Play interactive tour

Edit tour

Analysis Report ImmunityDebugger_1_85_setup.exe

Overview

General Information

Sample Name:	ImmunityDebugger_1_85_setup.exe
Analysis ID:	415756
MD5:	b94ff046f678a5e89d06007ea24c57ec
SHA1:	e01a72a487ac0e2ec02ddfc20fd2994919ef1e9a
SHA256:	9c15cd47d018ccd99a6c8865baba20134c67061ae0e19232c32ecd0139ccfd42
Infos:
Most interesting Screenshot:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Startup

System is w10x64

ImmunityDebugger_1_85_setup.exe (PID: 6200 cmdline: 'C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe' MD5: B94FF046F678A5E89D06007EA24C57EC)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Updater.pem.0.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: ImmunityDebugger_1_85_setup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Window detected: &Next >CancelNullsoft Install System v2.46Please review the license agreement before installing Immunity Debugger. If you accept all terms of the agreement click the check box below. Click Next to continue.Last Updated: February 11 2009IMMUNITY INC.SOFTWARE LICENSE AGREEMENTTHIS LICENSE AGREEMENT (with the schedules annexed hereto the "Agreement") is made as of the day when registered on the download server between "Licensee" the user of the software whether corporate entity or individual and Immunity Inc "Licensor" a New York State based company with primary offices at 1130 Washington Avenue Floor 8 Miami Beach FL 33139. If the Licensee does not agree to the terms described within this document the Licensee is not authorized to install copy or otherwise use the Software.W I T N E S S E T H:WHEREAS Licensor is in the business among other things of licensing the proprietary software more particularly described in Schedule "A" attached hereto and made a part hereof which together with the object code registration key documentation and other materials are collectively referred to herein as the "Software"; andWHEREAS Licensor owns or has the license to all of the intellectual and other proprietary rights (including copyrights and trademarks) associated with the Software; andWHEREAS Licensee wishes to obtain a license to use the Software for the purpose of facilitating Licensee's business; andWHEREAS Licensor is willing to grant a non-exclusive license to Licensee to use the Software pursuant to the terms conditions and limitations hereinafter set forth.NOW THEREFORE in consideration of the mutual promises and obligations hereinafter contained the parties have agreed as follows:1. Grant of License Term1.1 Subject to the terms and conditions of this Agreement Licensor hereby grants to Licensee a limited non-exclusive non-transferable non-assignable right and license (the "License") to access download install and use the Software on the licensed number of computers (identified in Schedule "A") solely for the uses as set forth in Section 2 of this Agreement.1.2 The term of the License granted herein shall be in perpetuity ("Term") unless otherwise terminated pursuant with this Agreement.1.3 Licensor shall deliver to Licensee the Software within 5 business days of the Effective Date.2. Scope and Use of License2.1 Licensee agrees that the License granted hereunder is limited to use the Software internally and only in connection with Licensee's business in accordance with the terms of this Agreement.2.2 Licensee shall not decompile reverse compile disassemble decode or otherwise reverse engineer the Software. Licensee shall not modify or translate the Software or create any derivative works based on the Software. Except as otherwise set forth in this Agreement Licensee shall not publish distribute market rent lease sublicense or assign all or any portion of the Software. Porting the Software to another framework or product is a violation of this licen

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\LICENSE.txt

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407A42 FindFirstFileA,FindClose,	0_2_00407A42
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407E0E DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00407E0E
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040334A FindFirstFileA,	0_2_0040334A

Source: Changelog.txt.0.dr	String found in binary or memory: http://PEiD.info/BobSoft/)
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://auth.immunityinc.com/ImmunityDebugger/ID_getads.py
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://auth.immunityinc.com/ImmunityDebugger/ID_getads.pyImmunity
Source: Changelog.txt.0.dr, Credits.txt.0.dr	String found in binary or memory: http://code.google.com/p/pefile/)
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/ID_adref.py?referer=
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/ID_adref.py?referer=%s%sSoftware
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/ID_checkupdate.py
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/ID_checkupdate.pyhttp://debugger.immunityinc.com/update/ImmunityDebu
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/update/ImmunityDebugger.exe
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/update/ImmunityDebugger.exeSignature
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://debugger.immunityinc.com/update/ImmunityDebugger.sig
Source: Libs.libheap.Win7LFHeap-class.html.0.dr	String found in binary or memory: http://epydoc.sourceforge.net
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://forum.immunityinc.com/
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=137.0)
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=138.0)
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=140.0)
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=157.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=158.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=159.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=162
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=163.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=34
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=49.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=63.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=74.0
Source: Changelog.txt.0.dr	String found in binary or memory: http://forum.immunityinc.com/index.php?topic=84.0
Source: ImmunityDebugger_1_85_setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ImmunityDebugger_1_85_setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Changelog.txt.0.dr	String found in binary or memory: http://peid.info/BobSoft/Downloads.html)
Source: activex.py.0.dr	String found in binary or memory: http://sourceforge.net/projects/comtypes/
Source: UserDB.TXT.0.dr	String found in binary or memory: http://wibu.com/us/
Source: pelib.py.0.dr	String found in binary or memory: http://win32assembly.online.fr/files/pe1.zip
Source: hidedebug.py.0.dr	String found in binary or memory: http://www.PEiD.info/BobSoft/
Source: scanpe.py.0.dr	String found in binary or memory: http://www.SecretAsHell.com/BobSoft/
Source: horse.py.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: funsniff.py.0.dr, ImmunityDebugger.exe.0.dr, Libs.librecognition-module.html.0.dr, Libs.immlib-module.html.0.dr, pelib.py.0.dr, stackvars.py.0.dr, libheap.py.0.dr, graphclass.py.0.dr, libstackanalyze.py.0.dr	String found in binary or memory: http://www.immunityinc.com
Source: Libs.libevent-pysrc.html.0.dr, Libs.immvcglib-pysrc.html.0.dr, Libs.debugtypes-pysrc.html.0.dr, Libs.immutils-pysrc.html.0.dr, Libs.libanalyze-pysrc.html.0.dr, Libs.graphclass-pysrc.html.0.dr	String found in binary or memory: http://www.immunityinc.com>
Source: pelib.py.0.dr, Libs.pelib-module.html.0.dr	String found in binary or memory: http://www.immunityinc.com/CANVAS/
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://www.immunityinc.comDVarFileInfo$
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://www.immunityinc.comopen
Source: syscall.py.0.dr	String found in binary or memory: http://www.openrce.org/blog/view/1077/Digging_up_system_call_ordinals
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ImmunityDebugger.exe.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: UserDB.TXT.0.dr	String found in binary or memory: http://www.oreans.com
Source: Libs.immvcglib-pysrc.html.0.dr, immvcglib.py.0.dr	String found in binary or memory: http://www.penguin-soft.com/penguin/man/1/vcg.html
Source: Credits.txt.0.dr	String found in binary or memory: http://www.secretashell.com/BobSoft/

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_00406B9F GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00406B9F

Source: Yara match

File source: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe, type: DROPPED

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_0040407F EntryPoint,InitCommonControls,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,DeleteFileA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,OleUninitialize,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040407F

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0041F035	0_2_0041F035
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0042655E	0_2_0042655E
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0041D96E	0_2_0041D96E
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0041EE34	0_2_0041EE34
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00424E97	0_2_00424E97
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0042635D	0_2_0042635D

Source: ImmunityDebugger_1_85_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger_1_85_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger_1_85_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ImmunityDebugger.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ImmunityDebugger_1_85_setup.exe, 00000000.00000002.503771718.00000000027A0000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs ImmunityDebugger_1_85_setup.exe

Source: ImmunityDebugger_1_85_setup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: ImmunityDebugger.exe.0.dr

Binary string: iphlpapi.dllAllocateAndGetTcpExTableFromStackAllocateAndGetUdpExTableFromStackkernel32.dll%d.%d.%d.%dFailed to snapshot TCP EndpointFailed to snapshot UDP EndpointFailed to take process SnapshotRtlInitUnicodeStringZwOpenSectionInitializeObjectAttributesZwOpenFile\Device\PhysicalMemory\Device\Tcp\Device\UdpCould not map TCPCould not map UDPCould not open HandlesError accesing memoryDebugActiveProcessStopSymCleanup%s s,s,sSearching in %sSearch Done.Unable to allocate %li bytes of memorySearching for callsk(k,i,k)(k,i,i,k)k[k,k,k,k,i,s,s,s]w+zzz.txt%i%s

Source: classification engine

Classification label: clean4.winEXE@1/278@0/0

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_004053A4 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,

0_2_004053A4

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_004028AD CoCreateInstance,MultiByteToWideChar,

0_2_004028AD

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File created: C:\Program Files (x86)\Immunity Inc

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File created: C:\Users\Public\Desktop\Immunity Debugger.lnk

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsqAA72.tmp

Jump to behavior

Source: ImmunityDebugger_1_85_setup.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File read: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File written: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.ini

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Automated click: I accept
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Automated click: Next >
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Automated click: Install
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Source: ImmunityDebugger_1_85_setup.exe

Static file information: File size 22749412 > 1048576

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_00407B28 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00407B28

Source: ImmunityDebugger_1_85_setup.exe	Static PE information: real checksum: 0x1b6cd should be:
Source: loaddll.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xe500

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push ebx; mov dword ptr [esp], 00000000h	0_2_0040409D
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push eax; mov dword ptr [esp], 00000000h	0_2_0040411F
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push ecx; mov dword ptr [esp], eax	0_2_0040415D
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push esi; mov dword ptr [esp], ebx	0_2_0040426A
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push eax; mov dword ptr [esp], 0043A400h	0_2_0040432E
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push ecx; mov dword ptr [esp], 0042B810h	0_2_0040439C
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push eax; mov dword ptr [esp], 0042B810h	0_2_00404403
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040407F push ebx; mov dword ptr [esp], 00000002h	0_2_00404485
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00401834 push eax; mov dword ptr [esp], ebx	0_2_004018E5
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00403CB7 push ebx; mov dword ptr [esp], 00439C00h	0_2_00403D38
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00406A5D push eax; mov dword ptr [esp], 0042D474h	0_2_00406A96
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407A78 push ebx; mov dword ptr [esp], 0042E0B8h	0_2_00407A94
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407A78 push edx; mov dword ptr [esp], 0042E0B8h	0_2_00407AFA
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407A78 push ecx; mov dword ptr [esp], 0042E0B8h	0_2_00407B09
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00401AC9 push edx; mov dword ptr [esp], eax	0_2_00401B10
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00401AC9 push esi; mov dword ptr [esp], 0040C004h	0_2_00401B27
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407769 push eax; mov dword ptr [esp], ebx	0_2_004079DC
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_004057D7 push edx; mov dword ptr [esp], eax	0_2_00405A8F
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_004057D7 push ecx; mov dword ptr [esp], esi	0_2_00405A9B
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_004057D7 push esi; mov dword ptr [esp], eax	0_2_00405AE0
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00403FDC push eax; mov dword ptr [esp], 0043A400h	0_2_00403FEF
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00405B86 push eax; mov dword ptr [esp], ebx	0_2_00405D2A
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00405B86 push ebx; mov dword ptr [esp], 00439400h	0_2_00405D45
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00405B86 push eax; mov dword ptr [esp], 0040B340h	0_2_00405ECA
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00405B86 push ecx; mov dword ptr [esp], 00000001h	0_2_00405F87
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00406B9F push eax; mov dword ptr [esp], 00000015h	0_2_00406C76
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00406B9F push eax; mov dword ptr [esp], esi	0_2_00406EB3
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00406B9F push edx; mov dword ptr [esp], eax	0_2_0040707E
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_004053A4 push ecx; mov dword ptr [esp], ebx	0_2_004053E5
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_004053A4 push ecx; mov dword ptr [esp], ebx	0_2_00405414
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_004053A4 push ecx; mov dword ptr [esp], ebx	0_2_00405537

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Bookmark.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Cmdline.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\debugger.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\libgmp-10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\loaddll.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\libcvc3.2.1.1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File created: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\LICENSE.txt

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc	Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger	Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger\Immunity Debugger.lnk	Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger\Uninstall.lnk	Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Cmdline.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Bookmark.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\debugger.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\libgmp-10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\loaddll.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\libcvc3.2.1.1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407A42 FindFirstFileA,FindClose,	0_2_00407A42
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_00407E0E DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00407E0E
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Code function: 0_2_0040334A FindFirstFileA,	0_2_0040334A

Source: debugger.pyd.0.dr	Binary or memory string: check_vmware
Source: debugger.pyd.0.dr	Binary or memory string: Check if vmware is present
Source: ImmunityDebugger.exe.0.dr	Binary or memory string: AddRowHeaderAddhooksAddsorteddataAddtolistAnalysecodeAnimateArefgettextAreggettextAssembleAttachtoactiveprocessBroadcastBrowsefilenameCalculatecrcCheckconditionCheckhookCompressCreatedumpwindowCreatelistwindowCreatepatchwindowCreateprofilewindowCreatertracewindowCreatesorteddataCreatethreadwindowCreatewatchwindowCreatewinwindowDecodeaddressDecodeasciiDecodecharacterDecodefullvarnameDecodeknownargumentDecodenameDecoderangeDecoderelativeoffsetDecodethreadnameDecodeunicodeDecompressDefaultbarDeletebreakpointsDeletehardwarebreakbyaddrDeletehardwarebreakpointDeletenamerangeDeletenonconfirmedsorteddataDeleteruntraceDeletesorteddataDeletesorteddatarangeDeletewatchDemanglenameDestroysorteddataDisasmDisassemblebackDisassembleforwardDiscardquicknamesDumpbackupErrorExecutehooktimeoutExpressionFindallcommandsFindalldllcallsFindallsequencesFinddecodeFindfileoffsetFindfixupFindhittraceFindimportbynameFindlabelFindlabelbynameFindmemoryFindmoduleFindnameFindnextnameFindnextprocFindnextruntraceipFindprevprocFindprevruntraceipFindprocbeginFindprocendFindreferencesFindsorteddataFindsorteddataindexFindsorteddatarangeFindstringsFindsymbolicnameFindthreadFindunknownfunctionFlashFollowcallGet3dnowGet3dnowxyGetaddressfromlineGetasmfindmodelGetasmfindmodelxyGetbprelnameGetbreakpointtypeGetbreakpointtypecountGetcputhreadidGetdisassemblerrangeGetfloatGetfloat10Getfloat10xyGetfloatxyGethexstringGethexstringxyGetlineGetlinefromaddressGetlinexyGetlongGetlongxyGetmmxGetmmxxyGetnextbreakpointGetoriginaldatasizeGetproclimitsGetregistersGetregxyGetresourcestringGetruntraceprofileGetruntraceregistersGetsortedbyselectionGetsourcefilelimitsGetstatusGettableselectionxyGettextGettextxyGetwatchGoGraphAddGuardmemoryHardbreakpointsHavecopyofmemoryInfolineInjectcodeInsertnameInsertwatchIsadministratorIsfillingIsprefixIsretaddrIssuspiciousIstextAIstextWListhookListmemoryLoopTickingManualbreakpointMergequicknamesMessageModifyhittraceNewtablewindowOpenEXEfilePainttableParseasmoperandPlugingetvaluePluginreadintfrominiPluginreadstringfrominiPluginsaverecordPluginwriteinttoiniPluginwritestringtoiniPrepareasmseqPreparefornewprocessPrint3dnowPrintfloat10Printfloat4Printfloat8PrintsseProgressPyCommitKnowledgePyDetachPyExitIDPyFindDataRefPyFindStringsPyGetUDDKnowledgePyGetVariableNamePyGetallbasicblocksPyGoSilentPyIgnoreSingleStepPySetVariableNamePyShowgraphPyStdout_CatcherPyaddknowledgePycmdexecPycomboPycreategraphwindowPyforgetknowledgePygetallhandlesPygetallnamesPygetallthreadsPygetcallstackPygetcalltreePygeteventPygetintercallPygetknowledgePygetpanelinfoPygetsehchainPygetthreadidPyinputPylistknowledgePypsPysetregPyshellcallPyshowtextwindowPythonsearchPyvqueryQuickinsertnameQuicktablewindowReadcommandReadmemoryRedrawdisassemblerRegisterotclassRegisterpluginclassRemovehookRestoreallthreadsRunsinglethreadRuntracesizeScanmodulesScrollruntracewindowSelectandscrollSendshortcutSetIncludePathSetbreakpointSetbreakpointextSetcpuSetdisasmSetdumptypeSethardwarebreakpointSetmembreakpointSetstatusSettracecon
Source: ImmunityDebugger.exe.0.dr	Binary or memory string: vmware_detect
Source: api-objects.txt.0.dr	Binary or memory string: Libs.immlib.Debugger.isVmWareLibs.immlib.Debugger-class.html#isVmWare

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	API call chain: ExitProcess graph end node			graph_0-3900
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	API call chain: ExitProcess graph end node			graph_0-3568

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_00407B28 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00407B28

Source: ImmunityDebugger_1_85_setup.exe, 00000000.00000002.500694936.0000000001290000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ImmunityDebugger_1_85_setup.exe, 00000000.00000002.500694936.0000000001290000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ImmunityDebugger_1_85_setup.exe, 00000000.00000002.500694936.0000000001290000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: ImmunityDebugger_1_85_setup.exe, 00000000.00000002.500694936.0000000001290000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: ImmunityDebugger_1_85_setup.exe, 00000000.00000002.500694936.0000000001290000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe

Code function: 0_2_00407769 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00407769

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Process Injection1	Masquerading2	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ImmunityDebugger_1_85_setup.exe	2%	Metadefender		Browse
ImmunityDebugger_1_85_setup.exe	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Bookmark.dll	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Bookmark.dll	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Cmdline.dll	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Cmdline.dll	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\codegraph.py	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\codegraph.py	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\debugtypes.py	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\debugtypes.py	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\deplib20.py	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\deplib20.py	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\libfinder.py	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\libfinder.py	0%	ReversingLabs
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\libgadgets.py	0%	Metadefender	Browse
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\libgadgets.py	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.1.ImmunityDebugger_1_85_setup.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://forum.immunityinc.com/index.php?topic=49.0	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/ID_checkupdate.pyhttp://debugger.immunityinc.com/update/ImmunityDebu	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=163.0	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=137.0)	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/update/ImmunityDebugger.exe	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/ID_adref.py?referer=	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/update/ImmunityDebugger.sig	0%	Avira URL Cloud	safe
http://www.SecretAsHell.com/BobSoft/	0%	Avira URL Cloud	safe
http://wibu.com/us/	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/ID_checkupdate.py	0%	Avira URL Cloud	safe
http://www.immunityinc.comopen	0%	Avira URL Cloud	safe
http://www.immunityinc.com/CANVAS/	0%	Avira URL Cloud	safe
http://PEiD.info/BobSoft/)	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=74.0	0%	Avira URL Cloud	safe
http://www.oreans.com	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=138.0)	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/ID_adref.py?referer=%s%sSoftware	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=140.0)	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=157.0	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=34	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/	0%	Avira URL Cloud	safe
http://debugger.immunityinc.com/update/ImmunityDebugger.exeSignature	0%	Avira URL Cloud	safe
http://www.immunityinc.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=159.0	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=158.0	0%	Avira URL Cloud	safe
http://www.immunityinc.com>	0%	Avira URL Cloud	safe
http://auth.immunityinc.com/ImmunityDebugger/ID_getads.pyImmunity	0%	Avira URL Cloud	safe
http://www.penguin-soft.com/penguin/man/1/vcg.html	0%	Avira URL Cloud	safe
http://auth.immunityinc.com/ImmunityDebugger/ID_getads.py	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=63.0	0%	Avira URL Cloud	safe
http://www.immunityinc.com	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=84.0	0%	Avira URL Cloud	safe
http://peid.info/BobSoft/Downloads.html)	0%	Avira URL Cloud	safe
http://www.PEiD.info/BobSoft/	0%	Avira URL Cloud	safe
http://forum.immunityinc.com/index.php?topic=162	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://forum.immunityinc.com/index.php?topic=49.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://debugger.immunityinc.com/ID_checkupdate.pyhttp://debugger.immunityinc.com/update/ImmunityDebu	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=163.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	horse.py.0.dr	false		high
http://forum.immunityinc.com/index.php?topic=137.0)	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://debugger.immunityinc.com/update/ImmunityDebugger.exe	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.openrce.org/blog/view/1077/Digging_up_system_call_ordinals	syscall.py.0.dr	false		high
http://debugger.immunityinc.com/ID_adref.py?referer=	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://debugger.immunityinc.com/update/ImmunityDebugger.sig	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.SecretAsHell.com/BobSoft/	scanpe.py.0.dr	false	Avira URL Cloud: safe	unknown
http://wibu.com/us/	UserDB.TXT.0.dr	false	Avira URL Cloud: safe	unknown
http://debugger.immunityinc.com/ID_checkupdate.py	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.immunityinc.comopen	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ImmunityDebugger_1_85_setup.exe	false		high
http://www.immunityinc.com/CANVAS/	pelib.py.0.dr, Libs.pelib-module.html.0.dr	false	Avira URL Cloud: safe	unknown
http://PEiD.info/BobSoft/)	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=74.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	ImmunityDebugger.exe.0.dr	false		high
http://www.oreans.com	UserDB.TXT.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=138.0)	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://epydoc.sourceforge.net	Libs.libheap.Win7LFHeap-class.html.0.dr	false		high
http://www.openssl.org/support/faq.htmlRAND	ImmunityDebugger.exe.0.dr	false		high
http://nsis.sf.net/NSIS_Error	ImmunityDebugger_1_85_setup.exe	false		high
http://debugger.immunityinc.com/ID_adref.py?referer=%s%sSoftware	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=140.0)	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=157.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=34	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://debugger.immunityinc.com/update/ImmunityDebugger.exeSignature	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://win32assembly.online.fr/files/pe1.zip	pelib.py.0.dr	false		high
http://www.immunityinc.comDVarFileInfo$	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	low
http://forum.immunityinc.com/index.php?topic=159.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=158.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.immunityinc.com>	Libs.libevent-pysrc.html.0.dr, Libs.immvcglib-pysrc.html.0.dr, Libs.debugtypes-pysrc.html.0.dr, Libs.immutils-pysrc.html.0.dr, Libs.libanalyze-pysrc.html.0.dr, Libs.graphclass-pysrc.html.0.dr	false	Avira URL Cloud: safe	low
http://auth.immunityinc.com/ImmunityDebugger/ID_getads.pyImmunity	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.secretashell.com/BobSoft/	Credits.txt.0.dr	false		unknown
http://www.penguin-soft.com/penguin/man/1/vcg.html	Libs.immvcglib-pysrc.html.0.dr, immvcglib.py.0.dr	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/rfc/cookie_spec.html	ImmunityDebugger.exe.0.dr	false		high
http://auth.immunityinc.com/ImmunityDebugger/ID_getads.py	ImmunityDebugger.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=63.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://sourceforge.net/projects/comtypes/	activex.py.0.dr	false		high
http://www.immunityinc.com	funsniff.py.0.dr, ImmunityDebugger.exe.0.dr, Libs.librecognition-module.html.0.dr, Libs.immlib-module.html.0.dr, pelib.py.0.dr, stackvars.py.0.dr, libheap.py.0.dr, graphclass.py.0.dr, libstackanalyze.py.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=84.0	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://peid.info/BobSoft/Downloads.html)	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.PEiD.info/BobSoft/	hidedebug.py.0.dr	false	Avira URL Cloud: safe	unknown
http://forum.immunityinc.com/index.php?topic=162	Changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	415756
Start date:	17.05.2021
Start time:	11:07:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ImmunityDebugger_1_85_setup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@1/278@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 69.4% (good quality ratio 40.1%) Quality average: 29.4% Quality standard deviation: 33.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/415756/sample/ImmunityDebugger_1_85_setup.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Bookmark.dll Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.066763411894013
Encrypted:	false
SSDEEP:	192:fkdkzng24j2HBTNneppbH4W7GoyZqY/FRSEJ0JU2PVVAGYg:fkwg24jyBTNe3bYXZ1/FK9bY
MD5:	631E00D77F30BAEF75756577772DBC5B
SHA1:	A74BEE9B88E861CE7DA9BF72048B4BCFF89F7BD6
SHA-256:	E3F5F9E85D082D41728AF28CE7818F986DF76903EDCFEDD2984FEB78E46D4715
SHA-512:	216EE4BC12BBD38095982C916DA852F7450B06C22A1FAAD7719416AD97406BEDA4C7AAC7B9752D90F2121A467DD0D22F32707B35EDFB58E86CD02B1072922E12
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.;O...........#.........2......`........0.....p................................*......... ......................`.......p.................................. ...................................................Tq...............................text...D...........................`.P`.data........0....... ..............@.0..rdata.......@......."..............@.0@.bss.........P........................`..edata.......`.......$..............@.0@.idata.......p.......&..............@.0..CRT................................@.0..tls.... ............0..............@.0..reloc.. ............2..............@.0B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Changelog.txt Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	16309
Entropy (8bit):	4.859520150491236
Encrypted:	false
SSDEEP:	384:Z/CkW6+HDHJAcQ13BfQCaM6xj9x+XNZaNHD:Z/ChrecQ13B4W2hx+XUj
MD5:	1E61F400ED77BD2758F3C3CDF8CC7402
SHA1:	8BC58A321BFDBCBFEDAC67D77797AFEDF0AA1854
SHA-256:	41746A474D408B83EB00774364F99E9E8EF04A13D42F2AB96B5523915E71FD6E
SHA-512:	FE99B8CE4DC5A0D01D069718BCF5D4D96C33513986E13F9521024EDE597F2315C372DD6BDF1B5CC6679C1531B0E584E0574E19126ADAB312299E8ED6DFAE9196
Malicious:	false
Reputation:	low
Preview:	1.85.- Added libptrace DLL; this is the new debugging core from which... new primitives will gradually be used....- Rewrote the .SYS file handling to use the libptrace core, to... address several other problems that were reported.....1.84.- Minor Python script fixes....- Fixed crash on loading of .SYS files.....1.83.- Things now work again on Windows 2000....- Python bindings bug fixes....- Improved python error handling....- Added interceptor and symbolicexecutor scripts.....1.82.- Better handling of breakpoints....- Fix thread suspend issues while handling breakpoints....- Reintroduced the python shell....- Updated Python to 2.7.1...- Fixed python tracebacks to work again.....1.81...- EXCEPTION_GUARD_PAGE can now be ignored.... This will work properly, unless the end-user uses on-access... breakpoints which use guard pages (this principle is broken... anyhow, as passing guard pages to system functions can lead... to undesired side effects)......- Every python script and hook no

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Cmdline.dll Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	5.813851652319192
Encrypted:	false
SSDEEP:	768:go2hzdu7EfCRUksRlxedDEYZtW+bujQe1:Uw7WNRuqYDbGQe1
MD5:	6DDD4DC32E217A2484226DEB571C78CC
SHA1:	D9C5FD947283A7E5A2350716722D7A9288F26158
SHA-256:	22AB6F2F8473556AD3CDB27747303CF2695E74576EBB551AEB02E7DDAF96C23B
SHA-512:	F24246B280A006ADB45A5D0464427A1A076637AC6520736178BC9C4DCB23029192204BCAE4F7CF47A86D32A3D84271A35291605DA6B7A74F0EC3AF420159D061
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.;O...........#.....F...p......`........`....`b.......................................... .................................\|...............................(....................................................................................text....D.......F..................`.P`.data...@....`.......J..............@.`..rdata.......p.......L..............@.`@.bss....p.............................`..edata...............X..............@.0@.idata..\|............Z..............@.0..CRT.................h..............@.0..tls.... ............j..............@.0..reloc..(............l..............@.0B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Data\UserDB.TXT Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	499709
Entropy (8bit):	4.369988484647749
Encrypted:	false
SSDEEP:	6144:fPt2gx9LiZv4w+lLHezTf+zFZbdCMiZp5lZxyLmjt/9VIHF+1VOc2:fPtMZv4w+8z25Ch/9VIHFWO5
MD5:	CABEB4D94F3588C46CCE6D793E263C44
SHA1:	E63369562182C8DA5A4E7A59CEBAD0455B4C250F
SHA-256:	E3DF02374544078A945D1593B9C08A02D94AE6A5C1FC4E7007235BEA31A5D00F
SHA-512:	3DB3041768285F664EB42319E4C7A18E4A5A1C0731D806A8E7A4070D086395727AD5CBA292F81DB5BA9F6DE7F244F34594B7379D32234FA01380083966874809
Malicious:	false
Reputation:	low
Preview:	; By BoB / Team PEiD ....; 1832 Signatures in list ......[!EP (ExE Pack) V1.0 -> Elite Coding Group]..signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10..ep_only = true....[!EPack 1.4 lite (final) - by 6aHguT]..signature = 33 C0 8B C0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8..ep_only = true....[$pirit v1.5]..signature = ?? ?? ?? 5B 24 55 50 44 FB 32 2E 31 5D..ep_only = true....[$PIRIT v1.5]..signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21..ep_only = true....[* PseudoSigner 0.1 --> Anorganix]..signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90..ep_only = true....[* PseudoSigner 0.1 [32Lite 0.03] --> Anorganix]..signature = 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9..ep_only = true....[* PseudoSigner 0.1 [ACProtect 1.09] --> Anorganix]..signature = 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 02 0

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Data\libc.dat Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	387415
Entropy (8bit):	5.873794082172507
Encrypted:	false
SSDEEP:	6144:nKZkBy0ysTi+o4i3dmZFIdd8g62O/iecvTsF44rbvCiqNd8FN1QE7pcrvbGHnnqK:nTBy0ysW+li3dGFIr8g62OaecvfiqNd4
MD5:	930732AF92620D5D99BDD7E940E3231C
SHA1:	B9F181E1CD63F155DB842AA75F9287568465F81E
SHA-256:	07FEFEEE57A71661C6218A85B712630A3DCA61C466193AAFED301086CDEB440E
SHA-512:	C1CA4167BE38D5C1C5470EA86A22906F152E52EC28D0B2715BCC8158C7021C637C791EA0ADC2EEEF8DABDDA1772217BC01DF4FAD8B73C198E0972F7B9E457DFF
Malicious:	false
Reputation:	low
Preview:	__strncoll,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",CXYH8EupfWBPi8wKP9Bkq8K8QFbSiz3PT4vMCgAAAAAAAAAAS6l9YD/QZKs8OdvB0os9zwAAAAAAAAAAPDnbwQAAAAAAAAAAwrxAVgAAAAAAAAAA,[],8724f312d7d930b017b73fcb194ec31b5061e46d,VS2005,LIBC.LIB..___CxxFrameHandler,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCLD\nMOV DWORD PTR SS:[EBP+CONST],R32",jrZbAwAAAAAAAAAA,voVkygAAAAAAAAAAe7L2qZyGUTichlE4OVp8YAAAAAAAAAAA3xP/6QAAAAAAAAAAKCc7MTlafGAAAAAAnIZROL6FZMpSYmcrnIZROL6FZMqchlE4nxDKfHuy9qlrIAKxayACsZyGUTichlE4UmJnK98T/+m7IZT2nIZROL6FZMqgLhZNoC4WTb6FZMoAAAAAuyGU9t8T/+lBjXwbQY18G98T/+koJzsx,fb687cb3c11335e10eee7f8ba7cd3ba2b1fbec93,VS2005,LIBC.LIB..?_JumpToContinuation@@YGXPAXPAUEHRegistrationNode@@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST",YtYcGAAAAAAAAAAA,[],ff70b9726ce7f40af7121b64dbf7d5f0607f07e9,VS2005,LIBC.LIB..___CxxLongjmpUnwind@4,"MOV R

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Data\libcd.dat Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	459418
Entropy (8bit):	5.831533066389373
Encrypted:	false
SSDEEP:	12288:3W08yS2WMb59W+5X8cuGEb//g7K6nN0HgIBB5N789EE/oKjYF008jyT2nSgaGtgw:3W08yS2WMb59W+5X8cuGEb//g7K6nN0Q
MD5:	17E08C701A5B8FD229508051E1B828D5
SHA1:	17A56B32562CBA1D780CABEE092CBF2B2AFFC81D
SHA-256:	1F59A9E8D47B81729D98B9E9C717F569481C82338E12F34693BD9C5F491B6362
SHA-512:	11225AD9AACA98BF880258B4152B02FE2D3081A0419333B5C82FB4B65890EC60183700F28B1B2D2FEAF964A809F71E872B1F50458B7523CCE94499F79019018A
Malicious:	false
Reputation:	low
Preview:	__vsnprintf,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32",mY/2juRSvJ+S9NEB8BpJtfvKdJIWcp1ouz1JhQAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavFnKdaLs9SYUAAAAA+8p0kgAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTjwGkm15FK8n5yGUTjwGkm1kvTRAeRSvJ91gwav,[],03d04de2584ceb94a12d1105eb6a26c95c5fa811,VS2005,LIBCD.LIB..__heapmin,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32",xJKmaADh1msAAAAAAuh/9MSSpmiDEaxcJu7hZQDh1msAAAAAvOu/qSbu4WUC6H/0AOHWawAAAAAAAAAAgxGsXADh1msAAAAA,[],93c7bbe7c265f5db9d3182268147fbcd64ff015a,VS2005,LIBCD.LIB..___crtGetEnvironmentStringsA,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nPUSH CONST\nPUSH CONST",dvz6pvh3+cFmeTE1ZnkxNU+LzAoAAAAAXqODJyEgQSUAAAAA86W31dFIlKV2/Pqm+Hf5

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Cmdbox.hlp Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	MS Windows 3.1 help, Thu May 17 03:10:46 2007, 13274 bytes
Category:	dropped
Size (bytes):	13274
Entropy (8bit):	3.6843188669339604
Encrypted:	false
SSDEEP:	192:+eYlel+Jqsl+kUnM+tjfXoj4BKuOsHAQ:+xlnqg9UM+h4j4BK
MD5:	38D52C0D79DFE7982B6A23B95F8CB62D
SHA1:	273F13807D5E5F3E925B36C6BCF3BC35EBB98BDE
SHA-256:	5D8296C0FB1BC36E5AFD60573E616F43663F56980D0A7FA03767B392B231C8E9
SHA-512:	23D868A71B81090ABEBEB13EF103797A81305FBF4EFC489072585D1C2E4DF4040B9668D8F16565C0367B01866952DBD7E23EE9EEFAB78427B7DF68D61A1CECF7
Malicious:	false
Reputation:	low
Preview:	?_...........3............'()+,-.1.2:;[[,]a.ccessadd.r..llandA.PIareasA.ssignatA.TBPBPXb...kpointB.`@sbytec6.c.anClosecXommB..@s..e.ntcondit.ion..sta7..CPUcurr...Debugger.decimalD.eletedes.crip2.Dis.assemble.rDittodu.mpD..each.EAXExecu.teexp..b..0K..v.1.p2E.`s.external.filename.Followfo.r..matfun.c..GetPro.cA#1given.Graphhar.dw).HELPh.elphexIm.munityin.INT3*.ois.labelmem0orym..j.ot.ofonover.programp.ycmdpyth.onrangeR.-.veRuns.1.SetsetSh.ow=.ckSte.psymboliDct..tha..e.thistill.toTracev.alueView.windowWM._CLOSEwr.ite./...&....;)....z4..............................o.......\|CONTEXT..+..\|CTXOMAP.$...\|FONT.g...\|KWBTREE.M...\|KWDATA./...\|KWMAP.<...\|PhrImage.....\|PhrIndex.7...\|SYSTEM.....\|TOPIC.....\|TTLBTREE.\|#..................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Credits.txt Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	4.737222850476109
Encrypted:	false
SSDEEP:	6:JLPoHRC5cX+n2cmGGqaFCMXLDV2FZ4rDHUvoar:B0ReI+2cmGoFCe4Fygvoar
MD5:	F945D686B4764D29C768CF2F622E44FC
SHA1:	B074B6CED0AE4916B8246F8B0ED77A0B75915A95
SHA-256:	93F325E1C0D4E2BFF73E4FD98B5624529796BEBAD09D3636E411B4981AA165AC
SHA-512:	6C86BB013536E69AE6E9F2B6D234024F3B786D8EC38C3D333B2422033056D2D638EFD6F0DCF0D126880C1FA469F5D8ED1DB1742C6698C1F7A97C36842D3F7246
Malicious:	false
Reputation:	low
Preview:	We will like to thanks the following contributors:....o Ero Carrera for pefile (http://code.google.com/p/pefile/)..o JMS for the getrpc mod ( jms@bughunter.ca )..o Bob for the PEid UserDB ( http://www.secretashell.com/BobSoft/ )..........

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\DEBUGGER.HLP Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	MS, 198434 bytes
Category:	dropped
Size (bytes):	198434
Entropy (8bit):	6.957375132741213
Encrypted:	false
SSDEEP:	3072:m8KsyGzJEusGBin2me5NMfHF8LrXguXUKlakdPRR3chT6z0NmZg21RwG55OIdG3T:01Gz6u/BblGdSXYkhL3c9c0gyu5puB
MD5:	E918C909A199E4EEE77EB06F4D94EDC4
SHA1:	9293D145EA113B285A82A922C99731BED78C3F21
SHA-256:	F8B7B8143FF62251CE3A1718C0168F4E047AC2629568968EB98D4B84EDFF5ACE
SHA-512:	5E7B5295CACAC289F74B6E87D6CF8E7262FDC2E29F2B994D1CE6C994E9B196025D8F91CF85DD84541D0BC2AB5665BC87DD2AD7797BE42E5A545717A5196FB86A
Malicious:	false
Reputation:	low
Preview:	?_...+......"........... ...0....(.:p.(),-.00:.;accessa.ddr.PssesHall..ow..s.oAnalyze.randappl.icationa.reargume.ntsasASC.IIA:.mbl).Putom%.cG.y@availa..b@ackupb7.k point.psb.y...scanc.odecolum...mmv..@sco(ndi\| l..st.ant..tainE..t..cor..p.(.ngCtrlc.u..ntdata.debugged.D.0r.0'.def.aultdiff2e,.Di...@di.splayed.@.sDWORDEA.X..ryexam.pleexcep...execut....0. p[.2.fil.efirstfo.\...forfro`mfuncS..Ps.hW...imalhPighl..t..I.fifImmun.ityinin>..f.onisitm.emorymod.uleMOVna.....snotnu.mberofon`onlyo. .0s.or. proce0dure.`..gr.amPUSHre..!).regist.ec..0..turn.runs..chs elect.0edC.0..etso..t...str..sym$boK.syN.mt.hatthethHisT..th\.d.totraceU.NICODEWh.enw..ill:.Hdow.0sW.0w.ithyouYo.u .2.D.V.h.z.......!!",!.)""),")..",.."."<".]#%%)%.&.&&'','.'.>..\("()(.)!()-().(+)(-)(..(:)(;)(?.)(.)".),.).);)[*+.++)++,+[!R.-,....<,.[..#.&.).........P.]//./00..0012 34004.P11H71B.027.03.1..405&..0.P.3.@6.@9'@F/0T52.@5.@A.@D.O06.@6.@68.@{....Ew0...0g@7.?@7g@6..0.@8w@.8?@9.@9.@9g@.9.@9.@A.....@zA.@A.@...0.AB..@B.ABC'1..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\IMMLIB.HLP Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	MS Windows 3.1 help, Thu May 17 03:24:59 2007, 152670 bytes
Category:	dropped
Size (bytes):	152670
Entropy (8bit):	5.1580822605174665
Encrypted:	false
SSDEEP:	3072:GoXNKbivPFoluVZdzkeAVntVzRZpcDHooFbkMrYx9nRphmDwp4M5gOebNp5hpWim:X/GX
MD5:	7474DCB8D3A20C5D76A99A1938ABB313
SHA1:	692D29595B4F48FF440C8022928C2BABE3175D32
SHA-256:	C110D862FF47FF70310487AB670ABF820D06CC34E003116B5F1D374E13E36C61
SHA-512:	E4F26B45B138070A08C0B0F08427B771FBA371564799BBE5BBFA3306F6F461B1F36B2261544EDD79C97FC137E1A70C41E953951D30498EE3875B1BC8483C5C71
Malicious:	false
Reputation:	low
Preview:	?_..........^T...........l.!....KF......Immunity Debugger Python API...........Z.............main.................................................................r..........Z.............second......................................................H.f...f..Q............................................................................................................................................................................................./...&....;)....z4......................................\|CONTEXT./<..\|CTXOMAP. ...\|FONT.T...\|KWBTREE.....\|KWDATA.+...\|KWMAP.....\|SYSTEM.....\|TOPIC.....\|TTLBTREE....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\ImmunityDebugger.odt Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	OpenDocument Text
Category:	dropped
Size (bytes):	281543
Entropy (8bit):	7.952708994470811
Encrypted:	false
SSDEEP:	6144:NNxaQqiPrN6aU4EnlbKZW7GhUK5+m2yc+TQH3cczvU+U:NzaviPp61ZKZ/SK5Ao8HsiU
MD5:	6A9A81849D2ABA1B440D15634D4D149A
SHA1:	6AF7CB7CAAD0C4165CA9276766AF9F5DE034761B
SHA-256:	5982B998E2057079024723C24134FC3B76DBC5C8918F2DE267D786C62B27C0C3
SHA-512:	D059613137CE874DFE0F86DAB8A379BA2AF8E122A0EC78B7F5678AD04D2AE4A32FC021CC297907AED98D599D064771E766705ED5FF82A0DAC95F4BCD6D73E394
Malicious:	false
Reputation:	low
Preview:	PK.........y.6^.2.'...'.......mimetypeapplication/vnd.oasis.opendocument.textPK.........y.6................Configurations2/statusbar/PK.........y.6............'...Configurations2/accelerator/current.xml..PK..............PK.........y.6................Configurations2/floater/PK.........y.6................Configurations2/popupmenu/PK.........y.6................Configurations2/progressbar/PK.........y.6................Configurations2/menubar/PK.........y.6................Configurations2/toolbar/PK.........y.6................Configurations2/images/Bitmaps/PK.........y.6....B...B..-...Pictures/1000000000000253000000A65AE979FC.png.PNG........IHDR...S.........q.<....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<..A.IDATx^.}....?F.}...\c.hP......%.D..w......K,.Q,`A.....A@zQA.... .*.yb.W.Ac..M,.\|.i;{v.ly..{..<..S..f....9.....:.Cy.:......u...O..5.........I[....{.Ie....I..dE.:.~..5I.o..i..N.....K&..}.=W.1...F#..P..M.7M"+..^..b.q.f....s.\|..>ir...].....O.a..m.3X

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9585
Entropy (8bit):	5.100101137803713
Encrypted:	false
SSDEEP:	192:tXxDHDX/9NVPR10o36/Iso/ERoF+dxo/BqhHDX/9z8rwM9:tXxhpCQYG88L9
MD5:	6FAABE21B95CD6CF9FA323A0F7F92170
SHA1:	48A294CF0B0AEFAB50A7148C2907BA849C515396
SHA-256:	323ACC560DCEC98F7BAB01F28E4BD354C5AB4D8BC1ECAF3FBB872689E81E4DED
SHA-512:	48FA96862ACB67EDBDA5CE5CF8C7C90568510A3BA6E76258FFE222B0B0EA081B501A1275F90A5868CACC93D152A0E9786666CC6F1E43FDD14CC5CDC1A89D9166
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	302745
Entropy (8bit):	4.82518480687736
Encrypted:	false
SSDEEP:	1536:FvGPUvPg4j/eP5rCgE/aCw9qce05aiyZmjcy+fEZ:cUHg4j/exrCJavve0IiyZmjcUZ
MD5:	4460EB4F455E638B1BBD348923F88620
SHA1:	44D5EB0CCBD1F8C22EA2B63E48D70344B3E70C48
SHA-256:	5026E828143418F8BD7BEE3D50996D3DDC31BBA27F5922DACFEB90DF00816AC5
SHA-512:	16F842AD8ED9315DD8A27AC7311E87DB776992B51D0968632C4CDD4D9FB85F0A1559C65DACB9983554C350072F400BDA27BD8FDA0A2360EB5F4AC95305B23E9F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.Handle-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	11749
Entropy (8bit):	4.770376233208785
Encrypted:	false
SSDEEP:	192:t7xDHDX/9NVMr1aaRcp6QcHlKXQ2uFqS8HDX/9z8rwM9:t7xhIE/8L9
MD5:	EEB3711FDBFC3F86B1D09F3A8F6EF9F0
SHA1:	1A6FC49A318F2C60251D47A6BD2DB036FF1E3917
SHA-256:	2CCC32216EE5EDF0C43D433476420A083200ABDDF7AAEF410FC8AEAABE6CA1BE
SHA-512:	C001C3B07EB5B0983B32D376CF46EF03FFC14EE3B983DDE30A65FFB02DEE60A34513AF1128CA14DFA0F52B4392665EB5A6787640E0602F2F9BBE356B3A9EEAC1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.Handle</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.MemoryPage-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	23077
Entropy (8bit):	4.843056022199922
Encrypted:	false
SSDEEP:	192:t1xDHDX/9NViB1yaxcp8/nevsirK2GAePF7drzX8ytYkiSNG9tnLKxofz8YYW/h8:t1xh0sNVeRxYGmImv8L9
MD5:	C38FAC53F6D9692206794615539D3A67
SHA1:	D2B7A3C7676344B70447B1519420525AA0CD5ACE
SHA-256:	3D165BB1AB2D1914F0831D33D1E0CC68EA7BDBD67BAD1A3A1FDA195329E9A27D
SHA-512:	A288F52B39FAA2E0F5F9F4D7C5AF70D3BEE1FD489473AC4C4C4FCBA8F9E2451E60E71D6C5D643E6FBE1109AE178D0CA1A78FB5A3EF74F145EE789D9CA86CD0FD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.MemoryPage</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.Module-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	46181
Entropy (8bit):	4.7340678818254185
Encrypted:	false
SSDEEP:	192:tlxDHDX/9NVyR1aaHUnT7au2lApPrJKzM+5zBc4hrlSYEkfsslHgs1vFDpdOIfp3:tlxhs2n783aV8sKgZ83BXwpQ0W9Uv8L9
MD5:	461CA794BDF984C5BD47D9C2CCE0FCAF
SHA1:	224078C956476E14D67514244A16C8AE337CF95C
SHA-256:	F7DF8BC549ED8EB2225079831583B566D7F9F6A93A51A67A17DD291D06255203
SHA-512:	4ACC4B15D7718C5B44A0E060842C1DBB715DDA14AB583D53F72C15687EE504364C03C715BF0897CB71DA118550AD42580A5BDB207BB1893FE3A9183B7D50ABB1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.Module</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.PEB-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6922
Entropy (8bit):	4.940862891818608
Encrypted:	false
SSDEEP:	192:taxDHDX/9NVHs1yagtYiqhHDX/9z8rwM9:taxhM/8L9
MD5:	1B5703999A90F76B381C1D849E2227A7
SHA1:	FF6B1052232DED8BB9328F7194E0A346C76413ED
SHA-256:	302088E0DFD93DFB287E138EE194D58EAAE6B6FE4788744BF6A3EADAB748AD3A
SHA-512:	DA60A0C13DA17217B6FEBF42FD23C30DB422EC653254422021C75D8AB5D2D88C939DD67CB23C08A529647CD5C3EC7F905E739004AFB1AF9C102D1368A33CE03B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.PEB</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.Stack-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	10416
Entropy (8bit):	4.7982278207743345
Encrypted:	false
SSDEEP:	192:tJxDHDX/9NVCh19ia8Q4N05fAyBRL8HDX/9z8rwM9:tJxhuRfs8L9
MD5:	BF560E9B14391765B2E73F4B281679A7
SHA1:	00C2E7CFBE4CFE12A9001D5E06494990BAF0A99C
SHA-256:	8A435CFE366BAD66E8E7635998867A942B39235075B4CCD13EEA97D6563EDE93
SHA-512:	D56A96599D8658F11EBC53620E3DC363F8C17800D012283647A850887169DF2C3D30B0B9AE0A9A802145B69C48CE142FBBE8C4081CFF532FA30CAB4C56D86ECE
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.Stack</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.Symbol-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9821
Entropy (8bit):	4.8050671539611
Encrypted:	false
SSDEEP:	192:t5vxDHDX/9NVm91XSa0cpY5hAsJc1T78HDX/9z8rwM9:thxhUj4h98L9
MD5:	0BD189649487BBE1E031706E7450B63B
SHA1:	2C7974A7FE3529AC40FB108CBB2ECD9F726710BE
SHA-256:	DF09F181017AE470CD01BF3D072FD9084F2E3F841A0A83A8604CA9B639E88A9C
SHA-512:	B2437924729696F13DF5F6467AF0218A5335B90BA6D724B7004CC8E763692C1C7DA777DD14E4B8CB305A0DE37C73A2001D29317F17533AB5B2A21E9D240D2C5C
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.Symbol</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.Table-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	12759
Entropy (8bit):	4.8562799445878
Encrypted:	false
SSDEEP:	192:tJrxDHDX/9NV2zJ18aQoiQMqQQtYwcW2pMhHDX/9z8rwM9:tJrxhyJw2EW8L9
MD5:	FF32D0BB7B0E799A7C33DA0D9C313787
SHA1:	08E46E74BBCD995672849F7D17F4850373CAABBF
SHA-256:	CAE52059F7974413FF93BE9F9AD53490FB307FF9987647499E8A5D41A95C4955
SHA-512:	0108FDB3330DE98FF282DD1730F644FF4AE5DDD5135FFF7FAA98DAD15F6E93949106F7C4784C156ED8555B842FD2C9F3E8A116192170BB35ABB94E96FF0A277D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.Table</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.debugtypes.Thread-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9135
Entropy (8bit):	4.8204055807590205
Encrypted:	false
SSDEEP:	192:tVxDHDX/9NVqZ1QJa2cpcxJmrHMV28HDX/9z8rwM9:tVxhwO0Y8L9
MD5:	341706C91C89198A255E271450032BE5
SHA1:	F9BD51004AECBA0095E092219FF950218243CA38
SHA-256:	430332780F039AD9C18BC16F52714566F1999DD4BE06C25BF7F70299C6B93DF2
SHA-512:	59852B29B35CA081C75A31C61E77B878201B72A136542D3EDE2D0207EB65377C837858BC224FDAC319C2EECBE9A0F84436F24782CE03C0E543877F62B15A532C
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.debugtypes.Thread</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9951
Entropy (8bit):	5.165831190038342
Encrypted:	false
SSDEEP:	96:tfxRxHhdFd3hdS3dq/hdf3d2CmoNJ719PfxUhoefOa5wquBzQbV+3qC4oTwzfBzH:tfxDHDX/9NVvx1K05+dAhHDX/9z8rwM9
MD5:	E77641D5A1A00696D3DC4020F207ED8C
SHA1:	387BEF9826CEF9CBC4BF87B01472CF82ACC7CE55
SHA-256:	1DF7E5D35FE5257C242C8F7D9B06B8EF2A90785ECE1CF84A2B27A5D1347AF1A4
SHA-512:	9656DAE8D93CD0A21A7E7581863367785F400CB53B979453BC734376AF6857DD2F465A99BF2FC5732E107815D7DC70CED86765B7A058D328F046012B3F285249
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	145740
Entropy (8bit):	4.825746535271094
Encrypted:	false
SSDEEP:	384:tfxhqxhYII6ZIfoopvkjbDXrYqs5Jgc7UTxwQEJfzijd1dqJLLzG0qgQtRV0ZUnU:ZxyXy2gzoV8x
MD5:	1F1694229EEE4C4F2829708F3EF7EDE9
SHA1:	8E80A4E0B68D6B0F4BB8E592A40F7925AF342C54
SHA-256:	1AB60D62C144036B9EAEA0B6E35288148F0664A54357F797CEDFDF4485830E10
SHA-512:	8793C8A20C3158CB5C4A215FEC40F49DC97482318ACB0405C6E581AB0AD6B81ACC8AFE001EC0133FD06D646A52C5C35A7E8BD77C39217D65F459A9FDD2E13DD0
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass.Draw-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8805
Entropy (8bit):	4.840911399805762
Encrypted:	false
SSDEEP:	192:tzxDHDX/9NVgn1Oay70CKq8HDX/9z8rwM9:tzxhUL8L9
MD5:	72D6E674580C86A98F5032024888B94A
SHA1:	F8A77452034B54A5DEB685DEECF011F4B3E15F4E
SHA-256:	1401FA629B4DCD68429C9F66970B480FCC5469A04DAAB4A9A9CDBD43878EA876
SHA-512:	210CEA365BDF109182AEA79BE8033D5C9009C10934C31E017C6E8DD8F8F427F96B029FA056B0B660982D3619FC411894F2226D71E0F2A5E2397920B6FD9ACF30
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass.Draw</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass.Graph-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	11957
Entropy (8bit):	4.767833770778552
Encrypted:	false
SSDEEP:	192:tZxDHDX/9NVmt13wapWowc+mPpBqnF2rq/VByi+Cle8HDX/9z8rwM9:tZxh2pfdp++nqFaOPh+IH8L9
MD5:	7E07825815C5626F741B4B1F1B7C62FC
SHA1:	56F8B58D8760AFAB151FF71AC482AA3964B6C7AE
SHA-256:	F1EA0CBEAA03B2D11F9FF9B9A9B3E4CE37FC6F17311F506740B050E113D52721
SHA-512:	CE2EC2579DDF44A89458E25D536B4220CA3C0C019C5DAE25CEDE271B1807E447C1F8CE9091B8E66B37EF416082F644C6F3E5EE24F5A890B4ED17546DD0CCA584
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass.Graph</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass.Line-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8093
Entropy (8bit):	4.832769080350538
Encrypted:	false
SSDEEP:	192:tPxDHDX/9NVI/1Sa75O8PQ8HDX/9z8rwM9:tPxhodR8L9
MD5:	310537A6AF31B4CACC2445D5B4C70B6A
SHA1:	9623C74FD8EBF4B5678EE9DC234CD527718CD746
SHA-256:	B4EF506D0CCEC97E16EF2E9AD46E9D7662DA76D6C2CC49C554304F153551BDCE
SHA-512:	5B0BA62F2FD02F55F10F3C622E791E359180C1A73FF8559E7DB96B453C8EC59889B46A3022D89511520802CB46DD3ADA42370A6E5940B802139389AE74D430DB
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass.Line</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass.Vertex-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	29027
Entropy (8bit):	4.675590282397895
Encrypted:	false
SSDEEP:	192:tHxDHDX/9NVUT1+ar51a7qXhZ0iiqpvvUmH124FyPAuai2oH+0KEVM8HDX/9z8r9:tHxh0Ny8L9
MD5:	FBD349A00F73DC9AAB8D96C447E02FC4
SHA1:	48E8CC07E867FC05441B3BC5A20716E06813E6EE
SHA-256:	72FDCDAF56F5F398D4FF1448DC2ACA3CC0BF04846C1A17565BAFDA2B883681F6
SHA-512:	4872AC82844A67CF89395749CA8E8E680A7F3387F543C627F866E959DF02C9B990A76A3F44C62813930C826CAC0CFCA674F7C6B5434A972C4A77D9B520035BFC
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass.Vertex</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.graphclass.vcgNode-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	14441
Entropy (8bit):	4.7455433758963
Encrypted:	false
SSDEEP:	192:txxDHDX/9NVyh10VauAj8VmaLcLQYYb7wIR8HDX/9z8rwM9:txxh6L8Vmz8L9
MD5:	874357D69F4EC9A0782EB4EDB43A0478
SHA1:	4CC9919B604057D9DF54A0B0024FFBDEB7815818
SHA-256:	B8CE122F5D732921500D83A03F01759D1F157174F143857F17D01B8DBB9B9754
SHA-512:	DA40E243487AC19568C0ECE858312B1631ADE6845DD2C03B731F64866E3FD97D68892BA9A07B11ECEB1B9C24410BD307899A189C74D4317556E1A6D19FA47141
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.graphclass.vcgNode</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	32969
Entropy (8bit):	5.2451330347667104
Encrypted:	false
SSDEEP:	192:t3xDHDX/9NV9JB1KSjK/qPnBYDmFWGZZIXrpliSrF3uBxAlZ+du0GUAM50rpzQc6:t3xhBISKiPaDmFWsZG53uklZL+Lju8L9
MD5:	07992AED67055533C1126E1226FA80C3
SHA1:	0E1F21E897325AC9AEBA5FA4FF7694732B0C4961
SHA-256:	E984B9A3D6D11783AFAE6141F915BC050035CCE9274F58741C95BA0BBCDB6429
SHA-512:	9218597D1A850BDDD9D35D25B99357FC4A006985C80F1E3F367B6CDF05989A379A575CD0EC6A5FD1D9A34290741446424B545852D17C2613A2E2A28F43BE17C1
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	769596
Entropy (8bit):	4.940111067861848
Encrypted:	false
SSDEEP:	12288:WTdPrcOwaXxci4Q6upZbpr4sG0v0NZBmRusjwv28VSw5q10Updf5pvmm2a1wF2l0:WTdPrcOwaXxci4Q6upZbpr4sG0v0NZBd
MD5:	702C6A6C8F65FA6F4C4ABFA57BC0C5A9
SHA1:	78A88FEDC877AA8273602912D6C48DCD9CD262EE
SHA-256:	E2446A36929A1F8717EC1D69D30CECCC4F9D8783D88222FBAA4625B7C8129FE8
SHA-512:	07C9E6C96E5C8CA54B38A51B3C6D3AD813DB7D05B122549EB12CC779598D685221F2FC94CBA9B60AEE08B5ADBB51D097F4604F12028FC1272707EAB0F58DCD21
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib.Debugger-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	337192
Entropy (8bit):	4.799238668235835
Encrypted:	false
SSDEEP:	3072:Wc1GWcgNz98hnVrCd0EB4betcla9Htl5TJLZ4frC9p0bURr7bLEX99:WJgRoVIYlOtlDLWrETO99
MD5:	CD5F6D779554EB8130CBBB085402D19D
SHA1:	E6FE6A7AAD501476D47487219D9FBAD703417D36
SHA-256:	2B956AB1742671EFCF079372C97F0667C749E960869B40E13D5AFA2938077CCD
SHA-512:	AA736474DDF927971750C9E3431695B76F003E9FF52A0C46D5F04EF2E2CD6BDEE8E63B285144B6535F8AC801D6B7EED5E45D9ED82890322E044EC16F542F390F
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib.Debugger</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib.DictTypes-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	10789
Entropy (8bit):	4.878220594044714
Encrypted:	false
SSDEEP:	192:tAxDHDX/9NVGwS1k1aC2e2zEtYFOUhHDX/9z8rwM9:tAxhQl0m8L9
MD5:	119B721308371ADC99E924AEF85732CE
SHA1:	377DE11E860E70FAD6B1426A511242D32717A6C3
SHA-256:	0CD7A6B9E432A73A97CE8BC48E4990C65EE37E72709949876B5A6A64796FA949
SHA-512:	A2237840E22271E57826BA3700D050AE3B90A57CED3F849ECEE06BC5A166964F7196B42D0A3D05B8D38AE50764DB13C2DC7E3356A49EA45299E59A9E179CF1CD
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib.DictTypes</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib.HookOutput-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6600
Entropy (8bit):	4.898024250127717
Encrypted:	false
SSDEEP:	192:tzxDHDX/9NVG8gH1QPaMoD8HDX/9z8rwM9:tzxhkU8L9
MD5:	77E7E8E5951210B02953BDCC1244AC1F
SHA1:	60BB7A6EFE83D781557E3A3A0018EC513CEA7967
SHA-256:	C8839841CBACFE2D4D06ECE402448338A91AA04B7DD57D1B963B157D659B04D8
SHA-512:	46378AB0AC855DECA8930106055ACA68119765ADF177767A25BB5B08724CED1A3A353A22DAFD016D5C32DCBB1AC534F5B533056A81448198D70D81708C417446
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib.HookOutput</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib.StderrToLog-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	4.956265884287318
Encrypted:	false
SSDEEP:	192:tcxDHDX/9NVGAW19W1artYchHDX/9z8rwM9:tcxhgn8L9
MD5:	FF9969FE8FD10C88AEF87DEEFFFDCE04
SHA1:	9508D5208C9C99370A655F3E4370F003510AEE23
SHA-256:	516FD2B3D608128C4D27CAC12C07AEBBF8B71FD34444434AFD86E940B13EB9FA
SHA-512:	55DFBAD8ACAB490F33C0E86F0E4092D88801A699B66913E0763FE9265C1DBEC3329C973A70FC6337ACE725CFC7137F24BE55655F419F20ED4321082C1C42C880
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib.StderrToLog</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immlib.StdoutToLog-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	4.9590567428660846
Encrypted:	false
SSDEEP:	192:tFxDHDX/9NVG2mt19Z1aRtY/hHDX/9z8rwM9:tFxhuL8L9
MD5:	1855D162120B6A5EAECAF56539488FCA
SHA1:	487568681321C1570147EAAF0E45C09C81FEAF5B
SHA-256:	5E8F7384552BB40B5B72FF0B6FF686F04639887AC51D9091B79419ADE8AB4EB9
SHA-512:	46100FB555FF8BBBE5959FF8889849BF7CE94939217F87EE3B897EFB8B7EF39F7AF09B6D6E962D510FC984E90309752C93B2541B5B08E02E83D0862D311624C5
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immlib.StdoutToLog</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immutils-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	68496
Entropy (8bit):	4.627312483642167
Encrypted:	false
SSDEEP:	192:tiQxDHDX/9NVZz1udAcyUyI5++y+2Bt+uHzZ1pGeGw48Sv+MNWxBVfRll+Bfq1Wf:tiQxhd4dAc7/vr1qOZwtZ4rm8L9
MD5:	6A0298E876FCBBAFE128F491BC91536E
SHA1:	0B6904FF532CC9B4B4E3C13A6C3D28499DF076A8
SHA-256:	CFC519C30EE8F97E955BF69F3B07B46F798CEB824EBE56E19D5BC01C3952A426
SHA-512:	475AB481AA373096C3FD97DC61563285F4482E3CF907B8EA1E151B4E03E4509A04A4D580F9C946CBAAE41E27C8F5FC64D12FC7C26252BB36B44217D4CAEDE65F
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immutils</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immutils-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	259202
Entropy (8bit):	4.947865985221676
Encrypted:	false
SSDEEP:	768:0QxqvZxBt5Kiew1zOZCosxjyjNSW5Dh46GCVIW5ctmvpTgaoOVxTG9Uw0HpGwPEq:0/NtA4ssjyRSW5Dh46GcIW5ctIpDrrac
MD5:	B5A3E1459C007C425B152A1D640F9279
SHA1:	8B93B95D0C328D10E632BF8759BBF68E6CDC65B1
SHA-256:	3C55F73D0C04E167B9A0C02CE9F883AF0ED1970FEDD29B1F519A54DCE2F9C48E
SHA-512:	5A0662E780292C8F295887690218046F164FD375CC61E0615AD3B834EAB395E34595199A87A98C232FB6F0522A9B947AB7FBF02D99B5DA6F4394E2EA21CC83AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immutils</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immutils.antifloatdict-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	15396
Entropy (8bit):	4.854568059085868
Encrypted:	false
SSDEEP:	192:taoxDHDX/9NVOLbgY1KAi11ZXFAXdXXOqXlMyRVO0xtYhPlpBedXchHDX/9z8rwq:taoxhOLUY0AixFMdHOWlMyRVwPsRu8L9
MD5:	8AAD68BE7FDA38722076453BBCECEA07
SHA1:	2B992AC60D54609891FBAC7038305C831521D009
SHA-256:	DE778CF319A06D96DBEC64BBBD6C04186B40AEBE5E3E128A0E05E4966375937F
SHA-512:	733D19FF13E04B9274F7FF5E6D7E0217A6754DDEBEE1B23E33579053E4765144BEC1AB1FC0DF3A9875E2D66BFBB4C56BF9114F8854E4C49A1778728D96727013
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immutils.antifloatdict</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immvcglib-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	31959
Entropy (8bit):	4.79769335146733
Encrypted:	false
SSDEEP:	384:tVxhbIVcXgQMvzRYUTiRdjVXwJJAvhraJvk3j98L9:/x2+wEISx8x
MD5:	DC8159C420AA27B7F29CC0FCF4BE7C58
SHA1:	70F152D07A00501215B8705D8618FD9A637FD5C9
SHA-256:	693E35BDA4EAB37583888677C9EABB42E6ED4750676D8A03B3DB409BBFE62E87
SHA-512:	0D7784F67424D96D44F84AB6E04302B13797F2862B26A5CF92105292119FC7C9EE7463B8937B447260CECBE88A533864F387125768DF8C7B8091C5484FB19C3D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immvcglib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immvcglib-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	452401
Entropy (8bit):	4.834747887287394
Encrypted:	false
SSDEEP:	6144:EoNAVY7HamMno7FxisjERMNg6G265RFIik1beR8arTV304:LNAVdxno7hon
MD5:	505A7067BA5FF028566DF4E6BA1CCA36
SHA1:	E0E016BAE5C87FBA67DE02FD7CC337508803FD0C
SHA-256:	547A2B91C30353B80CB9E04FBF48C34AAF1DD0DAA633F6E8B9CCAF5D38CB1091
SHA-512:	1456763583E6CF31038594A2416D2640717A8E8E4D1FFA7C4B9484D7E53D9B4E7912D6BC819CD4AA2BF2CF05B2D29683EAAEAD66D9FEEB70897CB933F137E8A2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immvcglib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immvcglib.ParseVCGList-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9031
Entropy (8bit):	4.885124268405242
Encrypted:	false
SSDEEP:	192:t6xDHDX/9NVFk1AaacNtSt7whHDX/9z8rwM9:t6xhun8L9
MD5:	A325093FC591090F20524F74413FAE93
SHA1:	DEB661B0E7D198EC8D6843C7BCD063C5395A1F49
SHA-256:	FE101948937B717D35392ADEA444D702F5C0254B0482BF5453F09E6A5DF45987
SHA-512:	B42A6C6CB72EBA4AE476B8F14F26F3804955278E212BB09AFACD5CD29A2AE100AAA0241182088DCBFE413C4BFDBCC515D58FC917B0417DB2FDF63E3419F42B45
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immvcglib.ParseVCGList</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.immvcglib.graphTree-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9690
Entropy (8bit):	4.839380842167425
Encrypted:	false
SSDEEP:	192:tbxDHDX/9NVm31caGwcu0ZuwC+FzTX8HDX/9z8rwM9:tbxhyIu4NFu8L9
MD5:	B284B6A7DCB429946353414D49C3FB7F
SHA1:	F5FF48545104D490745827897705AB83ADAE4706
SHA-256:	23C1E7334076301E401D930D62A5E3DFA5B7EF59F6031E7E4212A010C143B02C
SHA-512:	7065FCBF1EA6551DCA0D4D5D71414D3BC5909A9C9599A991824A985E1D67C3CE76C935DEE341A2EDB4B03E661193DB32666B8390C18BA3D0AF7656B9F18BEA53
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.immvcglib.graphTree</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.internals-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7791
Entropy (8bit):	4.887164776887259
Encrypted:	false
SSDEEP:	96:thxRxHhdFd3hdS3dq/hdf3d2CmoNJ73PfLUhoQf36wLh1BzQbH+M28yZFVPr8MuE:thxDHDX/9NVHL10Sb3nW8HDX/9z8rwM9
MD5:	521C00A485FBCA2CE09F3BF2D26BB790
SHA1:	370ABD0974DA969CA418B304187A500299161F30
SHA-256:	9CC38EF06EF48F78D65FB9EF062C9DF501CC37403BC447FC344483885612CABC
SHA-512:	AAC9187ACCB1FC181777B4F76E738A40B721775F92903DEC3681611728EC6D5E1ABF7E36A7C9B21C98BC6BB89F3573DE03C8CB9B2680C89C13EDA03AF07F3F17
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.internals</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.internals-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	15247
Entropy (8bit):	5.096411267224625
Encrypted:	false
SSDEEP:	192:thxDHDX/9NVH41s1+1HpDoJmcrFeMnhq9M1rCssYQksg3oZ/VxhHDX/9a8rwM9:thxhYrPWrrFrnzNVsYQHg4Z/W8L9
MD5:	F1D012CDECB6CA4B38E5D5A04AAE0E6D
SHA1:	342FE9EC5EE9CB8821A4C3DE1F97D868DC3D2055
SHA-256:	826220128930BE34A5E8FF72209A565003D99BE88A98B15572C9077B48AA6DAA
SHA-512:	CE369B800ED297CBAD495B42D28250ABAF53B20D8A3E90E3515344D05B9C857576DDBC3F5CC3BD9FEA9CA3F5A0839EF22030819CD5259DFFFF457F728EC19104
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.internals</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	32244
Entropy (8bit):	5.056114850209102
Encrypted:	false
SSDEEP:	192:t2xDHDX/9NVzgU1R+LBq9uqtGupxgthLVsufVuO+ueJzdniwJoKdDxTzyhHDX/9e:t2xhz/D+UcP2awYqb08L9
MD5:	1A8472BED90F60DC0AC71B2BB42D2ADA
SHA1:	7A176FE792A3750E97EBB6C09576AFD45D37B974
SHA-256:	8B9B66193CB871750E8D7B83CA379BDC9739019CA1888DE22773303068E94E8E
SHA-512:	A27256324DBE0D79A3024C8B4CD8BCAD56763DD6C6EEC8A24C8D1C97723CB042A1AF8C79EBB5CD28673C2D701B2FA6B5413ABC406872A9C56F5CB3E60E83D4D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	345318
Entropy (8bit):	5.0600163123320145
Encrypted:	false
SSDEEP:	1536:IBa5B6dfVbDsVIgvAZZ8upraqO/yrdgZcEke5vGe8q:tWfVXgvoZ8upraqIyrdge1e5vGeF
MD5:	F6B1147E52B8C94F61D0F3A20920AA34
SHA1:	7C2EACBEB527E6A3F21DE48BBB03E0CF43E16A42
SHA-256:	DBE188352DC2282BC03ACBD0781828881BCD53F870AFBD2A681B6563E90BDDA3
SHA-512:	EE8DDAE9696ED90242A627495F4FD79F0CDC9015A054E1129D9F9EDC5EFF24D5AACF80D711CE75A6FAC0BB195A41C7F307A84CC63347F138B924BD0393D75E71
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.BasicBlock-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	33960
Entropy (8bit):	4.824139127025934
Encrypted:	false
SSDEEP:	192:tFxDHDX/9NVrLp1xa1LSlxiQ+9Qwb7TvxOPA8o72PX/3/AtY5eRF0DPffDEU9F/s:tFxhrFKe8L9
MD5:	0E954D7C4E0A8582154286DCC9DF752D
SHA1:	E931ED457127995FAC53FB571A8B0BD294F757B9
SHA-256:	CF18BB71DE0BE6E295CE7C1D1D39F637D1841C52FE50E96B0EC3DB5E3CAB1FB5
SHA-512:	4E7733CB5E641EFA66098387FA9315211A80AE4F78B96499BD70C860FD433899690AA8C93D94854EE1E38360834CBAC8ADFA1F290D4647F1D1D9CE579F5614E2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.BasicBlock</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.Decode-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	25703
Entropy (8bit):	4.8209970989719375
Encrypted:	false
SSDEEP:	192:tsxDHDX/9NVrwS1oNAIzb6nueaU5QO89M30u8UYyowvT29CxtYC8UhbT7r+K1wP5:tsxhrZqb6nS2Gyowv/8L9
MD5:	A4C4A4F5EB49D2FFBF76F33337AFF2CB
SHA1:	7CADB72A39092E3D68EE1D1F99746832F8A00208
SHA-256:	2F11081787A3CB5FE0F380153581A777B3DD744F5EA01B11C533ABA6A52694DA
SHA-512:	1A98DB5AF7AC41088F60468B3135242820C6DD61D997C71AEE9BD99543CC76DE7412F8BF6C6B982425D2D4D046C2793E5652B51649AA4180F270C1728EDA6C6C
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.Decode</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.Function-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	20419
Entropy (8bit):	4.847156619291997
Encrypted:	false
SSDEEP:	192:tWxDHDX/9NVris10aaR36GzdKN8aWwS2tY7Otg3YdVERzpKwvMFHhHDX/9z8rwM9:tWxhrpedHaCkdV4VKPF8L9
MD5:	65CDAB23B6803FE205A7A76B3C242002
SHA1:	63D885CCA4A841A19496DBD1CA6E849CD4249DD5
SHA-256:	073EE04E7A20E986571ED90C19F1EB81A1EFDB7C1E7DD818DFA16EACF18FC43E
SHA-512:	677D41663F0760EBAA2F99CE1360E3D51BE54415EAB244F9D6E70900168E1A659C21AA2324DB6B36688C5E88D517177B88087C907D9CBEB1BC8472D1D7C2AE25
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.Function</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.JMCBasicBlock-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9934
Entropy (8bit):	5.0072735494144185
Encrypted:	false
SSDEEP:	192:tZxDHDX/9NVrJZ1U1aa6VOtYothHDX/9z8rwM9:tZxhrfMRR8L9
MD5:	6DC8C2C9358FE0AA0EA060EA633C2779
SHA1:	11704696DE6960AFB87F441265AFBFD8465626CC
SHA-256:	1B01E0A74D967F40A17446CDD10745995D2C9A1530743C3EA390F99E2A5A4A6F
SHA-512:	17F2E92A3695DD91B52C908732427EEFA0B3F67FA5C408FF058437F4490CEDF326B75C665F0E6A30E5FB0F35930D81ED69E7C61E54549E58AC2A34870455DA09
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.JMCBasicBlock</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.JMPBasicBlock-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9848
Entropy (8bit):	5.009140354812816
Encrypted:	false
SSDEEP:	192:tgxDHDX/9NVrmy1j1aYVOtYAhHDX/9z8rwM9:tgxhrBY8L9
MD5:	7BD1DE6C41B6B2EDA55B6A5495EA84F7
SHA1:	08427008E86A7C8AD5D0393EB91ED8BC33A010BF
SHA-256:	E6FFDEBD382FC2810A32093FFF1A827D27D8E71B870848697C0BA229EB1AFB3F
SHA-512:	BA89E44417FE0C411DEBD6B0C31E86FB77A4F777D3E54D186F604214B55470CD0FA5ABEF382347C6EE6FBF8991635DB10595B3E264541A3AF4BD40E2451A799B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.JMPBasicBlock</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.RETBasicBlock-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9878
Entropy (8bit):	5.0072350041429114
Encrypted:	false
SSDEEP:	192:t8xDHDX/9NVr6G1P1afVOtYVhHDX/9z8rwM9:t8xhr5u8L9
MD5:	91677EBF78765B3619B9B9E93BFAB44F
SHA1:	E717DD110B98482CAAAD0C9F247DDCA35C9041F3
SHA-256:	C3CB9E5365C0A850E2ABC34A4C696706A8839DCA23A3F6F816F3A5390B6B2AE3
SHA-512:	2B422A7EEB2ADD8032EEFDF6B8176C5BC7FB5DDAFFAAA1B7E4BD3529B57A5FFD17F36AC88F11B055DE06A90EB51A5062C6A3907AF88D18086B5431D0F7FA126A
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.RETBasicBlock</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.TraceArgs-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7696
Entropy (8bit):	4.871311341446529
Encrypted:	false
SSDEEP:	192:t0xDHDX/9NVrSa1Fa35uNSH8HDX/9z8rwM9:t0xhrZH8L9
MD5:	C79FC4C9796C7CD2CF1300168AEEA47D
SHA1:	EEB6B9CA99A857EBD196E899115957D2D69FFBA1
SHA-256:	AED5D6C9DD9C90840686ECF825681426A21E18792AB3117867A195FD7943BD96
SHA-512:	3556D9EE351101B94F8DA77FCFD23CC82E20CEF245EFDD44E21181CD5AF26EAF9097594F2A4B0EE1F858A1BEA7B8C4019FC3B94B49980ACFD5179532450A1BF5
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.TraceArgs</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.XREFBasicBlock-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9853
Entropy (8bit):	5.011689178581873
Encrypted:	false
SSDEEP:	192:t4xDHDX/9NVrLjoy171amKVOtYxhHDX/9z8rwM9:t4xhrLRK8L9
MD5:	7FC19769B6E0EE7F3E1DEF031C4A7767
SHA1:	E22F44B14F0D7C5DF65D3D718CF5B30DFAD1E2BC
SHA-256:	C4CAEF4F3B70FFC2996B017265CC2AEA1E6A83D7D35F4EDD1439033F4B283F22
SHA-512:	FC8EF56392B406339B7EC7917FA2A56845F7C428791B392A73CBFCAF989F8A4B6D7B1D81B833EC5A5AACE9F54CC8E5A4CD3C404D209111012E47F355C71A9D7B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.XREFBasicBlock</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Hel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libanalyze.opCode-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	36888
Entropy (8bit):	4.661648954862282
Encrypted:	false
SSDEEP:	192:tQrxDHDX/9NVrseJ1hatcp656EMm56Ah2M+07BQ9UMI0RC6VYfOxHJyljnCiERGz:tQrxhrLJFY6E7Pa8L9
MD5:	0C9624F78A26768267E089CB288ABBBF
SHA1:	5A537DE90C62623120334A5D07338449E82C0380
SHA-256:	EA0D7A6DD1D5C5D22E68B27FC1C6F238D360BD402CADA7C5A08EF297EE24FCDB
SHA-512:	3B0179B9AA87F287CC7D39D4F275F5E4C3BB59E1656163ACC72413901337792D01226836651D3EC7C0B2B31A1ADAE3FAE126F2A16852A76104182DBBCCFF41AF
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libanalyze.opCode</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	14076
Entropy (8bit):	4.931436476016086
Encrypted:	false
SSDEEP:	192:tcxDHDX/9NV0+1fpLLlONdfRRRRRRRkbhHDX/9z8rwM9:tcxh3nNO2z8L9
MD5:	046D3A058622B64A5198EE568AFB574F
SHA1:	5D624B449077218EB651DC9D35F55EDDAB444698
SHA-256:	16AA4BCAB456EE4C07733069D11F16F1AA94C15EC02B798720475D86DDADEBF7
SHA-512:	9A83938DA5B1B18B1E2FB5E15A680F20DAFD20B51C6CCFB4CA7CF6D4F3D48886D36F5ADE09FC08D6CD43971DFD6ACAC3DE124E6EC9430B4278C3C6C72F3FB8A0
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	147566
Entropy (8bit):	5.06052240024727
Encrypted:	false
SSDEEP:	768:qxgTCBrZx++l3IuSzVtkg/pvy3EAX1i8x:nWBX4XzVtkmY3EAX1r
MD5:	92B0BAB2B049A8CD4511BB8F7EF3904E
SHA1:	5FFA8A7039037EB4FEBC3489037F03F2E140232A
SHA-256:	7A10A40F830D6217D661D4440BC06A8A79768E43FB3C1BAD478AB8942E905CED
SHA-512:	7FF68DCCB47E02D1E97A8EA3C86D5FF9F5DEF051FE0122636AE0C3F49EFAEC241DA5C8F212D079E8AFD9609F3DD277F5D7D8AEDAABE1C9C262BB65EF564D8BE5
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype.Data-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	12175
Entropy (8bit):	4.854347532009217
Encrypted:	false
SSDEEP:	192:tIxDHDX/9NVUa16Y1au0HnUZdktZilqkkzRkshHDX/9z8rwM9:tIxhjHD7k9x8L9
MD5:	1DA0C581BF18CF43F2A9EC8E1D9075F6
SHA1:	E717F9539FFB8ECEF1D0E100151629F8674CD89F
SHA-256:	EF0C880211DB360326AD85F9F43DA800339DF788BC0AF8E5B8CF25E7F7215BFD
SHA-512:	3FD3ADAB8E6C04E7158E9C96AB978150A93D19AC6BD015D0AEC924C3250902262FD706BBF7256D3B30D8C9B34AA768E0E9E64AE717B4681568CF2107D0CFB72D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype.Data</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype.DataTypes-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	16516
Entropy (8bit):	4.844320626618117
Encrypted:	false
SSDEEP:	192:tTxDHDX/9NVHL1habhiWFUTBotAytYGySC4oDLtbvhHDX/9z8rwM9:tTxhrW69f8L9
MD5:	07C2DB3DD4F75073447E44CCCDDCF88A
SHA1:	554BE8A1C884A0B2F1E2247182A57C5FE4956DB7
SHA-256:	B4DC79922B64463680791B92F2EA89A126A1E1FCACF6503FC3985311BE78B2F6
SHA-512:	E47ECD18507706A8D7EBA35081BD93ECB04F6E572710556070ECFDFB4E1DD08566BE822722C6CF2851A36A417ED36257273E186FE95AD8DD44640F662163CC64
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype.DataTypes</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype.DoubleLinkedList-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9361
Entropy (8bit):	4.923091935156129
Encrypted:	false
SSDEEP:	192:tMxDHDX/9NVgC1LT1am1NtYwu+hHDX/9z8rwM9:tMxhThj8L9
MD5:	B94788724414784827997DD7A89A73E8
SHA1:	7ED38FE0FE3A84CBAD849ACC9ACE376544406354
SHA-256:	6FD48A54D09BC0E2C2F47DE91F9A647617CB79A47700A308B3DA55C1EEF615D1
SHA-512:	24BF4DF426FB97151B4C2BEDD72A71C336F616FAE771BE74A73FC173E309882CF0619AAE66255BF3C1B3FDC88328C97BA8795038AAF70E673AE86F06A0B069AD
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype.DoubleLinkedList</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype.Pointer-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	12553
Entropy (8bit):	4.842712865060327
Encrypted:	false
SSDEEP:	192:tLxDHDX/9NVX71QJ1a6jtZhmZqH8NtY69+hHDX/9z8rwM9:tLxhriwy8L9
MD5:	99DAB55A4F8A1CDE7C6BB39FC4538587
SHA1:	DF0EC0E7F6A896270A805020CDE84CE8BEB32844
SHA-256:	70D732C614F2CCCF93358335BED988CB832620386636CEC1F6177072410CD9DF
SHA-512:	9080F455E5444D04BEEEDFC9A27381A5BC36EE8C79709B6535B71E3C3BF10976C0314DFB1B0502AC0050F9685D5F664ACDA0EE39E6AC133CF54C235EF64383C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype.Pointer</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype.String-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9217
Entropy (8bit):	4.910015131361214
Encrypted:	false
SSDEEP:	192:tRxDHDX/9NVPN19O1aBhNtYY1+hHDX/9z8rwM9:tRxhFRE8L9
MD5:	0853E8CD5D2F21222CA611A29466C2DA
SHA1:	4FA3C67DCA8F9FFDF160C7E4277BE8EA0ADA904F
SHA-256:	C9B475A66E06568EBA0828DAE5BE20AB751A246F716E8761E97A3AC51F3F0776
SHA-512:	62F8F8D556DA7A14BDB2E031A74090265848DD00EF7920738775D2FEDF1F2E24F3D2DD1D64BE6EFEFBA13D2A290D72E5F23DDD4A0C4162026DE9DB68AD1AE706
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype.String</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libdatatype.Unicode-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9231
Entropy (8bit):	4.912658698429165
Encrypted:	false
SSDEEP:	192:thxDHDX/9NVVd11Jy1aykCiNtYaIOQs+hHDX/9z8rwM9:thxhrTCXiNuP8L9
MD5:	0DEB92327F790F6A7597D73A93AE440B
SHA1:	16F156667F9EC5ABD6609B66AC433286FCFBAD6E
SHA-256:	70D3C535AC3A7BAE665DDA1803957D75A4FFD053F52D91E19C612DC37A734CCF
SHA-512:	78D36D6DF7180FA515C33ACE72EBDB30A75782AEB925D0450B5824B5D018110CAEE2580FBCD993ACAA1FC758AAB5EBEBADD5A9A3AB29432DFE86F3E885A5F56E
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libdatatype.Unicode</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	11871
Entropy (8bit):	5.182500672944486
Encrypted:	false
SSDEEP:	192:tqxDHDX/9NVow1hQdWGlHvYULakdk+dUgOvDvdmV/bdXbhHDX/9z8rwM9:tqxh7zQdYJALz8L9
MD5:	0508FBA87B763FE079009015BF305A59
SHA1:	98093D962D724E9D56366223B84D3DE7747EA189
SHA-256:	069B9698DB6AC46E0B9D03F155534975DA29A2BEFF328668FCB400E46A7A7A47
SHA-512:	B18BBEBABC0413E6FF57F63ADB106B3737DFFD1ED7C6172038A7CD2370FF622153F4F4F1D8C6BBB44050F908130061A7F719B5D81F5B665B9F53DEF71CE3F9DB
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	135925
Entropy (8bit):	5.160046437516147
Encrypted:	false
SSDEEP:	384:tqxhoLPkclmOKU7jI+GQO05l1Q8V9qemdZefVgORimQ9h/12EuoZYDE6ekGxzEK/:sxY5QZxYCVY2HDvfiKIxlzFx6+7gI8x
MD5:	B08451D99B7D89D89D4F856647DDE29B
SHA1:	7AD715255774FF4CAE44235CEE2483EF1755BC75
SHA-256:	4266416F2B396AE60ED0FCDCE53A9BDE6209172094B6D2CF813F0A5D4E5BCCD8
SHA-512:	5E92421975B08B7B7F0F33A06EDE9612497798D2EF348F39DE3C3A6D8966582A79BFC88C0B0CB8578A89BAF83CD615A82CECB1964BC122C75CDBC215AAFC981B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.CreateProcessEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9677
Entropy (8bit):	4.946618032492666
Encrypted:	false
SSDEEP:	192:tNxDHDX/9NV3J1c1aNLFGGqybtYgEhHDX/9z8rwM9:tNxh54G+8L9
MD5:	F642A631FD2B00EABDFA26203C17E71B
SHA1:	C7161A01A7A5096EF79F1930101925DFFFFB29C6
SHA-256:	7AE2BE830D6BFB3831ACCE468BA59DDB1064ACDAC2085619E5F50FC266B7ECF8
SHA-512:	8F7FE0A98DB8AE31F00C4ED2B6288436116F70BDE1EE803A0FBC63BEA22CFCA37185D1F3844C590221575B2527835C4FE374FAAC3BEFF31D7EFDA658864A5C4A
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.CreateProcessEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">H

