E68157C
", xrefs: 6E681591
>, xrefs: 6E681575
&, xrefs: 6E68158A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@
String ID: &$'$>$<$"
API String ID: 3021750933-87953025
Opcode ID: 2c4cc7b3c32ee80a7be7c4aa601043cda6029e1a53fb05dd6eedff684a9faf8a
Instruction ID: 41c856d8e5b2f11c7046b894d0c253df56e3fa071a8597ca136c37b3a5712561
Opcode Fuzzy Hash: 2c4cc7b3c32ee80a7be7c4aa601043cda6029e1a53fb05dd6eedff684a9faf8a
Instruction Fuzzy Hash: 0A115CF5A502026BDB244EED98759BB7398DB4A340B004117FC37D7713E161DE0842B3

Function 6E690830 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 65pipefilewindowCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,40080003,00000006,00000001,00001000,00001000,00000000,?), ref: 6E690916
GetLastError.KERNEL32 ref: 6E690925
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000360,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateNamedPipe, hr = %x,00000000), ref: 6E690962
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000036A,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = %x,00000000,00000000), ref: 6E6909A5
ConnectNamedPipe.KERNEL32(?,00000020,00000000), ref: 6E6909D6
GetLastError.KERNEL32 ref: 6E6909E0
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,0000037D,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed ConnectNamedPipe, hr = %x,00000000), ref: 6E690A26
CreateFileW.KERNEL32(?,00120183,00000000,?,00000003,40000000,00000000), ref: 6E690A58
GetLastError.KERNEL32 ref: 6E690A69
SetNamedPipeHandleState.KERNEL32(00000000,?), ref: 6E690AB0
GetLastError.KERNEL32 ref: 6E690ABA
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000330,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe called name=%S,?), ref: 6E69087B

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

??0IPM_MESSAGE_PIPE@@AAE@XZ.IISUTIL ref: 6E6908A2
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000345,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed allocation of IPM_MESSAGE_PIPE, hr = %x,8007000E), ref: 6E6908DE
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000003C0,IPM_MESSAGE_PIPE::CreateIpmMessagePipe,IPM_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x,00000000), ref: 6E690AF7
?ReadMessage@IPM_MESSAGE_PIPE@@AAGJK@Z.IISUTIL(00000000,00000010), ref: 6E690B22
CloseHandle.KERNEL32(00000000,00000000,00000010), ref: 6E690B76
CloseHandle.KERNEL32(?,00000000,00000010), ref: 6E690B89

Strings

IPM_MESSAGE_PIPE::CreateIpmMessagePipe, xrefs: 6E690866, 6E6908C9, 6E69094D, 6E690990, 6E690A11, 6E690A91, 6E690AE2, 6E690B3C
IPM_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x, xrefs: 6E690B37
IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = %x, xrefs: 6E69098B
IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateFile, hr = %x, xrefs: 6E690A8C
IPM_MESSAGE_PIPE::CreateMessagePipe called name=%S, xrefs: 6E690861
IPM_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x, xrefs: 6E690ADD
IPM_MESSAGE_PIPE::CreateMessagePipe failed allocation of IPM_MESSAGE_PIPE, hr = %x, xrefs: 6E6908C4
IPM_MESSAGE_PIPE::CreateMessagePipe failed ConnectNamedPipe, hr = %x, xrefs: 6E690A0C
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690801, 6E690870, 6E6908D3, 6E690957, 6E69099A, 6E690A1B, 6E690AEC
IPM_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d, xrefs: 6E6907F2
IPM_MESSAGE_PIPE::IpmMessageDeleted, xrefs: 6E6907F7
IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateNamedPipe, hr = %x, xrefs: 6E690948

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastPrint$HandleNamedPipe$CloseCreate$ConnectFileFreeInternal@MemoryMessage@ReadState
String ID: IPM_MESSAGE_PIPE::CreateIpmMessagePipe$IPM_MESSAGE_PIPE::CreateMessagePipe called name=%S$IPM_MESSAGE_PIPE::CreateMessagePipe failed ConnectNamedPipe, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateFile, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateMessage, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed CreateNamedPipe, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed ReadMessage, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed SetNamedPipeHandleState, hr = %x$IPM_MESSAGE_PIPE::CreateMessagePipe failed allocation of IPM_MESSAGE_PIPE, hr = %x$IPM_MESSAGE_PIPE::IpmMessageDeleted$IPM_MESSAGE_PIPE::IpmMessageDeleted m_cMessages = %d$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 4223288803-3680292098
Opcode ID: 56c56b3f548781c29e2df5f3c6a62108b597b8ff50c9f36bdaf0b91eb63a50fb
Instruction ID: 7d7760046079c1ee05b8ccc0940fd6da787285e5406ee06e0cdad795c182ca64
Opcode Fuzzy Hash: 56c56b3f548781c29e2df5f3c6a62108b597b8ff50c9f36bdaf0b91eb63a50fb
Instruction Fuzzy Hash: F6113A71B203425BDF409EED9C08F4F77E89B82328F000525F950AB3D2F761A511A3E9

Function 6E6904E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,00000215,IpmWriteFile,IpmWriteFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,00000000,?,?,?,?,?,6E6912EF,?,?,00000000), ref: 6E69052D

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

WriteFile.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,6E6912EF,?,?,00000000), ref: 6E690550
GetLastError.KERNEL32(?,6E6912EF,?,?,00000000), ref: 6E69055A
GetLastError.KERNEL32(?,6E6912EF,?,?,00000000), ref: 6E69056B

Strings

IpmWriteFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E690513
IpmWriteFile, xrefs: 6E690518
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690522

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FileFreeInternal@MemoryPrintWrite
String ID: IpmWriteFile$IpmWriteFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 3719856016-488947723
Opcode ID: 73c29760a0087f724e3d68c16fb437b3aa4c4cb41cb990bd58a4b70c8da7cf83
Instruction ID: f71e6f32c79748fb3f9fab775ca0026913dd0775af1538c332e83648c3f38dd1
Opcode Fuzzy Hash: 73c29760a0087f724e3d68c16fb437b3aa4c4cb41cb990bd58a4b70c8da7cf83
Instruction Fuzzy Hash: B1014932950503BBEF908DDA9D48FAF3B5C9B53764F008111FC1896292F230E881FAB0

Function 6E692272 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000178,Ipm2WriteFile,Ipm2WriteFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p,?,?,?,?,?,?,?,?,6E693525,-00000010,?), ref: 6E6922B6

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

WriteFile.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,6E693525,-00000010,?), ref: 6E6922D9
GetLastError.KERNEL32(?,6E693525,-00000010,?,?,?,?,?,?,?,?,?,?,?,?,6E69322C), ref: 6E6922E3
GetLastError.KERNEL32(?,6E693525,-00000010,?,?,?,?,?,?,?,?,?,?,?,?,6E69322C), ref: 6E6922F4

Strings

inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E6922AB
Ipm2WriteFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p, xrefs: 6E69229C
Ipm2WriteFile, xrefs: 6E6922A1

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FileFreeInternal@MemoryPrintWrite
String ID: Ipm2WriteFile$Ipm2WriteFile called with hFile=%d, pBuffer=%p, cbBuffer=%d, pOvl=%p$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 3719856016-1857769377
Opcode ID: 5091c5dacdaf3e59121126eb21b73c7308820cbe5ee413cfaacd432abfc2e7cb
Instruction ID: dca0fd6df1a8aec76f3e388d4c10ec58dada49bf8a27aad42b1126be90c65862
Opcode Fuzzy Hash: 5091c5dacdaf3e59121126eb21b73c7308820cbe5ee413cfaacd432abfc2e7cb
Instruction Fuzzy Hash: AB01D6325D52076BDF5019DABC44FAF3B589B63755F004215F9189B290C6209985F6B0

Function 6E68C140 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000087,StartIISAdminMonitor,Start monitoring called when we were all ready monitoring, setting hr to equal %08x,8000FFFF), ref: 6E68C1A4
CloseHandle.KERNEL32(00000000), ref: 6E68C2B3
CloseHandle.KERNEL32(?), ref: 6E68C2C9

Strings

StartIISAdminMonitor, xrefs: 6E68C18F
Start monitoring called when we were all ready monitoring, setting hr to equal %08x, xrefs: 6E68C18A
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68C199

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseHandle$Print
String ID: Start monitoring called when we were all ready monitoring, setting hr to equal %08x$StartIISAdminMonitor$inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 1935847771-2729748448
Opcode ID: 74facc15bdc74ddfc641eda7641a999f5954a7ced1259c019be04c8621caf4fd
Instruction ID: e7744ab809998912356cfe6ec0115103a017289e0c0cf3dffac32738cad8ffd2
Opcode Fuzzy Hash: 74facc15bdc74ddfc641eda7641a999f5954a7ced1259c019be04c8621caf4fd
Instruction Fuzzy Hash: B611A575E44741ABDB109E9F9C0CA5BBBE8ABD3721F00072ABC54DB390D77099118BB2

Function 6E687850 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E6A8650), ref: 6E687862
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\acache.cxx,000001EC,ALLOC_CACHE_HANDLER::CleanupAllLookasides,Cleaning lookaside list for '%s' handler,?), ref: 6E6878A2
?CleanupLookaside@ALLOC_CACHE_HANDLER@@QAEXH@Z.IISUTIL(00000000), ref: 6E6878B2
LeaveCriticalSection.KERNEL32(6E6A8650,00000000), ref: 6E6878C2

Strings

ALLOC_CACHE_HANDLER::CleanupAllLookasides, xrefs: 6E68788D
Cleaning lookaside list for '%s' handler, xrefs: 6E687888
inetsrv\iis\iisrearc\core\common\util\acache.cxx, xrefs: 6E687897

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$CleanupEnterLeaveLookaside@Print
String ID: ALLOC_CACHE_HANDLER::CleanupAllLookasides$Cleaning lookaside list for '%s' handler$inetsrv\iis\iisrearc\core\common\util\acache.cxx
API String ID: 2548777736-20289401
Opcode ID: 63a2879206da2f08c0dd2b691d3f5db9ee9bc90ef4742e7db97870048a5d1e34
Instruction ID: af41076be041606d6026ad2bb4ab690a59185385f3a310725ab9bac753c57e9b
Opcode Fuzzy Hash: 63a2879206da2f08c0dd2b691d3f5db9ee9bc90ef4742e7db97870048a5d1e34
Instruction Fuzzy Hash: FEF0F6B2E50540A7EA105EDEEC48E8FB76CE762365F040525F950BB3A2DB207D21C6F5

Function 6E68A590 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000009(TokenIntegrityLevel),?,00000004,?), ref: 6E68A5A6
GetLastError.KERNEL32 ref: 6E68A5B9
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\tokenacl.cxx,00000391,DupTokenWithSameImpersonationLevel,GetTokenInformation - failed to get TokenImpersonationLevel LastError=%d, using SecurityImpersonation,00000000), ref: 6E68A5DA

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

DuplicateTokenEx.ADVAPI32(?,?,00000000,?,?,?), ref: 6E68A5FC

Strings

DupTokenWithSameImpersonationLevel, xrefs: 6E68A5C5
GetTokenInformation - failed to get TokenImpersonationLevel LastError=%d, using SecurityImpersonation, xrefs: 6E68A5C0
inetsrv\iis\iisrearc\core\common\util\tokenacl.cxx, xrefs: 6E68A5CF

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$Token$DuplicateFreeInformationInternal@MemoryPrint
String ID: DupTokenWithSameImpersonationLevel$GetTokenInformation - failed to get TokenImpersonationLevel LastError=%d, using SecurityImpersonation$inetsrv\iis\iisrearc\core\common\util\tokenacl.cxx
API String ID: 4278200080-1452575203
Opcode ID: ae5ce3feac60e49e97a490f55339179caa9ea6b44d15c15593725d5aa487f1c0
Instruction ID: 5a75012c08f4462a1066f4cffef69d318912b1f9a09067f932abb46d66990d60
Opcode Fuzzy Hash: ae5ce3feac60e49e97a490f55339179caa9ea6b44d15c15593725d5aa487f1c0
Instruction Fuzzy Hash: CE018172580208BFEF118FD6CC09FAE3B6CEB05304F004006FE15AA292D3715A609B61

Function 6E67E020 Relevance: 12.2, APIs: 8, Instructions: 152COMMON

Download Yara Rule

APIs

?IsWriteLocked@CReaderWriterLock3@@QBE_NXZ.IISUTIL(?,?), ref: 6E67E04E
?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?), ref: 6E67E0B4
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?), ref: 6E67E196

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriteWriter$Lock2@@$Lock3@@Lock@Locked@Unlock@
String ID:
API String ID: 2347972203-0
Opcode ID: 1f55da7cd10debe690caceef68d53b7aea8310a6409a0402ab757c5edfd9086e
Instruction ID: dec528f749924ac46ac8c3b11ef78bc278a8235dc10f8d5d6631f74804aea34e
Opcode Fuzzy Hash: 1f55da7cd10debe690caceef68d53b7aea8310a6409a0402ab757c5edfd9086e
Instruction Fuzzy Hash: B1517831A0020ADFCF65CEE8C99A9EE77B5FB06355B10446EE812DB250DB30D958CB92

Function 6E68F110 Relevance: 12.1, APIs: 8, Instructions: 125COMMON

Download Yara Rule

APIs

?CopyWToUTF8Escaped@STRA@@QAEJPBG@Z.IISUTIL(?), ref: 6E68F1C3
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(00000000), ref: 6E68F1DE
GetLastError.KERNEL32(00000000), ref: 6E68F1E7
?UlCleanAndCopyUrl@@YGJPADKPAKPAGPAPAG@Z.IISUTIL(?,?,?,?,?,00000000), ref: 6E68F217

Part of subcall function 6E68F910: RtlNtStatusToDosError.NTDLL ref: 6E68F97A

?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68F26C
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68F27B
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL(?,?,?,?,?,?,00000000), ref: 6E68F28E
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL(?,?,?,?,?,?,00000000), ref: 6E68F29D

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: FreeInternal@Memory$CopyError$CleanEscaped@LastResize@StatusUrl@@
String ID:
API String ID: 419448607-0
Opcode ID: 9fd8d4d58edc225a6f8d2905b9ac5af3eb686fd36dc026c83a9680d1a11f746b
Instruction ID: 6e3fd01336fbac777ad56a51294c50d6f0621746807d0c69359ef828467bf249
Opcode Fuzzy Hash: 9fd8d4d58edc225a6f8d2905b9ac5af3eb686fd36dc026c83a9680d1a11f746b
Instruction Fuzzy Hash: 8141D5364097469FC765CFE8C86069BBBE4BFC5704F10492EE9E487250EB31D909CBA6

Function 6E688880 Relevance: 12.1, APIs: 8, Instructions: 75COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E6A8668), ref: 6E688899
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E6888A9
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E6888C4

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 2975dc6e9b1922e8647f3b7a4b7ef96a1ccfea656cb6737d06126a5263c9817b
Instruction ID: 3ab788f4ddfbff86489d9c6a27ea2da59a986c01b64e55634efd77b673d48bfd
Opcode Fuzzy Hash: 2975dc6e9b1922e8647f3b7a4b7ef96a1ccfea656cb6737d06126a5263c9817b
Instruction Fuzzy Hash: CC21A131A40A05AFCF059FF9D88895F7BB9FF5A325B404529E41297310DB30AC50CBE5

Function 6E689270 Relevance: 11.3, APIs: 9, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6E689179,?), ref: 6E689283
_wcsicmp.MSVCRT ref: 6E6892B4
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,6E689179,?), ref: 6E6892E6
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,6E689179,?), ref: 6E6892ED
GetProcessHeap.KERNEL32(00000000), ref: 6E689338
HeapFree.KERNEL32(00000000), ref: 6E68933F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6E689179,?), ref: 6E68935F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,6E689179,?), ref: 6E68936C
HeapFree.KERNEL32(00000000,?,?,?,?,?,6E689179,?), ref: 6E689373

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Heap$Process$CriticalFreeSection$AllocEnterLeave_wcsicmp
String ID:
API String ID: 2437545445-0
Opcode ID: ff321f0fbe049972e2875b4c8c899425be3290bbd535b0722d16c9382ae12b2b
Instruction ID: 3115591a7106a4463facc0e4fff2c71ceeb70a0b64ad93dc49e61556b282ee02
Opcode Fuzzy Hash: ff321f0fbe049972e2875b4c8c899425be3290bbd535b0722d16c9382ae12b2b
Instruction Fuzzy Hash: 5D31E271EA4A15ABEB049FAFC818A5F376DFB573097104119E60AC3340D731AC01D7A0

Function 6E694E80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,000003E8), ref: 6E694F15
GetLastError.KERNEL32 ref: 6E694F1F
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E6950F8

Strings

, xrefs: 6E694ED8

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CountCriticalErrorFreeInitializeInternal@LastMemorySectionSpin
String ID:
API String ID: 2988988047-3916222277
Opcode ID: feee988e719b44c348ece4190aa70a9a6ccf45c8cb58e1fb02c65e091194ced3
Instruction ID: 765dbe49a80b3d45159cb9c50e00d1b619a18b900dbeb6133cf503cb7362a160
Opcode Fuzzy Hash: feee988e719b44c348ece4190aa70a9a6ccf45c8cb58e1fb02c65e091194ced3
Instruction Fuzzy Hash: 33819E719047039FD714CFA9C894B6AB7E4FF86315F004A2EE5A58B2A0D731E854DBE2

Function 6E67D130 Relevance: 10.7, APIs: 7, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?), ref: 6E67D14A

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?), ref: 6E67D189
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?), ref: 6E67D191
?_AllocateNodeClump@CLKRLinearHashTable@@CGQAVCNodeClump@@XZ.IISUTIL(?,?), ref: 6E67D22F
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67D29D
?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(00000001), ref: 6E67D2C4
?_Expand@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@XZ.IISUTIL ref: 6E67D2FB

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriteWriter$HashLinear$Lock2@@Lock3@@Lock@NodeTable@@Unlock@$AllocateClump@Clump@@CurrentExpand@Iterator@@Ref@Table_Thread
String ID:
API String ID: 1032148664-0
Opcode ID: 59fefe3ee1cfe9c055483e4b6cdbb7513c3fd721c944facaa923e63b0eb4af87
Instruction ID: 4289f3e351c5455c1bb688add51cfc0b54a5b32540bee44e6169ed8935f5f6e1
Opcode Fuzzy Hash: 59fefe3ee1cfe9c055483e4b6cdbb7513c3fd721c944facaa923e63b0eb4af87
Instruction Fuzzy Hash: 09719F31A04A1AEBDF24CFA9C9846AEBBB0FF0A314F114569D915A7340DB31ED61CF94

Function 6E68EFA0 Relevance: 10.6, APIs: 7, Instructions: 136stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 6E68F007
strchr.MSVCRT ref: 6E68F021
memmove.MSVCRT ref: 6E68F054
strchr.MSVCRT ref: 6E68F060
?Copy@STRA@@QAEJPBD@Z.IISUTIL(?), ref: 6E68F074
?Unescape@STRA@@QAEJXZ.IISUTIL ref: 6E68F083
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68F0EA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: strchr$Copy@FreeInternal@MemoryUnescape@memmove
String ID:
API String ID: 721943812-0
Opcode ID: f31811551d67bc43aff309302e7f3da50d94d90e617bd3e6dd6cab5a7a52522b
Instruction ID: 754c64a47a4704c840f03592c497025b7a2dbcb748258da2c46f88e966dd1bdd
Opcode Fuzzy Hash: f31811551d67bc43aff309302e7f3da50d94d90e617bd3e6dd6cab5a7a52522b
Instruction Fuzzy Hash: 63418B3290C7569FD7258A68C4707BB7BE59F87364F24426DEC819B381EB258C05C3B1

Function 6E694D20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

sprintf_s.MSVCRT ref: 6E694DD4
OutputDebugStringA.KERNEL32(?), ref: 6E694DE4
OutputDebugStringA.KERNEL32(Breaking on configured error), ref: 6E694DFC
DebugBreak.KERNEL32 ref: 6E694E02

Strings

hr = 0x%08x - %s (%s:%s:%d), xrefs: 6E694DC9
Breaking on configured error, xrefs: 6E694DF7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Debug$OutputString$Breaksprintf_s
String ID: Breaking on configured error$hr = 0x%08x - %s (%s:%s:%d)
API String ID: 2889725838-4108870998
Opcode ID: eb5527a967fd69f1d336650264c716d1141b3e91cc92f2094a28e006bf0b82e4
Instruction ID: e45be97a50e86dc0b5e30e4280cb6734edcd136d96cc428ca0da4e10428b9390
Opcode Fuzzy Hash: eb5527a967fd69f1d336650264c716d1141b3e91cc92f2094a28e006bf0b82e4
Instruction Fuzzy Hash: F321F636A4061B5BDF54CEADC8D8BEE37A4FB57301F10406AE935D3340D671A946DB80

Function 6E6800F0 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

??4CLKRHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E680137

Part of subcall function 6E67BE40: ??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E67BE57

?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E680142
?Find@CLKRHashTable@@QAE_NKAAVCLKRHashTable_Iterator@@@Z.IISUTIL(?,?,000000FF), ref: 6E68014F

Part of subcall function 6E67FFF0: ??4CLKRHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E680026
Part of subcall function 6E67FFF0: ?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E680030

??4CLKRHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?,000000FF), ref: 6E680165
?_Increment@CLKRHashTable_Iterator@@IAE_N_N@Z.IISUTIL(00000001,000000FF), ref: 6E68016E

Part of subcall function 6E67FCB0: ?_Increment@CLKRLinearHashTable_Iterator@@IAE_N_N@Z.IISUTIL(?), ref: 6E67FCCA

??9CLKRHashTable_Iterator@@QBE_NABV0@@Z.IISUTIL(000000FF,00000001,000000FF), ref: 6E680199
?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF,00000001,000000FF), ref: 6E6801DA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Hash$Table_$Iterator@@$LinearV0@@$Ref@$Increment@$Find@Iterator@@@Table@@
String ID:
API String ID: 6046500-0
Opcode ID: 13a697628245a634f3180037a8cf76e0e37b13a19fa1144c27d3f322b468106a
Instruction ID: 4e8d8b35770e2ec7d74f43424deee00d2b56b2775271af67fe3660e3b6111da0
Opcode Fuzzy Hash: 13a697628245a634f3180037a8cf76e0e37b13a19fa1144c27d3f322b468106a
Instruction Fuzzy Hash: D0317E315083419FCB51DFB8C840AAFBBE5BF89324F004E1EE8A897291E730D505CB9A

Function 6E681299 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 82COMMON

Download Yara Rule

Strings

', xrefs: 6E6812F5
<, xrefs: 6E6812EC
", xrefs: 6E681307
>, xrefs: 6E6812E3
&, xrefs: 6E6812FE

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID: &$'$>$<$"
API String ID: 0-87953025
Opcode ID: 15bdec3d4499af7e4fa4d3277ea5da622de91b2a2fe499cc310d7ba59dc9bd0e
Instruction ID: d3e584ed9bf66bc91e00fcbfeb96c39c97ac89173add76e920f7d8f389528f8f
Opcode Fuzzy Hash: 15bdec3d4499af7e4fa4d3277ea5da622de91b2a2fe499cc310d7ba59dc9bd0e
Instruction Fuzzy Hash: 41213DB2554202EBE7104EEDC860F977768DBB3710F158112F934DB651E162CD4883B5

Function 6E67FB70 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E67FBAE

Part of subcall function 6E67BB30: ?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(00000001), ref: 6E67BB40
Part of subcall function 6E67BB30: ?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF,00000001), ref: 6E67BB49

?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E67FBB9
?Find@CLKRLinearHashTable@@QAE_NKAAVCLKRLinearHashTable_Iterator@@@Z.IISUTIL(?,?,000000FF), ref: 6E67FBC6

Part of subcall function 6E67FAC0: ??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E67FAEE
Part of subcall function 6E67FAC0: ?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E67FAF8

??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?,000000FF), ref: 6E67FBDC
?_Increment@CLKRLinearHashTable_Iterator@@IAE_N_N@Z.IISUTIL(00000001,000000FF), ref: 6E67FBE5

Part of subcall function 6E67F740: ?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(?,?,?,?,?,6E67BBA7,00000001), ref: 6E67F754

??9CLKRLinearHashTable_Iterator@@QBE_NABV0@@Z.IISUTIL(000000FF,00000001,000000FF), ref: 6E67FC07
?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF,00000001,000000FF), ref: 6E67FC47

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinear$Table_$Iterator@@$Ref@$V0@@$Find@Increment@Iterator@@@Table@@
String ID:
API String ID: 98911004-0
Opcode ID: a73a941a87c3d56e66950e7c9071ab15c6e0804912067dda4caf2abb80beeaa8
Instruction ID: d65a06383ba199730fefcfcd21ef7c28eec806a068da51ac2053ad9a501050e5
Opcode Fuzzy Hash: a73a941a87c3d56e66950e7c9071ab15c6e0804912067dda4caf2abb80beeaa8
Instruction Fuzzy Hash: 3731B4301083459FCB11DFB8C450AAFFBE5AF89314F144A5EE8A5C7291DB30D905CB96

Function 6E687205 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 6E687219
strrchr.MSVCRT ref: 6E68722A
strrchr.MSVCRT ref: 6E68723B
GetCurrentProcessId.KERNEL32(?,?,?,?), ref: 6E687279
sprintf_s.MSVCRT ref: 6E687294

Strings

%s:%lu %s:%08p PID:%lu, xrefs: 6E68728D

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: strrchr$CurrentProcesssprintf_s
String ID: %s:%lu %s:%08p PID:%lu
API String ID: 2293823197-3581873366
Opcode ID: d92901c3b40149ed4d2caec909d6b10ed7e45905fee51dd965565559f47a2bb7
Instruction ID: 2d5fdce822a4a50eb9c8be5bbb1ab76e899c41b661a86d7b76451131963a6430
Opcode Fuzzy Hash: d92901c3b40149ed4d2caec909d6b10ed7e45905fee51dd965565559f47a2bb7
Instruction Fuzzy Hash: C9113A36A08601AFDB298E999C1496B7B69DF87370B24425AFD01D7381D6B1AC0186B0

Function 6E694BB0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6E694BD5
?Resize@BUFFER@@QAE_NKK@Z.IISUTIL(?,?), ref: 6E694BF2
GetLastError.KERNEL32(?,?), ref: 6E694BFB
_vsnwprintf_s.MSVCRT ref: 6E694C2D
?AppendData@W3_TRACE_LOG_FACTORY@@QAEJPAXK@Z.IISUTIL(?,?), ref: 6E694C49
?ClearBuffer@W3_TRACE_LOG@@QAEXXZ.IISUTIL ref: 6E694C52
LeaveCriticalSection.KERNEL32(?), ref: 6E694C65

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$AppendBuffer@ClearData@EnterErrorLastLeaveResize@_vsnwprintf_s
String ID:
API String ID: 1925519508-0
Opcode ID: 0a623537b46aa59d17d3e3387df321e1074efc661965f1d1f22ddd65290b5dcf
Instruction ID: f43b1c154a52972aa52682d3ecdf19b6ce801eecf4bfac6418293b29c8c4958b
Opcode Fuzzy Hash: 0a623537b46aa59d17d3e3387df321e1074efc661965f1d1f22ddd65290b5dcf
Instruction Fuzzy Hash: AC21C972900A17EFC7008FE5C8C4A9AB7ACFF49328B054526E928D7900D774F866DBD0

Function 6E682170 Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000002,?,?,?), ref: 6E682185
GetLastError.KERNEL32 ref: 6E682192
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E6821A2
?GetData@MB@@QAEHPBGKKKPAXPAKK@Z.IISUTIL(?,?,?,00000002,?,?,?), ref: 6E6821C2
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL(?,?,?,00000002,?,?,?), ref: 6E6821CD
SetLastError.KERNEL32(00000000), ref: 6E682201

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$Buffer@Data@Resize@SyncWith
String ID:
API String ID: 2043091418-0
Opcode ID: 2e810fe8da569f442b0553d99c643b3f11ec9d01735dbb11d633d711583910a0
Instruction ID: 84c8d2bf712b020d4748ff8bd77c8b3ea383d6fc838d34b6241c1092cf4a2bb8
Opcode Fuzzy Hash: 2e810fe8da569f442b0553d99c643b3f11ec9d01735dbb11d633d711583910a0
Instruction Fuzzy Hash: FB11C231644109FBCF155EE5CC18EAF3BAAAB4A310F10481AFF52D3250DB31DA559B71

Function 6E688200 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,000000CC,ScheduleWorkItem,ScheduleWorkItem: callback=%p context=%p time=%d periodic=%d Com=%d,?,?,?,?,00000001), ref: 6E688253
EnterCriticalSection.KERNEL32(6E6A8668), ref: 6E688263
LeaveCriticalSection.KERNEL32(6E6A8668,?,?,?,00000001,00000000), ref: 6E688290

Strings

ScheduleWorkItem: callback=%p context=%p time=%d periodic=%d Com=%d, xrefs: 6E688239
inetsrv\iis\iisrearc\core\common\util\sched.cxx, xrefs: 6E688248
ScheduleWorkItem, xrefs: 6E68823E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterLeavePrint
String ID: ScheduleWorkItem$ScheduleWorkItem: callback=%p context=%p time=%d periodic=%d Com=%d$inetsrv\iis\iisrearc\core\common\util\sched.cxx
API String ID: 1203512206-298956573
Opcode ID: 83b6cb0cf55dea48bca216462744ff94409711755044863197e60c78060c07b4
Instruction ID: 3b5ab75abd3275390a7e2b92a750819d87cb8cb66907d35a0bac23f75bdfb0b2
Opcode Fuzzy Hash: 83b6cb0cf55dea48bca216462744ff94409711755044863197e60c78060c07b4
Instruction Fuzzy Hash: CE01F5326C0605BBDF214ECADC04FEE3B26EB9A755F040415FA046F2A0C372A86197A0

Function 6E686DD1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%TEMP%\iisexpress\,?,?,?,6E6A8630,6E686F36), ref: 6E686DEA
?Resize@STRU@@QAEJK@Z.IISUTIL(?,?,6E6A8630,6E686F36), ref: 6E686E09

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

ExpandEnvironmentStringsW.KERNEL32(%TEMP%\iisexpress\,?,?,?,6E6A8630,6E686F36), ref: 6E686E1C
GetLastError.KERNEL32(?,6E6A8630,6E686F36), ref: 6E686E2F
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL(?,6E6A8630,6E686F36), ref: 6E686E45

Strings

%TEMP%\iisexpress\, xrefs: 6E686DDE, 6E686DE9, 6E686E1B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: EnvironmentErrorExpandLastResize@Strings$Buffer@SyncWith
String ID: %TEMP%\iisexpress\
API String ID: 2030749382-154721167
Opcode ID: cc0206608a446847ab1beedeb6fc02f397de8448b403daf8cc91e827d25a547e
Instruction ID: 1e3528120103a753c559870ce5cda93318598c99bfbc746c4df5ede343a2c56a
Opcode Fuzzy Hash: cc0206608a446847ab1beedeb6fc02f397de8448b403daf8cc91e827d25a547e
Instruction Fuzzy Hash: 210184317789129BDB6456AED86CA7F37DAAB8AB003000B1DA56AC6340DB64D801C770

Function 6E690710 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69071E

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69074E
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata.cxx,000002EB,IPM_MESSAGE_PIPE::IpmMessageCreated,IPM_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d,00000002), ref: 6E690783

Strings

IPM_MESSAGE_PIPE::IpmMessageCreated, xrefs: 6E69076E
IPM_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d, xrefs: 6E690769
inetsrv\iis\iisrearc\core\common\util\pipedata.cxx, xrefs: 6E690778

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriteWriter$CurrentLock@PrintThreadUnlock@
String ID: IPM_MESSAGE_PIPE::IpmMessageCreated$IPM_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d$inetsrv\iis\iisrearc\core\common\util\pipedata.cxx
API String ID: 2662747778-1942120473
Opcode ID: 18e92bf51e77e8775378d8055cf8857c0b5f75140f9271d5cefcf320c687d75d
Instruction ID: 435d4a28f09efe0b9020266352c1c96bb85397c6dbac022d5eea2741eec00984
Opcode Fuzzy Hash: 18e92bf51e77e8775378d8055cf8857c0b5f75140f9271d5cefcf320c687d75d
Instruction Fuzzy Hash: C301F2B104020AABCB10CF95EC44E6AFB68FF52368704802AE8099F351D731E952CBD4

Function 6E692490 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E69249E

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E6924CE
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx,00000252,IPM2_MESSAGE_PIPE::IpmMessageCreated,IPM2_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d,00000002), ref: 6E692503

Strings

IPM2_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d, xrefs: 6E6924E9
inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx, xrefs: 6E6924F8
IPM2_MESSAGE_PIPE::IpmMessageCreated, xrefs: 6E6924EE

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriteWriter$CurrentLock@PrintThreadUnlock@
String ID: IPM2_MESSAGE_PIPE::IpmMessageCreated$IPM2_MESSAGE_PIPE::IpmMessageCreated m_cMessages = %d$inetsrv\iis\iisrearc\core\common\util\pipedata2.cxx
API String ID: 2662747778-3679261160
Opcode ID: 75ffeb62316ec2958b8cd0e866d7150e17409eb9ad403fee6ca32c8a61a1173f
Instruction ID: 0e738420219f68521b130b82a632452465abe6b1b3b2b419b85e3098e148a5b7
Opcode Fuzzy Hash: 75ffeb62316ec2958b8cd0e866d7150e17409eb9ad403fee6ca32c8a61a1173f
Instruction Fuzzy Hash: 2001F27215010AAFCB10CF95EC04E6ABB68FF42368704802AE8099F392D731E956CBD4

Function 6E686050 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?), ref: 6E686081
CloseHandle.KERNEL32(?,?,?), ref: 6E68608D
GetLastError.KERNEL32(?,?), ref: 6E686097
sprintf_s.MSVCRT ref: 6E6860B7
OutputDebugStringA.KERNEL32(?), ref: 6E6860C7

Strings

CloseDbgPrintFile() : CloseHandle( %p) failed. Error = %d, xrefs: 6E6860AC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: BuffersCloseDebugErrorFileFlushHandleLastOutputStringsprintf_s
String ID: CloseDbgPrintFile() : CloseHandle( %p) failed. Error = %d
API String ID: 148034369-3431656766
Opcode ID: 7b3e78420b4b51d9abeb6a9ac0139b21c00654fbaa0103cae365c9ab3b3e2659
Instruction ID: fd938b68f0991e74da0e9f0810f806fbb8a32ecfab7b25a351fdc158ba9b18de
Opcode Fuzzy Hash: 7b3e78420b4b51d9abeb6a9ac0139b21c00654fbaa0103cae365c9ab3b3e2659
Instruction Fuzzy Hash: 8201BE71A54A04EBCB21AFB9CD0C99F7778AB45320F100655F755D7280D731A905CB64

Function 6E6874A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(verifier.dll), ref: 6E6874BC
GetProcessHeap.KERNEL32 ref: 6E6874EC
InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A8650,800003E8), ref: 6E687511
DeleteCriticalSection.KERNEL32(6E6A8650), ref: 6E687526

Strings

verifier.dll, xrefs: 6E6874B7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$CountDeleteHandleHeapInitializeModuleProcessSpin
String ID: verifier.dll
API String ID: 257532131-3265496382
Opcode ID: d1d8b437e7b59fcf01fe45d5553365844a1263c6dbf323cbd69792cd6b5c4076
Instruction ID: b724c3b078bfa6764c26694ccc4b9c6799e1b58800f94772e44e2e4806c349ac
Opcode Fuzzy Hash: d1d8b437e7b59fcf01fe45d5553365844a1263c6dbf323cbd69792cd6b5c4076
Instruction Fuzzy Hash: 8D018031FA0A108FDB818FBFE84865EBBA5E797B16720552BE010CB350D730B841CBA0

Function 6E687790 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45registrytimeCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Services\InetInfo\Parameters,00000000,00020019,?,00000001,?,?,6E685B7B), ref: 6E6877AC

Part of subcall function 6E687D48: RegQueryValueExA.ADVAPI32(?,LookasideCleanupInterval,00000000,?,?,00000004), ref: 6E687D6B

RegCloseKey.ADVAPI32(?,00000001,00000384,?,?,6E685B7B), ref: 6E6877E1
CreateTimerQueueTimer.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000010,?,?,6E685B7B), ref: 6E687803

Strings

AcacheHonorPageheap, xrefs: 6E6877CB
LookasideCleanupInterval, xrefs: 6E6877B9
System\CurrentControlSet\Services\InetInfo\Parameters, xrefs: 6E6877A2

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Timer$CloseCreateOpenQueryQueueValue
String ID: AcacheHonorPageheap$LookasideCleanupInterval$System\CurrentControlSet\Services\InetInfo\Parameters
API String ID: 2617051454-4086790903
Opcode ID: 06c68e2d41e5d8088d41bab6465ef603b48e049740d7e06c39807f4c3b13e07c
Instruction ID: 223995e8f1ba001ccd8f8337bde13ba59d8aa54d1c70f03293d4a84a48285f5f
Opcode Fuzzy Hash: 06c68e2d41e5d8088d41bab6465ef603b48e049740d7e06c39807f4c3b13e07c
Instruction Fuzzy Hash: 600181B1F80205BBEB204AE58D49F6B776CDB41B15F100565BA14FE3C0D670BD009660

Function 6E68C1C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx,00000099,StartIISAdminMonitor,Can not create startup complete event for monitoring the inetinfo process, hr = %08x), ref: 6E68C245
CloseHandle.KERNEL32(00000000), ref: 6E68C2B3
CloseHandle.KERNEL32(?), ref: 6E68C2C9