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.CreateThreadEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9665
Entropy (8bit):	4.946822489848514
Encrypted:	false
SSDEEP:	192:tUxDHDX/9NVya1t1a9KcGGqybtYPRhHDX/9z8rwM9:tUxhBtGo8L9
MD5:	51336BF6C94B6556FFE2C06B4862D34D
SHA1:	2F15F4BD9A4F53F4D660F94681376EAE6838C931
SHA-256:	407AFA8C5D241BFD050E0AD539BC62E6D80323B4AB014AA8C9C5CF2571B1EDC1
SHA-512:	BCB2A3ADB6DBD3781F22C30CB5E6FB407E581224AEAE73F1A73BA15C15005C8E8EDB2F3E43E09D9522486E48CDC7DC3A0072BCA0E4FDAEE49E0A4E8F078D708C
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.CreateThreadEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">He

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.Event-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	11783
Entropy (8bit):	4.781997391324049
Encrypted:	false
SSDEEP:	192:tAxDHDX/9NV+C1Fa0M7k2xAqbZMMrZc8ct8HDX/9z8rwM9:tAxhJmxAQ8L9
MD5:	FF35DB80580005CF3DE4A7545D05B432
SHA1:	ECF2E02FD484C3B0844A2456F4452205E05E8128
SHA-256:	0C6E948F2FDF2A237B809C1254AC76CB9DE5A1AF3E8CF4D417DD6E9D7BFB7A36
SHA-512:	0B39EC519C079A0907695803C64B8234EF9E49DA265599C5C9218AB3A6FBFD210249AB6BF443D769C15B96E65D2BF850177583D72FB92231BEB0BFB2615618D9
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.Event</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.ExceptionEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9629
Entropy (8bit):	4.948396437716235
Encrypted:	false
SSDEEP:	192:tRxDHDX/9NV/t1c1aBbVGGqybtYQ0hHDX/9z8rwM9:tRxh1MGC8L9
MD5:	07F067B959E7F09DF44ADCF99F644A7A
SHA1:	6B2482597EBF47826EC9F624B9E832EB55481FF8
SHA-256:	1623C21175D861692D4E018C5EE2172FCD9BE383A44710A0C666F1433405764C
SHA-512:	E59A5670FFFD385E9116966EBA31ACCBBC0001676E2229AEF3D2B08C0D1B1C9D09F60DA53E9B95B6A81DFC1B95D1F9D841AF812EC5A373C70EB944539C94A224
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.ExceptionEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help<

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.ExceptionRecord-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	20716
Entropy (8bit):	4.755995234225663
Encrypted:	false
SSDEEP:	192:tMxDHDX/9NVOK1BavWibUAy10bk6t8b1rremi5N4cim8HDX/9z8rwM9:tMxhBKUH8L9
MD5:	A9887BA0562EAF7FA5FA42AC44A02F56
SHA1:	69AE6531D1501F159680767A31CE5B9DBFEF87BD
SHA-256:	38AA40F578A8F05CFF901E30488EFBDCB01FDBF17403640B465CBB05D968E7BA
SHA-512:	6E2B03AB21DFA021ACD4A8B05CA20B2225655C2147E6047446D300CF93385BBA5807E497A911F90890D3DDF8A39319C369CD4015635FBE3AF030D9D44791B1AD
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.ExceptionRecord</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.ExitProcessEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9653
Entropy (8bit):	4.951816603068451
Encrypted:	false
SSDEEP:	192:t8GxDHDX/9NVlNOC1ZCB/1afSKfvjlGGqybtYTwPghHDX/9z8rwM9:t8GxhlcCfCBCSI7MGAGK8L9
MD5:	645260939FBC9685749DBA420DC2A60C
SHA1:	FD092543F59A6C8AE84D27996B4B7D5BAE83EA47
SHA-256:	42E75BC95F27E3C6E53C6CD285E6AC2F7B1AFD6183594B78B03A85396FBDBA49
SHA-512:	907E381FE84E1A58C543CAFAC8DC3DBC339C768E3E3A272B7F4A48AC7B66418C859B37563769FB84A1C3D9E21A6B0BED4CB5CFEFC9D4205747DF2C2C6BFB662B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.ExitProcessEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Hel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.ExitThreadEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9641
Entropy (8bit):	4.952077305611258
Encrypted:	false
SSDEEP:	192:tExDHDX/9NV26111a9W4GGqybtYDFhHDX/9z8rwM9:tExhB5GQ8L9
MD5:	12B4705F05040A8476D0B0DA15FF116D
SHA1:	E58478607CE30B65E68A2CEB2D2BD1C751158B06
SHA-256:	BACCBBBCD31F1DA422296ED1D91B7352EA4F9865437FC2762C19B814306DC652
SHA-512:	073607A0A909220708BC78828B4F213CE9AAE2FF0511B249955E747DEE27096F2D457CB4681ABBD284C3F90B35BA0DD2AE7F31DAD69782AB394588AB53F8340B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.ExitThreadEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.LoadDLLEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9605
Entropy (8bit):	4.956117407306635
Encrypted:	false
SSDEEP:	192:tuxDHDX/9NVGk1v1aJqUGGqybtYXRhHDX/9z8rwM9:tuxhRhGE8L9
MD5:	DF9B213ADE59894B607EEFAB7580D107
SHA1:	E0D583C42BCF80D2780FCEA3AD367EB2E3230DE5
SHA-256:	37F79BBA8DD8E9DCE8564CD1AE955C6D3973FF68D89D27B2000274884A4EEA46
SHA-512:	72EA800AF213C238EB58D253CFE37943D74CEA54991F3053F0FA3BC4E715211163C0BE65A601442A22AAE7BBB3E35DFD43A205ABC95082EBEBCDBD780C81AC20
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.LoadDLLEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.OutputDebugEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9653
Entropy (8bit):	4.958720329347462
Encrypted:	false
SSDEEP:	192:tixDHDX/9NV+o1b1aJSEGGqybtYH5hHDX/9z8rwM9:tixh55GE8L9
MD5:	0734E83DCBEA501FFDC3187EB6ADFA16
SHA1:	D05CA119EE8F5E65DB822D2D7100E194BE851A23
SHA-256:	B8CE82DA43EB66CBDDF2993FD170E36CCD543E871C7AD9ED263182F69553C37B
SHA-512:	B050DB0722364A606D8ECD2849335AADCD853294790D42F4BC6AFD44C75C9825233D8ACE0EB7DECFE0708114F662ED462D5723D3F9203E6585762B3F6F82DFE1
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.OutputDebugEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Hel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.RIPEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9557
Entropy (8bit):	4.9561134699175415
Encrypted:	false
SSDEEP:	192:tDxDHDX/9NV971r+1apn1CQGGqybtYS7GxhHDX/9z8rwM9:tDxhhKG+8L9
MD5:	CD1E0155711B4E637C3BD9E1ABFE059D
SHA1:	1D4837166781A3B40D8DD66C9D330E083D628E75
SHA-256:	C598BBC96D0707B9DFA7E85D4C40F3A37510A889076BB188C6CF4C3AC469FA34
SHA-512:	52AEBF296DAD3C901E3F21046CB9DD4C38C0447B59E07A9BC2B055D5EADCD23D568390D6CC1167E1DF095762CEE12E7180DEC24468304ECB5A52B3B9A039626C
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.RIPEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libevent.UnloadDLLEvent-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	9629
Entropy (8bit):	4.958990405433307
Encrypted:	false
SSDEEP:	192:tFxDHDX/9NVDN1I1apT1GGqybtYwMhHDX/9z8rwM9:tFxh5UGG8L9
MD5:	96CDAA85E05A898EEA530D01D5B3EEE9
SHA1:	BB783EFE4BE834213CFA364911F673A5B86723BE
SHA-256:	B6FBAEE321C777331C0490FB8D8DF70C5B6237E838FFEF253D47BDC73EF11E28
SHA-512:	96F1BE04BC92169DB659BC3E4D04E3CAE2CA3BE6723DE88D0B8BD2A57C914936DC5B89CA07D15045824EA3ED44774ABC00FBFF7549C226080AFC0FACDA3B7128
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libevent.UnloadDLLEvent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help<

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	12313
Entropy (8bit):	4.932974739850855
Encrypted:	false
SSDEEP:	192:tGxDHDX/9NVGw1gRBKRmP8HDX/9z8rwM9:tGxhDuRBc8L9
MD5:	64147691CD2A691F08E4B551358A24F3
SHA1:	7AC3FE75C59E4D09E0774BFC680A8E767F9F98D0
SHA-256:	13C41217762DB869BD3A86884E9EE209AE44E1CE30BF0620DEAC1A6B3F41EFD8
SHA-512:	372EE39D6D56748939118BEFBCA4048CD6C7CD8A4AE6A1AB120DC32E008C5DE75F002FA4CCBA598807C60A3623C37E85A8D8AB833FAE7FD88AA1D4BE62C8C1E6
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	434322
Entropy (8bit):	4.8897209280974865
Encrypted:	false
SSDEEP:	6144:MEtIn0cDkFt5Ilh1BwoQV821wqcLtWrfCOIP:MEt00qkFt5sh1BtQK21wqcLtWrf5IP
MD5:	7939A8EEB5358D898C805B9E663D5F76
SHA1:	E144F295E9ABD0AE47F3809D1FB740A9F57FCC60
SHA-256:	039FAD6E13F59CD295E4B23168A6B0AB29EA03C4EA1424277990015D59F14EF2
SHA-512:	DCE64BF333DBAD24724CB9087A3AC893DB5497D176AD43D2FAF3482532A6A39E561876B928D288A8EA6454DA871F090F9789331C268F52BC9CBE15C51E9EDE46
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.Blocks-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6713
Entropy (8bit):	4.886558085384955
Encrypted:	false
SSDEEP:	96:tgxRxHhdFd3hdS3dq/hdf3d2CmoNJ7ubPfeUhoO02uIwTdBzQbH5dM/wby8jMHbA:tgxDHDX/9NVie1faLEsf8HDX/9z8rwM9
MD5:	F0E1D424CBF251A99E017C38C4363A10
SHA1:	90F2104207D48C52EFF631518C4D3D7EDEC2F374
SHA-256:	A7C23DC1B99B059266B4A574122ED07816C61BA58D884A2568C0F8DF117F28A5
SHA-512:	1EFF51B74745515080F993966B1736B4E516F9C526EAA8C58447CDC1EF1305E6794E1108DD2385EF546B699A8A9BFF5089E057060FD4F58680CC6382BC5069C0
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.Blocks</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.Bucket-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	4.936385614497608
Encrypted:	false
SSDEEP:	96:tUxRxHhdFd3hdS3dq/hdf3d2CmoNJ7uXPf6Uho1OuIwTdBzQbH5dMXkbHKo8HhdY:tUxDHDX/9NVy61Xa78HDX/9z8rwM9
MD5:	8C5172ABBF7F28F0F833C4F8C5F977F6
SHA1:	680A4CBDE8C56A61B9F83FC5BAF7C553FDBDFBB6
SHA-256:	A2170AFBF4C01D9361EBBE635C7A5A39E4538922B3415462A260CB9FC367EDE7
SHA-512:	1531A8DEE61154A571AC94F4A0AD0C5FC74B0E6DFDAA284EE840CB17FA765B95C0B46CFD68045D9B3BF63C54357E9F893736E5584D2FB894FECB0E0A63EAE7E3
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.Bucket</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.HeapBucketRunInfo-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5378
Entropy (8bit):	4.953924646808095
Encrypted:	false
SSDEEP:	96:t1xRxHhdFd3hdS3dq/hdf3d2CmoNJ7uEPf1UhoqBuIwTdBzQbH5dMXkbRo8HhdFK:t1xDHDX/9NVf11Hay8HDX/9z8rwM9
MD5:	21D2C49F89E275BB184D4AB87A96397F
SHA1:	A922153A09DF0DDD7F991B0DCB77DF704CFB0977
SHA-256:	FB7ECB8D6835AD712DDE25152DE6F988FD6A94183EBD69771B77526AD2770480
SHA-512:	36FDA4364184E1FDB4D0BEE4298512BAEB3D753A73A80620ABBA17E8EBFCC33A39480F077A57EFEEB3835045BD3292F60E0D5161D5B9A7FDD1D7FE6FB1E3B627
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.HeapBucketRunInfo</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Hel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.HeapCache-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5330
Entropy (8bit):	4.933747305726136
Encrypted:	false
SSDEEP:	96:twxRxHhdFd3hdS3dq/hdf3d2CmoNJ7uLPf2UhoHkuIwTdBzQbH5dM/wbco8HhdFK:twxDHDX/9NVk21zap8HDX/9z8rwM9
MD5:	C266B0947EADC352D0446F2C85B3B346
SHA1:	8878D3D210AFE0102BD8083F0CE1C588A153C780
SHA-256:	EBFB2AE5CE0341C8E1848270F2C1F493CA0A0AE061191D42F0C2EEEEEA76B25B
SHA-512:	EB7462E1C9A845B33C3D5693B043D13A9A4CAEBB5EE8472115A32E5D45DFC247522F688B85A49E644E674BE84780FB4BC542587E5DACF1958073A3CF63E7CF53
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.HeapCache</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.LFHeap-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	4.940106101291543
Encrypted:	false
SSDEEP:	96:texRxHhdFd3hdS3dq/hdf3d2CmoNJ7uZPfYUhofMJuIwTdBzQbH5dM/wbM5o8Hhy:texDHDX/9NVcY1Uwag28HDX/9z8rwM9
MD5:	16914FF27034EBD9EF412E25F65DC9A3
SHA1:	87D038A3B26F1AD5DC2843D3EC7F446419B2463A
SHA-256:	C755757431E92CA16D54221609D2DE4CF337D9DF24172AED43A889E578D3B6A3
SHA-512:	579F782059D4E145FD789E0BB135EC408F2ACE8907D4ED5E8A3BBDA11EEF0ED8EEFEC413E24016ED136E0B5F9820C6D388557154B16E598E135C518F73C1DEDC
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.LFHeap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.LocalData-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5330
Entropy (8bit):	4.933050420636271
Encrypted:	false
SSDEEP:	96:tjxRxHhdFd3hdS3dq/hdf3d2CmoNJ7uqPf3Uho8PuIwTdBzQbH5dM/wbbo8HhdFK:tjxDHDX/9NVZ31zaQ8HDX/9z8rwM9
MD5:	0B2E1F8692BB9665CEE9760158BF682F
SHA1:	B8C182517258034600F9F1EFD316EC27872AEF1A
SHA-256:	02F2CA396532D49739A4426413BED4FD2BE52C6DBEE509925D4511E3ABBEF1E9
SHA-512:	807CAB53EA19DA1D29A1EB608AB2AF7BBECC97F2DCB556C6B74AC533064D74235EB322409048263AA5094518DF67D0EA6DD6F89570D6AE9213EC6559A8FEAED5
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.LocalData</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.LocalSegmentInfo-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6490
Entropy (8bit):	4.925968126946219
Encrypted:	false
SSDEEP:	96:tuxRxHhdFd3hdS3dq/hdf3d2CmoNJ7uJPf8Uhoz4uIwTdBzQbH5dM/Xpbg8IQMkZ:tuxDHDX/9NVc81jayH8HDX/9z8rwM9
MD5:	661630DA7AE382C7B7599F514D197D54
SHA1:	C7C1BA5C3FD3CC6BED6E6EDFA1E3B232995C4FD2
SHA-256:	664DF02F773C2EC368FD6EB570017821DC4E1EB0695AD3C637725C55643FE4DA
SHA-512:	CD7D8D0351F298D83B30543511CB8B8B31ADCA175C026EFD1F10E52ECF173BC41D92DC9DBA3F668BFB0834F773E5BFB005F42CBB8E3609D9581113EAE687F043
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.LocalSegmentInfo</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.PHeap-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	19148
Entropy (8bit):	4.843368539936527
Encrypted:	false
SSDEEP:	192:tfuxDHDX/9NVyxa1m1rhgotLcpc6c0c1icIeQtzjJNreizSMfO2gXmhHDX/9z8r9:tfuxhKaZyDp1LfBi2iuXc8L9
MD5:	057187F711D73F09FB5FF1862455656F
SHA1:	D3396591166772A18832E2C9AE0709AF804489EF
SHA-256:	09873EEB99CAF5F946477996D41CDF9BC696BD9E2F0432F3B9004AD2033D4944
SHA-512:	5BE04C64EA742DBE3BEBD2BB65E18E7B815E1479888E73EF697F482A7E7C23253BB5EB23FDB4E272BC3E0D36485491E7FC5E915CB3A00E3E4DEBC3B3D51A465B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.PHeap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.PHeapLookaside-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	13721
Entropy (8bit):	4.819086491021691
Encrypted:	false
SSDEEP:	192:tfKUxDHDX/9NV9vxK01XK5NA/Zzb6nueacKEhNyc0vT29CxtYHFhHDX/9z8rwM9:tf1xhb3zb6nVJzyc0vy8L9
MD5:	1D7CB360FD56119443EFF52F60A0B29A
SHA1:	FCAAB36A8EC8B534CE08FD6F17D4AE6BDAED49D4
SHA-256:	64D832B764E8ACB34273D61117D73A4A12572E3A1BF308824F2435310DD15C55
SHA-512:	83F56B5D246B02A0C141D8A171137634F3643C9F7877FBE893DE1092E52137298C0426A21B9ECA4A1A1D586FEC10FBA858DE428E1517B2953EF90DC9F24DD6CB
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.PHeapLookaside</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.PLook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	11138
Entropy (8bit):	4.838937739498225
Encrypted:	false
SSDEEP:	192:t3xDHDX/9NVVH1/amZpYHBTtu4KDKhHDX/9z8rwM9:t3xhta8L9
MD5:	06929F9E629D50C68B263D03670A5935
SHA1:	40C1D409DD055676834790BD240BBE6A9C8E29A9
SHA-256:	803CE618B9452857E4E99A3452F586CBD53ADEEF2B0C740533C9414BC8B310EF
SHA-512:	1A49125E754DAC60211E1683BC3D1320C95C205CC168C2E6CEB534DC59150DCDA18DF08342BF0842E654A3B47C7009D785A0024B1326FF189C39C599A7210CA2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.PLook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.SearchHeap-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8668
Entropy (8bit):	4.934454439991597
Encrypted:	false
SSDEEP:	192:tIxDHDX/9NVWe1Xa5tYsFshHDX/9z8rwM9:tIxhJw+8L9
MD5:	56B93328207245E00587AA282DFFF511
SHA1:	B89E3435F4C88BD922162BE7BCC2271F3004D61C
SHA-256:	7DDA49F9E2EFD65A4F226D852BFC7EBD2F02BB6BEF9B03326E68A076E17DC4C7
SHA-512:	AEC4FC81FC57A999466646C076ED354436AB7927D999EB93CD4BC9B5581A83F77F8F102139EB711E058038855A01966E9D486D6953CB44EEF6AEF0231320F1BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.SearchHeap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.Segment-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	4.931264183113828
Encrypted:	false
SSDEEP:	96:thxRxHhdFd3hdS3dq/hdf3d2CmoNJ7u4PfFUhoeNuIwTdBzQbH5dM/wbNo8HhdFK:thxDHDX/9NV3F1jaG8HDX/9z8rwM9
MD5:	3BC6648131A0CBA5C20527D37D29041A
SHA1:	8E26A7DA452B4F116006E097FDD0A4A56FEEB169
SHA-256:	DF179BF64A1AC764901B67AEF208828968D06BFD49B896419457C4E7BC89E359
SHA-512:	3671E5F12C581A2D64E76B928DB84F10ECD84589BD449664C16FBF1C5285F13EE772BFB36F3140940B55672EA4F6B5A8E63F4AF1892F94B856075C50182207FA
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.Segment</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.SubSegment-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7942
Entropy (8bit):	4.865584034623614
Encrypted:	false
SSDEEP:	192:thxDHDX/9NVpx1haLcuN08HDX/9z8rwM9:thxh3o8L9
MD5:	A0D089A00F75723C0F3D83826D139F76
SHA1:	25A6AA12509D64E4C890ACBCE501DBAE6E7071EF
SHA-256:	193BCE8CE2BAC1B4A46BD4E8B1288429AE5FC044FDA387B5373F7FD2EB56EEC0
SHA-512:	51A83C145808CC7E2B8171D36CC1BE88FB9AFB395FF576D8E1753E03A5E8728D5E38474CAB6C9E5FEA613589EE909181D793D65B5E46965DE2193C3E4D33B3BC
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.SubSegment</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.UserData-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5955
Entropy (8bit):	4.909183359657007
Encrypted:	false
SSDEEP:	96:tNxRxHhdFd3hdS3dq/hdf3d2CmoNJ7uMPfBUho0XuIwTdBzQbH5dM/wbD8hhbIo3:tNxDHDX/9NV9B1Vasd8HDX/9z8rwM9
MD5:	839CA5F216D76BC09568B11657769957
SHA1:	CF7A1928CE20FEC1D31223A872AC4814F60BAF02
SHA-256:	A3FA955C7894064183597C2A404968073E4F25DBD218D28144B1AD09E1C86ACC
SHA-512:	6B77471C1247CAA72D1C48ECC5E13DA925770AAA5E2DA5A4B7377323D08D164312E091CF5A74951C271CFB9494D7A1CABCB64CE69E4388EECFFD0D36989AC5FC
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.UserData</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.UserMemoryCache-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5366
Entropy (8bit):	4.944606941093854
Encrypted:	false
SSDEEP:	96:t6xRxHhdFd3hdS3dq/hdf3d2CmoNJ7u9PfcUhodWuIwTdBzQbH5dMXkbSo8HhdFK:t6xDHDX/9NVyc1vab8HDX/9z8rwM9
MD5:	A0448119C99A38DCE67911840CAF6EFC
SHA1:	61CB3FDDAABBBC882E1C334AA6FF726E73C2515C
SHA-256:	CB56FCE02DEC0D99107E8A1A4B3F05179F2E230786C99AA1CAFBE991DE028C84
SHA-512:	D6C396FC5F97BB1ED56CA705DA1CBD439598A597E9839AB346D0227F107657DA7ACD6526DA1307F9632062E998C2E63F65C9B2A751E4C15CE06C8BD54337280E
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.UserMemoryCache</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help<

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.VistaPHeap-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	14884
Entropy (8bit):	4.89895133291382
Encrypted:	false
SSDEEP:	192:tvxDHDX/9NVfX1w11rG3mWNKc1fdRT//jemtYcxPZEnhJaNhHDX/9z8rwM9:tvxhf6i91fdRT//jLtmnSx8L9
MD5:	AC6B3276F657BC8BB441EA935E1180F9
SHA1:	3B47C67EC71CF7092F9F49665A96153FD62F22FF
SHA-256:	D90580B883A376328527D962A1E6BEA329D04C510D90B1608668E5F1857D4AD5
SHA-512:	1ECCB1AF8F97EEDD48C442793F637717426701BA260541C26482A42FBFB208E1CF79684BB28AA68A30CA71D8DCD1B95E0A10FCC1E90ED94B9A32DEF23B4BD52D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.VistaPHeap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.VistaSegment-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5348
Entropy (8bit):	4.935607849293833
Encrypted:	false
SSDEEP:	96:tgxRxHhdFd3hdS3dq/hdf3d2CmoNJ7utVPf2UhodmuIwTdBzQbH5dM/wbCo8HhdY:tgxDHDX/9NVy21/ar8HDX/9z8rwM9
MD5:	62E13FB536E7595EA34995FCFC65D343
SHA1:	65277FD13428E19F7F0D52DA3690A2BC346FCF6B
SHA-256:	870C7118DBDAFE522E9C8ED7841764ED6311F1A167D320B493EAEB506E6B9ED5
SHA-512:	54B980874BC30E2AAD76807A99F194D8628541EC72AE452043C2BA2CFEFDAE286F9E2DEDB089067C83E3A2973B072C70A1DC6B89B98879728CD5BFBB45CF8FEC
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.VistaSegment</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.Win7LFHeap-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5336
Entropy (8bit):	4.9521616596593425
Encrypted:	false
SSDEEP:	96:tVxRxHhdFd3hdS3dq/hdf3d2CmoNJ7u0Pf5Uho0XuIwTdBzQbH5dM/wbDo8HhdFK:tVxDHDX/9NVV51daY8HDX/9z8rwM9
MD5:	A591E8716133BD52811846EE0F5F0F0F
SHA1:	7AFD6CA9853FBA3ADC6E63E41AE9D2D44A2803AF
SHA-256:	813371FD223019BBF3E39EAFB3839CA7B7E1AFDFD5FD5D2B633949F3A9E33BE8
SHA-512:	14AA8FAE5B72BB430306AE89C0ADAB27856B6F3F4D976E85DD64335F35346A0C81778C004054660F65383051D14C4F4BF15C55CD8328D9E136812E9ACBDC255B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.Win7LFHeap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.win32heapchunk-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	18299
Entropy (8bit):	4.925819794862241
Encrypted:	false
SSDEEP:	192:tExDHDX/9NVyy1Q1aw6umK3jAx5LOf8P+cvyBaPvKMoFhHDX/9z8rwM9:tExh5Own0J8L9
MD5:	B37271DAB2F4F1CAB46FC4E285E41BBF
SHA1:	0A2508DCE6E87C34914C97C4E00AAC18A67FB3AC
SHA-256:	A6AF2EF4491BCF1B6267EE53F93BECEDAC305AC3436C88B27A59BF68FBF7F82B
SHA-512:	DF6571ADDCAC98D4C52B177038EC1558396B81CBC2D1D5FE08A203919F5F057E095581DBEDF2D4133F1825BE6EE1E9C300255DC4FDDBC8E9F9BFE62936990E57
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.win32heapchunk</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libheap.win32vistaheapchunk-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	23290
Entropy (8bit):	4.951752823552443
Encrypted:	false
SSDEEP:	192:tDxDHDX/9NVlj1Sp1a66zzTAE0OeYtStYLTx+BcVZtcvdpBaPvKOhHDX/9z8rwM9:tDxhZwtgt1wO8L9
MD5:	0CC586CF5EA963CDBC4D53C6AB113806
SHA1:	680D5DEA73666C79547E504C7804F3BB5A70E11A
SHA-256:	BDF57770CDC4E1D7A84F5086004CBB9CD7F895B49770D0178754DC180FD608FB
SHA-512:	B21A614263434A7EF260C414CDFCEEE3F402602AF00E2BE4CC8ABCC03F3F253024344A40FD14FEDDF7B992B4B01C12545BED9E0FF12834BF6736454CD1F5CD76
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libheap.win32vistaheapchunk</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">H

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	14335
Entropy (8bit):	5.214313795547847
Encrypted:	false
SSDEEP:	192:t7xDHDX/9NVF91HzJgENVrnoFWQ+d3kmhHDX/9z8rwM9:t7xh7hzJgETuWQEp8L9
MD5:	F69AF2D232F8EBF6452D42011526AE89
SHA1:	BE9F379E58E1DE62BB4CCA0B9CA00FDB27CB34E5
SHA-256:	B1EB2658333E619C7217773C6F29054467D73CC60576D2167B93379F892C9FC3
SHA-512:	B0D0CAD7E86A6076633D401F57BCC92B7C4A6068F09B95E97FB1DB1A69C73151EAA1F2BD43D565BE13BD2F14E29A58E646BD43892E7F89E417BB2B67E8F900FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	198972
Entropy (8bit):	5.1143828994293745
Encrypted:	false
SSDEEP:	768:VxB6mHjbAE8g3/DegSqooZxh1hh2+7l5esG4vaYOY8x:5DbP8g3/DNhm
MD5:	8A4F3BA1880A239552780BCA085E26CB
SHA1:	27208C389F769B540532B676487D67A76322493D
SHA-256:	0C8246839F830F1220F05EE8B1E88CC65E30C709ECC216AF49E4F18C19D7D968
SHA-512:	C6235DBE944E6EE9D2CCAE8F22A9840D49EAA68D8CF060D365EB85F92206EF097088B662352A955D404A7B0D8F7F01B10C152C42C8612A0234FD0ADC49613D57
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.AccessViolationHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7994
Entropy (8bit):	4.974874662429129
Encrypted:	false
SSDEEP:	192:trxDHDX/9NVEX1V1aztYZhHDX/9z8rwM9:trxh8d8L9
MD5:	E76E1FE87C180F5635E8FBCF4E6DA6D1
SHA1:	6F39A0F461DEAC9BAEA2AC0A8DB4E13A769C283E
SHA-256:	07472F429F2FF13FF361B7BC6A2B56E41B2C1357DFE71EB5074D638CC7411686
SHA-512:	95BD2A255A8AC4AEFDB71418A14CEB7045310C0C8C701DE721E50DEBDABA507F4809CD82A0C338DF125D9BC8EF93CA5722909DC7778105AA2138FD7408AA9BC8
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.AccessViolationHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">H

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.AllExceptHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7940
Entropy (8bit):	4.979907340077589
Encrypted:	false
SSDEEP:	192:tIxDHDX/9NVp61K1aPtYahHDX/9z8rwM9:tIxhM78L9
MD5:	50234D53DE03F9BAD95D9C27BF7DF4A9
SHA1:	A1AE35C7A49F5441FC56CFB3F7E5F996DA3BF647
SHA-256:	A101AAA02968F2A38494AA3BF37F1AF67C9EF6619F7B81BE38CE200DEDECDB5A
SHA-512:	05505BC7156B80E98E513610AAD491177552A779B7D28968A1FFB26AB139C561EDA670199DEA92DEA89B37BDFAB03D2D60C066AC10305FBA1FA7818A3C0FA543
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.AllExceptHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.BpHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7877
Entropy (8bit):	4.973486271949538
Encrypted:	false
SSDEEP:	192:tMxDHDX/9NVZa181aJtYUhHDX/9z8rwM9:tMxhg38L9
MD5:	E03DB2479B5524879F419739422BF70A
SHA1:	EA4F6D867E5E6C01C8F4E7FBFF78E5A75F849DC8
SHA-256:	40DD02CFA8336857C403C7131E2BFBAEC64E3005225DB58DB2D45A11337E8CC5
SHA-512:	FD1FD765D07937192B7D3551B336D10609DD91A0CE9D573261DA48A0CAB8502A66B207A65F70647E0AB47D4450D58E169CCB78722CD256D6DCB922B07A2731D7
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.BpHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.CreateProcessHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7976
Entropy (8bit):	4.973123351725925
Encrypted:	false
SSDEEP:	192:tHxDHDX/9NV8v1l1aTtYdhHDX/9z8rwM9:tHxhod8L9
MD5:	C2988F795E989EDF87A0B88EF95FB324
SHA1:	549F729BDA80791084591C3EB844BFD18B9A4189
SHA-256:	C06D3DB584E0BB0EF3F03EBCCA56679FCD9CA9549A9212AEC61B2891DFD85A2F
SHA-512:	113BE46FCC60B1DFBD090AE48EB5D83EE98A7311B03EE2B1ACF9CC8F9F380FEE2DA07E44009F89C933CE853B0D4A6F38D6A70C58ED7E8C7846408577D9674D5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.CreateProcessHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Hel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.CreateThreadHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7967
Entropy (8bit):	4.973039931916896
Encrypted:	false
SSDEEP:	192:taxDHDX/9NV781y1altYqhHDX/9z8rwM9:taxhIL8L9
MD5:	267E528A7A784B54BBAA9A4828817B05
SHA1:	E36A3049BB7333D55DF80DF94C7D57DC30E4C8E3
SHA-256:	3153033FF28861131C7560431CD963C2782748451FF502E595500D365443DC04
SHA-512:	043EC9EF835229E63F1D750019A089A815BCDA8D4CA726A3CB6252B8F1501692FFF0E78D20FD76D3AE274B022DC4F9E56EE3360742788486B4C1EE4A2915599A
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.CreateThreadHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.ExitProcessHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7958
Entropy (8bit):	4.979458822783584
Encrypted:	false
SSDEEP:	192:tz3xDHDX/9NVBOdF1ZA5m1aSTAtY6ehHDX/9z8rwM9:tz3xhBMFfA5YTcU8L9
MD5:	36036AE1D5BE4A3DF3B839324AE2F8FA
SHA1:	421D4523EA17EAA94D7ABF81328DCE61EEDF6AC2
SHA-256:	F1AD10C8DB7E98287729570D109CCB9E47A9B44AFD048E04E1E8EDF59284BF29
SHA-512:	CE464E73E49064E48C07FA0568AD654FC13EF7A8D54D792F08AECB6155FCCB1C5B1EBA4DFD361EC544D4483851D95F0A492663A4BA3EA9A3F310B2C5FFD6E028
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.ExitProcessHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help<

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.ExitThreadHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7949
Entropy (8bit):	4.9794253910696415
Encrypted:	false
SSDEEP:	192:tGxDHDX/9NVHo161aJtYShHDX/9z8rwM9:tGxhIT8L9
MD5:	7E5E8F9C264918AB3274628B487E6B9D
SHA1:	E1ECE3251D2FB984F5D278467EB1E226A6968559
SHA-256:	2C02E8E0D8BFB5818F7CD0175773C671AD14E518C7451FACC4F95C518A3D022E
SHA-512:	7BE34F4E61071F7AD8E76E122FF8D651F7837FF5E29930637FEC2066CB7DAADBE5E816DD1A015682D309B2CBE02E4C0DED1DCA4C462075345779C886B4BAA316
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.ExitThreadHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.FastLogHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	18929
Entropy (8bit):	4.739924771907275
Encrypted:	false
SSDEEP:	192:tSxDHDX/9NVzE12aLbR56h2MOk+DDM+L604Cq3Ec8HDX/9z8rwM9:tSxh4j8L9
MD5:	3F33094717179A924EADED7BAEEE81F2
SHA1:	80E4165DD134B04AA03D602DF84F765C0B9908BD
SHA-256:	1C8DC22F5C31C1E7FFD517BA3086E81AB7BFAA58F8578A7487C96C842BD1DAC5
SHA-512:	63211986C6DE37D585F35A7BF92BFAB17E9670BEEE3CD8F5014FC369836A1BD0D427D88228F489FE2DE4A25D8DA04964B6CF8EB2AE022D8B239AE7AA2763C231
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.FastLogHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.Hook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	13539
Entropy (8bit):	4.792401492452092
Encrypted:	false
SSDEEP:	192:taxDHDX/9NV//w1uaVrhce05a2BQH1tlahHDX/9z8rwM9:taxhgUoe8L9
MD5:	618BFE390168BC5DADA41330622E4FF7
SHA1:	D036D346E7C35CCDB1D14B6BE38549C93B4E5F2B
SHA-256:	CB8529BF21D4FE7159050F32E60C53E29E75117013CAFAF1A5C88B00C5E98563
SHA-512:	CE49A1D8657CD708E63B2F78685B74E6389DDC782848F6356DD4E534908C7969A74C24DF465B041354C0CB515EB24E9D97B985DAFD223357A968FD676B0F3BFF
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.Hook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.LoadDLLHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7922
Entropy (8bit):	4.980605896022478
Encrypted:	false
SSDEEP:	192:tNgxDHDX/9NVHfA1E1amutY4hHDX/9z8rwM9:tNgxh/Ak68L9
MD5:	A9500B3353ACF8A06410573BF37AA6D3
SHA1:	8A28AE95048826D946C4F8EFF1254F2A9DED6195
SHA-256:	AA8742CAB4314593F04FF23EAC93631A10BBC0CF7DBE4B9BB9B81CB6B109ECEC
SHA-512:	3AEC9856BAF5CC2EF946A280FAE3A830C984E7A0064F161551590F99BAA9A5F6876F5E927CC853C9CE7F72520E591CE55423F848C2C731710614CADD60008AA2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.LoadDLLHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.LogBpHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7904
Entropy (8bit):	4.978404055025693
Encrypted:	false
SSDEEP:	192:tNYxDHDX/9NV3fI1g1amKtY0hHDX/9z8rwM9:tNYxhPIQK8L9
MD5:	829D2571E60934507398B77071BDFA9C
SHA1:	7FEEECC3BC2323E3469CF2BD6EB508A61627DD18
SHA-256:	3BF91DBD838549C1200D68544110346EAC34BD75352AF12402A2BE9ACCEC785E
SHA-512:	AFE43C4E8B4CF2B976D7FD82178869717C839159A4B19681CCB628F8075125221E924FDA978DAA5C91B650744BBDC864FB4389CA6FFC5CBC4011BB10516E9788
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.LogBpHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.PostAnalysisHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7967
Entropy (8bit):	4.976371673693773
Encrypted:	false
SSDEEP:	192:t+xDHDX/9NV/I1C1aZtYihHDX/9z8rwM9:t+xhwz8L9
MD5:	DAEAB37C70510089538ACF71A0A43B7A
SHA1:	B3C9789D5DC1E01106C891FC3A0979B292E1C918
SHA-256:	0FCAE7B861C29BF88702719B5BD2300D5ADA397854B7B0EEBDB77DFBDF6A3635
SHA-512:	C4A0FFE809057AD2B0A346D1A401B94BE07CFC9781FD16A4D0935A4F02CDD8B14B03E19A49EE28503FB5E1C359320707F699B4D3512B0E879D26E89DEB9D1E72
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.PostAnalysisHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.PreBpHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7904
Entropy (8bit):	4.9778629162381955
Encrypted:	false
SSDEEP:	192:tRxDHDX/9NVWh1L1aHtYvhHDX/9z8rwM9:tRxhsh8L9
MD5:	DA9CB632CF60A25FBCF2B26A3A60EE64
SHA1:	ECC9B9F4DB1DC3CDCCCE711C236AD32CF5A7E1FF
SHA-256:	1F41EC668DA8BA60FDB8DC4CD34516CAC6D81091E88A94AB7EF7CBA3E2089124
SHA-512:	67B5C4A425C2225A5A083B785C11D498B00998EF5290EE7AA7126A7C7BBDA54A4607BD82F965ABF32213B4044C58E2438F689840D15BCAE5BFD8C551D059B7A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.PreBpHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.RunUntilAV-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8005
Entropy (8bit):	4.982458441691564
Encrypted:	false
SSDEEP:	192:t5xDHDX/9NVux1D1abtYuhHDX/9z8rwM9:t5xhCi8L9
MD5:	A3E696C900C5C5200DD6AB977DC3CF1D
SHA1:	1A6A3C5FAB65F5B832EA8B2D8F5634575AD308D4
SHA-256:	4E2361C894F3EE704919B2396C366B76233B2E22C4A6A9ED26F9C3FFC7226AFD
SHA-512:	03F9F1347F61DEE01C81F6A45C8751612EFE51CB8FEF4257DF479F86528F9085A10EE9877E11375A058B468EF3BE32C9AC57A6ADE8978F7FAFEB0849840FF1A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.RunUntilAV</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.STDCALLFastLogHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	10956
Entropy (8bit):	5.012873128731588
Encrypted:	false
SSDEEP:	192:tJxDHDX/9NVi9151aQUumYsetYP6GhHDX/9z8rwM9:tJxhSwf8L9
MD5:	3E4EF0A59BEAF9D03244D9270A12DD84
SHA1:	75734A953E67BBD7BC8C4E7FFDA11EB5B664B96B
SHA-256:	22335A2A2809CC27A43BBB4D1D88FC7C2E662507838A5C7276D284448CAE364E
SHA-512:	A5C69E783B5ADEF638EF6233C254301D28B529905D46E579003EFFE4B2BA301934F4FD9BDABB42B0DC854350598300D38D85CB286D8DC8F0C2BD33220654ED48
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.STDCALLFastLogHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">He

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.libhook.UnloadDLLHook-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7940
Entropy (8bit):	4.983251698060141
Encrypted:	false
SSDEEP:	192:tXxDHDX/9NVQj1Z1a7tYJhHDX/9z8rwM9:tXxh4h8L9
MD5:	653244453156E900FA1C7826D4E3FDBE
SHA1:	607A2DC09C725570201F3C69C466922E1C312B0A
SHA-256:	C87739E460393F32997C38927476548C594DA6AB3B8D44553977109D6C293AD1
SHA-512:	EE655517145151FB91C89876E4E1775EA4C2D7764C3EFC975058824404C13875460B2670D0504D904AE92F00CD915C920E37838C23D151A960F66C177574B08D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.libhook.UnloadDLLHook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.librecognition-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6177
Entropy (8bit):	4.961438348592952
Encrypted:	false
SSDEEP:	96:ttxRxHhdFd3hdS3dq/hdf3d2CmoNJ71PfDUhoOfc5wquBzQb5oFoTwzfBzQbIWV4:ttxDHDX/9NV5D1x6Sq8HDX/9z8rwM9
MD5:	66EF82CE4A111535C7847C7BB5283C22
SHA1:	834294152A5840C2596DA64FA4267A5ECA599220
SHA-256:	43BECA415C4D1F15E68B2EBB2DA4801FE06BDFF91C554D9AFF8414EFF072BCA0
SHA-512:	9DD292D93028D26ADA4B54CA42B38DA84F82AF346B5BFCAA999BBE69BC69CF73CC5B74D604CB8256950D57EABA99AF626EB1A6180F671E6FC652A6E96A302703
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.librecognition</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.librecognition-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	222301
Entropy (8bit):	4.843065845634993
Encrypted:	false
SSDEEP:	6144:yfrgEvOTEfGgfIgqgJ06iNf+gOOUrmy5jn:yfMEWgfGgwgqgmNf+Fb6y5jn
MD5:	97749391C465C0A00ECD56A6F9FDB733
SHA1:	7E65B6851BA386A308F34BA3688717053C94EC25
SHA-256:	2189E3575DAF4F13B8032EA072D2BEFC9C115F72358B9FC72BEA9FF2DFEE7D04
SHA-512:	4DBF4A2D79A29DA9FAA9EBB695C852B04B2DEC021A464A35D286582D4DED1C84D4ED63B49D52437B3DF5AC7236CA3EE4CF6B94E6BAF9477834025FA999737F5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.librecognition</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.librecognition.FunctionRecognition-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	42131
Entropy (8bit):	4.844676239213507
Encrypted:	false
SSDEEP:	384:t4xhaLgFL7S+sCUYZNfFMtDZYBMlXx/hKfx/w2gx0dx8L9:SxGUUYZNsDZYBUhgfW08x
MD5:	66EE4408331448EDA77B7124CEC327C6
SHA1:	B16B661E8A60F9BE1E069BFE598F5A6F89477AC3
SHA-256:	F260F80645A61F69AB0F988EB00BBEECEE358A5EF78FA269FD92170C33D31DD8
SHA-512:	F311874B9917D8D2C5C734699037FBA4C7ECE73AEB01BA80C25E82D2E73AF51B1B4A61E2F2EC19679D4DBCD5511A7E6F0B6649132791656A0FEE379C2660890F
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.librecognition.FunctionRecognition</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.librecognition.MultiCSVIterator-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7304
Entropy (8bit):	4.8882383787112005
Encrypted:	false
SSDEEP:	192:t+xDHDX/9NVq4E1oao6iy9asUx8HDX/9a8rwM9:t+xhKLq8L9
MD5:	4F7C1C445C889A7B85AD4EABF980B085
SHA1:	320E477DCE950E67E4D732404899B4EB9377C7C0
SHA-256:	78AA5CA6D04036C105C9A918150F41C1F0605F120236F1DC21C7D87E5B67874E
SHA-512:	50C4F173CD026F05DE5EBB265CB4B76CA6247323386A922D371DFC27384CCF6484A4DF80E507BF9062950B666DDD09FB6BCFABCE5CECEE4C6676254F3401B063
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.librecognition.MultiCSVIterator</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.htm

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	13111
Entropy (8bit):	4.945016130461086
Encrypted:	false
SSDEEP:	192:tBxDHDX/9NV/v1UDuNUSCXdAOj8HDX/9z8rwM9:tBxh3WhK8L9
MD5:	C080FC7B93B642A690ACD1D193F2BC67
SHA1:	359A55A5343319307203FEE4552CF6215DA46228
SHA-256:	37F64E2DC9C6B48674D95B8C27CEC41A9DEAC5DEE5D42343D4C8EC2FF241A587
SHA-512:	3C613CF713EBC232A402E440F77A5009688C460E754C20FE349646F5F150F01D1260F116DE7196E06D60CD66C7601711D092AC5CAC405C337A6CC0B596947948
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib-pysrc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	401915
Entropy (8bit):	4.872511247384112
Encrypted:	false
SSDEEP:	6144:h6XiyUi2inJdFkUsuqe7wcvd/KCQZwWW6Lux:mZJjcLs
MD5:	BC2A042007C3A3C62975C8D8FD3D450B
SHA1:	252B78172E81217CC45377FBF470423EEFA354FB
SHA-256:	DBC001B2F735EEEEB338C487DB0EE289E60B536A8E1DFB34959018E4134E8E09
SHA-512:	B0AC625D834D8B0D02A48BC682B1D8FF7FD901C9E36D67FD43CBF4D141E0663E5D9E59D261F3D90DFC59865C92CDAD9B03E1D23B6F5CF75FAB8CD80329E1CCEE
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.Directory-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7134
Entropy (8bit):	4.859477288355149
Encrypted:	false
SSDEEP:	192:toxDHDX/9NVH+1fYaxgro8HDX/9a8rwM9:toxheJ38L9
MD5:	01C07AD58E3DC7A3D6C89BD17E333369
SHA1:	0A531DAD06C7C8FE272D9214D77208EAC10A665B
SHA-256:	2AB72C995563EEF5D2DD2CE19970A933C3C9AC70E1D38C87D9635DA0203E7B05
SHA-512:	1EEB78FCEDBF3DE7ADD7A2C9B34CB40C3B6774F03F7140A625A221A463BE199AC790E794D841BF06689B55CA41A36E4EA45BC59A674FF02ADD5568671BA6DB5B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.Directory</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.IMGOPThdr-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7758
Entropy (8bit):	4.865268104670548
Encrypted:	false
SSDEEP:	192:tRxDHDX/9NVIl1waOVvJm8HDX/9a8rwM9:tRxhid8L9
MD5:	540DBBA53A5524DEDB3124AED405BEFE
SHA1:	1BF6A89D0ED63E0213D3E73AF2FD79BCFC17B93C
SHA-256:	4E87D9C34750CEFEC8BE2C43FDCBCFAAED107CDE3A8D90EA21378FA85557978B
SHA-512:	10ABE636D4A4308EC4E9EC78C3D20E130E7DA3728CE7DD4467FAAB67D2C67E7DBD4B723A48FF2967E08CF94D29928ADD17D4FFC85BD89BFC49700ED09FDE8D4F
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.IMGOPThdr</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&nbsp

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.IMGhdr-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7107
Entropy (8bit):	4.868145104286331
Encrypted:	false
SSDEEP:	192:t4xDHDX/9NV3Z41cajQOl8HDX/9a8rwM9:t4xhiB8L9
MD5:	9A6309742632418694DF951D1E4C8ECB
SHA1:	D887D3A4B2D2F87310DD24C7D2E0CC297FA29C7E
SHA-256:	8A97408A4F1786EB8EA35E48F64B4D248A6A64E1DC33A29EE0E2A477ED0A2E6F
SHA-512:	0460E0C1D4EE3A49CA5B0AF2AEAE11FCD6241638BC5B99DDF300B843FF91ACA2DA69877C77081250FB939AACB60CB8E37AD39395C23BA8328066BF98D303E8DE
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.IMGhdr</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.ImageExportDirectory-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7925
Entropy (8bit):	4.857152201818166
Encrypted:	false
SSDEEP:	192:tdxDHDX/9NVcl1qzaMjzNk8HDX/9a8rwM9:tdxhUsM8L9
MD5:	31DA0F09D16674D31C47752BC4E00EC9
SHA1:	CCAB772A7B6870F3AC8FFFEA4EF22F19C253D184
SHA-256:	FB9F3CAD363E30F517612868F51AD08894DF8250678775379C0EB07EB68D2C38
SHA-512:	1AE6F161BD4EF3AE9548C34EB4DD695F3E6CAC0CABCF94656BA848D4BDE3EEDC4EDE5637930DA82FF51F49697EB65EC22CFE1E285F7D04A26052029FA0A8F51D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.ImageExportDirectory</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">He

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.ImageImportByName-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7206
Entropy (8bit):	4.87651305498548
Encrypted:	false
SSDEEP:	96:t1xRxHhdFd3hdS3dq/hdf3d2CmoNJ78RPfZUhoQSuIwTdBzQbH5dh6+8pM/6w8hz:t1xDHDX/9NV0Z1sam11G8HDX/9a8rwM9
MD5:	8A644E84517C995986747AF430FF8032
SHA1:	F9D9D2B7548102CFC5822202A574AE2AAFA5D03A
SHA-256:	DE3F4A9F873F888A00001FC4D0BF56507D505E5645A618B58D9F20124ED5AFDD
SHA-512:	3EF9521078D38F89F5C04B0D4A6985CC7BC411BEC3D384165B6D9AC69752C0780DBF9406A40AEEC41511FDCE64D3761B16DE105F7485E75C317EB590C712360B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.ImageImportByName</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help<

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.ImportDescriptor-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8632
Entropy (8bit):	4.824732846310811
Encrypted:	false
SSDEEP:	192:tTxDHDX/9NVuP1GaCDQv+x8HDX/9a8rwM9:tTxhgQ8L9
MD5:	95F336924973A4D1C3E1ACCE6FF2556C
SHA1:	22B2F95DEC17D1C1F39868252D421103F336C545
SHA-256:	E2BCF1B459998D0F374FD2098FB1941F55B133A3FB6895D3B03B568265C0C0D8
SHA-512:	BB5751CD4E645482EF9BB04873358EEBFDCE3414644FC1485FFEFE5C005595C3CE90B5794E9FCCB7523EE470B700F5DF2DEB9B9A62DD8FA3ED4EF2E5CED900E4
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.ImportDescriptor</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.MZ-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	7706
Entropy (8bit):	4.849311828466697
Encrypted:	false
SSDEEP:	192:tcxDHDX/9NVDy1IaTCcFj8HDX/9a8rwM9:tcxhmH8L9
MD5:	BC8E7FBE32F0D086762801766551950F
SHA1:	CE9B5F47BBD51A277C69D653755F5DB251921523
SHA-256:	5F10C379D5CAB9FDF9FCB146AA60792C108341CBC0BA2693D317B4764E5F4272
SHA-512:	87A7044CCCE48102B438BA98F232A900025EECD3AEF5B775C3B65F36F26478312C4B11F4F02F0FBA2215FA988AAE9D465E5EBC14E3940C05811B1A3725EABE6F
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.MZ</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.PE-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	13081
Entropy (8bit):	4.7679890987880995
Encrypted:	false
SSDEEP:	192:tkxDHDX/9NVr21sarncCOofQQhxHru0pphBr98HDX/9a8rwM9:tkxhChxHR8L9
MD5:	535B06F2E42BC0446C581B45AF9F3E55
SHA1:	20C506E711ACE2FFC6C07E381D48600F2D84E216
SHA-256:	8F73DBD8D3CA532A49EC731ACF16ABE57F0E49227DD6AB8E84BC29B7691C5473
SHA-512:	DDC2EF8A41FF4C308E5E60997B35DCFCADFF00602697D7FED44168D2924F64F3F6D56C8F1803D529DF3A8FE82F144DEBAD6047BB6CF98B0E980D6FF207896BD2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.PE</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.PEError-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6820
Entropy (8bit):	4.890851668294858
Encrypted:	false
SSDEEP:	96:t0xRxHhdFd3hdS3dq/hdf3d2CmoNJ78SPfyUhoJL11IwTdBzQbYTQoHwjfBzQbrm:t0xDHDX/9NVjy1L1rB18HDX/9a8rwM9
MD5:	19E49503166725F545998DBCE033744C
SHA1:	FACF29F466583B2CDB2A15FBF3A1E3E42FAAA591
SHA-256:	054B61CCBA26652F45B64E592EB55537BF85182C2E6EA19373AE7F9735A8FFB2
SHA-512:	2C92228F4A30DA639868245F128946A2723C73EED86FF6D763ABB508E5868DAA1DB346C6F6B97584F3B47E2D65B465697D844F075127F36ADB97D7089835D67F
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.PEError</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.PElib-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	12153
Entropy (8bit):	4.832531450210738
Encrypted:	false
SSDEEP:	192:tZxDHDX/9NVYV1ka6vW3Le4hPNP58HDX/9a8rwM9:tZxheZ8L9
MD5:	6C75D5506C4D2C9E259CEBEB987A1710
SHA1:	77E3E70343995D5B1EB29FAC2E24F625AB794B97
SHA-256:	47AC22FED81E1EB65B6163E80508AC42335521085D7CBEA8BCA38D8BCF626B98
SHA-512:	C35C51022D20FC2C341CA8636133922AFE4BE7551FC5DFC8D322D23EA0D621E146335194C77F73E31EE74C29D11EBC3B34E02A875870E3725635CA637FCB40EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.PElib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &nb

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\Libs.pelib.Section-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.818629644104831
Encrypted:	false
SSDEEP:	192:tcxDHDX/9NVDK1wadgl0cv8HDX/9a8rwM9:tcxh+I8L9
MD5:	53748592160E50FF440FB3400DBEC592
SHA1:	DC9DAB2E6A08821368E42997389334566D546020
SHA-256:	9A08BA80F7D6CA98C72202911580D6C73EAC66D80168048A97F1F4BF1978E439
SHA-512:	8DFB8C2E1917294B8C8A5F600B4999ED9C5CA3F030A6CDEA1E7A04A8912D677E9D18EC07A1A2D5D0F4DBADA58017059EBE322C8EB55D19422492BC81C94C27BE
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Libs.pelib.Section</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a> &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\abc.ABCMeta-class.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	4.825767323341313
Encrypted:	false
SSDEEP:	192:tyxDHDX/9Njg1Kaqn0oNslfRQexASyXF9SXhFpGyt1xjyRZP5hHDX/9a8rwM9:tyxoASlHyXqdyI8L9
MD5:	A534BD0AFDBA4643AFD6CE59977FD7DD
SHA1:	F98850AD72F6B7B284074FE72DD23D73F9995698
SHA-256:	3EF2A080BDC6542A2C94AF33A0D538F18F3B508E5F82A778FD88E03EB052314B
SHA-512:	5FA30C06B18D2E773195EF8B61933923A509B2038863223BE4CC57FF52CA3E7987683C757E513CE5099AD2A9D57761D1B94F85A7795BD2C52BEFF11049DD87DD
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>abc.ABCMeta</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>  &n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\api-objects.txt Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	113009
Entropy (8bit):	4.89778696000223
Encrypted:	false
SSDEEP:	768:aXrI7hL1GlUGjl4mmEuF6/J46kK9gC0r/Zb4tCx9nBJf:a7y6/HgFr/Zb4tCx9nBJf
MD5:	D42075EEB85B27EDB5B33EF02AD2F40E
SHA1:	ACC135A8390060CCB73C2087B2FB36ECBB7B994A
SHA-256:	5F15BD331F7EE54E97CBB1AA5834880846CDD48F33B8713F12B70D5D01D722A4
SHA-512:	479A25E7FE9B678AE793813CD3CC672E2D90D3ACEE781B7FE411190B6D46176CDEE8110CC9EE6EDEFC3B23438665B6F8F63BE94854222D9747D96D95D594BDA5
Malicious:	false
Preview:	Libs.debugtypes.Libs.debugtypes-module.html.Libs.debugtypes.MemoryProtection.Libs.debugtypes-module.html#MemoryProtection.Libs.graphclass.Libs.graphclass-module.html.Libs.graphclass.ImmDrawColors.Libs.graphclass-module.html#ImmDrawColors.Libs.immlib.Libs.immlib-module.html.Libs.immlib.HB_ONESHOT.Libs.immlib-module.html#HB_ONESHOT.Libs.immlib.NM_MODSEARCH.Libs.immlib-module.html#NM_MODSEARCH.Libs.immlib.NM_IMCALL.Libs.immlib-module.html#NM_IMCALL.Libs.immlib.NM_BREAKEXPR.Libs.immlib-module.html#NM_BREAKEXPR.Libs.immlib.NM_WATCH.Libs.immlib-module.html#NM_WATCH.Libs.immlib.BpMemFlags.Libs.immlib-module.html#BpMemFlags.Libs.immlib.NM_ASSUME.Libs.immlib-module.html#NM_ASSUME.Libs.immlib.jmpTypeFlags.Libs.immlib-module.html#jmpTypeFlags.Libs.immlib.DebugerStatus.Libs.immlib-module.html#DebugerStatus.Libs.immlib.NM_CASE.Libs.immlib-module.html#NM_CASE.Libs.immlib.NM_GOTO.Libs.immlib-module.html#NM_GOTO.Libs.immlib.NM_BREAKEXPL.Libs.immlib-module.html#NM_BREAKEXPL.Libs.immlib.__VERSION__.Libs