Strings

StartIISAdminMonitor, xrefs: 6E68C1EC
Can not create startup complete event for monitoring the inetinfo process, hr = %08x, xrefs: 6E68C1E7
inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx, xrefs: 6E68C23A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseHandle$Print
String ID: Can not create startup complete event for monitoring the inetinfo process, hr = %08x$StartIISAdminMonitor$inetsrv\iis\iisrearc\core\common\util\adminmonitor.cxx
API String ID: 1935847771-2918852286
Opcode ID: 2ccd4a577cc22089cb25b2c73dfabecfd5ed9fcad5a6cf55a37288916506a21f
Instruction ID: 39b14af6f94a210be7a3f89b7b61e850bc3881b5ca6c0e3c367eab1b571273f8
Opcode Fuzzy Hash: 2ccd4a577cc22089cb25b2c73dfabecfd5ed9fcad5a6cf55a37288916506a21f
Instruction Fuzzy Hash: 4901A276E85B6197DB158EDAAC2871F7B94ABD2B12F00072AAC417F390D320980596F3

Function 6E68857D Relevance: 10.5, APIs: 7, Instructions: 40sleeptimeCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(6E6A8668,00000000,00000000,6E6A8668,6E68816A), ref: 6E68858A
Sleep.KERNEL32(00000064), ref: 6E688596
EnterCriticalSection.KERNEL32(6E6A8668), ref: 6E6885A2
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E6885B3
DeleteTimerQueueEx.KERNEL32(?,000000FF), ref: 6E6885BC
EnterCriticalSection.KERNEL32(6E6A8668), ref: 6E6885C9
FreeLibrary.KERNEL32(?), ref: 6E6885DB

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteFreeLibraryQueueSleepTimer
String ID:
API String ID: 1513721479-0
Opcode ID: 520a35781bee494ac50e7914b5f8859f9187e2cf3dda6b0a6b261cbf5b4ec28d
Instruction ID: 5c692194379c0f3921f753e35b7b257bb20b2a047dba784caf06a918173a72cd
Opcode Fuzzy Hash: 520a35781bee494ac50e7914b5f8859f9187e2cf3dda6b0a6b261cbf5b4ec28d
Instruction Fuzzy Hash: 55F0A472D41951BFCB401FAADC4C85EBB64EF477223444A2BF21597250C7346C60CBA1

Function 6E6854F1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34threadCOMMON

Download Yara Rule

APIs

PuCreateDebugPrintsObject.IISUTIL(iisutil,00000001), ref: 6E685503

Part of subcall function 6E685CB0: InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A8630,00000014), ref: 6E685CCA
Part of subcall function 6E685CB0: GlobalAlloc.KERNEL32(00000040,00000288), ref: 6E685CE1
Part of subcall function 6E685CB0: strcpy_s.MSVCRT ref: 6E685D0B
Part of subcall function 6E685CB0: GetStdHandle.KERNEL32(000000F4), ref: 6E685D5D
Part of subcall function 6E685CB0: GetStdHandle.KERNEL32(000000F5), ref: 6E685D77

OutputDebugStringA.KERNEL32(Unable to Create Debug Print Object ), ref: 6E685516
DisableThreadLibraryCalls.KERNEL32(?), ref: 6E685531
PuDeleteDebugPrintsObject.IISUTIL ref: 6E685553

Strings

Unable to Create Debug Print Object , xrefs: 6E685511
iisutil, xrefs: 6E6854FE

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Debug$HandleObjectPrints$AllocCallsCountCreateCriticalDeleteDisableGlobalInitializeLibraryOutputSectionSpinStringThreadstrcpy_s
String ID: Unable to Create Debug Print Object $iisutil
API String ID: 4034549691-2396372187
Opcode ID: d0bea5a09c2f0d011254f0d79df3de6e8e5f221b5e5454d24b0bebf8092491bb
Instruction ID: 211d04bf47e8f73d2cb6dc52dfe26c0c311707948144736ba61d314ee1cd8049
Opcode Fuzzy Hash: d0bea5a09c2f0d011254f0d79df3de6e8e5f221b5e5454d24b0bebf8092491bb
Instruction Fuzzy Hash: D0F0F670455645DBEF509FFAD80CB8F33AA9703304F444427E0068B222EB309550CEB7

Function 6E688180 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\sched.cxx,0000008B,SchedulerTerminate,SchedulerTerminate: inits=%d, uninits=%d,6E685C6D), ref: 6E6881BB

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

EnterCriticalSection.KERNEL32(6E6A8668,6E6A915C,6E685C6D), ref: 6E6881CA
LeaveCriticalSection.KERNEL32(6E6A8668), ref: 6E6881E9

Strings

SchedulerTerminate, xrefs: 6E6881A6
inetsrv\iis\iisrearc\core\common\util\sched.cxx, xrefs: 6E6881B0
SchedulerTerminate: inits=%d, uninits=%d, xrefs: 6E6881A1

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterFreeInternal@LeaveMemoryPrint
String ID: SchedulerTerminate$SchedulerTerminate: inits=%d, uninits=%d$inetsrv\iis\iisrearc\core\common\util\sched.cxx
API String ID: 3087881159-2265624951
Opcode ID: 91daf410db69d7323e51bed8b90c6772359b9f1cc5ebcc343fa3d86109298d1a
Instruction ID: 50a4a291cf85e364d830e6096464c8dc3d504916b847340ec23d634d74997396
Opcode Fuzzy Hash: 91daf410db69d7323e51bed8b90c6772359b9f1cc5ebcc343fa3d86109298d1a
Instruction Fuzzy Hash: B4F0A731D954416BDF016FAEF80899E3725EF572097445029F5416B326CB212951DB64

Function 6E68AF60 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

FreeWellKnownSid.IISUTIL ref: 6E68AF66

Part of subcall function 6E68ABD0: GlobalFree.KERNEL32(?), ref: 6E68ABE0

FreeWellKnownSid.IISUTIL(?), ref: 6E68AF6F
FreeWellKnownSid.IISUTIL(?), ref: 6E68AF78
FreeWellKnownSid.IISUTIL(?), ref: 6E68AF81
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68AF8F

Part of subcall function 6E6823C0: GetProcessHeap.KERNEL32(00000000,?), ref: 6E6823C5
Part of subcall function 6E6823C0: HeapFree.KERNEL32(00000000), ref: 6E6823CC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Free$KnownWell$Heap$GlobalInternal@MemoryProcess
String ID:
API String ID: 3091046390-0
Opcode ID: 9efe2757af787b98ca5ec78d0bd49681bb23aa43977672067383aefe18ef1592
Instruction ID: f1de4b8b0c52f2f1f41c98828b1fc6090bca117cb61194ed644c1d36a5aabf55
Opcode Fuzzy Hash: 9efe2757af787b98ca5ec78d0bd49681bb23aa43977672067383aefe18ef1592
Instruction Fuzzy Hash: E1F0A0B18106506BCB61DBE0C458FCB37AEAF15318F940C89D58A83480CB39E845D735

Function 6E67E330 Relevance: 9.2, APIs: 6, Instructions: 176COMMON

Download Yara Rule

APIs

?ReadOrWriteLock@CReaderWriterLock3@@QAE_NXZ.IISUTIL ref: 6E67E356
?IsValid@CLKRLinearHashTable@@QBE_NXZ.IISUTIL ref: 6E67E360
?_ReadOrWriteUnlock@CLKRLinearHashTable@@ABEX_N@Z.IISUTIL(?), ref: 6E67E36E
?ReadLock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67E3B4

Part of subcall function 6E67ACB0: ?_LockSpin@CReaderWriterLock2@@AAEX_N@Z.IISUTIL(00000000), ref: 6E67ACE7

?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67E4CE
?_ReadOrWriteUnlock@CLKRLinearHashTable@@ABEX_N@Z.IISUTIL(?), ref: 6E67E504

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Read$ReaderWriter$HashLinearTable@@Unlock@Write$Lock2@@Lock3@@Lock@$LockSpin@Valid@
String ID:
API String ID: 3465082978-0
Opcode ID: 0edc12a665aff384cb347fa47418c71935b0cea8d6c099eeeb522880d5a93f8d
Instruction ID: 620bc696ea8b2c499b658bf473a14a6b043b7e5c769104353b0b84c1209258c7
Opcode Fuzzy Hash: 0edc12a665aff384cb347fa47418c71935b0cea8d6c099eeeb522880d5a93f8d
Instruction Fuzzy Hash: D8517031E00229DFCF28CFB8C8955AEB7F5BF89315B15486ED806E7244DB34A984CB84

Function 6E67D420 Relevance: 9.1, APIs: 6, Instructions: 134COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?), ref: 6E67D440

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?,?), ref: 6E67D471
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?), ref: 6E67D479
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?,?), ref: 6E67D4E9
?_DeleteNode@CLKRLinearHashTable@@AAE_NPAVCBucket@@AAPAVCNodeClump@@1AAH@Z.IISUTIL(?,?,00000000,?,?,?,?), ref: 6E67D549
?_Contract@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@XZ.IISUTIL(?,?), ref: 6E67D55B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriteWriter$HashLinearLock2@@Lock3@@Lock@Table@@Unlock@$Bucket@@Clump@@1Contract@CurrentDeleteNodeNode@Thread
String ID:
API String ID: 3403228298-0
Opcode ID: 6e8faac02641b0d04b642c8cb7b1f21271a4249df781ab036ade855f76537381
Instruction ID: f15aea88c27551a3058ca231337e2fa523356ddd56a4658af536e798b47074ea
Opcode Fuzzy Hash: 6e8faac02641b0d04b642c8cb7b1f21271a4249df781ab036ade855f76537381
Instruction Fuzzy Hash: 1951BD71E10A2AEBDF24CF95D894AAEB7B4FF4A318B10445AC845A7605CB30B960CFC4

Function 6E67E570 Relevance: 9.1, APIs: 6, Instructions: 132COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67E5C9
?_FreeNodeClump@CLKRLinearHashTable@@CG_NPAVCNodeClump@@@Z.IISUTIL(?), ref: 6E67E62B
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?), ref: 6E67E637
?_FreeSegment@CLKRLinearHashTable@@ABE_NPAVCSegment@@@Z.IISUTIL(?), ref: 6E67E662
?_FreeSegmentDirectory@CLKRLinearHashTable@@AAE_NXZ.IISUTIL ref: 6E67E67E
?_SetSegVars@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@W4LK_TABLESIZE@@K@Z.IISUTIL(?,00000000), ref: 6E67E6C1

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinearTable@@$Free$Lock2@@NodeReaderWriteWriter$Clump@Clump@@@Directory@Lock@SegmentSegment@Segment@@@Unlock@Vars@
String ID:
API String ID: 529549155-0
Opcode ID: e859f6ddf3c0bde2b56ed6c19418113ffe6f96cf5d0690f1fb39ee0428328a26
Instruction ID: 3d6f81db899ec906b877dc22ea2b84d217f0d110bd1de77a0f239fec95ff2afd
Opcode Fuzzy Hash: e859f6ddf3c0bde2b56ed6c19418113ffe6f96cf5d0690f1fb39ee0428328a26
Instruction Fuzzy Hash: DC417A71E14A1AAFCB64CFA8C5904EEB7B5FB49308B10456ED801A7B50DB31B968CFC4

Function 6E67D640 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?), ref: 6E67D660

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?,?), ref: 6E67D68E
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?), ref: 6E67D696
?_DeleteNode@CLKRLinearHashTable@@AAE_NPAVCBucket@@AAPAVCNodeClump@@1AAH@Z.IISUTIL(?,?,00000000,?,?,?,?), ref: 6E67D6F7

Part of subcall function 6E67D860: ?_FreeNodeClump@CLKRLinearHashTable@@CG_NPAVCNodeClump@@@Z.IISUTIL(?,?,?,?,?,?,?), ref: 6E67D941

?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?,?), ref: 6E67D702
?_Contract@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@XZ.IISUTIL(?,?), ref: 6E67D753

Part of subcall function 6E67F3C0: ?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F3DA
Part of subcall function 6E67F3C0: ?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,00000002), ref: 6E67F3EA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriteWriter$Lock3@@$HashLinearLock@NodeTable@@Unlock@$Lock2@@$Bucket@@Clump@Clump@@1Clump@@@Contract@CurrentDeleteFreeNode@Thread
String ID:
API String ID: 3816320070-0
Opcode ID: f78ff747002d6b1dac6c0fd1ba9fbe46b5091f6483039d19bbe24744c847d10f
Instruction ID: ccb630ba0e768d6465eb0286cb0d6afc38fff662c9b26239e674f43404999964
Opcode Fuzzy Hash: f78ff747002d6b1dac6c0fd1ba9fbe46b5091f6483039d19bbe24744c847d10f
Instruction Fuzzy Hash: 4C41AF71A10A1AEBDF18CF95D9946EEBBB5FF4A310F104959C806A7640DB30BA20CFC4

Function 6E67E1F0 Relevance: 9.1, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

?IsWriteLocked@CReaderWriterLock3@@QBE_NXZ.IISUTIL(00000000), ref: 6E67E218
?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(00000000), ref: 6E67E257
?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(00000000), ref: 6E67E2DE

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriteWriter$Lock2@@$Lock3@@Lock@Locked@Unlock@
String ID:
API String ID: 2347972203-0
Opcode ID: 5c2f9c847fc5a0a5d55a8b8e669a37df65ebdb189e7557bc97584a856b660b30
Instruction ID: fff0099c5b2558f912e41ba6c8cc8fad5932598a859e541612c9b5d8c9524f65
Opcode Fuzzy Hash: 5c2f9c847fc5a0a5d55a8b8e669a37df65ebdb189e7557bc97584a856b660b30
Instruction Fuzzy Hash: BF415E75A00209DFCF61CFA9C894AEEB7B5FF46314F10496ED82297650DB30EA48CB90

Function 6E68A4B8 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(00000000,?,0000000C,00000002,00000000,00000000,?,?,?,?), ref: 6E68A4E3
GetLengthSid.ADVAPI32(?), ref: 6E68A4EE
InitializeAcl.ADVAPI32(00000000,?,00000002), ref: 6E68A511
GetAce.ADVAPI32(00000000,00000000,?), ref: 6E68A528
AddAce.ADVAPI32(00000000,00000002,00000000,?,?), ref: 6E68A53F
GetLastError.KERNEL32 ref: 6E68A55F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorInformationInitializeLastLength
String ID:
API String ID: 1821948656-0
Opcode ID: 3de6f888057c07db26894de64d15c777574dbbac39fe88d187f4ef9c9f89de40
Instruction ID: de42432eccc20f03b60e8146660739c7b1ae72ee7a2cd7674d844995d5151e97
Opcode Fuzzy Hash: 3de6f888057c07db26894de64d15c777574dbbac39fe88d187f4ef9c9f89de40
Instruction Fuzzy Hash: 2A21D331A40119ABEB509EAA8C45ABF77BCFB46754B00001AFD19E7281DB74ED8197B1

Function 6E684471 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,6E6830CE,?,?,?,?,00000000,00000000,?,?,?,?,?,6E68455A,6E6830CE,00000000), ref: 6E6844A7
GetLastError.KERNEL32(?,?,?,?,?,6E68455A,6E6830CE,00000000,00000400,?,6E6830CE,?,?,00000000,?,?), ref: 6E6844B3
WideCharToMultiByte.KERNEL32(?,6E6830CE,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,6E68455A,6E6830CE,00000000), ref: 6E6844CF
?Resize@BUFFER@@QAE_NKK@Z.IISUTIL(00000001,00000080,?,?,?,?,?,6E68455A,6E6830CE,00000000,00000400,?,6E6830CE,?,?,00000000), ref: 6E6844E2
WideCharToMultiByte.KERNEL32(?,6E6830CE,00000000,?,?,?,00000000,00000000,00000001,00000080,?,?,?,?,?,6E68455A), ref: 6E6844FD
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(00000001,?,?,?,?,?,6E68455A,6E6830CE,00000000,00000400,?,6E6830CE,?,?,00000000), ref: 6E68450F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ByteCharMultiWide$Resize@$ErrorLast
String ID:
API String ID: 726980417-0
Opcode ID: dcc7174b6ee3db3105d416d89a3592d4247ebc8f063c113aa5d8ba55dfa96689
Instruction ID: 8192d39d83c0dddf08edef7130cf1bdfd8551a96fad8c4b6f872b665fdd299ce
Opcode Fuzzy Hash: dcc7174b6ee3db3105d416d89a3592d4247ebc8f063c113aa5d8ba55dfa96689
Instruction Fuzzy Hash: 9921AC71600616BFEB158EA9DC48E7F7BAEEF0A320B000616FD1897650DB71EC118BB1

Function 6E685CB0 Relevance: 9.1, APIs: 6, Instructions: 79stringmemoryCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6E6A8630,00000014), ref: 6E685CCA
GlobalAlloc.KERNEL32(00000040,00000288), ref: 6E685CE1
strcpy_s.MSVCRT ref: 6E685D0B
strncpy_s.MSVCRT ref: 6E685D1E
GetStdHandle.KERNEL32(000000F4), ref: 6E685D5D
GetStdHandle.KERNEL32(000000F5), ref: 6E685D77

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Handle$AllocCountCriticalGlobalInitializeSectionSpinstrcpy_sstrncpy_s
String ID:
API String ID: 2471745371-0
Opcode ID: af21f297baf4c486529d9d42a0f2bec2b52a9f0ba3b85be61e5748815c85f9cf
Instruction ID: 6a435b5be6806fb779b8c4c33a690dc2d2d0347ca3f3c709860baff647c9aeb6
Opcode Fuzzy Hash: af21f297baf4c486529d9d42a0f2bec2b52a9f0ba3b85be61e5748815c85f9cf
Instruction Fuzzy Hash: 89210531984B02ABDB605FB9CC8CB977BA4EB03724F20471DE9AA962D0D731A505CB60

Function 6E683020 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

ConvertUnicodeToMultiByte.IISUTIL(?,?,00000000,?), ref: 6E683054
GetLastError.KERNEL32(?,?,00000000,?), ref: 6E68305E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ByteConvertErrorLastMultiUnicode
String ID:
API String ID: 1971560109-0
Opcode ID: 99aac8b803b095cbe8136ae1d23e256ed253d5a1337709f1efb06e660e49a6fd
Instruction ID: a99c2dad061017734e9547bc3d2e6f48f7e809e3b125bbe111ed015c7531f459
Opcode Fuzzy Hash: 99aac8b803b095cbe8136ae1d23e256ed253d5a1337709f1efb06e660e49a6fd
Instruction Fuzzy Hash: 5D21B171840228DBCB208EB5CC48BDF7BB8BB05714F108996E859D7280EB3599449BB5

Function 6E68A710 Relevance: 9.1, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 6E68A73A
GetLastError.KERNEL32(?), ref: 6E68A744
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 6E68A77B
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E68A78A
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?,?), ref: 6E68A798
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 6E68A7B8

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: AccountLookupResize@$ErrorInformationLastToken
String ID:
API String ID: 2159639388-0
Opcode ID: 8c33b8acb4e4338b0d47cf83c0143371f0afe3a3899cbd0c9cc718f00c94419e
Instruction ID: 7de4e0ec6541bcadb01dab6b2997401b11ef83e66bab719b0da4e5fb47487685
Opcode Fuzzy Hash: 8c33b8acb4e4338b0d47cf83c0143371f0afe3a3899cbd0c9cc718f00c94419e
Instruction Fuzzy Hash: 15211B36A00549AFDF41CFE5C844EEFBBB9FB09704F004519A945EB184E735A915EB60

Function 6E68BF70 Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 6E68BF9E
GetLastError.KERNEL32 ref: 6E68BFA8
GetLastError.KERNEL32 ref: 6E68BFB3
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 6E68BFE2
GetLastError.KERNEL32 ref: 6E68BFEC
FreeTokenUserSID.IISUTIL(?), ref: 6E68C008

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastToken$Information$FreeUser
String ID:
API String ID: 4087759212-0
Opcode ID: 1168a035c1550466c6bad7a35efb60462ecb2f24557392ac016ceb756c663894
Instruction ID: 85cd3b4339e17a028f0ac85be6b8d50d828e7d6e354d89cd145f72490f543adf
Opcode Fuzzy Hash: 1168a035c1550466c6bad7a35efb60462ecb2f24557392ac016ceb756c663894
Instruction Fuzzy Hash: 27117236540118BFDB118F9AC804A9FBBB8EB467A4F114156F805DB240D7719A40DBB1

Function 6E68B530 Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000004,00000000,00000000,?), ref: 6E68B55E
GetLastError.KERNEL32 ref: 6E68B568
GetLastError.KERNEL32 ref: 6E68B573
GetTokenInformation.ADVAPI32(?,00000004,00000000,?,?), ref: 6E68B5A2
GetLastError.KERNEL32 ref: 6E68B5AC
FreeTokenUserSID.IISUTIL(?), ref: 6E68B5C8

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLastToken$Information$FreeUser
String ID:
API String ID: 4087759212-0
Opcode ID: b937a4b434748666e76aa3e6b99536e0d0da279dcc2c612a5ede2f5380296fcb
Instruction ID: d116b05859574612a9b7b6d5b3381c45c1e6a191dbdd6d39b4fc40a06d6f3e08
Opcode Fuzzy Hash: b937a4b434748666e76aa3e6b99536e0d0da279dcc2c612a5ede2f5380296fcb
Instruction Fuzzy Hash: D311AF7A940218FFCB218F9AD804A9FBBB9EF46760B104027F805D7248DB709A0097B1

Function 6E686A00 Relevance: 9.1, APIs: 6, Instructions: 70filestringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 6E686A0F
GetLastError.KERNEL32 ref: 6E686A17
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6E686A55
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6E686A78
OutputDebugStringA.KERNEL32(?), ref: 6E686AA2
SetLastError.KERNEL32(?), ref: 6E686AAB

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorFileLastWrite$DebugOutputStringstrrchr
String ID:
API String ID: 555555021-0
Opcode ID: a1babaca24b18134c1b7338e799a328bb1b265070631c5961801344e424df509
Instruction ID: b99432f6193946241814542ad520d48a365084aee30bcd726dc0234538ea286e
Opcode Fuzzy Hash: a1babaca24b18134c1b7338e799a328bb1b265070631c5961801344e424df509
Instruction Fuzzy Hash: EB21C031560705BBDB518AB5C89CFAF7BA8EF43325F108A1DF86A92280CB316804C770

Function 6E68F3B9 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

isxdigit.MSVCRT ref: 6E68F3CF
isxdigit.MSVCRT ref: 6E68F3DF
isalpha.MSVCRT ref: 6E68F3EF
toupper.MSVCRT ref: 6E68F3FF
isalpha.MSVCRT ref: 6E68F423
toupper.MSVCRT ref: 6E68F433

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: isalphaisxdigittoupper
String ID:
API String ID: 4256377175-0
Opcode ID: f061a8032f0751f745f76b6cced2b1d0135cd416203138f12d6d6e8f8666a985
Instruction ID: 52d1843c06bce7afdf434ccb91781c7756caaf1b1a84c04e80117cd0df8e1cbf
Opcode Fuzzy Hash: f061a8032f0751f745f76b6cced2b1d0135cd416203138f12d6d6e8f8666a985
Instruction Fuzzy Hash: 351106A6488AA75DE7741AFE541C5AB7FDA4F4F222338541BF1F5C1983CA18D042C730

Function 6E67DE70 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

?WriteLock@CLKRHashTable@@QAEXXZ.IISUTIL ref: 6E67DE93
?IsValid@CLKRHashTable@@QBE_NXZ.IISUTIL ref: 6E67DEA1
?_ApplyIf@CLKRLinearHashTable@@AAEKP6G?AW4LK_PREDICATE@@PBXPAX@ZP6G?AW4LK_ACTION@@01@Z1W4LK_LOCKTYPE@@AAW42@@Z.IISUTIL(?,?,?,00000002,00000003), ref: 6E67DEC8
?WriteUnlock@CLKRHashTable@@QBEXXZ.IISUTIL ref: 6E67DEF0

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashTable@@$Write$ApplyLinearLock@N@@01@Unlock@Valid@W42@@
String ID:
API String ID: 3643287014-0
Opcode ID: 726f541788007ff27e3f9e82b06b23c66d1969c858db90bc6cd600f739a0c354
Instruction ID: fe84f656a649515206637c0271bad44405e7ce8bd44bdad55a3e66866e2720fc
Opcode Fuzzy Hash: 726f541788007ff27e3f9e82b06b23c66d1969c858db90bc6cd600f739a0c354
Instruction Fuzzy Hash: 26110231502209EFDFB3DEC4D96089F33B9BB93398B100D2AE4A102150D7715A54DF72

Function 6E683850 Relevance: 9.1, APIs: 6, Instructions: 59windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(000013FF,00000000,?,?,?,00000400,00000000), ref: 6E683891
?Copy@STRA@@QAEJPBDK@Z.IISUTIL(?,00000000), ref: 6E6838A4
LocalFree.KERNEL32(?), ref: 6E6838B1
GetModuleHandleA.KERNEL32(?,?,?,00000140), ref: 6E6838C9
LoadStringA.USER32(00000000), ref: 6E6838D0
?Copy@STRA@@QAEJPBDK@Z.IISUTIL(?,00000000), ref: 6E6838E4

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Copy@$FormatFreeHandleLoadLocalMessageModuleString
String ID:
API String ID: 781821437-0
Opcode ID: a7f1a3a523c06b3179e429451fd994b5e2218f6c70574b03c15a01a2d42bae6e
Instruction ID: 62e4ddb819022cefebbe3f1dda5d87f4a6011a856889e682970f16d0b564173e
Opcode Fuzzy Hash: a7f1a3a523c06b3179e429451fd994b5e2218f6c70574b03c15a01a2d42bae6e
Instruction Fuzzy Hash: 65115171A40219ABDF618EA6CC08EEF7B7DEB45360F000469B909E6260DB319D40DBA4

Function 6E67DD50 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

?WriteLock@CLKRHashTable@@QAEXXZ.IISUTIL ref: 6E67DD73
?IsValid@CLKRHashTable@@QBE_NXZ.IISUTIL ref: 6E67DD81
?_Apply@CLKRLinearHashTable@@AAEKP6G?AW4LK_ACTION@@PBXPAX@Z1W4LK_LOCKTYPE@@AAW4LK_PREDICATE@@@Z.IISUTIL(?,?,?,00000003), ref: 6E67DDA5
?WriteUnlock@CLKRHashTable@@QBEXXZ.IISUTIL ref: 6E67DDCD

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashTable@@$Write$Apply@E@@@LinearLock@Unlock@Valid@
String ID:
API String ID: 2497635140-0
Opcode ID: 7e10de008082ca3635ab4364eafcb1432a27bd451c4353930d722b764817e844
Instruction ID: 5b13c93067269071feb4b7772e7f78f2273501452da4c6d04c1367b8d64a4274
Opcode Fuzzy Hash: 7e10de008082ca3635ab4364eafcb1432a27bd451c4353930d722b764817e844
Instruction Fuzzy Hash: F811CE31501609EFCF718ED5C9648AF73BAFB83328F200E6AD45513190EB726A44CFA1

Function 6E67DDF0 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67DE19
?IsValid@CLKRLinearHashTable@@QBE_NXZ.IISUTIL ref: 6E67DE27
?_ApplyIf@CLKRLinearHashTable@@AAEKP6G?AW4LK_PREDICATE@@PBXPAX@ZP6G?AW4LK_ACTION@@01@Z1W4LK_LOCKTYPE@@AAW42@@Z.IISUTIL(?,?,?,00000002,00000003), ref: 6E67DE42
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67DE51

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinearLock3@@ReaderTable@@WriteWriter$ApplyLock@N@@01@Unlock@Valid@W42@@
String ID:
API String ID: 3966522376-0
Opcode ID: cf8bc33b4a71e0a69e259aaca5edced6f894431c40aeb432a3a413530feb7e79
Instruction ID: 72b63ebd86bd034684665260ac929e08b008d0ff507c15fe49670a52c5799782
Opcode Fuzzy Hash: cf8bc33b4a71e0a69e259aaca5edced6f894431c40aeb432a3a413530feb7e79
Instruction Fuzzy Hash: C201D632704149AFCF32CED59D548EF776EEB973A8B000C29E92157140CB319E64DAE2

Function 6E679540 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000000), ref: 6E67955C
?AuxAppend@STRAU@@AAEHPBDIH@Z.IISUTIL(00000000,00000000,00000001,00000000), ref: 6E679570

Part of subcall function 6E683E90: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?,?,00000001), ref: 6E683F3E

?QueryCCH@STRAU@@QAEIXZ.IISUTIL(00000001,00000000), ref: 6E679567

Part of subcall function 6E679790: ?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000001), ref: 6E6797A3

?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000001), ref: 6E67957B
?QueryCCH@STRAU@@QAEIXZ.IISUTIL(00000001,00000001), ref: 6E679586
?AuxAppend@STRAU@@AAEHPBGIH@Z.IISUTIL(00000000,00000000,00000001,00000001), ref: 6E67958F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Query$PrivateStr@$Append@$Resize@
String ID:
API String ID: 2849583579-0
Opcode ID: 66ac50f72dce943278041b76e19450b1a0b0e691e594b1bb5afc1fd9d22d12ac
Instruction ID: 81de8c475ef2218871a679607c5a17d8312c388191a81f055ee514459d2a0c70
Opcode Fuzzy Hash: 66ac50f72dce943278041b76e19450b1a0b0e691e594b1bb5afc1fd9d22d12ac
Instruction Fuzzy Hash: 32F0B43172432027DA1459F55850BBFA7DE8BD136CB05043AE905D7281DAA1AC018378

Function 6E6796B0 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000001), ref: 6E6796C7
?QueryCCH@STRAU@@QAEIXZ.IISUTIL(00000001), ref: 6E6796D0

Part of subcall function 6E679790: ?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000001), ref: 6E6797A3

?Copy@STRAU@@QAEHPBGK@Z.IISUTIL(00000000,00000000,00000001), ref: 6E6796D9

Part of subcall function 6E679670: ?AuxAppend@STRAU@@AAEHPBGIH@Z.IISUTIL(?,?,00000000,?,?,6E679624,?,?), ref: 6E67969F

?QueryCBA@STRAU@@QAEIXZ.IISUTIL ref: 6E6796E0
?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000000), ref: 6E6796EB
?Copy@STRAU@@QAEHPBDK@Z.IISUTIL(00000000,00000000,00000000), ref: 6E6796F4

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Query$PrivateStr@$Copy@$Append@
String ID:
API String ID: 3882590147-0
Opcode ID: 13dabc8bbf61b33af3e7f19125faf77d7fd98001a98e52379460cc632f6dc09f
Instruction ID: 530e63e0b8f604460920013179e2d514b9f5ccde87fb23b0c9de6a174121adde
Opcode Fuzzy Hash: 13dabc8bbf61b33af3e7f19125faf77d7fd98001a98e52379460cc632f6dc09f
Instruction Fuzzy Hash: 6DE0303131821027EA2429FA5C54BEFA7EE9BD13BCF06092AA505D7290DAA05C41C3BC

Function 6E6863AC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_vsnwprintf_s.MSVCRT ref: 6E6863CD
?Resize@STRU@@QAEJK@Z.IISUTIL(00002800,?,?,?,?,?,?,?,?), ref: 6E6863E2

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

_vsnwprintf_s.MSVCRT ref: 6E68640D
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL(?,?,?,?,?,?,?,?), ref: 6E68642C

Strings

[ehn, xrefs: 6E6863B1, 6E6863B7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Resize@_vsnwprintf_s$Buffer@ErrorLastSyncWith
String ID: [ehn
API String ID: 1205860031-1954214788
Opcode ID: 25229885e01a4f0ef298ddaa49042bc9d36217aa6f693f40bc661c481dfd8c07
Instruction ID: e592d8439fb8cf64c3fc1b33d6b312bdd4c8410ec8193ec6865001ad4684b51e
Opcode Fuzzy Hash: 25229885e01a4f0ef298ddaa49042bc9d36217aa6f693f40bc661c481dfd8c07
Instruction Fuzzy Hash: C911A531320901AF87088A6DD845C7F77A9FF8D3243444225FA0AC7BA0EB21EC21DBA4

Function 6E68CEFE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,InitializeIISUtil,00000001), ref: 6E68CF16
_itoa_s.MSVCRT ref: 6E68CF49
SystemTimeToFileTime.KERNEL32(?,?), ref: 6E68CF75
?Write@?$CDataCache@VCDateTime@@@@QAE_NABVCDateTime@@@Z.IISUTIL(?), ref: 6E68CF84

Strings

InitializeIISUtil, xrefs: 6E68CF11

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Time$DateSystem$Cache@DataFileTime@@@Time@@@@Write@?$_itoa_s
String ID: InitializeIISUtil
API String ID: 3152777620-1109337598
Opcode ID: 61af889eb23eef5f571f90fdc66177ab1d51912620ab9586a2e0dcc16ac904ef
Instruction ID: 81137050d048f394069ba471af57f8513e72bef5c9b0faabf2c02ef4dfa549da
Opcode Fuzzy Hash: 61af889eb23eef5f571f90fdc66177ab1d51912620ab9586a2e0dcc16ac904ef
Instruction Fuzzy Hash: 7311A372D409099BDF04DFB9D9889FFB7B9EB46704F10011AE902FB340E671AD058BA5

Function 6E680F00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.KERNEL32(00000000,00000000,00000100,00000000,00000000,001F0003), ref: 6E680F3D

Strings

Maximum spins invalid in constructor for CSharelock, xrefs: 6E680F64
Create semaphore in constructor for CSharelock, xrefs: 6E680F75
Maximum share invalid in constructor for CSharelock, xrefs: 6E680F53
0$gn, xrefs: 6E680F7C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateSemaphore
String ID: 0$gn$Create semaphore in constructor for CSharelock$Maximum share invalid in constructor for CSharelock$Maximum spins invalid in constructor for CSharelock
API String ID: 1078844751-1187431045
Opcode ID: 37f30ee8bd4a3a842100b29bba58f70ed79d376cce90cd36b699802873841ce1
Instruction ID: 5a0831ec58d295b2a6d3847b124e28c2cd5a1d72283ade4cf1d3a6a534b00fdf
Opcode Fuzzy Hash: 37f30ee8bd4a3a842100b29bba58f70ed79d376cce90cd36b699802873841ce1
Instruction Fuzzy Hash: 7A0192B1900709AFDB20CFD9C84099BB7FCEB84710B00C96EB95497300E730EA44CB60

Function 6E682910 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

?Copy@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E682945
?Copy@STRU@@QAEJPBG@Z.IISUTIL(\\?\), ref: 6E682964
?Append@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E682970

Strings

\\?\UNC\, xrefs: 6E68295A
\\?\, xrefs: 6E68297B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Copy@$Append@
String ID: \\?\$\\?\UNC\
API String ID: 727008895-3019864461
Opcode ID: e9724f446518bd3c7b6f17e5f0e0364335bc283fa4f85828599885f1a4cf1978
Instruction ID: 37c614af1555ac3985b99247cee29610e508db6d824ccd69efc7e7c47eaf24c7
Opcode Fuzzy Hash: e9724f446518bd3c7b6f17e5f0e0364335bc283fa4f85828599885f1a4cf1978
Instruction Fuzzy Hash: 8A01F9117546117A9E205FD788109BB7378EB97364B00CC2AED8957280F6A0E9C2C3B1

Function 6E68C3BE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\INetStp,00000000,00020019,?), ref: 6E68C3DD
RegQueryValueExW.ADVAPI32(?,EnableRestart,00000000,?,?,?), ref: 6E68C403
RegCloseKey.ADVAPI32(?), ref: 6E68C420

Strings

EnableRestart, xrefs: 6E68C3FB
SOFTWARE\Microsoft\INetStp, xrefs: 6E68C3D3

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: EnableRestart$SOFTWARE\Microsoft\INetStp
API String ID: 3677997916-1069100440
Opcode ID: 26abeda6126579e68adc0f481837d6e78bdcde3abea7f7e7f4eeef6b16483d8d
Instruction ID: fc2f25aa188dc23327692bda6d2856719a29d5ae18cb0e6e77e985db49261d25
Opcode Fuzzy Hash: 26abeda6126579e68adc0f481837d6e78bdcde3abea7f7e7f4eeef6b16483d8d
Instruction Fuzzy Hash: 42F03C7594420CBFEB108ED9DD899BFB77CEB01299F100266F955A6100E7319E588A61

Function 6E681220 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

_vsnwprintf_s.MSVCRT ref: 6E68124E
PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\irtldbg.cpp,0000001E,IrtlTrace,%ls,?), ref: 6E68127E

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Strings

%ls, xrefs: 6E681267
inetsrv\iis\iisrearc\core\common\util\irtldbg.cpp, xrefs: 6E681273
Close semaphore in destructor for CSharelock, xrefs: 6E6811FF
Wakeup failed in ReleaseLock(), xrefs: 6E6811C3
IrtlTrace, xrefs: 6E68126C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FreeInternal@MemoryPrint_vsnwprintf_s
String ID: %ls$Close semaphore in destructor for CSharelock$IrtlTrace$Wakeup failed in ReleaseLock()$inetsrv\iis\iisrearc\core\common\util\irtldbg.cpp
API String ID: 1735476627-1329658642
Opcode ID: a1373082cdb74e419ac9c82ba36e293895a11270dcfdaf423200d20120e446f9
Instruction ID: fa6506c9176fd53bc6dfbb67d2e002c2c6845d03c8b04e25fa45c25669c08e21
Opcode Fuzzy Hash: a1373082cdb74e419ac9c82ba36e293895a11270dcfdaf423200d20120e446f9
Instruction Fuzzy Hash: CCF021B181014C6BEF019FD8CC00FDE376CEB05314F0001D1B814972D3E6306644CB94

Function 6E689130 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\eventlog.cxx,0000008A,EVENT_LOG::EVENT_LOG, Initializing Event Log for %S[%p],?), ref: 6E689169