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\class-tree.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	14950
Entropy (8bit):	4.932476197451683
Encrypted:	false
SSDEEP:	192:tuxDHLX/9NuCb1HbYiCGNqjjqzK8KszK8KNzK8K2ybzOSHLX/9z8rwM9:tuxCGRCGMjEb9bWb3ybzOg8L9
MD5:	EA5586681F09D2EFB4E5D624EFDCD08D
SHA1:	8424C73D01861329E08CE8C78983B10FA35DA9D1
SHA-256:	5CA6C3D4818A1C34C6F51BA012BFCEE11642785D8BF3B4B0E800F7AF6A99DF41
SHA-512:	BF1C64FF14ED565B52FF61879240F429B11D3CC83656F22CB091C66AEED0A390F82AD91154F1616B51EA099061C9E5496F051D763049421AA2539F5A296D3E04
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Class Hierarchy</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th bgcolor="#70b0f0" class="navbar-select". >   Trees   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help</

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\crarr.png Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PNG image data, 17 x 10, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	340
Entropy (8bit):	6.555418601044393
Encrypted:	false
SSDEEP:	6:6v/lhP6JAoMHMkA5Tmytnlx7Cozyobxfu6oVw7MGthCMFKRV9U7Rlsup:6v/7pfH8myV7Ce/H7MGthnWXMRlN
MD5:	CA5E1D99F2231C4E29AEF5D419E36E14
SHA1:	BCC1196F30B7180116D58BAEF4B1B980A51CBDBE
SHA-256:	CC844124EE0F58D9E2EAE88EBC382FCAE7D404765E248969B31EC96B5EDACDC5
SHA-512:	90109C3185285BC81DBF149DAEF84CA0A212B76C41F0652A9303CE7121D4AB558BEB04EAFDA011CBBFAFB92D73C368E41C541F1CE35C3CAC5AC31706D323EE61
Malicious:	false
Preview:	.PNG........IHDR.............e.E....,tEXtCreation Time.Tue 22 Aug 2006 00:43:10 -0500`..X....tIME......)..}.....pHYs.........n.u>....gAMA......a....EPLTE.........f4sW ...rD`@.bC........X{`,...lN..o@...xdE....d...~T.w.v....tRNS.@..f...MIDATx.c`@...0&+...........(.....;;./...EX...?...n ......b..;.'.+...Y...#...(r..<.."....IEND.B`.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\epydoc.css Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16023
Entropy (8bit):	4.330436913047411
Encrypted:	false
SSDEEP:	384:ZDZDQDAyjf7/WJj9Q1GAiVndE2V4guO/pi:ppIJ7nGfDE2V4NF
MD5:	49C7B1B012A4E19DCD1C2E73DA051200
SHA1:	9142969D87B7588AD495C829E5C448CC0E35FDCF
SHA-256:	93B7C889FE3C46589627A4CF41F96A1FA49D27B43C1DD9CD7CDAA1DDEABF41BD
SHA-512:	74E1E331F3053E07A87F3E23C67A0913926CC186072CD185E166A0936712A397CF196C916614E7443DD708378502878C3174BAA63C1D6B1480BE595679FDE715
Malicious:	false
Preview:	../* Epydoc CSS Stylesheet. . This stylesheet can be used to customize the appearance of epydoc's. * HTML output.. . /../* Default Colors & Styles. * - Set the default foreground & background color with 'body'; and . * link colors with 'a:link' and 'a:visited'.. * - Use bold for decision list terms.. * - The heading styles defined here are used for headings within. * docstring descriptions. All headings used by epydoc itself use. * either class='epydoc' or class='toc' (CSS styles for both. * defined below).. */.body { background: #ffffff; color: #000000; }.p { margin-top: 0.5em; margin-bottom: 0.5em; }.a:link { color: #0000ff; }.a:visited { color: #204080; }.dt { font-weight: bold; }.h1 { font-size: +140%; font-style: italic;. font-weight: bold; }.h2 { font-size: +125

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\epydoc.js Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	10581
Entropy (8bit):	4.706594457472017
Encrypted:	false
SSDEEP:	192:HQyeAYcWyzBDyyCpyyUYy9yyVWv9zGieTinioiDinioihiBAiJWFgvbnrjPAORlY:HgARDBLC5UHsGiUinioiDinioihiBAia
MD5:	98B84160A551D0307D142DFF4AC77084
SHA1:	434CAD4DF13A264DF5402B570724AB12C16DC694
SHA-256:	71FFCA5149D412A6DF8A433C1E8DDA52403006087C23FD53F3540874A235BFD2
SHA-512:	F35856617C3DFC1B062F202D90EE83E3CC6AC842211AF4F3D1664A379CF33907EE7203765736130633EE90E88C543153558EBFE7CA2EB81DFD9DF04DA7C5E03D
Malicious:	false
Preview:	function toggle_private() {. // Search for any private/public links on this page. Store. // their old text in "cmd," so we will know what action to. // take; and change their text to the opposite action.. var cmd = "?";. var elts = document.getElementsByTagName("a");. for(var i=0; i<elts.length; i++) {. if (elts[i].className == "privatelink") {. cmd = elts[i].innerHTML;. elts[i].innerHTML = ((cmd && cmd.substr(0,4)=="show")?. "hide private":"show private");. }. }. // Update all DIVs containing private objects.. var elts = document.getElementsByTagName("div");. for(var i=0; i<elts.length; i++) {. if (elts[i].className == "private") {. elts[i].style.display = ((cmd && cmd.substr(0,4)=="hide")?"none":"block");. }. else if (elts[i].className == "public") {. elts[i].style.display = ((cmd &

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\frames.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	600
Entropy (8bit):	5.043849617315298
Encrypted:	false
SSDEEP:	12:TMHdoIWWnMJ9FcDh57PWQ4shOxxKNKv5NFO7LYpRR1816cX79L:2dVHMTmDh5bWQbhOx8Kv5NI7kpzal7x
MD5:	32F7701F1183AE5B24C05260B97B8C51
SHA1:	81C0C3A165E0468995BE8B3B1DFC5229F6D8EA09
SHA-256:	A876386EDDF7EBD7E824B85B729E383398C43B5118A1862E56A96C224DC236AD
SHA-512:	D7A3AA542E896E57BE38CD0EE5312CBD7415BCB30295227073545AF19D81B2E9BA211ECDE90F55999CC94448F92B0EC54CDE47AD70FC6B825E8AC3DFE1455A15
Malicious:	false
Preview:	<?xml version="1.0" encoding="iso-8859-1"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN". "DTD/xhtml1-frameset.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title> Immunity Debugger API Reference </title>.</head>.<frameset cols="20%,80%">. <frameset rows="30%,70%">. <frame src="toc.html" name="moduleListFrame". id="moduleListFrame" />. <frame src="toc-everything.html" name="moduleFrame". id="moduleFrame" />. </frameset>. <frame src="module-tree.html" name="mainFrame" id="mainFrame" />.</frameset>.</html>.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\help.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	10940
Entropy (8bit):	4.828751359100776
Encrypted:	false
SSDEEP:	192:tKxDHDX/9NuC71kBHHLIUBWRdI8mlS3pCUdlW7BdD+ZdZVgHDX/9z8rwM9:tKx6W4JlS3pCUdg7KDC8L9
MD5:	12F1F5CA3C374FDCDE44B532D4C6CC0B
SHA1:	4CBC57C57BA9E4D560C1AA96B234EF9907B75320
SHA-256:	8B9A9157BB0C87AFF0F90B68F125F5FA2319AA4CDA916F738B166CBD412A954F
SHA-512:	ADAF61BF3ED3A6B24CE3B71057214D04AE9CECBA438BD5E90F0C094EC1C35C8548CB7B2B1492294452F29782D09FAEFFA6180582C8D53127B6CF6A88F68A34DE
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Help</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th bgcolor="#70b0f0" class="navbar-select". >   Help&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\identifier-index.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	266756
Entropy (8bit):	5.164371854671643
Encrypted:	false
SSDEEP:	3072:Z2ri/JLnF31+PhCOiYY9TOWL7A/t4hhwn2CN2D6TxW3TgkwpkESRJ0GKeXBPvZu6:z
MD5:	8808B2281FBFA190A7888620687C3066
SHA1:	8D6203F7415916582C909C78AED3CBCFC6F07351
SHA-256:	A541AA7D2D5F8D4BC946A324035478185D9482D5520C6470F10686A8119C867C
SHA-512:	E35107C9E7D50108CD8661EF8B465FF071B4BBEEAF9EA8F557BA9FAD28C4AA963366326BE5A2F41C15B405759F5ADBF554F7A91419936B2F79EE94BF8D7FFE0B
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Identifier Index</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th>   <a. href="module-tree.html">Trees</a>   </th>.. Index link -->. <th bgcolor="#70b0f0" class="navbar-select". >   Indices   </th>.. Help link -->. <th>   <a. href="help.html">Help</a>&n

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\index.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	600
Entropy (8bit):	5.043849617315298
Encrypted:	false
SSDEEP:	12:TMHdoIWWnMJ9FcDh57PWQ4shOxxKNKv5NFO7LYpRR1816cX79L:2dVHMTmDh5bWQbhOx8Kv5NI7kpzal7x
MD5:	32F7701F1183AE5B24C05260B97B8C51
SHA1:	81C0C3A165E0468995BE8B3B1DFC5229F6D8EA09
SHA-256:	A876386EDDF7EBD7E824B85B729E383398C43B5118A1862E56A96C224DC236AD
SHA-512:	D7A3AA542E896E57BE38CD0EE5312CBD7415BCB30295227073545AF19D81B2E9BA211ECDE90F55999CC94448F92B0EC54CDE47AD70FC6B825E8AC3DFE1455A15
Malicious:	false
Preview:	<?xml version="1.0" encoding="iso-8859-1"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN". "DTD/xhtml1-frameset.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title> Immunity Debugger API Reference </title>.</head>.<frameset cols="20%,80%">. <frameset rows="30%,70%">. <frame src="toc.html" name="moduleListFrame". id="moduleListFrame" />. <frame src="toc-everything.html" name="moduleFrame". id="moduleFrame" />. </frameset>. <frame src="module-tree.html" name="mainFrame" id="mainFrame" />.</frameset>.</html>.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\module-tree.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	5776
Entropy (8bit):	5.015251852830583
Encrypted:	false
SSDEEP:	96:tixRxHgdOd3hdS3dq/hdf3d2CmoNuiPfbUhol6BBrIHgdOd3hdS3dq/hdf3d2Cml:tixDHLX/9NuCb1ArIHLX/9z8rwM9
MD5:	8BFDB76408BE981DE63E821AC1546799
SHA1:	6570837502E308124D62D7D1CE1A6A0EC8B4BBB5
SHA-256:	09DCD42ECD9254187CCBC1F309A8D1F1B067F3F0A009B7F65F2B798E4825E1D7
SHA-512:	A762920988344E54BD1F6020FC102C5B86311BE913ED8DCED338B09DA5E9144707668E07F17A7C0B61C187B73E279B8468E452F1C36FB1C1113452EF713F5D12
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Module Hierarchy</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">. ==================== NAVIGATION BAR ==================== -->.<table class="navbar" border="0" width="100%" cellpadding="0". bgcolor="#a0c0ff" cellspacing="0">. <tr valign="middle">.. Tree link -->. <th bgcolor="#70b0f0" class="navbar-select". >   Trees   </th>.. Index link -->. <th>   <a. href="identifier-index.html">Indices</a>   </th>.. Help link -->. <th>   <a. href="help.html">Help<

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\redirect.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	4168
Entropy (8bit):	5.060293325116376
Encrypted:	false
SSDEEP:	96:B0Rr/BtkDKX81xJvDNim/JuAYOuG1sDND:ON/kDKwYmU1nG1cD
MD5:	90821ECE588EC5B579A5303EE1AECA49
SHA1:	A6B851E6CAB4A161E14622E197E398CB9078443F
SHA-256:	D1B771B602ACDC0D8F2B28DCE97FD18F0B569BBDF2F7237EB0CE28E7490B084D
SHA-512:	65C0A71F3827BBE67F02172301F2B4C18DEE8A6BA56E1852B6798AFEBB73B12AD017ACE79C6FA8ED3A038DB3211F03EFCC0FF3BA8B81E85EEE76CA1361545708
Malicious:	false
Preview:	<html><head><title>Epydoc Redirect Page</title>.<meta http-equiv="cache-control" content="no-cache" />.<meta http-equiv="expires" content="0" />.<meta http-equiv="pragma" content="no-cache" />. <script type="text/javascript" src="epydoc.js"></script>.</head>.<body>.<script type="text/javascript">. .var pages = ["Libs.librecognition.FunctionRecognition-c", "Libs.librecognition.MultiCSVIterator-c", "Libs.libdatatype.DoubleLinkedList-c", "Libs.libevent.CreateProcessEvent-c", "Libs.libheap.win32vistaheapchunk-c", "Libs.libhook.AccessViolationHook-c", "Libs.libevent.CreateThreadEvent-c", "Libs.libhook.STDCALLFastLogHook-c", "Libs.pelib.ImageExportDirectory-c", "Libs.libanalyze.XREFBasicBlock-c", "Libs.libevent.ExitProcessEvent-c", "Libs.libevent.OutputDebugEvent-c", "Libs.libheap.HeapBucketRunInfo-c", "Libs.libhook.CreateProcessHook-c", "Libs.libanalyze.JMCBasicBlock-c", "Libs.libanalyze.JMPBasicBlock-c", "Libs.libanalyze.RETBasicBlock-c", "Libs.libevent.ExceptionRecord-c", "Libs.libeve

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.debugtypes-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1857
Entropy (8bit):	5.046456959446569
Encrypted:	false
SSDEEP:	48:cKba8xDNATTG0ffBVjBkKu4HfY0b/t35Ky1WA4HQoj:ta8xRAnXffBVjuKu4A0btG3H9
MD5:	0DD977595D3D80144D5BF66B5E5ED4F0
SHA1:	63CF6DCF2895FF36CD4D6D6E6404D3D21DAB78CB
SHA-256:	4B31344C371173B037A75D2B2223FCD90C68C8115D559307576BF76001E08055
SHA-512:	419A77340AAC614C736E36FAB55AB7CDAF0E3F43E3F76999BC1950B1E3CEA91763E652F94D2A3D64F910B9D281135095D312F8BFB357E41C0542A274A3099C45
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>debugtypes</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module debugtypes</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.debugtypes.Handle-class.html". >Handle</a><br /> <a target="mainFrame" href="Libs.debugtypes.MemoryPage-class.html". >MemoryPage</a><br /> <a target="mainFrame" href="Libs.debugtypes.Module-class.html". >Module</a><br /> <a target="mainFrame" href="Libs.debugtypes.PEB-class.html". >PEB</a><br /> <a target="mainFrame" href="Libs.debugtypes.Stack-class.html". >Stack</a><br /> <a target="m

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.graphclass-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.048572717694267
Encrypted:	false
SSDEEP:	24:2d+MKme5bW9SJDlsV4NkTCmrt7pfm8vvjZNaFPMV35Krts1WA4HQfP4j:cKb9xDNErttfmw/t35Ky1WA4HQoj
MD5:	278D8D1B27FAA59098FDA679CB42AFAA
SHA1:	B925FB8AC872F7C61A8BCC187082CF53FFB83717
SHA-256:	C123ED1B33DCDDC615CED76715FBF66E5E96957512DAEB849680F8B51831CC0D
SHA-512:	4187EF49A9E76B3637F7E8892AEF206BDE9C97D2CECCF7FC285A9153E9B72BAB487662694BA0139B7172C150D3CFF03A4921BE795DBF0040253E468DE6599DB2
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>graphclass</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module graphclass</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.graphclass.Draw-class.html". >Draw</a><br /> <a target="mainFrame" href="Libs.graphclass.Graph-class.html". >Graph</a><br /> <a target="mainFrame" href="Libs.graphclass.Line-class.html". >Line</a><br /> <a target="mainFrame" href="Libs.graphclass.Vertex-class.html". >Vertex</a><br /> <a target="mainFrame" href="Libs.graphclass.vcgNode-class.html". >vcgNode</a><br /> <h2 class="toc">Variab

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.immlib-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6874
Entropy (8bit):	5.135496562872601
Encrypted:	false
SSDEEP:	48:cKblxDNs1Df1IJ8ESOaNtHNBad7VdwnCJaTaPYedVaEJtEgs5g+N5a/t35Ky1WAa:tlxRYI2AstHNBadrXGEnEgsa+XCtG3H9
MD5:	D7A8ECDD44970E1B401FCE5CA702F23D
SHA1:	0A384C0183366C06F49C65EF7F1EC3EF8E4CAC23
SHA-256:	CC98428CDFB4A1374AE7C2AF2608109A8AFCB54CBB7238E5C34C69E8A8D2D4D9
SHA-512:	AD197B87FEA9A41C0C8311705E533CD2DAB9F957F3A5ED52FE5D930CB97C616E5C27EC475DBE0B5AFA290545881137A66A9B330E1010F7ECB786BA1C5E90A2B3
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>immlib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module immlib</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.immlib.Debugger-class.html". >Debugger</a><br /> <a target="mainFrame" href="Libs.immlib.DictTypes-class.html". >DictTypes</a><br /> <a target="mainFrame" href="Libs.immlib.HookOutput-class.html". >HookOutput</a><br /> <a target="mainFrame" href="Libs.immlib.StderrToLog-class.html". >StderrToLog</a><br /> <a target="mainFrame" href="Libs.immlib.StdoutToLog-class.html". >StdoutToLog</a><br /> <h2

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.immutils-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	10503
Entropy (8bit):	4.8147613256196005
Encrypted:	false
SSDEEP:	96:tYQxRKFLTz9MFCXRFK6+260qqo2HkQXntG3H9:tYQxUFLTZMFCjK6+260qqo2LM9
MD5:	70FF3EF7BF7F5CA3DD12856EC00E1786
SHA1:	434D4FE9057F6C14BBC2D89983C72E5999440FD4
SHA-256:	734B9DAC2F91E2298F9440850F182B46F48A580EE990D39C57FDB56E59C1A3EA
SHA-512:	D90FC0C79102A075E9B862558E5922CDBC03043F2308E6640083844D3E879B142CE5DE459688B1CB7AD4D62B70D8C02923F6B0A64CB5E7AA6005780507DB16EB
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>immutils</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module immutils</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.immutils.antifloatdict-class.html". >antifloatdict</a><br /> <h2 class="toc">Functions</h2>. <a target="mainFrame" href="Libs.immutils-module.html#IsInt". >IsInt</a><br /> <div class="private">. <a target="mainFrame" href="Libs.immutils-module.html#__ignore". >__ignore</a><br /> </div>. <div class="private">. <a target="mainFrame" href="Libs.immutils-module.html#__retsamearg". >__retsamearg</a><b

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.immvcglib-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	4259
Entropy (8bit):	5.062369125246183
Encrypted:	false
SSDEEP:	48:cKbjxDNSJPHqlrm7+DMdHMoGrLs1oJond0BqfeN57/t35Ky1WA4HQoj:tjxRQKl8GyiX7tG3H9
MD5:	C52B02C907012E9A83B4EB07573F5BF6
SHA1:	995F1A269BB2A72F19AD31D87E3239CC51E3162B
SHA-256:	1BA63EB8D25497EBC5696203825AB93691AEB9AA58EA15C23EF8386CE79C72E1
SHA-512:	F8D2A2D1A0D767FACE32BA44C4656EBDD7EA8996162AF7B81F9C49CD173747B1946B667D0A78249BB33F5541A47B84989CA3C3D170A49ACBD6640A3378D26D8D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>immvcglib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module immvcglib</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.immvcglib.ParseVCGList-class.html". >ParseVCGList</a><br /> <a target="mainFrame" href="Libs.immvcglib.graphTree-class.html". >graphTree</a><br /> <h2 class="toc">Functions</h2>. <a target="mainFrame" href="Libs.immvcglib-module.html#addEndPointToEdge". >addEndPointToEdge</a><br /> <a target="mainFrame" href="Libs.immvcglib-module.html#adjustStartCoords". >adjustStartCoords</a><br /> <a target=

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.internals-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1433
Entropy (8bit):	5.127138648020339
Encrypted:	false
SSDEEP:	24:2d+MKme5bcSJDlsV4NkTCQPHilrRG+T949ffmaN5CGvvjZNaFPMV35Krts1WA4H9:cKbfxDN+PHmvSRfLN57/t35Ky1WA4HQo
MD5:	FF1CA3D860B093F9835847AC91DCED70
SHA1:	931DF0F86B29FEF054AD60B281895ADC4D017A4E
SHA-256:	68552599020CACDC1552E5ED19DAA4FC2923FE52DEF95D6B90DB0FD07172C93B
SHA-512:	2FCAD23FB0C37E8622AD04BE36CA84D43643A951062C78195831D7B48B7B9FAFAA8D9780972FD7ED27F244263C1F7D45C91A7DC1A5E6687FDDD0D0E0E6A1688D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>internals</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module internals</h1>.<hr />. <h2 class="toc">Functions</h2>. <a target="mainFrame" href="Libs.internals-module.html#addGenHook". >addGenHook</a><br /> <a target="mainFrame" href="Libs.internals-module.html#hookmain". >hookmain</a><br /> <a target="mainFrame" href="Libs.internals-module.html#hookmaintimeout". >hookmaintimeout</a><br /> <h2 class="toc">Variables</h2>. <a target="mainFrame" href="Libs.internals-module.html#__VERSION__". >__VERSION__</a><br /><hr />.<span class="options">[<a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.libanalyze-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	8974
Entropy (8bit):	5.183070394823532
Encrypted:	false
SSDEEP:	96:tUxR4TIJSRWpFfNRdJXJgPYXgxr34Q+2b6X7tG3H9:tUxCkg6tdUTr34Q+2bYM9
MD5:	FA8B7C02A775ABA57AF808FCF55AD207
SHA1:	8DA629E1097D64F9B2B49F73543714F4B19265E3
SHA-256:	319DE952E08E631007ACCA3E8C267DB41AC527FA2212C0218C5FA16F3ED41F38
SHA-512:	1794FCB227F39ADDC3183001C4D04A11563E04CE309EEF051F38DE0616FF03E94363D54D8AEF74C2BB270BF91D2721A0DA997CFA3F1C891DF568C2F6A4940309
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>libanalyze</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module libanalyze</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.libanalyze.BasicBlock-class.html". >BasicBlock</a><br /> <a target="mainFrame" href="Libs.libanalyze.Decode-class.html". >Decode</a><br /> <a target="mainFrame" href="Libs.libanalyze.Function-class.html". >Function</a><br /> <a target="mainFrame" href="Libs.libanalyze.JMCBasicBlock-class.html". >JMCBasicBlock</a><br /> <a target="mainFrame" href="Libs.libanalyze.JMPBasicBlock-class.html".

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.libdatatype-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	3299
Entropy (8bit):	5.130127042233085
Encrypted:	false
SSDEEP:	48:cKbbCxDNDnfoCsALayfkcs7raCN5D/t35Ky1WA4HQoj:tOxRDg35aCXDtG3H9
MD5:	7FBBDA9A39EACACEF35DD3A8CCE57C84
SHA1:	C58DF3C6E99E567BE72729E90B58FE69F178A695
SHA-256:	B9F760FB1B10ADC2B24BE7C559068AA4A80B157BE40801C3AB1AF1F79381D1BC
SHA-512:	34FD1AB76D368A1644806C738A894D1BEFB604884EE88867E7841D0A284E19C61C8C8DD82F0467E2F264D2C04AC27B42DA6F60ADA9FF28E1FB6E612F63D42F1E
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>libdatatype</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module libdatatype</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.libdatatype.Data-class.html". >Data</a><br /> <a target="mainFrame" href="Libs.libdatatype.DataTypes-class.html". >DataTypes</a><br /> <a target="mainFrame" href="Libs.libdatatype.DoubleLinkedList-class.html". >DoubleLinkedList</a><br /> <a target="mainFrame" href="Libs.libdatatype.Pointer-class.html". >Pointer</a><br /> <a target="mainFrame" href="Libs.libdatatype.String-class.html". >S

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.libevent-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	2360
Entropy (8bit):	5.072415341775349
Encrypted:	false
SSDEEP:	48:cKbbUxDNJL4aVdfTd3+BGd5B/deRf6lpN57/t35Ky1WA4HQoj:tQxRZV1MQLN3pX7tG3H9
MD5:	4173AC20FAFD49D089A3A4328A5EEBC7
SHA1:	45BBB6E01DAACC827230D6E6A5A94400078CFB07
SHA-256:	C77A6973B3D07693EE8A035F1D1AC8393FA3DD01732ECDB6EA70275CEF08D41A
SHA-512:	97A7073CF5E6572C4DE25ED315966BF8B1BD2A29880B77255B395D61AF4EE1C78EE576AB63E6AC529E4D038A8A7E08CB6535C9CDF8FF583D49D43E30E9C6FB70
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>libevent</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module libevent</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.libevent.CreateProcessEvent-class.html". >CreateProcessEvent</a><br /> <a target="mainFrame" href="Libs.libevent.CreateThreadEvent-class.html". >CreateThreadEvent</a><br /> <a target="mainFrame" href="Libs.libevent.Event-class.html". >Event</a><br /> <a target="mainFrame" href="Libs.libevent.ExceptionEvent-class.html". >ExceptionEvent</a><br /> <a target="mainFrame" href="Libs.libevent.ExceptionRe

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.libheap-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	3519
Entropy (8bit):	5.073735931697678
Encrypted:	false
SSDEEP:	48:cKbbUxDNVhPawrkKI9oFPH5iAjf4N55/t35Ky1WA4HQoj:tYxRWwrkKI98H56XptG3H9
MD5:	1EB681EB34BE1EB108D8DE254C8A3C34
SHA1:	AC40C407706C68B5D2B3018671C916385945CE24
SHA-256:	C3A363030E7AC4B0DF78156F133D063E2A872563CDD555D82AEA93569BD185EF
SHA-512:	6CA9853783EA704E1817512DA57A78977ECFA2F4937E3848D3433F39CC07987FE331A924FA496074BE7E199D852F24EEFCE1091D0179A73AF96A4BD7E787CC42
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>libheap</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module libheap</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.libheap.Blocks-class.html". >Blocks</a><br /> <a target="mainFrame" href="Libs.libheap.Bucket-class.html". >Bucket</a><br /> <a target="mainFrame" href="Libs.libheap.HeapBucketRunInfo-class.html". >HeapBucketRunInfo</a><br /> <a target="mainFrame" href="Libs.libheap.HeapCache-class.html". >HeapCache</a><br /> <a target="mainFrame" href="Libs.libheap.LFHeap-class.html". >LFHeap</a><br /> <a ta

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.libhook-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	3171
Entropy (8bit):	5.102614308124707
Encrypted:	false
SSDEEP:	96:t5xR6Wpk+lsSLDSy1vv53Joi8llIX7tG3H9:t5xhbRhMeM9
MD5:	20B335C34F051A10156C4767494946EA
SHA1:	CFD4BF3E83D8985E9E23CEEA64621C12E733036E
SHA-256:	AE12FF7236D62A7A093EF34F926BC22887F44199DD429B8F08D6963D41B53A82
SHA-512:	08E626B8C5DF62E3C4DB26FAFF647A32A680FD43DA949A9250F06A94F49F39120FA71AC432DF52EA8F8006454398C2C78812EE02A8EF4E5E5119FC7B73360CF1
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>libhook</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module libhook</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.libhook.AccessViolationHook-class.html". >AccessViolationHook</a><br /> <a target="mainFrame" href="Libs.libhook.AllExceptHook-class.html". >AllExceptHook</a><br /> <a target="mainFrame" href="Libs.libhook.BpHook-class.html". >BpHook</a><br /> <a target="mainFrame" href="Libs.libhook.CreateProcessHook-class.html". >CreateProcessHook</a><br /> <a target="mainFrame" href="Libs.libhook.CreateThreadHook

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.librecognition-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	5.148399327419983
Encrypted:	false
SSDEEP:	24:2d+MKme5bbISJDlsV4NkTCoXGNK+G79WkVVfnN5CGvvjZNaFPMV35Krts1WA4HQo:cKbb7xDNqXoMjfnN57/t35Ky1WA4HQoj
MD5:	8911629C73B57ED557A2C4DC06270656
SHA1:	70D2E3D25E6DDF81CA5BC00480FC8349859B4C36
SHA-256:	ED2FEB516FB072DC7C4D420768BB1E15F8E1FCC005DFF98546BE9016ED5FE896
SHA-512:	15B6B5C7217DAE82ED535DC867C56AADEA797CE3E92957453E9FD767007DEA6F613EC13B5391E857FBE609DB89720DA2CC0F017C264B56F61A8686051D91F215
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>librecognition</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module librecognition</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.librecognition.FunctionRecognition-class.html". >FunctionRecognition</a><br /> <a target="mainFrame" href="Libs.librecognition.MultiCSVIterator-class.html". >MultiCSVIterator</a><br /> <h2 class="toc">Variables</h2>. <a target="mainFrame" href="Libs.librecognition-module.html#__VERSION__". >__VERSION__</a><br /><hr />.<span class="options">[<a href="javascript:void(0);" class="privatelink".

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-Libs.pelib-module.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	3066
Entropy (8bit):	5.176858642898826
Encrypted:	false
SSDEEP:	48:cKbyExDN+cEz37LPHbEG9fi9S9RqN5K/t35Ky1WA4HQoj:tLxRj0z7EjXytG3H9
MD5:	F2C16F616EF247AB3703DB2B900C19B2
SHA1:	6EAA9C2A78879FD9C04EBD78C8BAA56EB9FA1445
SHA-256:	2769373EA27A60027B8B1A01510E7B08F70FD904A30FFA60DC5E9B5C3AB10E58
SHA-512:	05DCB406DDC0077CFB0D8543222CD43137E031EDA1795C6DDDEEF559072CDCDD78541C1832FF1751EC98CAABA1B2CA1C455C30B3748D9BA1B2728E8F641FE41D
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>pelib</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Module pelib</h1>.<hr />. <h2 class="toc">Classes</h2>. <a target="mainFrame" href="Libs.pelib.Directory-class.html". >Directory</a><br /> <a target="mainFrame" href="Libs.pelib.IMGOPThdr-class.html". >IMGOPThdr</a><br /> <a target="mainFrame" href="Libs.pelib.IMGhdr-class.html". >IMGhdr</a><br /> <a target="mainFrame" href="Libs.pelib.ImageExportDirectory-class.html". >ImageExportDirectory</a><br /> <a target="mainFrame" href="Libs.pelib.ImageImportByName-class.html". >ImageImportByNam

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc-everything.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	44846
Entropy (8bit):	5.059505596197432
Encrypted:	false
SSDEEP:	384:tQxCYNE9n007K4wR/jj4oQv3gyNXO1Ry9:WxCYNu3xO1RY
MD5:	250F07D568B76B90DDA5D1C332FBE7E8
SHA1:	A2E3B91105DA0AFFF8643026B29D67AA993873A4
SHA-256:	FB472D11BC1EFA220203E391503C14308D6360253CAA480CD398171AB4A9013B
SHA-512:	C57C0AAE1D5171119DB14B4CCD189F9F8784BF53E764EFF0EBF4DDBF017F09063D578CD9A0C878F03CD3EEA66C923B75A1047E3CA27CABE36718EE0A6DF53D98
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Everything</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Everything</h1>.<hr />. <h2 class="toc">All Classes</h2>. <a target="mainFrame" href="Libs.debugtypes.Handle-class.html". >Libs.debugtypes.Handle</a><br /> <a target="mainFrame" href="Libs.debugtypes.MemoryPage-class.html". >Libs.debugtypes.MemoryPage</a><br /> <a target="mainFrame" href="Libs.debugtypes.Module-class.html". >Libs.debugtypes.Module</a><br /> <a target="mainFrame" href="Libs.debugtypes.PEB-class.html". >Libs.debugtypes.PEB</a><br /> <a target="mainFrame" href="Libs.debug

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\Ref\toc.html Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	3467
Entropy (8bit):	5.015321938951849
Encrypted:	false
SSDEEP:	48:cKb8xDNPrFsUJ6D0bvdEDCd5XJRFhdTFp1vx/t35Ky1WA4HQoj:t8xRPxZJ6D0zVd5XJRFhdTFp1vhtG3H9
MD5:	02CF5197FB29E535A763C4C42ECA2BD8
SHA1:	F6FB3482B690BE3187FF3B01F2DB36216EFFC475
SHA-256:	41A4AFB48AFF838D221622A6732FB26561D759373789898B68B019CBFFF6A6A3
SHA-512:	8A1E0704D0C832D3492E06746D32D0984FA723EA00D48516095AD1B1F415622F365B50ECC5697BD1EB632B73D3BD30C285BA624AAA38484E06BB28CB597669C7
Malicious:	false
Preview:	<?xml version="1.0" encoding="ascii"?>.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>. <title>Table of Contents</title>. <link rel="stylesheet" href="epydoc.css" type="text/css" />. <script type="text/javascript" src="epydoc.js"></script>.</head>..<body bgcolor="white" text="black" link="blue" vlink="#204080". alink="#204080">.<h1 class="toc">Table of Contents</h1>.<hr />. <a target="moduleFrame" href="toc-everything.html">Everything</a>. <br />. <h2 class="toc">Modules</h2>. <a target="moduleFrame" href="toc-Libs.debugtypes-module.html". onclick="setFrame('toc-Libs.debugtypes-module.html','Libs.debugtypes-module.html');" >Libs.debugtypes</a><br /> <a target="moduleFrame" href="toc-Libs.graphclass-module.html". onclick="setFrame('toc-Libs.graphclass-module.html','Libs.graphclass-module.html');" >Libs.graphclass</a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Documentation\pelib_COPYING Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1441
Entropy (8bit):	5.22530965032693
Encrypted:	false
SSDEEP:	24:JEf93UnzobbOOrPFTtTJyFTzw+BCaTPZ9inc432smBOkJ/RO232sWyxtTfr10TnV:JYvOOrPJOJzpCuPDinc432s4l32sWEt+
MD5:	2AAAB150927386507B73B0A808551ABD
SHA1:	0598CE41F9AD285F17127328E0AA0C7998B350D4
SHA-256:	2496EDD489D0712399ABD1C5E72799B9A05788AD23C9FBDFB6A53A38F1A6DEE8
SHA-512:	ED185D7F734B57D4E5A6C32478181CD2B699BAD6CC60ED48D7412D40C1BC376CE1B093C800716BAC51C5574BC08399F5BC5239AAA8E4B13705871704C941F4A3
Malicious:	false
Preview:	Copyright (c) 2004, 2005, 2006 Ero Carrera <ero@dkbza.org>. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are met:....1. Redistributions of source code must retain the above copyright notice, this..list of conditions and the following disclaimer. ....2. Redistributions in binary form must reproduce the above copyright notice,..this list of conditions and the following disclaimer in the documentation..and/or other materials provided with the distribution.....3. The name of the author may not be used to endorse or promote products..derived from this software without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED..WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF..MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO..EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDI

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2853888
Entropy (8bit):	6.511143885202333
Encrypted:	false
SSDEEP:	49152:n4/h6muhf2UXepyGIq/c2xfOx8GlN5rqQvT3FCgCIQLFZ8eZx/iOsRnBG9U:4/ruZ2UXepyGI9+OxZlN5PvTAgCIQLwZ
MD5:	E316774002199E940E042C34695F1CAB
SHA1:	9238302CEFEE59008649FE925437930C1474F426
SHA-256:	6847711E7782729FAC009EDE5FC3EA5ED6CA54FF582EED3386C1F74D83E1A372
SHA-512:	3604DED0D17F0EBDCDD0B8E831E0D556D4D164341D8362789D4E1328870452118E5E694084A63CB25BAB63F9EF54E58D3B07DE617F163C9141FBBB1FACB4CA07
Malicious:	false
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.;O......................+.. ................@.........................../......U,....... ......................@).b....`)..6....).4........................n............................)......................h)..............................text...h...........................`.p`.data...............................@.`..rdata...\.......^..................@.`@.bss......... %.......................`..edata..b....@).. ....%.............@.0@.idata...6...`)..6...0%.............@.0..CRT..........)......f%.............@.0..tls.... .....)......h%.............@.0..rsrc...4.....)......j%.............@.0..reloc...n.......p....*.............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.ini Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8181
Entropy (8bit):	5.254381953517471
Encrypted:	false
SSDEEP:	192:RhyMjbrQoXWoi4WH4XgJzxsNTALMnKQcFhqLPiuXB+ng2+JBZJ6b0:RhyZ/Cy2jA4mqc/+JJ6g
MD5:	193F3E1849B376A93DBD08E6EFA81588
SHA1:	A769A170CE428245953E834F1B1A0D0BAAD4CC9D
SHA-256:	F7CF9D1B1DE760F0431BE6616747894C1B245D8397BD82DE640F584654DE6143
SHA-512:	B55E5B64ED9E651C2146073813EEE7EB1ADDF487C6E455E20C911C841A07EE45D0F1B5A4BC3BE4CA204909C2E67175890C9DC9E9B74D8C30FDEEAB27AA0B7883
Malicious:	false
Preview:	# Proxy settings:..# Use Proxy = 0 : Dont use proxy..# Use Proxy = 1 : Use proxy..# Use Proxy = 2 : Use proxy with BASIC auth..[Proxy]..Use Proxy=0..Proxy Ip=0.0.0.0..Proxy Port=0..[Settings]..Auto update=1..Check DLL versions=0..Show toolbar=1..Status in toolbar=0..Use hardware breakpoints to step=0..Restore windows=4271..Scroll MDI=0..Horizontal scroll=0..Topmost window=0..Index of default font=1..Index of default colours=0..Index of default syntax highlighting=0..Log buffer size index=2..Run trace buffer size index=1..Group adjacent commands in profile=1..Highlighted trace register=-1..IDEAL disassembling mode=0..Disassemble in lowercase=0..Separate arguments with TAB=0..Extra space between arguments=0..Show default segments=1..NEAR jump modifiers=0..Use short form of string commands=0..Use RET instead of RETN=0..Size sensitive mnemonics=1..SSE size decoding mode=0..Top of FPU stack=1..Always show memory size=1..Decode registers for any IP=0..Show symbolic addresses=1..Show local

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\LICENSE.txt Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	19286
Entropy (8bit):	4.728361636288109
Encrypted:	false
SSDEEP:	384:Epybj0a0OijIpP1z7kH0QD6NEnrX5j8AAOvmG:ECj/0WsH0Q6NSrX5jjAq
MD5:	B3A145AE6C9D69EBD02342CD6467B958
SHA1:	84296C6F8F6C97D0A1AB05901D3090A7FBD59B5F
SHA-256:	710C63494EEB4630BA1C6E68F1C047BE40B54D93DD71BD7AF138CAE6B3F269E7
SHA-512:	D9A0E0AADC7400E757F9FE26315B245EBF6874158230B7C0E59A98EAE01DCBC77F04A67C2DEEEF238BD2B3549150DD94828526A721916ECD00964DFC90FE9EFE
Malicious:	false
Preview:	Last Updated: February 11, 2009....IMMUNITY, INC.....SOFTWARE LICENSE AGREEMENT....THIS LICENSE AGREEMENT (with the schedules annexed hereto, the "Agreement") is made as of the day when registered on the download server between "Licensee", the user of the software, whether corporate entity or individual, and Immunity, Inc, "Licensor", a New York State based company with primary offices at 1130 Washington Avenue, Floor 8, Miami Beach FL, 33139. If the Licensee does not agree to the terms described within this document, the Licensee is not authorized to install, copy, or otherwise use the Software.....W I T N E S S E T H:....WHEREAS, Licensor is in the business, among other things, of licensing the proprietary software more particularly described in Schedule "A" attached hereto and made a part hereof, which, together with the object code, registration key, documentation and other materials are collectively referred to herein as the "Software"; and....WHEREAS, Licensor owns or has the lic

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\__init__.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.066108939837481
Encrypted:	false
SSDEEP:	3:gJm+HJjTIGQ+c:g39IGVc
MD5:	083CE59FA1F01B0CFCA3AA28FE8F817B
SHA1:	DC8FC5D89C094CA5934FF8AE2DB8D38CAD1AEFD0
SHA-256:	25C7E17B3576BCF4F237BDA942772741CDC7684F616893F9C94F5034A3C3B896
SHA-512:	B08AE1E18F4F98C71F9772C5D4875698842390E0F4144099893C7D199CF7445233923374503C47568FE2CB3B91E9B54D2739A14FF2EB11BA621600D4CE16274C
Malicious:	false
Preview:	all = ["immutils"] #for now.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\codegraph.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	7964
Entropy (8bit):	4.1536842630846955
Encrypted:	false
SSDEEP:	48:x/Jhp844JCLUC6e5lOs2PpChE27gwLFdl7glL8DrQNCzgh6KdQdYDd4+EdOJdGkT:x/Jhp89UDxd7LFzsL8DihEWlpu+sw75
MD5:	8A5435D8A12FBA55533D0A52D5DCD639
SHA1:	501073066D2E8146B606AAD553B68009A6A0591E
SHA-256:	D16B1AACABF3F18BDB3EC24597929353D61C517FB42EEAE8835959F8245B64E5
SHA-512:	73A583B0978F147C99292E5E64F9AED05DA9327E5F4CFE3FB829974ED7343C926537896A70197F829E07C179040005C97FA109E86420558D70185D32B262A535
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	from immlib import *....class BasicBlock:.... def __init__(self, start_addr=None, start_op=None):.. self.start_addr = start_addr.. self.end_addr = None .... self.start_op = start_op.. self.end_op = None .....# A list of instruction objects in the current Basic Block in ...# address order...self.ops = [start_op].... def __iter__(self):...for op in self.ops:... yield op.... def __str__(self):...return ["\n".join([op.address for op in self.ops])].... def log(self, imm):...imm.log("BB @ %s" % hex(self.start_addr))...for op in self.ops:... imm.log(" %s" % hex(op.address), op.address)....class BasicBlockGraph:.... def __init__(self):.. # Dictionary of addresses to basic blocks .. self.basic_blocks = {}.. # The outgoing edges for a basic block identified by its.. # starting address. A dictionary of addresses to a list of.. # addresses of basic blocks that the address may branch to .. se

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\debugtypes.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	35028
Entropy (8bit):	4.524937941933262
Encrypted:	false
SSDEEP:	384:fUYFtbiXUcEszhqYLUfJo2pesssR2NScc5:Hs4YLUfJo2pOT4
MD5:	7953856FB7D77187C5D7A61F7E569FAE
SHA1:	3B658FE896049955BCC58AC06EE2FBF710FB6DBA
SHA-256:	3DC3D51E2B2163EC34B1ACC912B1C25544478C844D8A24468C6824C4551D4EF7
SHA-512:	EB057CD47E866D788EE57DBDA39EAC98AF9B6BB06E0A49A3E96A629DC8A3A0AB8837CC7DC091942D0086D32CBC6061364B17F6359BAEE0092478CF02394E1815
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/usr/bin/env python..#..# vim: sw=4 ts=4 expandtab...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}......"""....__version__ = '1.0'....import debugger..import struct....###ulong..# handle = handle..# handles[handle][0]=type..# handles[handle][1]=access..# handles[handle][2]=data1..# handles[handle][3]=data2..### int..# handles[handle][4]=refcount..###char..# handles[handle][5]=htype..# handles[handle][6]=username ..# handles[handle][7]=nativename....class Handle:.. def __init__(self, handle):.. self.handle = handle.. self.type = 0.. self.access = 0 .. self.data1 = 0.. self.data2 = 0.. self.refcount = 0.. self.htype = "".. self.username = "".. self.nativename = "".. .. def _getfromtuple(self, mem):.. self.type = mem[0].. self.access = mem[1] .. self.data1 = mem[2].. sel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\deplib20.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	42631
Entropy (8bit):	4.246103980406698
Encrypted:	false
SSDEEP:	768:W7T/Wq4H34iKd5cOehSV69QE+/LoFdJa6AH+at3TlNxUdjQPM+1GKmW:k/Dq8Ex8+U3TlN+djQPM+4KmW
MD5:	2620B52641546491E7B12C24B010B137
SHA1:	0BD6CFA9A9BDB7BD40A973D0FBADF245EAD17A50
SHA-256:	0B99BBA73E82CBD6ADE7370B4F7A1C718700234CD53C7446A54A22636ACA650A
SHA-512:	CE1A85F42DC5EF8793885EDB66FFD2AEBD1900A69647DF76EEDA8F165334B203D22942734A5A079A2225A607217C626180C714E4FC877AAE701262A016E41CBC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	from x86smt.sequenceanalyzer import StateMachine.from x86smt.prettysolver import PrettySolver, Expression.from libgadgets import GadgetsDB, HashesDictionary, PropertiesDictionary.from immlib import .from copy import deepcopy,copy.from vars import VAR..class deplibCompiler:. def __init__(self):. self.operations={}. self.handlers={}. self.cmdList=[]. self.uses={}. self.defines={}. self.variables={}. self.protectedVarsRegs={} # this is a dict using the same index that cmdList, vars/regs here should be considered protected. # on command's ENTRANCE. self.labels={}. self.searchHandlers().. ############### generic handlers management ###################. def searchHandlers(self):. tricks=__import__("deplib.tricks", globals(), locals(), ""). for modname in tricks.__all__:. if hasattr(tricks, modname):. mod = getattr(tricks, modname).

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\libfinder.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3641
Entropy (8bit):	4.422608310148451
Encrypted:	false
SSDEEP:	96:5eNHq/5Ac902/VcdPFrFCNuQ3rlP9SJ3K:5gkL02y7w13ra3K
MD5:	832789FEB81B3F903C93EB5DFC586EDC
SHA1:	A44F4F583AD2F04D7A51F593DBF724CE46993EBE
SHA-256:	15E5ACFEE80C891EB3C0FC82D6537484E7EAE9DEB1B0B01F000A7017C0BEBFFD
SHA-512:	804518177654733C97A7F6435B6F94A43B409DB4E4862009DDB8D268C0F76683B5C8F50C6AD9C3D750AD221F2FC966061B99EFC3F3E5B553C9B958D7C500468A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	from deplib.libgadgets import *..class GadgetFinder:. def __init__(self, imm, modules=None, dbname=None, dbtype=None, host=None, username="", passwd=""):. self.imm = imm. self.gdb = GadgetsDB(imm, dbtype, dbname, host, username, passwd). . if not modules:. self.modules=self.gdb.get_all_module_ids(). else:. self.modules = self.gdb.get_module_ids(modules). . self.bases = self.gdb.get_module_base_from_id(self.modules). self.hashesDict = HashesDictionary(self.gdb, self.modules). self.propsDict = PropertiesDictionary(self.gdb, self.modules). self._debug = False.. def allOK(self):. if not self.gdb.db_connection:. self.imm.log("[!] Could not connect to db, exiting..."). return False. . if not self.modules:. self.imm.log("[!] No valid module was found"). return False. . return True. . def searchByProperties(se

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\libgadgets.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	32270
Entropy (8bit):	4.467113837664544
Encrypted:	false
SSDEEP:	384:Z5/hQQt+2hwnOru9kMs+1iLxNk3C1DkyGjDk/xjOSJR4UAWOtcmxkSHAqD+QkJV/:D5EK4tAHVZH/1C/6B5CMnwmV
MD5:	F2749C7C311800C49B81212516638C18
SHA1:	013CCB8F49BA03C994F4296AE4AE5F1CBA35A5F2
SHA-256:	1B441FA408A6D3C67FC110FCBFCE8FC1349F9D44BB184E08823A8FEFA92C4899
SHA-512:	68C6A78CE75C1681D166A67B60114DD3548C083EBA462FF4E8854292483F3F06358FA2F0EE8258AAA9162EF30B4E9D2C75287CD19BAD8671111BF506BCC83406
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	""".This library has two main uses:.- To create and populate a gadget's database (mainly using the function add_module_entry..- To retrieve a specific gadget from a database, either by hash searching or by property searching...To do a hash-search you need the output of hashState() from a StateMachine class instance, so the typical .usemode is to use an empty (just instantiated) StateMachine instance to model your gadget needs (like setting a register or whatever).and using it to calculate the hashes for the search..It also needs a cache of hashes, so that we dont search for the same hashes twice, this is accomplished by instantiating a .HashesDictionary class..Using this two arguments, you can execute search_by_hashes(), which is a generator that returns a 3-tuple (module_id, offset, complexity) .for each gadget it founds that meets the given requirements...A properties-search is quite similar to this, but it might be executed without a StateMachine instance, using the translate_proper

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\tricks\__init__.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.595771751139549
Encrypted:	false
SSDEEP:	3:JSxzMdMVwujXPHBwCnEodivRFo+iQWcdF/M5wMRRlLKFp/YCFHLs/n+LE/A1Yln:azLVzz6uEosRIzcdFE5PHuvrtQA1C
MD5:	F56AF2B5B1DE2B7C3F1D6D46C743EAC6
SHA1:	850BE01140783B985DE03B338AE1C4BA81954E5A
SHA-256:	9A552854755DF948E4778542060DD0877B075FF8E569BCB9DDF7135A02A2E408
SHA-512:	5B33A2ED7B30DD23C5013002985E1863516E144E72EB11FF16B0802A48615FD7CC197AE90362D0AA6ED045A91FC73BA8E3DBF96D0AAF251ACA73EEEFEC73B2E2
Malicious:	false
Preview:	import os..files=os.listdir(os.path.join("Libs","deplib","tricks"))..__all__ = [].for f in files:. if "__init__" not in f and f[-3:] == ".py":. __all__.append(f[:-3]).

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\tricks\basic_arith_tricks.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	139
Entropy (8bit):	4.832770412421141
Encrypted:	false
SSDEEP:	3:P42NhsacqSQkcacq1FGNAGOFf4RF1JKRDRELvgQACNtNR2XX9EyqInn:w2N6anTaJ8S70FDCDo4QACNtDYJqInn
MD5:	03DA1A5E64D5B183EC79303D8986A91E
SHA1:	7F777AB0750E8DCBDB638DFC12F926900AA4770B
SHA-256:	B6FBC96FA6CB55F7244C11F5075DC5469ECFD98682DE47EA516E23199EC33E26
SHA-512:	EB61C63A16B408625E9284EFA3AAB0ED5B90E4D603F1B843933821544AC953CB52AD8563B2895C8D24A9C79987A0ED263AB449974CC7D451677DD489745ED1CE
Malicious:	false
Preview:	""".- ARITH R1, R2.- ARITH R1, CONST.- ARITH R1, CONTEXT.- check context if handling constant values (it might already have that value)."""

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\tricks\basic_mov_tricks.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.0920968953266375
Encrypted:	false
SSDEEP:	6:wQfnPasNlSqzNnL6ULRc9YJqInvh5yj2bGuc3DAI9ymGuc3mEs7HiEUCs82yjvZS:wAPasNlSqzNLHlGYJvvhsj2bGuc3DB9S
MD5:	1E5D357FBDD6A1F2169BE01244F99074
SHA1:	527E0C27F942BBDAD37A88184A7192AE8A114A91
SHA-256:	90583772C6790BC5198CDF48DEB643B6EAF103A5D5F25733B98E323F2B9E40DA
SHA-512:	D96A107043A9901F6028FEF24CCAADA488287A6A95A74AC9CD443D800A1CAC6D9D3982768E99A6F14A96112A665B99F0E598E79A08B2C564AE183F8EEA2E8583
Malicious:	false
Preview:	""".- pop REG.- POP R1/POP R2/SUB\|ADD R1,R2.- POP R1/SUB\|ADD R1, CONTEXT.- MOV REG, CONST (check current context, it might already have that value)."""..def init(instance):. instance.register_operation("mov"). instance.register_handler("mov", myhandler, pref=10)..def myhandler(finder, args):. print "myhandler:",repr(args). return True..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\tricks\labels.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.502660296636254
Encrypted:	false
SSDEEP:	6:IThbgAFcvXEGC0sPksB5yj2bGuc3DAI9WEE+gZBnbGsNF8UFGukQGuNha3Q/FSTz:olFmfE02sj2bGuc3DB9WEHgrniqFyukb
MD5:	5317F053030E34E7E53B66B332F51A10
SHA1:	AC4C2F7CEB744A998F47C6622759FD88F9EBFA89
SHA-256:	E8F994AD96132DDAA24072A1AB10F5A203547DB57812940D655FD31EDC23ADC3
SHA-512:	8A27382522194C9A722FE2B051E6A2C56327951C8673EE3F646F0E387E5C619E13F99EB16B9DCE5B47709A6ED4E1B71EE1C01E6D0032E149C4C3ACAAC1362B92
Malicious:	false
Preview:	""".Used to define labels where you can jump to, it doesnt specify a new command per se..."""..def init(instance):. instance.register_operation("label", analyzer)..def analyzer(c_instance, name):. currentCmd = len(c_instance.cmdList). c_instance.labels[name]=currentCmd. . return None #do not add a command for this.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\deplib\vars.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	11080
Entropy (8bit):	3.9997701111565602
Encrypted:	false
SSDEEP:	192:94GUo5NbK4fcKV4e8CcZc2k0BLqYaknkQvWzGknpkvpkWkLzPkzk3LqkzksCk17n:9we30Oknk7zGkpkvpkWk3Pkzk3WkzkxG
MD5:	F70F52B59316F5FFC2D8D514760A0B1E
SHA1:	BB75086054A59109358B1059336C6A972838E2FC
SHA-256:	447089656287AD34BD91A2EF5015489238A0EED1D1C32ED7BC25B2D3299D21AE
SHA-512:	27D19D5D0986E52F0B5809C6E59BDD1F91E1F232BF75CE4B3E0C73B3E372D65395864FAA399335C9DF64FC7912DCC842A0D85BB354004A2953F3EC376C630652
Malicious:	false
Preview:	""".Variables are always DWORD size (on x86 processors).."""..import random..class VAR:. def __init__(self, compiler=None):. self.containerType = None. self.containerValue = None. self.compilerInstance = compiler. self.uniqid = random.randint(0, 0xffffffff). self.forcedReg = None. self.allocatedMem = False.. def release(self):. self.containerType = None. self.containerValue = None.. def bind(self, containerType, value):. """. Bind a variable to a real container (a reg or a mem area). containerType == reg/mem. value = if type == reg: Register Name. if type == mem: a tuple with:. ([index1, index1factor], [index2, index2factor], constant). it accept smaller versions, ex:. EAX, ([EAX,2]), (someVAR, 2), (EAX,[EBX,4]), (EAX,[EBX,4], 0xcafe). if type == memexp: direct Expression (as returned by finder.alloc() for example)

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\driverlib.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13944
Entropy (8bit):	3.990451631016729
Encrypted:	false
SSDEEP:	96:z5u+EFQaQdn0GyZ2kUPPJrL/8hYlryff38G3rCYeLwDjf9hvL4f+Lj9P+gNQ+aRi:wtN2kU5rL/8qlryf3NeLWf9JjMJjrA
MD5:	C88F0F1A770DC61A5FEA1A790B7AD1B2
SHA1:	33880C345DA645140720E4F8B8EC648BDE3F277C
SHA-256:	FBE67B37399F1E3D1DD5FCFA92A0A1A4E41318CB4C41804481F49D33E08C248F
SHA-512:	61230D9B67BE3C8511B13B8046E8E4E9946240EF46AB550D86F651492F2500C17644A5415F2B6321A923EE3BE6DC556636F72568E777504E1D3420FE358B0A45
Malicious:	false
Preview:	#!/usr/bin/env python..""".Immunity Static Driver Analysis for Immunity Debugger..(c) Immunity, Inc. 2004-2006...U{Immunity Inc.<http://www.immunityinc.com>} Debugger Driver Library for python..."""..__VERSION__ = '1.0'..from immutils import .from immlib import ..import struct..class Driver:. . def __init__(self):. . # Globals. self.imm = Debugger(). self.IOCTLDispatchFunction = None. self.IOCTLDispatchFunctionAddress = 0x00000000. self.IOCTLCodes = []. self.IOCTLCodesLanding = {}. self.deviceNames = []. self.module = self.imm.getModule( self.imm.getDebuggedName() ). . # Do some quick setup. if not self.module.isAnalysed:. self.imm.analyseCode( self.module.getCodebase() ). .. def getIOCTLCodes( self ):. """. Useful function to root out IOCTL codes from a driver. .

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\graphclass.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	12534
Entropy (8bit):	4.505074441933443
Encrypted:	false
SSDEEP:	384:fbuMwsLEyKKAn9VBqR44EpQv4lElc3FEOb:fbn15llG
MD5:	57E879293A379672BD24B7E49FF1CE4E
SHA1:	961A2D4B78E9C2F48ABF2D42309EA2811CAFC991
SHA-256:	A361A6A1656EE54CF18F46578AC9E2B635B3490B499C39257DACA632CA7B3945
SHA-512:	68956885EC9C929D3A5B60360768EF3025E1D7E56AC91640C3D86F475D7D45CEFD71BC0B4A1E6C03FDF8D53A4595331FCF72691304CFEAA703AE60C51B9B050C
Malicious:	false
Preview:	#!/usr/bin/env python.."""..Immunity Debugger Graph Lib....(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>} Graph API......"""....__version__ = '1.1'....import debugger....#colors from graphics.hpp....ImmDrawColors = {"Black":0,"Maroon":128,"Green":32768,"Olive":32896,"Navy":8388608,"Purple":8388736,"Teal":8421376,\.. "Gray":8421504,"Silver":12632256,"Red":255,"Lime":65280,"Yellow":65535,"Blue":16711680,"Fuchsia":16711935,\.. "Aqua":16776960,"LightGray":12632256,"DarkGray":8421504,"White":16777215,"MoneyGreen":12639424,\.. "SkyBlue":15780518,"Cream":15793151,"MedGray":10789024,"red":255,"darkgreen":32768}........class Graph:.. def __init__(self):.. self.vertices=[].. self.edges=[].. self.nvertices=0.. self.nedges=0.. self.handler=0.. self.height=0.. self.width=0.. .. .. def setHandler(self,handler):.. self.handler=handler.. ..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\immlib.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	99078
Entropy (8bit):	4.383216997889504
Encrypted:	false
SSDEEP:	1536:TYpW+sG+hCgkBD9s1UpTQsXogIxxCNOq6wTTsnG3J:TJ+sG+hCgOZs1UpTQsXoENOq6wPsnG3J
MD5:	852E127FD6DB5C4853565FBAC5EA5B95
SHA1:	F4084A306BC1FCF19FFC96B19488CE301AF2F89B
SHA-256:	2EB75DB6C1B3B2FFF687A564875F7198765E4302790E1E8E35A888D3D3B7AAD6
SHA-512:	EE9FC6210AF5D1ADA3C1731A8FD961EB158B99CF17B86C8E9451181DEBD8918DE7B673F050DF77C6CE6BC4D1A11B6B53186A364E13D2AF0EE8B3B5DF3F343948
Malicious:	false
Preview:	#!/usr/bin/env python.""". Immunity Debugger API for python.. (c) Immunity, Inc. 2004-2007... U{Immunity Inc.<http://www.immunityinc.com>} Debugger API for python... """..__VERSION__ = '1.3'...import debugger.import immutils.import string.import time.import struct.import pickle.import cPickle.import libheap.import sys..from libhook import .from libevent import .from debugtypes import .from libanalyze import .from librecognition import FunctionRecognition.from libcontrolflow import ControlFlowAnalysis..# CONSTANT.BpKeys = {"VK_F2": 0x71, "VK_F4" : 0x73}.BpFlags = {"TY_STOPAN": 0x80L, "TY_SET": 0x100L, "TY_ACTIVE": 0x200L, "TY_DISABLED":0x400,\. "TY_ONESHOT": 0x800L, "TY_TEMP":0x1000L, "TY_KEEPCODE":0x2000L, "TY_KEEPCOND": 0x4000L,\. "TY_NOUPDATE":0x8000, "TY_RTRACE": 0x10000}..# Hardware breakpoint type flags..HB_FREE=0 # Breakpoint is not used.HB_CODE=1 # Active on command execution.HB_ACCESS=2 # Active on

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\immutils.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	23368
Entropy (8bit):	4.91052236306356
Encrypted:	false
SSDEEP:	384:2blnII4DzmDQEopG8E1I7XWzsAbEtHQm2kprgk2Xoe6wSgi+qspgViwt6f2X4uTM:25TozcQEopG8E27XWzs20Bfprgk2Xoep
MD5:	84D50AB88158720F57FA9949BA045FBD
SHA1:	F79E1E9543D74C58EFCE1141E4D17BD04BE0665C
SHA-256:	6967B354B3249E733B39F705F810000C56F13EFFEF33355F0F2A2C8FA6914DEF
SHA-512:	F37D6477F9F50578A1051E60F7CBA6A4EE15C5C99F3ECF983728BBF03A303976DCABA3E6FE51B8BEE1637AD1F05E58641FF74A6B6DC9A1B09D76D323D3BBEBF1
Malicious:	false
Preview:	#!/usr/bin/env python..""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}...MOSDEF utils for non-CANVAS users.."""...__VERSION__ = '1.0'..# TODO check:.# -----------.# cparse: dInt.# spark: prettyprint.# x86opcodes: issignedbyte, intel_byte, intel_2byte.# pelib: hexdump.# mosdef: isprint, strisprint.# makeexe: binstring?..import sys, os..#try:.# from internal import .#except:.def __ignore(args, **kargs):. return False.def __retsamearg(arg):. return arg.devlog = __ignore.isdebug = __ignore.warnings_safely_ignore = __ignore.warning_restore = __ignore.deprecate = __ignore.uniqlist = __retsamearg..#####################################################.#.#.# dictionary class that hold floats as integers.#.#.#####################################################..import types..class antifloatdict(types.DictType):. . def __init__(self, arg = {}):. if type(arg) == types.DictType:. d = {}. for item in arg.items():.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\immvcglib.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	55277
Entropy (8bit):	4.413414961257396
Encrypted:	false
SSDEEP:	768:9ocIDa/zd0I6UO8hDAadujoxDu9sn2/lKW:9ZIDaqUnFuO2/lB
MD5:	60B53112F8A6194CCAC13DB6C809EB4D
SHA1:	CC6283725649625C092A9CF4F83F6F2B7B0AEC79
SHA-256:	4C41BBEA7D3EDE855A31DA80C898A1C819DEA158CE26193FECD768BB9E036BE7
SHA-512:	87AF68E3673F5C460F3396C2FAE9B493B62119767714B037FDC7DF7EE020AE00C082E45B05FB9EFA1B4168EF95CA7BE6AC4FDDD151898C8C4BCD5451067A7FCC
Malicious:	false
Preview:	#!/usr/bin/env python..""".Reads vcg buffer and creates the graph using Immunity Debugger lib..(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}..."""..__VERSION__ = '1.2'...""".NOTES:.need to divide graph in layers.save max layer in graph.every set of childs [unique and different part vertex] E a different layer.save vertex of layer in each layer.mark blank path points in each layer [i preffer path points to dummy vertices] ..for layer in layers:. move east and west vertices, depending on their type *..pathfinder(graph). search empy spots where edge lines might travel. . .a cool thing might be mark the whole graph as east-slanted or west-slanted, according the graph.the n east or n west it will move..if the graph is slanting too much to east from center point, we can start thinking on going west.that can be too fuzzy, but will try to make an aproach for human eye...new lib against old lib:.orphan vertices from old lib has been solved, now every vertex ha

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\internals.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	4.804609846305207
Encrypted:	false
SSDEEP:	24:zcWC2Z5fEtyQLzLGaKAhVEF4PBo89EQLzLGaKpThVEF4kBludRsvE:z/CmfENGavsuPBo8bGa6TsukBEj
MD5:	96EE9B421E6D6B1B390F32ED741214EA
SHA1:	DAF20812E24AFDE891FD22E92E1C7E7482DF9BA9
SHA-256:	3C08E268A4B52244FE2364070364E6B49F9377AA0819B2ABFD32ACB7E29C37B7
SHA-512:	FAFDCEE3980C862E143CAECD4BC1AD1E121EC5F163B95F4598C38D07128ECCBFF85A30425D0B2AA4D82F651CEC54AE5F2661EC5C615010ECDF45381A7B229F39
Malicious:	false
Preview:	#!/usr/bin/env python.."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}......Internal libs......"""....__VERSION__ = '1.0'....import pickle..import immlib..........def hookmain(pickled_hook,regs):.. """Auxiliar hook function.. get pickled hook instance and execute run()""".. imm= immlib.Debugger().. hook=pickle.loads(pickled_hook).. if hook.enabled==True: #only enabled hooks will execute.. hook._run(regs) #be sure this method is actually the one you want executed with your hook......def hookmaintimeout(pickled_hook,regs):.. """Auxiliar hook function.. get pickled hook instance and execute runtimeout()""".. imm= immlib.Debugger().. hook=pickle.loads(pickled_hook).. if hook.enabled==True: #only enabled hooks will execute.. hook._runTimeout(regs) #be sure this method is actually the one you want executed with your hook.. .... .. ..def addGenHook(object):.. imm=immlib.Debugger().. imm.addGenHook(o

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libanalyze.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	36638
Entropy (8bit):	4.476328347697063
Encrypted:	false
SSDEEP:	384:Qm8tyOwr28RnbzCYOAwEELGJ7Cdd/9OgfluBcqrq+ge05R0YduGuDZXuSNb:QyOwr28JzCYVELGJersgixrJgFG1Z+SF
MD5:	741D1317D98A7B1DE42D30C49E652337
SHA1:	1CACC5F2D1336FD973AB790D73DC894C12E5A984
SHA-256:	5F93E0ECA473F09DAB647719DF85EB33F11CFAFB9444FF00C0A5C5FD098BB896
SHA-512:	ED910F96F43C730D0324AEDB4B7935A187D3DF303D548A2525CA5B3B36CE505F3F780CC0F7A5934DC092E9C59A3E2949BBB42D56CD23FCAF59F0A1FCD9CA2342
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}......"""....__VERSION__ = '1.3'....import UserList..import debugger....# REGISTER STATUS..RST_INVALID = 0 # Register undefined..RST_VALUE = 1 # Register contains regdata..RST_VFIXUP = 2 # Reg contains regdata that is fixup..RST_INDIRECT = 3 # Register contains [regdata]......# DISASM MODE..DISASM_SIZE = 0 # Determine command size only..DISASM_DATA = 1 # Determine size and analysis data..DISASM_TRACE = 2 # Trace integer registers..DISASM_FILE = 3 # Disassembly, no symbols/registers..DISASM_CODE = 4 # Disassembly, registers undefined..DISASM_ALL = 5 # Completely disassembly..DISASM_RTRACE = 6 # Disassemble with run-trace registers....# Types for Opcode..C_TYPEMASK = 0xF0 # Mask for command type..C_CMD =

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libcontrolflow.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.180955806633602
Encrypted:	false
SSDEEP:	96:ajNeMRznz6NkBU4mkbVsMJk4rU7DA/TIBIbdm/seViZxJNSPqRuKEWX7n:Nyjz6Nke4mkF9/TIBIpm/seVvMHb
MD5:	9B351052DF940193F1607D9C418BD6F0
SHA1:	0649C36BFC8171B60859F849D58DC376FD0B7D0F
SHA-256:	750F8F036C45D99C29002D1BED5A249787961546A592741C33E2B72BF0C7466E
SHA-512:	8CE9B454B2EDC1491BBC9530A4FDA8342A72B67605054FF70A4CF9E2EB164E56544174C89200C2CCE6DBE35312E973F7F27D88B8DE31F38CE07E9B0F5F06151C
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}......"""....__VERSION__ = '1.0'....#############################################################################..class DominatorTree:.. def __init__(self, imm, addr, blocks = False, recursion = False):.. """.. This class takes a function start address and calculate all Dominator Tree related tables:.. - Predecessors.. - Iterated Predecessors.. - Dominators.. - Immediate Dominators.. - Post Dominators.. - Immediate Post Dominators.... @type imm: Debbuger OBJECT.. @param imm: Debbuger.... @type addr: DWORD.. @param addr: function start address.... @type blocks: DICTIONARY\|False.. @param blocks: Optionally you can provide a dictionary with the node address as key and a list of edges (mainly for testing purposes)... """.. .. self.address = addr.. self.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libdatatype.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	12197
Entropy (8bit):	4.527474934881546
Encrypted:	false
SSDEEP:	192:aobCgLIoH4gRdSC/hcpQcUeA7Gf5onqPSyA6H0CJAaR:3XLIoYgRdSC/hhcUeA7Gf5onsSyAs0Cv
MD5:	C603B4386FA7417DCCB3735E048941E3
SHA1:	2384E92862F9A1BDF45F54241FCA6CFFEDFF7FFB
SHA-256:	51108CBA0597FB030BFA498612ECFC65849DB11290DA6BEFD6B954D0CBCF0550
SHA-512:	7DCE8FA468531CA6ACEC15D6045ADDF1D415BD62E4E6A434141DB68EF9AD3A327CEF2187F6B841CFDBD7BDA043B39FB8EC56B6E538FEA41A4F07067896D7E4BC
Malicious:	false
Preview:	#!/usr/bin/env python.."""..Immunity Discovery Data Type API for Immunity Debugger....(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>} Discovery Data Type API for python........"""....__VERSION__ = '1.1'....import immutils..import struct....MEM = 1..DWORD = 2..MEM_ADDR = 3....INT = 0..STRING = 1..UNICODE = 2..POINTER = 3..DOUBLEL = 4....PLAINASCII = 0x01..DIACRITICAL = 0x02..RAREASCII = 0x10....ctable = [ .. # 0x00.. 0x0F (TAB, Line feed, Carriage Return).. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,.. 0x00, 0x13, 0x13, 0x00, 0x00, 0x13, 0x00, 0x00,.. # 0x10.. 0x1F.. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,.. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,.. # 0x20.. 0x2F (space, punctuation, parentheses).. 0x03, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13,.. 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13,.. # 0x30.. 0x3F (digits, punctuation).. 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,.. 0x03, 0x03, 0x13, 0x13, 0x

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libevent.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	8558
Entropy (8bit):	4.939003990481614
Encrypted:	false
SSDEEP:	96:nDMQhE+ep4EBIayapiYdkwa/xE/0WFITNpZVxapxpKdpPptpWRTGp/Mpirw:AQS8MqwGSORxcmw
MD5:	F1E4CB847E89EE69AF6536DABD0940A7
SHA1:	991177B84CCBE1F336B395CDF9DC609F9E2EA058
SHA-256:	EB417BB621E98683215D1273D708BF4D18C231A6F8CA331F06EF278911864D83
SHA-512:	F625C69DDC98BE22B297CE32C095AE2F26BAF2BF5DD672C44B2E76B40EADAFB1A6DFF8C8B825986BB8505196FB904508373440707E3AE030DE7BCE797601462A
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}........"""....__VERSION__ = '1.0'..import debugger....class Event:.. def __init__( self, event ):.. self.dwDebugEventCode = event[0][0].. self.dwProcessId = event[0][1].. self.dwThreadId = event[0][2].. self._GetValues(event).. .. def isCreateProcess(self):.. return self.dwDebugEventCode == debugger.CREATE_PROCESS_DEBUG_EVENT.... def isCreateThread(self):.. return self.dwDebugEventCode == debugger.CREATE_THREAD_DEBUG_EVENT.... def isException(self):.. return self.dwDebugEventCode == debugger.EXCEPTION_DEBUG_EVENT.... def isExitProcess(self):.. return self.dwDebugEventCode == debugger.EXIT_PROCESS_DEBUG_EVENT.... def isExitThread(self):.. return self.dwDebugEventCode == debugger.EXIT_THREAD_DEBUG_EVENT.... def isLoadDll(self):.. return self.dwDebugEventCode == de

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libheap.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with very long lines
Category:	dropped
Size (bytes):	43954
Entropy (8bit):	4.591498178411837
Encrypted:	false
SSDEEP:	384:1GMnBoTm6coKGSh7TPvek4zIjH1ynDMuJrKWQQaM8rHkLweMsrqm/ZakhiM2SrGr:hBQqT7njVyn4uJeKaM8QDswnAS2
MD5:	5420ABF2803700296859045303ECEF48
SHA1:	5123F3778E5EC29C87F4D9C814250BED7EE15E0A
SHA-256:	EEAC895BDFF96D48ACF4E29BA1D2112B1C3FD1BF3D1B81AE87353F665ACEDF08
SHA-512:	C2555F3E24FAD6B17FD3E457D42417982793AF6C381ED784D910DF83160B70FCF8379B32FE7F3345DECC5F498C777244FC163ADC0473655BE54A9A5F6475A202
Malicious:	false
Preview:	#!/usr/bin/env python.""".Immunity Heap API for Immunity Debugger..(c) Immunity, Inc. 2004-2006...U{Immunity Inc.<http://www.immunityinc.com>} Debugger Heap Library for python..."""..__VERSION__ = '1.3'..import immutils.import struct.import string.from UserList import UserList.HEAP_MAX_FREELIST = 0x80.DEBUG = False....class PHeap:. def __init__(self, imm, heapddr = 0, restore = False):. """. Windows 32 Heap Class.. @rtype: PHEAP object. """ . self.imm = imm. self.address = heapddr. self.chunks = []. self.restore = restore. self.Segments = []..self.HeapCache = None..self.Lookaddr = None..self.Lookaside = None.. if heapddr:. self._grabHeap().. def _grabHeap(self):. try:. heaps = self.imm.readMemory( self.address, 0x588 ). except WindowsError, msg:. raise Exception, "Failed to get heap at address : 0x%08x" % heapaddr.. index = 0x8. (self.Signature, se

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libhook.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13041
Entropy (8bit):	4.532587419133059
Encrypted:	false
SSDEEP:	192:Ds9rXdLm3Fves5KfEGuLOXMgPPMM1gNOk0TXt+wTUQ:erXVm3FveALMPMM1gNOk0Td+wTUQ
MD5:	F36C77C9DFD4F33315ACE2D94BC01C42
SHA1:	5F5AA04B0FDFFA8333E0E8FB413ED3AC42AEA3C3
SHA-256:	13D647BF35C8F90BA3D9A8582AF373ABAEAB1B1F513F6B992B8B3E3E69DB156F
SHA-512:	DCBA15F3FD00B473DC57A5FB8F025D309943796549646E02B8C2AF31537258AE3A3401B9482062A2DC67BEA796720F931407D4450411098F94E498A95175BD7D
Malicious:	false
Preview:	#!/usr/bin/env python..""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}..."""..__VERSION__ = '1.1'..import struct.import debugger .import pickle..FS_UNHOOK = 0 .FS_HOOK = 1 # hooked and running.FS_PAUSE = 2..HookTypes = {"ORDINARY_BP_HOOK" : 3900, "LOG_BP_HOOK" : 3909,\. "EVERY_EXCEPTION_HOOK" : 3901,\. "POST_ANALYSIS_HOOK" : 3902, "ACCESS_VIOLATION_HOOK": 3910,\. "LOAD_DLL_HOOK" : 3903, "UNLOAD_DLL_HOOK" : 3904,\. "CREATE_THREAD_HOOK" : 3905, "EXIT_THREAD_HOOK" : 3906,\. "CREATE_PROCESS_HOOK" : 3907, "EXIT_PROCESS_HOOK" : 3908,\. "PRE_BP_HOOK" : 3911}..HOOK_REG = {'ESI': '[ESP+4 ]', 'EDI': '[ESP]',\. 'EBX': '[ESP+0x10]', 'EAX': '[ESP+0x1C]',\. 'ECX': '[ESP+0x18]', 'EDX': '[ESP+0x14]',\. 'EBP': '[ESP+0x8 ]', 'ESP': '[ESP+0xC ]'}...class FastLogHook:. def __init__(self, imm):. self.address = None. self.tbl = [].