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

?LazyInitGetHandleIndex@EVENT_LOG@@CGKPBG@Z.IISUTIL(?), ref: 6E689174

Strings

EVENT_LOG::EVENT_LOG, xrefs: 6E689154
inetsrv\iis\iisrearc\core\common\util\eventlog.cxx, xrefs: 6E68915E
Initializing Event Log for %S[%p], xrefs: 6E68914F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FreeHandleIndex@InitInternal@LazyMemoryPrint
String ID: Initializing Event Log for %S[%p]$EVENT_LOG::EVENT_LOG$inetsrv\iis\iisrearc\core\common\util\eventlog.cxx
API String ID: 1137605292-3820491269
Opcode ID: 0cc98a37fbdc16e23a5ea2a740c3e112ba3f6da3b07f7d88a1a3d749417619dd
Instruction ID: 04f6f156fdcce4d6e3e3f37db66c6d43f43a84b584f707afe0be23b9ae9ed418
Opcode Fuzzy Hash: 0cc98a37fbdc16e23a5ea2a740c3e112ba3f6da3b07f7d88a1a3d749417619dd
Instruction Fuzzy Hash: F0E0D83628021277DF205DD9DC08DCBBF55AF117A8B044021B9887F362DB22AC6297E4

Function 6E68D810 Relevance: 7.6, APIs: 5, Instructions: 97stringtimeCOMMON

Download Yara Rule

APIs

GetDateFormatA.KERNEL32(00000800,80000000,?,00000000,?,0000000F), ref: 6E68D84F
strcat_s.MSVCRT ref: 6E68D85D
GetTimeFormatA.KERNEL32(00000800,8000000C,?,00000000,?,0000000F), ref: 6E68D890
strcat_s.MSVCRT ref: 6E68D8A1
strcpy_s.MSVCRT ref: 6E68D8B5

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Formatstrcat_s$DateTimestrcpy_s
String ID:
API String ID: 3104055937-0
Opcode ID: e02ab39c7a91f568c8109eda9f0387ad3186078b408baffdb660ba4e1d7f6b2e
Instruction ID: ad67b1c1be7aef7fa129b3079c326ff8792e9495b209ca106ec84e822ed8c96e
Opcode Fuzzy Hash: e02ab39c7a91f568c8109eda9f0387ad3186078b408baffdb660ba4e1d7f6b2e
Instruction Fuzzy Hash: 3D31D571A40605AFDB14CFA4C888FAAB7B9FB4A314F14415AE905EB241D771F945CBF0

Function 6E682490 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?,?,?,?,?,?,6E67858A,?,?,?,00000001,00000000), ref: 6E6824E1
GetLastError.KERNEL32(?,?,?,?,?,6E67858A,?,?,?,00000001,00000000), ref: 6E6824EA
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,?,?,?,?,?,?,6E67858A,?,?,?,00000001), ref: 6E682526
GetLastError.KERNEL32(?,?,?,?,?,6E67858A,?,?,?,00000001,00000000), ref: 6E682532
MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,6E67858A,?,?,?,00000001), ref: 6E68254F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide$Resize@
String ID:
API String ID: 3690292982-0
Opcode ID: 5fc701c2da717578a4fe388f5c4da17162374d8df5d384159f84f338bbb7d49d
Instruction ID: 6189a8d0818f293faf94a3b808c31249ff8e53c7a326d7b669fdc8251e2d0d9a
Opcode Fuzzy Hash: 5fc701c2da717578a4fe388f5c4da17162374d8df5d384159f84f338bbb7d49d
Instruction Fuzzy Hash: 33310471780601AFE7108FAACC64A6B37E5FB8A324B04842EFA06C7751FA70D8008771

Function 6E685F10 Relevance: 7.6, APIs: 5, Instructions: 95stringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 6E685F5F
strcpy_s.MSVCRT ref: 6E685F70
strcpy_s.MSVCRT ref: 6E685FB2
strcat_s.MSVCRT ref: 6E685FDA
strcat_s.MSVCRT ref: 6E685FE8

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: strcat_sstrcpy_s$DirectoryWindows
String ID:
API String ID: 555915681-0
Opcode ID: 717b2332da280e7f1e00eec233bf31fc0ba543f70d3fd3fe583182fb7354a90b
Instruction ID: 016fad2b0609cda3f5a0deb70bad86dd5404dd3130d08ae6d9c460e218f1c24f
Opcode Fuzzy Hash: 717b2332da280e7f1e00eec233bf31fc0ba543f70d3fd3fe583182fb7354a90b
Instruction Fuzzy Hash: 6C215A75108602AFDB014F68CC94AEB7B29EF83318F049168E95757602DB32AD4BCFB0

Function 6E686770 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6E6867D8

Part of subcall function 6E686679: strrchr.MSVCRT ref: 6E68668B
Part of subcall function 6E686679: GetCurrentThreadId.KERNEL32 ref: 6E6866B6
Part of subcall function 6E686679: swprintf_s.MSVCRT ref: 6E6866C6
Part of subcall function 6E686679: _vsnwprintf_s.MSVCRT ref: 6E6866ED
Part of subcall function 6E686679: ?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E686702

?AuxAppendWTruncate@STRA@@AAEJPBGKK_N@Z.IISUTIL(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E68684F
SetLastError.KERNEL32(?,?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 6E686867
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E686878
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E686888

Part of subcall function 6E6864E2: WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 6E686579
Part of subcall function 6E6864E2: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68658E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: FreeInternal@Memory$ErrorLast$AppendCurrentFileResize@ThreadTruncate@Write_vsnwprintf_sstrrchrswprintf_s
String ID:
API String ID: 3711176006-0
Opcode ID: 18449b627f498b0d636f55c33dea911b948b75cd29ced14de456cddcb1033989
Instruction ID: f70ccf381021d6c6408c2fd75f246ec930cf4cb253d768b0e761950b5872d6d7
Opcode Fuzzy Hash: 18449b627f498b0d636f55c33dea911b948b75cd29ced14de456cddcb1033989
Instruction Fuzzy Hash: 65314D715183459BDB21CF64C844B9FBBF8BF85314F004D2EF595822A1EB31E548CBA6

Function 6E684140 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

?QueryCCH@STRAU@@QAEIXZ.IISUTIL ref: 6E68414D

Part of subcall function 6E679790: ?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000001), ref: 6E6797A3

GetSystemDefaultLangID.KERNEL32 ref: 6E684180
?QueryCCH@STRAU@@QAEIXZ.IISUTIL ref: 6E6841AF
IsDBCSLeadByteEx.KERNEL32(00000000,00000000), ref: 6E6841C5
?QueryCCH@STRAU@@QAEIXZ.IISUTIL ref: 6E6841DA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Query$ByteDefaultLangLeadPrivateStr@System
String ID:
API String ID: 1747909128-0
Opcode ID: 34e5f0022c5aff226143dbb39affeb19320b8919d260ca49bf81395acde5bc3a
Instruction ID: dce57404a11fff4af168ceb6affa6bce8c364d2bfb9e9bb4ce6547dd57895c23
Opcode Fuzzy Hash: 34e5f0022c5aff226143dbb39affeb19320b8919d260ca49bf81395acde5bc3a
Instruction Fuzzy Hash: 7121CD75A00217AFEB508FE9889857ABBEDFF66215710053FD9D1C3600D7B0D952C7A0

Function 6E68A637 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(00000000,?,0000000C,00000002,00000000,00000000,?,6E68A3E0,?,?), ref: 6E68A666
GetLastError.KERNEL32(?,6E68A3E0,?,?), ref: 6E68A670
GetAce.ADVAPI32(6E68A3E0,00000000,?,00000000,?,6E68A3E0,?,?), ref: 6E68A69A
EqualSid.ADVAPI32(?,?,?,6E68A3E0,?,?), ref: 6E68A6BC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: EqualErrorInformationLast
String ID:
API String ID: 1631938904-0
Opcode ID: 01679122f83c3cc2ef24f99e38095eb83dae5091c346b48c595a0d9787b2aa48
Instruction ID: fb6dc4781d1d815e36048e730683223b99790d8cb95321ba63b0110058714c81
Opcode Fuzzy Hash: 01679122f83c3cc2ef24f99e38095eb83dae5091c346b48c595a0d9787b2aa48
Instruction Fuzzy Hash: 8621A472E405299BDB508F99CD446AFBBB8FB02750F114016EC08A7284D7709880CBF5

Function 6E682C80 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_vsnwprintf_s.MSVCRT ref: 6E682CA2
_vscwprintf.MSVCRT ref: 6E682CB7
?Resize@STRU@@QAEJK@Z.IISUTIL(00000000), ref: 6E682CD7
_vsnwprintf_s.MSVCRT ref: 6E682CF8
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL ref: 6E682D17

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: _vsnwprintf_s$Buffer@Resize@SyncWith_vscwprintf
String ID:
API String ID: 4098323204-0
Opcode ID: 5a88ce1cffc68a96388198c6afd3fedbf6e69bc4f3939f2e7f7213afe61aeb05
Instruction ID: ec10a79f4f39d880f01709a8d94913a00ede7755d97f08e7950c8779e9685f5e
Opcode Fuzzy Hash: 5a88ce1cffc68a96388198c6afd3fedbf6e69bc4f3939f2e7f7213afe61aeb05
Instruction Fuzzy Hash: F421A2712109099FCB198F6DC8159BB77E9FF89720711062DF95AC72A0EB31E811CBA4

Function 6E68B8E0 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 6E68B90D
UuidToStringW.RPCRT4(?,?), ref: 6E68B91F
RpcStringFreeW.RPCRT4(00000000), ref: 6E68B968

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: StringUuid$CreateFree
String ID:
API String ID: 3044360575-0
Opcode ID: 6f481aff2e8112f9f054b888c9b9bc5f55c2be21e804e49ea023edc92285b72d
Instruction ID: e79f943f331f8bb10a342ef34acc80c0614091e45f7eb5958ab2fc2749b72971
Opcode Fuzzy Hash: 6f481aff2e8112f9f054b888c9b9bc5f55c2be21e804e49ea023edc92285b72d
Instruction Fuzzy Hash: 3D118E35A4460AEBDF009FEAC845AEFB7BCAF4A310F400026EA15D7244EB309D41CBE4

Function 6E688C60 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6E67A328), ref: 6E688C6C
ReleaseSemaphore.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,6E67A328), ref: 6E688C9C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6E67A328), ref: 6E688CA7
ReleaseSemaphore.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,6E67A328), ref: 6E688CDB
LeaveCriticalSection.KERNEL32(?,?,?,?,?,6E67A328), ref: 6E688CE9

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$LeaveReleaseSemaphore$Enter
String ID:
API String ID: 1504494084-0
Opcode ID: 84d56ef08b8288d509cda4b1e4abe70902a198d1e0f5de9021883cf8fa7822e5
Instruction ID: 6979f235aa50892593e045af2f907079d3065e9f44eb05686caeedce6dd294a5
Opcode Fuzzy Hash: 84d56ef08b8288d509cda4b1e4abe70902a198d1e0f5de9021883cf8fa7822e5
Instruction Fuzzy Hash: 9B11DD71551F00EF87618F97C809457B7F9FF8A3617500A1EE48B82A24D731E951DF64

Function 6E682EC0 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,?), ref: 6E682EDF
?Resize@STRU@@QAEJK@Z.IISUTIL(?), ref: 6E682EFE

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

ExpandEnvironmentStringsW.KERNEL32(00000000,?,?), ref: 6E682F13
GetLastError.KERNEL32 ref: 6E682F26
?SyncWithBuffer@STRU@@QAEXXZ.IISUTIL ref: 6E682F3C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: EnvironmentErrorExpandLastResize@Strings$Buffer@SyncWith
String ID:
API String ID: 2030749382-0
Opcode ID: ee5e7bf49e53e93494f3b664d081ea0e153d13ffa60c1be0b2d509e761db174d
Instruction ID: e35fbf78d56b0f887458ccd5413a8c972272cf9d6980f497187a1d7a3155cc25
Opcode Fuzzy Hash: ee5e7bf49e53e93494f3b664d081ea0e153d13ffa60c1be0b2d509e761db174d
Instruction Fuzzy Hash: 00019630280917ABDF655AAAC978B6F37D9FB07705B00551CF54ACB760DB20EC11CB64

Function 6E67CA39 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??1ALLOC_CACHE_HANDLER@@QAE@XZ.IISUTIL(00000000,?,6E67CA2B), ref: 6E67CA4B

Part of subcall function 6E687990: ?RemoveItem@ALLOC_CACHE_HANDLER@@SGXPAV1@@Z.IISUTIL ref: 6E6879A3
Part of subcall function 6E687990: ?CleanupLookaside@ALLOC_CACHE_HANDLER@@QAEXH@Z.IISUTIL(00000001), ref: 6E6879AC
Part of subcall function 6E687990: ?QueryDepthForAllSLists@ALLOC_CACHE_HANDLER@@AAEKXZ.IISUTIL(?), ref: 6E6879D8
Part of subcall function 6E687990: PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\acache.cxx,00000244,ALLOC_CACHE_HANDLER::~ALLOC_CACHE_HANDLER,Items in look-aside lists = %u, Pending HeapFree calls = %u,00000000,?), ref: 6E6879F8
Part of subcall function 6E687990: _aligned_free.MSVCRT ref: 6E687A07

??1ALLOC_CACHE_HANDLER@@QAE@XZ.IISUTIL(00000000,?,6E67CA2B), ref: 6E67CA69
??1ALLOC_CACHE_HANDLER@@QAE@XZ.IISUTIL(00000000,?,6E67CA2B), ref: 6E67CA87
??1ALLOC_CACHE_HANDLER@@QAE@XZ.IISUTIL(00000000,?,6E67CA2B), ref: 6E67CAA5
??1ALLOC_CACHE_HANDLER@@QAE@XZ.IISUTIL(00000000,?,6E67CA2B), ref: 6E67CAC3

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CleanupDepthItem@Lists@Lookaside@PrintQueryRemoveV1@@_aligned_free
String ID:
API String ID: 326052421-0
Opcode ID: 2d9cb5e41c66c94ecb4a84d247bd3e23554e11c4ff8eb9526f644122a008e866
Instruction ID: 49944aa0263ad7928dc9bc81bfe8b61d2a91ee7b6032f9930290f5fad58a6253
Opcode Fuzzy Hash: 2d9cb5e41c66c94ecb4a84d247bd3e23554e11c4ff8eb9526f644122a008e866
Instruction Fuzzy Hash: 43019272E42E738B5F65AF9E205479E275C7E5BB14301444EDC39AB3A0CB247C018ADD

Function 6E682210 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000005,?,?,?), ref: 6E682225
GetLastError.KERNEL32 ref: 6E682232
?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E682242
?GetData@MB@@QAEHPBGKKKPAXPAKK@Z.IISUTIL(?,?,?,00000005,?,?,?), ref: 6E682262
?CalcLength@MULTISZ@@SGKPBGPAK@Z.IISUTIL(?,?,?,?,?,00000005,?,?,?), ref: 6E682272

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$CalcData@Length@Resize@
String ID:
API String ID: 3217296047-0
Opcode ID: 568f05340bddeff71f4e1e75ab356069d25e62fdff4f761f800817f28c80d0dd
Instruction ID: c4086233c1433e077b698a7ab8a59b5b4e61d1cac360bb6fd2e7b05b6aa13702
Opcode Fuzzy Hash: 568f05340bddeff71f4e1e75ab356069d25e62fdff4f761f800817f28c80d0dd
Instruction Fuzzy Hash: 15017132550109AF8F159EE9E8149AF7BEAFF4A310B004919F946D3120EB32E9259B70

Function 6E67DCE0 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67DD07
?_Apply@CLKRLinearHashTable@@AAEKP6G?AW4LK_ACTION@@PBXPAX@Z1W4LK_LOCKTYPE@@AAW4LK_PREDICATE@@@Z.IISUTIL(?,?,00000002,00000003), ref: 6E67DD22
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,00000002,00000003), ref: 6E67DD31

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriteWriter$Apply@E@@@HashLinearLock@Table@@Unlock@
String ID:
API String ID: 2523373229-0
Opcode ID: 6cbbf8f507ef59906f6cc36a8c2c8ec1be1e3a9d9b4b608681ce20fa97b2a233
Instruction ID: 2ad2638365b3bc471a1721613a4f90c172883eec8d559864cedbcf046d64828a
Opcode Fuzzy Hash: 6cbbf8f507ef59906f6cc36a8c2c8ec1be1e3a9d9b4b608681ce20fa97b2a233
Instruction Fuzzy Hash: A5F04F72204149EBCF318ED58C04ADFB76EEBC2364F10091AE81056254CBB19A50CFA1

Function 6E684830 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(00000208), ref: 6E68483A

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6E68484D
?SetLen@STRU@@QAE_NK@Z.IISUTIL(00000000), ref: 6E68485E
GetLastError.KERNEL32 ref: 6E684876
GetLastError.KERNEL32 ref: 6E684880

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$Resize@$DirectoryLen@System
String ID:
API String ID: 2259046429-0
Opcode ID: ace4adf80f7d82def40f5b4682638991fee55b9814dc129fc49d2ae6ffbb34f6
Instruction ID: d14b55fbc1b4a46f712e94aba2880e023b8b79818cc49dff97f58269aa0b2d1e
Opcode Fuzzy Hash: ace4adf80f7d82def40f5b4682638991fee55b9814dc129fc49d2ae6ffbb34f6
Instruction Fuzzy Hash: CDF02EF1780AA257EB7049F75C0875F1F9C5B8377971409267019D5250DB9DC4464271

Function 6E6848B0 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(00000208), ref: 6E6848BA

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 6E6848CD
?SetLen@STRU@@QAE_NK@Z.IISUTIL(00000000), ref: 6E6848DE
GetLastError.KERNEL32 ref: 6E6848F6
GetLastError.KERNEL32 ref: 6E684900

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$Resize@$DirectoryLen@SystemWindows
String ID:
API String ID: 294177327-0
Opcode ID: a57bf16279134a5bdb17d821aa0707ee57039f539b9066515d4d571d1425e4b4
Instruction ID: 8d0cba0a1f9545bd0dd0061a3cf1adc5da1e9bfd6e3f2b74bd05826382a80c08
Opcode Fuzzy Hash: a57bf16279134a5bdb17d821aa0707ee57039f539b9066515d4d571d1425e4b4
Instruction Fuzzy Hash: 1DF0597138012287EF300AF74C08B6B178C9B8376870405267159D9150DA9CC883C230

Function 6E684930 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

?Resize@STRU@@QAEJK@Z.IISUTIL(00000208), ref: 6E68493A

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

GetTempPathW.KERNEL32(00000104,?), ref: 6E68494D
?SetLen@STRU@@QAE_NK@Z.IISUTIL(00000000), ref: 6E68495E
GetLastError.KERNEL32 ref: 6E684976
GetLastError.KERNEL32 ref: 6E684980

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$Resize@$Len@PathTemp
String ID:
API String ID: 650645119-0
Opcode ID: 94c561110b8e14d5cd3c23aa90f8af2f812be882c4fa53f00a45c65afc429582
Instruction ID: 00d99f0b7ffa205ff24c2a852255a894005854980b7235f699502f4ab7d4525d
Opcode Fuzzy Hash: 94c561110b8e14d5cd3c23aa90f8af2f812be882c4fa53f00a45c65afc429582
Instruction Fuzzy Hash: 32F052713802228BEF3049F74C08BAF2F9CAB83769B04091AB059C8380DB9DC883C231

Function 6E685DB0 Relevance: 7.5, APIs: 5, Instructions: 28fileCOMMON

Download Yara Rule

APIs

PuCloseDbgMemoryLog.IISUTIL(?), ref: 6E685DBE
PuCloseDbgPrintFile.IISUTIL(?,?), ref: 6E685DC4
SetLastError.KERNEL32(00000000,?,?), ref: 6E685DCE
GlobalFree.KERNEL32(?), ref: 6E685DD7
DeleteCriticalSection.KERNEL32(6E6A8630), ref: 6E685DED

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Close$CriticalDeleteErrorFileFreeGlobalLastMemoryPrintSection
String ID:
API String ID: 2757498885-0
Opcode ID: 397019d92f0d8c464d44ca3edc37d29b3453a418558f5cbb892bc560485298a0
Instruction ID: 56c4c2530a5e88d56c19828ca80f6e5546ccf1a8f7c781aa5e9629ee6c5b1e54
Opcode Fuzzy Hash: 397019d92f0d8c464d44ca3edc37d29b3453a418558f5cbb892bc560485298a0
Instruction Fuzzy Hash: 30E06D319A1A21ABDB111AEE981CB9F776CAB03796F240411F903A6200DB25AD508AFD

Function 6E695140 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

?CopyWTruncate@STRA@@QAEJPBG@Z.IISUTIL(?), ref: 6E6951D6
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E69520C
?CopyToBuffer@STRA@@QBEJPADPAK@Z.IISUTIL(00000000,?), ref: 6E695234

Strings

@, xrefs: 6E695167

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Copy$Buffer@FreeInternal@MemoryTruncate@
String ID: @
API String ID: 960470809-2766056989
Opcode ID: d6553fbd93639cdb0c08b3bb222a7c0047548241c431ed4a3142ec63e2dabc8f
Instruction ID: c06ca6c2bad1c132001e92477eb3088adfd0d956d2f59e299686577d745cc7f4
Opcode Fuzzy Hash: d6553fbd93639cdb0c08b3bb222a7c0047548241c431ed4a3142ec63e2dabc8f
Instruction Fuzzy Hash: 2631A7711087429FD354CFA8C890A5BBBF9EF85324F108D2DE5A5872A0EB31E805DB55

Function 6E687A20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\acache.cxx,0000027A,ALLOC_CACHE_HANDLER::CleanupLookaside,AllocCalls = %ld, LastAllocCount = %ld,?,?,?,00000000,?,6E6878B7,00000000), ref: 6E687A8C

Strings

AllocCalls = %ld, LastAllocCount = %ld, xrefs: 6E687A72
ALLOC_CACHE_HANDLER::CleanupLookaside, xrefs: 6E687A77
inetsrv\iis\iisrearc\core\common\util\acache.cxx, xrefs: 6E687A81

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Print
String ID: ALLOC_CACHE_HANDLER::CleanupLookaside$AllocCalls = %ld, LastAllocCount = %ld$inetsrv\iis\iisrearc\core\common\util\acache.cxx
API String ID: 3558298466-2386008125
Opcode ID: bd1591da02e1ebb619d4dd2ec41c65f05871850576ef3730c58b4d41d43609f5
Instruction ID: 56240e4885a94f94eff9ff439af05b88b4be8829431c165f9fcae2a5b7ddeb58
Opcode Fuzzy Hash: bd1591da02e1ebb619d4dd2ec41c65f05871850576ef3730c58b4d41d43609f5
Instruction Fuzzy Hash: 2901DB32650A029FCF22CEA9D810B57B3B5FB82314F10055DF465DB2A0EB32B541C7A4

Function 6E691E9C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

UnregisterWaitEx.KERNEL32(?,000000FF,?,00000000,6E69377D), ref: 6E691EBB
CloseHandle.KERNEL32(?,?,00000000,6E69377D), ref: 6E691ECC
?IpmMessageDeleted@IPM2_MESSAGE_PIPE@@QAEXPAVIPM2_MESSAGE_IMP@@@Z.IISUTIL(00000000,?,00000000,6E69377D), ref: 6E691EF1

Strings

mi2X, xrefs: 6E691EAA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseDeleted@HandleMessageP@@@UnregisterWait
String ID: mi2X
API String ID: 743827733-667848154
Opcode ID: e72b2a7c3622e079c0c8ca56fe5c44f0a16c3721108857e3f59f91a58b49317d
Instruction ID: 16e1ebba7af4c3dfda97e2608f00c892e6de3c083ff2b263106a6fec451c122a
Opcode Fuzzy Hash: e72b2a7c3622e079c0c8ca56fe5c44f0a16c3721108857e3f59f91a58b49317d
Instruction Fuzzy Hash: 8101FBB1511F029BC7728F6AD904857FBF8BF917213210A2FE4A242AA0DB71B549DF94

Function 6E68FF1C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

UnregisterWaitEx.KERNEL32(?,000000FF,?,00000000,6E6914F0,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E68FF3B
CloseHandle.KERNEL32(?,?,00000000,6E6914F0,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E68FF4C
?IpmMessageDeleted@IPM_MESSAGE_PIPE@@QAEXPAVIPM_MESSAGE_IMP@@@Z.IISUTIL(00000000,?,00000000,6E6914F0,?,?,6E690F8C,00000000,?,?,00000000), ref: 6E68FF71

Strings

mimX, xrefs: 6E68FF2A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseDeleted@HandleMessageP@@@UnregisterWait
String ID: mimX
API String ID: 743827733-451791937
Opcode ID: f4cae63677bfe86a590de3a54eb20aaadb2d9b716a283f527c8f56c27093c0af
Instruction ID: 8820c9dac82d51ab754a1f26ba44f73a5cdc27c5b3ea3f25e4d5a1f13cd6406c
Opcode Fuzzy Hash: f4cae63677bfe86a590de3a54eb20aaadb2d9b716a283f527c8f56c27093c0af
Instruction Fuzzy Hash: 4A014671815F029B87718F6AD904857FBF4BF927203201A2FE4A642A60DB30B849CFA0

Function 6E682990 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

?Copy@STRU@@QAEJPBG@Z.IISUTIL(\??\), ref: 6E6829C9
?Append@STRU@@QAEJPBG@Z.IISUTIL(?), ref: 6E6829D5

Strings

\??\UNC\, xrefs: 6E6829E3
\??\, xrefs: 6E6829BF

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Append@Copy@
String ID: \??\$\??\UNC\
API String ID: 3683307728-1450021133
Opcode ID: 5cdbb156577f583a9cf4b9399841a1edae636020cefd71284621aac9f8375865
Instruction ID: 1144310299802b5e1aaa833e9b67b548299117eaac133369f5d30986349a94a4
Opcode Fuzzy Hash: 5cdbb156577f583a9cf4b9399841a1edae636020cefd71284621aac9f8375865
Instruction Fuzzy Hash: 00F02752A14220668E305AD78C009AB73B9EBA2325700CC27F88897284F6A0E8C1D3F1

Function 6E687CC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29threadCOMMON

Download Yara Rule

APIs

?QueryDepthForAllSLists@ALLOC_CACHE_HANDLER@@AAEKXZ.IISUTIL(?,?,?,6E687CA6,?,?), ref: 6E687CCE

Part of subcall function 6E687C30: QueryDepthSList.KERNEL32(00000000,00000000,?,0000012C,6E6876C7,?,?), ref: 6E687C4E

GetCurrentThreadId.KERNEL32 ref: 6E687CEC
sprintf_s.MSVCRT ref: 6E687D00

Strings

[%d]ALLOC_CACHE_HANDLER[%08p]. Config: ObjSize = %d. Concurrency=%d. Thres=%d. TotalObjs = %d. Calls: Alloc(%d), Free(%d). FreeEntries = %d. FillPattern = 0x%08lX., xrefs: 6E687CF6

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: DepthQuery$CurrentListLists@Threadsprintf_s
String ID: [%d]ALLOC_CACHE_HANDLER[%08p]. Config: ObjSize = %d. Concurrency=%d. Thres=%d. TotalObjs = %d. Calls: Alloc(%d), Free(%d). FreeEntries = %d. FillPattern = 0x%08lX.
API String ID: 3584761850-1337742956
Opcode ID: 8d7c90f3184dfa1dc0c6f156e5afb9682b39f7926a854eef319371c5b78f8633
Instruction ID: 176519d3217e0bf47518c4543918ae8b2e6a327c51d41accede709be09c59d34
Opcode Fuzzy Hash: 8d7c90f3184dfa1dc0c6f156e5afb9682b39f7926a854eef319371c5b78f8633
Instruction Fuzzy Hash: FAF01C32410614BFDF225FE4CC04EABBBAAFF19310F044819FAA692120D7727860DB94

Function 6E694560 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 17COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,0000012B,MULTI_IPM::PipeClosed,Pipe closed! ptr=%p,?), ref: 6E69458F

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Strings

inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx, xrefs: 6E694584
Pipe closed! ptr=%p, xrefs: 6E694575
MULTI_IPM::PipeClosed, xrefs: 6E69457A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FreeInternal@MemoryPrint
String ID: MULTI_IPM::PipeClosed$Pipe closed! ptr=%p$inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx
API String ID: 1659842007-2301539529
Opcode ID: b2418e9e7d1093163601e127683ce701ca17083752ce58be57075ec7665bdf1a
Instruction ID: f52199f8abb8f8e3a587a90c461564887e6827852ba6556fc0750e1ebdafffb8
Opcode Fuzzy Hash: b2418e9e7d1093163601e127683ce701ca17083752ce58be57075ec7665bdf1a
Instruction Fuzzy Hash: 08D02B3100028471DB116DD1DC04F1B3F58C305309F480041B908162E3E323622295D5

Function 6E694520 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON

Download Yara Rule

APIs

PuDbgPrint.IISUTIL(inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx,0000011D,MULTI_IPM::PipeDisconnected,Pipe Disconnected. Use count: %d), ref: 6E69454B

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Strings

MULTI_IPM::PipeDisconnected, xrefs: 6E694536
inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx, xrefs: 6E694540
Pipe Disconnected. Use count: %d, xrefs: 6E694531

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$FreeInternal@MemoryPrint
String ID: MULTI_IPM::PipeDisconnected$Pipe Disconnected. Use count: %d$inetsrv\iis\iisrearc\core\common\util\multi_ipm.cxx
API String ID: 1659842007-2131532264
Opcode ID: 058217761d7006975b51579c77c020071caf157110b2c8ec04a8b7e48ad2423f
Instruction ID: 0b0fa6e38c7635ca520c793d299033ebc72ea975f7d4516f9ddfe3027ef32891
Opcode Fuzzy Hash: 058217761d7006975b51579c77c020071caf157110b2c8ec04a8b7e48ad2423f
Instruction Fuzzy Hash: C6D0A93046118036EF030EA4EC01B193B64DB0230EF5840AAB9106A2F3E3622312AA84

Function 6E682310 Relevance: 6.3, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,6E6822C7,?,?,6E67844D,?), ref: 6E682332
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,6E6822C7,?,?,6E67844D,?), ref: 6E682339
SetLastError.KERNEL32(00000008,?,?,?,?,?,?,6E6822C7,?,?,6E67844D,?), ref: 6E682358

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Heap$AllocErrorLastProcess
String ID:
API String ID: 174111891-0
Opcode ID: 215b3aa621432f1802f5e8277b400e8091aa1b87876aacb5f761b109360b0eba
Instruction ID: c334a8f83b841a724cd84b060743bac7bee71a573d839383a606ef807f288451
Opcode Fuzzy Hash: 215b3aa621432f1802f5e8277b400e8091aa1b87876aacb5f761b109360b0eba
Instruction Fuzzy Hash: B701B172544B00BBDB611FEB8858B4BBBE8FB7F715F00091AE28A97600C672F8059774

Function 6E68ED51 Relevance: 6.2, APIs: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E68EC56: MultiByteToWideChar.KERNEL32(00000000,00000008,?,000000FF,00000000,00000000,80070057,?,?,?,?,6E68ED76,?,80070057,?), ref: 6E68EC74

IsDBCSLeadByte.KERNEL32(?,?,80070057,?), ref: 6E68EDE8
WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000001,?,00000002,00000000,00000000), ref: 6E68EE69
WideCharToMultiByte.KERNEL32(00000000,00000400,?,00000001,?,00000002,00000000,00000000), ref: 6E68EEC8
strrchr.MSVCRT ref: 6E68EF44

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Byte$CharMultiWide$Leadstrrchr
String ID:
API String ID: 2037453698-0
Opcode ID: ec482f37cec47e9cc3a04ae82c5b323c42f96636e9f294a41387098d81e531ef
Instruction ID: 990d4bdecbfa7e0ca2f45b7205e50be98aef6cfa61a749410bd90f291c4abd89
Opcode Fuzzy Hash: ec482f37cec47e9cc3a04ae82c5b323c42f96636e9f294a41387098d81e531ef
Instruction Fuzzy Hash: 18614131E642169FEF48CEB9CC947AFB7F2EB46300F10553AE450D3280E6B89945CB60

Function 6E67EC10 Relevance: 6.1, APIs: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

?_AllocateSegmentDirectory@CLKRLinearHashTable@@CGQAVCDirEntry@@I@Z.IISUTIL(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E67C427,00000001), ref: 6E67ECE7
?_AllocateSegment@CLKRLinearHashTable@@ABEQAVCSegment@@XZ.IISUTIL(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E67C427,00000001), ref: 6E67ED10
?_FreeSegment@CLKRLinearHashTable@@ABE_NPAVCSegment@@@Z.IISUTIL(?,00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E67C427), ref: 6E67ED36
?_FreeSegmentDirectory@CLKRLinearHashTable@@AAE_NXZ.IISUTIL(?,00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E67C427), ref: 6E67ED48

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinearTable@@$AllocateDirectory@FreeSegmentSegment@$Entry@@Segment@@Segment@@@
String ID:
API String ID: 3677430920-0
Opcode ID: 88310aa7dd3dad3178185753d7969f8f0231b104e9c30e295efb01d2f19532f7
Instruction ID: ee42d9ca814b384a866c86a45fd23ba7bd1664cce2d270613657726f7cb27c5c
Opcode Fuzzy Hash: 88310aa7dd3dad3178185753d7969f8f0231b104e9c30e295efb01d2f19532f7
Instruction Fuzzy Hash: 22413771601B028FEB74CF9AC694793BBE5FB96718F00182ED4928BA80D7B5F408CB40

Function 6E67D970 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

?ReadOrWriteLock@CReaderWriterLock3@@QAE_NXZ.IISUTIL(?,?), ref: 6E67D99A

Part of subcall function 6E67B1E0: ?IsWriteLocked@CReaderWriterLock3@@QBE_NXZ.IISUTIL ref: 6E67B1EB
Part of subcall function 6E67B1E0: ?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67B1F6

?ReadLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?), ref: 6E67D9DC
?_ReadOrWriteUnlock@CLKRLinearHashTable@@ABEX_N@Z.IISUTIL(?,?,?), ref: 6E67D9E6
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?), ref: 6E67DA6A

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriter$Lock3@@ReadWrite$Lock@$Unlock@$HashLinearLock2@@Locked@Table@@
String ID:
API String ID: 3943711224-0
Opcode ID: ce7b4b97288640ccb86596fb4d88b45a9e0c4465cda8d916950ef7150caf0122
Instruction ID: a7f2dcc6f530ae70d722e056530e8a8d93a71f991e0869ffcda026bf2400379e
Opcode Fuzzy Hash: ce7b4b97288640ccb86596fb4d88b45a9e0c4465cda8d916950ef7150caf0122
Instruction Fuzzy Hash: 0B416D31A00619EFCF25CFA9C8805ADBBB1FF4A314B15895AD855A7750C731BD11CF84

Function 6E684DD0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 6E684E0F
?Append@MULTISZ@@QAEHPBGK@Z.IISUTIL(?,00000000), ref: 6E684EA0
wcschr.MSVCRT ref: 6E684EB6
GetLastError.KERNEL32 ref: 6E684EC6

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: wcschr$Append@ErrorLast
String ID:
API String ID: 689891130-0
Opcode ID: 37715e88e22b02b520427f2fd47592de33f039552bbbf6272848706a7124b13e
Instruction ID: 1a21a7844f8f3b22f774ef9943bfb541281f1e558ab1a29df71fb04065ec39e0
Opcode Fuzzy Hash: 37715e88e22b02b520427f2fd47592de33f039552bbbf6272848706a7124b13e
Instruction Fuzzy Hash: 5B31083260021ADBDB609FD984596BFB77DEF81710F52471AD8358B284E7F1A842C661

Function 6E67FD40 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

??4CLKRHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E67FD76

Part of subcall function 6E67BE40: ??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E67BE57

?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E67FD80
?_InsertRecord@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@PBXK_NPAVCLKRLinearHashTable_Iterator@@@Z.IISUTIL(?,?,?,?,?), ref: 6E67FE17
?_SubTableIndex@CLKRHashTable@@ABEHPAVCLKRLinearHashTable@@@Z.IISUTIL(?,?,?,?,?,?), ref: 6E67FE2E

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Hash$Linear$Table_$Iterator@@$Table@@V0@@$Index@InsertIterator@@@Record@Ref@TableTable@@@
String ID:
API String ID: 2038308403-0
Opcode ID: 2cf87ebc41febad3d30269acbea670f45045220e5d732c9fca9350cb60d1bfd6
Instruction ID: 812095735aab3b4340fdf8218f5b215d68ecca52fe3a8a8ffcbea446db450e77
Opcode Fuzzy Hash: 2cf87ebc41febad3d30269acbea670f45045220e5d732c9fca9350cb60d1bfd6
Instruction Fuzzy Hash: 8031D071A00519AFCF14CFA5CC50AAEB7BAFF49310B10852AE856D3350DB74A941CBD4

Function 6E67FFF0 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

??4CLKRHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E680026

Part of subcall function 6E67BE40: ??4CLKRLinearHashTable_Iterator@@QAEAAV0@ABV0@@Z.IISUTIL(?), ref: 6E67BE57

?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E680030
?_FindKey@CLKRLinearHashTable@@ABE?AW4LK_RETCODE@@KKPAPBXPAVCLKRLinearHashTable_Iterator@@@Z.IISUTIL(?,?,?,?,?), ref: 6E6800B6
?_SubTableIndex@CLKRHashTable@@ABEHPAVCLKRLinearHashTable@@@Z.IISUTIL(?,?,?,?,?,?), ref: 6E6800CD

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Hash$Linear$Table_$Iterator@@$Table@@V0@@$FindIndex@Iterator@@@Key@Ref@TableTable@@@
String ID:
API String ID: 2883862318-0
Opcode ID: 1e8ff8b7258165a232027314f97c00211ea5b60d06bba8cde15531d2c2e7ff2d
Instruction ID: 22f5697cf6e33a6610534a26a49c0c8e3351b30f244a70549c2d4fd1e1fa93ec
Opcode Fuzzy Hash: 1e8ff8b7258165a232027314f97c00211ea5b60d06bba8cde15531d2c2e7ff2d
Instruction Fuzzy Hash: 4331DF75A01519AFCB14CFA5CC416EEB7BAFF88310B10862AE855E7350EB34AA40CBD4

Function 6E697920 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

?GetPrime@TREE_HASH_TABLE@@CGKK@Z.IISUTIL(?), ref: 6E697934
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?), ref: 6E697949