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\librecognition.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	30358
Entropy (8bit):	4.388894028992661
Encrypted:	false
SSDEEP:	384:9hLbViq4RVzLU8A8ZIYYrk7Dg3DDzWP6GwNSIWC/mxzvnlqQ:PVn4LDZIYY8kzDzWwKF/
MD5:	F40B31444457081869B8230706D42BCE
SHA1:	C3CB67B6E0A4CFD278649732F9DC10564595C8A6
SHA-256:	1809E64F5B24F6D7B2928D629B6B82029ED0B42FE396E595651CD90A2D00C70D
SHA-512:	5B01AACAABD99A2BFCD8DD5AB103EAA1FC0F9FAA7AA0A78DC59B2CA5FB4085CF52A6A2BC93878EECE3E3FCDF3F7474A00062D82AABD8542DBF185B557BC7E9EF
Malicious:	false
Preview:	"""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}......Library for function recognizing...."""..__VERSION__ = '1.2'......from libanalyze import ..from libdatatype import ..from libstackanalyze import *..import binascii..import struct..import hashlib..import re..import string..import debugger..import csv..import os....class MultiCSVIterator:.. def __init__(self, dictionaries):.. if not isinstance(dictionaries, list):.. dictionaries = [ dictionaries ].... self.iterators = [].. self.fds = [].. self.idx = 0.. for d in dictionaries:.. try:.. fd = open(d, "rb").. except:.. fd = open(d, "w+b").. self.iterators.append(csv.reader(fd)).. self.fds.append(fd).. def __iter__(self):.. for i in range(0, self.idx+1):.. self.fds[i].seek(0).. self.idx = 0.. return self.... def __del__(self):.. while sel

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libregistry.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with very long lines
Category:	dropped
Size (bytes):	16687
Entropy (8bit):	5.0068186901266545
Encrypted:	false
SSDEEP:	192:tMtxTw+MN0LtXU93qKJHiNcQjpZ3TRy5kKxfOPuxtvZm86gm0m8dEE:tMSQUqKJHiNcQjpZQ5k8fOMnm86gmN8f
MD5:	CC35B0E5A5C9DCC010FD0041C12DB6C7
SHA1:	5802A57DD1ACBD2C14264DA7D57756E4FAAA32E1
SHA-256:	4A544C263D293B7C8D36CEBCFA1459128ADB3DA79F120A9B56213073FBAFA87E
SHA-512:	C008382986BF2976EC233EABF2271CC9BE81CF394700FA6A3A9F104E682E0E04807140A56FCF8E1BB38612E62A0BF884BE4BC4BECAB57CEDEE7152F03031A227
Malicious:	false
Preview:	#!/usr/bin/env python..""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}...""".#.__version__ = '1.0'..import _winreg..# Documentation.# http://msdn2.microsoft.com/en-us/library/cc265944.aspx.# http://msdn2.microsoft.com/en-us/library/cc265944.aspx...#Systemwide settings ("Registry") .HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\GlobalFlag.#Program-specific settings ("Image file") for all users of the computer. .HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\GlobalFlag.#Program-specific settings ("Image file") for a specified user of the computer. .HKEY_USERS\SID\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\GlobalFlag.#Page heap options for an image file for all users of the computer .HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\PageHeapFlags.#Page heap options for an im

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\libstackanalyze.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	26095
Entropy (8bit):	4.267787471444017
Encrypted:	false
SSDEEP:	384:gxjVbloM6IcEE4nhR3wcW7KRk7qg4hMVN8NE3ySOX:MjIvLEfRPk7CgOX
MD5:	5DCF21A95AB9AF216B06A3E19188E2C4
SHA1:	CAD34CEF4A9A65120265E39D7A0E5A6996F6AE36
SHA-256:	54CCF1CA17C008BCDFEB4B89709272E4A199C897A7EDCE99C10945FC5B661115
SHA-512:	4642FC0DA8993412A5556B13A206D91A58673D0C13972CDD14301F5F80183763BC2662F537E9492589426B5ECFED4B67EA0E3CEBE73042ADF1E9EEA546187333
Malicious:	false
Preview:	#!/usr/bin/env python.."""..Immunity Debugger Stack Analysis Lib....(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>} Stack Analysis Lib...."""....__VERSION__ = "1.1"....from libanalyze import ..from libdatatype import ....class StackFunction(Function):.. """.. This is an inherited class from Function that add stack analysis capabilities... .. The params are the same as the Function class... """.. .. def analyzeStack(self, base = None):.. """.. Analyze the stack of a function, searching frame-based local variables... .. @type base: StackFunction OBJECT \| None.. @param base: represent the object where we want to do the searchHits (for cache reasons), it can be "self"... .. @rtype: LIST.. @return: in order:.. - calls: (dictionary) key: caller addy, value: (list) callee addy and args.. - myVarHits: (dictionary) key: stack constant, value: (list) hits addresse

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\operations.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4475
Entropy (8bit):	5.201744969993402
Encrypted:	false
SSDEEP:	96:KBDtWM2ABGNRDFVTV0jVTXoGam8Wugu6u3bJdH0qCAZiSffhuc4oBNxBaBNBaB+A:KBD1cNRhVTV0jVTXoGam8Wugu6u3bJdt
MD5:	E41797F56E0A153E670D204DC1088A3F
SHA1:	E46724F009E0C3C0AFA9E1289534012FB8513E6B
SHA-256:	610C27D3B109429223E3D131E1ABF3B5FA2E1791617BEED50DA633241A21F804
SHA-512:	2C1DCBE57A80BE2F83DD614AB07A5D5FAA031B94AD53C9C6E11762B932B0734915D44C72EC650EA4971DD157ADE63430395945AC326F3BDEC363DA9B8E26FFF2
Malicious:	false
Preview:	#!/usr/bin/env python..""".(c) Immunity, Inc...This is some code that will be sort of ugly by design. Its purpose is to hide.the guts of Immunity Debugger from the rest of DEPLib and make the DEPLib code.more readable..""".."""Status:.For now, we only have here methods necessary to get the register tuples out of.sequenceanalyzer.py. Other 'ugly' things we should get rid of:.multi-layer tuples (e.g., op.operand[0][1]).memory state tuples.remove need for fixOP2().op.dump?."""..from immlib import *..class operation(opCode):..def __init__(self,op):...self.__dict__ = op.__dict__.copy() ...self.imm = op.imm.....def constantOperand(self, value, size=4):..."""Returns an operand with the specified constant value. ...Size is 4 bytes (32 bits) unless otherwise specified...."""...return (DEC_CONST,size,(0,0,0,0,0,0,0,0), value)....def emptyOperand(self):...return (0,0,(0,0,0,0,0,0,0,0), 0)....def memoryOperand(self, reg, offset=0):..."""Returns an operand that accesses memory at a register + of

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\pathgenerator.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2597
Entropy (8bit):	4.07005470394695
Encrypted:	false
SSDEEP:	48:mKcKZFnvPj93DLyH55RDLj/NCSDLc2fhNiBt5+9qclPt7PT+MwDH/+Qs:mKF2V/NCifhEc3P+MwDHI
MD5:	B82586C5EECF5CF759D8C5A1FD6DF3DE
SHA1:	6E862A466871C948EFF75A4111EFE538B4F12865
SHA-256:	0C6187F6947F3B5CFD7872DB26A8477EF0EC9F84A94A4EDCE82868B63F239429
SHA-512:	43B05648BCAD76A9F395BEBEBF2C97B9CD16E22125918431734620EE0F0A1CFD319A7FADFF79792C3F391AD41B3A5CE9876952A4B9ABF8A0C8A49B336C50A45B
Malicious:	false
Preview:	class PathGenerator:.... def __init__(self, basic_blocks, bb_edges):.. self.basic_blocks = basic_blocks.. self.bb_edges = bb_edges.. self.path_addrs = set().. .. def generatePaths(self, start_addr):.. if start_addr not in self.basic_blocks:.. raise Exception("Unknown address %s" % \.. hex(start_addr)).... start_bb = self.basic_blocks[start_addr].. .. if start_addr not in self.bb_edges: .. p = Path(start_addr, self.basic_blocks, self.bb_edges).. yield p.. else:.. self.path_addrs.add(start_addr).. .. for next_bb_addr in self.bb_edges[start_addr]:.. if next_bb_addr in self.path_addrs:.. p = Path(start_addr, self.basic_blocks,.. self.bb_edges).. p.has_loop = True.. yield p.. continue..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\pefile.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	174126
Entropy (8bit):	4.511639101337314
Encrypted:	false
SSDEEP:	3072:NnFJ4AIhc/BdpJgl/R82S1gt4woVPzYiIgF6b6rDEeCPkyAtN3qVdRK:NnFJhIhCpKn82SOt4woVPzYiIgF6b6rX
MD5:	72B1F077D157025141F0F4E8B27DDD35
SHA1:	CBE3BC465426FC7B63AD715E122D077381449DE4
SHA-256:	102CD5C8ABD3D6BC33797A3FA689B19A178E55696EE49DEEB9C35F3CEAD1B8ED
SHA-512:	58BC6804743993B65F11DE19214E38873B6186B8318823A47C28FB51F45FA580C3272CE18CC41CA18B03A006E1C5FF94E4723774E846860CA0BDC24802EF1109
Malicious:	false
Preview:	# -- coding: Latin-1 --."""pefile, Portable Executable reader module...All the PE file basic structures are available with their default names.as attributes of the instance returned...Processed elements such as the import table are made available with lowercase.names, to differentiate them from the upper case basic structure names...pefile has been tested against the limits of valid PE headers, that is, malware..Lots of packed malware attempt to abuse the format way beyond its standard use..To the best of my knowledge most of the abuses are handled gracefully...Copyright (c) 2005, 2006, 2007 Ero Carrera <ero@dkbza.org>..All rights reserved...For detailed copyright information see the file COPYING in.the root of the distribution archive.."""..__author__ = 'Ero Carrera'.__version__ = '1.2.8'.__contact__ = 'ero@dkbza.org'..import os.import struct.import time.import math.import re.import exceptions.import string.import array..fast_load = False..IMAGE_DOS_SIGNATURE = 0x5A4D.IM

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\pelib.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	a /usr/bin/env python script, ASCII text executable
Category:	dropped
Size (bytes):	53314
Entropy (8bit):	4.163600541823021
Encrypted:	false
SSDEEP:	1536:dVk8LBf4NdW1crKUKSKlMBnjjYKMXYN5c1yxNhM:dVPqjjYKa
MD5:	0689A56871BA4CE18413D987DD0650FE
SHA1:	C6D8C99C53F015FFD7059BF9F8C345E38D4AEEBC
SHA-256:	881C0A2F47EFF7B9FE8B91E6EBBE3F59BD3BFEC08A5DBA9371CA11DDFA708973
SHA-512:	9468E78477120FA9067D2CD864C99C2DDCE6CEC3914100D325FF6F1BB72FD84F3EAA869F457BDCF1EA2D101EAEDEC34F525FB6B60DCC9D0C73F467874050DA84
Malicious:	false
Preview:	#! /usr/bin/env python.""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>} pelib..Proprietary CANVAS source code - use only under the license agreement.specified in LICENSE.txt in your CANVAS distribution.Copyright Immunity, Inc, 2002-2007.http://www.immunityinc.com/CANVAS/ for more information.."""..__VERSION__ = '1.0'..import struct, sys.#try:.# import mosdefutils.#except ImportError:.# # Is this IMdbug.# import immutils. .try:. import mosdef.except ImportError:. pass.try:. from shellcode import shellcodeGenerator.except ImportError:. pass..IMAGE_SIZEOF_FILE_HEADER=20.MZ_MAGIC = 0x5A4D.PE_MAGIC = 0x4550.IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16.IMAGE_ORDINAL_FLAG = 0x80000000L..# PE documentation:.# http://win32assembly.online.fr/files/pe1.zip..def hexdump(buf):. tbl=[]. tmp="". hex="". i=0. for a in buf:. hex+="%02X "% ord(a). i+=1.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\peutils.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13655
Entropy (8bit):	3.9831105016893105
Encrypted:	false
SSDEEP:	192:7P7854akTEbQig22MTiNfuQ2k8O2D+7KPCHBrn2:7zQ4akg8iwM2mDk72DIT4
MD5:	D87E2D0CCABD98680FE64E15D065B6D7
SHA1:	9506C3A3D550A9A187AEF1DC19C9650D0C1B053F
SHA-256:	3354504B958EBF861735EE74A976E9B6BA387F27A76DC267A6CB63FAFE2B6A79
SHA-512:	8B8D1D2396EA733F892C503DB5F64A29474AAF0C3C012A271EEB6E3FD5FB25B43E6DC0A82A66595AC6C50E48674C890BB8AC879B1491609B52ED35889052E3BD
Malicious:	false
Preview:	# -- coding: Latin-1 --."""peutils, Portable Executable utilities module...Copyright (c) 2005, 2006, 2007 Ero Carrera <ero@dkbza.org>..All rights reserved...For detailed copyright information see the file COPYING in.the root of the distribution archive.."""..import os.import re.import string.import urllib..__author__ = 'Ero Carrera'.__version__ = '1.0.0'.__contact__ = 'ero@dkbza.org'.....class SignatureDatabase:. """This class loads and keeps a parsed PEiD signatute database.. . Usage:. . sig_db = SignatureDatabase('/path/to/signature/file'). . and/or.. sig_db = SignatureDatabase(). sig_db.load('/path/to/signature/file'). . Signature databases can be combined by performing multiple loads.. . The filename parameter can be a URL too. In that case the. signature database will be downloaded from that location.. """... def __init__(self, filename=None, data=None):. . # RegExp to match a signature block. #

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\bugcheckers\bugchecker.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	428
Entropy (8bit):	4.5951345048706855
Encrypted:	false
SSDEEP:	6:jHkmmjXxk1AkLJ6XmziXdLVaeJmHk1AQVCTXTFZXgX2uyyFCAkYu6AFP9/uQgEB:7k7jO1AkLJPkQecE1AQVCfFt3up8
MD5:	C1D5C420E7B7D8C2663065FCA7BB62D9
SHA1:	D8EA53AC66FE2794E9E97368496B8C96FC5D95EC
SHA-256:	0147637BEEF618F33ACA996310271B4734239C7C6333E6A9B5F11A953FE4D705
SHA-512:	F5975E64691BFECBD7358F92F605D97D42B4E77F9CF33D37461268F1E11A0B4BFDF1AFCEC86C5ED6618800E0BBB3D69EF769CB333D84205C0A609CB3711A1F1C
Malicious:	false
Preview:	MAX_INT_32 = 2 ** 32 - 1....class BugCheckResults:.... def __init__(self, addr, concrete_model):.. self.addr = addr.. self.concrete_model = concrete_model....class BugChecker:.... def __init__(self, imm, debug=False):.. self.imm = imm.. self.debug = debug.... def checkIns(self, sa, ins):.. err = "You must subclass BugChecker and override this method".. raise Exception(err)..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\bugcheckers\intoverflow.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	4.283029188544101
Encrypted:	false
SSDEEP:	24:CC7U0TU1aZsrkIM2ujzQ2T3yGQbcCVQDRQJ:CUU0TUUCAIM2ujM2TiGhCKQJ
MD5:	C99C717B23A11876F821AD4A41755B9C
SHA1:	8B0A4EEE4C1177EAACC48BB814AD86ACEAAA9D26
SHA-256:	869874C373B1789F77381D6A1294716D6E7AC3664A247BBEE3EDA8D75680AE24
SHA-512:	E2C488A394FCB549E9D9C39BA2A16FA4EE5CD1C824082C903BD00B743D9CC9E862899A46AC45AF45D4BE802C6AE7B167CB230922990CE8189F6B79C496201AC9
Malicious:	false
Preview:	import operations....from libanalyze import DISASM_FILE..from bugchecker import MAX_INT_32, BugChecker, BugCheckResults....class IntOverflowChecker(BugChecker):.. def checkIns(self, sa, ins):.. res = None.. status = False.. op = operations.operation(ins).. disasm_str = op.removeLockPrefix().. solver = sa.state.solver.. .. if self.debug:.. self.imm.log("check_ins (%s): %s" % \.. (hex(ins.getAddress()), disasm_str),.. ins.getAddress()).. .. if disasm_str == "ADD":.. dst = sa.buildState(ins.operand[0]).. src = sa.buildState(ins.operand[1]).. .. dst_val = sa.getValueFromState(dst).. src_val = sa.getValueFromState(src).... res_64 = solver.addExpr(dst_val, src_val, 64).... # Check if the result temporarily saved as 64 bit int is .. # greater than 2**32-1.. gt_expr =

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\formulaparsing\formulaparser.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5371
Entropy (8bit):	4.602305045094148
Encrypted:	false
SSDEEP:	96:ldEPQe2forYoOEOA24ehjeQiBnyz1TWHVz4QbKYrz3y8eYCwE1XhmwrU:lK4dilO1A24eRXun+1TWHVz4QbKu3Xek
MD5:	73D8EFF55DA1230D1272BB22F6C1C3E2
SHA1:	E75590659741AE4EC279C1A5AA1D9F33B5E37E98
SHA-256:	94BF05573A0A85C95EB472ACF40EC4EC26BD73AD0FB29C5FBBA3940FBD68AF2F
SHA-512:	488540982FD6252E45D63C02FEF2151D7F523A82740E64F05F891731E0F2526E91C92F216A2C6553EBC3FCC92A783889EFAFC8B0CD1BB8C92CE0F670BDA88DDA
Malicious:	false
Preview:	from pyparsing import ParseException..from grammar import HEXNUM, EQ_SYMBOL, REGISTER, RELATION .from grammar import MEMREF, FORMULA, CONNECTIVE.from grammar import equality_symbols, logical_connectives..class InvalidRelationalSymbolException(Exception):. pass..class InvalidConnectiveSymbolException(Exception):. pass..class FormulaParser:.. def __init__(self, debug_mode=False, verbose=False):. self.debug_mode = debug_mode.. if self.debug_mode:. self.enable_debug(verbose).. def relationToExpr(self, r, lhs, rhs, signed=False):. exp = None.. if r == '<':. if signed:. exp = self.solver.sltExpr(lhs, rhs). else:. exp = self.solver.ltExpr(lhs, rhs). elif r == '>':. if signed:. exp = self.solver.sgtExpr(lhs, rhs). else:. exp = self.solver.gtExpr(lhs, rhs). elif r == '=':. exp = self.solver.eqExpr(lhs, rhs). el

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\formulaparsing\grammar.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1840
Entropy (8bit):	5.323544213824176
Encrypted:	false
SSDEEP:	48:vk/IHHGAFkvR672K8zpOyqgXY0VvB9FGXcVWqGvBkyXrvv3WKL8ZM:vWIHHGAFk5JVNOCY0VPLGyGH3WKL8G
MD5:	F6E212D57F053BC9AD0D3F35B7E0EEAE
SHA1:	CABD65C263E7EEA9D6F449103CA1797F5C67CEAE
SHA-256:	485F0BDE04A0B8E5453EF26271CB344249F630DC622B17A774FB130196E00DBD
SHA-512:	CBBA9DF52BAA282457F2C752DF117E5EB5E63C94BABF68DCEEA5F27FF366519FB51500A65AAFA3D9B27C7A2A522FDC85FF7D24E7449A08D26BD1CA26DD3835DC
Malicious:	false
Preview:	import operator.import string..from pyparsing import Word, Literal.from pyparsing import ZeroOrMore, Forward, Optional.from pyparsing import StringEnd..""".FORMULA ::= RELATION (CONNECTIVE RELATION)* \| '(' FORMULA ')'.RELATION ::= LHS_EXPR EQ_SYMBOL RHS_EXPR \| '(' RELATION ')'.RHS_EXPR ::= LHS_EXPR \| HEXNUM.LHS_EXPR ::= REGISTER \| MEMREF.MEMREF ::= '[' MEMREF_EXPR ']' \| '[' MEMREF ']'.MEMREF_EXPR ::= MEMREF_PTR (+ \| -) MEMREF_PTR.MEMREF_PTR ::= HEXNUM ^ REGISTER.CONNECTIVE ::= '^' \| 'v' .REGISTER ::= 'eax' \| 'ebx' ... .EQ_SYMBOL ::= '<' ^ '>' ....HEXNUM ::= '0x' HEXDIGITS ^ HEXDIGITS.HEXDIGITS ::= a-fA-F0-9."""..hex_nums = '0123456789'.hex_letters = 'abcdef'.hex_letters_upper = hex_letters.upper().hex_digits = ''.join([hex_nums, hex_letters, hex_letters_upper])..equality_symbols = ['<', '>', '=', '!=', '<=', '>='].equality_literals = map(Literal, equality_symbols)..registers = ['eax', 'ebx', 'ecx', . 'edx', 'esi', 'edi',. 'ebp', 'esp',

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\formulaparsing\testformulaparser.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3592
Entropy (8bit):	4.6855738529507605
Encrypted:	false
SSDEEP:	48:pZRUHwxUCysZmLGbm+23nZReBWNO5J7zPzSfQtUlWSGSA8+aMc:pv4wUaZmLGbpHc4cXAP2
MD5:	FF14C17AE38A2B2109B3DDB66BB88C1A
SHA1:	295863E2E4BF4502E82A5BDBFDB1CF8AEF5D0B97
SHA-256:	2B688D025EECDBFD151547858517E608995580AF0B211B1CAE7D9645E1E6E0C5
SHA-512:	73BF751ED5A026DDE56514D6DA38B1ED4AA98AC123C7CABC8C15C9DDFF6D169399194299A43BB6A79F720AC457E97C558CF5A09BC65F775B2CC8F0419509FB24
Malicious:	false
Preview:	import unittest..from formulaparser import FormulaParser..class MockConstExpr:.. def __init__(self, val):. self.val = val..class MockBinaryExpr:.. def __init__(self, lhs, rhs):. self.lhs = lhs. self.rhs = rhs..class MockEqExpr(MockBinaryExpr):. pass..class MockNeExpr(MockBinaryExpr):. pass..class MockLeExpr(MockBinaryExpr):. pass..class MockBoolOrExpr(MockBinaryExpr):. pass..class MockBoolAndExpr(MockBinaryExpr):. pass..class MockSolver:.. def __init__(self):. self.regs = {'EAX' : MockConstExpr(0x0),. 'EBX' : MockConstExpr(0x1),. 'ECX' : MockConstExpr(0x2),. }.. def constExpr(self, val, width=32):. return MockConstExpr(val).. def leExpr(self, lhs, rhs):. return MockLeExpr(lhs, rhs).. def eqExpr(self, lhs, rhs):. return MockEqExpr(lhs, rhs). . def neExpr(self, lhs, rhs):. return MockNeExpr(lhs, rhs).. def boolAndExpr(self, lhs, rhs):. retu

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\formulaparsing\testgrammar.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1688
Entropy (8bit):	4.999650479711363
Encrypted:	false
SSDEEP:	24:otdS3hkD69INm3n3fou3fic936RqWX5T0NgzYGjB0ghEsypS/IaMc:adEhkD6iG3w4Tt4XV0qnN009PwaMc
MD5:	17CFB069EEE17741202E0E3D5A6A7E07
SHA1:	BFD4253A6FA3E40479BC14289BA81209C119D4AF
SHA-256:	882619AF6C695E27A143309346940C3219BBD39738E63BFC6F5FA1A4F0DD2714
SHA-512:	20F622CBC0D64D9C280DB7592D8CD5282407124287C788F776FDC8A7E7E7B59AFFF60B5C7885C59E22BCD64048F0A97395C307223DBF473C5950A86783642326
Malicious:	false
Preview:	import unittest.from pyparsing import ParseException..from grammar import HEXNUM, EQ_SYMBOL, REGISTER, RELATION.from grammar import MEMREF, CONNECTIVE, FORMULA..class TestGrammar(unittest.TestCase):. . def testHEXNUM(self):. HEXNUM.parseString('0x123abCD'). HEXNUM.parseString('123abCD').. def testEQ_SYMBOL(self):. EQ_SYMBOL.parseString('<='). EQ_SYMBOL.parseString('='). self.assertRaises(ParseException, EQ_SYMBOL.parseString, '!').. def testREGISTER(self):. REGISTER.parseString('EAX'). REGISTER.parseString('eax').. def testCONNECTIVE(self):. CONNECTIVE.parseString('v').. def testMEMREF(self):. MEMREF.parseString('[EAX]'). MEMREF.parseString('[[EAX]]'). MEMREF.parseString('[[EAX+4]]'). MEMREF.parseString('[[EAX+EBX]]'). MEMREF.parseString('[0x50+4]'). MEMREF.parseString('[0x50]').. def testRELATION(self):. RELATION.parseString('EAX <= EBX'). RELATION.parse

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\interceptor.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5296
Entropy (8bit):	4.493096541546032
Encrypted:	false
SSDEEP:	48:CIIndy7+/9rXd5iGuluYfezdsVDrOXslk+4FJZNXiGYQp/7V4LCv5f8VYLAia4Yz:6dL/+luYfjLl1cZyyAomN
MD5:	529872EDBB95337344EF9EACC5D65A6A
SHA1:	9C01C295340DFF4D68546D175065335B812EFAF4
SHA-256:	77E175DDED6B9AC0A1D24886B60EAD2BEE3B73DFD07DC2FE38937A9D8033AD51
SHA-512:	DA6B28DF651DD0C0B03E19A0F2D2AC12F59758EA94068E60298A5AC06BB6B1A9B846F79F3CA9743BE0294B053EDE98989A000376A11EE01C8640452DC7CE2E72
Malicious:	false
Preview:	""".This functions let us intercept a function call (or a part of a function)."""..class FunctionInterceptor:. calleeclean = False. protectedregs=["EBX","ESI","EDI","EBP"]. returnreg = "EAX". . def __init__(self, address, name, argc, emulator):. self.address=address. self.name=name. self.argc=argc. self.emulator=emulator. . def getArgs(self):. #get the function argument from a symbolic machine according to a given calling convention. pass. . def cleanStack(self):. self.sa.state.regs['ESP'] = self.sa.state.solver.addExpr(self.sa.state.regs['ESP'], self.sa.state.solver.constExpr(self.argc * 4)). . def run(self, sa):. """. receives a sequence analyzer instance.. """. . self.sa=sa. args=self.getArgs(). if self.emulator(self, args) == True: . #emulator must return TRUE if we should follow usual cleaning and return steps, otherwise the emulator itself.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\libcvc3.2.1.1.dll Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10777518
Entropy (8bit):	6.304372231979568
Encrypted:	false
SSDEEP:	196608:xeWm5UO1+phfJbIbMg0vDBxPBvy7S9m5zlaUBPSKLxMrHFV8rx+LQfK4MZ8zZSV+:xbm5UO1mfhYMHvtORl3PSKkD8rxBfK4V
MD5:	0434C902AC56FDA22D99DFC5F74409A6
SHA1:	E2CA867E9C842D605C8140A806CFD7AAA9E9CC52
SHA-256:	895FB779BB8C4E4D46423D80F03433B654EFE9AF61E0657AB75F7D66DB8F3955
SHA-512:	F063F830C182D2EE07E4D6A16AAB0ED42672F21E8F04050F73016FD9EE60B08831CC6CBAFDAA107D34BC4CA33DFE2CA4BD361448FAFB1697BD72F14479B5B76D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....nM....^d.....!...8.h.........................g................................~........ ......................P...~.....x................................j...................................................................................text...8g.......h..................`.P`.data....Z.......\...l..............@.`..rdata...K.......L.................@.`@.bss....(....0........................@..edata...~...P......................@.0@.idata..x..........................@.0..reloc...j.......l..................@.0B/4...... ....P.........................B/19.....?....`.........................B/35..........p.........................B/47.....,..............................B/61....................................B/73...................................0B/86....................................B................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\libgmp-10.dll Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	343552
Entropy (8bit):	6.552333559080254
Encrypted:	false
SSDEEP:	6144:XdzncEZmtMjg1JQVj+haAh16mv9jHOL88pLX3gl:XaEZmtMU1J4ChaA36mljHOLNlngl
MD5:	277B80251ECCDA70D280C171987BB531
SHA1:	8AE6B5A09196D9DCD4A57CDFE07E14E334F68AEB
SHA-256:	3921CC2355D8F6119B3E3E755319FF67B54084DFC41263F3B021B5312D04F294
SHA-512:	85020AD43B930FAE4EFCE913D4074688EB0766A6D97416BF915307C958F24E858FA7C314E754D391BC79837CF0A2F8A6BEF4EBAC97427910F085F3F9833E2CF0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...MtyK...........#...8.D...:...............`.....j................................~7........ ......................@...7......0....................................................................................................................text...TB.......D..................`.``.data...@a...`...b...H..............@.`..rdata.. F.......H..................@.`@.eh_framt.... ......................@.0@.bss....p....0........................@..edata...7...@...8..................@.0@.idata..0............,..............@.0..reloc...............2..............@.0B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\pathwalker.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	5852
Entropy (8bit):	4.171589674641057
Encrypted:	false
SSDEEP:	96:mNwNXfFF/q9aKpWkSTb/hz8ly/YI+bNoXH1eX/Y/KzXci30D8:5F/qERk8b/FEy/LXH8X/Y/KzXci30D8
MD5:	0A31B2BA941B6E61DBCBF3712D63CB62
SHA1:	DA177A4690B8F6015694465F21F7FB1F74EB0091
SHA-256:	15CFB52410DA4A4ACADF4F52F2B117925BF2928763CA9C3FCC36D099228918BF
SHA-512:	F298EB41CB4B467F1B86A1AE00D6B62B667CBAA3BCDBF28DE88388CF8904C124DB202022BB3C90D63C0FB5A47C8FBF4625E055E25AD7BFB69BFC757C2A4A9868
Malicious:	false
Preview:	from sequenceanalyzer import SequenceAnalyzer....class UnsatPathConditionException(Exception):.. pass....class NoFollowSequenceAnalyzer(SequenceAnalyzer):.. def __init__(self, imm, analysis_mods=[]):.. SequenceAnalyzer.__init__(self, imm, analysis_mods=analysis_mods).. .. # Either of these should be set if only one direction of a.. # conditional jmp instruction should be analysed.. self.check_jcc_taken = True.. self.check_jcc_not_taken = False.. .. def analyzeJMP(self, op):.. return.. .. def analyzeCALL(self, op):.. return.. .. def analyzeJcc(self, condition, finaladdress):.. """.. Analyze conditional jumps without following them... Used in replacement of 'analyzeJcc' by some tools like pathogen.py... .. @condition: generaly a flag (ie. OF for jo)... @finaladdress: destination address (unused here)... """.. .. if self.check_jcc_taken

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\prettysolver.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	39199
Entropy (8bit):	4.412500592494379
Encrypted:	false
SSDEEP:	384:wc3hGKtG36kkbgXLW7qYHi/PqyZMrN/r5FcFb/3DjSTWcy5:VhxL5bgXLGG/PqyOx/r5FcFb/3DjeWF5
MD5:	639D39656F20FD98411AAAFED0112E6A
SHA1:	BB97C8CC96D6B9A5DF777B906D1A9F993AFCD4C4
SHA-256:	F1DC10EB29FB8D5E23C5022946ACB938753B0AF69FC14EFE680C1FB5B143D8B0
SHA-512:	F852BC13CC9670A18D8951BC37765F3CDFB73C6E97F7C00ECC8B6D5A539A9F096E7499691C020D941575971BE24C6ACA925E8D0F4F74A17002F3724D23ACFC19
Malicious:	false
Preview:	""".Here we support Expression and Type classes which work as wrappers against the PrettySolver class (which is itself a wrapper around Solver)...Doing so, we can support native python operators over Solver Expressions:.- All comparision expressions are supported (doing a queryFormula over the comparision if we are in a boolean context).- Conversion to boolean only returns True if it's a VALID answer..- All arithmetical and logical operations are supported (if you're working with BOOLEAN expressions it uses the appropiate boolean operations).- It allows you to interact with non-expression operands by casting them to Expression instances where possible:. - int/longs to constExpr. - strings to varDef. - tuples to loadExpr. - boolean to trueExpr/falseExpr.- It imports expressions from other solver instances automatically.- len(expr) returns the number of bits on a BV (it returns None if BOOLEAN).- allows slice getting/setting: expr[0:16] returns the lower 16bits of a BV.- cast to int/

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\sequenceanalyzer.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	140438
Entropy (8bit):	4.599788275532778
Encrypted:	false
SSDEEP:	1536:Pse5RFgx9D4NOifwbXAVceVQQRN6R1nCJfvqQo:PJ5RFgx547IMVcebY1nCJfvqQo
MD5:	7C531E67A940ABE977D2F1E8C8FEF194
SHA1:	E7D250A3A3217761DCA56697686C59477B776938
SHA-256:	F4FAC8CBAFBB084F093FE57453282EA4F65AFCB1B2525C8D8528BAC2228CAB41
SHA-512:	D306CC7D7E83F8E8CAA824AF823DC691D1429EAFF33265F2BA1FEA0E4BF7CFC63CA71BD7280C03EF5273A7555C0D0C3DD342A5792DBEC91CAA7B1CB974A1938E
Malicious:	false
Preview:	from immlib import .import cPickle.import traceback.import getopt.import string..from solver_cvc3 import Solver.from prettysolver import .from binascii import crc32.from copy import deepcopy, copy.import operations #abstraction.import sys.import time..class MyDebugger(Debugger):. def __init__(self, template="sequenceanalyzer-log-"):. super(MyDebugger, self).__init__(). self.datetime=time.strftime("%Y%m%d-%H%M%S"). self.template=template.. def log(self, msg, address = 0,highlight = False, gray = False , focus = 0):. if gray and not highlight:. highlight = -1. . fd=open("%s%s.txt"%(self.template,self.datetime),"ab"). fd.write("%08X:%s\n"%(address,msg)). fd.close(). return debugger.add_to_list( address, int(highlight), msg[:255],focus)..class MemoryDictionary(dict):. """. Maintains a list of memory addresses and values.. Keys might be an expression, an expression dump or a memory key hash (MEM<CRC32

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\solver_cvc3.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	50172
Entropy (8bit):	4.58805435821931
Encrypted:	false
SSDEEP:	1536:I029cMbFJ/Cy5OQfcvWd/uiNufWTyZdeVNb:I029cMbFJ/Cy5OiDb
MD5:	806F58573B14406A3193A6CE8888FF7F
SHA1:	39DEFC7604EECB18559CC08EAD4A809F805373F6
SHA-256:	71AC664295BE2FBE7475F77CB04E8574D65DDBBE08A1330B89CC86613060B87B
SHA-512:	D6C225F9A6A075BB091B5FFDCEF9DD24161ABD03E72E8FE22F26B3C9E8F5E73C66B6396191D5BDF5DD72838241D1F437BBDEC517C11E2864D0FBDB37C9B75828
Malicious:	false
Preview:	from ctypes import *.from sys import platform,exit.from binascii import crc32.import os.path..class Solver(object):. . #kind of expressions. _TRUE_EXPR = 0x1. _FALSE_EXPR = 0x2. _RATIONAL_EXPR = 0x3. _BVCONST = 0x50. _BOOLEAN = 0x67. _EQ = 0x6D. _NEQ = 0x6E. _DISTINCT = 0x6F. _NOT = 0x70. _AND = 0x71. _OR = 0x72. _XOR = 0x73. _IFF = 0x74. _IMPLIES = 0x75. _ITE = 0x79. _FORALL = 0x7A. _EXISTS = 0x7B. _APPLY = 0x7D. _BOUND_VAR = 0x0AC. _LAMBDA = 0x0B6. _UCONST = 0x0BA. _SKOLEM_VAR = 0x0BE. _BITVECTOR = 0x1F40. _CONCAT = 0x1F41. _EXTRACT = 0x1F42. _BOOLEXTRACT = 0x1F43. _LEFTSHIFT = 0x1F44. _CONST_WIDTH_LEFTSHIFT = 0x1F45. _RIGHTSHIFT =

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Libs\x86smt\symbolicexecutor.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	31270
Entropy (8bit):	4.464093705937543
Encrypted:	false
SSDEEP:	768:5J9aQnNkppEYcSmwAztJSgoQxsz1inCFgzVFlaRWr:daQNkp5cSmwARJu8sz1inC5Wr
MD5:	757B83BC734500E767EEFFF82E991C3D
SHA1:	1478C34592BDC0182EB2B07A76474554DECC57E9
SHA-256:	531687E094F1CEF63F826140C46F2702AE6A2FAB3018F5B376D507C7BBDB781A
SHA-512:	A4F7108132A38B82264D2EA0A3BAC960FF5A48C7D21801B326D0A3D6574A76B235CB53E755A3F4BBD32FB443EFAF524F87D43C58917C7A330FF2EBAE1397D732
Malicious:	false
Preview:	""".SymbolicExecutor usemode and API..imm = immlib.Debugger().se = SymbolicExecutor(imm)..# Initialize the State Machine, if no regs/flags are provided they're obtained from the debugger..se.initializeMachine(regs=None, flags=None)..# raise an UnconditionalStopException when the address is reached..se.addStop(0x12345678)..# raise a ConditionalStopException if EAX == 0xcafecafe in ANY address..se.addConditionalStop( ("EAX", Expression(0xcafecafe)), address=None )..# execute "python_callback" before the instruction, return True to replace the instruction completely..se.addMonitor(python_callback, 0x12345678)..#execute the given python emulator instead of the native function. the python callback receives an args array.#it must return True if the emulation was successful, or False to indicate that the native function must be executed.se.addFunctionEmulator(python_callback, address=0x12345678, argc=3, cc="cdecl")...#use a dummy emulator to avoid calling a real function that could slow down

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\acrocache.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5635
Entropy (8bit):	4.375045426541284
Encrypted:	false
SSDEEP:	96:jfYENeCo0w6KoGMwp6ilfeRz6GjkPKQSiV0Y:jxNeCof6KogfeRpkPeDY
MD5:	9984AA7372E4C1021AD814697BD36507
SHA1:	520302CB1C1746DDCBDAA11E67B7BFA6E1A8FF30
SHA-256:	39369D5643D5F4D1E4A8EA5DA7140A668262EBD42F81EC60315C16257256945E
SHA-512:	43CEBB0721C489334F61BF8BDE95E6A64FC8168E1E1BF76F23BD5204A2F81175D9DF0E447499CA5083F395577456663E7057E1E5361D8C3C39FF50D8F68C9EC3
Malicious:	false
Preview:	#/usr/bin/env python..import getopt.import struct.import immutils.from immlib import *..copyright="(C) Immunity, Inc.".DESC = "Dumps Acrobat Reader Cache state"..class AdobeHeap:. def __init__(self,AcroPool):. '''. AcroManagingPool (hardcoded address depens on version of the AcroRd32.dll). From this address it's possible to access all managing structures of their custom heap implementation.. '''. self.AcroPool = AcroPool. self.imm = Debugger(). self.pAcroCacheList = []. self.CacheHeadersInfo = []. self.AcroManagingPool(). . def AcroManagingPool(self):. self.AcroPool += 0xC #Reserved . self.mem = self.imm.readMemory(self.AcroPool,128) #Managing structures for AcroCache. self.lpCacheManaging = struct.unpack("32L",self.mem). self.AcroPool += (0x90 - 0xC)

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\activex.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	6043
Entropy (8bit):	4.841763186549369
Encrypted:	false
SSDEEP:	96:lIyGxlpg4+ljXdCF34UjcFvmv8nP2dcVjpJpf0C3KB/FfUBlwH7usFANXL4U5:h0yLe4scF5P2dcb04KB/irwHas6p48
MD5:	755997DDEBDB74AADD78D014E12B7542
SHA1:	CC2CC979DD3DA8EBEBF70CCC74E505373BAC78C1
SHA-256:	98604B0F51B51431569832AC67C0F8DEFDDCAC73ADCED873F6FEA5EECCCB1F39
SHA-512:	32CF12DA35974B9EA2DD205395CB911B3E1E80D5B9C418A5F1A448B05BAE598E759908A208E252DD48C704354D1AF5A610FE3EBBB0C21287889FABCB140FBAB8
Malicious:	false
Preview:	"""..This is just a little script for ImmunityDebugger that will resolve..exposed COM functions to their relative address. Check usage for some TODO items.....NOTE: Requires comtypes http://sourceforge.net/projects/comtypes/..Also comtypes .exe requires MS VC 9.0 redistributables:.. http://www.microsoft.com/downloads/thankyou.aspx?familyId=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displayLang=en....You will need to register your activex that you are auditing. Use "regsvr32 activexthing.dll"..IUf you're doing this on Vista, remember to run regsvr32 from an elevated cmd.exe!.."""..from ctypes import ..from ctypes.wintypes import ..try:.. from comtypes import .. from comtypes.typeinfo import .. from comtypes.automation import ..except ImportError:.. raise Exception("Comtypes library needed")....from immlib import ....ole32 = windll.ole32..kernel32 = windll.kernel32....class MEMORY_BASIC_INFORMATION(Structure):.... _fields_ = [.. ('BaseAddress', c_void_p),.. ('Allocati

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\apitrace.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4889
Entropy (8bit):	4.4286304902356175
Encrypted:	false
SSDEEP:	48:9VnUBiZTr52J7PAS7lIY9tm7Z6zPjoe1ix5X27oNEEhJb5PM8LJSJbFpc13fnG/j:9V+2uT7GB7MYnXYy5Plc/pwGVRf
MD5:	8BEB49714B5DDF69179CC483FDC9EEE9
SHA1:	EDE388501847857B6A542633CE29C733A536CBC5
SHA-256:	E2F84D25744BCBA1352B819C51936E2C50457E4D0D02282B41F5F9C744277ED9
SHA-512:	6D9C2447ED0582FF7DD6F23E6EF667DB6069D300F17F9DFB4C6866DADC38EF6E47000779DA1A6F5672AF24DE774519E14DD71F436E55E398BE9DB2FA066E1D16
Malicious:	false
Preview:	# apitrace PyCommand - (c)Immunity Inc..# Justin Seitz <justin@immunityinc.com>.# TODO: .# - dereference stack params if the function doesn't contain symbols..import getopt..from immlib import ..NAME = "apitrace"..def usage(imm):. imm.log("!%s Hooks all intermodular function calls" % (NAME)). imm.log(" (excluding Rtl by default). The -i and -e options"). imm.log(" specify strings that if found in a function name"). imm.log(" result in it being included or excluded from the"). imm.log(" trace"). imm.log("-i Include pattern"). imm.log("-e Exclude pattern"). imm.log(" "). imm.log("e.g. !apitrace -i msvcrt -e printf"). imm.log("The above will hook all calls with msvcrt in the name"). imm.log("excluding those with printf. So msvcrt.memset will be"). imm.log("logged but not msvcrt._vsnwprintf")..class ExportHooks(LoadDLLHook):. . def __init__(self):. LoadDLLHook.__init__(self). self.imm = Debugger

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\bpxep.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	6385
Entropy (8bit):	4.768117781325224
Encrypted:	false
SSDEEP:	192:a10YEHPmCWoT/cKE6oGxQCJCZOp+Oy+6f:aBbKE6ooQCJoOx6f
MD5:	C7073E4892EB077A84F203062CBCD947
SHA1:	5995C67844F1DEAF4CEEC9496341A79F74243057
SHA-256:	105DB1049AD1FE56D7A481E859E37546757444F2201891B9D0F625D3AA875020
SHA-512:	242D4AA6DD95545559141EA4661F49AC8563C350D0BF679E3CF51E090DFA4DD54EC718A4BB3D2669CA26072ABB966E9309A411756FA8B4454548B9D8B212B909
Malicious:	false
Preview:	#!/usr/bin/env python....#-------------------------------------------------------------------------------..#..# By BoB -> Team PEiD..# http://www.SecretAsHell.com/BobSoft/..# BobSoft@GMail.Com..#..#-------------------------------------------------------------------------------..#..# Thanks to JMS for some TLS code used in this script .. ;)..#..#-------------------------------------------------------------------------------..#..# V1.01..# Fixed a missing var in getAddressInTlsCallbacks() ....#..#-------------------------------------------------------------------------------....import immlib..import pefile....__VERSION__ = '1.01'..DESC = "Sets a breakpoint on entrypoint of main module .."..ProgName = 'BpxEP'..ProgVers = __VERSION__......#-------------------------------------------------------------------------------....def usage(imm):.. imm.log(" ").. imm.log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers),focus=1, highlight=1).. imm.log("Descripti

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\chunkanalyzehook.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4556
Entropy (8bit):	4.711072790372782
Encrypted:	false
SSDEEP:	96:0qCfZ6oSYbQKcn0Wo2/UIYXerCMZXrTVRviWUWtEmmOpGb5t5cz56P:VWy0Wo2/UIYeTXrTVRviFyEOoFDcd6P
MD5:	B88CF8FA0CF36AE61469788FC713D0EA
SHA1:	617A572307A1BFAA2B2EA41F477AB97BEBEA490C
SHA-256:	581D1D0F7F329D76DBDF15B5A7F591C1275B473696862341AD19AFCA2ACBCDDC
SHA-512:	F2872AF668BF0138F9B4BC6E0B6C0F292E4631BB3976A734C9F231701BC32C0546825B49FD056606C19E721FA2C7F2F9E80A86A7365A752B1326989DDA4A3C0D
Malicious:	false
Preview:	#!/usr/bin/env python..""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}."""..import immlib.import getopt.from libheap import .from immlib import LogBpHook.import libdatatype..DESC = "Analize a Specific Chunk at a specific moment"..def usage(imm):. imm.log("!chunkanalyzehook -a ADDRESS < exp >", focus=1). imm.log(" ADDRESS of the place where you want to set a hook"). imm.log(" < exp > expression to calculate the chunk address"). imm.log("ex: !chunkanalyzehook -a 0x1006868 EDI - 4")..FunctionsType = [ "+", "-", "", "/", "&", "^"]..# Hook and Dump some Chunks based on the Expression.class HookAndInform(LogBpHook):. Functions = { "+": lambda a,b: a+b,. "-": lambda a,b: a-b,. "": lambda a,b: ac,.. "/": lambda a,b: a/c,.. "&": lambda a,b: a&c,.. "^": lambda a,b: a^c.... }.. def __init__(self, exp, discover = False, nchunks = 3, heap = 0):. LogBpHook.__init__(self).

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\cmpmem.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2034
Entropy (8bit):	4.395698546149308
Encrypted:	false
SSDEEP:	24:WWRq8f4yXJ+Vo4kXSbNrGFUSIoHKrMCs+ICOFiTifmm5INzHFoPfRuqUo+yaJtv:tR0A4kBCyvCs+3ifmKOFSfpUltv
MD5:	4A95EFAC8B6E8D7D17678AFE2B72AAC8
SHA1:	2C6BBF8744EF6982C77605B03638729DF4886FD1
SHA-256:	0A10F678BA806EB82E23CFE6EC3D43BA437A3E9F4A6DF57FAF3E2A9B305F1E76
SHA-512:	E79C38031CB31DC4646E63E583613CFB811C07B44D4A5286A3B64A290D118C9CC0BC870ED34122DCE0B6B9A3E033A763A10B3FA35DF072B267F765A84ABAE22D
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007....U{Immunity Inc.<http://www.immunityinc.com>}.."""....import immlib..from libheap import *..import getopt, string..import immutils....DESC = "Compare memory with a file (file been a dump from prettyhexprint)"..NAME = "cmpmemp"....def usage(imm):.. imm.log("!%s -a ADDR -f FILE_PATH" % NAME).. imm.log("%s" % DESC)....def main(args):.. imm = immlib.Debugger().. address = 0x0.. f_name = None.. try:.. opts, argo = getopt.getopt(args, "a:f:").. except getopt.GetoptError:.. return "Usage: !cmpmem -a ADDRESS -f FILETOCMP" % str(args).... for o,a in opts:.. if o == "-a":.. try:.. address = int(a, 16).. except ValueError, msg:.. return "Invalid heap address: %s" % a.. elif o == "-f":.. f_name = a.... if f_name and address:.. lines = open(f_name).readlines().. fmem = [].. for line in lines:..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\dependencies.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	721
Entropy (8bit):	4.543824837636943
Encrypted:	false
SSDEEP:	12:eA4hci8y3hc7CqU6qpHn2GAcAUGfxLAJfjG5rWroJL63AQUofyIn:eA4WWW+H/H2iOJefK5r917I
MD5:	521DD4038FB569024FA2F96AC9B70B4F
SHA1:	4119DD1DD7318D7DAA62CFFEA4A407898BD8C4B2
SHA-256:	821BBC148ED81F330B806F36834C1061C009CE64ADC60C8DEF7A023B370044BA
SHA-512:	021DBCD4A14B28E9FF59A857AD929B4B6D2C5475E458DE034BCA5D9BFB8A98AD13B30D86C6DDE1A045272B23C51086C4DDD1B794B282B7575527519D42293B2C
Malicious:	false
Preview:	"""pycmd example"""....DESC="""Find a exported function on the loaded dll"""....import immlib..def usage(imm):.. imm.log("!dependencies Find an exported function on the loaded dll").. imm.log("!dependencies module.function").. imm.log("ex: !dependencies rpcrt4.rpcserveruseprotseqw")....def main(args):.. imm=immlib.Debugger().. if len(args) !=1:.. usage(imm).. return "Error: Wrong arguments".. .. result = imm.findDependecies( [ args[0] ] ).. ret = 0.. for modname in result.keys():.. for mod in result[modname]:.. imm.log("Found: %20s on %s" % (modname, mod.name), address = mod.address).. ret +=1.. return "Found %d dependencies" % ret

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\deplib\deplibtest.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.093776693845739
Encrypted:	false
SSDEEP:	12:1e5tgLW1Fyha9o5EO1Vgh5xfOX2IGuUAVUAcCmIB5VcBKvVqVcBA:1eIa1Fyh4oro/BJX1BIPhNqD
MD5:	A19E0D0A52B87A4471E3C4E4F498D638
SHA1:	FC6713EF5E6B8A349BB57FBC12D83B1B69FF1CB7
SHA-256:	38357DF012A67C7806C057D65396B27C080F2F592168ECA598A6ED5915C12242
SHA-512:	8E0E4AAF73D9FCF08D69FE4DC94F14416AE06B124260C2C8BA7558EAF2F3F1F0FF3843E50743150779086F94EB4D94889A0850081C5FFB4E11B436FB3542B244
Malicious:	false
Preview:	from immlib import .from deplib.deplib20 import .import pprint.import sys.pp=pprint.PrettyPrinter()..a=deplibCompiler().a.setLocals(sys.modules[__name__]).imm=Debugger()...f=DeplibFinder({"stackpage":4, "dbname":"gadgets.sq3", "modules":"notepad.exe"}).f.processCommands(a).f.currentCommand={}.f.currentCommand["protectedcmd"]=False.exp=f.state.regs["EBX"]+f.state.regs["EBP"].imm.log("%s"%f.moveExprToReg(exp)).for k,v in f.gadgets.iteritems():. imm.log("%s:%08x"%(str(k),int(v)))..for k,v in f.rop.iteritems():. imm.log("%s:%02x"%(str(k),int(v))).

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\deplib\find_gadget.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	15964
Entropy (8bit):	4.1065587432134025
Encrypted:	false
SSDEEP:	192:5AmhNyncV6Qg/6oWDUvc+ypYImGAorzrKWjYfK8wFyzEzUpitbrrvwA5:sQgfWu6YImyrzrHClAnwO
MD5:	E0E450DA9214EDDFAA9EA7BC95DD9820
SHA1:	F727730485DB33C9BD42EF8E3615A537205AD705
SHA-256:	91ED89C8759EFE318AB84D6B04C873C233F637BDAAA12042E2CF7C424DBEEC2F
SHA-512:	23C553E7BC227809EEAD06628AF270012A905CCB8796972EAB2D408C283FAB30B3155801011557EB61EDB8F4AA8EE7837C8EE3FEDF47075818EA5B566A095C4B
Malicious:	false
Preview:	import pickle.import getopt..from x86smt.sequenceanalyzer import SequenceAnalyzer, MyDebugger.from immlib import *..""".This script takes a pickle file describing a set of candidate gadgets.and looks for a sequence that satisfies the constraints we specify...For now it takes a destination register (-d) and a src register (-s) or.value (-v) that we wish to put in the destination. The default mode is.to search for generic gadgets, that is those which regardless of the .context will satisfy the constraints. In other words we look for a .valid formula. ..e.g. !find_gadget -g Secur32.dll_gadgets.pkl -d EAX -v 0x0..(Finds instructions like xor eax, eax; ret; among other things)..!find_gadget -g Secur32.dll_gadgets.pkl -d EAX -s [EAX+10].!find_gadget -g Secur32.dll_gadgets.pkl -d EAX -s EAX+10..(The first finds gadgets that move the value at [EAX+10] into EAX. .Where 10 is in hex btw. The second looks for those that move the .number given by adding 0x10 to EAX into EAX)..By passing the -c fla

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\deplib\finder.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4136
Entropy (8bit):	5.018004945634979
Encrypted:	false
SSDEEP:	96:26VN7FsE7B1VmHwfyDMTfKiu439Da537xfVSB:26VNJnrVmHsyDMTyiuagxVSB
MD5:	58BF056B3724575F3DD2686E7E2194F8
SHA1:	8767FC005BDA3FCEEE04145F78478624246C3D78
SHA-256:	8EA52DB6EE27F0639555C5230F0D1DD545027B9D800A5B90CF294EFE5E587A67
SHA-512:	69625864530CA665AD814F94A1B1B997E8A2DBDAA98A2BCC191F8F8018A99438DF444ACB1C26964A6151704A7F59B0946B69F0C126AB5EEDB3E804C220347D05
Malicious:	false
Preview:	""".Two main functions are defined in the GadgetFinder class: searchByHashes and searchByProperties and .both return an iterator over the results from the database. Each result is a 3-tuple: module_id, module_offset, gadget_complexity...Hash searching is very fast and it provides EXACT results. You model what you need by changing an empty state machine instance...The state machine provides a set of registers, flags and memory variables that you can use to interact between them almost as natural python variables using PrettySolver notation...So, if you need a stack pivot for EAX you could try something like:.sm.regs["ESP"]=sm.regs["EAX"] #Emulate something like MOV ESP,EAX or XCHG EAX,ESP.sm.EIP = sm.readMemory(sm.regs["ESP"], 4) #Emulate a RETN.sm.regs["ESP"]+=4 #This would be for a clean RETN, other possibilities are +8 = RETN 4, etc etc. ..Remember that this type of search is EXACT, so it will look up exactly what you model...If you need to assi

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\deplib\findpivot.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6343
Entropy (8bit):	4.590118284096941
Encrypted:	false
SSDEEP:	192:qPWEZRpeQHNQBwj3s3pQL31I5h4Im3eILq:q+SeQtRI3pQL31ghJm3eqq
MD5:	F8EA65F685D2D98170E0EF817DE02C28
SHA1:	8875F0FBEAD88AA9C20B44B13490144AEA345599
SHA-256:	1DA903540B73F25AE7DAA38E3CD3E10973C8992E6658AF54D4BDC654464A712A
SHA-512:	9C98DCD90F509AB3CA8B2BEA8C4997F497134BD26999782CC8EC410340A99904489E93E11CEE4E177DCE83A4A6A8ABD7FE10EDBADD0680383447D4C44EE93D68
Malicious:	false
Preview:	from x86smt.sequenceanalyzer import MyDebugger.import getopt.from immlib import .from deplib.libfinder import GadgetFinder.from x86smt.prettysolver import .from x86smt.sequenceanalyzer import StateMachine.from immlib import *...def usage(imm):. imm.log("!findpivot"). imm.log("Defaults between square brackets"). imm.log(" -e = An expression for memory controlled by the attacker to pivot to."). imm.log(" -r = How many results to show. [100]"). imm.log(" -t sqlite3\|mysql = Type of DB [sqlite3]"). imm.log(" -n dbname = DB name ['gadgets.sq3' if sqlite3 or 'gadgets' if mysql]"). imm.log(" -h host = host for the DB connection [127.0.0.1]"). imm.log(" -u username = username for the DB connection"). imm.log(" -p password = password for the DB connection"). imm.log(" -m module = Module to use [use all modules in the DB]"). imm.log(" -d = Activate debugging"). imm.log(" -l

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\deplib\gadgets.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3368
Entropy (8bit):	4.563361110409559
Encrypted:	false
SSDEEP:	48:CJCutEExYZPkUij70bWO0FMJrscBwc8nIb3apHsSVG3a0RS5Skp:CJTtEYEM3Sk1+whkkME5SQ
MD5:	4C4B3D8BCE13A459C5CB3145FAA6FB35
SHA1:	9ED902E243B8165F4EF1E4704ADC316B7D1B5CC6
SHA-256:	70E1DABE0EB8C1AD6212322F7166DFEBEC1BC21E6EB381783C67874C5B154D00
SHA-512:	C748F0BE6A187F590F0E8E66494A83B2F74ECD2EF446FDE30D978502AA79630FDB73EAC543D6FABA566A637A577D7CBA93116F91300C3F523D0A4518D93DCB2D
Malicious:	false
Preview:	""".gadgets.py: started by modifying searchdep.py..Check out main for an example of how to use it.!gadgets as is will take a few minutes to run in ID."""..import cPickle.import os..import operations..from immlib import *.from x86smt.sequenceanalyzer import SequenceAnalyzer.from deplib.libgadgets import searchOpcodesRETN..class Gadget:. def __init__(self, addr, ins_cnt, byte_cnt):. self.addr = addr. self.ins_cnt = ins_cnt. self.byte_cnt = byte_cnt. self.sa = None. . def analyze(self, imm):. self.sa = SequenceAnalyzer(imm). if not self.sa.analyze(self.addr, depth=self.ins_cnt, stopEIP=self.addr+self.byte_cnt):. return False. . return True. .def main(args):. imm = Debugger(). . sear=searchOpcodesRETN(imm, filter_jumps=True, filter_calls=True). imm.markBegin().. doProperties = False. . if len(args)<1:. imm.log('Usage:'). imm.log('!gadgets <dllname> [-p]'). imm.log('-

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\deplib\gadgets_db.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3558
Entropy (8bit):	4.289632273628604
Encrypted:	false
SSDEEP:	48:Z+eJobbWZj6jmD5p7fBH/5B1KPcnXmdIxP1Ehx7cIq4jCSa:Z+eKbagmXBHcPKX0IxOTHjNa
MD5:	A2E508B8086AAC87A63E4C8424348ED4
SHA1:	E8E10A67BAB71DD9E576F83407E1E7E735E4FFDA
SHA-256:	EE397BB657B05A43E5543BD8763440206FC86370A897A60F2B44EE32F360A8C3
SHA-512:	19C5757E896F2A3A09480BEB76BF889539EE1A664907384A138962BAFBB2DB53607FDAAFE003A76CA13D91CED0C32CCB38FE5BEA27A22C826C23A6BC9A26938E
Malicious:	false
Preview:	import os.import sys.import shutil.from x86smt.sequenceanalyzer import MyDebugger.from deplib.libgadgets import GadgetsDB.import time.import getopt.from immlib import *.from datetime import timedelta..def usage(imm):. imm.log("!gadgets_db"). imm.log(" -t sqlite3\|mysql = Type of DB (sqlite3)"). imm.log(" -n dbname = DB name ('gadgets.sq3' if sqlite3 or 'gadgets' if mysql)"). imm.log(" -h host = host for the DB connection (127.0.0.1)"). imm.log(" -u username = username for the DB connection"). imm.log(" -p password = password for the DB connection"). imm.log(" -m module = Module to analyze and store (you can put multiple -m)"). imm.log(" -c max = How many gadget you want to analyze (All)"). imm.log(" -f = Force module re-analysis"). imm.log(" -a = Analyze ALL modules"). imm.log(" -b = DO NOT backup sqlite DB"). imm.log(" -d = Activate debugging

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\duality.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1562
Entropy (8bit):	4.585432887928074
Encrypted:	false
SSDEEP:	24:cdeQcvgWR8NtdERcLx3fiBC8EXTyCKB440zD+eil3MoiaMCvH/5MCU7pwk:FQTWON4Rot84ze0P+ei8CHSCU7px
MD5:	62AB218639D919D536DCD19F4D86FD28
SHA1:	144561B4B378384546DD040130E1FB7163CC8AAC
SHA-256:	1CB38284B7519543FD4F59838F782682CCD810718E573FFFB99C9DE7B1C36BA9
SHA-512:	858489700D6A235DC5C5E98140C96A0ED985FF53A384C48C86632339AA90C7CC3FE3D81F3AF65EC381E654ADE979339F53299164B593819751B2080F5DD75534
Malicious:	false
Preview:	import immlib, immutils....DESC = "Looks for mapped address that can be 'transformed' into opcodes"....def str2int24_swapped( value ):.. return istr2int( value + "\x00" ) ....def usage(imm):.. imm.log("!duality Looks for mapped address that can be 'transformed' into opcodes").. imm.log("!duality <asm code>").. ....def main(args):.. imm = immlib.Debugger().. found = 0.. searchf = {1:ord, 2: immutils.str2int16_swapped,\.. 3:str2int24_swapped}.. searchm = {1:0xff, 2:0xffff, 3: 0xffffff}.. .. code = imm.assemble( " ".join(args) ).. mask = len(code).. currentmask = searchm[mask] .... try:.. what = searchf[ mask ]( code ).. except KeyError:.. return "Error, Code too big".. .. imm.log("What: 0x%08x -> %s" % (what, " ".join(args)) ).. imm.getMemoryPages().... for a in imm.MemoryPages.keys():.... mem = imm.MemoryPages[a].. size = mem.getSize().. start = mem.getBaseAddress().. end

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\findantidep.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1941
Entropy (8bit):	4.93737568909758
Encrypted:	false
SSDEEP:	48:2pIC/oA4Tc0XUE0papMqucVLPOSPZXYoMFQP/qq:2pIC/olTcHmvLXBoocmqq
MD5:	DADFF9B898E806AEAAEB35622F7D9C5E
SHA1:	E41C514F64AE13C9D0FD34409F5297C00D06C4F8
SHA-256:	9A3201AB9113D6923664C43B91B8CB20811C5C3BB0E2423579446DA47BCF2268
SHA-512:	A422674620EED1407EAC76CC3896FA38D36C7980470CA1E02AB0F77031200B2EBB02876310ED753631D87899CEF9F7DBE82B111CF675BA19E5B6F0D806815094
Malicious:	false
Preview:	import immlib..import immutils....NAME = "findantidep"..DESC="""Find address to bypass software DEP"""....def usage(imm):.. imm.log("!%s" % NAME).. imm.log("%s" % DESC)....def tAddr(addr):.. buf = immutils.int2str32_swapped(addr).. return "\\x%02x\\x%02x\\x%02x\\x%02x" % ( ord(buf[0]) , ord(buf[1]), ord(buf[2]), ord(buf[3]) ).. ..def main(args):.. imm=immlib.Debugger().. addylist = [].. mod = imm.getModule("ntdll.dll").. if not mod:.. return "Error: Ntdll.dll not found!".... # Finding the first ADDRESS.. ret = imm.searchCommands("MOV AL,1\nRET").. if not ret:.. return "Error: Sorry, the first addy cannot be found".. for a in ret:.. addylist.append( "0x%08x: %s" % (a[0], a[2]) ).. ret = imm.comboBox("Please, choose the First Address [sets AL to 1]", addylist).. firstaddy = int(ret[0:10], 16).. imm.log("First Address: 0x%08x" % firstaddy, address = firstaddy).. .. # Finding the Second ADDRESS.. ret = imm.search

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\finddatatype.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1089
Entropy (8bit):	4.634445906852898
Encrypted:	false
SSDEEP:	12:aVStVhY8y7KQtQuDmzAfMnGkQqSrAKnxdRSrAKzh80VlKo/vGfCcopRAc/q3hVSJ:eStVh6/DfMvu5SVlKo/g5oTA84DiBF
MD5:	A2FAB0AE7314E27CA7B221409E04395A
SHA1:	2EEDB4EC5B9616668E2EE430C2EFDFD1C7F2796A
SHA-256:	EDFDBF94A52ACA456581C8F11C1740AEA8F3B416431A9A33A9E66E15EA63ABEE
SHA-512:	0A6EB074CC8E80FD4FBCD306FB6AD02B1A293FB43FCE2986DD7F7D93415819E1C7311B41AFEF060106479C19F287B60507988A1CD7C6A400E47F68CAB19EB7A1
Malicious:	false
Preview:	import immlib..import immutils..import libdatatype....NAME = "finddatatype"....def usage(imm):.. imm.log("!%s" % NAME).. imm.log("!%s ADDRESS SIZE" % NAME).. imm.log("Attempts to find the type of the data spanning").. imm.log("ADDRESS to ADDRESS + SIZE").... return "Usage: !%s ADDRESS SIZE" % NAME....def main(args):.. imm = immlib.Debugger().. if not args:.. return usage( imm ).. if len( args ) != 2:.. return usage( imm ).. .. addr = int(args[0], 16).. size = int(args[1], 16).. .. dt = libdatatype.DataTypes(imm).. mem = imm.readMemory( addr, size ).. if not mem:.. return "Error: Couldn't read anything at address: 0x%08x" % addr.. .. ret = dt.Discover( mem, addr, what = 'all' ).. imm.log( "Found: %d data types" % len(ret) ).... for obj in ret:.. t = "obj: %d" % obj.size.. if obj.data:.. msg = obj.Print().. imm.log( "obj: %s: %s %d" % (obj.name, msg, obj.getSize(

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\findloop.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2372
Entropy (8bit):	3.9579075652294256
Encrypted:	false
SSDEEP:	24:ckW6ee0fT5Co9I/kj1zl4tUapU/Pg1m7iZ5OKhoOTx25DuAh7O4xxh:I63UCJ+1AU/41m7mOKho6gnh7dh
MD5:	EA2174A12A41CE132C4D404A993B36FD
SHA1:	3E344C2E06578860427103B25C21D0864BD5371A
SHA-256:	82332956822ACBCC6AD51C3DB42C2A644B694ACE30F03419EFD953EB0C24ABA9
SHA-512:	DCF8DB9754A79462CEE7711ACD4418333482C91CC76CAD7EA24E6CA516B540C8FC735052E46085091FE0D083EF4221399E838EBBE195867CAEFCFD2B23C08828
Malicious:	false
Preview:	"""..(c) Immunity, Inc. 2004-2008......U{Immunity Inc.<http://www.immunityinc.com>}....findloop...."""......from immlib import ..from immutils import ..import getopt....DESC=""" Find natural loops given a function start address """....def usage(imm):.. imm.log("!findloop -a <address>").. imm.log("-a (function start address)").. imm.log("-h This help")....def main(args):.. imm = Debugger().. try:.. opts,argo = getopt.getopt(args, "a:").. except:.. return usage(imm).. for o,a in opts:.. if o == "-a":.. loops = imm.findLoops(int(a,16)).. for loop in loops:.. imm.log("LOOP! from:0x%08x, to:0x%08x"%(loop[0],loop[1]),loop[0]).. .. func = imm.getFunction(int(a,16)).. bbs = func.getBasicBlocks().. .. #find first and last node.. first = 0xffffffff.. last = 0.. for node in loop[2]:..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\findpacker.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1839
Entropy (8bit):	4.651617097486259
Encrypted:	false
SSDEEP:	48:Y/LdsH+djyzZA+66YcjypzVxbJt4/kMEolJn:SsH+d0uUWXbTvold
MD5:	29C31CCFFFDDB5E6933F0FAEB13469F6
SHA1:	EAB2C4383EBEFF2B66594045DBFA9E3BD92A247B
SHA-256:	D45D7C6B3F35CAE0BC9A0D576E3E344B3D78CF0F4DBB3471080546094828DCB0
SHA-512:	B650CA2041C26467BE51A04D0CF37F8F6D0DC0CBB9F87BA29E14A02A5EE1ED9381D3155D926DA6A2A50E75DA48383C1147B68EA58340117BA5D2294222A8F0B5
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....TODO:.. Fix the Offset in order to actually point to the address where the ID was found. (This is just a really beta version of this script).."""......__VERSION__ = '1.0'....import immlib..import getopt..import struct....DESC = """Find a Packer/Cryptor on a Module (Note: It might take some times due to the amount of signature on our db)"""....def usage(imm):.. imm.log("!findpacker [-f] -m filename/module Get the RPC information of a loaded dll or for all loaded DLL's",focus=1).. imm.log(" -m filename/module File or Module to search for").. imm.log(" -f When set, it look in the file instead of the loaded module").. imm.log(" ex: !findpacker -m notepad").. imm.log("NOTE: It might take some times due to the amount of signature on our db")....def main(args):.. imm = immlib.Debugger().. if not args:.. usage(imm).. retur

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\funsniff.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	8107
Entropy (8bit):	4.480194953913826
Encrypted:	false
SSDEEP:	96:obu9WgEVKw2P6Wni2WnWX8JwI1nVlWxYCaf5tg9qz5z7OfOzqIx+9B6ejVn0Lk3E:oyBG9jw0M2Gykn0Lk3hPFclOAn1fOSZ
MD5:	1DE083E7CFC25A81EFBFA382BA01B91E
SHA1:	3C1751AAC7D73D0CF148D30D6091986C944B3A09
SHA-256:	2DBA9FA3C29B3B1C85E05DDC227EF18AC6B87B23E565A049BB8D66534B6B9AE1
SHA-512:	16C8EA9E9BCD4FF9548F1CBEBF5A69585B7024D71E9E481109085960F690361A2DF839D27FE9C54642B16E8585526A13D1771DE49E61989049D562F247CE48B6
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}...."""........DESC="""Analize the heap pattern of a executed function"""....import immlib..import immutils..import struct..from immlib import LogBpHook..from libheap import *..import libdatatype..import getopt....# RtlAllocateHeap Hook class..ALLOCLABEL = "Alloc Hook"..class RtlAllocateHeapHook(LogBpHook):.. def __init__(self, address):.. LogBpHook.__init__(self).. #self.Heap = heap.. self.hookaddr = address.. self.Called = [].. def run(self,regs):.. """This will be executed when hooktype happens""".. imm = immlib.Debugger().. readaddr="".. size="".. .. res=imm.readMemory( regs['EBP'] + 8, 0xc).. if len(res) != 0xc or not res:.. imm.log("RtlAllocateHeap: ESP seems to broken, unable to get args").. return 0x0.. (heap, flags, size) = struct.unpack("LLL", res).. #i

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\getevent.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	898
Entropy (8bit):	4.537422107091834
Encrypted:	false
SSDEEP:	24:zwnZ4U6t2QvPgDuPF/c4VDm8IM7TMkQgnWE9s:zwnfI5P95hWd
MD5:	834C52C65560EBECA575CFEAE28D8E5B
SHA1:	22F3426A7E649871EDA2A1BAABD16F5484CA1147
SHA-256:	7A02DB8E65E3713C5C3ACE90AAF4FDEE52DC942919BEA1925C4CA90EF247C264
SHA-512:	A1FA575631EBB3C78F60ACE02D090B3BCEA5FCF2ED674F7DBDD88A8795E624FE4A5114C84406E04ECFBF955CE5905376ED28BA8A6DD7E37CB459425FD4643C05
Malicious:	false
Preview:	import immlib..from libevent import ExceptionEvent....DESC = "Get a log of current debugevent"..NAME = "getevent"....def usage(imm):.. imm.log("!%s" % NAME).. imm.log("%s" % DESC)....def main(args):.. imm=immlib.Debugger().. evento = imm.getEvent().. if evento:.. if isinstance(evento, ExceptionEvent):.. for a in evento.Exception:.. imm.log("Exception: %s (0x%08x)" % (a.getType(), a.ExceptionCode), focus = 1).. imm.log("Exception address: 0x%08x" % a.ExceptionAddress).. imm.log("Exception num param: %d" % a.NumberParameters).. for value in a.ExceptionInformation:.. imm.log(hex(value)).. else:.. imm.log("Last event type: 0x%08x (%s) " % (evento.dwDebugEventCode, str(evento) ) ).. return "Works".. else:.. return "Cannot handle this exception"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\getrpc.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4577
Entropy (8bit):	4.621843949014006
Encrypted:	false
SSDEEP:	96:kcf2f73Sp2/LcrodT+ZR+Er/dlU5QT7fBz5x/Z:CjCp7r6Tc+Q/XGQnJn/Z
MD5:	1C5828DD02F055440C4419F641CC7AE3
SHA1:	CA34C49A404E0E09145AC112872963427C81AC03
SHA-256:	D8C482E2358F68A7D5292BF69DE60EF6DCB9467D3BC4706272512A70CE69CCF4
SHA-512:	2CCD061B68126737F933745020F71BF6AAF3CB2BA908FC59F2CEAFFE513330A56007F3FBD17103F97A0D969FB854C18F3C31BE05029ED703229B0BDCB383F0AB
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....Additional feature of iterating through all DLL's added by Justin Seitz <jms@bughunter.ca> ...."""....import immlib..import getopt..import struct....DESC = """Get the RPC information of a loaded dll"""....def usage(imm):.. imm.log("!getrpc filename\|all Get the RPC information of a loaded dll or for all loaded DLL's",focus=1)....def get_rpc_info(imm,mod,module_name):.... codeaddr = mod.getBase().. size = mod.getSize().. mem = imm.readMemory(codeaddr, size).. ndx = 0.. offset = ndx.. Found = 0.. while 1:.. offset = mem[ndx:].find("\x04\x5d\x88\x8a").. if offset == -1:.. break.. offset -= 0x18.. .. try:.. length = struct.unpack("L", mem[ndx+offset : ndx+offset+4])[0].. if length == 0x44:.. Found += 1.. addr = codeaddr + ndx + offset.. ..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\gflags.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2506
Entropy (8bit):	4.147708160775154
Encrypted:	false
SSDEEP:	48:SLVw1275OOZ1T91UNkjIePDkjHWP+1WWwi:kz75fQNkMebkbWPIwi
MD5:	82607FE1ABFC8C3BCAF3D76935BFA3F5
SHA1:	21BFCB7C48207728BCDFEE017A045FC770A8614F
SHA-256:	2AC06E793F64E9D5E244FA875FD23F345F4B980D16C7BD5D455384EAD6EBACD7
SHA-512:	5EBB166CEE61527C368503EB814A0D0CB846ABF7A42AC36C76F89042D6E5BBBCDADAEE732E95072D19DD58419E77E0C51283A0313C1D9326322E6FEEBF156F2C
Malicious:	false
Preview:	#!/usr/bin/env python..""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}.."""..DESC="""gflags"""..import getopt.import immlib.import libregistry..def usage(imm):. imm.log("!gflags -[a\|d\|c] -m module Enable and Disable Global Flags", focus=1). imm.log("-m module Module to set the global flags"). imm.log("-a tag Set a Flag"). imm.log("-d tag Unset a Flag"). imm.log("-c Clear Flags"). imm.log("tags: "). for tag in libregistry.GFlagsTags:. r = libregistry.GFlagsRef[tag]. imm.log( " %s - %s" % ( tag, r[0] ) )..def main(args):. imm = immlib.Debugger(). . try:. opts, argo = getopt.getopt(args, "m:a:d:c", ["module=", "add=", "delete=", "clear"]). except getopt.GetoptError:. usage(imm) . return "Wrong Argument (Check Log Window)". . add_f = []. delete_f = []. clear_f = False. module = "". for o,a in opts:. if o in ('-a', "--ad

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\heap.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	7612
Entropy (8bit):	4.4767018176245985
Encrypted:	false
SSDEEP:	192:PXli0//b/E/o/u/n/iQ/feq/J+vG1/RQ/mio:PcyL3XGTDio
MD5:	17D31434409132BA93CBA485C360142B
SHA1:	041ED06804A39B6EB9AA26A12F589742D0231F1B
SHA-256:	32933B477DF3583471411F59E83C7A1CF10B08C304F7973018698D32CF0A83F9
SHA-512:	0E57D54F2EF0D0FD4D5DA2D64F681D381A4E06043C06313584BAE30181ABA23AB6A4BE1F16C553EE08EB9D9456C0AD330C39AC7CA1DA057184B9DFB237C8B796
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""....import immlib..import getopt..from libheap import *..import libdatatype....DESC= "Immunity Heap Dump"..def usage(imm):.. imm.log("!heap Heap dump of currents heaps").. imm.log("!heap [-h HEAP_ADDR] [-s] [-r] [-f] [-c]").. imm.log(" -h HEAPADDR Set the heap address to inspect").. imm.log(" -a CHUNKADDR Set the begging of a chunk to partially inspect").. imm.log(" -s Save heap's state").. imm.log(" -r Dump heap using restored value (in case of a broken chunk)").. imm.log(" -f Inspect the FreeList only").. imm.log(" -c Inspect the chunks only").. imm.log(" -k Shows the first 16 bytes of a chunk").. imm.log(" -d Inspect data on Chunks").. imm.log(" -q Dont show FreeList information") .. imm.log(" -l Inspec

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\hidedebug.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	32102
Entropy (8bit):	4.557904777441342
Encrypted:	false
SSDEEP:	384:MOCqF4ZukUcLoUxtCEn2a4Uw5OK9tlwAUn0I+UPI:SUOh4PP9PpQLI
MD5:	983E5EBA9E5A862CA97ECC86361522C5
SHA1:	5203B687BADEA09C9131439892DD5E565A6376D6
SHA-256:	73EDADB723D4F92E1B150626D56BB013077B57B51140C643A4CD06B837827381
SHA-512:	B99F827C4493EFAC615906FEB451ED5DEF210768CEC42F1560D9CD12740FB44444F0EB877AE0460D2452FBB879C83411EB1839AB5E90C8C9DD3D371436FE50DF
Malicious:	false
Preview:	#!/usr/bin/env python....#-------------------------------------------------------------------------------..#..# By BoB -> Team PEiD..# http://www.PEiD.info/BobSoft/..# BobSoft@GMail.Com..#..#-------------------------------------------------------------------------------....import immlib..import getopt..import random..import ctypes....#-------------------------------------------------------------------------------....__VERSION__ = '1.00'..ProgName = 'HideDebug'..ProgVers = __VERSION__..DESC = "Patches lots of anti-debug protection .. (try \"!usage %s\" for details)" % ProgName.lower()....#-------------------------------------------------------------------------------....Docs = """....Loosely based on patch.py (c) Immunity inc .. :)....Patches:.. o IsDebuggerPresent (With Poly-patch code, as too easy to detect Xor EAX, EAX).. o ZwQueryInformationProcess.. o CheckRemoteDebuggerPresent.. o PEB.IsDebugged.. o PEB.ProcessHeap.Flag.. o PEB.N

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\hippie.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	6622
Entropy (8bit):	4.482781580233102
Encrypted:	false
SSDEEP:	96:GmkFcN9i1rFqPLVIJnDwQyJdaUxj/GrXCmFQJkX0a+h8mq6mmn:zkFcCdnD6xj/4XC5Qih4Sn
MD5:	2A63F9091E1FAE5D32D06053F41CA063
SHA1:	0F01EED740F2D443C5B4ED09F581925BCE690A1F
SHA-256:	F76C8F942261F624018135FDB99F21555A69D582D8A137B38FBF09C977BECB93
SHA-512:	BA19D6079098277E7AED8A50CE7331A0356E6EEEB58C75B43054C26B896B354ACC9548E5EFBEAD61B19FE2FE7E15D7BFB1EB2F9456B4740B038AD45D9FB37FAF
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}...."""....DESC="""Heap logging function"""....import immlib..import immutils..import getopt....# We need to find this specific place..def getRet(imm, allocaddr, max_opcodes = 300):.. addr = allocaddr.... for a in range(0, max_opcodes):.. op = imm.disasmForward( addr ).. if op.isRet():.. if op.getImmConst() == 0xc:.. op = imm.disasmBackward( addr, 3) .. return op.getAddress().. addr = op.getAddress().... return 0x0....def usage( imm ):.. imm.log("!hippie -[o\|s\|d\|p\|c] InjectHook on Allocate/Free Heap", focus=1).. #imm.log("-n Name Tag Name ").. imm.log("-o Enable Hook").. imm.log("-s Show Hook results").. imm.log("-d Delete Hooks").. imm.log("-p Pause Hook").. imm.log("-C Clear Hook").. imm.log("-c

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\hookheap.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	4584
Entropy (8bit):	4.5674442594681866
Encrypted:	false
SSDEEP:	96:w9E1pKwzPXE1pJwzCkotgIzA9JeQ/G/K/390:QlttgSA94Q/G/K/3S
MD5:	E3862F3797E49200A5A2053DE0CA2F46
SHA1:	B4E37868A5955E22C6C452FF97C3E486309D85AC
SHA-256:	1CC5D33643ACF45C5869F12987B26D301EBAF7A98AE82A7C4CD924713B3B9291
SHA-512:	9BA8401F302B6DC2A3F33B78546CCBBADB688D74FB5503533C4427B9C49E6B6D06C125F037B8BE790A102FD503B6E167DA0267354DB31A105CD6625D0511083A
Malicious:	false
Preview:	#!/usr/bin/env python.."""..Hook on RtlAllocateHeap.."""....DESC = """Hook on RtlAllocateHeap/RtlFreeHeap and display information """..import immlib..from immlib import LogBpHook..import getopt..import struct....# RtlAllocateHeap Hook class..ALLOCLABEL = "Alloc Hook"..class RtlAllocateHeapHook(LogBpHook):.. def __init__(self, heap):.. LogBpHook.__init__(self).. self.Heap = heap.. .. def run(self,regs):.. """This will be executed when hooktype happens""".. imm = immlib.Debugger().. #for a in regs:.. #imm.log("%s:%08x" % (a, regs[a])).. readaddr="".. size="".. .. res=imm.readMemory( regs['ESP'] + 4, 0xc).. if len(res) != 0xc:.. imm.log("RtlAllocateHeap: ESP seems to broken, unable to get args").. return 0x0.. (heap, flags, size) = struct.unpack("LLL", res).. if heap == self.Heap:.. imm.log("RtlAllocateHeap(0x%08x, 0x%08x, 0x%08x)" % (heap, flags, si

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\hookndr.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	3860
Entropy (8bit):	4.680674683294814
Encrypted:	false
SSDEEP:	96:/F3TiKvtktb+qvKN1zvx9nVbg5SaKs/6wA/:KB+qy1zvxRVbg5SaKs/6t/
MD5:	D73BD56B4B869EE48377BE51D0D9F2EF
SHA1:	C542173D7254503F3390E073D0E3B189C8FA4504
SHA-256:	72DA56341BFBF0C0DF18717D3A23C00DB811606EB779A2EBA38FD6C7CB2705E8
SHA-512:	92F101630CF14F66FD560FA0F6DEE163C923569D2579EBDF4257C212BEDD95D87F6FA1A10FDFBCF98BAA904894FAF942F3DA04CEDAFB0925F03125D8096E2C9F
Malicious:	false
Preview:	import socket..import struct..import xmlrpclib..import traceback..import base64..from immlib import ..from immutils import ..import getopt....DESC="""Hooks the NDR unmarshalling routines and prints them out so you can see which ones worked"""......#############################################################################..class set_hooks(LogBpHook):.. def __init__(self):.. LogBpHook.__init__(self).. self.description="".. .. return .... #########################################################################.. def run(self,regs):.. '''.... '''.. imm = Debugger().. imm.log("%s"%self.description).. return ....def usage(imm): .. imm.log("!hookndr.py").. imm.log("%s" % DESC).. imm.log("-D (to uninstall hook)").. imm.log("-h This help")....# The main routine that gets run when you type !packets..def main(args):.... imm = Debugger().. imm.ignoreSingleStep("CONTINUE").. try:..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\hookssl.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	7159
Entropy (8bit):	4.561928038386425
Encrypted:	false
SSDEEP:	96:/F3xLZiKh8jZ+qBX2fCgZ/8/iLXZlwQs9E7ONY+lsL20nQOo5dxZYqYn/:vMZ+qBm6m/8iXZlIoEY+lu2yQOo5dxg/
MD5:	08A66A5AD202AA2D0A418F9EE402F4FB
SHA1:	51CF5912291123852C7477893B2538ABF2B808A1
SHA-256:	B5ABFF89BB900B4FC8ED0D690D1E8959E28CA26A17578F10869000C7D7790221
SHA-512:	B1CD2752477F3C1F6A15EBA619F07E0C51A90F4AAAF3D8BABEACC3CA69D9B2096F83E836A5C7F1C7624E48BC7CA297E7238FB6DBA3F415B1958A8D7E3F74F090
Malicious:	false
Preview:	import socket..import struct..import xmlrpclib..import traceback..import base64..from immlib import ..from immutils import ..import getopt....DESC="""Creates a table that displays packets received on the network.""".... ..#############################################################################..class set_hooks(LogBpHook):.. def __init__(self):.. LogBpHook.__init__(self).. self.xmlhost = "".. self.xmlport = 0.. return .. #########################################################################.. def run(self,regs):.. '''.. This routine is the first one hit, when a socket operation occurs... '''.. imm = Debugger().. .. .. # Retrieve the function name .. function_name = imm.getKnowledge("%08x" % regs['EIP']).. imm.log("Hook hit for %s"%function_name).. self.retrieve_packet(imm,function_name,regs) .. return .. .. ###########

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\horse.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5774
Entropy (8bit):	4.653073906001401
Encrypted:	false
SSDEEP:	96:8ER4ubHFU1jYggdOhLe/E/MkRTgLlCnR4Bz676XcO2M5po1qlWHkUz:82FbHHALe/E/MJ5iR4Bz676XcOUqlWHn
MD5:	82E622C0E347C9DBA7E77B25DB5D45A7
SHA1:	720562C2238C2CB6C6D39D1B156B44F29EF4D5E7
SHA-256:	2260BE17C817C95A0F289A7F5713C98182EB0D08C23CBEE28EF7D76C5B01BE3F
SHA-512:	2D246D34C9F3123E769022DD0B7487D069E5CE4207E171D2FBDDFD7C94407D0B6F9512EC88471963D7E4D3C2DDF321846A1EFF4F57EB1E8C32410BFB597C0C7E
Malicious:	false
Preview:	#!/usr/bin/env python....##Copyright IBM Corp. 2010..##..##Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at ..##..##http://www.apache.org/licenses/LICENSE-2.0 ..##..##Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ....import immlib..import getopt..from libheap import *..import libdatatype....DESC= "Low Fragmentation Heap Viewer"..def usage(imm):.. imm.log("!horse [-h HEAP_ADDR] [-b BLOCKS_ADDR] [-s Heap Bucket / SubSegment Info").. imm.log(" -h HEAPADDR Set the heap address to inspect").. imm.log(" -b BLOCKSADDR Set the _HEAP_LIST_LOOKUP block to inspect").. imm.log(" -n Find bins which a

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\list.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	837
Entropy (8bit):	4.854264671783712
Encrypted:	false
SSDEEP:	12:Hm1HcWs4aHAM0TWzd4RyFh2mfYEn2G7YDIaTyFqx2mfYo7DRgmAOr:YcWUXzdNF0E2UmIaWE4wFgmHr
MD5:	A2A69E7D2080E8D71D4640822821AB90
SHA1:	31816C8A349D66151F6F86ECD178AC921BD3D7F5
SHA-256:	257601DF87ED5B07F606068BEF066AA8FBC4FEF053EABC631752F626DB97B6F7
SHA-512:	A31C6A44796285114354470B2EC36209349BE5F7B7E2CE3904C6B54DF1EC5BDD2A99E238479310C06B2B3FAEEA9223B677115F93E32B7E9CF26B36F9864EA49B
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....List all pycommands with its descriptions in log window...."""....DESC="""List PyCommands"""....import immlib..import os....CMD_DIR = "./PyCommands"....def do_dir_list(imm, path):.. dir_list = os.listdir(path).. for name in dir_list:.. if name[-3:] == ".py":.. imm.log("* %s" % name)....def main(args):.. imm=immlib.Debugger().... dir_list = os.listdir(CMD_DIR).. imm.log("List of available PyCommands").... for name in dir_list:.. path = os.path.join(CMD_DIR, name).. if os.path.isdir(path):.. do_dir_list(imm, path).. elif name[-3:] == ".py":.. imm.log("* %s" % name) .... imm.log("",focus=1).. return "See log window for results".. ..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\lookaside.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2082
Entropy (8bit):	4.471127094066891
Encrypted:	false
SSDEEP:	24:YcW/5eq8fKjlRhRhwK6XkYc3iNyBe0Fmlh5oNpDmWm449rL+58ypaH1gn:Y/BeQlRDakW8NFOZR9ruKg
MD5:	22766FD746E4F4EBF4BA113E3BE72DE7
SHA1:	1DB7D1821FF33738DBB5D4E4A5F8EDBB851EB947
SHA-256:	0ECBC449375124DE676C3D95F52105C206F1880CBF5E413A2B26A0E931370162
SHA-512:	76A6CF4B712228638D0DCC9D46B9C4A12A532AF834D0531ECF912512D6506E00D3D94FC8FA25DF1979B6781B9D77711C33DCDDA5C2194A8C94C55AEEA15487AE
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""....__VERSION__ = '1.0'....DESC = """Shows the Lookaside of the Heap structure"""....import immlib..from libheap import *..import getopt..import libdatatype....def usage(imm):.. imm.log("!lookaside Shows the Lookaside of the Heap structure").. imm.log("-h Heap Address", focus=1).. imm.log("-d Discovery DataType")....def main(args):.. imm = immlib.Debugger().. heap = 0x0.. discover = None.... if not args:.. usage(imm).. return "Wrong args (Check the Log Window)".. .. try:.. opts, argo = getopt.getopt(args, "h:d").. except getopt.GetoptError:.. usage(imm).. return "Bad heap argument %s" % args[0].... for o,a in opts:.. if o == "-h":.. try:.. heap = int(a, 16).. except ValueError, msg:.. self.InfoLine("Invalid heap addres

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mark.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.28231429986574
Encrypted:	false
SSDEEP:	48:Y/s352U8ZH+wbNyLwVC0+rF+05ezndKBvFtwPFAGUl9gv1wIS:7352VHRbJGF+1RAvKU0S
MD5:	722B3C00E3BE99A2F7AB4EA4AF93199D
SHA1:	3A75DD0350BE626B01D7CAC931B59B48A9835D3D
SHA-256:	BBEEE8B73F37F36FB0D709B7C5F3E391F09071AE8BDFB775D2B251975D5F05B0
SHA-512:	FEA77F0DCC51111FCFC7501BB915C1B85F1E6ABC525090DCBF155E66A4944163120F6F5FD3C5A3084F8A4945EAAA283276CE40DC22B32D0B2325FAF97DB14BBB
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""....import immlib..import getopt......__VERSION__ = '1.1'....DESC= "Static Analysis: Mark the tiny ones" ....def usage(imm):.. """ All the options""".. imm.log("!mark search and mark given function").. imm.log("!mark [-f NAME ] [-c COMMENT] [-m MODULE]").. imm.log("Example: mark with DANGER_MOUSE string all the strcpy ones").. imm.log("!mark -f strcpy -c DANGER_MOUSE -m ALL").. .. ..def main(args):.. imm = immlib.Debugger().. .. if not args:.. imm.log("### Immunity's Mark the tiny ones script###",focus=1).. imm.log("Command ok, but no args, using defaults").. try:.. opts, argo = getopt.getopt(args, "f:c:m:").. except getopt.GetoptError: #get args, if error, show usage.. usage(imm).. return "Bad argument %s" % args[0].. .. .. #tiny ones default list.. tinyones=[].. tinyones.append("strcpy")

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mike.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	35827
Entropy (8bit):	4.4403826264411395
Encrypted:	false
SSDEEP:	384:lhiQlrwco4ebCT58/JGKyIo0AzmJ5+nj5aHdNChmhM0ar3:ljzo4zV8xGKyuAzMQEHdNCkmDD
MD5:	FD98868155B0059E770DA26D3CDC1309
SHA1:	20D26E8CE89E6B4588A8E32679A39BECF2655993
SHA-256:	133419C43E4E30948D700AE7A653541163D26DF7670578B1B9FC104C5BA20A83
SHA-512:	2C77716173E1208A79EB617314BC118E8EAAED21E048982E29E0571D183759EBB7575022C779F905745E34DA94D9AD531BA5BA4A6E79ACDD63BDAD3525EB804F
Malicious:	false
Preview:	import getopt..import struct..import time..import sys..import threading....from immutils import * ..from immlib import ..from libstackanalyze import ..from graphclass import ..from immvcglib import ..from socket import *....DESC="""Attempts to automate tracing the lifecycle of a packet's contents."""....#############################################################################..'''..Some defines for re-use...'''..PACKET_TYPE_SEND = "Send "..PACKET_TYPE_RECV = "Recv "..PACKET_PROTOCOL_UDP = "(UDP)"..PACKET_PROTOCOL_TCP = "(TCP)"....#############################################################################..class packet_analyzer(BpHook):.. .. #########################################################################.. def __init__(self, address, hook_type):.. .. BpHook.__init__(self).. self.begin_address = address.. self.imm = Debugger().. s

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\modptr.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	3867
Entropy (8bit):	4.644629952917096
Encrypted:	false
SSDEEP:	48:Y/APsq/ZmIgs3s+OLNfn+fxgpDtpmuTsSPtMeu3ZAdTYV9qvih+rl+nxCWwTD2e+:jPbfgMstLNf+amuTHjdTYyviAlO6PwYa
MD5:	4081EC9604D0BF15C7CE1C91B5B70FBC
SHA1:	41E9071F4184B681AD7822D39CE8A4C5E480D3C7
SHA-256:	4F1DB6584C04404070C9E3FF12A37200DA42DB117FE90958651ED51E22245243
SHA-512:	9CEC06CAB7861183DD37E3ABBDF0FF66F700DCE6B75978AB88B7242BBBC67C3C3090EBE6B854DF5E24EEA8C63F770D3FA0B4A4485B7FBCA8C96135EC41399CD9
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....modptr.."""..__VERSION__ = '1.0'....DESC="""!modptr Patch all Function Pointers and detect when they triggered """......import immlib..import immutils..import libdatatype..import getopt..from immlib import AccessViolationHook....INDEXER = 0xb4000000..INDEX_MASK = 0xFF000000..FNDX_MASK = 0x00FFFFFF....def usage(imm):.. imm.log("!modptr Patch all Function Pointers and detect when they triggered").. imm.log("! -a address").. imm.log("! -x 0xADDR[,0xADDR...] (Addresses to exclude)").. imm.log(" [Note: it will patch all the function pointer on the memory pages of the given address]").. return "Usage: !modptr -a ADDRESS"....# Access Violation Hook class..class FunctionTriggeredHook(AccessViolationHook):.. def __init__( self, fn_ptr):.. AccessViolationHook.__init__( self ).. #self.threadid = threadid.. self.fn_ptr = fn_ptr.... #

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\nohooks.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	336
Entropy (8bit):	4.748466552034904
Encrypted:	false
SSDEEP:	6:HWaHmFOY5kYgPuiqWHYX/SdSK50x/URBM/0IKKyAdpR+Z6HKygX:HuUY5IhdnxaKKyAd6ogX
MD5:	A38A959AEA652E97ABDD0A1C2D00F3D7
SHA1:	7DE9054B459D36122138296741C5501EB37DD740
SHA-256:	A6B346F9F3E312819E216BB5892F339C0C82691ECF4C48AE4F2D8DD71D84ACF7
SHA-512:	A513A00B26C76B96B6417FEDD46140AA9D140FAE9A6CD23557A636F0A231924255EB3325A63E71A8E98426B3ECEA5E6DAC6A7ED1E0715F216F53284B928EBA2F
Malicious:	false
Preview:	#!/usr/bin/env python.."""....nohooks...."""....__VERSION__ = '0.1'....DESC="""Clean all hooks from memory"""....import immlib.. ..def main(args):.. imm = immlib.Debugger().. for hook in imm.listHooks():.. imm.removeHook(hook).. imm.log("Removed \"%s\" hook from memory" % str(hook)).. return "Hooks removed"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\openfile.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	628
Entropy (8bit):	4.969697691832274
Encrypted:	false
SSDEEP:	12:Hm1HcWRnTMuY5DgsQY8yDbpKdDbxyMn2GlQUbHSSZKbI4pTcCrYCzfq:YcWRTU5jQCNwDtd2iFHpZKnpTNnzfq
MD5:	52C6DDD2CD07B48A08534D5C8EF76731
SHA1:	14A205C95E17756FA3847FC2A4AD76A8FB542261
SHA-256:	BAA00A4B865D5A6BCF75A41F3CF0FAF2140818CF57FC89BBBED766E5B7E0CD42
SHA-512:	C97A5BB36744C2C58386219E974D858FA8A2B38672C4D14537543C9F96BAC9B285D692E98A945FAC07A5FBE84C188F4ACA3B568DCD8BD3CD9E0C099B1C556858
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....openfile example...."""....__VERSION__ = '1.0'....DESC="""Open a File"""....import immlib....def usage(imm):.. imm.log("!openfile file").. imm.log("ex: !openfile c:\\boot.ini", focus=1)....def main(args):.. imm=immlib.Debugger().. if not args:.. usage(imm).. return "Wrong Arguments (Check Log Windows for the usage information)".. ret = imm.openTextFile( args[0] ).. if ret == 0:.. return "File %s open" % args[0] .. else:.. return "Cannot open %s" % args[0].. ..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\packets.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	10886
Entropy (8bit):	4.5129925838405365
Encrypted:	false
SSDEEP:	192:2xO9G1YqJmYf16qJXKLeOw/rE/YUL40eNw5ExQ9C/:H9GDjfNaabuL40eNwCx3
MD5:	929F9B31BE8847F3A1B73A5DA420A4E4
SHA1:	B2D62C442484B6901798B9259483E9B04AA044DF
SHA-256:	021D723B3EA23ACC824A189629EB2C4CE7C792EE8B88D1A69A7B77B9E60FE15C
SHA-512:	C7879146C53899CFAE2A2786F3C3737C1B45D44BDCAA4C5D43C091FA99D02FBF7FF4413EEC442931D9E3F6103BC69C3E030A4FFEEFD1DDD17755A398E40C4AD6
Malicious:	false
Preview:	import socket..import struct....from immlib import *......DESC="""Creates a table that displays packets received on the network."""....#############################################################################..'''..Some defines for re-use...'''..PACKET_TYPE_SEND = "Send "..PACKET_TYPE_RECV = "Recv "..PACKET_PROTOCOL_UDP = "(UDP)"..PACKET_PROTOCOL_TCP = "(TCP)"......#############################################################################..class simple_hooks(LogBpHook):.... #########################################################################.. def __init__(self):.. LogBpHook.__init__(self).. .. .. ######################################################################### .. def run(self,regs):.. .. imm = Debugger().. .. (payload_ptr,type,function_name) = imm.getKnowledge("%08x" % regs['EIP']).. .. # The length is stored as a function return argument, so let's read EAX..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\pyexec.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	887
Entropy (8bit):	4.682800008800844
Encrypted:	false
SSDEEP:	12:Hm1HcWTmvhf3RWQkJY8y9+Dn9zPJ4+QfUmLWpcEdBkLwG3FkSEpsKkJMGY2R:YcWTmvhf3RYJoU1J4amLWvw3FkP26Gf
MD5:	86EE82172932BCA71F763C3C8F45E646
SHA1:	1341A67771F743645ACBADB09F39EB2BCE83D974
SHA-256:	981C57B049A134908C8EC941191796CF84C1514C17FB3D9647DAE2151EA183CA
SHA-512:	165CB3C9E2271E575F5A1D91181D67147CE47EF14365497A3A5280454195D98D5203E782678B2265B9CFEAF2ECC2BF7B6540A0A30D5B3A80CA0905F7379CCA08
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""..__VERSION__ = '1.0'....import immlib, string..import traceback..import sys....DESC = "Non interactive python shell [immlib already imported]"....def usage(imm):.. imm.log("!pyexec code").. imm.log("%s" % DESC)....def main(args):.. imm = immlib.Debugger().. if args:.. commands = string.joinfields(args, "").. try:.. exec commands.. except: .. error = traceback.format_exception_only(sys.exc_type, sys.exc_value).. imm.log("Error on: %s" % commands, focus = 1).. for line in error: # Its just one line anyways, for format_exception_only.. line = line.strip().. imm.log(line) .. return line.. else:.. return "No python command given"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\recognize.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	8241
Entropy (8bit):	4.487037585872193
Encrypted:	false
SSDEEP:	96:yLbHkWk+csycWi5oZRAuCnmGOtXfNos5HaU9ZXZQBfrvOkPQ/3vjohKNzMdp86Er:AbecnKrJvDpHXsejoU6p86BY
MD5:	8686046CCF3F046A9BC05DEAF543798B
SHA1:	AF8DC558F18E232EFABC8B9AE87C1D77D70E76AD
SHA-256:	1AB6F60B3E27A8E3094F1C81A8CAC26E71B1148E5C1F4B6AE0CC0EBEDF150E86
SHA-512:	56C3F72832EC0A30B50F214275CA3DFA51BC4C5C88A0BE80D5D64BF03AC8886196124277A4A4FC6656BB3599B6B210F3B590CBAC524AEDB8F2CBB158C6C61249
Malicious:	false
Preview:	""".recognize.py - Function Recongnizing using heuristic patterns...(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}.."""...__VERSION__ = '1.0'.import immlib.import immutils.import getopt.import string.import os.import csv.from librecognition import *..DESC="Function Recognizing using heuristic patterns."..def usage(imm):. imm.log("!recognize -{a\|m} -n name [ -x address ] [ -i filename ] [-v version/extra]"). imm.log("!recognize -d [ -i filename ] -n name"). imm.log("!recognize -l [-i filename] [-n name]"). imm.log("!recognize -f -n name [-i filename] [-v version/extra] [-o module] [-h heuristic_threasold]"). imm.log("!recognize -r -x address [-i filename] [-h heuristic_threasold]"). imm.log(" ex (find a pattern, accept 80%% of match): !recognize -f -n iTunes.AntiDebuggers -h 80 -o iTunes.exe"). imm.log(" ex (resolv an address, accept 93%% of match): !recognize -r -x 004EDE00 -h 93"). imm.log(" ex (add a pattern): !recognize -a -x 0

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\safeseh.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	3226
Entropy (8bit):	4.811529441151031
Encrypted:	false
SSDEEP:	48:9L/Bre71TQ5QyRXWFLhF2UTGMdmeBWmZZlfPM64RFGztt4i7O:9lre71TiZRGFLCUTGCM64Cztt4i7O
MD5:	8E34CF4C4291F0BDCF33CE1D575A4363
SHA1:	FABC0C79943F88AB48BDE4F324D67FFE60E275BB
SHA-256:	E0FC343A9F4B436C810DBF037270B4E9330EAB800DFF30975E33267BCD1DBA98
SHA-512:	0621C7717B7E1E5E0CC4ED3619C8D7B2651CA7A3B2B1388E05E9D1CEADD06A0D2D6798A67F55B0678058FEE0F959BA948A495D0108380267117B8BFB7139E470
Malicious:	false
Preview:	#!/usr/bin/env python.."""..Immunity Debugger safeseh search....(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""....__VERSION__ = '1.1'....import immlib..import getopt..from immutils import *..import struct....LOG_HANDLERS=True....DESC= "Looks for exception handlers registered with SafeSEH"....def usage(imm):.. imm.log("!safeseh (-m module)",focus=1).. ..def main(args):.. imm = immlib.Debugger().. .. module = None.... try:.. opts, argo = getopt.getopt(args, "m:s").. except getopt.GetoptError:.. usage(imm).. return "Bad argument %s" % args[0].. .. for o,a in opts:.. if o == "-m":.. module = a.. .. allmodules=imm.getAllModules().. table=imm.createTable('SafeSEH Table',['Module','Handler']).. for key in allmodules.keys():.. if module is not None and module != key:.. continue.... mod=imm.getModule(key).. mzbase=mod.getBaseAddress()..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\scanpe.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	7252
Entropy (8bit):	4.772609746633252
Encrypted:	false
SSDEEP:	96:aE3f3jPAsGKIvsnnaYgqiWD2VJofKBTl3zOzim6utU5gQIdkvvlvfgOgnA/:Z3TksnaDayJZ9Izimf+7GkFIl8
MD5:	580EE3C9DB2306646A9B5CBCEFB52402
SHA1:	228D3368DBB302F90AC8BBDADE905742BEA3EE68
SHA-256:	35FE74BA64B8D488CA9A56E0C4ED4D45B3F144F6AEC11E73A70B70709EF84352
SHA-512:	CEFF7865F4431077B7C2EC53FBD84E6EB59ECFB894B0151B7C4EEDDBF79D08F5C415DA4105321A14D89896D0AED19FB78E2FF75CFD7E300C56E7CA6486FAE4A7
Malicious:	false
Preview:	#!/usr/bin/env python....#-------------------------------------------------------------------------------..#..# By BoB -> Team PEiD..# http://www.SecretAsHell.com/BobSoft/..# BobSoft@GMail.Com..#..#-------------------------------------------------------------------------------..#..# Based on findpacker.py, this script will scan the entrypoint or whole file of..# the main module, using Ero's PEFile and my UserDB.txt as before ....# Also added is logging of the entropy of the file and a guess based on the..# entropy as to whether the file is packed or not...#..# By BoB, whilst freezing in England.. ;)..# I only started with Python a week ago, and this is my first ever script ....# So, please excuse any bad Python coding :P..#..# Thanks to JMS for checking my dodgy code .. :)..#..#-------------------------------------------------------------------------------......__VERSION__ = '1.00'..ProgName = 'ScanPE'..ProgVers = __VERSION__..DESC = "Detect a Packer

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\search.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	823
Entropy (8bit):	5.1087152942641065
Encrypted:	false
SSDEEP:	24:nj6WBO5zfhlLKHKmguY1z6wfkUkpZVmQ6fafSxo8w7:nNI5zhlLKqeCmUkpF60Sxo8y
MD5:	63B1781E1704C4352D98C4A0CA3EF685
SHA1:	E8FE1A242C15A26F473B41D749D01975FE057D77
SHA-256:	94523500ECA2F18AAEB42E72A78FE4AC7631ECCFAD95BFA4182D95269FBC6B92
SHA-512:	91D23A9C337F14ECE35855C0173E58B6AF921C845DBA0AB6C370635B5915A3F8FD955510526A45CF63C0DCFBF10D222E165D2D4790CE96E772B59D8650032C10
Malicious:	false
Preview:	""".Immunity Debugger Regexp Search..(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}..search.py - simple script that lets you quickie search for regexp."""..__VERSION__ = '1.1'...import immlib..# TODO: -a <ASM> -m <modname>, search all on no -m.# TODO: migrate/replace searchcode.py..DESC = "Search for given assembly code"..def usage(imm):. imm.log("!search <ASM>"). imm.log("For example: !search pop r32\\npop r32\\nret")..def main(args):. if not args:. return "Usage: !search <ASM>". imm = immlib.Debugger(). code = " ".join(args).replace("\\n","\n"). ret = imm.searchCommands(code.upper()). for a in ret:. result=imm.disasm(a[0]). imm.log("Found %s at 0x%X (%s)"% (result.result, a[0], a[2]), address=a[0], focus=1). return "Search completed!"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\searchcode.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.724478328942401
Encrypted:	false
SSDEEP:	24:YcWY5F8We/276/iINN40nC7ACTJwDtVTvzDmFBJuYk:Y/mF8Wew6qI/KLuGjHk
MD5:	35D46782D95089D2889B56CBD8546B39
SHA1:	95B5EA23F6412982256FB28D53ED8180B08882D6
SHA-256:	70FDFB4D29C37881055BD9EEE91D04BCA4A1224398E52446B2C7E03A1F4A2FCF
SHA-512:	3AA2C4795E3E4ECCC53E3869FDAF0CAABF0300CD32189EEBBDCF78862409FFECE04781A682E374E901F6A3141BD1F808D56F8D491F36689799B7803103E1C79C
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""......__VERSION__ = '1.0'..import immlib....DESC = "Search code in memory"....def usage(imm):.. imm.log("!searchcode Search code in memory").. imm.log("!searchcode <asm code>")....def main(args):.. imm = immlib.Debugger().... look = " ".join(args).. ret = imm.search( imm.assemble( look ) ).... for a in ret:.... module = imm.findModule(a).. if not module:.. module = "none".. else:.. module = module[0].. .. # Grab the memory access type for this address.. page = imm.getMemoryPageByAddress( a ).. access = page.getAccess( human = True ).. .. imm.log("Found %s at 0x%08x [%s] Access: (%s)" % (look, a, module, access), address = a).. if ret:.. return "Found %d address (Check the Log Windows for details)" % len(ret).. else:.. return "Sorry, no code found"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\searchcrypt.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with very long lines
Category:	dropped
Size (bytes):	9495
Entropy (8bit):	4.825955643000335
Encrypted:	false
SSDEEP:	96:cLHd1YCDfWCE8iyJuqwjrGn8KZeBPjasSHk585SjFudyWBPeIzEpBybpapHohjVI:GPxDfcYUqwjQgBPmssltdyMeIcBQxA
MD5:	CC209C7B575DECE584913AB1A6C1D3EC
SHA1:	8FD985373D31851078921195FCF3CD13FE75A205
SHA-256:	3355542A599DBBDD0B3E720520392A522F79C0113F273C0F18711CBB91CD1CE1
SHA-512:	F19CDCC1C33B25A4236E00B7401E2CCB82DB959F5063C458019F7A9E5490224C97B8BE6696411CD1866B38DF06E00C1FA0D64421FF9F182948C0FB7D2330AE82
Malicious:	false
Preview:	""".(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>}..Search a defined memory range looking for cryptographic routines."""...__VERSION__ = '1.0'.import immlib.import getopt.from immutils import *..DESC = "Search a defined memory range looking for cryptographic routines"..def usage(imm):. imm.log("!searchcrypt [-a FROMADDRESS] [-t TOADDRESS] [-o OWNER]", focus=1). imm.log(" FROMADDRESS start address"). imm.log(" TOADDRESS end address"). imm.log(" OWNER memory page owner"). imm.log("ex: !searchcrypt -a 0x70000000")..def main(args):. imm = immlib.Debugger().. try:. opts, notused = getopt.getopt(args, "a:t:o:"). except getopt.GetoptError:. usage(imm). return "Wrong Arguments (Check usage on the Log Window)".. fromaddy = toaddy = owner = None. . for o,a in opts:. if o == '-a':. try: . fromaddy = int( a, 16 ). except ValueError:

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\searchheap.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2286
Entropy (8bit):	4.533175305823178
Encrypted:	false
SSDEEP:	24:YcWY5kpJqqKPGJK3m8tB1jyVe31umXQoKaqcBeVFqq9/dqY3/N9miHPtSSzSnxf4:Y/muDgfZN+cVpuFqq9/BUatSZDo3
MD5:	7C88FAF387169F170AA35E33AB16492E
SHA1:	897E0B002927DC43354F822B0E23F0FE444EFDE5
SHA-256:	2B0E7CEB551B760E52C959E52527DDE13F53C1D3C53919ED340E4EC27725C839
SHA-512:	98B4060BD08BD80D23DCE6137777EF2D8C0130C1B602BCADFBED3ECE046869C98BE5845BC425685629368B2898D277911A4AE1C49D9F1415392E636B9EDEDDE0
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}.."""......__VERSION__ = '1.0'....import immlib..import getopt..from libheap import *....DESC = "Search the heap for specific chunks"....def usage(imm):.. imm.log("!searchheap Search the heap for specific chunks").. imm.log("!searchheap [-h HEAP_ADDR] [-s] [-r] [-f] [-c]").. imm.log(" -h HEAPADDR Set the heap address to inspect").. imm.log(" -w what What to search for: size, prevsize, flags, address, next, prev").. imm.log(" -a action Search action: =, !=, >, <, >=, <=, &, not").. imm.log(" -v value Value to be searched").. imm.log(" -k Show the content of the chunk").. imm.log(" -r Use the restored heap (see !heap for more details)").. .. ..def main(args):.. imm = immlib.Debugger().. imm.log("### Immunity's Search Heap ###") .... try:.. opts, argo = getopt.getopt(args, "h:w:

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\searchspray.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.61411287498812
Encrypted:	false
SSDEEP:	24:lHIf/LKSIqyKZcg8EfoCGlKiUaUPRGNRyZ:4LKalMEfM8KyZ
MD5:	5D22BD6C365E78E890ECE49FDD12B9A9
SHA1:	861CA5E0AEF057DA8E9BD01C60EBCCF2426FFFB0
SHA-256:	58608217D7FB98216416E5C8AAE79CDA25825974B369ACEF2BED45E4E37862AA
SHA-512:	AD40F3D7944BD032E68C5275F5D9B2B94F7F4548EA75226E619E5750C7D126CF791FBAD12DA9EDFAB42E118A5747A9EB253D9A45F4813D9CF06CB4FE8CF453AE
Malicious:	false
Preview:	# -- coding: utf-8 --.from immlib import *.import getopt..def main(args):. """. Script to search all occurences of a string in memory and. display them on a table. Useful (for me) to visualize heap. layout created by heap spray... !searchspray -h fe ca fe ca 11 11 11 11. !searchspray -s I am evil homer. """. imm = Debugger().. try:. opts, argo = getopt.getopt(args, "s:h:", ["string", "hex"]). except getopt.GetoptError, err:. usage(dbg). return str(err).. opt = " ".join(args[1:]).strip('"').. if args[0] == "-s":. string = opt. elif args[0] == "-h":. string = "".join(["%c" % int(i, 16) for i in opt.split()]).. log = imm.createTable("Heap Spray", ["#", "Adddress", "What?"]). i = 0. for a in imm.search(string):. i += 1. log.add(a, [str(i), str(hex(a)), " ".join(["%x" %ord(j) for j in string])]).. return "Logging to Heap Spray Window".

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\shellcodediff.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2362
Entropy (8bit):	4.906785912725964
Encrypted:	false
SSDEEP:	48:nqS2YRzXNa6ZBCJ292jU6paucDmiiM2KK:qS2ezpCxj/JFM2KK
MD5:	C47F4AB470DDF31F26C12A7F61A143C7
SHA1:	AEF400036F645E32C8F1484040D7348622FD8027
SHA-256:	DD9FD5E92B12B70026066858E3CEFEAFCDFCB5DB86E666B4058E5C6C9D1C2ACD
SHA-512:	1A6B985521149AC163E154CB52EF26D1452A7E1DF44CE5A12CA15DB54DDC470EC267775CDC7A770029C340D00E2DFFB7996CC346505CA95816D9ECBFBA9B2C68
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2008......U{Immunity Inc.<http://www.immunityinc.com>}....Shellcode diff...."""....DESC="""Check for badchars"""....from immlib import *..import sys....NAME = "shellcodediff"..USAGE = "address"....def main(args):.. imm = Debugger().. .. if len(args) != 1:.. imm.log("Usage: !" + NAME + " " + USAGE)...return "See log window for usage info".... address = 0.. length = 0.. bad_byte_offset = 0.. mangled = False.. .. address = int(args[0],16).... fd = open("shellcode.txt","r").. canvas_byte_list = fd.readlines().. fd.close().... canvas_shellcode = "".. # Just pretty this up.. for i in canvas_byte_list:.. canvas_shellcode += i.rstrip("\x0a").. length = len(canvas_shellcode) / 2.... id_shellcode = imm.readMemory( address, length ).. id_shellcode = id_shellcode.encode("HEX").. imm.log("Address: 0x%08x" % address).. imm.log("SC Len : %d" % length).... imm.log("CAN

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\sqlhooker.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	6477
Entropy (8bit):	4.723924689011292
Encrypted:	false
SSDEEP:	96:tlQhl/d3vn3Vd1Vm6B7/Wz7X5LqMcoywmpX/80MATMEddHBZy0LIzY:G/Zn3S6B7Of3ywmd/80/MIZymIzY
MD5:	7873E0BE14DD62525B1C51781DF75EEC
SHA1:	382E9C574E6AFFB85E3CE461F28077A339707B88
SHA-256:	BA60708A41401C5698DAF79B6831A25D50F6FBC4052965DA07C2E749DBFC0655
SHA-512:	0225E10B1A76D968134AEC35239D72344FBA01C371052BBA003565BD9D0073AE7AA94AE658DE54A56901E90A85B8A7530E015CA9D44557F53AD30D28BDD562F0
Malicious:	false
Preview:	#/usr/bin/env python....import getopt..import xmlrpclib..import traceback..import struct..import debugger #needed on old ID for removeHook....from immlib import *....LICENSE="BSD 3-clause non-attribution" #yay!..copyright="(C) Immunity, Inc., jms@bughunter.ca"...."""....This script supports the SQLOLEDB method of executing queries and, when..combined with sql_listener.py will send you all the queries executed by a web..application. Server-side filtering (necessary to avoid sending thousands of..queries a second to you on a busy server) is stubbed in for later. We hooked..IIS rather than SQL Server because common practice is to have your SQL tier..un-routable, but the web tier is likely to have Internet access.....Somewhat later we'll have this integrate into SPIKE Proxy and other tools to..automate detection of blind-sql attacks/detection and sql injection in..general.....In order to use this script:....1. Run a few queries against your target server, this will start up two..dllhost.ex

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\stackvars.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2852
Entropy (8bit):	4.715057202271794
Encrypted:	false
SSDEEP:	48:ZmDVXrCPpVXrsyyhQJ4RGsTxel9XgLqNHeN+K+bndwfi9CzHBw9BpY:UqT2k4XAl9Xg+N+UKkdyIC69BpY
MD5:	94238C8BF057C209414A5BE675FB61BA
SHA1:	8C081A1517CD2D52BAB345D8373814DC42CFCB98
SHA-256:	AF82D034EBC9DC15704C549FFF28C4BF05D49B3462285F40C1945357A84B4FEA
SHA-512:	31A9B0F44FC2B617E67E038CB77565F58DCEB602DD037007847B478CD20CF00F49B85923E901320EF5C13695301B709271EEA46EAB7123F00F84AFF75FF48B2A
Malicious:	false
Preview:	#!/usr/bin/env python.""".Immunity Debugger stackvars..(c) Immunity, Inc. 2004-2007...U{Immunity Inc.<http://www.immunityinc.com>} Debugger API for python..stackvars.py - set comments around the code to follow stack variables size and content..."""..__VERSION__ = "1.2"..import immlib.import immutils.import getopt.from libstackanalyze import *..DESC="Set comments around the code to follow stack variables size and content"..def usage(imm):. imm.log("!stackvars address_or_expresion [steps_to_decode]"). imm.log("%s" % DESC). imm.log("Note: each step represent one call further from the base function")..def main(args):. imm = immlib.Debugger().. if not args:. imm.log("you must define the address of the function to analyze"). usage(imm). return "not enough args".. address = imm.getAddress(args[0]). if address < 0:. imm.log("invalid address or expresion"). usage(imm). return "address error!". . if len(args) > 1:. steps

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\syscall.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	52241
Entropy (8bit):	5.039433087878704
Encrypted:	false
SSDEEP:	768:66WmkoBOrq8z6oKzwsKo2uQBnSJy6Lj6cPITntwL1/+513:66WPoBnQBKzFKoBqSJyyjtPmtwLZS13
MD5:	3DADDDD1F43C4C54DF2DC9E35B0DBE22
SHA1:	38A021195C4257DA2FA784B118736F6C0BD60552
SHA-256:	C2A373506E84080B496CD09A1138C4EACF35AFA879112CD099AA40271AF60610
SHA-512:	62376C61467126F29DCA197E77EA5E6A65CC804F47E7413DF90DF7EF345A91707FD5AB0621CB00C2992E0C7FBDECEBDFCAAE3FF8EBDC3999D81B64F439D341B0
Malicious:	false
Preview:	# (c) Immunity Inc. .# This is a port of Ero Carrera's script that he wrote for .# IDAPython. This is the same deal, however it can be easily .# expanded to track hits to these calls. The beauty of a debugger..#.# http://www.openrce.org/blog/view/1077/Digging_up_system_call_ordinals.#.import getopt.from immlib import *..syscall_table = {'2003': . {'0x0103': 'NtSignalAndWaitForSingleObject',. '0x009e': 'NtQueryInformationFile',. '0x0079': 'NtOpenEventPair',. '0x0078': 'NtOpenEvent',. '0x00c9': 'NtReplaceKey',. '0x0073': 'NtModifyDriverEntry',. '0x0072': 'NtModifyBootEntry',. '0x0071': 'NtMapViewOfSection',. '0x0070': 'NtMapUserPhysicalPagesScatter',. '0x0077': 'NtOpenDirectoryObject',. '0x0076': 'NtNotifyChangeMultipleKeys',. '0x0075': 'NtNotifyChangeKey',. '0x0074': 'NtNotifyChangeDirectoryFile',. '0x008f': 'NtProtectVirtualMemory',. '0x00db': 'NtSetBootEntryOrder',. '0x008d': 'NtPrivilegeObjectAuditAlarm',. '0x008e': 'NtPrivilegedServiceAuditAlarm',. '0x008b': 'NtPowerInformation',. '

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\template.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1549
Entropy (8bit):	4.72658813000319
Encrypted:	false
SSDEEP:	24:YcWK8U5bsMKZZHZag/oJk/D3VqgXXEbbpByisMl1:Y/K8aQMoNZNRDkWEbbvyisMl1
MD5:	B78F255C7D5E47453B29F1008165F378
SHA1:	90C87064EA46FA3ADD41CF0258FBEB989FC0E787
SHA-256:	F47836D5B679744383B73B495257B8B268514572E2547E99CCA6467C9D0ED020
SHA-512:	9C5287FBCAD9B9BB6113F6E826C549326CA5E00B9ACC8BE55E771C95315851541EC03A7A47F99FD0309E4F4E485CCAA6F95C1EEE0DF83CCFE9C80537CBE8E2FA
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....Immunity PyCommand Template...."""....__VERSION__ = '0.0'....import immlib..import getopt....DESC= "Immunity PyCommand Template" #description used by PyCommands GUI....def usage(imm):.. """ All the options""".. imm.log("!template example command").. imm.log("!template [-a] [-b] [-c] ",focus=1) # focus the usage.. .. ..def main(args):.. imm = immlib.Debugger().. .. if not args:.. imm.log("### Immunity's PyCommand template ###").. return "Command ok - no args" .. try:.. opts, argo = getopt.getopt(args, "a:bc:").. except getopt.GetoptError: #get args, if error, show usage.. usage(imm).. return "Bad argument %s" % args[0].. .. #parsing args.. for o,a in opts:.. if o == "-a":.. #processing args.. ret=processA(imm,a).. elif o == "-b":.. ret=processB(imm,a)..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\traceargs.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2895
Entropy (8bit):	4.370821434806518
Encrypted:	false
SSDEEP:	48:Y/qy8Bn2PCTMVPfkJ9XG0XGyCHfXFIDb/nW/3cBzTULFQwkJRL/:7bBS1fkjW0WdvFIDb/u3QT1RL/
MD5:	46B18040FDF0D53D89B0D9297C631EEF
SHA1:	06D6333200A177D13C47BCF6B72390DA5D7A24A4
SHA-256:	E8C8E8F30CB0F4BA99E9C5A9C7C5CFFD4D471778C566B593026B083F589460DD
SHA-512:	D4BCAFC7147B382DD16C10032841A360421A965B25417081B5B5281E847579C0A1E7848FBBAC423FDE5B65987AD95C6E99C24E06CE79F1B5AA8550E0822BB525
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>}....Traceargs example...."""....__VERSION__ = '1.0'....DESC="""TraceArgs -> Find User supplied arguments into a given function"""....import immlib..import immutils..import getopt..modarg = []..visited = []..COUNT = 100 # LOOP LIMIT....def usage(imm):.. imm.log( "!traceargs Find user-supplied arguments into a given function" ) .. imm.log( "!traceargs -a ADDRESS -n ARG <-s> <-b>" ).. imm.log(" -a ADDRESS Address of the function").. imm.log(" -n ARG Argument number you want to look for").. imm.log(" -s Wheter or not, show all the result (including non user-supplied)") .. imm.log(" -b Wheter or not, breakpoint on the calling instructions")....def main(args):.. imm=immlib.Debugger().. if not args:.. usage(imm).. return "Wrong Arguments (Check usage on the Log Window)".... try:.. opt

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\treedll.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	3040
Entropy (8bit):	4.854584551909092
Encrypted:	false
SSDEEP:	48:ocfYof+Fn0iNMsvj2qkbiYS9XCKfbutXkkAuYTutjfbyP8MfYYH2DmBofmTfcBuA:xfYomFn0iN+MCKfCdk8lUP8MAcBrkB7v
MD5:	DF6628B8A34F631B91B8101391562DCD
SHA1:	B9D3DE948C0C87AD8CA8444BEDE65C1DB534DD80
SHA-256:	712B3DC136B26F82869F5C8E94540E3BE1C630F2E1775336CF86F98952EF1E7F
SHA-512:	598A49A750BAAE9859218421A9512B683B73D2626C05BF36A077AED3275C96CEECE67F9B754F80746B00CEFD8715F4E5F3487789F8512E4B0A8A5DA3D1FF61D4
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004-2008....U{Immunity Inc.<http://www.immunityinc.com>}....Tree Dll...."""....__VERSION__ = '1.0'....NAME = "treedll"..DESC="""Creates imported dll tree"""....import immlib..import immutils..import getopt....def usage(imm):.. imm.log("!%s" % NAME).. imm.log("%s" % DESC).. imm.log("-p process name").. imm.log("-l max tree level")....class Node:...def __init__(self, name):....self.name = name....self.imports = []...def getName(self, name):....return name...def getImports(self):....return self.imports...def addImport(self, tl):....self.imports.append( tl )....class DLLTree:...def __init__(self, imm, entry = "", maxlevel = 3):.. self.imm = imm... if not entry:.... self.entry = imm.getDebuggedName()... else:.... self.entry = entry... self.node = None... self.maxlevel = maxlevel.. self.sym = None.....def Initalize(self):... self.sym = self.imm.getAllSymbols()......def Get(self):..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\usage.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	827
Entropy (8bit):	4.665861690439515
Encrypted:	false
SSDEEP:	12:Hmn3cWd5QGIFlgiY8yI8IFlgDnLDb4iI2R4GfnvihDaSsorFVlI5gYXbEXt3G:6cWd5QlBblcLDk8Lnvih5FHI5gvs
MD5:	4FCF23DA9E5F90AEC97A6097BB432267
SHA1:	AC7D270244950783E90860ECD8C4D2D91D3B7D32
SHA-256:	58FA0C64CF1B51CD66447CD85A6059043EE650B6CB229EBB4717A3A9DF7C1736
SHA-512:	BEEA2C19A7997330777BEDBA5ED11626789C933ED9C8C88DBCB7255F3B7AD2C519B1B2A2B60E609251B1B4259E5AC7E2D00F2D9C2DE68F747ACBA5900339414E
Malicious:	false
Preview:	#!/usr/bin/env python...."""..(c) Immunity, Inc. 2004 - 2007......U{Immunity Inc.<http://www.immunityinc.com>}...."""......__VERSION__ = '1.0'....import immlib....DESC = "Return the usage information for a python command"....def usage(imm):.. imm.log("!usage Returns the usage information for a pytho command")....def main(args):.. imm = immlib.Debugger().. ret_str = None.... if args:.. try:.. mod = __import__(args[0]).. except ImportError:.. return "Error: %s is not a python command" % args[0].. try:.. ret_str = mod.usage(imm).. except AttributeError:.. return "Sorry, no usage available for this command".. else:.. return "No arguments given".... if ret_str is None:.. return "See log window for usage information"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\vcthook.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2365
Entropy (8bit):	4.696265896044942
Encrypted:	false
SSDEEP:	48:9Kq6Ps6bCXocqLzX9FeNf1uf64+XSdp+haxaHJCmYFZ3ALOxnM:9B6xbCXJaxif1uC4+XSdp+scpChFZ3kB
MD5:	FCD854A03C32C47F3A3D2466890DAEBE
SHA1:	F887B51D612FB08FD5F641D8B2EBBD959E7D9A9A
SHA-256:	704EFA7DD61D7817ED1C5BF04D0E37B02A2A06270E3C00C0067EFE6151A972F9
SHA-512:	B8B3DCCF38A256748EEAFC23A5A331411284BC997C2CFD60F6F66C8D029BB3A87FC12CDDC9556C4E0975073BC67031AF5FC9BB505002503342B8C61913306DF9
Malicious:	false
Preview:	import immutils.from immlib import .import getopt..# Hook names, no need for an explanation.HOOK_NAME = "vct_hook"..# Symbol names of the functions we want to hook.HOOK_SYMS = ["VariantChangeTypeEx"]..# Module name, just to know where we are.HOOK_MODULE = "OLEAUT32"..class VCTHook(LogBpHook):. """. VariantChangeType Hook. . This hook is used to check if the arguments of VariantChangeType are pointers. to the same object. There might be vulnerabilities in code that call this function. in such a manner.. """. def __init__(self):. LogBpHook.__init__(self). self.dbg = Debugger(). self.count = 0.. def run(self, regs):. pvargDest = self.dbg.readLong(regs['ESP'] + 0x4). pvarSrc = self.dbg.readLong(regs['ESP'] + 0x8). third = self.dbg.readLong(regs['ESP'] + 0xc).. if pvargDest == pvarSrc:. self.dbg.log("-"80). call_stack = self.dbg.callStack(). for frame in call_stack:.

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\x86smt\find_int_overflow.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2495
Entropy (8bit):	4.738468339450009
Encrypted:	false
SSDEEP:	48:tIdhWSCfdsydIXdQblgqR7JCsbMdzHRg1WWWdBdnNAUl0rQl:tIdhWPfdsydmdElbRIZzRcWbgUQ4
MD5:	20009887B1B3C703E6D41C894DBAB229
SHA1:	853A14B31B7FA7334ED343998DFB0691606A2924
SHA-256:	7253C8443CE54B4879C76DA52C894DAAD8B80562A51485AC080FDF00868BAF9A
SHA-512:	465FA7DFC07835260E0FCF421F77C7C6E061C2B45885A4599F85C1C7F99980C9642CF6BC53044881F160B9BFB2002F8BACB89D551BE936ADB7E42F6575E0B856
Malicious:	false
Preview:	import getopt....from immlib import *....from x86smt.sequenceanalyzer import SequenceAnalyzer..from codegraph import CodeStructureAnalyzer..from pathgenerator import PathGenerator..from x86smt.pathwalker import PathWalker..from x86smt.pathwalker import UnsatPathConditionException..from x86smt.bugcheckers.intoverflow import IntOverflowChecker....NAME = 'find_int_overflow'..DEBUG = False....def usage(imm):.. imm.log("!%s" % NAME).. imm.log(" -s start_addr [hex]")....def logTraceback(imm):.. imm.log("Traceback:").. .. tb = sys.exc_info()[2].. for line in traceback.extract_tb(tb):.. f_name = line[0].. line_num = line[1].. function = line[2].. src_line = line[3].. imm.log("File %s:%d" % (f_name, line_num)).. imm.log(" Function: %s" % function).. imm.log(" Code: %s" % src_line)....def main(args):.. imm = Debugger().. imm.log("### %s ###" % NAME).. .. start_addr = None.... try:.. opts, argo = geto

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\x86smt\pathogen.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2531
Entropy (8bit):	4.538966002098773
Encrypted:	false
SSDEEP:	48:ICisvIsHX2cJGs8pFLD10n7lQCm+pjKAneV6eeDL:Jisv76ZE5jmYLnNeeDL
MD5:	F2F4EB992A0F1C0E6142988BB11EBEE4
SHA1:	804AF4F6EE808CF9D04F431DC6B0606FB3E6C35D
SHA-256:	DD6198669B275855A2CC5B3007CDABDED81858618A04CF14E2968F19464D7340
SHA-512:	94901A4842B12DDF2A60590543F8BFFDAF0386062AD1D80EA27A8EC2E940EDDD75BE21F4157719802E9BEAF3F11D697107F56B1261DAA71147A355DD46717179
Malicious:	false
Preview:	import getopt.import traceback.from immlib import *..from codegraph import CodeStructureAnalyzer.from pathgenerator import PathGenerator.from x86smt.pathwalker import PathWalker.from x86smt.pathwalker import UnsatPathConditionException..NAME = "pathogen.py". .def usage(imm):. imm.log("!pathogen"). imm.log(" -s start_addr [hex]"). imm.log(" -p prune_paths [use solver to prune paths]")..def log_traceback(imm):. imm.log("Traceback:"). . tb = sys.exc_info()[2]. for line in traceback.extract_tb(tb):. f_name = line[0]. line_num = line[1]. function = line[2]. src_line = line[3]. imm.log("File %s:%d" % (f_name, line_num)). imm.log(" Function: %s" % function). imm.log(" Code: %s" % src_line). .def main(args):. imm = Debugger(). imm.log("### %s ###" % NAME). . start_addr = None. prune_paths = False.. try:. opts, argo = getopt.getopt(args, "s:p"). except getopt.GetoptError, reason

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\x86smt\symexec.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	7031
Entropy (8bit):	4.317958299049873
Encrypted:	false
SSDEEP:	192:nvSjbhjopSy4SDD/MrNDe4nIi6sj8Kco/tXhwypA:nvMNy9Gc5
MD5:	0BF3948E03DA7C231E66BC16F2DECF91
SHA1:	9316F960D2298F2AE3E2263B0EE33F08EABA1194
SHA-256:	4E23AAEE6FCC4A8329E430F42FFC7C87D5C8E2B382CF58A194F02AA2DF5E62F5
SHA-512:	746AF168A85690610CD7375A876B583F3686449249AE1392DBB89E9F659459B6EE39E8C34B2353374DF4F2B73E17755D6DB3A009FC99B5BFBF50DA5C82A66494
Malicious:	false
Preview:	import re..import sys..import getopt..import traceback....from x86smt.sequenceanalyzer import SequenceAnalyzer..from immlib import *....DEBUG = False..VALID_RELATIONS = ['<', '>', '=', '!=', '<=', '>=']....def usage(imm):.. imm.log("!symexec").. imm.log(" -s start_addr [hex]").. imm.log(" -e end_addr [hex]").. imm.log(" -r output_reg [Valid register name e.g. EAX]").. imm.log(" -n relation [(In)Equality symbol e.g. %s]" %.. VALID_RELATIONS).. imm.log(" (Prefix the above symbol with an 's' for signed comparisons)").. imm.log(" -v output_val [hex]").. imm.log(" -w val_width [0-32, default=32]").. imm.log(" -u user_regs [Comma separated list of user controlled registers e.g EAX,EBX]")....def logTraceback(imm):.. imm.log("Traceback:").. .. tb = sys.exc_info()[2].. for line in traceback.extract_tb(tb):.. f_name = line[0].. line_num = line[1].. function = line[2].. src_line = line[3].. imm

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\x86smt\varbounds.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	11254
Entropy (8bit):	4.307440589596522
Encrypted:	false
SSDEEP:	192:k3co5ROSQvOmot27/X4nIi/8Dmco/eUhY1MpuC:ksKMOcfURj
MD5:	09AA31EB47E758E67265AB59D2B257A9
SHA1:	4A126EDB95449A8E42C20E71CAC6680F347C26AE
SHA-256:	0556B0F7B695F343D3A4E6E444C7F08604963015EE1920F38F53076F6C28A5AF
SHA-512:	6D84A6DFAF7F27BEC8B17E81E03774AEC09A363F726289AB352A45A5543281610CA7107D5F9C73B823CB38913E51647E525BC2445063FE8A3B3D6E2D4DE2A426
Malicious:	false
Preview:	import sys..import getopt..import traceback....from x86smt.sequenceanalyzer import SequenceAnalyzer, MyDebugger..from immlib import ....DEBUG = False..LOWER = 0..UPPER = 232 - 1..RANGE_MIN = 2*16....class AddressRange:.... def __init__(self, start, end):.. self.start = start.. self.end = end....def usage(imm):.. imm.log("!varbounds").. imm.log(" -s start_addr [hex]").. imm.log(" -e end_addr [hex]").. imm.log(" -r output_reg [Valid register name e.g. EAX]").. imm.log(" -u user_regs [Comma separated list of user controlled registers e.g EAX,EBX]").. imm.log(" -v value_range [colon separated bounds to investigated default=%s:%s]" % (hex(LOWER), hex(UPPER))).. imm.log(" -a range_size [Size of buckets to split ranges into as part of the first pass, default=%d" % RANGE_MIN).. imm.log(" -t timeout [A timeout in seconds after which we abort, default=None]").. imm.log(" -p precise [If specified then we look for exact values instead

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Python.inst\python-2.7.1.msi Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python MSI Library
Category:	dropped
Size (bytes):	16003072
Entropy (8bit):	7.980871298957496
Encrypted:	false
SSDEEP:	393216:OlmFF7GVT9qhQEHPWhRB5csK0uRKEag8i:imr7G2hdvwRBRr7EYi
MD5:	A69CE1B2D870BE29BEFD1CEFB4615D82
SHA1:	023C6837F5AB3139CDCB9F9F8B8CA36212D56E2D
SHA-256:	0AF8BC05A5F9ED15DF120150C6A6DDD0FC50D018E35B891CBA22040E0404DFB6
SHA-512:	18720C73D5B9413DF16B9A43BB7391E66D9C1C754FFD73DE0EC2F5B106978E295441BEA26DEDF629A9089E02515987AAF600B00B9BAF7178511B7A9A3F5FAE3A
Malicious:	false
Preview:	......................>...................................9...................~...............n...........@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...\|...}...~...................................................................................................................................................................[................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...I.......;...<...=...>...?...@...A...B...C...D...E...F..._...H....z..J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...]...\...a...^...f...`.......b...c...d...e...?...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Tools\cmdcli.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	6587
Entropy (8bit):	5.074876752904398
Encrypted:	false
SSDEEP:	192:c5tTmEqq3ueLs2RCPHsei9oftgp20n0Wc1/p:c5tTJ3fLs24PHsei9K0U
MD5:	6192915F4AD1C881757AF6A9830D798C
SHA1:	81A783C278FF4DCB91BA194862C38DFB9D5DBE1F
SHA-256:	5B36E7C3A1B8AE4333EC8037089A881A594A7EB5B12EC911CA9B1CE6D37C2060
SHA-512:	2E9B16CC580B8BFB0DD815675F7D8EFE2AA5F751C56194860F69D99E9D00438B69960D153885EA56D6568222578EA8E2A957222C713BB48BAFB61D5A2A569782
Malicious:	false
Preview:	#!/usr/bin/env python.."""..Immunity Debugger Command Line Client....(c) Immunity, Inc. 2004-2007......U{Immunity Inc.<http://www.immunityinc.com>} Remote Command Line Client.."""....import socket..import sys...."""..NOTE: Most of this cmdclient comes from Bas's PDB client.."""....__VERSION__ = '1.0'...... ..class clientCore():.. def __init__(self,ip,port):...self.ip=ip...self.port=port...self.s=None..... return.. .. def writeLine(self, line): .. sys.stdout.write(line).. sys.stdout.flush().. return.. .. def readLine(self): .. line = sys.stdin.readline().. sys.stdin.flush().. return line.. .. def getCommandLine(self, prompt):.. self.writeLine(prompt) .. try:.. line = self.readLine().. except:.. line = None.. return line.. .. def listCommands(self):..... cmd = "Available commands:\n\n"...cmd +="Expressions"...cmd +="==========="...cmd +="\n"..