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?GetPrime@TREE_HASH_TABLE@@CGKK@Z.IISUTIL(?,?,?,?), ref: 6E697954
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?,?,?), ref: 6E6979FE

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@Prime@ReaderWriteWriter$CurrentLock@ThreadUnlock@
String ID:
API String ID: 1354061521-0
Opcode ID: 184c605d28d76ca1ba59b1c9bbc42af6c70e2ca6a71e867836d582a1d87176f0
Instruction ID: 56bf026c77a832923e727f62951a29762f214e44da60247159ab68badb71e9d4
Opcode Fuzzy Hash: 184c605d28d76ca1ba59b1c9bbc42af6c70e2ca6a71e867836d582a1d87176f0
Instruction Fuzzy Hash: C1319E31A007169FEB64DFA9C89495AB7F8EF4A310B10896DE856DB391EB30FD40DB50

Function 6E68DAB0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

?IsHit@DATETIME_FORMAT_ENTRY@@QBEHPBU_SYSTEMTIME@@@Z.IISUTIL(?), ref: 6E68DAF6
?CopyFormattedData@CDFTCache@@QBEHPBU_SYSTEMTIME@@PAD@Z.IISUTIL(?,?), ref: 6E68DB08
?Write@?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE_NABUDATETIME_FORMAT_ENTRY@@@Z.IISUTIL(?), ref: 6E68DB60
?CopyFormattedData@DATETIME_FORMAT_ENTRY@@QBEXPBU_SYSTEMTIME@@PAD@Z.IISUTIL(?,?,?), ref: 6E68DB70

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CopyData@Formatted$Cache@Cache@@DataE@@@Hit@Write@?$Y@@@Y@@@@
String ID:
API String ID: 696034544-0
Opcode ID: bce4bab36bfc581c9454902ae55f114714ac68156627d7089b236224747fdcd3
Instruction ID: fc196f0f7cce160201ac22ab5b60e394fc85ccdad80c2d927c7919f951c5f88a
Opcode Fuzzy Hash: bce4bab36bfc581c9454902ae55f114714ac68156627d7089b236224747fdcd3
Instruction Fuzzy Hash: 45315372A002099BCF08DFA8C88099EB7B9FF48314B15451AD819A7351EB30ED13CFA4

Function 6E683130 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000), ref: 6E683179

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f25e28c5c47ff272a6b9e8dfe3277264f48aa345a88a27d48a38a9516be57b2b
Instruction ID: 6c70fb2b1190b13b22633761d0bf27dfeeeb0c00e5ae34f74a46bdcd7ff86bbf
Opcode Fuzzy Hash: f25e28c5c47ff272a6b9e8dfe3277264f48aa345a88a27d48a38a9516be57b2b
Instruction Fuzzy Hash: 7631C071D442299FCB20CFA5CC58B9FB7B9FB05354F0086A9E949E7250DB308E449FA4

Function 6E695AA0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

?ValidHeaderCharacters@LANG_STRING@@AAEHPBD@Z.IISUTIL(?), ref: 6E695AC7
?RemoveWhitespace@LANG_STRING@@AAEJPBDKPAPAD@Z.IISUTIL(?,?,?), ref: 6E695AE1
?HeaderToInstalledLanguage@LANG_STRING@@AAEJPADKPAPBDH@Z.IISUTIL(?,?,?,?), ref: 6E695B07
?GetFallbackLanguage@LANG_STRING@@QAEJPAPBD@Z.IISUTIL(?), ref: 6E695B28

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HeaderLanguage@$Characters@FallbackInstalledRemoveValidWhitespace@
String ID:
API String ID: 2455651388-0
Opcode ID: da93b983a854c28f13973dba79fa02d09f863d9b0848d59a8c1f09318b8014ff
Instruction ID: 1b35e6f6fed4e13cd4243156bf78886f231eb7633c6285aff0dc6032b7e691c7
Opcode Fuzzy Hash: da93b983a854c28f13973dba79fa02d09f863d9b0848d59a8c1f09318b8014ff
Instruction Fuzzy Hash: 4A113B32A1061BAFCB564ED98830BEE77699F82766F10016EEC146B208D731CD01B7F0

Function 6E68D030 Relevance: 6.1, APIs: 4, Instructions: 70timeCOMMON

Download Yara Rule

APIs

?Read@?$CDataCache@VCDateTime@@@@QBE_NAAVCDateTime@@@Z.IISUTIL(?), ref: 6E68D05B
GetSystemTimeAsFileTime.KERNEL32(?,?), ref: 6E68D069
FileTimeToSystemTime.KERNEL32(?,?), ref: 6E68D0AC
?Write@?$CDataCache@VCDateTime@@@@QAE_NABVCDateTime@@@Z.IISUTIL(?), ref: 6E68D0BC

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: DateTime$Cache@DataFileSystemTime@@@Time@@@@$Read@?$Write@?$
String ID:
API String ID: 1176459151-0
Opcode ID: d8d14485601d377bb631d12716906f496e7691b405069eb804e36282e635f1b1
Instruction ID: 8456b1da557ba34dd44edd28565cc1977d38c54b6a0f2b0692dcbd41f596780c
Opcode Fuzzy Hash: d8d14485601d377bb631d12716906f496e7691b405069eb804e36282e635f1b1
Instruction Fuzzy Hash: C421EA756087459B8700DFA9C49486BF7EDFF89618F004E2EF995A7200DB71EA058FA2

Function 6E694840 Relevance: 6.1, APIs: 4, Instructions: 69timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000038,800003E8), ref: 6E694890
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00007530,00007530), ref: 6E69489A
CreateTimerQueueTimer.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00007530), ref: 6E6948D4
?DestroyTraceLogFactory@W3_TRACE_LOG_FACTORY@@QAEXXZ.IISUTIL(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00007530,00007530), ref: 6E6948E8

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Timer$CountCreateCriticalDestroyErrorFactory@InitializeLastQueueSectionSpinTrace
String ID:
API String ID: 3448563265-0
Opcode ID: a17bfd1583842c7f2a6f1a80bb589c8fdc7409e840ff1345c2301c14fb935eb7
Instruction ID: c761399a9538a9a49b0eb6e0acb44a32b92e5441066810f5732950cc3c9f7929
Opcode Fuzzy Hash: a17bfd1583842c7f2a6f1a80bb589c8fdc7409e840ff1345c2301c14fb935eb7
Instruction Fuzzy Hash: 9111A2B1900B539FD3509F99C9C4A5777E8FB05734B104A2EE8A99B740D3B4EC059794

Function 6E6810E0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6E681133
?SleepWaitingForLock@CSharelock@@AAEEH@Z.IISUTIL(?,?,?,?,?,?,6E67A56F,?), ref: 6E68113F
GetTickCount.KERNEL32 ref: 6E681148
?SleepWaitingForLock@CSharelock@@AAEEH@Z.IISUTIL(000000FF,?,?,?,?,?,6E67A56F,?), ref: 6E681162

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CountLock@Sharelock@@SleepTickWaiting
String ID:
API String ID: 202854220-0
Opcode ID: 2b6954a1e14c05f8ce374ac95356dc4ac17c354199af22ffd011c7e7e2c21d2b
Instruction ID: 2266e5bd965c092005ea06bcc16762e19e1f1dbfa9830975902b01ffd8ce9a35
Opcode Fuzzy Hash: 2b6954a1e14c05f8ce374ac95356dc4ac17c354199af22ffd011c7e7e2c21d2b
Instruction Fuzzy Hash: BD11D336241A059BDB508ED9C848A9B73B9EB83335B104E1ED9F583284EB71AC4AC675

Function 6E67DB60 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

?ReadOrWriteLock@CReaderWriterLock3@@QAE_NXZ.IISUTIL(?,?), ref: 6E67DB81

Part of subcall function 6E67B1E0: ?IsWriteLocked@CReaderWriterLock3@@QBE_NXZ.IISUTIL ref: 6E67B1EB
Part of subcall function 6E67B1E0: ?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67B1F6

?ReadLock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?,?), ref: 6E67DBB1
?_ReadOrWriteUnlock@CLKRLinearHashTable@@ABEX_N@Z.IISUTIL(?,?,?), ref: 6E67DBBB
?ReadUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(?,?), ref: 6E67DC00

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ReaderWriter$Lock3@@ReadWrite$Lock@$Unlock@$HashLinearLock2@@Locked@Table@@
String ID:
API String ID: 3943711224-0
Opcode ID: 62de0f50758d1763080d89d29792107abb1e7ed9d59d308bea38f09d2915148f
Instruction ID: 1e7a103b495538247ab625a3319fbeca2aed49f0d9c1f3fe82869fbcc1cb9009
Opcode Fuzzy Hash: 62de0f50758d1763080d89d29792107abb1e7ed9d59d308bea38f09d2915148f
Instruction Fuzzy Hash: 3D21A175A00619EBCF24DFA5C8945ADBBB5FF49715B108869D8029B600CB31BD11CFC4

Function 6E681030 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6E681077
?SleepWaitingForLock@CSharelock@@AAEEH@Z.IISUTIL(?,?,?,?,?,?,6E67A506,?), ref: 6E681083
GetTickCount.KERNEL32 ref: 6E68108C
?SleepWaitingForLock@CSharelock@@AAEEH@Z.IISUTIL(000000FF,?,?,?,?,?,6E67A506,?), ref: 6E6810A6

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CountLock@Sharelock@@SleepTickWaiting
String ID:
API String ID: 202854220-0
Opcode ID: da0561f2566d0613721ea417e62ea73cd7b07a782e224e032828d18e19ec7d10
Instruction ID: 14b03fe52845afe42eb84a5e7e0ffd9dbc1f95c9f985de82f8d0793ada7896fe
Opcode Fuzzy Hash: da0561f2566d0613721ea417e62ea73cd7b07a782e224e032828d18e19ec7d10
Instruction Fuzzy Hash: 53112B325016849B9B614ED9CC5069F73FADFC3325B100A5AC93487285EF31984E8A72

Function 6E687D8C Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,?,-000000CC,6E6A8650), ref: 6E687DAF
InterlockedPopEntrySList.KERNEL32(?), ref: 6E687DC9
HeapFree.KERNEL32(00000000,00000000), ref: 6E687DDC
QueryDepthSList.KERNEL32(?), ref: 6E687DF5

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: List$DepthQuery$EntryFreeHeapInterlocked
String ID:
API String ID: 148319389-0
Opcode ID: a95a2765ced8ec260919d4eac517b8548f557384c4ff2244f70ebc224bb8ad04
Instruction ID: f42b07c1ae5d59a19c9590a179e669c7e85fd3a2cbbcabb4606976dc1db1fe16
Opcode Fuzzy Hash: a95a2765ced8ec260919d4eac517b8548f557384c4ff2244f70ebc224bb8ad04
Instruction Fuzzy Hash: F9115431A00519ABDB419F9AC998AAFFBB8FB46701B1141A6E844E7280D735BD41DBF0

Function 6E688960 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

IISInitializeCriticalSection.IISUTIL(?,?,?,6E67A29B), ref: 6E68896A

Part of subcall function 6E680650: InitializeCriticalSectionAndSpinCount.KERNEL32(?,000003E8,?,6E68896F,?,?,?,6E67A29B), ref: 6E68065D

CreateSemaphoreExW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,00000000,001F0003,?,?,?,?,?,6E67A29B), ref: 6E68899C
CreateSemaphoreExW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,00000000,001F0003,?,?,?,?,?,6E67A29B), ref: 6E6889BA
CloseHandle.KERNEL32(?,?,?,?,?,?,6E67A29B), ref: 6E6889CA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CreateCriticalInitializeSectionSemaphore$CloseCountHandleSpin
String ID:
API String ID: 2273267024-0
Opcode ID: 5a9acfa842ef4af4b848a53e0b461b3726d93a1197bf87f181476da639621e7a
Instruction ID: 657705ed10d1a5087c472f52a00f77983564c7590d8a3a7e3bb9954262dab012
Opcode Fuzzy Hash: 5a9acfa842ef4af4b848a53e0b461b3726d93a1197bf87f181476da639621e7a
Instruction Fuzzy Hash: 3E016D70640702AA97614F6B8D48C17FBFCEFCB7603400A2EF8A5C26A0DB70E405CA75

Function 6E67FF50 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

?Erase@CLKRHashTable@@QAE_NAAVCLKRHashTable_Iterator@@@Z.IISUTIL(?), ref: 6E67FF6A

Part of subcall function 6E67FE60: ?_IsValidIterator@CLKRHashTable@@ABE_NABVCLKRHashTable_Iterator@@@Z.IISUTIL(?), ref: 6E67FE84
Part of subcall function 6E67FE60: ?_Erase@CLKRLinearHashTable@@AAE_NAAVCLKRLinearHashTable_Iterator@@K@Z.IISUTIL(?,?,?), ref: 6E67FF11
Part of subcall function 6E67FE60: ?_Increment@CLKRHashTable_Iterator@@IAE_N_N@Z.IISUTIL(00000000,?), ref: 6E67FF21

??9CLKRHashTable_Iterator@@QBE_NABV0@@Z.IISUTIL(?), ref: 6E67FF9E
??9CLKRHashTable_Iterator@@QBE_NABV0@@Z.IISUTIL(?), ref: 6E67FFAD
?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E67FFCE

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Hash$Table_$Iterator@@$LinearTable@@$Erase@Iterator@@@V0@@$Increment@Iterator@Ref@Valid
String ID:
API String ID: 1324313661-0
Opcode ID: befde9e3767915d00bb6ddbac05b4b7473b49c5700354153845eb451b616aa8d
Instruction ID: c04dc9b234fb2c651cfcfbb855b002c952a0c3bb7155a7c47a42faa5e9a2539a
Opcode Fuzzy Hash: befde9e3767915d00bb6ddbac05b4b7473b49c5700354153845eb451b616aa8d
Instruction Fuzzy Hash: 9A11A33110C3446ECB11DFB88440B9BBBD5AF86368F108A1EF8E887281DB358544C79A

Function 6E67FCB0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

?_Increment@CLKRLinearHashTable_Iterator@@IAE_N_N@Z.IISUTIL(?), ref: 6E67FCCA

Part of subcall function 6E67F740: ?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(?,?,?,?,?,6E67BBA7,00000001), ref: 6E67F754

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashIterator@@LinearTable_$Increment@Ref@
String ID:
API String ID: 445799283-0
Opcode ID: 8729c2a4c115535fa6bff618d119d6eec6202cf0f88ea42a9ebf8e42329f2fad
Instruction ID: 193b97b903cef01dad2941a30affd232f390aa49740f828266ab6d16f6a94312
Opcode Fuzzy Hash: 8729c2a4c115535fa6bff618d119d6eec6202cf0f88ea42a9ebf8e42329f2fad
Instruction Fuzzy Hash: 710192392002069BCB30DFA8D440FBBB3F9AF49710B31095DD852D3280EB71E845CBA5

Function 6E686328 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_vsnprintf_s.MSVCRT ref: 6E686345
?Resize@STRU@@QAEJK@Z.IISUTIL(00002800), ref: 6E68635A

Part of subcall function 6E678440: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?), ref: 6E678448
Part of subcall function 6E678440: GetLastError.KERNEL32(?), ref: 6E678451

_vsnprintf_s.MSVCRT ref: 6E686380
?SyncWithBuffer@STRA@@QAEXXZ.IISUTIL ref: 6E68639B

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Resize@_vsnprintf_s$Buffer@ErrorLastSyncWith
String ID:
API String ID: 1680262089-0
Opcode ID: 55596a81b6446a8461509872d64869346e111b06121c5e87462457873bc3fb1a
Instruction ID: c032020446885a83aec7a398bef2b3eba33f3ce6ff6b1c0405a5e9240473f8b3
Opcode Fuzzy Hash: 55596a81b6446a8461509872d64869346e111b06121c5e87462457873bc3fb1a
Instruction Fuzzy Hash: 8E018875224505BFDB058A69C844E6A77A9FF99328F040255F508C7A91D731FC20DBF1

Function 6E690EA0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690EC1

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690EDD
?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690EFD
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E690F07

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Lock3@@ReaderWriteWriter$Lock@Unlock@$CurrentThread
String ID:
API String ID: 2712252570-0
Opcode ID: 9a1ea56a563e95fc97735116bbd50026e48d201216684f818f7d841f286a309b
Instruction ID: 21fe9260156a8a34e3fdb85e327ecfe889872803e7225914013900b4e8fd31b7
Opcode Fuzzy Hash: 9a1ea56a563e95fc97735116bbd50026e48d201216684f818f7d841f286a309b
Instruction Fuzzy Hash: FD015275A10A19ABCF148FA5C8944ADF7BAFF89720B00056ED80657701DB31AD54DBC8

Function 6E67DF70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

?WriteLock@CLKRHashTable@@QAEXXZ.IISUTIL ref: 6E67DF8D
?IsValid@CLKRHashTable@@QBE_NXZ.IISUTIL ref: 6E67DF94
?_DeleteIf@CLKRLinearHashTable@@AAEKP6G?AW4LK_PREDICATE@@PBXPAX@Z1AAW42@@Z.IISUTIL(?,?,00000003), ref: 6E67DFB5
?WriteUnlock@CLKRHashTable@@QBEXXZ.IISUTIL ref: 6E67DFD7

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashTable@@$Write$DeleteLinearLock@Unlock@Valid@W42@@
String ID:
API String ID: 2545113154-0
Opcode ID: 06deee548af688115018416c19901ec8a029203d9be53babb12addc12ec1dbe0
Instruction ID: 8ac8eb655acf29acce4e00f8b3079664c0e973307c99a40dde0adead6ebb26b3
Opcode Fuzzy Hash: 06deee548af688115018416c19901ec8a029203d9be53babb12addc12ec1dbe0
Instruction Fuzzy Hash: 86012F31501209EF9F71DEC5C8748AE73B9EBC332CB200DAAE41143210E6365E0ACBA2

Function 6E67FA30 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

?Erase@CLKRLinearHashTable@@QAE_NAAVCLKRLinearHashTable_Iterator@@@Z.IISUTIL(?), ref: 6E67FA46

Part of subcall function 6E67F980: ?_IsValidIterator@CLKRLinearHashTable@@ABE_NABVCLKRLinearHashTable_Iterator@@@Z.IISUTIL(?), ref: 6E67F99F
Part of subcall function 6E67F980: ?_Erase@CLKRLinearHashTable@@AAE_NAAVCLKRLinearHashTable_Iterator@@K@Z.IISUTIL(?), ref: 6E67F9F0
Part of subcall function 6E67F980: ?_Increment@CLKRLinearHashTable_Iterator@@IAE_N_N@Z.IISUTIL(00000000), ref: 6E67FA01

??9CLKRLinearHashTable_Iterator@@QBE_NABV0@@Z.IISUTIL(?), ref: 6E67FA6B
??9CLKRLinearHashTable_Iterator@@QBE_NABV0@@Z.IISUTIL(?), ref: 6E67FA7A
?_AddRef@CLKRLinearHashTable_Iterator@@IBEXH@Z.IISUTIL(000000FF), ref: 6E67FA98