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Tools\pyshell.py Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1581
Entropy (8bit):	4.46816843036326
Encrypted:	false
SSDEEP:	48:3VIROJqFrtl2hu4UC9/RT2vqgxdGhOVa0xuGcorfdpOO7:3/JqF5O9/n1Cl
MD5:	15181FFABCB6BCC1E9840ECA264C345C
SHA1:	F4AE863114656A8F16B5294BE88FBF458998E6B3
SHA-256:	5BABB0E5EBA1287254815C608969DB70B0890A1571ECDE9688E58849B1FD8C29
SHA-512:	C0EA97B922B4A89B4DEF37BD0846ABB9D22A831BE507FE083F58CEE46A32FCFFD4EFC824F0B2CAB555BEC0EC7C4D5007B099D21BB32C4126465E65D59ACDEB07
Malicious:	false
Preview:	"""..A simple python shell wrapper mostly based on this:..http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/355319...."""....__VERSION__ = '1.0'....import sys..from code import InteractiveConsole....class FileCacher:.. "Cache the stdout/stderr text so we can analyze it before returning it".. def __init__(self): .. self.reset().. def reset(self): .. self.out = [].. def write(self,line): .. self.out.append(line).. def flush(self):.. output=''.join(self.out).. self.reset().. return output.. ....class Shell(InteractiveConsole):.. "Wrapper around Python that can filter input/output to the shell".. def __init__(self):.. self.stdout = sys.stdout.. self.stderr = sys.stderr.. self.stdout_cacher = FileCacher().. self.stderr_cacher = FileCacher().. InteractiveConsole.__init__(self).. return.... def get_stdout(self): .. sys.stdout = self.stdout_cacher.. self.stdout

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Updater.pem Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2238
Entropy (8bit):	6.037607054209419
Encrypted:	false
SSDEEP:	48:LrLxgDH6N9+KE9s58dnvXAPSA5u/dRunWF8da7z7AEnF7UN3Ac0KuYg9EZu:LrLxgj67+KysM/APSEu2WCd8AEF7UNX8
MD5:	22C9AD6B05F3E8C2FDCC289C4264671D
SHA1:	189871A56941CA7D1DFAED22EA908E54ED43A956
SHA-256:	DB8310BF27D7E7694714C040435A49953D948493AA8EAD138E940E1049D0AB0B
SHA-512:	0498E8C7E8C724B74A7C129171CB6467754BD5E88AF2F8D50EFAA6425C59D5ACD4B6BF90682EA38A258A18985B59D5F3E11397BBE048D691CE2CC586C676B22E
Malicious:	false
Preview:	-----BEGIN PUBLIC KEY-----.MIIGSDCCBDoGByqGSM44BAEwggQtAoICAQDmGvbRrENAekfrth3gI7Xu3/9otdYB.+TtjTGlptIlBC1LHiJgxzHOQNPmIfUUTvs56r/cAa2efauuzApKgYhvj/ThR1Aqf.H53UIeZktm52gW4T3x6ToXQBMnB3D2XTPIofC9sBzv+jTeQhKJwr3x/Ybsp0BOQe.hP5J8mW90VYlg3T+rYx8QEoEQn22rmfHz33Mqj6DSiGxcpHSQ/4bIu1MDqZeEFN7.iU3WzRQo3B6vgNJ3o2IlWZdwPhNe6VkfJsfFcLandWrgYlwZbjGSYNzS1y+8QqW2.EVJLNma1gMvz7DLxeeZatrQzI/ySNUbKb47WT9LszEzr5NL80AshGN+ahvh0Enn3.FEGWjJxYNHRKDJ2MCHRm/tv2OTh7KNCbA6kxIBn3/GfkC6prhuxRdIGOVATmoA1m.P/PKlRoARmGHN12Nk3CJEAf5/E/JtW5zLah2M5bbuawblFLKEMLIYMyROV47e0W4.6tWf5a0I96NiCla5fq8i8Bscu8koQJ9zAnuVOgumfTnGZZ537cUSLmQ6vnwwdQd2./j0iSqHjQw9WQNU0+uxXeKLlxoSMSPfT+Zho2h4C8AcHnlXHgsdSkrgjz5oP4zpv.OKGpC++lPSJH/VaBbvHb2eX3UajKpLlI9+VEzpnUW6mhVFCbTsgL4EiaUDUumjSv.VHikznZyZ5xuuQIhAJ9jiPRK4DO6Ef2nKLxhB4tRZTq2RsAIpXDjtECRkAEtAoIC.AQCo4q4Izu0/q5LSCKJafUAxZWPJC4Y+PXgnoyP7uvoj2v37wJm/Axo2Ik0ZdEPB.zRyg23phPwH0sCHTl1Udrrd+Xx9cQ+ETAZPfxNaZf+C+EayfkqjDny3fGKCtmdzx.1EFklrw9elh8llnUEu6++eXcyorBIYSkJWx6+4c9EdzQd+oUu6EBxA7BXqATj0R

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\debugger.pyd Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	6.234492017333306
Encrypted:	false
SSDEEP:	1536:CU8W1tc1o5RM89AgLA84its/18gc3LMf:Csc1o5RM8V4ks/1RSwf
MD5:	1D0C2DB47C02D972EA10F58203AE9B1E
SHA1:	6D80ED578966A11099D0DCE8E867C670C7D3104A
SHA-256:	B31419DC7D2B43B6B7A260236B6B30923D481DF907E77AA759364E0001E10036
SHA-512:	BD2449B6E32C80962650FBE2A90A695A26DF59FD1687FDA60E4824F5782AAC7B317ABA3A78AD8AAED66C34F8FC9F90D5A3AFF05AE0A662290E04935F3F5261A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.;O...........#.........0......`..............a.......................................... ......................0..k....@..t...............................x............................p.......................C...............................text..............................`.P`.data...H...........................@.`..rdata...8.......:..................@.0@.bss......... ........................`..edata..k....0......................@.0@.idata..t....@......................@.0..CRT.........`......................@.0..tls.... ....p......................@.0..rsrc...............................@.0..reloc..x............ ..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\loaddll.exe Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	3.128061782167876
Encrypted:	false
SSDEEP:	48:OEP8PUIOvqWs1zaN2qRic4HB0rpuxg8skxtHq1uefbwZIr:nP/IF1rqR6Hmrg4kxF8fWIr
MD5:	89D432E3E47CB9546BF4D9A91F6FDA79
SHA1:	4B88A28A7A67E5F17CF7515CF49826550400FD7B
SHA-256:	A5B900567491B222FC82D11C964DB7C5085520369D1A5CE43937E092F865BE81
SHA-512:	7E7F3ACF6C9419643EE51A9383AC756BAC65DDEB52ACC3275163B16115C8125CCDA927939A6DAC3FD767EBC12F177875A15175BF13CB6F603D620A729CA1EE3B
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...O6.L............................p.............@.............................................. ......................N...........................................................................................................................CODE................................ ..`DATA.....0..........................@....idata..............................@....edata..............................@..@.rsrc.... ..........................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\uninstall.exe Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	75305
Entropy (8bit):	6.096225651763943
Encrypted:	false
SSDEEP:	768:yNAxLx9WjRNt8mxZ6VUNN/99ZSI9AAsxjiS6tw5tCjX4lVeo2ZXzOU2JOCP8nn31:YAg1xvVuIUxjB649lEAJ5YRN6QcILl
MD5:	BFB50B69B34592CD8824E8E37D0418D1
SHA1:	738B31749CD03FE152E449103E160CE505226741
SHA-256:	50336364E5EC5EBDF43315879EEB8959283B213B8C7775FAE45FC95303CA65DC
SHA-512:	43962122AFF7B74A8260AE5FB1939E5C58AAA7ABE72E13B17D3FDE7265A2174006EC5F3127ECDDE787F8EB0535DEA5DEA2194B441A2F475F93EBDDA8E4E5D5EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....hN.....................:...Z...@............@..........................0............... .............................. ..........`j...........................................................................................................text............................... .0`.data...............................@.0..rdata..0...........................@.0@.bss.....X............................0..idata....... ......................@.0..ndata.......@......................@.0..rsrc...`j.......l..................@.0.........................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger\Immunity Debugger.lnk Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 15 13:34:34 2012, mtime=Mon May 17 17:08:35 2021, atime=Wed Feb 15 13:34:34 2012, length=2853888, window=hide
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	4.606702108197601
Encrypted:	false
SSDEEP:	24:8mmJeHpqdOENNWE0aQAkm/3dtBdtYUU87aB6m:8mmJeHpqdOKNWynkm/3dtBdttmB6
MD5:	94E69BD3D1A62755F24185FE4EA63B6E
SHA1:	FB84A7FF7C951DA83C8B06F0ABE2C1D42641A6F5
SHA-256:	669F3EF8D1EA9746EB413902553F10A129D58D627B2BD05FBDD6A4F691EEB3B1
SHA-512:	012058976F349362A1D59CBB2B844D03683A89CA0601A70BEFC6E900C05F02D56080E8A8B25D0F6E5657C8AD6F73B6CEF6A58EFADD450D1384B6977F746550FF
Malicious:	false
Preview:	L..................F.... ....9......V...GK...9........+..........................P.O. .:i.....+00.../C:\.....................1.....>Q.u..PROGRA~2.........L..R......................V.......E.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......R....IMMUNI~1..J......R...R......QZ......................4.I.m.m.u.n.i.t.y. .I.n.c.....l.1......R....IMMUNI~1..T......R...R......l[....................a...I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.....v.2...+.O@Qt .IMMUNI~1.EXE..Z......O@Qt.R.......[........................I.m.m.u.n.i.t.y.D.e.b.u.g.g.e.r...e.x.e.......y...............-.......x...........R........C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe..\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.m.m.u.n.i.t.y. .I.n.c.\.I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.\.I.m.m.u.n.i.t.y.D.e.b.u.g.g.e.r...e.x.e.5.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.m.m.u.n.i.t.y. .I.n.c.\.I.m.m.u.n.i.t.y. .

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger\Uninstall.lnk Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon May 17 17:08:38 2021, mtime=Mon May 17 17:08:38 2021, atime=Mon May 17 17:08:38 2021, length=75305, window=hide
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.641528809408097
Encrypted:	false
SSDEEP:	24:8mTibXFiY+OdOEPNhIzKhAnqdt+9dtYUUAxD7aB6m:8mTiLFiY+OdOoNS+ynqdt+9dtt9xaB6
MD5:	A2E6D994E0730458D03194030CBA7C6A
SHA1:	A934568EA97675ECE55243AB2642AFDEB561AC9B
SHA-256:	227F03B1003D56A4632018DB2DEAEBD7062DAB0A942E21A12CA2134016A4E4A3
SHA-512:	CCCDF38766F68F5F9217AEE97FA49B33C4031B5104AA75FEF03360D6F83C056948B7A055CD66D55A72F0F083CAAB484573E1FCE6A51F0160E592BA9F741D007F
Malicious:	false
Preview:	L..................F.... ..../R.GK....T.GK....T.GK..)&...........................P.O. .:i.....+00.../C:\.....................1......R....PROGRA~2.........L..R......................V.......4.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......R....IMMUNI~1..J......R...R......QZ......................4.I.m.m.u.n.i.t.y. .I.n.c.....l.1......R....IMMUNI~1..T......R...R......l[....................qT..I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.....h.2.)&...R.. .UNINST~1.EXE..L......R...R......d.........................u.n.i.n.s.t.a.l.l...e.x.e.......r...............-.......q...........R........C:\Program Files (x86)\Immunity Inc\Immunity Debugger\uninstall.exe..U.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.m.m.u.n.i.t.y. .I.n.c.\.I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.\.u.n.i.n.s.t.a.l.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.m.m.u.n.i.t.y. .I.n.c.\.I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.........*..........

C:\Users\Public\Desktop\Immunity Debugger.lnk Download File
Process:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 15 13:34:34 2012, mtime=Mon May 17 17:08:35 2021, atime=Wed Feb 15 13:34:34 2012, length=2853888, window=hide
Category:	dropped
Size (bytes):	1346
Entropy (8bit):	4.616168658955484
Encrypted:	false
SSDEEP:	24:8mmJiY+OdOEPNFE0aQAkm/rdtBdtYUU87aB6m:8mmJiY+OdOoNFynkm/rdtBdttmB6
MD5:	FB921A1AA7C498AEDC0DC99EA035A247
SHA1:	8B647B373960C45CEA3E3C5FE39C3CA13978D24A
SHA-256:	C4CB329200994642ABD10BBDF151FC5208179A36E8929E34C34224A1629F19D9
SHA-512:	3C6D622409FCCAF92D5219058F27799DC2D2335A9FC1179B740E27488ED802D16A6EE2AC7B1817C79F7A15F0DDB81BA4C669492B98362ADEC62106335D0D472B
Malicious:	false
Preview:	L..................F.... ....9......V...GK...9........+..........................P.O. .:i.....+00.../C:\.....................1......R....PROGRA~2.........L..R......................V.......4.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......R....IMMUNI~1..J......R...R......QZ......................4.I.m.m.u.n.i.t.y. .I.n.c.....l.1......R....IMMUNI~1..T......R...R......l[....................qT..I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.....v.2...+.O@Qt .IMMUNI~1.EXE..Z......O@Qt.R.......[........................I.m.m.u.n.i.t.y.D.e.b.u.g.g.e.r...e.x.e.......y...............-.......x...........R........C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe..P.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.m.m.u.n.i.t.y. .I.n.c.\.I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.\.I.m.m.u.n.i.t.y.D.e.b.u.g.g.e.r...e.x.e.5.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.m.m.u.n.i.t.y. .I.n.c.\.I.m.m.u.n.i.t.y. .D.e.b.u.g.g.e.r.........

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999571169441987
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ImmunityDebugger_1_85_setup.exe
File size:	22749412
MD5:	b94ff046f678a5e89d06007ea24c57ec
SHA1:	e01a72a487ac0e2ec02ddfc20fd2994919ef1e9a
SHA256:	9c15cd47d018ccd99a6c8865baba20134c67061ae0e19232c32ecd0139ccfd42
SHA512:	10257deb8fa9662cb36cf1a20bcadc8d2ac3958b5c5f5a6fad871c1b6c8c77136d539ac8c4bcfa2388f2491a5a5145d15a989c6a4a7280e063ade4a4d4c08100
SSDEEP:	393216:tU0lXeTIj/ZrW8n6MWja0Xja/ggbvNgV1JKp7lZ+HrS4G0Mbnz+BfmxOyoH/5:m0lXAudh6pG0TUzbvKU77urS4gM4O/R
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....hN.....................:...Z...@............@..........................0................ ............................

File Icon


Icon Hash:	f8eafc64dcdccc44

Static PE Info

General
Entrypoint:	0x40407f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4E68EAA5 [Thu Sep 8 16:17:41 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	28a099a911237a28521d8b7ea250f089

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 000001ACh
call 00007F9AF476DDBDh
mov dword ptr [esp], 00008001h
call 00007F9AF476DA61h
push ebx
mov dword ptr [esp], 00000000h
call 00007F9AF476DDCCh
push esi
mov dword ptr [004307F4h], eax
mov dword ptr [esp], 00000008h
call 00007F9AF476C112h
mov dword ptr [00430850h], eax
lea eax, dword ptr [ebp-0000017Ch]
push edi
mov dword ptr [esp+10h], 00000000h
mov dword ptr [esp+0Ch], 00000160h
mov dword ptr [esp+08h], eax
mov dword ptr [esp+04h], 00000000h
mov dword ptr [esp], 0040B2A9h
call 00007F9AF476DCF6h
sub esp, 14h
mov dword ptr [esp+04h], 0040B2AAh
mov dword ptr [esp], 0043085Ch
call 00007F9AF476BC06h
push eax
push eax
call 00007F9AF476D9F8h
mov dword ptr [esp], 00439000h
mov dword ptr [esp+04h], eax
call 00007F9AF476BBEFh
push eax
push eax
mov dword ptr [esp], 00000000h
call 00007F9AF476D94Ah
cmp byte ptr [00439000h], 00000022h
push edx
mov edx, 00439001h
mov dword ptr [00430858h], eax
mov eax, 00439000h
cmove eax, edx
sete byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32000	0x1304	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x6a60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8810	0x8a00	False	0.56006567029	data	6.06456052057	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0xa000	0x90	0x200	False	0.158203125	data	1.19914821626	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0xb000	0xd30	0xe00	False	0.505580357143	data	5.28213288274	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0xc000	0x25884	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x32000	0x1304	0x1400	False	0.3779296875	data	5.26205088874	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.ndata	0x34000	0x8000	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x6a60	0x6c00	False	0.441261574074	data	5.63614738336	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c328	0x25a8	data	English	United States
RT_ICON	0x3e8d0	0x10a8	data	English	United States
RT_ICON	0x3f978	0xea8	data	English	United States
RT_ICON	0x40820	0x8a8	data	English	United States
RT_ICON	0x410c8	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 248, next used block 32512	English	United States
RT_ICON	0x41730	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x41c98	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x42100	0x2e8	data	English	United States
RT_ICON	0x423e8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x42510	0x168	data	English	United States
RT_DIALOG	0x42678	0x118	data	English	United States
RT_DIALOG	0x42790	0x128	data	English	United States
RT_DIALOG	0x428b8	0xc0	data	English	United States
RT_DIALOG	0x42978	0x60	data	English	United States
RT_GROUP_ICON	0x429d8	0x84	data	English	United States

Imports

DLL	Import
ADVAPI32.DLL	RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
COMCTL32.DLL	ImageList_AddMasked, ImageList_Create, ImageList_Destroy, InitCommonControls
GDI32.dll	CreateBrushIndirect, CreateFontIndirectA, DeleteObject, GetDeviceCaps, SelectObject, SetBkColor, SetBkMode, SetTextColor
KERNEL32.dll	CloseHandle, CompareFileTime, CopyFileA, CreateDirectoryA, CreateFileA, CreateProcessA, CreateThread, DeleteFileA, ExitProcess, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentProcess, GetDiskFreeSpaceA, GetExitCodeProcess, GetFileAttributesA, GetFileSize, GetFullPathNameA, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetPrivateProfileStringA, GetProcAddress, GetShortPathNameA, GetSystemDirectoryA, GetTempFileNameA, GetTempPathA, GetTickCount, GetVersion, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, LoadLibraryA, LoadLibraryExA, MoveFileA, MulDiv, MultiByteToWideChar, ReadFile, RemoveDirectoryA, SearchPathA, SetCurrentDirectoryA, SetErrorMode, SetFileAttributesA, SetFilePointer, SetFileTime, Sleep, WaitForSingleObject, WriteFile, WritePrivateProfileStringA, lstrcatA, lstrcmpA, lstrcmpiA, lstrcpynA, lstrlenA
OLE32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
SHELL32.DLL	SHBrowseForFolderA, SHFileOperationA, SHGetFileInfoA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteA
USER32.dll	AppendMenuA, BeginPaint, CallWindowProcA, CharNextA, CharPrevA, CheckDlgButton, CloseClipboard, CreateDialogParamA, CreatePopupMenu, CreateWindowExA, DefWindowProcA, DestroyWindow, DialogBoxParamA, DispatchMessageA, DrawTextA, EmptyClipboard, EnableMenuItem, EnableWindow, EndDialog, EndPaint, ExitWindowsEx, FillRect, FindWindowExA, GetClassInfoA, GetClientRect, GetDC, GetDlgItem, GetDlgItemTextA, GetMessagePos, GetSysColor, GetSystemMenu, GetSystemMetrics, GetWindowLongA, GetWindowRect, InvalidateRect, IsWindow, IsWindowEnabled, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadImageA, MessageBoxIndirectA, OpenClipboard, PeekMessageA, PostQuitMessage, RegisterClassA, ScreenToClient, SendMessageA, SendMessageTimeoutA, SetClassLongA, SetClipboardData, SetCursor, SetDlgItemTextA, SetForegroundWindow, SetTimer, SetWindowLongA, SetWindowPos, SetWindowTextA, ShowWindow, SystemParametersInfoA, TrackPopupMenu, wsprintfA
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: ImmunityDebugger_1_85_setup.exe PID: 6200 Parent PID: 5668

General

Start time:	11:08:14
Start date:	17/05/2021
Path:	C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe'
Imagebase:	0x400000
File size:	22749412 bytes
MD5 hash:	B94FF046F678A5E89D06007EA24C57EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ImmunityDebugger_1_85_setup.exe PID: 6200 Parent PID: 5668 ImmunityDebugger_1_85_setup.exeCOMMON

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	1295
Total number of Limit Nodes:	31

Executed Functions

Function 00406B9F, Relevance: 65.1, APIs: 36, Strings: 1, Instructions: 339
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00406B9F(struct HWND__* __edx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				void* _v16;
				char _v32;
				struct tagRECT _v48;
				intOrPtr _v64;
				struct HWND__* _v68;
				int _v80;
				void* _v88;
				struct HWND__* _v96;
				struct HWND__* _v100;
				struct HWND__* _v120;
				int _v124;
				long _v128;
				int _v132;
				struct tagRECT* _v136;
				struct HWND__* _v140;
				int _v144;
				long _t123;
				struct HMENU__* _t124;
				long _t127;
				int _t128;
				long _t131;
				int _t132;
				void* _t134;
				int _t137;
				void* _t138;
				struct HWND__* _t142;
				int _t143;
				struct HWND__* _t144;
				struct HWND__* _t149;
				struct HWND__* _t150;
				int _t151;
				struct HWND__* _t154;
				void* _t155;
				intOrPtr _t159;
				struct HWND__* _t163;
				int _t164;
				intOrPtr _t167;
				int _t169;
				struct HWND__* _t177;
				struct HWND__* _t181;
				int _t182;
				intOrPtr _t183;
				int _t185;
				intOrPtr _t189;
				struct HMENU__* _t190;
				int _t191;
				long _t192;
				void* _t193;
				struct HWND__* _t195;
				struct HWND__* _t197;
				struct HWND__* _t204;
				void* _t207;
				struct HWND__* _t208;
				short* _t210;
				struct HWND__* _t212;
				struct HWND__* _t215;
				intOrPtr _t217;
				int _t218;
				struct tagRECT* _t219;
				void* _t220;
				void* _t221;
				struct HWND__* _t223;
				struct HWND__* _t224;
				long _t225;
				void* _t226;
				struct HMENU__** _t227;
				void* _t228;
				void* _t229;
				void* _t232;

				_t204 = __edx;
				_t189 = _a8;
				_t217 = _a12;
				_t224 =  *0x431064; // 0x3020e
				if(_t189 != 0x110) {
					if(_t189 != 0x405) {
						if(_t189 != 0x111) {
							if(_t189 == 0x404) {
								if( *0x43105c == 0) {
									_t142 =  *0x430854; // 0xe0176
									_t143 = ShowWindow(_t142, 8); // executed
									_push(_t143);
									_push(_t143);
									if( *0x4307c8 == 0) {
										E00406A5D(_t193, _t204,  *((intOrPtr*)( *0x42cc54 + 0x34)), 0); // executed
									}
									_t144 = 1; // executed
								} else {
									 *0x42cc50 = 2;
									_t144 = 0x78;
								}
								E0040479E(_t144); // executed
							}
						} else {
							if(_t217 == 0x403) {
								_t149 =  *0x431060; // 0x60072
								_t150 = ShowWindow(_t149, 0);
								_v140 = _t224;
								_v136 = 8;
								_t151 = ShowWindow(_t150, _t150);
								_push(_t151);
								_push(_t151);
								E00404741(_t224);
							}
						}
					} else {
						_t197 = _a4;
						_t154 = GetDlgItem(_t197, 0x3ec);
						_t204 =  &_v32;
						_v120 = _t204;
						_v124 = 0;
						_v128 = _t154;
						_v132 = E00404874;
						_v136 = 0;
						_v140 = 0; // executed
						_t155 = CreateThread(_t204, ??, ??, ??, ??, ??); // executed
						_t226 = _t226 - 0x18;
						_v144 = _t155; // executed
						CloseHandle(_t204); // executed
						_push(_t197);
					}
					if(_t224 != _t217 || _t189 != 0x7b) {
						_t218 = E00404BAE(_t189, _a16, _t217);
					} else {
						_v128 = 0;
						_t218 = 0;
						_v132 = 0;
						_v136 = 0x1004;
						_v140 = _t224;
						_t123 = SendMessageA(??, ??, ??, ??);
						_t227 = _t226 - 0x10;
						_v96 = _t123;
						if(_t123 <= 0) {
							goto L37;
						}
						_t124 = CreatePopupMenu();
						_v136 = 0xffffffe1;
						_v140 = 0;
						_t190 = _t124;
						_v136 = E00407769();
						_v140 = 1;
						_v144 = 0;
						 *_t227 = _t190;
						AppendMenuA(_t204, _t204, ??, ??);
						_t228 = _t227 - 0x10;
						if(_a16 != 0xffffffff) {
							_t127 = _a16;
							_t207 = _a16 >> 0x10;
						} else {
							GetWindowRect(_t224,  &_v48);
							_t127 = _v48.left;
							_t207 = _v48.top;
							_push(0);
							_push(0);
						}
						_t195 = _a4;
						_t218 = 0;
						 *(_t228 + 0x18) = 0;
						_v124 = 0;
						_v128 = _t207;
						_v120 = _t195;
						_v132 = _t127;
						_v136 = 0x180;
						_v140 = _t190;
						_t128 = TrackPopupMenu(??, ??, ??, ??, ??, ??, ??);
						_t229 = _t228 - 0x1c;
						if(_t128 == 1) {
							_t191 = _v96;
							_t219 = 1;
							_v80 = 0;
							_v68 = 0x42bc18;
							_v64 = 0xfff;
							do {
								_t191 = _t191 - 1;
								_t131 = SendMessageA(_t224, 0x102d, _t191,  &_v88);
								_t229 = _t229 - 0x10;
								_t107 =  &(_t219->left); // 0x2
								_t219 = _t131 + _t107;
							} while (_t191 != 0);
							_t132 = OpenClipboard(0);
							EmptyClipboard();
							_v136 = _t219;
							_v140 = 0x42;
							_t134 = GlobalAlloc(_t132, ??);
							_push(_t207);
							_t220 = _t134;
							_v140 = _t134;
							_t208 = GlobalLock(_t207);
							_push(_t195);
							do {
								_v68 = _t208;
								_v132 = _t191;
								_t191 = _t191 + 1;
								_v100 = _t208;
								_v128 =  &_v88;
								_v136 = 0x102d;
								_v140 = _t224;
								_t210 = _v100 + SendMessageA(??, ??, ??, ??);
								_t229 = _t229 - 0x10;
								 *_t210 = 0xa0d;
								_t208 = _t210 + 2;
							} while (_t191 != _v96);
							_t137 = GlobalUnlock(_t220);
							_v136 = _t220;
							_t218 = 0;
							_v140 = 1;
							_t138 = SetClipboardData(_t137, ??);
							_push(_t138);
							_push(_t138);
							CloseClipboard();
						}
					}
					goto L37;
				} else {
					_t221 =  &_v88;
					memset(_t221, 0, 8 << 2);
					_t159 =  *0x4307fc; // 0x11f030
					_v88 = 2;
					_v80 = 0xffffffff;
					_v68 = 0xffffffff;
					_t192 =  *(_t159 + 0x5c);
					_t225 =  *(_t159 + 0x60);
					 *0x431060 = GetDlgItem(_a4, 0x403);
					_v136 = 0x3ee;
					_v140 = _a4;
					 *0x43107c = GetDlgItem(_t204, _t204);
					_v136 = 0x3f8;
					_v140 = _a4;
					_t163 = GetDlgItem(0, 0);
					_t223 = _t163;
					 *0x431064 = _t163;
					_t164 =  *0x431060; // 0x60072, executed
					E00404741(_t164); // executed
					_t167 = E004046D0(4);
					 *0x431068 = 0;
					_v140 = _t223;
					 *0x431070 = _t167;
					_v136 =  &_v48;
					_t169 = GetClientRect(_t221 + 8, _t221 + 8);
					_t212 = _v48.right;
					_v96 = _t212;
					_v140 = 0x15;
					_v80 = _v96 - GetSystemMetrics(_t169);
					_v128 =  &_v88;
					_v132 = 0;
					_v136 = 0x101b;
					_v140 = _t223; // executed
					SendMessageA(_t212, _t169, ??, ??); // executed
					_v128 = 0x4000;
					_v132 = 0x4000;
					_v136 = 0x1036;
					_v140 = _t223; // executed
					SendMessageA(??, ??, ??, ??); // executed
					_t232 = _t226 + 0xc;
					if(_t192 >= 0) {
						SendMessageA(_t223, 0x1001, 0, _t192);
						SendMessageA(_t223, 0x1026, 0, _t192);
						_t232 = _t232;
					}
					if(_t225 >= 0) {
						SendMessageA(_t223, 0x1024, 0, _t225);
						_t232 = _t232 - 0x10;
					}
					E00404836(_a4,  *((intOrPtr*)(_a16 + 0x30)), 0x1b);
					if(( *0x430844 & 0x00000003) != 0) {
						_t181 =  *0x431060; // 0x60072
						_t182 = ShowWindow(_t181, 0); // executed
						_push(_t182);
						_push(_t182);
						if(( *0x430844 & 0x00000002) != 0) {
							 *0x431060 = 0;
						} else {
							_t185 = ShowWindow(_t223, 8); // executed
							_push(_t185);
							_push(_t185);
						}
						_t183 =  *0x43107c; // 0x30214, executed
						E00404741(_t183); // executed
					}
					_t177 = GetDlgItem(_a4, 0x3ec);
					_t218 = 0;
					_v128 = 0x75300000;
					_v132 = 0;
					_v136 = 0x401;
					_v140 = _t177;
					_v100 = _t177;
					SendMessageA(_t223, _t223, ??, ??);
					_t215 = _v100;
					if(( *0x430844 & 0x00000004) != 0) {
						SendMessageA(_t215, 0x409, 0, _t225);
						SendMessageA(_v100, 0x2001, 0, _t192);
					}
					L37:
					return _t218;
				}
			}

0x00406b9f
0x00406ba8
0x00406bab
0x00406bae
0x00406bba
0x00406e32
0x00406e8f
0x00406ed4
0x00406edd
0x00406ef0
0x00406f00
0x00406f0c
0x00406f0d
0x00406f0e
0x00406f23
0x00406f29
0x00406f2a
0x00406edf
0x00406edf
0x00406ee9
0x00406ee9
0x00406f2f
0x00406f2f
0x00406e91
0x00406e96
0x00406e9c
0x00406eac
0x00406eb3
0x00406eb6
0x00406ebe
0x00406ec3
0x00406ec4
0x00406ec7
0x00406ec7
0x00406e96
0x00406e34
0x00406e34
0x00406e42
0x00406e49
0x00406e4c
0x00406e50
0x00406e58
0x00406e5c
0x00406e64
0x00406e6c
0x00406e73
0x00406e78
0x00406e7b
0x00406e7e
0x00406e83
0x00406e83
0x00406f36
0x004070f0
0x00406f45
0x00406f45
0x00406f4d
0x00406f4f
0x00406f57
0x00406f5f
0x00406f62
0x00406f67
0x00406f6c
0x00406f6f
0x00000000
0x00000000
0x00406f75
0x00406f7a
0x00406f82
0x00406f89
0x00406f92
0x00406f96
0x00406f9e
0x00406fa6
0x00406fa9
0x00406fae
0x00406fb5
0x00406fd3
0x00406fd7
0x00406fb7
0x00406fc1
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcd
0x00406fcd
0x00406fda
0x00406fdd
0x00406fdf
0x00406fe7
0x00406fef
0x00406ff3
0x00406ff7
0x00406ffb
0x00407003
0x00407006
0x0040700b
0x0040700f
0x00407015
0x00407018
0x0040701c
0x00407023
0x0040702a
0x00407031
0x00407031
0x00407048
0x0040704d
0x00407052
0x00407052
0x00407052
0x0040705f
0x00407065
0x0040706a
0x0040706e
0x00407075
0x0040707a
0x0040707b
0x0040707e
0x00407086
0x00407088
0x00407089
0x0040708c
0x0040708f
0x00407093
0x00407094
0x00407097
0x0040709b
0x004070a3
0x004070ae
0x004070b0
0x004070b3
0x004070b8
0x004070bb
0x004070c3
0x004070c9
0x004070cd
0x004070cf
0x004070d6
0x004070db
0x004070dc
0x004070dd
0x004070dd
0x0040700f
0x00000000
0x00406bc0
0x00406bc7
0x00406bca
0x00406bcc
0x00406bd1
0x00406bd8
0x00406bdf
0x00406be6
0x00406be9
0x00406c04
0x00406c09
0x00406c11
0x00406c1e
0x00406c23
0x00406c2b
0x00406c2e
0x00406c35
0x00406c37
0x00406c3c
0x00406c41
0x00406c4b
0x00406c50
0x00406c5a
0x00406c5d
0x00406c65
0x00406c69
0x00406c6e
0x00406c71
0x00406c76
0x00406c8b
0x00406c8e
0x00406c92
0x00406c9a
0x00406ca2
0x00406ca5
0x00406cad
0x00406cb5
0x00406cbd
0x00406cc5
0x00406cc8
0x00406ccd
0x00406cd2
0x00406ceb
0x00406d0a
0x00406d0f
0x00406d0f
0x00406d14
0x00406d2d
0x00406d32
0x00406d32
0x00406d43
0x00406d4f
0x00406d51
0x00406d61
0x00406d6d
0x00406d6e
0x00406d6f
0x00406d85
0x00406d71
0x00406d7c
0x00406d81
0x00406d82
0x00406d82
0x00406d8f
0x00406d94
0x00406d94
0x00406da7
0x00406dae
0x00406db0
0x00406db8
0x00406dc0
0x00406dc8
0x00406dcb
0x00406dce
0x00406dd3
0x00406de0
0x00406dfd
0x00406e1f
0x00406e24
0x004070f2
0x004070fb
0x004070fb

APIs

GetDlgItem.USER32 ref: 00406BFA
GetDlgItem.USER32 ref: 00406C14
GetClientRect.USER32 ref: 00406C69
GetSystemMetrics.USER32 ref: 00406C7D
SendMessageA.USER32 ref: 00406CA5
SendMessageA.USER32 ref: 00406CC8
SendMessageA.USER32 ref: 00406CEB
SendMessageA.USER32 ref: 00406D0A
SendMessageA.USER32 ref: 00406D2D
ShowWindow.USER32 ref: 00406D61
ShowWindow.USER32(00000000,00000000), ref: 00406D7C
GetDlgItem.USER32 ref: 00406DA7
SendMessageA.USER32 ref: 00406DCE
SendMessageA.USER32 ref: 00406DFD
SendMessageA.USER32 ref: 00406E1F
ShowWindow.USER32 ref: 00406EAC
ShowWindow.USER32(00000000,00000000), ref: 00406EBE
GetDlgItem.USER32 ref: 00406C2E

Part of subcall function 00404741: SendMessageA.USER32 ref: 00404763

GetDlgItem.USER32 ref: 00406E42
CreateThread.KERNEL32 ref: 00406E73
CloseHandle.KERNEL32 ref: 00406E7E
SendMessageA.USER32 ref: 00406F62
CreatePopupMenu.USER32 ref: 00406F75
AppendMenuA.USER32 ref: 00406FA9
GetWindowRect.USER32 ref: 00406FC1
TrackPopupMenu.USER32 ref: 00407006
SendMessageA.USER32 ref: 00407048
OpenClipboard.USER32 ref: 0040705F
EmptyClipboard.USER32(00000000), ref: 00407065
GlobalAlloc.KERNEL32(00000000), ref: 00407075
GlobalLock.KERNEL32 ref: 00407081
SendMessageA.USER32 ref: 004070A6
GlobalUnlock.KERNEL32 ref: 004070C3
SetClipboardData.USER32 ref: 004070D6
CloseClipboard.USER32(00000000,00000000,00000000), ref: 004070DD

Strings

Immunity Debugger Setup: Completed, xrefs: 00407023

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend$ItemWindow$ClipboardShow$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Immunity Debugger Setup: Completed
API String ID: 3345910698-3110964495
Opcode ID: 2e7e44f58e1fe7d5e36a84fbd02a7a9e00080dcb08a4fad5597fdb4f72587284
Instruction ID: 69632327c9f5cfd11b49eaa5ab9f05f8e88b18c42747804196c550a0ceeac204
Opcode Fuzzy Hash: 2e7e44f58e1fe7d5e36a84fbd02a7a9e00080dcb08a4fad5597fdb4f72587284
Instruction Fuzzy Hash: 5AE10AB0808344AFD700EF6AC58476EBBF4EF84308F11C92EE59867392D7799845CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040407F, Relevance: 49.3, APIs: 20, Strings: 8, Instructions: 331
filecomstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			_entry_() {
				char _v32;
				int _v372;
				char _v380;
				int _v384;
				char* _v400;
				int* _v404;
				struct _SECURITY_ATTRIBUTES* _v436;
				intOrPtr _v440;
				struct _SECURITY_ATTRIBUTES* _v444;
				struct _SECURITY_ATTRIBUTES* _v448;
				CHAR* _v460;
				char* _v464;
				CHAR* _v468;
				struct _SECURITY_ATTRIBUTES* _v472;
				CHAR* _v476;
				struct _SECURITY_ATTRIBUTES* _v480;
				CHAR* _v484;
				struct _SECURITY_ATTRIBUTES* _v488;
				int _t65;
				intOrPtr _t66;
				void* _t69;
				CHAR* _t70;
				CHAR* _t71;
				CHAR* _t75;
				char* _t76;
				char* _t77;
				long _t80;
				void* _t81;
				char* _t83;
				char* _t85;
				void* _t86;
				void* _t88;
				char* _t89;
				char* _t92;
				char* _t93;
				void* _t95;
				char* _t96;
				char* _t101;
				CHAR* _t102;
				int _t103;
				void* _t104;
				intOrPtr _t105;
				int _t110;
				intOrPtr _t112;
				CHAR* _t115;
				void* _t119;
				void* _t120;
				signed int _t121;
				char* _t122;
				char* _t124;
				char* _t125;
				CHAR* _t126;
				CHAR* _t127;
				void* _t128;
				CHAR* _t133;
				void* _t138;
				char* _t139;
				signed int _t140;
				char* _t141;
				intOrPtr* _t144;
				CHAR** _t145;
				intOrPtr* _t146;

				InitCommonControls();
				_t65 = SetErrorMode(0x8001); // executed
				_v444 = 0; // executed
				L004097D0(); // executed
				 *0x4307f4 = _t65;
				_v448 = 8; // executed
				_t66 = E00407B28(_t126, _t128, _t140); // executed
				 *0x430850 = _t66;
				_v436 = 0;
				_v440 = 0x160;
				_v444 =  &_v384;
				_v448 = 0;
				 *_t144 = 0x40b2a9; // executed
				SHGetFileInfoA(??, ??, ??, ??, ??); // executed
				_t145 = _t144 - 0x14;
				_v468 = "NSIS Error";
				_v472 = 0x43085c;
				_t69 = E00407667(_t138, _t120);
				_t70 = GetCommandLineA();
				_v480 = 0x439000;
				_v476 = _t70;
				_t71 = E00407667(_t69, _t69);
				_v488 = 0;
				 *0x430858 = GetModuleHandleA(_t71);
				_t74 =  ==  ? 0x439001 : 0x439000;
				_v484 = (0x439000 |  *0x439000 == 0x00000022) + 0x439021;
				_v488 =  ==  ? 0x439001 : 0x439000; // executed
				_t75 = E0040726F(_t120, _t128, _t71); // executed
				_push(_t126);
				 *_t145 = _t75;
				_t76 = CharNextA(_t126);
				_t139 = _t76;
				_push(_t120);
				_t121 = 0;
				while(1) {
					_t148 =  *_t76;
					if( *_t76 != 0) {
						goto L2;
					} else {
						break;
					}
					L5:
					__eflags =  *_t76 - 0x2f;
					if( *_t76 != 0x2f) {
						L13:
						_t77 = E0040726F(_t121, _t76, _t127);
						__eflags =  *_t77 - 0x22;
						_t133 = 0 |  *_t77 == 0x00000022;
						_t76 = _t77 + _t133;
						__eflags = _t76;
						continue;
					}
					__eflags = _t76[1] - 0x53;
					if(_t76[1] == 0x53) {
						_t140 = _t121 | 0x00000002;
						_t133 = _t76[2] | 0x00000020;
						__eflags = _t133 - 0x20;
						_t121 =  ==  ? _t140 : _t121;
					}
					__eflags = _t76[1] - 0x4352434e;
					if(_t76[1] == 0x4352434e) {
						_t140 = _t121 | 0x00000004;
						_t133 = _t76[5] | 0x00000020;
						__eflags = _t133 - 0x20;
						_t121 =  ==  ? _t140 : _t121;
					}
					__eflags =  *(_t76 - 1) - 0x3d442f20;
					if(__eflags == 0) {
						 *(_t76 - 1) = 0;
						E00407667(0x439400,  &(_t76[3]));
						break;
					} else {
						_t76 =  &(_t76[1]);
						goto L13;
					}
					L2:
					_t133 =  *_t76;
					__eflags = _t133 - 0x20;
					if(_t133 == 0x20) {
						_t76 =  &(_t76[1]);
						__eflags = _t76;
						goto L2;
					} else {
						__eflags = _t133 - 0x22;
						_t127 = 0x20;
						if(_t133 == 0x22) {
							_t76 =  &(_t76[1]);
							__eflags = _t76;
							_t127 = 0x22;
						}
						goto L5;
					}
				}
				_t80 = GetTempPathA(0x400, 0x43a400);
				_push(_t80);
				_push(_t80); // executed
				_t81 = E00403FDC(_t121, _t127, _t133, _t148); // executed
				_t149 = _t81;
				if(_t81 != 0) {
					L17:
					DeleteFileA(0x43a000); // executed
					_v468 = _t121;
					_t122 = 0; // executed
					_t83 = E00403CB7(_t127, _t133, _t150, _t140); // executed
					_t141 = _t83;
					_push(_t133);
					if(_t83 != 0) {
						L40:
						E0040403F(_t127);
						L004097D8();
						_t154 = _t141;
						if(_t141 == 0) {
							__eflags =  *0x4307d0;
							if( *0x4307d0 != 0) {
								_v400 = E00407B28(_t127, _t133, 3);
								_v472 = 4;
								_t139 = E00407B28(_t127, _t133);
								_v476 = 5;
								_t92 = E00407B28(_t127, _t133, _t133);
								__eflags = _t139;
								_t141 = _t92;
								_push(_t127);
								if(_t139 != 0) {
									__eflags = _v400;
									if(_v400 != 0) {
										__eflags = _t92;
										if(_t92 != 0) {
											_t95 = GetCurrentProcess();
											_t133 =  &_v32;
											_v460 = _t133;
											_v464 = 0x28;
											_v468 = _t95;
											_t96 = _v400();
											_t145 = _t145 - 0xc;
											__eflags = _t96;
											if(_t96 != 0) {
												_v404 =  &_v384;
												_v472 =  &_v380;
												_v476 = "SeShutdownPrivilege";
												_v480 = 0;
												 *_t139();
												_t133 = _v404;
												_v384 = 1;
												_v372 = 2;
												_t146 = _t145 - 0xc;
												_v472 = 0;
												_v476 = 0;
												_v480 = 0;
												_v484 = _t133;
												_v488 = 0;
												 *_t146 = _v32;
												 *_t141();
												_t145 = _t146 - 0x18;
											}
										}
									}
								}
								_t93 = ExitWindowsEx(2, 0);
								__eflags = _t93;
								_push(_t141);
								_push(_t141);
								if(_t93 == 0) {
									E00403813(_t127, 9);
								}
							}
							_t85 =  *0x4307e8; // 0xffffffff
							__eflags = _t85 - 0xffffffff;
							_t123 =  !=  ? _t85 : _t122;
							_v468 =  !=  ? _t85 : _t122;
						} else {
							_t85 = E004071B9(_t141, 0x200010);
							_v476 = 2;
						}
						ExitProcess();
						L52:
						 *_t85 = 0;
						_t64 =  &(_t85[4]); // 0x4
						_t124 = _t64;
						_v464 = _t124;
						_t86 = E00407A78(_t124, _t127, _t133, _t154);
						_push(_t133);
						if(_t86 == 0) {
							L38:
							_t141 = "Error launching installer";
							L39:
							_t122 = 0;
							__eflags = 0;
							goto L40;
						}
						E00407667(0x439400, _t124);
						_v468 = _t124;
						_v472 = 0x439800;
						_t88 = E00407667();
						_push(_t88);
						_push(_t88);
						L36:
						 *0x4307e8 = 0xffffffff; // executed
						_t89 = E00405B86(_t127, _t133); // executed
						_t122 = _t89;
						goto L40;
					}
					if( *0x430848 == 0) {
						goto L36;
					}
					_t85 = E0040726F(0, 0x439000, 0);
					while(_t85 >= 0x439000) {
						_t154 =  *_t85 - 0x3d3f5f20;
						if( *_t85 != 0x3d3f5f20) {
							_t85 = _t85 - 1;
							__eflags = _t85;
							continue;
						}
						goto L52;
					}
					_v464 = "~nsu.tmp";
					_v468 = 0x43a400;
					E00407697();
					_v472 = 0x439c00;
					_v476 = 0x43a400;
					_t101 = lstrcmpiA(_t133, _t133);
					__eflags = _t101;
					_push(_t127);
					_push(_t127);
					if(_t101 == 0) {
						goto L38;
					}
					_t102 = CreateDirectoryA(0x43a400, 0);
					_push(_t102);
					_v476 = 0x43a400;
					_t103 = SetCurrentDirectoryA(_t102);
					__eflags =  *0x439400;
					_push(_t103);
					if( *0x439400 == 0) {
						E00407667(0x439400, 0x439c00);
					}
					_v472 = _t139;
					_t125 = 0x1a;
					_t141 = "Error launching installer";
					_v476 = 0x434000;
					_t104 = E00407667();
					 *0x434400 = 0x41;
					_push(_t104);
					_push(_t104);
					do {
						_t105 =  *0x4307fc; // 0x11f030
						_v476 = 0x42b810;
						_v472 =  *(_t105 + 0x120);
						E00407769();
						_push(_t127);
						_v484 = 0x42b810;
						DeleteFileA(_t127);
						__eflags = _t141;
						_push(_t139);
						if(_t141 != 0) {
							_t110 = CopyFileA(0x43ac00, 0x42b810, 1);
							_t145 = _t145 - 0xc;
							__eflags = _t110;
							if(_t110 != 0) {
								E00407B78(_t127, _t133, 0x42b810, 0);
								_t112 =  *0x4307fc; // 0x11f030
								_v484 = 0x42b810;
								_v480 =  *(_t112 + 0x124);
								_push(E00407769());
								 *_t145 = 0x42b810;
								_t115 = E00407100(_t114);
								__eflags = _t115;
								_push(_t133);
								if(_t115 != 0) {
									_v476 = _t115;
									_t141 = 0;
									__eflags = 0;
									_push(CloseHandle(??));
								}
							}
						}
						 *0x434400 =  *0x434400 + 1;
						_t125 = _t125 - 1;
						__eflags = _t125;
					} while (_t125 != 0);
					E00407B78(_t127, _t133, 0x43a400, 0);
					goto L39;
				}
				GetWindowsDirectoryA(0x43a400, 0x3fb);
				_push(_t127);
				_push(_t127);
				_v464 = "\\Temp";
				_v468 = 0x43a400;
				E00407697();
				_push(_t140);
				_push(_t140);
				_t119 = E00403FDC(_t121, _t127, _t133, _t149);
				_t150 = _t119;
				if(_t119 == 0) {
					_t141 = "Error writing temporary file. Make sure your temp folder is valid.";
					goto L39;
				}
				goto L17;
			}

0x0040408b
0x00404097
0x0040409d
0x004040a4
0x004040aa
0x004040af
0x004040b6
0x004040bb
0x004040c7
0x004040cf
0x004040d7
0x004040db
0x004040e3
0x004040ea
0x004040ef
0x004040f2
0x004040fa
0x00404101
0x00404108
0x0040410d
0x00404114
0x00404118
0x0040411f
0x00404138
0x00404142
0x0040414f
0x00404153
0x00404156
0x0040415b
0x0040415d
0x00404160
0x00404165
0x00404167
0x00404168
0x004041fc
0x004041fc
0x004041ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00404181
0x00404181
0x00404184
0x004041e4
0x004041eb
0x004041f4
0x004041f7
0x004041fa
0x004041fa
0x00000000
0x004041fa
0x00404186
0x0040418a
0x00404191
0x00404194
0x00404197
0x0040419a
0x0040419a
0x0040419d
0x004041a4
0x004041ab
0x004041ae
0x004041b1
0x004041b4
0x004041b4
0x004041b7
0x004041be
0x004041c3
0x004041d8
0x00000000
0x004041c0
0x004041c0
0x00000000
0x004041c0
0x00404170
0x00404170
0x00404172
0x00404175
0x0040416f
0x0040416f
0x00000000
0x00404177
0x00404177
0x0040417a
0x0040417c
0x0040417e
0x0040417e
0x0040417f
0x0040417f
0x00000000
0x0040417c
0x00404175
0x00404214
0x00404219
0x0040421a
0x0040421b
0x00404220
0x00404222
0x0040425d
0x00404264
0x0040426a
0x0040426d
0x0040426f
0x00404276
0x00404278
0x00404279
0x00404465
0x00404465
0x0040446a
0x0040446f
0x00404471
0x00404491
0x00404498
0x004044ab
0x004044b1
0x004044be
0x004044c0
0x004044c7
0x004044cc
0x004044ce
0x004044d0
0x004044d1
0x004044d7
0x004044de
0x004044e4
0x004044e6
0x004044ec
0x004044f1
0x004044f4
0x004044f8
0x00404500
0x00404503
0x00404509
0x0040450c
0x0040450e
0x0040451c
0x00404522
0x00404526
0x0040452e
0x00404535
0x00404537
0x00404540
0x0040454a
0x00404554
0x00404557
0x0040455f
0x00404567
0x0040456f
0x00404573
0x0040457b
0x0040457e
0x00404580
0x00404580
0x0040450e
0x004044e6
0x004044de
0x00404592
0x00404597
0x00404599
0x0040459a
0x0040459b
0x004045a4
0x004045a9
0x0040459b
0x004045aa
0x004045af
0x004045b2
0x004045b5
0x00404473
0x0040447e
0x00404485
0x00404485
0x004045b8
0x004045bd
0x004045bd
0x004045c0
0x004045c0
0x004045c3
0x004045c6
0x004045cd
0x004045ce
0x0040445e
0x0040445e
0x00404463
0x00404463
0x00404463
0x00000000
0x00404463
0x004042fa
0x00404301
0x00404305
0x0040430c
0x00404311
0x00404312
0x00404444
0x00404444
0x0040444e
0x00404453
0x00000000
0x00404453
0x00404286
0x00000000
0x00000000
0x0040429b
0x004042a5
0x004042ac
0x004042b2
0x004042a4
0x004042a4
0x00000000
0x004042a4
0x00000000
0x004042b4
0x004042b9
0x004042c1
0x004042c8
0x004042cf
0x004042d7
0x004042de
0x004042e3
0x004042e5
0x004042e6
0x004042e7
0x00000000
0x00000000
0x00404327
0x0040432c
0x0040432e
0x00404335
0x0040433a
0x00404341
0x00404342
0x00404353
0x00404359
0x0040435a
0x0040435e
0x00404363
0x00404368
0x0040436f
0x00404374
0x0040437d
0x0040437e
0x0040437f
0x0040437f
0x0040438a
0x00404391
0x00404395
0x0040439a
0x0040439c
0x004043a3
0x004043a8
0x004043aa
0x004043ab
0x004043c4
0x004043c9
0x004043cc
0x004043ce
0x004043df
0x004043e6
0x004043f1
0x004043f8
0x00404401
0x00404403
0x0040440a
0x0040440f
0x00404411
0x00404412
0x00404414
0x00404417
0x00404417
0x0040441e
0x0040441e
0x00404412
0x004043ce
0x0040441f
0x00404425
0x00404425
0x00404425
0x0040443b
0x00000000
0x00404441
0x00404233
0x00404238
0x00404239
0x0040423a
0x00404242
0x00404249
0x0040424e
0x0040424f
0x00404250
0x00404255
0x00404257
0x00404457
0x00000000
0x00404457
0x00000000

APIs

InitCommonControls.COMCTL32 ref: 0040408B
SetErrorMode.KERNEL32 ref: 00404097
OleInitialize.OLE32 ref: 004040A4

Part of subcall function 00407B28: GetModuleHandleA.KERNEL32(?,?,004040BB), ref: 00407B3D
Part of subcall function 00407B28: LoadLibraryA.KERNEL32(?,?,?,004040BB), ref: 00407B4C
Part of subcall function 00407B28: GetProcAddress.KERNEL32 ref: 00407B68

SHGetFileInfoA.SHELL32 ref: 004040EA

Part of subcall function 00407667: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404106), ref: 00407682

GetCommandLineA.KERNEL32(00000000,00000000), ref: 00404108
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404126
CharNextA.USER32(?,?,?,00000000,00000000,00000000,00000000), ref: 00404160
GetTempPathA.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00404214
GetWindowsDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00404233
DeleteFileA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00404264
lstrcmpiA.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 004042DE
CreateDirectoryA.KERNEL32(?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404327
SetCurrentDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404335
DeleteFileA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000), ref: 004043A3
CopyFileA.KERNEL32(00000000), ref: 004043C4
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00404419
OleUninitialize.OLE32(?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040446A
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004044EC

Part of subcall function 00405B86: lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D04
Part of subcall function 00405B86: GetFileAttributesA.KERNEL32 ref: 00405D12

ExitWindowsEx.USER32 ref: 00404592
ExitProcess.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004045B8

Strings

"C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe" , xrefs: 0040410D, 0040413D, 00404294, 004042A5
NCRC, xrefs: 0040419D
Error launching installer, xrefs: 00404363, 0040445E
Immunity Debugger Setup, xrefs: 004040FA
/D=, xrefs: 004041B7
_?=, xrefs: 004042AC
(, xrefs: 004044F8
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00404457

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcmpi$AddressAttributesCharCloseCommandCommonControlsCopyCreateErrorInfoInitInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcpyn
String ID: /D=$ _?=$"C:\Users\user\Desktop\ImmunityDebugger_1_85_setup.exe" $($Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Immunity Debugger Setup$NCRC
API String ID: 2156070416-4025553918
Opcode ID: fe1b933928032489bfdb5efd542def1a008dca207dad4dc477cb23958a6f15d2
Instruction ID: dc8a88e994c5e7fd44e825188efbcf51d7a0b64bbe487fd097ddf371021d448e
Opcode Fuzzy Hash: fe1b933928032489bfdb5efd542def1a008dca207dad4dc477cb23958a6f15d2
Instruction Fuzzy Hash: 4EC120F0409300AED710AF65C94976BBAE8EF94308F01997EE5C8A7382D7BD5845CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004053A4, Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E004053A4(signed int __ecx, signed int _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				void* _v16;
				char _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v100;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char* _v140;
				char* _v144;
				signed int* _v148;
				signed int* _v152;
				signed int _v164;
				signed int _v168;
				char _v176;
				void* __ebx;
				intOrPtr _t92;
				intOrPtr _t94;
				intOrPtr _t96;
				signed int _t98;
				int _t103;
				signed int _t105;
				signed int _t121;
				int _t122;
				int _t126;
				void* _t127;
				signed int _t130;
				intOrPtr _t133;
				signed int _t134;
				intOrPtr _t136;
				signed int _t137;
				CHAR* _t138;
				int _t139;
				struct HWND__* _t144;
				signed int _t145;
				int _t146;
				signed int _t157;
				signed int _t163;
				signed int _t165;
				void* _t166;
				signed int* _t171;
				intOrPtr _t172;
				struct HWND__* _t176;
				signed int* _t177;
				signed int _t178;
				void* _t179;
				signed int _t180;
				signed int* _t181;
				signed int* _t182;

				_t167 = __ecx;
				_t92 =  *0x42cc54;
				_t180 = _a4;
				_v116 = _t92;
				_t171 =  *((intOrPtr*)(_t92 + 0x38));
				_t163 = ( *(_t92 + 0x3c) << 0xa) + 0x434000;
				if(_a8 != 0x40b) {
					__eflags = _a8 - 0x110;
					if(_a8 != 0x110) {
						__eflags = _a8 - 0x111;
						if(__eflags == 0) {
							_t130 = _a12 & 0x0000ffff;
							__eflags = _t130 - 0x3fb;
							if(_t130 != 0x3fb) {
								__eflags = _t130 - 0x3e9;
								if(__eflags == 0) {
									_t179 =  &_v100;
									memset(_t179, 0, 8 << 2);
									_t181 =  &(_t181[3]);
									_t176 = _t179 + 8;
									_t167 = 0;
									_v152 = _t171;
									_v100 = _t180;
									_v92 = 0x42bc18;
									_v80 = E00404B16;
									_v76 = _t163;
									 *_t181 = 0x42cc58;
									_t133 = E00407769();
									_v84 = 0x41;
									_push(_t171);
									_push(_t171);
									_v88 = _t133;
									_t134 =  &_v100;
									_v164 = _t134;
									L00409750();
									__eflags = _t134;
									_push(0);
									if(__eflags == 0) {
										_a8 = 0x40f;
									} else {
										 *_t181 = _t134;
										L004097E0();
										_v164 = _t163;
										E0040722C(_t163, 0, _t171, 0);
										_t136 =  *0x4307fc; // 0x11f030
										_push(_t176);
										_t137 =  *(_t136 + 0x11c);
										__eflags = _t137;
										if(__eflags != 0) {
											__eflags = _t163 - 0x439400;
											if(__eflags == 0) {
												_t181[1] = _t137;
												_v164 = 0;
												_t138 = E00407769();
												_v168 = 0x42bc18;
												 *_t181 = 0x431084;
												_t139 = lstrcmpiA(_t138, _t138);
												__eflags = _t139;
												_push(_t171);
												_push(_t171);
												if(__eflags != 0) {
													_t181[1] = 0x431084;
													_v164 = 0x439400;
													E00407697();
													_push(_t139);
													_push(_t139);
												}
											}
										}
										 *0x42d058 =  *0x42d058 + 1;
										_t181[2] = _t163;
										_t181[1] = 0x3fb;
										_v164 = _t180;
										E00407180();
										_t181 = _t181 - 0xc;
									}
								}
							} else {
								__eflags = _a12 >> 0x10 - 0x300;
								_t143 =  !=  ? _a8 : 0x40f;
								_a8 =  !=  ? _a8 : 0x40f;
							}
						}
					} else {
						_v152 = 0x3fb;
						 *_t181 = _t180;
						_t144 = GetDlgItem(??, ??);
						_push(_t167);
						_t176 = _t144;
						 *_t181 = _t163;
						_t145 = E004072CF(_t167);
						__eflags = _t145;
						_push(_t171);
						if(_t145 != 0) {
							 *_t181 = _t163;
							_t157 = E004072FD(_t167, _t171);
							__eflags = _t157;
							_push(_t171);
							if(_t157 == 0) {
								 *_t181 = _t163;
								E0040722C(_t163, _t167, _t171);
								_push(_t167);
							}
						}
						 *0x431074 = _t180;
						_v152 = _t163;
						 *_t181 = _t176; // executed
						_t146 = SetWindowTextA(??, ??); // executed
						_push(_t146);
						E00404836(_t180,  *((intOrPtr*)(_a16 + 0x34)), 1);
						_t171 = 0x14;
						_t167 =  *((intOrPtr*)(_a16 + 0x30));
						E00404836(_t180, _t167, 0x14);
						E00404741(_t176); // executed
						 *_t181 = 7;
						__eflags = E00407B28(_t167, 0x14, _t146);
						_push(0x14);
						if(__eflags != 0) {
							 *_t181 = _t176;
							_v152 = 1;
							SHAutoComplete(??, ??); // executed
							_push(_t176);
							_push(_t176);
						}
					}
				} else {
					_v152 = _t163;
					 *_t181 = 0x3fb; // executed
					E00407189(); // executed
					_push(__ecx);
					_v164 = _t163;
					E004076A0(__ecx, __ecx);
					_push(_t176);
				}
				if(_a8 == 0x405) {
					L21:
					_v152 = _t163;
					 *_t181 = 0x3fb; // executed
					E00407189(); // executed
					_v164 = _t163; // executed
					_t94 = E00407A78(_t163, _t167, _t171, _t185, _t176); // executed
					_v124 = _t94;
					_v164 = _t163;
					_v168 = 0x42d05c;
					E00407667(_t171, _t176);
					_push(_t167);
					_v176 = 0;
					_t96 = E00407B28(_t167, _t171, _t167);
					_push(_t176);
					_v120 = _t96;
					if(_t96 == 0) {
						L28:
						_v152 = _t163;
						 *_t181 = 0x42d05c;
						E00407667();
						_push(_t167);
						_v164 = 0x42d05c;
						_t98 = E004072FD(_t167, _t171, _t167);
						__eflags = _t98;
						_push(_t163);
						if(_t98 != 0) {
							 *_t98 = 0;
						}
						_t177 = 0;
						_v140 =  &_v32;
						_v144 =  &_v36;
						_v148 =  &_v40;
						_v152 =  &_v44;
						 *_t181 = 0x42d05c;
						_t103 = GetDiskFreeSpaceA(??, ??, ??, ??, ??);
						_t182 = _t181 - 0x14;
						__eflags = _t103;
						if(_t103 != 0) {
							_t177 = 1;
							_v148 = 0x400;
							_v152 = _v36;
							_t121 = _v44 * _v40;
							__eflags = _t121;
							 *_t182 = _t121;
							_t122 = MulDiv(??, ??, ??);
							_t182 = _t182 - 0xc;
							_v112 = _t122;
						}
						goto L32;
					} else {
						_t178 = 0;
						while(1) {
							_v144 =  &_v52;
							_v148 =  &_v60;
							_v152 =  &_v68;
							 *_t181 = 0x42d05c; // executed
							_t126 = GetDiskFreeSpaceExA(??, ??, ??, ??);
							_t181 = _t181 - 0x10;
							if(_t126 != 0) {
								break;
							}
							__eflags = _t178;
							if(_t178 != 0) {
								 *_t178 = 0;
							}
							 *_t181 = 0x42d05c;
							_t127 = E00407298(_t163, _t167, _t171);
							_push(_t178);
							_t57 = _t127 - 1; // -1
							_t178 = _t57;
							__eflags = _t178 - 0x42d05c;
							 *(_t127 - 1) = 0x5c;
							if(_t178 != 0x42d05c) {
								continue;
							} else {
								goto L28;
							}
						}
						_t177 = 1;
						_v112 = (_v64 << 0x00000020 | _v68) >> 0xa;
						L32:
						_t105 = E004046D0(5);
						if(_v112 >= _t105) {
							L34:
							_t165 = 0 | _v124 == 0x00000000;
							L35:
							_t172 =  *0x431080; // 0x128c48
							if( *((intOrPtr*)(_t172 + 0x10)) != 0) {
								_t167 = _t105;
								_t172 = 0xfffffffb;
								E004048FE(0x3ff, _t105, 0xfffffffb);
								if(_t177 == 0) {
									_v148 = 0x40b2e2;
									_v152 = 0x400;
									 *_t182 = _t180;
									E00407180();
									_t182 = _t182 - 0xc;
								} else {
									_t167 = _v112;
									_t172 = 0xfffffffc;
									E004048FE(0x400, _v112, 0xfffffffc);
								}
							}
							 *0x4307e0 = _t165;
							if(_t165 == 0) {
								 *_t182 = 7;
								_t165 = E00403813(_t167);
								_push(_t172);
							}
							_t166 =  !=  ? 0 : _t165;
							E0040481B(0 | _t166 == 0x00000000, _t167);
							if(_t166 == 0 &&  *0x42d058 == 0) {
								E00404703();
							}
							 *0x42d058 = 0;
							L45:
							return E00404BAE(_a8, _a16, _a12);
						}
						_t165 = 2;
						if(_t177 != 0) {
							goto L35;
						}
						goto L34;
					}
				}
				_t185 = _a8 - 0x40f;
				if(_a8 != 0x40f) {
					goto L45;
				}
				goto L21;
			}

0x004053a4
0x004053b0
0x004053b5
0x004053bb
0x004053be
0x004053c4
0x004053d1
0x004053f3
0x004053fa
0x0040549f
0x004054a6
0x004054ac
0x004054b0
0x004054b5
0x004054d2
0x004054d7
0x004054e5
0x004054e8
0x004054e8
0x004054e8
0x004054e8
0x004054ea
0x004054ee
0x004054f1
0x004054f8
0x004054ff
0x00405502
0x00405509
0x0040550e
0x00405515
0x00405516
0x00405517
0x0040551a
0x0040551d
0x00405520
0x00405525
0x00405527
0x00405528
0x004055b8
0x0040552e
0x0040552e
0x00405531
0x00405537
0x0040553a
0x0040553f
0x00405544
0x00405545
0x0040554b
0x0040554d
0x0040554f
0x00405555
0x00405557
0x0040555b
0x00405562
0x00405569
0x00405571
0x00405578
0x0040557d
0x0040557f
0x00405580
0x00405581
0x00405583
0x0040558b
0x00405592
0x00405597
0x00405598
0x00405598
0x00405581
0x00405555
0x00405599
0x0040559f
0x004055a3
0x004055ab
0x004055ae
0x004055b3
0x004055b3
0x00405528
0x004054b7
0x004054bd
0x004054c6
0x004054ca
0x004054ca
0x004054b5
0x00405400
0x00405400
0x00405408
0x0040540b
0x00405410
0x00405411
0x00405414
0x00405417
0x0040541c
0x0040541e
0x0040541f
0x00405421
0x00405424
0x00405429
0x0040542b
0x0040542c
0x0040542e
0x00405431
0x00405436
0x00405436
0x0040542c
0x00405437
0x0040543d
0x00405441
0x00405444
0x0040544e
0x00405458
0x00405460
0x00405465
0x0040546a
0x00405471
0x00405476
0x00405482
0x00405484
0x00405485
0x0040548b
0x0040548e
0x00405496
0x00405498
0x00405499
0x00405499
0x00405485
0x004053d3
0x004053d3
0x004053d7
0x004053de
0x004053e3
0x004053e5
0x004053e8
0x004053ed
0x004053ed
0x004055c6
0x004055d5
0x004055d5
0x004055d9
0x004055e0
0x004055e7
0x004055ea
0x004055f0
0x004055f3
0x004055f7
0x004055fe
0x00405603
0x00405605
0x0040560c
0x00405613
0x00405614
0x00405617
0x0040567f
0x0040567f
0x00405683
0x0040568a
0x0040568f
0x00405691
0x00405698
0x0040569d
0x0040569f
0x004056a0
0x004056a2
0x004056a2
0x004056a8
0x004056aa
0x004056b1
0x004056b8
0x004056bf
0x004056c3
0x004056ca
0x004056cf
0x004056d2
0x004056d4
0x004056d9
0x004056dd
0x004056e5
0x004056ec
0x004056ec
0x004056f0
0x004056f3
0x004056f8
0x004056fb
0x004056fb
0x00000000
0x00405619
0x00405619
0x0040561b
0x0040561e
0x00405625
0x0040562c
0x00405630
0x00405637
0x0040563a
0x0040563f
0x00000000
0x00000000
0x00405658
0x0040565a
0x0040565c
0x0040565c
0x00405661
0x00405668
0x0040566d
0x0040566e
0x0040566e
0x00405671
0x00405677
0x0040567d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040567d
0x00405644
0x00405650
0x004056fe
0x00405703
0x0040570b
0x00405716
0x0040571c
0x0040571f
0x0040571f
0x00405729
0x0040572b
0x0040572d
0x00405737
0x0040573e
0x00405754
0x0040575c
0x00405764
0x00405767
0x0040576c
0x00405740
0x00405740
0x00405743
0x0040574d
0x0040574d
0x0040573e
0x00405771
0x00405777
0x00405779
0x00405785
0x00405787
0x00405787
0x00405794
0x0040579e
0x004057a5
0x004057b0
0x004057b0
0x004057b5
0x004057bf
0x004057d4
0x004057d4
0x0040570f
0x00405714
0x00000000
0x00000000
0x00000000
0x00405714
0x00405617
0x004055c8
0x004055cf
0x00000000
0x00000000
0x00000000

APIs

GetDlgItem.USER32 ref: 0040540B
SetWindowTextA.USER32 ref: 00405444
SHAutoComplete.SHLWAPI(?,00000000,00000000), ref: 00405496
GetDiskFreeSpaceExA.KERNELBASE ref: 00405637

Part of subcall function 00407189: GetDlgItemTextA.USER32 ref: 004071AD

Part of subcall function 004076A0: CharPrevA.USER32(?,?,?,00000000,?,00000000,?,00403FEE), ref: 00407745

GetDiskFreeSpaceA.KERNEL32(?), ref: 004056CA
MulDiv.KERNEL32 ref: 004056F3

Strings

A, xrefs: 0040550E
: Completed, xrefs: 00405571, 00405583
Immunity Debugger Setup: Completed, xrefs: 004054F1, 00405569
C:\Program Files (x86)\, xrefs: 004055F7, 00405630, 00405661, 00405671, 00405683, 00405691, 004056C3

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: DiskFreeItemSpaceText$AutoCharCompletePrevWindow
String ID: : Completed$A$C:\Program Files (x86)\$Immunity Debugger Setup: Completed
API String ID: 3682569580-3023180201
Opcode ID: 61eda7e18f855fc26c25bdb7954bd8b84d499240bdab979cd0ab1ecf092bb8e3
Instruction ID: c67038c6d13bb592c3da1f9d24891529de744bbb008f74d9bf560de01f059fc7
Opcode Fuzzy Hash: 61eda7e18f855fc26c25bdb7954bd8b84d499240bdab979cd0ab1ecf092bb8e3
Instruction Fuzzy Hash: BAB12BB0908704ABDB10AF65D98466EBBF8EF84304F50843EE989A7391D77C9845CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407769, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 225
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 004077ED
GetSystemDirectoryA.KERNEL32 ref: 00407899
GetWindowsDirectoryA.KERNEL32 ref: 004078B4
SHGetSpecialFolderLocation.SHELL32 ref: 00407917
SHGetPathFromIDListA.SHELL32 ref: 0040792D
CoTaskMemFree.OLE32 ref: 0040793D
lstrcatA.KERNEL32 ref: 0040796B
lstrlenA.KERNEL32(00000000,00000000), ref: 004079DF

Strings

: Completed, xrefs: 00407786, 00407791, 00407A07, 00407A1D, 00407A36, 00407A37

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: : Completed
API String ID: 900638850-2954849223
Opcode ID: 608cb61275edad0d99438b48f1c2d68df9fc4aed5687b8157996a25d9a5a2de4
Instruction ID: 99c595f24bfece36cecc166755ba77c64cac09c54202c60b04fe0e862e326f71
Opcode Fuzzy Hash: 608cb61275edad0d99438b48f1c2d68df9fc4aed5687b8157996a25d9a5a2de4
Instruction Fuzzy Hash: F28161B1D0C2549FDB14AF69C98066EBBE5AF49304F05853FE894A7391D338A841CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004028AD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
comCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004028AD(void* __ebx, void* __edx, void* __eflags) {
				signed int _t56;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed int _t69;
				void* _t70;
				signed int _t71;
				signed int _t74;
				signed int _t76;
				signed int _t78;
				void* _t79;
				signed int _t80;
				void* _t81;
				signed int _t82;
				void* _t83;
				signed int _t84;
				int _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t92;
				void* _t93;
				void* _t96;
				signed int _t98;
				void* _t105;
				signed int _t108;
				signed int _t115;
				signed int _t117;
				signed int _t118;
				void* _t121;
				signed int* _t123;
				signed int* _t124;

				_t102 = __edx;
				_t96 = __ebx;
				_t56 = E0040140C(0xfffffff0, __ebx, __edx); // executed
				 *(_t121 - 0x18c) = _t56;
				_t115 = E0040140C(0xffffffdf, _t96, __edx);
				 *(_t121 - 0x190) = E0040140C(2, _t96, __edx);
				_t117 = E0040140C(0xffffffcd, _t96, __edx);
				_t64 = E0040140C(0x45, _t96, _t102);
				 *_t123 = _t115;
				 *(_t121 - 0x194) = _t64;
				_t65 = E004072CF();
				_push(_t96);
				if(_t65 == 0) {
					E0040140C(0x21, _t96, _t102);
				}
				_t66 = _t121 - 0x1c;
				_t123[4] = _t66;
				_t123[3] = 0x40b760;
				_t123[2] = 1;
				_t123[1] = 0;
				 *_t123 = 0x40b650; // executed
				L004097C8(); // executed
				_t124 = _t123 - 0x14;
				if(_t66 < 0) {
					L13:
					 *_t124 = 0xfffffff0;
					_t118 = 1;
					E00401615();
					_push(_t96);
				} else {
					_t69 =  *(_t121 - 0x1c);
					_t98 = _t121 - 0x20;
					_t124[2] = _t98;
					_t124[1] = 0x40bb50;
					 *_t124 = _t69;
					_t70 =  *((intOrPtr*)( *_t69))();
					_t124 = _t124 - 0xc;
					_t96 = _t70;
					if(_t70 >= 0) {
						_t74 =  *(_t121 - 0x1c);
						_t105 =  *_t74;
						_t124[1] = _t115;
						 *_t124 = _t74; // executed
						_t96 =  *((intOrPtr*)(_t105 + 0x50))();
						_t76 =  *(_t121 - 0x1c);
						_t124[1] = 0x439800;
						 *_t124 = _t76;
						 *((intOrPtr*)( *_t76 + 0x24))(_t105, _t105);
						_t108 =  *(_t121 - 0x2c) & 0x000000ff;
						_push(_t98);
						_push(_t98);
						if(_t108 != 0) {
							_t92 =  *(_t121 - 0x1c);
							_t124[1] = _t108;
							 *_t124 = _t92;
							_t93 =  *((intOrPtr*)( *_t92 + 0x3c))();
							_push(_t93);
							_push(_t93);
						}
						_t78 =  *(_t121 - 0x1c);
						_t124[1] =  *(_t121 - 0x2a) & 0x0000ffff;
						 *_t124 = _t78;
						_t79 =  *((intOrPtr*)( *_t78 + 0x34))();
						_push(_t79);
						_push(_t79);
						if( *_t117 != 0) {
							_t90 =  *(_t121 - 0x1c);
							_t124[2] =  *(_t121 - 0x2c) & 0x000000ff;
							_t124[1] = _t117;
							 *_t124 = _t90;
							 *((intOrPtr*)( *_t90 + 0x44))();
							_t124 = _t124 - 0xc;
						}
						_t80 =  *(_t121 - 0x1c);
						_t98 =  *(_t121 - 0x190);
						_t124[1] = _t98;
						 *_t124 = _t80;
						_t81 =  *((intOrPtr*)( *_t80 + 0x2c))();
						_t117 =  *(_t121 - 0x194);
						_t82 =  *(_t121 - 0x1c);
						_t124[1] = _t117;
						 *_t124 = _t82;
						_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t81, _t81);
						_push(_t83);
						_push(_t83);
						if(_t96 >= 0) {
							_t96 = 0x80004005;
							_t124[5] = 0x400;
							_t124[4] = 0x40d444;
							_t124[3] = 0xffffffff;
							_t124[2] =  *(_t121 - 0x18c);
							_t124[1] = 0;
							 *_t124 = 0;
							_t87 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
							_t124 = _t124 - 0x18;
							if(_t87 != 0) {
								_t88 =  *(_t121 - 0x20);
								_t124[2] = 1;
								_t124[1] = 0x40d444;
								 *_t124 = _t88; // executed
								_t89 =  *((intOrPtr*)( *_t88 + 0x18))();
								_t124 = _t124 - 0xc;
								_t96 = _t89;
							}
						}
						_t84 =  *(_t121 - 0x20);
						 *_t124 = _t84;
						 *((intOrPtr*)( *_t84 + 8))();
						_push(_t115);
					}
					_t71 =  *(_t121 - 0x1c);
					 *_t124 = _t71;
					 *((intOrPtr*)( *_t71 + 8))();
					_push(_t117);
					if(_t96 >= 0) {
						 *_t124 = 0xfffffff4;
						_t118 = 0; // executed
						E00401615(); // executed
						_push(_t98);
					} else {
						goto L13;
					}
				}
				 *0x4307c4 =  *0x4307c4 + _t118;
				return 0;
			}

0x004028ad
0x004028ad
0x004028b2
0x004028b7
0x004028c7
0x004028d3
0x004028e3
0x004028ea
0x004028ef
0x004028f2
0x004028f8
0x004028ff
0x00402900
0x00402904
0x00402904
0x00402909
0x0040290c
0x00402910
0x00402918
0x00402920
0x00402928
0x0040292f
0x00402934
0x00402939
0x00402a8c
0x00402a8c
0x00402a93
0x00402a98
0x00402a9d
0x0040293f
0x0040293f
0x00402942
0x00402947
0x0040294b
0x00402953
0x00402956
0x00402958
0x0040295d
0x0040295f
0x00402965
0x00402968
0x0040296a
0x0040296e
0x00402974
0x00402976
0x0040297d
0x00402985
0x00402988
0x0040298e
0x00402993
0x00402994
0x00402995
0x00402997
0x0040299c
0x004029a0
0x004029a3
0x004029a6
0x004029a7
0x004029a7
0x004029a8
0x004029b1
0x004029b5
0x004029b8
0x004029bb
0x004029bc
0x004029c0
0x004029c2
0x004029cb
0x004029cf
0x004029d3
0x004029d6
0x004029d9
0x004029d9
0x004029dc
0x004029df
0x004029e7
0x004029eb
0x004029ee
0x004029f1
0x004029f9
0x004029fe
0x00402a02
0x00402a05
0x00402a0a
0x00402a0b
0x00402a0c
0x00402a14
0x00402a19
0x00402a21
0x00402a29
0x00402a31
0x00402a35
0x00402a3d
0x00402a44
0x00402a49
0x00402a4e
0x00402a50
0x00402a55
0x00402a5d
0x00402a65
0x00402a68
0x00402a6b
0x00402a6e
0x00402a6e
0x00402a4e
0x00402a70
0x00402a75
0x00402a78
0x00402a7b
0x00402a7b
0x00402a7c
0x00402a81
0x00402a84
0x00402a89
0x00402a8a
0x00402aa3
0x00402aaa
0x00402aac
0x00402ab1
0x00000000
0x00000000
0x00000000
0x00402a8a
0x00403754
0x00403765

APIs

CoCreateInstance.OLE32 ref: 0040292F
MultiByteToWideChar.KERNEL32(00000000), ref: 00402A44

Strings

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger\Uninstall.lnk, xrefs: 00402A21, 00402A5D

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immunity Inc\Immunity Debugger\Uninstall.lnk
API String ID: 123533781-3025201177
Opcode ID: 6059fd5daab697ec0e4df11bb8106f9c2257d37498f84f2fd4f36d1ee527b0c7
Instruction ID: 384a29a4f933aecd360a66649d6a628072f260205a288bbed96ae969aac2c3e3
Opcode Fuzzy Hash: 6059fd5daab697ec0e4df11bb8106f9c2257d37498f84f2fd4f36d1ee527b0c7
Instruction Fuzzy Hash: B551F9B4A047059FD700AF69C58866EFBF4EF88304F00866EE999A7391D7789841CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00407B28, Relevance: 4.5, APIs: 3, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,004040BB), ref: 00407B3D
LoadLibraryA.KERNEL32(?,?,?,004040BB), ref: 00407B4C
GetProcAddress.KERNEL32 ref: 00407B68

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a1834024c3915cb0e01cf0b8c4af231bf8bfbc6f15882e951c2fa50ca2926f34
Instruction ID: 5a7e5605dfdfc60f47df4a05f02b04e10eb82ed38232dab0b8ad9b817824c7ee
Opcode Fuzzy Hash: a1834024c3915cb0e01cf0b8c4af231bf8bfbc6f15882e951c2fa50ca2926f34
Instruction Fuzzy Hash: DAF0A7719046046BD700BF2598814AFBBACDF84754F00843EF944A3355E634ED60879A

Uniqueness

Uniqueness Score: -1.00%

Function 00407A42, Relevance: 3.0, APIs: 2, Instructions: 19fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 00407A56
FindClose.KERNEL32 ref: 00407A67

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 93fe2887c7538e5eee152ba9e4b28784e66262beba100a8d0bb2d4442d6ad80c
Instruction ID: 06e4cbadabc4d1f3235d0ad24e34dd826b25d40128849119b46e9d5e108373eb
Opcode Fuzzy Hash: 93fe2887c7538e5eee152ba9e4b28784e66262beba100a8d0bb2d4442d6ad80c
Instruction Fuzzy Hash: 04D0C2B16082001BC300BB398C0591F76F96A81318FC0C63D7480A73D2D238D80A879E

Uniqueness

Uniqueness Score: -1.00%

Function 00404C82, Relevance: 61.7, APIs: 32, Strings: 3, Instructions: 433
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00404C82(signed int __eax, struct HWND__* __ecx, struct HWND__* _a4, intOrPtr _a8, struct HWND__* _a12, int _a16) {
				void* _v16;
				int _v40;
				void* _v44;
				struct HWND__* _v48;
				signed int _v52;
				void* _v68;
				void* _v72;
				intOrPtr _v76;
				int _v80;
				int _v84;
				int _v88;
				struct HWND__* _v92;
				int _v96;
				struct HWND__* _v100;
				char _v104;
				int _v108;
				struct HWND__* _v112;
				void* _v116;
				signed int _t108;
				signed int _t109;
				struct HWND__* _t114;
				int _t119;
				intOrPtr _t120;
				struct HWND__* _t122;
				struct HWND__* _t129;
				struct HWND__* _t133;
				struct HWND__* _t137;
				int _t142;
				struct HMENU__* _t143;
				struct HWND__* _t147;
				void* _t149;
				long _t154;
				struct HWND__* _t155;
				int _t156;
				long _t157;
				int _t160;
				long _t161;
				struct HWND__* _t163;
				struct HWND__* _t168;
				void* _t171;
				struct HWND__* _t172;
				int _t173;
				void* _t179;
				struct HWND__* _t180;
				long _t183;
				struct HWND__* _t185;
				int _t188;
				long _t190;
				signed int _t192;
				struct HWND__* _t193;
				struct HWND__* _t197;
				long _t199;
				int _t202;
				struct HWND__* _t204;
				int _t210;
				struct HWND__* _t213;
				long* _t216;
				struct HWND__* _t217;
				struct HWND__* _t220;
				signed int _t231;
				long _t232;
				signed int _t234;
				long _t235;
				int _t237;
				struct HWND__* _t239;
				struct HWND__* _t240;
				void* _t241;

				_t217 = __ecx;
				_t239 = _a4;
				_t213 = _a12;
				_t108 = __eax & 0xffffff00 | _a8 == 0x00000110;
				if(_a8 == 0x408 || _t108 != 0) {
					 *0x42cc44 = _t213;
					if(_t108 != 0) {
						 *0x430854 = _t239;
						 *0x42cc48 = GetDlgItem(_t239, 1);
						_v88 = 2;
						_v92 = _t239;
						_t185 = GetDlgItem(_t217, _t217);
						_t217 = _t217 | 0xffffffff;
						 *0x42cc4c = _t185;
						E00404836(_t239, _t217, 0x1c);
						_t188 =  *0x43106c; // 0x303cd
						_v88 = 0xfffffff2;
						_v92 = _t239;
						_v84 = _t188;
						SetClassLongA(_t213, ??, ??); // executed
						_t241 = _t241 - 0xc;
						_v92 = 4;
						_t190 = E00403813(_t217, _t213);
						 *0x42cc44 = 1;
						 *0x43105c = _t190;
					}
					_t109 =  *0x40a014;
					_t216 = (_t109 << 6) +  *0x430800;
					if(_t109 < 0) {
						L9:
						E0040476D(0x40b); // executed
						while(1) {
							_t231 =  *0x42cc44;
							__eflags =  *0x40a014 + _t231 -  *0x430804; // 0x4
							 *0x40a014 =  *0x40a014 + _t231;
							if(__eflags == 0) {
								E00403813(_t217, 1);
							}
							__eflags =  *0x43105c;
							if( *0x43105c != 0) {
								break;
							}
							_t120 =  *0x430804; // 0x4
							__eflags =  *0x40a014 - _t120;
							if( *0x40a014 < _t120) {
								_t216 = _t216 + (_t231 << 6);
								_t234 = _t216[5];
								_v92 = 0x43b800;
								_v88 = _t216[9];
								_t122 = E00407769();
								E00404836(_t239, _t216[8], 0xfffffc19);
								E00404836(_t239, _t216[7], 0xfffffc1b);
								_t217 = _t216[0xa];
								E00404836(_t239, _t217, 0xfffffc1a);
								_v96 = 3;
								_v100 = _t239;
								_t129 = GetDlgItem(_t122, _t122);
								__eflags =  *0x4307c8;
								_push(0xfffffc1a);
								_push(0xfffffc1a);
								_v48 = _t129;
								if( *0x4307c8 != 0) {
									_t234 = _t234 & 0xfffffefd | 0x00000004;
									__eflags = _t234;
								}
								_t133 = ShowWindow(_v48, _t234 & 0x00000008); // executed
								_v88 = _t234 & 0x00000100;
								_v92 = _v48; // executed
								_t137 = EnableWindow(_t133, _t133); // executed
								_t235 = _t234 & 0x00000004; // executed
								E0040481B(_t234 & 0x00000002, _t217); // executed
								_v88 = _t235;
								_v92 =  *0x42cc4c;
								_t142 = EnableWindow(_t137, _t137);
								__eflags = _t235;
								_push(_t142);
								_push(_t142);
								_v88 = 0;
								_v92 = _t239;
								if(_t235 == 0) {
									_t143 = GetSystemMenu();
									_push(_t217);
									_push(_t217);
									_v84 = 1;
								} else {
									_t143 = GetSystemMenu();
									_push(_t235);
									_push(_t235);
									_v84 = 0;
								}
								EnableMenuItem(_t143, 0xf060);
								SendMessageA(_v48, 0xf4, 0, 1);
								_t147 =  *0x42cc48;
								_t241 = _t241 - 0xfffffffffffffffc;
								__eflags =  *0x4307c8;
								if( *0x4307c8 != 0) {
									SendMessageA(_t239, 0x401, 2, 0);
									_t147 =  *0x42cc4c;
									_t241 = _t241 - 0x10; // executed
								}
								E00404741(_t147); // executed
								_t149 = E00407667(0x42bc18, 0x43085c);
								_v100 = 0x42bc18;
								E0040768E();
								_push(0xfffffc1a);
								_v100 = _t216[6];
								_v104 = _t149 + 0x42bc18;
								E00407769();
								_v108 = 0x42bc18;
								_v112 = _t239; // executed
								SetWindowTextA(_t217, _t217); // executed
								_v108 = 0;
								_v112 = _t216[2];
								_t154 = E00403766(0xfffffc1a, _t216[6], _t216[6]);
								__eflags = _t154;
								_push(0xfffffc1a);
								_push(0xfffffc1a);
								if(_t154 != 0) {
									continue;
								} else {
									__eflags =  *_t216;
									if( *_t216 == 0) {
										continue;
									}
									__eflags = _t216[1] - 5;
									if(_t216[1] == 5) {
										__eflags =  *0x4307c8;
										if( *0x4307c8 != 0) {
											L60:
											_t232 = 0;
											__eflags = 0;
											goto L61;
										}
										__eflags =  *0x4307bc;
										if( *0x4307bc != 0) {
											continue;
										}
										goto L60;
									}
									_t155 =  *0x431074; // 0x7006c
									_t156 = DestroyWindow(_t155); // executed
									 *0x42cc54 = _t216;
									_push(_t156);
									_t157 =  *_t216;
									__eflags = _t157;
									if(_t157 > 0) {
										_v80 = _t216;
										_v88 = _t239;
										_v92 = _t157 +  *0x431078 & 0x0000ffff;
										_t160 =  *0x430858; // 0x400000
										_v96 = _t160;
										_v84 =  *((intOrPtr*)(0x40b370 + _t216[1] * 4));
										_t161 = CreateDialogParamA(??, ??, ??, ??, ??); // executed
										__eflags = _t161;
										 *0x431074 = _t161;
										if(_t161 == 0) {
											goto L33;
										}
										_t220 = _t216[0xb];
										_t237 =  &_v44;
										E00404836(_t161, _t220, 6);
										_t163 = GetDlgItem(_t239, 0x3fa);
										_v96 = _t237;
										_v100 = _t163;
										GetWindowRect(6, 6);
										_v96 = _t237;
										_v100 = _t239;
										ScreenToClient(_t220, _t220);
										_t232 = 0;
										_v88 = _v40;
										_v76 = 0x15;
										_v80 = 0;
										_v84 = 0;
										_v92 = _v44;
										_t168 =  *0x431074; // 0x7006c
										_v96 = 0;
										_v100 = _t168;
										SetWindowPos(??, ??, ??, ??, ??, ??, ??);
										_v96 = 0;
										_v100 = _t216[3];
										_t171 = E00403766(6, _t237, _t237);
										__eflags =  *0x43105c;
										_push(_t171);
										_push(_t171);
										if( *0x43105c != 0) {
											goto L61;
										}
										_t172 =  *0x431074; // 0x7006c
										_t173 = ShowWindow(_t172, 8); // executed
										_push(_t173);
										_push(_t173);
										E0040476D(0x405); // executed
										goto L33;
									}
									goto L33;
								}
							}
							break;
						}
						_t114 =  *0x431074; // 0x7006c
						DestroyWindow(_t114);
						 *0x430854 = 0;
						_v88 =  *0x42cc50;
						_v92 = _t239;
						EndDialog(_t217, ??);
						_push(_t216);
						_push(_t216);
						goto L33;
					}
					if( *0x42cc44 != 1) {
						L8:
						_t232 = 0;
						__eflags =  *_t216;
						if( *_t216 == 0) {
							goto L61;
						}
						goto L9;
					}
					_v88 = 0;
					_v92 = _t216[4];
					_t179 = E00403766(0x1c);
					_push(0x1c);
					_push(0x1c);
					if(_t179 == 0) {
						goto L8;
					}
					_t180 =  *0x431074; // 0x7006c
					SendMessageA(_t180, 0x40f, 0, 1);
					_t183 = 0 |  *0x43105c == 0x00000000;
					goto L59;
				} else {
					__eflags = _a8 - 0x47;
					if(_a8 != 0x47) {
						__eflags = _a8 - 5;
						if(_a8 != 5) {
							__eflags = _a8 - 0x40d;
							if(_a8 != 0x40d) {
								__eflags = _a8 - 0x11;
								if(_a8 != 0x11) {
									__eflags = _a8 - 0x111;
									if(_a8 != 0x111) {
										L58:
										_t183 = E00404BAE(_a8, _a16, _t213);
										L59:
										_t232 = _t183;
										L61:
										return _t232;
									}
									_t192 = _t213 & 0x0000ffff;
									_v92 = _t239;
									_v52 = _t192;
									_v88 = _t192;
									_t193 = GetDlgItem(??, ??);
									__eflags = _t193;
									_t240 = _t193;
									_push(_t217);
									_push(_t217);
									if(_t193 == 0) {
										L47:
										__eflags = _v52 - 1;
										_t194 = 1;
										if(_v52 == 1) {
											L51:
											E0040479E(_t194); // executed
											goto L58;
										}
										__eflags = _v52 - 3;
										if(_v52 != 3) {
											__eflags = _v52 - 2;
											if(_v52 != 2) {
												L57:
												_v84 = _t213;
												_v88 = 0x111;
												_v80 = _a16;
												_t197 =  *0x431074; // 0x7006c
												_v92 = _t197;
												SendMessageA(??, ??, ??, ??);
												goto L58;
											}
											__eflags =  *0x4307c8;
											if( *0x4307c8 == 0) {
												_v92 = 3;
												_t199 = E00403813(_t217);
												__eflags = _t199;
												_push(_t240);
												if(_t199 != 0) {
													goto L58;
												}
												 *0x42cc50 = 1;
												_t194 = 0x78;
												goto L51;
											}
											_v92 = 2;
											E00403813(_t217);
											_t194 = 0x78;
											 *0x42cc50 = 2;
											_push(_t230);
											goto L51;
										}
										__eflags =  *0x40a014;
										if( *0x40a014 <= 0) {
											goto L57;
										}
										_t194 = 0xffffffffffffffff; // executed
										__eflags = 1;
										goto L51;
									}
									_v80 = 0;
									_t232 = 0;
									_v84 = 0;
									_v88 = 0xf3;
									_v92 = _t193;
									SendMessageA(??, ??, ??, ??);
									_t241 = _t241 - 0x10;
									_t202 = IsWindowEnabled(_t240);
									__eflags = _t202;
									_push(0x1c);
									if(_t202 == 0) {
										goto L61;
									}
									goto L47;
								}
								_v84 = 0;
								_t232 = 1;
								_v88 = 0;
								_v92 = _t239;
								SetWindowLongA(??, ??, ??);
								goto L61;
							}
							_t204 =  *0x431074; // 0x7006c
							DestroyWindow(_t204);
							 *0x431074 = _t213;
							_push(_t230);
							L33:
							_t232 = 0;
							__eflags =  *0x42bc14;
							if( *0x42bc14 == 0) {
								__eflags =  *0x431074;
								if( *0x431074 != 0) {
									_t119 = ShowWindow(_t239, 0xa); // executed
									 *0x42bc14 = 1;
									_push(_t119);
									_push(_t119);
								}
							}
							goto L61;
						}
						__eflags = _t213 - 1;
						_t210 = ShowWindow( *0x42cc40, (0 | _t213 != 0x00000001) + (0 | _t213 != 0x00000001) * 4);
						_push(_t210);
						_push(_t210);
						goto L58;
					}
					SetWindowPos( *0x42cc40, _t239, 0, 0, 0, 0, 0x13);
					goto L58;
				}
			}

0x00404c82
0x00404c8b
0x00404c95
0x00404c98
0x00404ca2
0x00404cae
0x00404cb4
0x00404cb6
0x00404cce
0x00404cd3
0x00404cdb
0x00404cde
0x00404ce3
0x00404ced
0x00404cf4
0x00404cf9
0x00404cfe
0x00404d06
0x00404d09
0x00404d0d
0x00404d12
0x00404d15
0x00404d1c
0x00404d21
0x00404d2c
0x00404d2c
0x00404d31
0x00404d3b
0x00404d43
0x00404dab
0x00404db0
0x00404db5
0x00404dba
0x00404dc2
0x00404dc8
0x00404dcd
0x00404dd6
0x00404ddb
0x00404ddc
0x00404de3
0x00000000
0x00000000
0x00404de5
0x00404dea
0x00404df0
0x00404e25
0x00404e2a
0x00404e2d
0x00404e34
0x00404e38
0x00404e49
0x00404e58
0x00404e5d
0x00404e67
0x00404e6c
0x00404e74
0x00404e77
0x00404e7c
0x00404e83
0x00404e84
0x00404e85
0x00404e88
0x00404e90
0x00404e90
0x00404e90
0x00404ea2
0x00404eb0
0x00404eb7
0x00404eba
0x00404ec6
0x00404ec9
0x00404ed3
0x00404ed7
0x00404eda
0x00404edf
0x00404ee1
0x00404ee2
0x00404ee3
0x00404eeb
0x00404eee
0x00404f01
0x00404f06
0x00404f07
0x00404f08
0x00404ef0
0x00404ef0
0x00404ef5
0x00404ef6
0x00404ef7
0x00404ef7
0x00404f1b
0x00404f41
0x00404f46
0x00404f4b
0x00404f4e
0x00404f55
0x00404f72
0x00404f77
0x00404f7c
0x00404f7c
0x00404f7f
0x00404f93
0x00404f9d
0x00404fa4
0x00404fae
0x00404faf
0x00404fb3
0x00404fb6
0x00404fbd
0x00404fc5
0x00404fc8
0x00404fcf
0x00404fda
0x00404fdd
0x00404fe2
0x00404fe4
0x00404fe5
0x00404fe6
0x00000000
0x00404fec
0x00404fec
0x00404fef
0x00000000
0x00000000
0x00404ff5
0x00404ff9
0x0040501a
0x00405021
0x00405335
0x00405335
0x00405335
0x00000000
0x00405335
0x00405027
0x0040502e
0x00000000
0x00000000
0x00000000
0x00405034
0x00404ffb
0x00405003
0x00405008
0x0040500e
0x0040500f
0x00405011
0x00405013
0x0040503f
0x00405046
0x0040504d
0x00405051
0x0040505d
0x00405060
0x00405064
0x0040506c
0x0040506e
0x00405073
0x00000000
0x00000000
0x00405079
0x00405081
0x00405084
0x00405094
0x0040509b
0x0040509f
0x004050a2
0x004050a9
0x004050ad
0x004050b0
0x004050ba
0x004050bc
0x004050c3
0x004050cb
0x004050d3
0x004050db
0x004050df
0x004050e4
0x004050ec
0x004050ef
0x004050f7
0x00405102
0x00405105
0x0040510a
0x00405111
0x00405112
0x00405113
0x00000000
0x00000000
0x00405119
0x00405129
0x0040512e
0x0040512f
0x00405135
0x00000000
0x00405135
0x00000000
0x00405015
0x00404fe6
0x00000000
0x00404df0
0x00404df2
0x00404dfa
0x00404e04
0x00404e0f
0x00404e13
0x00404e16
0x00404e1b
0x00404e1c
0x00000000
0x00404e1c
0x00404d4c
0x00404da0
0x00404da0
0x00404da2
0x00404da5
0x00000000
0x00000000
0x00000000
0x00404da5
0x00404d4e
0x00404d59
0x00404d5c
0x00404d63
0x00404d64
0x00404d65
0x00000000
0x00000000
0x00404d67
0x00404d87
0x00404d98
0x00000000
0x00405177
0x00405177
0x0040517b
0x004051be
0x004051c2
0x004051e7
0x004051ee
0x00405209
0x0040520d
0x00405234
0x0040523b
0x00405324
0x0040532c
0x00405331
0x00405331
0x00405337
0x00405340
0x00405340
0x00405241
0x00405244
0x00405247
0x0040524a
0x0040524e
0x00405253
0x00405255
0x00405257
0x00405258
0x00405259
0x00405291
0x00405291
0x00405295
0x0040529a
0x004052ae
0x004052ae
0x00000000
0x004052ae
0x0040529c
0x004052a0
0x004052b5
0x004052b9
0x00405301
0x00405304
0x00405308
0x00405310
0x00405314
0x00405319
0x0040531c
0x00000000
0x00405321
0x004052bb
0x004052c2
0x004052e2
0x004052e9
0x004052ee
0x004052f0
0x004052f1
0x00000000
0x00000000
0x004052f3
0x004052fd
0x00000000
0x004052fd
0x004052c4
0x004052cb
0x004052d0
0x004052d5
0x004052df
0x00000000
0x004052df
0x004052a2
0x004052a9
0x00000000
0x00000000
0x004052ab
0x004052ab
0x00000000
0x004052ab
0x0040525b
0x00405263
0x00405265
0x0040526d
0x00405275
0x00405278
0x0040527d
0x00405283
0x00405288
0x0040528a
0x0040528b
0x00000000
0x00000000
0x00000000
0x0040528b
0x0040520f
0x00405217
0x0040521c
0x00405224
0x00405227
0x00000000
0x0040522c
0x004051f0
0x004051f8
0x004051fd
0x00405203
0x0040513a
0x0040513a
0x0040513c
0x00405143
0x00405149
0x00405150
0x00405161
0x00405166
0x00405170
0x00405171
0x00405171
0x00405150
0x00000000
0x00405143
0x004051c6
0x004051db
0x004051e0
0x004051e1
0x00000000
0x004051e1
0x004051b1
0x00000000
0x004051b6

APIs

GetDlgItem.USER32 ref: 00404CC7
GetDlgItem.USER32 ref: 00404CDE
SetClassLongA.USER32(?,?), ref: 00404D0D
SendMessageA.USER32 ref: 00404D87
SetWindowPos.USER32 ref: 004051B1

Part of subcall function 0040476D: SendMessageA.USER32 ref: 00404794

DestroyWindow.USER32 ref: 00404DFA
EndDialog.USER32 ref: 00404E16
GetDlgItem.USER32 ref: 00404E77
ShowWindow.USER32(?,?,00000000), ref: 00404EA2
EnableWindow.USER32(00000000,00000000), ref: 00404EBA
EnableWindow.USER32(00000000,00000000), ref: 00404EDA
GetSystemMenu.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00404EF0
GetSystemMenu.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00404F01
EnableMenuItem.USER32 ref: 00404F1B
SendMessageA.USER32 ref: 00404F41
SendMessageA.USER32 ref: 00404F72
SetWindowTextA.USER32 ref: 00404FC8
DestroyWindow.USER32(?,?,?,?,?,?,?,00000000,00000000), ref: 00405003
CreateDialogParamA.USER32(00000000,?,?,?,?), ref: 00405064
GetDlgItem.USER32 ref: 00405094
GetWindowRect.USER32 ref: 004050A2
ScreenToClient.USER32 ref: 004050B0
SetWindowPos.USER32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004050EF
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00405129
ShowWindow.USER32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00405161
ShowWindow.USER32 ref: 004051DB
DestroyWindow.USER32 ref: 004051F8
SetWindowLongA.USER32 ref: 00405227
GetDlgItem.USER32 ref: 0040524E
SendMessageA.USER32 ref: 00405278
IsWindowEnabled.USER32 ref: 00405283
SendMessageA.USER32 ref: 0040531C

Strings

Immunity Debugger Setup: Completed, xrefs: 00404F8C, 00404F9D, 00404FA9, 00404FBD
Immunity Debugger Setup, xrefs: 00404F84
G, xrefs: 00405177

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Window$ItemMessageSend$Show$DestroyEnableMenu$DialogLongSystem$ClassClientCreateEnabledParamRectScreenText
String ID: G$Immunity Debugger Setup$Immunity Debugger Setup: Completed
API String ID: 1069383609-1284254305
Opcode ID: d392a769c1ddc51aa97fe58b3a18815a551e149e755212ce61e853c38907679c
Instruction ID: 6f03b73395fa585a407221e2bafb6f0f8f6331a6b2aef8c9706254c11f9cb5b3
Opcode Fuzzy Hash: d392a769c1ddc51aa97fe58b3a18815a551e149e755212ce61e853c38907679c
Instruction Fuzzy Hash: 96021AB1504700EFD710AF2AD98576ABBE4EB84708F00893EF984A7391D77C9945CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004057D7, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004057D7(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				void* _v16;
				char* _v32;
				int _v36;
				char _v40;
				int _v48;
				signed int _v52;
				intOrPtr _v56;
				void* _v72;
				void* _v76;
				int _v80;
				int _v84;
				int _v88;
				struct HICON__* _v92;
				struct HWND__* _t88;
				struct HWND__* _t89;
				struct HWND__* _t91;
				struct HICON__* _t98;
				struct HWND__* _t102;
				signed int _t103;
				signed int _t107;
				char* _t108;
				void* _t109;
				intOrPtr _t124;
				long _t125;
				int _t128;
				intOrPtr _t134;
				struct HWND__* _t135;
				struct HWND__* _t136;
				int _t138;
				struct HINSTANCE__* _t139;
				intOrPtr _t145;
				char _t147;
				CHAR* _t148;
				signed int _t150;
				intOrPtr _t155;
				intOrPtr _t156;
				signed int _t159;
				struct HWND__* _t160;
				int _t161;
				void* _t162;
				struct HWND__** _t167;
				struct HWND__** _t169;

				_t156 = _a8;
				_t160 = _a4;
				_t134 = _a16;
				_t145 =  *0x42cc54;
				if(_t156 != 0x110) {
					if(_t156 != 0x111) {
						if(_t156 != 0x4e) {
							if(_t156 == 0x40b) {
								 *0x42d470 =  *0x42d470 + 1;
							}
							L24:
							_t161 = E00404BAE(_t156, _t134, _a12);
							goto L25;
						}
						_t88 = GetDlgItem(_t160, 0x3e8);
						_push(_t145);
						_push(_t145);
						if( *((intOrPtr*)(_t134 + 8)) == 0x70b &&  *((intOrPtr*)(_t134 + 0xc)) == 0x201) {
							_t147 =  *((intOrPtr*)(_t134 + 0x18));
							_t138 =  *((intOrPtr*)(_t134 + 0x1c));
							_v32 = 0x431084;
							_v40 = _t147;
							_v36 = _t138;
							_t139 = _t138 - _t147;
							if(_t139 <= 0x7ff) {
								_t148 =  &_v40;
								SendMessageA(_t88, 0x44b, 0, _t148);
								_v92 = LoadCursorA(0, 0x7f02);
								SetCursor(_t148);
								ShellExecuteA(_t160, "open", _v32, 0, 0, 1);
								_t162 = _t162 - 0xfffffffffffffff8;
								_v88 = 0x7f00;
								_v92 = 0;
								_t98 = LoadCursorA(_t139, _t148);
								_push(_t160);
								_v92 = _t98;
								_push(SetCursor(_t160));
							}
						}
						if( *((intOrPtr*)(_t134 + 8)) != 0x700 ||  *((intOrPtr*)(_t134 + 0xc)) != 0x100) {
							goto L24;
						} else {
							if( *((intOrPtr*)(_t134 + 0x10)) == 0xd) {
								_t91 =  *0x430854; // 0xe0176
								SendMessageA(_t91, 0x111, 1, 0);
								_t162 = _t162 - 0x10;
							}
							_t161 = 1;
							if( *((intOrPtr*)(_t134 + 0x10)) == 0x1b) {
								_t89 =  *0x430854; // 0xe0176
								SendMessageA(_t89, 0x10, 0, 0);
							}
							goto L25;
						}
					}
					if(_a12 >> 0x10 == 0 &&  *0x42d470 == 0 && ( *(_t145 + 0x14) & 0x00000020) != 0) {
						_v56 = _t145;
						_t102 = GetDlgItem(_t160, 0x40a);
						_v80 = 0;
						_v84 = 0;
						_v88 = 0xf0;
						_v92 = _t102;
						_t103 = SendMessageA(_t136, _t136, ??, ??);
						 *(_v56 + 0x14) =  *(_v56 + 0x14) & 0xfffffffe | _t103 & 0x00000001;
						E0040481B(_t103 & 0x00000001,  *(_v56 + 0x14) & 0xfffffffe | _t103 & 0x00000001);
						E00404703();
					}
					goto L24;
				} else {
					_t107 =  *(_t134 + 0x30);
					if(_t107 < 0) {
						_t155 =  *0x431080; // 0x128c48
						_t107 =  *(_t155 +  !_t107 * 4);
					}
					_t108 = _t107 +  *0x430818;
					_t150 =  *_t108;
					_t109 = _t108 + 1;
					_v48 = _t109;
					_v40 = _t109;
					_v36 = 0;
					_v52 = _t150;
					_v32 = E004047D5;
					E00404836(_t160,  *((intOrPtr*)(_t134 + 0x34)), 0x22);
					_t159 = ( *(_t134 + 0x14) | _t150 & 0xffffff00 | ( *(_t134 + 0x14) & 0x00000020) == 0x00000000) & 0x00000001;
					E00404836(_t160,  *((intOrPtr*)(_t134 + 0x38)), 0x23);
					CheckDlgButton(_t160,  ~_t159 + 0x40b, 1);
					E0040481B(_t159,  *((intOrPtr*)(_t134 + 0x38))); // executed
					_t135 = GetDlgItem(_t160, 0x3e8);
					E00404741(_t121); // executed
					_v80 = 0;
					_v84 = 1;
					_v88 = 0x45b;
					_v92 = _t135;
					SendMessageA(0x23, 0x23, ??, ??);
					_t124 =  *0x4307fc; // 0x11f030
					_t125 =  *(_t124 + 0x68);
					_t167 = _t162 - 0xfffffffffffffffc;
					if(_t125 < 0) {
						_t125 = GetSysColor( ~_t125);
						_push(_t159);
					}
					SendMessageA(_t135, 0x443, 0, _t125);
					SendMessageA(_t135, 0x445, 0, 0x4010000);
					_t128 = _v48;
					 *0x42d46c = 0;
					_t169 = _t167;
					_v92 = _t128;
					E0040768E();
					_t161 = 0;
					_v84 = _t128;
					_v88 = 0;
					_v92 = 0x435;
					 *_t169 = _t135;
					SendMessageA(_t160, ??, ??, ??);
					_v84 =  &_v40;
					_v88 = _v52;
					_v92 = 0x449;
					 *(_t169 - 0x10) = _t135; // executed
					SendMessageA(??, ??, ??, ??); // executed
					 *0x42d470 = 0;
					L25:
					return _t161;
				}
			}

0x004057e0
0x004057e3
0x004057e6
0x004057e9
0x004057f5
0x00405984
0x00405a04
0x00405b64
0x00405b66
0x00405b66
0x00405b6c
0x00405b78
0x00000000
0x00405b78
0x00405a15
0x00405a1a
0x00405a1b
0x00405a23
0x00405a36
0x00405a39
0x00405a3c
0x00405a43
0x00405a46
0x00405a49
0x00405a51
0x00405a57
0x00405a71
0x00405a8f
0x00405a92
0x00405ac2
0x00405ac7
0x00405aca
0x00405ad2
0x00405ad9
0x00405ade
0x00405ae0
0x00405ae8
0x00405ae8
0x00405a51
0x00405af0
0x00000000
0x00405afb
0x00405aff
0x00405b01
0x00405b21
0x00405b26
0x00405b26
0x00405b2d
0x00405b32
0x00405b34
0x00405b54
0x00405b59
0x00000000
0x00405b32
0x00405af0
0x0040598c
0x004059a9
0x004059b7
0x004059be
0x004059c6
0x004059ce
0x004059d6
0x004059d9
0x004059ef
0x004059f2
0x004059f7
0x004059f7
0x00000000
0x004057fb
0x004057fb
0x00405800
0x00405802
0x0040580a
0x0040580a
0x0040580d
0x00405816
0x00405819
0x0040581a
0x0040581d
0x00405823
0x0040582a
0x0040582d
0x00405844
0x00405851
0x00405856
0x00405873
0x0040587d
0x00405893
0x00405896
0x0040589b
0x004058a3
0x004058ab
0x004058b3
0x004058b6
0x004058bb
0x004058c0
0x004058c3
0x004058c8
0x004058cf
0x004058d4
0x004058d4
0x004058ec
0x0040590f
0x00405914
0x00405917
0x00405921
0x00405924
0x00405927
0x0040592d
0x0040592f
0x00405933
0x0040593b
0x00405943
0x00405946
0x00405954
0x00405958
0x0040595c
0x00405964
0x00405967
0x0040596c
0x00405b7a
0x00405b83
0x00405b83

APIs

CheckDlgButton.USER32 ref: 00405873
GetDlgItem.USER32 ref: 0040588D
SendMessageA.USER32 ref: 004058B6
GetSysColor.USER32 ref: 004058CF
SendMessageA.USER32 ref: 004058EC
SendMessageA.USER32 ref: 0040590F
SendMessageA.USER32 ref: 00405946
SendMessageA.USER32 ref: 00405967
GetDlgItem.USER32 ref: 004059B7
SendMessageA.USER32 ref: 004059D9
GetDlgItem.USER32 ref: 00405A15
SendMessageA.USER32 ref: 00405A71
LoadCursorA.USER32 ref: 00405A88
SetCursor.USER32 ref: 00405A92
ShellExecuteA.SHELL32 ref: 00405AC2
LoadCursorA.USER32 ref: 00405AD9
SetCursor.USER32(?,?), ref: 00405AE3
SendMessageA.USER32 ref: 00405B21
SendMessageA.USER32 ref: 00405B54

Strings

: Completed, xrefs: 00405A3C

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShell
String ID: : Completed
API String ID: 2553919181-2954849223
Opcode ID: ad1590fbe91a4b29fdb21a43d7330a840b3fbb0c7036aaed1e8ac24b6cc7db51
Instruction ID: d900616bdbe3f02b67ea61e18f747819da7cb1aa859f65d720a53d66b4e6cd1b
Opcode Fuzzy Hash: ad1590fbe91a4b29fdb21a43d7330a840b3fbb0c7036aaed1e8ac24b6cc7db51
Instruction Fuzzy Hash: 52A10AB19047049FD700EF69C58575FBBF4EB84318F00892EE9886B282D77DA945CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405B86, Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 251
registrylibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E00405B86(int __ecx, int __edx) {
				void* _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				int _v28;
				void _v32;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				CHAR* _v76;
				CHAR* _v80;
				CHAR* _v84;
				CHAR* _v88;
				CHAR* _v92;
				signed int _v96;
				CHAR* _v100;
				intOrPtr _v104;
				void* __ebx;
				intOrPtr* _t64;
				signed int _t67;
				void* _t69;
				void* _t70;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t73;
				int _t76;
				CHAR* _t80;
				struct HINSTANCE__* _t81;
				int _t82;
				intOrPtr _t83;
				int _t86;
				int _t87;
				void* _t88;
				short _t93;
				struct HINSTANCE__* _t96;
				struct HWND__* _t101;
				intOrPtr _t104;
				char* _t108;
				CHAR* _t109;
				int _t112;
				signed char _t113;
				signed short _t116;
				CHAR* _t119;
				int _t120;
				int _t121;
				int _t123;
				struct HINSTANCE__* _t124;
				CHAR* _t125;
				void* _t126;
				intOrPtr* _t127;
				void* _t128;
				void* _t130;

				_t123 = __edx;
				_t121 = __ecx;
				_t127 = _t126 - 0x50;
				_t125 =  *0x4307fc; // 0x11f030
				_v92 = 6;
				_t64 = E00407B28(__ecx, __edx);
				_t133 = _t64;
				_push(__ecx);
				if(_t64 == 0) {
					 *0x43a000 = 0x7830;
					_v76 = 0;
					_v80 = 0x42bc18;
					_v84 = 0;
					_v88 = "Control Panel\\Desktop\\ResourceLocale";
					_v92 = 0x80000001;
					E004074FE(_t119);
					_t127 = _t127 - 0x14;
					__eflags =  *0x42bc18;
					if(__eflags == 0) {
						_v76 = 0;
						_v80 = 0x42bc18;
						_v84 = "Locale";
						_v88 = ".DEFAULT\\Control Panel\\International";
						_v92 = 0x80000003;
						E004074FE(_t119);
						_t127 = _t127 - 0x14;
					}
					_v88 = 0x42bc18;
					_v92 = 0x43a000;
					E00407697();
				} else {
					_t116 =  *_t64();
					_v92 = 0x43a000;
					_v88 = _t116 & 0x0000ffff;
					E004075A4();
				}
				_push(_t119);
				E00404A1F(_t133);
				_t67 =  *0x430844; // 0x81
				 *0x4307d8 = 0x10000;
				_v100 = 0x439400;
				 *0x4307bc = _t67 & 0x00000020;
				_t69 = E00407A78(_t119, _t121, _t123, _t133, _t119);
				_push(_t123);
				if(_t69 == 0) {
					_t123 = _t125[0x48];
					if(_t123 != 0) {
						_t104 =  *0x430818; // 0x121f5c
						_v84 = 0;
						_v88 = 0x431084;
						_t121 = _t125[0x4c] + _t104;
						_v92 = _t121;
						_v96 = _t104 + _t123;
						_v100 = _t125[0x44];
						E004074FE(_t119);
						_t108 =  *0x431084; // 0x3a
						_t127 = _t127 - 0x14;
						if(_t108 != 0) {
							_t119 = 0x431084;
							if(_t108 == 0x22) {
								_v96 = 0x22;
								_t119 = 0x431085;
								_v100 = 0x431085;
								_t108 = E0040726F(0x431085);
								_push(_t121);
								_push(_t121);
								 *_t108 = 0;
							}
							_v100 = _t119;
							E0040768E();
							_t109 =  &(_t119[_t108 - 4]);
							_push(_t123);
							if(_t109 > _t119) {
								_t112 = lstrcmpiA(_t109, ".exe");
								_push(_t121);
								_push(_t121);
								if(_t112 == 0) {
									_t113 = GetFileAttributesA(_t119);
									_push(_t123);
									if(_t113 == 0xffffffff) {
										L14:
										E00407298(_t119, _t121, _t123, _t119);
									} else {
										_t141 = _t113 & 0x00000010;
										if((_t113 & 0x00000010) == 0) {
											goto L14;
										}
									}
								}
							}
							_v104 = E0040722C(_t119, _t121, _t123, _t119);
							 *_t127 = 0x439400;
							E00407667();
							_push(_t119);
							_push(_t119);
						}
					}
				}
				_v100 = 0x439400;
				_t70 = E00407A78(_t119, _t121, _t123, _t141);
				_push(_t123);
				if(_t70 == 0) {
					E00407769(0x439400, _t125[0x118]); // executed
				}
				_t71 =  *0x430858; // 0x400000
				_t72 = LoadImageA(_t71, 0x67, 1, 0, 0, 0x8040); // executed
				_t128 = _t127 - 0x18;
				 *0x43106c = _t72;
				if(_t125[0x50] == 0xffffffff) {
					L21:
					_v100 = 0;
					_t120 = 2; // executed
					_t73 = E00403813(_t121); // executed
					_t146 = _t73;
					_push(_t121);
					if(_t73 == 0) {
						E00404A1F(_t146);
						if( *0x4307dc != 0) {
							_v100 = 0;
							_t76 = E00404874(_t121, _t123);
							__eflags = _t76;
							_push(_t123);
							if(_t76 == 0) {
								_v100 = 1;
								_t120 = 0;
								__eflags = 0;
								E00403813(_t121);
								_push(_t121);
							} else {
								__eflags =  *0x43105c;
								if( *0x43105c == 0) {
									_v100 = 2;
									E00403813(_t121);
									goto L31;
								}
							}
						} else {
							_t80 = ShowWindow( *0x42cc40, 5); // executed
							_push(_t80);
							_v100 = "RichEd20"; // executed
							_t81 = LoadLibraryA(_t80); // executed
							_push(_t123);
							if(_t81 == 0) {
								LoadLibraryA("RichEd32");
								_push(_t125);
							}
							_t82 = GetClassInfoA(0, "RichEdit20A", 0x42cc18);
							_t130 = _t128 - 0xc;
							if(_t82 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42cc18);
								 *0x42cc3c = "RichEdit20A";
								_t130 = _t130 - 0xc;
								RegisterClassA(0x42cc18);
								_push(_t120);
							}
							_t83 =  *0x431078; // 0x0
							_v84 = 0;
							_v88 = E00404C82;
							_v92 = 0;
							_v96 = _t83 + 0x00000069 & 0x0000ffff;
							_t86 =  *0x430858; // 0x400000
							_v100 = _t86; // executed
							_t87 = DialogBoxParamA(??, ??, ??, ??, ??); // executed
							_t120 = _t87;
							_t88 = E00403813(_t121, 5);
							 *(_t130 - 0x14) = 1;
							E004045DC(_t88);
							L31:
							_push(_t125);
						}
					}
				} else {
					_t124 =  *0x430858; // 0x400000
					_t125 =  &_v16;
					_v16 = 0x624e5f;
					 *0x42cc1c = E00401000;
					 *0x42cc2c = _t72;
					 *0x42cc28 = _t124;
					 *0x42cc3c = _t125;
					_t93 = RegisterClassA(0x42cc18);
					_push(_t119);
					_t120 = 0;
					if(_t93 != 0) {
						SystemParametersInfoA(0x30, 0,  &_v32, 0);
						_t96 =  *0x430858; // 0x400000
						_t121 = _v28;
						_t123 = _v32;
						_t101 = CreateWindowExA(0x80, _t125, 0, 0x80000000, _t123, _t121, _v24 - _t123, _v20 - _t121, 0, 0, _t96, 0);
						_t128 = _t128 - 0xffffffffffffffe0;
						 *0x42cc40 = _t101;
						goto L21;
					}
				}
				return _t120;
			}

0x00405b86
0x00405b86
0x00405b8b
0x00405b8e
0x00405b94
0x00405b9b
0x00405ba0
0x00405ba2
0x00405ba3
0x00405bbf
0x00405bc9
0x00405bd1
0x00405bd9
0x00405be1
0x00405be9
0x00405bf0
0x00405bf5
0x00405bf8
0x00405bff
0x00405c01
0x00405c09
0x00405c11
0x00405c19
0x00405c21
0x00405c28
0x00405c2d
0x00405c2d
0x00405c30
0x00405c38
0x00405c3f
0x00405ba5
0x00405ba5
0x00405ba7
0x00405bb1
0x00405bb5
0x00405bb5
0x00405c44
0x00405c46
0x00405c4b
0x00405c50
0x00405c5a
0x00405c64
0x00405c69
0x00405c70
0x00405c71
0x00405c77
0x00405c7c
0x00405c82
0x00405c87
0x00405c8f
0x00405c9a
0x00405c9e
0x00405ca2
0x00405ca9
0x00405cac
0x00405cb1
0x00405cb6
0x00405cbb
0x00405cc3
0x00405cc8
0x00405cca
0x00405cd2
0x00405cd7
0x00405cde
0x00405ce3
0x00405ce4
0x00405ce5
0x00405ce5
0x00405ce8
0x00405ceb
0x00405cf0
0x00405cf6
0x00405cf7
0x00405d04
0x00405d0b
0x00405d0c
0x00405d0d
0x00405d12
0x00405d1a
0x00405d1b
0x00405d21
0x00405d24
0x00405d1d
0x00405d1d
0x00405d1f
0x00000000
0x00000000
0x00405d1f
0x00405d1b
0x00405d0d
0x00405d33
0x00405d37
0x00405d3e
0x00405d43
0x00405d44
0x00405d44
0x00405cbb
0x00405c7c
0x00405d45
0x00405d4c
0x00405d53
0x00405d54
0x00405d67
0x00405d6d
0x00405d6e
0x00405d9e
0x00405da3
0x00405daa
0x00405daf
0x00405e87
0x00405e87
0x00405e8e
0x00405e93
0x00405e98
0x00405e9a
0x00405e9b
0x00405ea1
0x00405ead
0x00405f95
0x00405f9c
0x00405fa1
0x00405fa3
0x00405fa4
0x00405fbe
0x00405fc5
0x00405fc5
0x00405fc7
0x00405fcc
0x00405fa6
0x00405fa6
0x00405fad
0x00405faf
0x00405fb6
0x00000000
0x00405fb6
0x00405fad
0x00405eb3
0x00405ec3
0x00405ec8
0x00405eca
0x00405ed1
0x00405ed8
0x00405ed9
0x00405ee2
0x00405ee7
0x00405ee7
0x00405eff
0x00405f04
0x00405f09
0x00405f22
0x00405f27
0x00405f31
0x00405f3b
0x00405f40
0x00405f40
0x00405f41
0x00405f46
0x00405f4e
0x00405f56
0x00405f64
0x00405f68
0x00405f6d
0x00405f70
0x00405f78
0x00405f81
0x00405f87
0x00405f8e
0x00405fbb
0x00405fbb
0x00405fbb
0x00405ead
0x00405db5
0x00405db5
0x00405dbb
0x00405dbe
0x00405dc5
0x00405dcf
0x00405dd4
0x00405dda
0x00405de7
0x00405dec
0x00405ded
0x00405df2
0x00405e16
0x00405e1b
0x00405e20
0x00405e23
0x00405e7a
0x00405e7f
0x00405e82
0x00000000
0x00405e82
0x00405df2
0x00405fd5

APIs

Part of subcall function 00407B28: GetModuleHandleA.KERNEL32(?,?,004040BB), ref: 00407B3D
Part of subcall function 00407B28: LoadLibraryA.KERNEL32(?,?,?,004040BB), ref: 00407B4C
Part of subcall function 00407B28: GetProcAddress.KERNEL32 ref: 00407B68

lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D04
GetFileAttributesA.KERNEL32 ref: 00405D12

Part of subcall function 004075A4: wsprintfA.USER32 ref: 004075BF

LoadImageA.USER32 ref: 00405D9E
RegisterClassA.USER32 ref: 00405DE7
SystemParametersInfoA.USER32 ref: 00405E16
CreateWindowExA.USER32 ref: 00405E7A

Part of subcall function 00404874: OleInitialize.OLE32 ref: 0040489B
Part of subcall function 00404874: OleUninitialize.OLE32(?,?,?,?,?,?,00000002,0011F030,00000000,?,00405FA1), ref: 004048EA

ShowWindow.USER32 ref: 00405EC3
LoadLibraryA.KERNEL32(00000000,00000000), ref: 00405ED1
LoadLibraryA.KERNEL32(?,00000000,00000000), ref: 00405EE2
GetClassInfoA.USER32 ref: 00405EFF
GetClassInfoA.USER32 ref: 00405F22
RegisterClassA.USER32 ref: 00405F3B
DialogBoxParamA.USER32 ref: 00405F70

Strings

: Completed, xrefs: 00405C8F, 00405CB1, 00405CC3, 00405D43, 00405D44
Immunity Debugger Setup: Completed, xrefs: 00405BD1, 00405BF8, 00405C09, 00405C30
g, xrefs: 00405D93
_Nb, xrefs: 00405DBE

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageInitializeModuleParamParametersProcShowSystemUninitializelstrcmpiwsprintf
String ID: : Completed$Immunity Debugger Setup: Completed$_Nb$g
API String ID: 3004232066-1381467634
Opcode ID: 81919589d0ca6184ffca81f14c7676b1ea17b0381bf8652bb8e84ba07e42264e
Instruction ID: 5dca316a5fa23e45a8214aa3990432fbcd68b78c8195de07feb9d1e04cb9ad64
Opcode Fuzzy Hash: 81919589d0ca6184ffca81f14c7676b1ea17b0381bf8652bb8e84ba07e42264e
Instruction Fuzzy Hash: 30B1F7B05087419ED710AF66D94572FBBE4EB44308F01C93EE4C8A7392D7BD98858F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 198
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00403CB7(void* __ecx, signed int __edx, void* __eflags, signed int _a4) {
				void* _v16;
				char _v32;
				intOrPtr _v36;
				long _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int* _v64;
				signed int _v68;
				intOrPtr _v80;
				long _v84;
				signed int _v88;
				signed int* _v92;
				char _v100;
				signed int _v108;
				void* __ebx;
				long _t67;
				signed int* _t70;
				intOrPtr _t73;
				void* _t74;
				signed int _t75;
				signed int _t76;
				void* _t79;
				signed int _t80;
				intOrPtr _t86;
				signed int _t87;
				long _t88;
				signed int _t90;
				void* _t93;
				intOrPtr _t96;
				signed int _t100;
				intOrPtr _t103;
				char* _t105;
				signed int _t106;
				void* _t107;
				signed int _t108;
				signed int* _t111;
				signed int _t112;
				void* _t114;
				void* _t115;
				void* _t117;
				intOrPtr* _t120;

				_t108 = __edx;
				_t107 = __ecx;
				_t105 = "Error launching installer";
				_t67 = GetTickCount();
				_v84 = 0x400;
				_v88 = 0x43ac00;
				_v92 = 0;
				 *0x430840 = _t67 + 0x3e8;
				GetModuleFileNameA(??, ??, ??);
				_v84 = 3;
				_v88 = 0x80000000;
				_v92 = 0x43ac00; // executed
				_t70 = E0040743D(_t105, _t107); // executed
				_t120 = _t117 - 0x34;
				_t111 = _t70;
				 *0x40a010 = _t70;
				if(_t70 == 0xffffffff) {
					L29:
					return _t105;
				}
				E00407667(0x439c00, 0x43ac00);
				_v100 = 0x439c00;
				_t73 = E00407298(_t105, _t107, _t108);
				_push(_t112);
				_v100 = _t73;
				 *_t120 = 0x43b000;
				_t74 = E00407667();
				_v108 = 0;
				 *_t120 = _t111;
				_t75 = GetFileSize(_t74, _t74);
				_v68 = 0;
				_v64 = 0;
				_push(_t108);
				_t106 = _t75;
				_push(_t108);
				 *0x40dc44 = _t75;
				while(_t106 > 0) {
					__eflags =  *0x43084c - 1;
					_v92 = 0x40dc50;
					asm("sbb esi, esi");
					_t114 = (_t112 & 0xffff8200) + 0x8000;
					__eflags = _t114 - _t106;
					_t112 =  >  ? _t106 : _t114;
					_v88 = _t112;
					_t76 = E00403985(_t106); // executed
					__eflags = _t76;
					_push(_t107);
					_push(_t107);
					if(_t76 != 0) {
						__eflags =  *0x43084c;
						if( *0x43084c != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E004038ED(_t107, _t108, 0);
							}
							L16:
							__eflags = _t106 -  *0x40dc44; // 0x15b20e4
							if(__eflags < 0) {
								_v84 = _t112;
								_v88 = 0x40dc50;
								_v92 = _v64;
								_t96 = E004080FC();
								_t120 = _t120 - 0xc;
								_v64 = _t96;
							}
							 *0x40dc48 =  *0x40dc48 + _t112;
							_t106 = _t106 - _t112;
							__eflags = _t106;
							continue;
						}
						_v92 =  &_v60;
						_v84 = 0x1c;
						_v88 = 0x40dc50;
						E004073E4();
						_t100 = _v60;
						_t120 = _t120 - 0xc;
						__eflags = _t100 & 0xfffffff0;
						if((_t100 & 0xfffffff0) != 0) {
							goto L16;
						}
						__eflags = _v56 - 0xdeadbeef;
						if(_v56 != 0xdeadbeef) {
							goto L16;
						}
						__eflags = _v44 - 0x74736e49;
						if(_v44 != 0x74736e49) {
							goto L16;
						}
						__eflags = _v48 - 0x74666f73;
						if(_v48 != 0x74666f73) {
							goto L16;
						}
						__eflags = _v52 - 0x6c6c754e;
						if(_v52 != 0x6c6c754e) {
							goto L16;
						}
						_a4 = _a4 | _t100;
						_t108 =  *0x40dc48; // 0x15b20e0
						 *0x4307dc =  *0x4307dc | _a4 & 0x00000002;
						_t103 = _v36;
						 *0x43084c = _t108;
						__eflags = _t103 - _t106;
						if(_t103 > _t106) {
							L28:
							_t105 = "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L13:
							_t106 = _t103 - 4;
							_v68 = _v68 + 1;
							__eflags = _t112 - _t106;
							_t112 =  >  ? _t106 : _t112;
							goto L16;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L13;
					}
					E004038ED(_t107, _t108, 1);
					goto L28;
				}
				_v92 = 1;
				_t105 = "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
				E004038ED(_t107, _t108);
				if( *0x43084c == 0) {
					goto L29;
				}
				if(_v68 == 0) {
					L24:
					_t105 = "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
					_t79 = GlobalAlloc(0x40, _v40); // executed
					_t115 = _t79;
					_t80 =  *0x43084c; // 0x12200
					_push(_t108);
					_v92 = _t80 + 0x1c; // executed
					E004039D0(_t108); // executed
					_push(_t107);
					_v84 = _v40;
					_v88 = _t115;
					_v92 = 0;
					 *_t120 = 0xffffffff;
					if(E00403A01(_t107) != _v40) {
						goto L29;
					}
					 *0x4307fc = _t115;
					 *0x430844 =  *_t115;
					_t86 =  *0x430848; // 0x0
					asm("sbb eax, 0xffffffff");
					 *0x430848 = _t86;
					_t87 = 8;
					do {
						_t87 = _t87 - 1;
						 *((intOrPtr*)(_t115 + 4 + _t87 * 8)) =  *((intOrPtr*)(_t115 + 4 + _t87 * 8)) + _t115;
					} while (_t87 != 0);
					_v80 = 1;
					_t105 = 0;
					_v84 = 0;
					_v88 = 0;
					_v92 = _t111; // executed
					_t88 = SetFilePointer(??, ??, ??, ??); // executed
					 *(_t115 + 0x3c) = _t88;
					_v84 = 0x40;
					_v88 = _t115 + 4;
					_v92 = 0x430800;
					E004073E4();
					goto L29;
				}
				_t90 =  *0x40dc48; // 0x15b20e0
				_v92 = _t90; // executed
				E004039D0(); // executed
				_push(_t112);
				_v92 = 4;
				 *_t120 =  &_v32; // executed
				_t93 = E00403985(_t105); // executed
				_push(_t108);
				_push(_t108);
				if(_t93 == 0 || _v64 != _v32) {
					goto L29;
				} else {
					goto L24;
				}
			}

0x00403cb7
0x00403cb7
0x00403cbd
0x00403cc5
0x00403cca
0x00403cd2
0x00403cda
0x00403ce6
0x00403ceb
0x00403cf3
0x00403cfb
0x00403d03
0x00403d0a
0x00403d0f
0x00403d15
0x00403d17
0x00403d1c
0x00403fd0
0x00403fd9
0x00403fd9
0x00403d31
0x00403d38
0x00403d3f
0x00403d44
0x00403d45
0x00403d49
0x00403d50
0x00403d57
0x00403d5f
0x00403d62
0x00403d67
0x00403d6e
0x00403d75
0x00403d76
0x00403d78
0x00403d79
0x00403e9b
0x00403d83
0x00403d8a
0x00403d91
0x00403d99
0x00403d9f
0x00403da1
0x00403da4
0x00403da8
0x00403dad
0x00403daf
0x00403db0
0x00403db1
0x00403dc4
0x00403dcb
0x00403e5c
0x00403e60
0x00403e69
0x00403e69
0x00403e6e
0x00403e6e
0x00403e74
0x00403e79
0x00403e7d
0x00403e85
0x00403e88
0x00403e8d
0x00403e90
0x00403e90
0x00403e93
0x00403e99
0x00403e99
0x00000000
0x00403e99
0x00403dd4
0x00403dd7
0x00403ddf
0x00403de7
0x00403dec
0x00403def
0x00403df2
0x00403df7
0x00000000
0x00000000
0x00403df9
0x00403e00
0x00000000
0x00000000
0x00403e02
0x00403e09
0x00000000
0x00000000
0x00403e0b
0x00403e12
0x00000000
0x00000000
0x00403e14
0x00403e1b
0x00000000
0x00000000
0x00403e1d
0x00403e23
0x00403e2c
0x00403e32
0x00403e35
0x00403e3b
0x00403e3d
0x00403fcb
0x00403fcb
0x00000000
0x00403fcb
0x00403e43
0x00403e47
0x00403e4f
0x00403e4f
0x00403e52
0x00403e55
0x00403e57
0x00000000
0x00403e57
0x00403e49
0x00403e4d
0x00000000
0x00000000
0x00000000
0x00403e4d
0x00403dba
0x00000000
0x00403dba
0x00403ea3
0x00403eaa
0x00403eaf
0x00403ebb
0x00000000
0x00000000
0x00403ec5
0x00403efe
0x00403f01
0x00403f11
0x00403f16
0x00403f18
0x00403f1d
0x00403f22
0x00403f25
0x00403f2d
0x00403f2e
0x00403f32
0x00403f36
0x00403f3e
0x00403f50
0x00000000
0x00000000
0x00403f52
0x00403f5d
0x00403f62
0x00403f6d
0x00403f70
0x00403f75
0x00403f7a
0x00403f7a
0x00403f7b
0x00403f7f
0x00403f83
0x00403f8b
0x00403f8d
0x00403f95
0x00403f9d
0x00403fa0
0x00403fa5
0x00403fae
0x00403fb6
0x00403fba
0x00403fc1
0x00000000
0x00403fc6
0x00403ec7
0x00403ecc
0x00403ecf
0x00403ed7
0x00403ed8
0x00403ee0
0x00403ee3
0x00403eea
0x00403eeb
0x00403eec
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403CC5
GetModuleFileNameA.KERNEL32(?,?,?,?,00000000,?,00404274,?,00000000,00000000), ref: 00403CEB

Part of subcall function 0040743D: GetFileAttributesA.KERNEL32 ref: 0040744A
Part of subcall function 0040743D: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,Error launching installer,?,00403D0F), ref: 00407488

Part of subcall function 00407667: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404106), ref: 00407682

Part of subcall function 00407298: lstrlenA.KERNEL32 ref: 004072A5
Part of subcall function 00407298: CharPrevA.USER32 ref: 004072B9

GetFileSize.KERNEL32(00000000,00000000,?,Error launching installer,Error launching installer,?,?,?,?,?,?,?,?,?,00000000), ref: 00403D62

Part of subcall function 004038ED: DestroyWindow.USER32 ref: 00403905

GlobalAlloc.KERNEL32(?,?,?,?,00000000,00000000,?,Error launching installer,Error launching installer), ref: 00403F11
SetFilePointer.KERNEL32(?,?,?,?,Error launching installer,Error launching installer,?,?,?,?,?,?,?,?,?,00000000), ref: 00403FA0

Part of subcall function 004039D0: SetFilePointer.KERNEL32(?,?,?,?,00000000,?,Error launching installer,Error launching installer), ref: 004039F5

Part of subcall function 00403985: ReadFile.KERNEL32(?,?,?,?,?,?,00000000,?,00403DAD,?,?,00000000,00000000,?,Error launching installer,Error launching installer), ref: 004039B1

Strings

Inst, xrefs: 00403E02
Error launching installer, xrefs: 00403CBD, 00403D36, 00403D37
Null, xrefs: 00403E14
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403EAA, 00403F01, 00403FCB
soft, xrefs: 00403E0B
@, xrefs: 00403FAE

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: File$Pointer$AllocAttributesCharCountCreateDestroyGlobalModuleNamePrevReadSizeTickWindowlstrcpynlstrlen
String ID: @$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 3829796190-693753142
Opcode ID: d3ee3ab9e85551d06f40c049d1026f8ef554829c9f4140700c43bdf25ac80ea2
Instruction ID: 5281b5d1b26c925c6c6ecfe62c0f2ec6efbc3d6b4f4992a463940d00bd5b1bc0
Opcode Fuzzy Hash: d3ee3ab9e85551d06f40c049d1026f8ef554829c9f4140700c43bdf25ac80ea2
Instruction Fuzzy Hash: 00816CB08083049FD710AF69D58575EBFF8EB44319F10863EE888A72D1D7B89944CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403A01, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403A6B

Part of subcall function 004039D0: SetFilePointer.KERNEL32(?,?,?,?,00000000,?,Error launching installer,Error launching installer), ref: 004039F5

Part of subcall function 00403985: ReadFile.KERNEL32(?,?,?,?,?,?,00000000,?,00403DAD,?,?,00000000,00000000,?,Error launching installer,Error launching installer), ref: 004039B1

GetTickCount.KERNEL32 ref: 00403B2F
MulDiv.KERNEL32 ref: 00403B67
wsprintfA.USER32 ref: 00403B81
WriteFile.KERNEL32(?,?,?,Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error,Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error), ref: 00403BCB
WriteFile.KERNEL32(?,?,Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error,Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error), ref: 00403C58

Strings

d, xrefs: 00403B55
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403A10, 00403A53, 00403A54

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: File$CountTickWrite$PointerReadwsprintf
String ID: Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$d
API String ID: 1419457180-1624645521
Opcode ID: f6eec7674ccd49cbcc85160daa8744a8ba0aa78c01b248d275ff14dc6ff36ac5
Instruction ID: 5c8d4c26249811b3cb00692e32cf30328336c06c22fde009fdad36fd576dca37
Opcode Fuzzy Hash: f6eec7674ccd49cbcc85160daa8744a8ba0aa78c01b248d275ff14dc6ff36ac5
Instruction Fuzzy Hash: BF716BB1A087149FEB109F69C84469EBBF8FF84349F10863FE854B7281D37899458F99

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 185
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareFileTime.KERNEL32(?,00000000), ref: 00401B59

Part of subcall function 00407667: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404106), ref: 00407682

Part of subcall function 004071B9: MessageBoxIndirectA.USER32 ref: 00407222

Part of subcall function 00406A5D: SetWindowTextA.USER32(00000000,00000000), ref: 00406AF3
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B2C
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B5D
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B7F

Strings

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Python.inst, xrefs: 00401C13, 00401C3A
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Python.inst\python-2.7.1.msi, xrefs: 00401AEC, 00401B02, 00401B27, 00401B39, 00401B77, 00401BA0, 00401BF6, 00401C68, 00401D14, 00401D26, 00401D3C, 00401D52
pyinst, xrefs: 00401BE8, 00401C21