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinear$Table_$Iterator@@$Table@@$Erase@Iterator@@@V0@@$Increment@Iterator@Ref@Valid
String ID:
API String ID: 1542875557-0
Opcode ID: 917acc027917542ce1ab600690e28fbbec051e09cd23968f3d92a0d963d84b8c
Instruction ID: a4f34005c208655e3138a67d4506ae4156ddcd12d23a12c2394ecd06b8ccbafa
Opcode Fuzzy Hash: 917acc027917542ce1ab600690e28fbbec051e09cd23968f3d92a0d963d84b8c
Instruction Fuzzy Hash: 7801963084434CBADF51DFF48441BEEBFB59F06354F148195D89467281DB764A45C7D1

Function 6E6793A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000001), ref: 6E6793EA
?AuxInit@STRAU@@AAEXPBG@Z.IISUTIL(00000000,00000001), ref: 6E6793F2

Part of subcall function 6E683E00: ?Resize@BUFFER@@QAE_NK@Z.IISUTIL(?,?,?,00000000,?,6E679320,?), ref: 6E683E37

?PrivateQueryStr@STRAU@@AAEPAGH@Z.IISUTIL(00000000), ref: 6E6793FA
?AuxInit@STRAU@@AAEXPBD@Z.IISUTIL(00000000,00000000), ref: 6E679402

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Init@PrivateQueryStr@$Resize@
String ID:
API String ID: 566989901-0
Opcode ID: 89212d2e7a34fd7bc14ba8f35bd17a95f669302681756a3da1bea322c7f5028e
Instruction ID: f2c40bd82742230dca6e3db0f41c1f243dcde24606db356cc1a7f1f637b6e664
Opcode Fuzzy Hash: 89212d2e7a34fd7bc14ba8f35bd17a95f669302681756a3da1bea322c7f5028e
Instruction Fuzzy Hash: 710192F15457609FC318CFA98590996BFE9FF5931430185AED08987322D730D800CB68

Function 6E67DF10 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67DF31
?IsValid@CLKRLinearHashTable@@QBE_NXZ.IISUTIL ref: 6E67DF38
?_DeleteIf@CLKRLinearHashTable@@AAEKP6G?AW4LK_PREDICATE@@PBXPAX@Z1AAW42@@Z.IISUTIL(?,?,00000003), ref: 6E67DF4D
?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL ref: 6E67DF57

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinearLock3@@ReaderTable@@WriteWriter$DeleteLock@Unlock@Valid@W42@@
String ID:
API String ID: 1440366471-0
Opcode ID: 0e1c2865fc29a4b8d41fa276032434ac3be3a4d03b82d1e3dacb3a9bd1701bd4
Instruction ID: acb84859738ae849bb995f9ed455c606785bea4f7af520622225397fbafd04d8
Opcode Fuzzy Hash: 0e1c2865fc29a4b8d41fa276032434ac3be3a4d03b82d1e3dacb3a9bd1701bd4
Instruction Fuzzy Hash: B3F0E9321041086F8F319E85CC148EF776DEBD62787100A2AE81647150EB319E49CAE0

Function 6E6890B0 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6E6890C2
?DestroyEventLogSource@EVENT_LOG@@CGXPAU_EVENT_LOG_SOURCE@@@Z.IISUTIL(?), ref: 6E6890E8
GetProcessHeap.KERNEL32(00000000,?), ref: 6E689101
HeapFree.KERNEL32(00000000), ref: 6E689108

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Heap$CriticalDeleteDestroyE@@@EventFreeProcessSectionSource@
String ID:
API String ID: 1175541915-0
Opcode ID: e51379b8e32b36baca3cfb9096012e499bac2818598d01f193a60fce869eb242
Instruction ID: 1c05ffc6fe88bde27a7874d2c2e6bacf68b8e60bec677630cf8b8419cf5e2e1d
Opcode Fuzzy Hash: e51379b8e32b36baca3cfb9096012e499bac2818598d01f193a60fce869eb242
Instruction Fuzzy Hash: A9F01D72D95651ABDF109FAFA89C84F776EF68631D324042AA64593705D6356801CB30

Function 6E6949B0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6E6949BE
?Resize@BUFFER@@QAE_NKK@Z.IISUTIL(?,?), ref: 6E6949CF
GetLastError.KERNEL32(?,?), ref: 6E6949D8
LeaveCriticalSection.KERNEL32(?), ref: 6E6949F9

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveResize@
String ID:
API String ID: 2521185493-0
Opcode ID: dd7e9c7dcceba340e25aef81b4485e04ec6c35fd320f28b1340f8d5e0389eef9
Instruction ID: a3ed5bb5021c7b9b23d1857ec6006e5a525b0c1fb64c0854175ce1e1b9b2ca3c
Opcode Fuzzy Hash: dd7e9c7dcceba340e25aef81b4485e04ec6c35fd320f28b1340f8d5e0389eef9
Instruction Fuzzy Hash: 14F03076440605BFCB209F9ADC88CDB77ACEF96328700881AF95A83611D731F955DB60

Function 6E683980 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,?,?,?), ref: 6E6839A4
FormatMessageA.KERNEL32(00002900,00000000), ref: 6E6839B0
?Copy@STRA@@QAEJPBDK@Z.IISUTIL(?,00000000), ref: 6E6839C0
LocalFree.KERNEL32(?), ref: 6E6839CA

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Copy@FormatFreeHandleLocalMessageModule
String ID:
API String ID: 133866721-0
Opcode ID: f78792e5252c5f9f77ab132a5a71b421b344ce763cfbabd75588ec95c142e7e1
Instruction ID: 5f1e174ca9f4b64655050f2113ade8e819757c072fd56d316ef0c2707e1970a6
Opcode Fuzzy Hash: f78792e5252c5f9f77ab132a5a71b421b344ce763cfbabd75588ec95c142e7e1
Instruction Fuzzy Hash: D1F05E32A40109BBDF118E99CC0DFEF7BADEB85361F040056FD04E2350EA71AD20EAA4

Function 6E687B40 Relevance: 6.0, APIs: 4, Instructions: 35memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6E687B4D
QueryDepthSList.KERNEL32(?,?,?,6E67EE69,00000000,?,6E67F394,?,00000000), ref: 6E687B61
HeapFree.KERNEL32(00000000,00000000,?,6E67EE69,00000000,?,6E67F394,?,00000000), ref: 6E687B7A
InterlockedPushEntrySList.KERNEL32(?,00000000,?,6E67EE69,00000000,?,6E67F394,?,00000000), ref: 6E687B87

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: List$CurrentDepthEntryFreeHeapInterlockedPushQueryThread
String ID:
API String ID: 3403768899-0
Opcode ID: 52167d8bab4588b42ded5609d1855620f0b5c0ef7501db4ff17375717db20c37
Instruction ID: 76ef3900930f802d2fbb6922a51d25329d6d3e77c17883b542ee524d06280828
Opcode Fuzzy Hash: 52167d8bab4588b42ded5609d1855620f0b5c0ef7501db4ff17375717db20c37
Instruction Fuzzy Hash: A5F09071684A06BFD7148F6ADC48E4BFB79FF46326B004523F44A82541CB35B820CAA4

Function 6E694900 Relevance: 6.0, APIs: 4, Instructions: 35timeCOMMON

Download Yara Rule

APIs

DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF,?,00000000,6E6948ED), ref: 6E694913
?TimerCallback@W3_TRACE_LOG_FACTORY@@CGXPAXE@Z.IISUTIL(00000000,00000001,?,00000000,6E6948ED), ref: 6E694924
DeleteCriticalSection.KERNEL32(00000038,?,00000000,6E6948ED,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E694937
?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL(?,00000000,6E6948ED,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6E694949

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Timer$Delete$Callback@CriticalFreeInternal@MemoryQueueSection
String ID:
API String ID: 2079187152-0
Opcode ID: 81dce17988da4ed275d050b119ae2e2b4bc42b2bfdb932dc27f622faf1cb094e
Instruction ID: 2d0edae3d9be49a5f6d31cd92b445ed8c85f06348f399881058cbb6cb74344ae
Opcode Fuzzy Hash: 81dce17988da4ed275d050b119ae2e2b4bc42b2bfdb932dc27f622faf1cb094e
Instruction Fuzzy Hash: C6F09671404F52ABC7325F59D8449A7B7E8BFC67247104A1EE0B643954D7B0B443D714

Function 6E68A033 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,6E6A915C,6E685C72), ref: 6E68A040
FreeSid.ADVAPI32(?,6E6A915C,6E685C72), ref: 6E68A056
LocalFree.KERNEL32(?,6E6A915C,6E685C72), ref: 6E68A06C
FreeSid.ADVAPI32(?,6E6A915C,6E685C72), ref: 6E68A082

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: Free$Local
String ID:
API String ID: 4294323854-0
Opcode ID: 55428ca3a8a53ddca3572d2684558f3577b8f38b842072a90ccd67e65a8160d6
Instruction ID: 83e8a5699d2dda8f01f3efef4dd9289828e89fe2a8c7affae061357afd4fbc15
Opcode Fuzzy Hash: 55428ca3a8a53ddca3572d2684558f3577b8f38b842072a90ccd67e65a8160d6
Instruction Fuzzy Hash: 72F07A70EA5A129B9F909FBFA54895E37AEBB0674D3100116B911E2340D735E444CB60

Function 6E67CE70 Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

?WriteLock@CReaderWriterLock3@@QAEXXZ.IISUTIL(-00000001,?,6E67F073,?,6E67CE4F,?,?,?,?,00000000,?,00000000,00000000,?,?,?), ref: 6E67CE79

Part of subcall function 6E67B100: GetCurrentThreadId.KERNEL32 ref: 6E67B141

?_Clear@CLKRLinearHashTable@@AAEX_N@Z.IISUTIL(00000000,-00000001,?,6E67F073,?,6E67CE4F,?,?,?,?,00000000,?,00000000,00000000,?), ref: 6E67CE82

Part of subcall function 6E67E570: ?WriteLock@CReaderWriterLock2@@QAEXXZ.IISUTIL ref: 6E67E5C9
Part of subcall function 6E67E570: ?WriteUnlock@CReaderWriterLock2@@QAEXXZ.IISUTIL(?), ref: 6E67E637
Part of subcall function 6E67E570: ?_FreeSegment@CLKRLinearHashTable@@ABE_NPAVCSegment@@@Z.IISUTIL(?), ref: 6E67E662
Part of subcall function 6E67E570: ?_FreeSegmentDirectory@CLKRLinearHashTable@@AAE_NXZ.IISUTIL ref: 6E67E67E
Part of subcall function 6E67E570: ?_SetSegVars@CLKRLinearHashTable@@AAE?AW4LK_RETCODE@@W4LK_TABLESIZE@@K@Z.IISUTIL(?,00000000), ref: 6E67E6C1

?WriteUnlock@CReaderWriterLock3@@QAEXXZ.IISUTIL(00000000,-00000001,?,6E67F073,?,6E67CE4F,?,?,?,?,00000000,?,00000000,00000000,?), ref: 6E67CE8A
?_RemoveThisFromGlobalList@CLKRLinearHashTable@@AAEXXZ.IISUTIL(00000000,-00000001,?,6E67F073,?,6E67CE4F,?,?,?,?,00000000,?,00000000,00000000,?), ref: 6E67CE91

Part of subcall function 6E67C110: ?RemoveEntry@CLockedDoubleList@@QAEXQAVCListEntry@@@Z.IISUTIL(?), ref: 6E67C11F

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: HashLinearTable@@$ReaderWriteWriter$FreeLock2@@Lock3@@Lock@RemoveUnlock@$Clear@CurrentDirectory@DoubleEntry@Entry@@@FromGlobalListList@List@@LockedSegmentSegment@Segment@@@ThisThreadVars@
String ID:
API String ID: 1648147194-0
Opcode ID: aba63367bf83f94761cbfd15657814277be5cda903b65d17a6e217f7952cfc70
Instruction ID: 4f8a5d7a5a324a075c1ea8e4a878201cb65bec4653dc722d1548c746426262ed
Opcode Fuzzy Hash: aba63367bf83f94761cbfd15657814277be5cda903b65d17a6e217f7952cfc70
Instruction Fuzzy Hash: 8CD05B3130050557CA249F55DC58AFEB73FAFE0324B250519D0120B5D4DF6078A7C7D8

Function 6E6884AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

CreateTimerQueue.KERNEL32(InitializeIISUtil,00000001,?,?,6E68812E,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,6E685B20), ref: 6E6884F3
GetModuleHandleExW.KERNEL32(00000004,6E688880,?,?,6E68812E,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,6E685B20), ref: 6E68850B

Part of subcall function 6E688538: DeleteTimerQueueEx.KERNEL32(?,000000FF,00000000,6E68852B,?,?,6E68812E,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,6E685B20), ref: 6E688548
Part of subcall function 6E688538: FreeLibrary.KERNEL32(?,00000000,6E68852B,?,?,6E68812E,InitializeIISUtil,00000001,inetsrv\iis\iisrearc\core\common\util\init_iisutil.cxx,6E685B20), ref: 6E68855B

Strings

InitializeIISUtil, xrefs: 6E6884B1

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: QueueTimer$CreateDeleteFreeHandleLibraryModule
String ID: InitializeIISUtil
API String ID: 3288184779-1109337598
Opcode ID: f55ee2cc7d24c2989deeb9ebfe8342e113ec6f09e7389bdfe8ce692c4566aa5f
Instruction ID: 0d27eb716940774c583b78dddf7af76b5797012dd8e6c37c0857da0a003188b8
Opcode Fuzzy Hash: f55ee2cc7d24c2989deeb9ebfe8342e113ec6f09e7389bdfe8ce692c4566aa5f
Instruction Fuzzy Hash: 1011C8B1E447129FD7A0CFAAD800A9B77E8EB46720740452FD869C7320DB74D900CBB1

Function 6E67A5A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 6E6811A7
CloseHandle.KERNEL32(?,?,?,00000000,6E698A68), ref: 6E6811E9

Strings

Wakeup failed in ReleaseLock(), xrefs: 6E6811C3

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore
String ID: Wakeup failed in ReleaseLock()
API String ID: 68019002-1156563770
Opcode ID: c4975353f2d594d6f515c7737ed21c6d16b200145e31f5fd4d533e96f43cc1ca
Instruction ID: f785eb08939f1c1a9be443efcea415d2ee2823759eb60c829406344af31b1d29
Opcode Fuzzy Hash: c4975353f2d594d6f515c7737ed21c6d16b200145e31f5fd4d533e96f43cc1ca
Instruction Fuzzy Hash: 0EF09030510205BBDB018F96CE0CF5B7BADEB42318F600999E9648A651EB72DD06D6A0

Function 6E686010 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

PuCloseDbgPrintFile.IISUTIL(?), ref: 6E686023
OutputDebugStringA.KERNEL32( Error: MakeBkupCopy() Not Yet Implemented), ref: 6E686036

Strings

Error: MakeBkupCopy() Not Yet Implemented, xrefs: 6E686031

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: CloseDebugFileOutputPrintString
String ID: Error: MakeBkupCopy() Not Yet Implemented
API String ID: 3769588017-1652145653
Opcode ID: 4f91fe42362c1a8ce973e6d3999a7ba9c6ad2d2bfc61637690646337e4920e29
Instruction ID: e9a81cdd467b64ef75bbd17909f6c802a4e4669b5a38170a8eb37c5dae14a1ae
Opcode Fuzzy Hash: 4f91fe42362c1a8ce973e6d3999a7ba9c6ad2d2bfc61637690646337e4920e29
Instruction Fuzzy Hash: 47E02B32174724F7C67116D59908FCF3B4C8F46764F004905ED2A67281CBB0190051FD

Function 6E686B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6E686B35
PuDbgPrint.IISUTIL(?,?,?,?, TickCount = %u,00000000), ref: 6E686B4D

Part of subcall function 6E6865B0: GetLastError.KERNEL32 ref: 6E6865F9
Part of subcall function 6E6865B0: SetLastError.KERNEL32(?,?,0000001E,?,6E681283,?), ref: 6E686649
Part of subcall function 6E6865B0: ?FreeMemoryInternal@BUFFER@@AAEXXZ.IISUTIL ref: 6E68665A

Strings

TickCount = %u, xrefs: 6E686B3C

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID: ErrorLast$CountFreeInternal@MemoryPrintTick
String ID: TickCount = %u
API String ID: 1464156295-1293117735
Opcode ID: 6de2ec60d9a8cfa2f40a970d9ea1f5168162c55ce96976fe75724a4f7d14025d
Instruction ID: ace84e354f01ba4d46ee5d1bb4f8f408c2920a71131b4b01d05ee88d900a31b9
Opcode Fuzzy Hash: 6de2ec60d9a8cfa2f40a970d9ea1f5168162c55ce96976fe75724a4f7d14025d
Instruction Fuzzy Hash: E6D0C97344010CBFCF025FD59C04CAE3F2EAB89324F448811FE5815122E732D931ABA1

Function 6E688FC8 Relevance: 5.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976347394.000000006E671000.00000020.00000001.01000000.00000003.sdmp, Offset: 6E670000, based on PE: true

Associated: 00000000.00000002.2976309803.000000006E670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976407736.000000006E6A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2976448614.000000006E6AA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e670000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a8d64835f2494e98d8818b756df2a28c8d534df514521c33c84533f609a6a1
Instruction ID: 49fe987a7b54402b30077c01a333dc12396857f19b84fa3d03eb899d67c9893b
Opcode Fuzzy Hash: 45a8d64835f2494e98d8818b756df2a28c8d534df514521c33c84533f609a6a1
Instruction Fuzzy Hash: B1012D72544202ABDB501BEECC48F9BB72DEF56359F10441AF505D7100D7796C158B70

Analysis Process: rundll32.exePID: 7260, Parent PID: 6328COMMON

Non-executed Functions

Function 000FC984 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1823630988.00000000000FC000.00000004.00000010.00020000.00000000.sdmp, Offset: 000FC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_fc000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e1108440d541e956b55a852a6b13297180ac1dbdb88b8997340c7c6d69cef8
Instruction ID: b6d1329255c4c3b362f72460f49e2a5b985086440c7d97c494cf859d2e1eee8d
Opcode Fuzzy Hash: 44e1108440d541e956b55a852a6b13297180ac1dbdb88b8997340c7c6d69cef8
Instruction Fuzzy Hash: 0CF0440150E3C45FC7138B744C79AA67FB46F53208B1F89CFC8C58A4A3C258A918D332

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iisutil.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_74d2292676aa8f3d3b873026bfa4bb114f7744d_7522e4b5_6eb46e90-bbc7-4b96-a46f-f862dbf5ec4a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_82a4d751d744bbae5b7fe90618e3ca9a2ea43c5_7522e4b5_78808332-d4ee-4bfd-aa0c-5547fff18423\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_82a4d751d744bbae5b7fe90618e3ca9a2ea43c5_7522e4b5_cb845ae6-1dbd-4ce9-a86c-5f85bb38b7ec\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f34569f3e06624e3681d94af4f51e2a47231a897_7522e4b5_6634f637-9abb-48c2-9230-d3f04625b2f1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB379.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB389.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB493.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB494.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4C3.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB541.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE95.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF61.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF91.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA2E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA8C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA9D.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
iisutil.dll