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Message$Send$CompareFileIndirectTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Python.inst$C:\Program Files (x86)\Immunity Inc\Immunity Debugger\Python.inst\python-2.7.1.msi$pyinst
API String ID: 645384303-3643263547
Opcode ID: c52074a3b083e3a8cd5017130e25673c6564adbb629509276e569a7f1e6f4265
Instruction ID: 41e43962a05efe88a124b621b364e640410f1abcd72afbeb249d14450974e872
Opcode Fuzzy Hash: c52074a3b083e3a8cd5017130e25673c6564adbb629509276e569a7f1e6f4265
Instruction Fuzzy Hash: A4614DB0809301EED700BFA9858156EBAE8AF84718F118A3FF595A32D1D77958418B6B

Uniqueness

Uniqueness Score: -1.00%

Function 004033BA, Relevance: 10.6, APIs: 7, Instructions: 130
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00403423
GlobalAlloc.KERNEL32(00000000,00000000,00000000), ref: 00403468
GlobalFree.KERNEL32 ref: 004034F6
WriteFile.KERNEL32(?,?,00000000), ref: 0040351C
GlobalFree.KERNEL32 ref: 00403527
CloseHandle.KERNEL32 ref: 0040355B
DeleteFileA.KERNEL32 ref: 00403573

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: f347bfff35ec1589b73c0e5770882ad0c401878adb55233e88f6205227f00251
Instruction ID: da9c018ad9740825a32562184e22ad7c72d19956a8ce3abff7bf0b800a4bb466
Opcode Fuzzy Hash: f347bfff35ec1589b73c0e5770882ad0c401878adb55233e88f6205227f00251
Instruction Fuzzy Hash: 0A511DB09087149FC710EF29C88165EBBF4AF89314F118A6EF598A73D1D73899418F96

Uniqueness

Uniqueness Score: -1.00%

Function 00406A5D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00406A5D(void* __ecx, void* __edx, signed int _a4, long _a8) {
				void* _v16;
				CHAR* _v48;
				long _v60;
				int _v64;
				void* _v68;
				long _v80;
				void* _v100;
				void* _v104;
				CHAR* _v108;
				long _v112;
				long _t30;
				long _t31;
				struct HWND__* _t38;
				long _t39;
				struct HWND__* _t41;
				void* _t42;
				void* _t43;
				signed int _t45;
				signed int _t46;
				CHAR** _t48;

				_t43 = __edx;
				_t42 = __ecx;
				_t41 =  *0x431064; // 0x3020e
				if(_t41 == 0) {
					L12:
					return _t30;
				}
				_t46 =  *0x4307f0; // 0x0
				_t45 = _t46 & 0x00000001;
				if(_t45 == 0) {
					_t30 = E00407769(0x42d474, _a4);
				}
				_v108 = 0x42d474;
				E0040768E();
				_push(_t42);
				_v80 = _t30;
				if(_a8 == 0) {
					L6:
					if((_t46 & 0x00000004) == 0) {
						_t38 =  *0x43107c; // 0x30214
						_t30 = SetWindowTextA(_t38, 0x42d474); // executed
						_push(_t30);
						_push(_t30);
					}
					if((_t46 & 0x00000002) == 0) {
						_v68 = 1;
						_v48 = 0x42d474;
						_t31 = SendMessageA(_t41, 0x1004, 0, 0); // executed
						_v60 = 0;
						_v64 = _t31 - _t45;
						SendMessageA(_t41, 0x1007 - _t45, 0,  &_v68); // executed
						_t30 = SendMessageA(_t41, 0x1013, _v64, 0); // executed
					}
					if(_t45 != 0) {
						_t30 = _v80;
						0x42d474[_t30] = 0;
					}
					goto L12;
				} else {
					_t39 = _a8;
					_v112 = _t39;
					E0040768E();
					_t30 = _t39 + _v80;
					_push(_t43);
					if(_t30 > 0x7ff) {
						goto L12;
					}
					_t30 = _a8;
					 *_t48 = 0x42d474;
					_v112 = _t30;
					E00407697();
					_push(_t30);
					_push(_t30);
					goto L6;
				}
			}

0x00406a5d
0x00406a5d
0x00406a66
0x00406a6e
0x00406b95
0x00406b9c
0x00406b9c
0x00406a74
0x00406a7c
0x00406a7f
0x00406a8f
0x00406a95
0x00406a96
0x00406a9d
0x00406aa6
0x00406aa7
0x00406aaa
0x00406adb
0x00406ae1
0x00406ae3
0x00406af3
0x00406af8
0x00406af9
0x00406af9
0x00406afd
0x00406b03
0x00406b0a
0x00406b2c
0x00406b31
0x00406b3d
0x00406b5d
0x00406b7f
0x00406b84
0x00406b89
0x00406b8b
0x00406b8e
0x00406b8e
0x00000000
0x00406aac
0x00406aac
0x00406aaf
0x00406ab2
0x00406ab7
0x00406abf
0x00406ac0
0x00000000
0x00000000
0x00406ac6
0x00406ac9
0x00406ad0
0x00406ad4
0x00406ad9
0x00406ada
0x00000000
0x00406ada

APIs

SetWindowTextA.USER32(00000000,00000000), ref: 00406AF3
SendMessageA.USER32 ref: 00406B2C
SendMessageA.USER32 ref: 00406B5D
SendMessageA.USER32 ref: 00406B7F

Strings

Completed, xrefs: 00406A84, 00406A96, 00406AC9, 00406AE8, 00406B0A

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend$TextWindow
String ID: Completed
API String ID: 1596935084-3087654605
Opcode ID: ee8874c953a4c44c42b20a70881a0835918c43291b080bd210f5e4e55a6b0083
Instruction ID: 1b59726b306c4ffe213a1a24a6d49f458a097bbd2ae74c7e6ce796ff290fd825
Opcode Fuzzy Hash: ee8874c953a4c44c42b20a70881a0835918c43291b080bd210f5e4e55a6b0083
Instruction Fuzzy Hash: 3E312CB1D04344AFD700AF69C5847AEBBF4EB40314F41C92EE998AB242D77DA844CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401834, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00401834(void* __ebx, CHAR* __ecx, void* __edx, void* __eflags) {
				char _t12;
				intOrPtr _t13;
				void* _t16;
				CHAR* _t17;
				int _t18;
				char* _t19;
				int _t21;
				char _t27;
				CHAR* _t29;
				void* _t30;
				char* _t31;
				void* _t33;
				void* _t36;
				intOrPtr* _t38;

				_t30 = __edx;
				_t29 = __ecx;
				_t33 = 0; // executed
				_t12 = E0040140C(0xfffffff0, __ebx, __edx); // executed
				_t27 = _t12;
				 *_t38 = _t12;
				_t13 = E004072FD(_t29, __edx);
				_push(_t29);
				if(_t13 != 0) {
					 *((intOrPtr*)(_t36 - 0x18c)) = _t27;
					do {
						 *((intOrPtr*)(_t38 + 4)) = 0x5c;
						 *_t38 = _t13;
						_t19 = E0040726F(_t27);
						_t31 = _t19;
						_t27 =  *_t19;
						 *_t19 = 0;
						 *((intOrPtr*)(_t38 + 4)) = 0;
						 *_t38 =  *((intOrPtr*)(_t36 - 0x18c)); // executed
						_t21 = CreateDirectoryA(_t29, _t29); // executed
						_push(_t30);
						_push(_t30);
						if(_t21 == 0) {
							if(GetLastError() == 0xb7) {
								 *_t38 =  *((intOrPtr*)(_t36 - 0x18c)); // executed
								GetFileAttributesA(??); // executed
								_push(_t30);
								asm("adc esi, 0x0");
							} else {
								_t33 = _t33 + 1;
							}
						}
						 *_t31 = _t27;
						_t6 = _t31 + 1; // 0x1
						_t13 = _t6;
					} while (_t27 != 0);
					_t27 =  *((intOrPtr*)(_t36 - 0x18c));
				}
				if( *((intOrPtr*)(_t36 - 0x38)) == 0) {
					 *_t38 = 0xfffffff5; // executed
					E00401615(); // executed
					_push(_t31);
				} else {
					 *_t38 = 0xffffffe6; // executed
					_t16 = E00401615(); // executed
					_push(_t16);
					 *((intOrPtr*)(_t38 + 4)) = _t27;
					 *_t38 = 0x439800;
					_t17 = E00407667();
					_push(_t17);
					 *_t38 = _t27; // executed
					_t18 = SetCurrentDirectoryA(_t17); // executed
					_push(_t18);
				}
				 *0x4307c4 =  *0x4307c4 + _t33;
				return 0;
			}

0x00401834
0x00401834
0x00401839
0x0040183b
0x00401840
0x00401842
0x00401845
0x0040184c
0x0040184d
0x0040184f
0x00401855
0x00401855
0x0040185d
0x00401860
0x00401866
0x00401869
0x0040186b
0x00401874
0x0040187c
0x0040187f
0x00401886
0x00401887
0x00401888
0x00401894
0x0040189f
0x004018a2
0x004018ad
0x004018ae
0x00401896
0x00401896
0x00401896
0x00401894
0x004018b3
0x004018b5
0x004018b5
0x004018b5
0x004018ba
0x004018ba
0x004018c4
0x004018f3
0x004018fa
0x004018ff
0x004018c6
0x004018c6
0x004018cd
0x004018d2
0x004018d3
0x004018d7
0x004018de
0x004018e3
0x004018e5
0x004018e8
0x004018ed
0x004018ed
0x00403754
0x00403765

APIs

Part of subcall function 004072FD: CharNextA.USER32(?,00407AA0,?,?,?,?,?,?,00407E28), ref: 0040730B
Part of subcall function 004072FD: CharNextA.USER32(?,?,00407AA0,?,?,?,?,?,?,00407E28), ref: 00407316

CreateDirectoryA.KERNEL32 ref: 0040187F
GetLastError.KERNEL32 ref: 0040188A
GetFileAttributesA.KERNEL32 ref: 004018A2
SetCurrentDirectoryA.KERNEL32(00000000,00000000,00000000), ref: 004018E8

Strings

\, xrefs: 00401855

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CharDirectoryNext$AttributesCreateCurrentErrorFileLast
String ID: \
API String ID: 108874544-2967466578
Opcode ID: 08037986fb4db037d30b2fdccd3b1c69cf8bf0198b6da8bf11eab4b9e20cec99
Instruction ID: ae5fa251a3aa94e781b2bd4e77ab9fd80b79f1e48566c81353f32a556bdac87c
Opcode Fuzzy Hash: 08037986fb4db037d30b2fdccd3b1c69cf8bf0198b6da8bf11eab4b9e20cec99
Instruction Fuzzy Hash: 51219FB1908200AAD7007F79888076EBBA8EB45314F05897EF898A73D2D73859408B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00402D38, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00402D38(intOrPtr __esi) {
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				long _t36;
				void* _t43;
				intOrPtr _t44;
				void* _t48;
				signed int _t52;
				signed int _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				signed int _t57;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t64;

				_t56 = __esi;
				if(__esi == 0) {
					_t60 =  *0x4307c0; // 0x1
					_t56 = _t60 - 0x7fffffff;
				}
				_t44 =  *((intOrPtr*)(_t61 - 0x2c));
				 *((intOrPtr*)(_t61 - 0x18c)) =  *((intOrPtr*)(_t61 - 0x28));
				_t54 = E0040140C(2, _t44,  *((intOrPtr*)(_t61 - 0x28)));
				_t31 = E0040140C(0x11, _t44,  *((intOrPtr*)(_t61 - 0x28)));
				 *((intOrPtr*)(_t63 + 0x1c)) = _t61 - 0x20;
				_t52 =  *0x4307ec; // 0x0
				 *_t63 = _t56;
				_t57 = 1;
				 *((intOrPtr*)(_t63 + 0x20)) = 0;
				 *((intOrPtr*)(_t63 + 0x18)) = 0;
				_t53 = _t52 | 0x00000002;
				 *(_t63 + 0x14) = _t53;
				 *((intOrPtr*)(_t63 + 0x10)) = 0;
				 *((intOrPtr*)(_t63 + 0xc)) = 0;
				 *((intOrPtr*)(_t63 + 8)) = 0;
				 *((intOrPtr*)(_t63 + 4)) = _t31;
				_t32 = RegCreateKeyExA(??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				_t64 = _t63 - 0x24;
				if(_t32 == 0) {
					if(_t44 != 1) {
						if(_t44 != 4) {
							_t34 = 0;
							if(_t44 == 3) {
								 *((intOrPtr*)(_t64 + 0xc)) = 0xc00;
								 *((intOrPtr*)(_t64 + 8)) = 0x40c804;
								 *((intOrPtr*)(_t64 + 4)) = 0;
								 *_t64 =  *((intOrPtr*)(_t61 - 0x30));
								_t34 = E00403A01(_t48);
								_t64 = _t64 - 0x10;
							}
						} else {
							 *0x40c804 = E0040145B(3, _t48);
							_t34 = 4;
						}
					} else {
						_t43 = E0040140C(0x23, _t44, _t53);
						 *_t64 = 0x40c804;
						E0040768E();
						_t34 = _t43 + 1;
						_push(_t53);
					}
					 *((intOrPtr*)(_t64 + 0x14)) = _t34;
					 *((intOrPtr*)(_t64 + 0x10)) = 0x40c804;
					 *((intOrPtr*)(_t64 + 8)) = 0;
					 *((intOrPtr*)(_t64 + 0xc)) =  *((intOrPtr*)(_t61 - 0x18c));
					 *((intOrPtr*)(_t64 + 4)) = _t54;
					 *_t64 =  *((intOrPtr*)(_t61 - 0x20)); // executed
					_t36 = RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
					_t57 = 0 | _t36 != 0x00000000;
					 *((intOrPtr*)(_t64 - 0x18)) =  *((intOrPtr*)(_t61 - 0x20));
					_push(RegCloseKey(??));
				}
				 *0x4307c4 =  *0x4307c4 + _t57;
				return 0;
			}

0x00402d38
0x00402d3a
0x00402d3c
0x00402d42
0x00402d42
0x00402d50
0x00402d53
0x00402d5e
0x00402d65
0x00402d6d
0x00402d71
0x00402d77
0x00402d7a
0x00402d7f
0x00402d87
0x00402d8f
0x00402d92
0x00402d96
0x00402d9e
0x00402da6
0x00402dae
0x00402db2
0x00402db7
0x00402dbc
0x00402dc5
0x00402de1
0x00402df9
0x00402dfe
0x00402e03
0x00402e0b
0x00402e13
0x00402e1b
0x00402e1e
0x00402e23
0x00402e23
0x00402de3
0x00402ded
0x00402df2
0x00402df2
0x00402dc7
0x00402dc9
0x00402dce
0x00402dd5
0x00402dda
0x00402ddb
0x00402ddb
0x00402e2e
0x00402e35
0x00402e3d
0x00402e45
0x00402e49
0x00402e4d
0x00402e50
0x00402e60
0x00402e62
0x00402e6a
0x00402e6a
0x00403754
0x00403765

APIs

RegCreateKeyExA.ADVAPI32 ref: 00402DB2
RegSetValueExA.ADVAPI32 ref: 00402E50
RegCloseKey.ADVAPI32 ref: 00402E65

Strings

pyinst, xrefs: 00402DCE, 00402DED, 00402E0B, 00402E35

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CloseCreateValue
String ID: pyinst
API String ID: 1818849710-423620463
Opcode ID: 3040434da96e2b26564a103f79ef4e30425acbde6cf0f9fc2f635a489a04446a
Instruction ID: ceca056729aa78fa5761359d58f91656080aceb04fe425fbfade262cc3c7fda1
Opcode Fuzzy Hash: 3040434da96e2b26564a103f79ef4e30425acbde6cf0f9fc2f635a489a04446a
Instruction Fuzzy Hash: CB314EB1904311CFD700EF6AC58439EBBE4FB84314F108A3EE884A7391D37989458F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004074FE, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,: Completed,?,00407867), ref: 00407538
RegQueryValueExA.ADVAPI32 ref: 00407572
RegCloseKey.ADVAPI32 ref: 00407597

Strings

: Completed, xrefs: 00407501

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: bc8bdf0b487b9454ac1d4c39736aac56665da942461c37182bab1d4800a8cf73
Instruction ID: 7b1c651f453375e2f466e900a10ad4df63881d56597be76653d098498abd0ecc
Opcode Fuzzy Hash: bc8bdf0b487b9454ac1d4c39736aac56665da942461c37182bab1d4800a8cf73
Instruction Fuzzy Hash: 2B1197B09043499FCB00EF69C58579EBBF4AB55344F50886AE894E7341E378D914CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00407A78, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
stringCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00407A78(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v24;
				signed int _t13;
				int _t15;
				signed int _t16;
				long _t19;
				intOrPtr _t22;
				intOrPtr* _t24;
				signed int _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr* _t30;

				_t28 = __edx;
				_t27 = __ecx;
				_push(__ebx);
				_t30 = _t29 - 0x14;
				 *_t30 = 0x42e0b8;
				_v24 = _a4;
				E00407667();
				_push(__ebx);
				 *_t30 = 0x42e0b8;
				_t24 = E004072FD(__ecx, __edx, __ebx);
				_t13 = 0;
				_push(__edx);
				if(_t24 != 0) {
					 *_t30 = _t24;
					E004076A0(__ecx);
					_push(__ecx);
					if(( *0x430844 & 0x00000080) == 0) {
						L8:
						_t26 = _t24 - 0x42e0b8;
						__eflags = _t26;
						while(1) {
							 *_t30 = 0x42e0b8;
							_t15 = lstrlenA(??);
							__eflags = _t15 - _t26;
							_push(_t28);
							 *_t30 = 0x42e0b8;
							if(_t15 <= _t26) {
								break;
							}
							_t16 = E00407A42(_t28); // executed
							__eflags = _t16;
							_push(_t28);
							if(_t16 == 0) {
								L7:
								 *_t30 = 0x42e0b8;
								E00407298(_t26, _t27, _t28);
								_push(_t27);
								continue;
							} else {
								__eflags =  *_t16 & 0x00000010;
								if(( *_t16 & 0x00000010) == 0) {
									goto L11;
								} else {
									goto L7;
								}
							}
							goto L12;
						}
						E0040722C(_t26, _t27, _t28);
						 *_t30 = 0x42e0b8; // executed
						_t19 = GetFileAttributesA(??); // executed
						_push(_t26);
						_t13 = (_t19 + 0x00000001 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
					} else {
						_t22 =  *_t24;
						if(_t22 == 0x5c) {
							L11:
							_t13 = 0;
						} else {
							if(_t22 != 0) {
								goto L8;
							} else {
								goto L11;
							}
						}
					}
				}
				L12:
				return _t13;
			}

0x00407a78
0x00407a78
0x00407a7b
0x00407a7c
0x00407a82
0x00407a89
0x00407a8d
0x00407a92
0x00407a94
0x00407aa0
0x00407aa2
0x00407aa6
0x00407aa7
0x00407aa9
0x00407aac
0x00407ab8
0x00407ab9
0x00407ae5
0x00407ae5
0x00407ae5
0x00407aeb
0x00407aeb
0x00407af2
0x00407af7
0x00407af9
0x00407afa
0x00407b01
0x00000000
0x00000000
0x00407ac7
0x00407acc
0x00407ace
0x00407acf
0x00407ad6
0x00407ad6
0x00407add
0x00407ae2
0x00000000
0x00407ad1
0x00407ad1
0x00407ad4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ad4
0x00000000
0x00407acf
0x00407b03
0x00407b09
0x00407b10
0x00407b19
0x00407b1a
0x00407abb
0x00407abb
0x00407abf
0x00407b1f
0x00407b1f
0x00407ac1
0x00407ac3
0x00000000
0x00407ac5
0x00000000
0x00407ac5
0x00407ac3
0x00407abf
0x00407ab9
0x00407b21
0x00407b25

APIs

Part of subcall function 00407667: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404106), ref: 00407682

Part of subcall function 004072FD: CharNextA.USER32(?,00407AA0,?,?,?,?,?,?,00407E28), ref: 0040730B
Part of subcall function 004072FD: CharNextA.USER32(?,?,00407AA0,?,?,?,?,?,?,00407E28), ref: 00407316

Part of subcall function 004076A0: CharPrevA.USER32(?,?,?,00000000,?,00000000,?,00403FEE), ref: 00407745

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00407E28), ref: 00407AF2
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00407E28), ref: 00407B10

Strings

(~@, xrefs: 00407B21

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Char$Next$AttributesFilePrevlstrcpynlstrlen
String ID: (~@
API String ID: 2935448797-243260322
Opcode ID: 774a9c96f21172197df23aec3f23058df4d0fb8b57199124489c9fcb9f12000c
Instruction ID: c9c624a1feca57caac21f6bc26fc852fcde0aa37f0a16d9ee83435c72ad2ca5d
Opcode Fuzzy Hash: 774a9c96f21172197df23aec3f23058df4d0fb8b57199124489c9fcb9f12000c
Instruction Fuzzy Hash: 6A11A7A0B0C31459D7007F7A684163F7AE8AA45348F85497FF8C0622D2D7BC6846963F

Uniqueness

Uniqueness Score: -1.00%

Function 00403766, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32 ref: 004037D2
SendMessageA.USER32 ref: 004037F1

Strings

0u, xrefs: 004037BE

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend
String ID: 0u
API String ID: 3850602802-3203441087
Opcode ID: 6f0e7b944014ec4ee7f5cfa0cfe32ffac04e8b2b7af7766628b04f6b6f2d1fa7
Instruction ID: 126f3405159113c72baf0b2e57cfc62c87d0b7db88b8a1602eb6d6fe4c723f53
Opcode Fuzzy Hash: 6f0e7b944014ec4ee7f5cfa0cfe32ffac04e8b2b7af7766628b04f6b6f2d1fa7
Instruction Fuzzy Hash: EC11C6B15043009BD704BF29D88515ABFE8FB45324F10C63EE554A73E1E738D9458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407497, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004074B4
GetTempFileNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004074DE

Strings

nsa, xrefs: 004074AD

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: f4e41a9d185789e04c375b1450673dafdc98be5e90db3ad6cd508495c01c31e4
Instruction ID: fb5de100d891a19a4c1edcb839dc4129f764126159937ca1f183540be676422b
Opcode Fuzzy Hash: f4e41a9d185789e04c375b1450673dafdc98be5e90db3ad6cd508495c01c31e4
Instruction Fuzzy Hash: 80F0C231E0C204ABD710AF6AC88079FBFB5EB84354F00C03FE95467381D678591ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040743D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 0040744A
CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,Error launching installer,?,00403D0F), ref: 00407488

Strings

Error launching installer, xrefs: 00407440

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID: Error launching installer
API String ID: 415043291-66219284
Opcode ID: 0a2a1eab940d00a4da7f7e83dba3db61bace05729a0f96d82e3eb2bd9c44a656
Instruction ID: 7215bb1ce1708f84158c116b1bac3a8935ec04ca19601daf5fff0d585b82ba44
Opcode Fuzzy Hash: 0a2a1eab940d00a4da7f7e83dba3db61bace05729a0f96d82e3eb2bd9c44a656
Instruction Fuzzy Hash: 50F01CB0508305AFC700EF29C4C574EBBE4AF88354F50892DF89897382D378D9448BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00402F45, Relevance: 4.6, APIs: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401487: RegOpenKeyExA.ADVAPI32 ref: 004014D3

RegEnumKeyA.ADVAPI32 ref: 00402F9E
RegEnumValueA.ADVAPI32 ref: 00402FE0
RegCloseKey.ADVAPI32 ref: 00403002

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: d25583a694eafcf0659bd9dc0b148934664811b834ae971fdc0a89a3f1108b2b
Instruction ID: fd3691915d96e7877661ecebe29b729b85a24355ae14bd5710a5d77b2ef5f085
Opcode Fuzzy Hash: d25583a694eafcf0659bd9dc0b148934664811b834ae971fdc0a89a3f1108b2b
Instruction Fuzzy Hash: 5E11EAB19043159EDB10EF6AD44439AFBF4EF44348F00C86EE858A7291D7B94A488F96

Uniqueness

Uniqueness Score: -1.00%

Function 004071B9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxIndirectA.USER32 ref: 00407222

Strings

Immunity Debugger Setup, xrefs: 004071E8

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: IndirectMessage
String ID: Immunity Debugger Setup
API String ID: 1874166685-3272910282
Opcode ID: b62b874f5f5cea3dd653fc4d818fb7bb832de82c39bd7ccd5ba1b1940b401153
Instruction ID: 622098e7a0a3ac16e29e18349bab0a4a3b89ea011a5421917ca13a88cba857e5
Opcode Fuzzy Hash: b62b874f5f5cea3dd653fc4d818fb7bb832de82c39bd7ccd5ba1b1940b401153
Instruction Fuzzy Hash: E3F03071A003088BC304EF29EE1160677E2A784308F18D33AD454B73A4D378E85ACF8E

Uniqueness

Uniqueness Score: -1.00%

Function 00404741, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00404763

Strings

(, xrefs: 00404758

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend
String ID: (
API String ID: 3850602802-3887548279
Opcode ID: dcf07c0955033e06d6d91264e3982895d229510722a60bc173ac05b467669826
Instruction ID: 5d5b5dd7304db8e8fbf1bfdfe609c9c7f38bf62751a608e7d8104b96d6fb7c94
Opcode Fuzzy Hash: dcf07c0955033e06d6d91264e3982895d229510722a60bc173ac05b467669826
Instruction Fuzzy Hash: 17D0C974408300ABD340BF3ED54A209BBE4AB4030CF80D96DE98497282E6B9D44C8F86

Uniqueness

Uniqueness Score: -1.00%

Function 00402E70, Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00402E70(void* __ebx, void* __edx, intOrPtr __edi, void* __eflags) {
				intOrPtr _t27;
				intOrPtr _t29;
				long _t32;
				intOrPtr _t35;
				void* _t38;
				void* _t39;
				intOrPtr _t46;
				signed int _t48;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr* _t55;

				_t46 = __edi;
				_t39 = __ebx;
				_t48 = 1; // executed
				_t27 = E00401487(0x20019, __ebx, __edx); // executed
				 *((intOrPtr*)(_t51 - 0x18c)) = _t27;
				_t29 = E0040140C(0x33, _t39, __edx);
				 *((char*)(_t39 + 0x434000)) = 0;
				if( *((intOrPtr*)(_t51 - 0x18c)) != 0) {
					 *((intOrPtr*)(_t53 + 4)) = _t29;
					 *((intOrPtr*)(_t53 + 0x14)) = _t51 - 0x20;
					 *((intOrPtr*)(_t51 - 0x20)) = 0x3ff;
					 *((intOrPtr*)(_t53 + 0x10)) = __edi;
					 *((intOrPtr*)(_t53 + 0xc)) = _t51 - 0x1c;
					 *((intOrPtr*)(_t53 + 8)) = 0;
					 *_t53 =  *((intOrPtr*)(_t51 - 0x18c));
					_t32 = RegQueryValueExA(??, ??, ??, ??, ??, ??);
					_t55 = _t53 - 0x18;
					if(_t32 != 0) {
						L5:
						 *((char*)(_t39 + 0x434000)) = 0;
						_t48 = 1;
					} else {
						_t35 =  *((intOrPtr*)(_t51 - 0x1c));
						if(_t35 == 1 || _t35 == 4) {
							if(_t35 != 4) {
								goto L8;
							} else {
								 *_t55 = _t46;
								 *((intOrPtr*)(_t55 + 4)) =  *((intOrPtr*)(_t39 + 0x434000));
								_t48 = 0 |  *(_t51 - 0x2c) == 0x00000000;
								_t38 = E004075A4();
								_push(_t38);
								_push(_t38);
							}
						} else {
							if(_t35 == 2) {
								L8:
								_t48 =  *(_t51 - 0x2c);
								 *((char*)(_t39 +  *((intOrPtr*)(_t51 - 0x20)) + 0x434000)) = 0;
							} else {
								goto L5;
							}
						}
					}
					 *_t55 =  *((intOrPtr*)(_t51 - 0x18c));
					_push(RegCloseKey(??));
				}
				 *0x4307c4 =  *0x4307c4 + _t48;
				return 0;
			}

0x00402e70
0x00402e70
0x00402e75
0x00402e7a
0x00402e7f
0x00402e8a
0x00402e96
0x00402e9d
0x00402ea3
0x00402eb0
0x00402eb7
0x00402ebe
0x00402ec2
0x00402ec6
0x00402ece
0x00402ed1
0x00402ed6
0x00402edb
0x00402eef
0x00402eef
0x00402ef6
0x00402edd
0x00402edd
0x00402ee3
0x00402f00
0x00000000
0x00402f02
0x00402f0e
0x00402f14
0x00402f18
0x00402f1a
0x00402f1f
0x00402f20
0x00402f20
0x00402eea
0x00402eed
0x00402f23
0x00402f26
0x00402f29
0x00000000
0x00000000
0x00000000
0x00402eed
0x00402ee3
0x00402f37
0x00402f3f
0x00402f3f
0x00403754
0x00403765

APIs

Part of subcall function 00401487: RegOpenKeyExA.ADVAPI32 ref: 004014D3

RegQueryValueExA.ADVAPI32 ref: 00402ED1
RegCloseKey.ADVAPI32 ref: 00402F3A

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f957611cd7504b4c75c73d2bc8622772976d10b0cc746d6032631b5168322841
Instruction ID: ddeb8c82aea0ed46c4cabef8b89904c789d05fb68eb42fb9a33b40c66d3c7707
Opcode Fuzzy Hash: f957611cd7504b4c75c73d2bc8622772976d10b0cc746d6032631b5168322841
Instruction Fuzzy Hash: 81213CB1D042159BEB109F69D58439EB7F4EB45308F0484BAE848BB281D3B89944DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00404874, Relevance: 3.0, APIs: 2, Instructions: 45
comCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00404874(void* __ecx, signed int __edx, intOrPtr _a4) {
				void* _v16;
				signed int _v32;
				char _v60;
				signed int _t10;
				intOrPtr _t16;
				void* _t18;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr* _t25;

				_t21 = __edx;
				_t20 = __ecx;
				_t25 = _t24 - 0x2c;
				_t10 =  *0x4307f4; // 0x0
				_t22 = _a4;
				_t23 =  *0x43080c; // 0x1
				_t19 =  *0x430808; // 0x11f25c
				_v32 = _t10;
				_v60 = 0;
				L004097D0();
				_push(__edx);
				 *0x4307f4 = _t10 | _v32;
				E0040476D(0); // executed
				while(_t23 != 0) {
					if(( *(_t19 + 8) & 0x00000001) == 0) {
						L4:
						_t19 = _t19 + 0x418;
						_t23 = _t23 - 1;
						continue;
					} else {
						_v60 = _t22;
						 *_t25 =  *((intOrPtr*)(_t19 + 0xc)); // executed
						_t18 = E00403766(_t21); // executed
						_push(_t20);
						_push(_t20);
						if(_t18 == 0) {
							goto L4;
						} else {
							 *0x4307c8 =  *0x4307c8 + 1;
						}
					}
					break;
				}
				E0040476D(0x404); // executed
				L004097D8();
				_t16 =  *0x4307c8; // 0x0
				return _t16;
			}

0x00404874
0x00404874
0x0040487a
0x0040487d
0x00404882
0x00404885
0x0040488b
0x00404891
0x00404894
0x0040489b
0x004048a3
0x004048a4
0x004048ab
0x004048dc
0x004048b6
0x004048d5
0x004048d5
0x004048db
0x00000000
0x004048b8
0x004048b8
0x004048bf
0x004048c2
0x004048c9
0x004048ca
0x004048cb
0x00000000
0x004048cd
0x004048cd
0x004048cd
0x004048cb
0x00000000
0x004048b6
0x004048e5
0x004048ea
0x004048ef
0x004048fb

APIs

OleInitialize.OLE32 ref: 0040489B

Part of subcall function 0040476D: SendMessageA.USER32 ref: 00404794

OleUninitialize.OLE32(?,?,?,?,?,?,00000002,0011F030,00000000,?,00405FA1), ref: 004048EA

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 719b13a42a0744619c765d518554f2f3b5eea0615f351c8855d122b257e66080
Instruction ID: 2522178fd95e80003e0d3e22187f10ff71ce39ff811405b0288512a8ace84041
Opcode Fuzzy Hash: 719b13a42a0744619c765d518554f2f3b5eea0615f351c8855d122b257e66080
Instruction Fuzzy Hash: 990188F6915204DBC754FF65D940A5ABBF4EB84314F04953BEE40A7352D338A841CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004042EF, Relevance: 3.0, APIs: 2, Instructions: 35comshutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00407667: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404106), ref: 00407682

Part of subcall function 00405B86: lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D04
Part of subcall function 00405B86: GetFileAttributesA.KERNEL32 ref: 00405D12

Part of subcall function 0040403F: CloseHandle.KERNEL32 ref: 00404052

OleUninitialize.OLE32(?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040446A
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004044EC
ExitWindowsEx.USER32 ref: 00404592
ExitProcess.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000), ref: 004045B8

Part of subcall function 004071B9: MessageBoxIndirectA.USER32 ref: 00407222

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: ExitProcess$AttributesCloseCurrentFileHandleIndirectMessageUninitializeWindowslstrcmpilstrcpyn
String ID:
API String ID: 4215313044-0
Opcode ID: 6933c65045ed254ecd30b0c5c3a8115500456405c432ef40ee5422f9eb993134
Instruction ID: 0d451dd0ee4af9d0573b0710e6c21700f2a4dd2850568666cf02a6dd73f30d17
Opcode Fuzzy Hash: 6933c65045ed254ecd30b0c5c3a8115500456405c432ef40ee5422f9eb993134
Instruction Fuzzy Hash: 68F03CF040D600AED3007F66898163EBAE8AB84308F51482FAAD5A72C3C77C5C41DA7F

Uniqueness

Uniqueness Score: -1.00%

Function 0040740D, Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040741A
SetFileAttributesA.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0040742F

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0369ffeb226efda452d9e776d1131eae59c16fabb091cf9a3cc3e04145beebe6
Instruction ID: a35002efef69baa73aeca3bd9210605f81a32758d6e01112020abe55ee1b4d6a
Opcode Fuzzy Hash: 0369ffeb226efda452d9e776d1131eae59c16fabb091cf9a3cc3e04145beebe6
Instruction Fuzzy Hash: 6BD012F1504705AAC710FF79CCC195E7AAC9A59364F11472DB9A5E32C3D638EC408B66

Uniqueness

Uniqueness Score: -1.00%

Function 00401487, Relevance: 1.5, APIs: 1, Instructions: 29
registryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00401487(signed int __eax, void* __ebx, void* __edx) {
				void* _v8;
				void _v16;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _t11;
				signed int _t15;
				signed int _t16;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t26;
				intOrPtr* _t27;

				_push(__ebx);
				_t27 = _t26 - 0x34;
				_t15 =  *0x4307ec; // 0x0
				_t16 = _t15 | __eax;
				_t11 = E0040140C(0x22, _t16, __edx);
				_t20 =  *0x40c000; // 0x524fee4
				_t21 =  *((intOrPtr*)(_t20 + 4));
				if(_t21 == 0) {
					_t24 =  *0x4307c0; // 0x1
					_t21 = _t24 - 0x7fffffff;
				}
				_v48 = _t16;
				 *_t27 = _t21;
				_v44 =  &_v16;
				_v52 = 0;
				_v56 = _t11;
				RegOpenKeyExA(??, ??, ??, ??, ??); // executed
				_t23 =  ==  ? _v16 : 0;
				_t13 =  ==  ? _v16 : 0;
				return  ==  ? _v16 : 0;
			}

0x0040148a
0x0040148b
0x0040148e
0x00401494
0x0040149b
0x004014a0
0x004014a6
0x004014ab
0x004014ad
0x004014b3
0x004014b3
0x004014bc
0x004014c0
0x004014c3
0x004014c7
0x004014cf
0x004014d3
0x004014e2
0x004014e7
0x004014e9

APIs

RegOpenKeyExA.ADVAPI32 ref: 004014D3

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cd0d38d62e454dd4776e8ace060ecb94adf3353eaa36c5a295dc13ecd8d156e0
Instruction ID: 471f788483ea1a7efaac8d81e1f2b31fe94727f75e90a9c366ecba353fd5fdee
Opcode Fuzzy Hash: cd0d38d62e454dd4776e8ace060ecb94adf3353eaa36c5a295dc13ecd8d156e0
Instruction Fuzzy Hash: C0F017B0A04304DFC700EFAAC58560ABBE9BB84704F50C77DE454933AAE734E805CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00403FDC, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00403FDC(CHAR* __ebx, void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _v28;
				char* _t4;
				void* _t8;
				void* _t10;
				void* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t10 = __ecx;
				E004076A0(__ecx, 0x43a400);
				 *_t13 = 0x43a400;
				_t4 = E004072CF();
				_push(_t11);
				_t12 = _t4;
				if(_t4 != 0) {
					E0040722C(__ebx, _t10, _t12, 0x43a400);
					_v28 = 0;
					 *_t13 = 0x43a400; // executed
					CreateDirectoryA(??, ??); // executed
					_v28 = 0x43a400;
					 *_t13 = 0x43a000; // executed
					_t8 = E00407497(_t12, _t12); // executed
					_push(_t10);
					_push(_t10);
					return _t8;
				}
				return 0;
			}

0x00403fdc
0x00403fdc
0x00403fe9
0x00403fef
0x00403ff6
0x00403ffb
0x00403ffc
0x00404002
0x0040400b
0x00404011
0x00404019
0x00404020
0x00404027
0x0040402f
0x00404036
0x0040403b
0x0040403c
0x00000000
0x0040403c
0x0040403e

APIs

Part of subcall function 004076A0: CharPrevA.USER32(?,?,?,00000000,?,00000000,?,00403FEE), ref: 00407745

Part of subcall function 0040722C: lstrlenA.KERNEL32(00000000,?,00404010,?,00000000), ref: 00407239
Part of subcall function 0040722C: CharPrevA.USER32(?,00000000,?,00404010,?,00000000), ref: 00407248
Part of subcall function 0040722C: lstrcatA.KERNEL32 ref: 0040725F

CreateDirectoryA.KERNEL32(00000000), ref: 00404020

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CharPrev$CreateDirectorylstrcatlstrlen
String ID:
API String ID: 3465443332-0
Opcode ID: b5f70c48fe41abcfafac21b8b5565d6221d1581a6f160d2b37f660744602322f
Instruction ID: d4909972331db749e01f1b5fc00b94d0ffe509f29938f5bb68eb4b14b14c2041
Opcode Fuzzy Hash: b5f70c48fe41abcfafac21b8b5565d6221d1581a6f160d2b37f660744602322f
Instruction Fuzzy Hash: 11E0ACF055C2006AC300BF69890562BB9E99FE870DF42D82EB0C4A3286D7BC9451566B

Uniqueness

Uniqueness Score: -1.00%

Function 00403985, Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?,?,00000000,?,00403DAD,?,?,00000000,00000000,?,Error launching installer,Error launching installer), ref: 004039B1

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6cbc58ddbce098aa6f8a876c6e87881993c160b5cb43cddde800df97a88059c7
Instruction ID: 077b163bb5256eeb45ec1732f911e169d166eb769f3f63d5501d798ccc6f0895
Opcode Fuzzy Hash: 6cbc58ddbce098aa6f8a876c6e87881993c160b5cb43cddde800df97a88059c7
Instruction Fuzzy Hash: CAF0ACB0A04309AFCB40EF6AC58564ABBF5BB88344F44C43AE89893341D774D945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040479E, Relevance: 1.5, APIs: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 004047CB

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 80ff56ca3166d42a6c71bc699fd8e8868abe1e12454ca60b9c669185238f8eca
Instruction ID: fe3cd8a90a974b12c2e5f1d30ead19554ab0d81b9d4a9396ed9b514bd5251391
Opcode Fuzzy Hash: 80ff56ca3166d42a6c71bc699fd8e8868abe1e12454ca60b9c669185238f8eca
Instruction Fuzzy Hash: E3D05EB48083009BC704BF39CA4521ABBF4A781308F50992EDA8493392D37CC44C8F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040476D, Relevance: 1.5, APIs: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00404794

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8edc9a3cd14f2ddbf249e46f90b76e0cae2e2c14dabb90886a58ba03142f9af4
Instruction ID: cb656e04944bdb883067101617a01e867059b1ac721a20fb02095d34f7fc36ed
Opcode Fuzzy Hash: 8edc9a3cd14f2ddbf249e46f90b76e0cae2e2c14dabb90886a58ba03142f9af4
Instruction Fuzzy Hash: 1ED05E745043005AD300BF29C54531B7BF4ABC0308F40C92DD68457286D378C8048B86

Uniqueness

Uniqueness Score: -1.00%

Function 00407189, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32 ref: 004071AD

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 9ba612067e2f84ea1210229814f8b4c0b598404344b9ddac857c7583c6adf095
Instruction ID: 1f68b5094e8b97fe0e6c9551dc930b48396d9403a8c38e33f4a4e8b09e5994d6
Opcode Fuzzy Hash: 9ba612067e2f84ea1210229814f8b4c0b598404344b9ddac857c7583c6adf095
Instruction Fuzzy Hash: F6D017B4504304AFC300FF3CC14554ABBF4AB44308F40C92EF988D7351E234D8448B86

Uniqueness

Uniqueness Score: -1.00%

Function 004039D0, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,?,00000000,?,Error launching installer,Error launching installer), ref: 004039F5

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e9eedc59362c6f5a01372dfe8f9a4134aba9a3034491e16cfc6e0f11df8b3018
Instruction ID: 768923134963c1ef6e138eb2c3cd0e3f044cbbc50324121a1e0c6b02c7f8c42b
Opcode Fuzzy Hash: e9eedc59362c6f5a01372dfe8f9a4134aba9a3034491e16cfc6e0f11df8b3018
Instruction Fuzzy Hash: D5D092B4508304ABD300FF6DC54A74ABBE4AB84348F40C82DE89897382E278D8548BE6

Uniqueness

Uniqueness Score: -1.00%

Function 0040481B, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

EnableWindow.USER32 ref: 0040482D

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: EnableWindow
String ID:
API String ID: 4266128931-0
Opcode ID: 005a47866e753feac2c4556fbf7c2484b836849768f41d21d8ef56daa94fbdaf
Instruction ID: 3f5eb5a18c52c69c051aca91a5a6591f32514491357f152508fdcaa76b567b95
Opcode Fuzzy Hash: 005a47866e753feac2c4556fbf7c2484b836849768f41d21d8ef56daa94fbdaf
Instruction Fuzzy Hash: 49C08CB09083006BC304BB3E8C4680A76E89A04204F80492CA488E3282F570E800879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040726F, Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00407281

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1e06d426dc3b0ab3c733a68723e54e7676e37664fb7aec821921736a90f77a12
Instruction ID: 7bbd928733f07ddb3ef260082bfbcd7bb6a71b60830b1727881900935d972aef
Opcode Fuzzy Hash: 1e06d426dc3b0ab3c733a68723e54e7676e37664fb7aec821921736a90f77a12
Instruction Fuzzy Hash: 5ED05B6090828DAACF50FFB594C1C9B7FB95A13258B1440EDF8C46B382D13AF908C367

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407E0E, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 193
filestringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E00407E0E(CHAR* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				void* _v16;
				char _v44;
				char _v304;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed char* _v376;
				signed int _v384;
				void* __ebx;
				signed int _t50;
				void* _t51;
				CHAR* _t53;
				CHAR* _t58;
				char* _t61;
				signed char* _t62;
				CHAR* _t65;
				signed int _t66;
				signed int _t69;
				void* _t70;
				CHAR* _t75;
				signed int _t78;
				CHAR* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t84;
				signed int* _t86;

				_t80 = __edx;
				_t79 = __ecx;
				_t78 = _a4;
				_t82 = _a8;
				 *_t86 = _t78;
				_v352 = E00407A78(_t78, __ecx, __edx, __eflags);
				_push(__ecx);
				if((_t82 & 0x00000008) == 0) {
					_t50 = _t82 & 0x00000001;
					__eflags = _t50;
					_v356 = _t50;
					if(_t50 == 0) {
						L5:
						_v376 = _t78;
						 *_t86 = 0x42dcb8;
						_t51 = E00407667();
						__eflags = _v356;
						_push(_t51);
						_push(_t51);
						if(_v356 == 0) {
							 *_t86 = _t78;
							_push(E00407298(_t78, _t79, _t80));
						} else {
							_v376 = "\\*.*";
							 *_t86 = 0x42dcb8;
							_t75 = lstrcatA(??, ??);
							_push(_t75);
							_push(_t75);
						}
						__eflags =  *_t78;
						if( *_t78 != 0) {
							L10:
							_v376 = 0x40b384;
							 *_t86 = _t78;
							_t53 = lstrcatA(??, ??);
							_push(_t53);
							_push(_t53);
						} else {
							__eflags =  *0x42dcb8 - 0x5c;
							if( *0x42dcb8 == 0x5c) {
								goto L10;
							}
						}
						 *_t86 = _t78;
						_v360 = lstrlenA(??) + _t78;
						_v376 =  &_v348;
						 *_t86 = 0x42dcb8;
						_t50 = FindFirstFileA(_t79, ??);
						__eflags = _t50 - 0xffffffff;
						_push(_t81);
						_push(_t81);
						_t81 = _t50;
						if(_t50 != 0xffffffff) {
							do {
								_v376 = 0x3f;
								 *_t86 =  &_v304;
								_t61 = E0040726F(_t78);
								_push(_t80);
								_push(_t80);
								__eflags =  *_t61;
								if( *_t61 == 0) {
									L14:
									_t80 = _v304;
									_t62 =  &_v304;
								} else {
									_t80 = _v44;
									_t62 =  &_v44;
									__eflags = _t80;
									if(_t80 == 0) {
										goto L14;
									}
								}
								__eflags = _t80 - 0x2e;
								if(_t80 != 0x2e) {
									L19:
									_v376 = _t62;
									 *_t86 = _v360;
									E00407667();
									__eflags = _v348 & 0x00000010;
									_push(_t79);
									_push(_t79);
									if((_v348 & 0x00000010) == 0) {
										 *_t86 = _t78;
										_t65 = E0040740D(_t78, _t80);
										_v384 = _t78;
										_t66 = DeleteFileA(_t65);
										__eflags = _t66;
										_push(_t80);
										if(_t66 != 0) {
											_v376 = _t78;
											 *_t86 = 0xfffffff2;
											E00406A5D(_t79, _t80);
											goto L27;
										} else {
											__eflags = _t82 & 0x00000004;
											if((_t82 & 0x00000004) == 0) {
												 *0x4307c4 =  *0x4307c4 + 1;
											} else {
												_v376 = _t78;
												 *_t86 = 0xfffffff1;
												_t70 = E00406A5D(_t79, _t80);
												 *_t86 = _t78;
												_v384 = 0;
												E00407B78(_t79, _t80, _t70, _t70);
												goto L27;
											}
										}
									} else {
										__eflags = (_t82 & 0x00000003) - 3;
										if(__eflags == 0) {
											_v376 = _t82;
											 *_t86 = _t78;
											E00407E0E(_t79, _t80, __eflags);
											L27:
											_push(_t79);
											_push(_t79);
										}
									}
								} else {
									_t80 =  *((intOrPtr*)(_t62 + 1));
									__eflags = _t80;
									if(_t80 != 0) {
										__eflags = _t80 - 0x2e;
										if(_t80 != 0x2e) {
											goto L19;
										} else {
											__eflags =  *((char*)(_t62 + 2));
											if( *((char*)(_t62 + 2)) != 0) {
												goto L19;
											}
										}
									}
								}
								_v376 =  &_v348;
								 *_t86 = _t81;
								_t69 = FindNextFileA(??, ??);
								__eflags = _t69;
								_push(_t80);
								_push(_t80);
							} while (_t69 != 0);
							 *_t86 = _t81;
							_t50 = FindClose(??);
							_push(_t81);
						}
						__eflags = _v356;
						if(_v356 != 0) {
							_t50 = _v360;
							__eflags = _v352;
							 *((char*)(_t50 - 1)) = 0;
							if(_v352 == 0) {
								goto L36;
							} else {
								goto L32;
							}
						}
					} else {
						__eflags = _v352;
						if(_v352 == 0) {
							L36:
							 *0x4307c4 =  *0x4307c4 + 1;
						} else {
							__eflags = _t82 & 0x00000002;
							if((_t82 & 0x00000002) == 0) {
								L32:
								 *_t86 = _t78;
								_t50 = E00407A42(_t80);
								__eflags = _t50;
								_push(_t79);
								if(_t50 != 0) {
									 *_t86 = _t78;
									E0040722C(_t78, _t79, _t80);
									_v384 = _t78;
									_t58 = E0040740D(_t78, _t80, _t81);
									 *_t86 = _t78;
									_t50 = RemoveDirectoryA(_t58);
									__eflags = _t50;
									_push(_t80);
									if(_t50 != 0) {
										_v376 = _t78;
										 *_t86 = 0xffffffe5;
										_t50 = E00406A5D(_t79, _t80);
										goto L38;
									} else {
										_t83 = _t82 & 0x00000004;
										__eflags = _t83;
										if(_t83 == 0) {
											goto L36;
										} else {
											_v376 = _t78;
											 *_t86 = 0xfffffff1;
											E00406A5D(_t79, _t80);
											 *_t86 = _t78;
											_v384 = 0;
											_t50 = E00407B78(_t79, _t80, _t83, _t83);
											L38:
											_push(_t79);
											_push(_t79);
										}
									}
								}
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t84 =  *0x4307c4; // 0x2
					 *_t86 = _t78;
					_t50 = (DeleteFileA(??) & 0xffffff00 | _t76 == 0x00000000) & 0x000000ff;
					_push(_t80);
					 *0x4307c4 = _t84 + _t50;
				}
				return _t50;
			}

0x00407e0e
0x00407e0e
0x00407e1a
0x00407e1d
0x00407e20
0x00407e2e
0x00407e34
0x00407e35
0x00407e5d
0x00407e5d
0x00407e60
0x00407e66
0x00407e81
0x00407e81
0x00407e85
0x00407e8c
0x00407e91
0x00407e98
0x00407e99
0x00407e9a
0x00407eb4
0x00407ebc
0x00407e9c
0x00407e9c
0x00407ea4
0x00407eab
0x00407eb0
0x00407eb1
0x00407eb1
0x00407ebd
0x00407ec0
0x00407ecb
0x00407ecb
0x00407ed3
0x00407ed6
0x00407edb
0x00407edc
0x00407ec2
0x00407ec2
0x00407ec9
0x00000000
0x00000000
0x00407ec9
0x00407edd
0x00407ee8
0x00407ef4
0x00407ef8
0x00407eff
0x00407f04
0x00407f07
0x00407f08
0x00407f09
0x00407f0b
0x00407f11
0x00407f17
0x00407f1f
0x00407f22
0x00407f27
0x00407f28
0x00407f29
0x00407f2c
0x00407f38
0x00407f38
0x00407f3e
0x00407f2e
0x00407f2e
0x00407f31
0x00407f34
0x00407f36
0x00000000
0x00000000
0x00407f36
0x00407f44
0x00407f47
0x00407f63
0x00407f63
0x00407f6d
0x00407f70
0x00407f75
0x00407f7c
0x00407f7d
0x00407f7e
0x00407f98
0x00407f9b
0x00407fa1
0x00407fa4
0x00407fa9
0x00407fab
0x00407fac
0x00407fe2
0x00407fe6
0x00407fed
0x00000000
0x00407fae
0x00407fae
0x00407fb4
0x00407fda
0x00407fb6
0x00407fb6
0x00407fba
0x00407fc1
0x00407fc8
0x00407fcb
0x00407fd3
0x00000000
0x00407fd3
0x00407fb4
0x00407f80
0x00407f85
0x00407f88
0x00407f8a
0x00407f8e
0x00407f91
0x00407ff2
0x00407ff2
0x00407ff3
0x00407ff3
0x00407f88
0x00407f49
0x00407f49
0x00407f4c
0x00407f4e
0x00407f54
0x00407f57
0x00000000
0x00407f59
0x00407f59
0x00407f5d
0x00000000
0x00000000
0x00407f5d
0x00407f57
0x00407f4e
0x00407ffa
0x00407ffe
0x00408001
0x00408006
0x00408008
0x00408009
0x00408009
0x00408010
0x00408013
0x00408018
0x00408018
0x00408019
0x00408020
0x00408026
0x0040802c
0x00408033
0x00408037
0x00000000
0x00000000
0x00000000
0x00000000
0x00408037
0x00407e68
0x00407e68
0x00407e6f
0x0040808e
0x0040808e
0x00407e75
0x00407e75
0x00407e7b
0x00408039
0x00408039
0x0040803c
0x00408041
0x00408043
0x00408044
0x00408046
0x00408049
0x0040804f
0x00408052
0x00408058
0x0040805b
0x00408060
0x00408062
0x00408063
0x00408096
0x0040809a
0x004080a1
0x00000000
0x00408065
0x00408065
0x00408065
0x00408068
0x00000000
0x0040806a
0x0040806a
0x0040806e
0x00408075
0x0040807c
0x0040807f
0x00408087
0x004080a6
0x004080a6
0x004080a7
0x004080a7
0x00408068
0x00408063
0x00000000
0x00000000
0x00000000
0x00407e7b
0x00407e6f
0x00407e37
0x00407e37
0x00407e3d
0x00407e4a
0x00407e4f
0x00407e50
0x00407e50
0x004080af

APIs

DeleteFileA.KERNEL32 ref: 00407E40
lstrcatA.KERNEL32(00000000,00000000), ref: 00407EAB
lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407ED6
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00407EE0
FindFirstFileA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000), ref: 00407EFF
FindNextFileA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00408001
FindClose.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00408013

Strings

?, xrefs: 00407F17

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: ?
API String ID: 2035342205-1684325040
Opcode ID: c7ceefc1af86838ee37beaba49051d6b12b384bb4b4ee5eb557f514b43821bd6
Instruction ID: eb4fe42f79c227e5d735243e6aaf1b2266f5d6d27596c4f9fdd5a832aa7b29ed
Opcode Fuzzy Hash: c7ceefc1af86838ee37beaba49051d6b12b384bb4b4ee5eb557f514b43821bd6
Instruction Fuzzy Hash: 5C616CB08087549AD710AF25CC84BAABBE8AF45304F0585BEE4C5B63C2C73D9C85CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040334A, Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E0040334A(void* __ebx, void* __edx) {
				intOrPtr _t12;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				void* _t29;
				intOrPtr* _t31;

				_t18 = __ebx;
				_t12 = E0040140C(2, __ebx, __edx);
				_t23 = _t29 - 0x180;
				 *(_t31 + 4) = _t23;
				 *_t31 = _t12;
				_t13 = FindFirstFileA(??, ??);
				_push(_t23);
				_push(_t23);
				if(_t13 != 0xffffffff) {
					_t26 = 0;
					 *(_t31 + 4) = _t13;
					 *_t31 =  *((intOrPtr*)(_t29 - 0x18c));
					_t14 = E004075A4();
					 *(_t31 + 4) = _t29 - 0x154;
					 *_t31 = _t24;
					_t16 = E00407667(_t14, _t14);
					_push(_t16);
					_push(_t16);
				} else {
					_t26 = 1;
					 *((char*)( *((intOrPtr*)(_t29 - 0x194)) + 0x434000)) = 0;
					 *((char*)(_t18 + 0x434000)) = 0;
				}
				 *0x4307c4 =  *0x4307c4 + _t26;
				return 0;
			}

0x0040334a
0x0040334f
0x00403354
0x0040335a
0x0040335e
0x00403361
0x00403369
0x0040336a
0x0040336b
0x00403391
0x00403393
0x00403397
0x0040339a
0x004033a7
0x004033ab
0x004033ae
0x004033b3
0x004033b4
0x0040336d
0x00403373
0x00403378
0x0040337f
0x0040337f
0x00403754
0x00403765

APIs

FindFirstFileA.KERNEL32 ref: 00403361

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1b162d175f82738b6a275fb846f48d5b0236206bc74dde4df05a788d09ca4022
Instruction ID: 94fea2890e419ecd626e4dd8052850e7356536d2074b191df8e2e561989ef9cc
Opcode Fuzzy Hash: 1b162d175f82738b6a275fb846f48d5b0236206bc74dde4df05a788d09ca4022
Instruction Fuzzy Hash: E801A2B1908210AED7009F25D8807AAF7A8EB84718F0086BEE84DE7381D7381A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE34, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476214c78bab5078db0d3cff357ce3be603c17c056cf9d678cce3c7007b1b001
Instruction ID: b0c45c5c82f881ea74986659508c07a1b2b8e8c622e06b0830fa49b32fecdfb2
Opcode Fuzzy Hash: 476214c78bab5078db0d3cff357ce3be603c17c056cf9d678cce3c7007b1b001
Instruction Fuzzy Hash: E171253500A7D2ABC717CF31C6A65D2BFA4BF1332471845DDD8C18E453C3299692C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00424E97, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2631937ea1319530c73ceb23375ccc44f020f5cab4a1c140992f0626acb908
Instruction ID: a65de4f685b76b73472dc2306ab79a9e8016d730408bcb9c7b2f83142bae361d
Opcode Fuzzy Hash: 8f2631937ea1319530c73ceb23375ccc44f020f5cab4a1c140992f0626acb908
Instruction Fuzzy Hash: DA7121315097E28FC727CF30D6A2592BFA4FF9332475A469DC4C18E0A3C3695652C799

Uniqueness

Uniqueness Score: -1.00%

Function 0042635D, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476214c78bab5078db0d3cff357ce3be603c17c056cf9d678cce3c7007b1b001
Instruction ID: 6a54077744a981ddbf6604b0740d841e473316db9e25aab3d5956f5e1d07a1eb
Opcode Fuzzy Hash: 476214c78bab5078db0d3cff357ce3be603c17c056cf9d678cce3c7007b1b001
Instruction Fuzzy Hash: FE71223100A7E29BC727DF34D6A2592BFA4BF133247A945DED4C18E053C3299512CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041D96E, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db2fc45189e47b4dd3a4d76e2c00c1f06c0c0096ca2c2b5a0b95d0ebffc12f1
Instruction ID: 19a6d7293195d9b120301bf4f8ba50582e6df322a36389ab8b8d4b5b2644c1cf
Opcode Fuzzy Hash: 6db2fc45189e47b4dd3a4d76e2c00c1f06c0c0096ca2c2b5a0b95d0ebffc12f1
Instruction Fuzzy Hash: E77101B18097A29FC727CF34C6A26D2BFA4BF13360B1846DDD4C18E057C36A5592C799

Uniqueness

Uniqueness Score: -1.00%

Function 0041F035, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9820664adf43651cd26bfa2678151dd849f7ca926b7c214c4414d616ebc558
Instruction ID: 49015828bc2b2accec93d795b06daeedddc2b713006b7ad41f4f418fdf485e50
Opcode Fuzzy Hash: 2d9820664adf43651cd26bfa2678151dd849f7ca926b7c214c4414d616ebc558
Instruction Fuzzy Hash: DC41DC7144E3C1AFC707CF34D98A686BF61AB1331471885DDD4C15F122D37A1596CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0042655E, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9820664adf43651cd26bfa2678151dd849f7ca926b7c214c4414d616ebc558
Instruction ID: 4fadc63ab8732c1ad6cb8ae78dc6fb54732c84b106f82009f6e5d23480d12c3c
Opcode Fuzzy Hash: 2d9820664adf43651cd26bfa2678151dd849f7ca926b7c214c4414d616ebc558
Instruction Fuzzy Hash: F0410B7154A3D1AFC707CF34E98A686BF61EB03314B5845CDE4C19F122C3BA2166CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00401000(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v16;
				struct tagLOGBRUSH _v40;
				struct HDC__* _v44;
				signed int _v52;
				char _v56;
				struct tagPAINTSTRUCT _v120;
				signed int _v128;
				signed int _v132;
				struct HDC__* _v136;
				void* _v160;
				void* _v164;
				struct HBRUSH__* _v168;
				struct HWND__* _v172;
				intOrPtr _v180;
				struct HDC__* _v184;
				struct HBRUSH__* _v188;
				struct HDC__* _v192;
				void* _v196;
				long _t80;
				struct HDC__* _t82;
				int _t84;
				struct HBRUSH__* _t105;
				int _t110;
				long _t111;
				struct HFONT__* _t113;
				void* _t117;
				void* _t120;
				signed char _t126;
				struct HDC__* _t127;
				struct HDC__* _t130;
				intOrPtr _t134;
				int _t135;
				struct HDC__* _t136;
				struct HWND__* _t148;
				signed int _t150;
				struct HFONT__* _t152;
				struct HDC__* _t153;
				struct HDC__** _t155;
				struct HFONT__** _t156;

				_t135 = _a8;
				_t80 = _a16;
				if(_t135 == 0xf) {
					_t153 =  *0x4307fc; // 0x11f030
					_t82 = BeginPaint(_a4,  &_v120);
					_v40.lbStyle = 0;
					_v168 =  &_v56;
					_v172 = _a4;
					_t84 = GetClientRect(_t148, _t148);
					_t136 = _v44;
					_v44 = 0;
					_v136 = _t82;
					_v128 = _t136;
					_push(_t84);
					_push(_t84);
					while(1) {
						_t150 = _v52;
						if(_t150 >= _v128) {
							break;
						}
						_t125 =  *(_t153 + 0x54);
						_v132 = _v128 - _t150;
						asm("cdq");
						asm("cdq");
						_t126 =  *(_t153 + 0x50);
						asm("cdq");
						_t130 = ((( *(_t153 + 0x50) >> 0x00000010 & 0x000000ff) * _v132 + ( *(_t153 + 0x54) >> 0x00000010 & 0x000000ff) * _t150) / _v128 & 0x000000ff) << 0x00000010 | (( *(_t153 + 0x50) & 0x000000ff) * _v132 + ( *(_t153 + 0x54) & 0x000000ff) * _t150) / _v128 & 0x000000ff | (((_t125 & 0x000000ff) * _t150 + (_t126 & 0x000000ff) * _v132) / _v128 & 0x000000ff) << 0x00000008;
						_v40.lbColor = _t130;
						_t105 = CreateBrushIndirect( &_v40);
						_t136 =  &_v56;
						_v44 = _v44 + 4;
						_v168 = _t105;
						_v172 = _t136;
						 *_t155 = _v136;
						FillRect(??, ??, ??);
						_t155 = _t155 - 0xc;
						_v188 = _t105;
						DeleteObject(_t130);
						_v52 = _v52 + 4;
						_push(_t126);
					}
					_t127 = _v136;
					if( *((intOrPtr*)(_t153 + 0x58)) != 0xffffffff) {
						_t113 = CreateFontIndirectA( *(_t153 + 0x34));
						_t152 = _t113;
						_push(_t136);
						if(_t113 != 0) {
							_v56 = 0x10;
							_v52 = 8;
							_v172 = 1;
							 *_t155 = _t127;
							SetBkMode(??, ??);
							_v184 = _t127;
							_v180 =  *((intOrPtr*)(_t153 + 0x58));
							SetTextColor(_t136, _t136);
							_v188 = _t152;
							_v192 = _t127;
							_t117 = SelectObject(_t130, _t130);
							_v184 = 0x820;
							_v188 =  &_v56;
							_v192 = 0xffffffff;
							_v196 = 0x43085c;
							 *_t155 = _t127;
							DrawTextA(??, ??, ??, ??, ??);
							_t156 = _t155 - 0x14;
							_v196 = _t117;
							 *_t156 = _t127;
							_t120 = SelectObject(_t153, _t153);
							_push(_t120);
							 *_t156 = _t152;
							_push(DeleteObject(_t120));
						}
					}
					_t110 = EndPaint(_a4,  &_v120);
					_push(_t110);
					_push(_t110);
					_t111 = 0;
					L11:
					return _t111;
				}
				if(_t135 == 0x46) {
					_t134 =  *0x430854; // 0xe0176
					 *(_t80 + 0x18) =  *(_t80 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t80 + 4)) = _t134;
				}
				_t111 = DefWindowProcA(_a4, _t135, _a12, _t80);
				goto L11;
			}

0x0040100c
0x0040100f
0x00401015
0x00401038
0x00401045
0x0040104a
0x0040105b
0x0040105f
0x00401062
0x00401067
0x0040106a
0x00401071
0x00401077
0x0040107a
0x0040107b
0x00401125
0x00401125
0x0040112b
0x00000000
0x00000000
0x00401084
0x00401089
0x004010a6
0x004010c0
0x004010cc
0x004010db
0x004010e5
0x004010ea
0x004010f0
0x004010f5
0x004010f8
0x004010ff
0x00401109
0x0040110d
0x00401110
0x00401115
0x00401118
0x0040111b
0x00401120
0x00401124
0x00401124
0x00401135
0x0040113b
0x00401147
0x0040114e
0x00401150
0x00401151
0x00401157
0x0040115e
0x00401165
0x0040116d
0x00401170
0x0040117a
0x0040117d
0x00401181
0x00401188
0x0040118c
0x0040118f
0x0040119b
0x004011a3
0x004011a7
0x004011af
0x004011b7
0x004011ba
0x004011bf
0x004011c2
0x004011c6
0x004011c9
0x004011ce
0x004011d0
0x004011d8
0x004011d8
0x00401151
0x004011e6
0x004011eb
0x004011ec
0x004011ed
0x0040120e
0x00401215
0x00401215
0x0040101a
0x00401020
0x00401026
0x0040102a
0x0040102a
0x00401206
0x00000000

APIs

BeginPaint.USER32 ref: 00401045
GetClientRect.USER32 ref: 00401062
CreateFontIndirectA.GDI32(?), ref: 00401147
SetBkMode.GDI32(?,00000000), ref: 00401170
SetTextColor.GDI32 ref: 00401181
SelectObject.GDI32 ref: 0040118F
DrawTextA.USER32(?,?,?,0011F030,0011F030), ref: 004011BA
SelectObject.GDI32 ref: 004011C9
DeleteObject.GDI32(00000000), ref: 004011D3
EndPaint.USER32(?), ref: 004011E6
DefWindowProcA.USER32 ref: 00401206

Strings

Immunity Debugger Setup, xrefs: 004011AF

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Object$PaintSelectText$BeginClientColorCreateDeleteDrawFontIndirectModeProcRectWindow
String ID: Immunity Debugger Setup
API String ID: 815648636-3272910282
Opcode ID: 791ac4c3e4a0de4abfc06c2446babe94c54aea43a7d78b6d289116e080621d60
Instruction ID: 81741bbe4615816025b50cd91f06b1cf7e3b7b85c3eae9d0fa53d7bb167b72d5
Opcode Fuzzy Hash: 791ac4c3e4a0de4abfc06c2446babe94c54aea43a7d78b6d289116e080621d60
Instruction Fuzzy Hash: 755149B1905304EFC714DF6AC9809AEBBF9FF88304F10892EE485A7292D738A8449F55

Uniqueness

Uniqueness Score: -1.00%

Function 00407B78, Relevance: 16.7, APIs: 11, Instructions: 171
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00407B78(int __ecx, void* __edx, CHAR* _a4, struct _OVERLAPPED* _a8) {
				void* _v16;
				long _v32;
				int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _v68;
				void* _v72;
				intOrPtr _v76;
				CHAR* _v80;
				DWORD* _v84;
				struct _OVERLAPPED* _v88;
				CHAR* _v92;
				long _v96;
				intOrPtr _v100;
				void* __ebx;
				intOrPtr* _t55;
				void* _t56;
				intOrPtr _t58;
				long _t61;
				void* _t63;
				void* _t66;
				intOrPtr* _t68;
				void* _t75;
				struct _OVERLAPPED* _t77;
				CHAR* _t78;
				struct _OVERLAPPED* _t79;
				long _t80;
				struct _OVERLAPPED* _t81;
				int _t82;
				long _t83;
				intOrPtr _t88;
				void* _t92;
				CHAR* _t93;
				void* _t94;
				void* _t95;
				struct _OVERLAPPED** _t102;

				_t82 = __ecx;
				_t93 = _a4;
				_t79 = _a8;
				_v92 = 1;
				_t55 = E00407B28(__ecx, __edx);
				_push(__edx);
				if(_t55 == 0) {
					L2:
					 *0x42e4b8 = 0x4c554e;
					if(_t79 == 0) {
						L5:
						_t56 = GetShortPathNameA(_t93, 0x42e8b8, 0x400);
						if(_t56 <= 0x400 && _t56 != 0) {
							_v80 = 0x42e8b8;
							_v84 = 0x42e4b8;
							_v48 = wsprintfA(0x42ecb8, "%s=%s\r\n");
							_t58 =  *0x4307fc; // 0x11f030
							E00407769(0x42e8b8,  *((intOrPtr*)(_t58 + 0x128)));
							_v84 = 4;
							_v88 = 0xc0000000;
							_v92 = 0x42e8b8;
							_t56 = E0040743D(_t79, _t82);
							_t92 = _t56;
							if(_t56 != 0xffffffff) {
								_t61 = GetFileSize(_t56, 0);
								_t88 = _v48;
								_t80 = _t61;
								_v80 = _t61 + _t88 + 0xa;
								_v84 = 0x40;
								_t63 = GlobalAlloc(_t82, _t82);
								_push(_t93);
								_push(_t93);
								_t94 = _t63;
								if(_t63 != 0 && ReadFile(_t92, _t94, _t80,  &_v32, 0) != 0 && _t80 == _v32) {
									_v80 = "[Rename]\r\n";
									_v84 = _t94;
									_t66 = E0040737D(_t82);
									_push(_t88);
									_push(_t88);
									if(_t66 != 0) {
										_v80 = "\n[";
										_v84 = _t66 + 0xa;
										_t68 = E0040737D(_t82);
										_t83 = _t80;
										_push(_t88);
										_push(_t88);
										if(_t68 != 0) {
											_t34 = _t68 + 1; // 0x1
											_v52 = _t34;
											_v56 = _t94 + _t80;
											while(1) {
												_t68 = _t68 + 1;
												if(_t68 >= _v56) {
													break;
												}
												 *((char*)(_t68 + _v48)) =  *_t68;
											}
											_t83 = _v52 - _t94;
										}
									} else {
										_t75 = _t94 + _t80;
										_t80 = _t80 + 0xa;
										E00407667(_t75, "[Rename]\r\n");
										_t83 = _t80;
									}
									_t82 = _t94 + _t83;
									_v84 = _t82;
									_v80 = 0x42ecb8;
									_v76 = _v48;
									E004073E4();
									_t81 = _t80 + _v48;
									_v84 = 0;
									_v88 = 0;
									_v92 = 0;
									_v96 = _t92;
									SetFilePointer(??, ??, ??, ??);
									_v88 = _t81;
									_v80 = 0;
									_v84 =  &_v32;
									_v92 = _t94;
									_v96 = _t92;
									WriteFile(??, ??, ??, ??, ??);
									_v96 = _t94;
									GlobalFree(??);
									_push(_t81);
								}
								_t56 = CloseHandle(_t92);
								_push(_t82);
							}
							goto L20;
						}
					} else {
						_v84 = 1;
						_v88 = 0;
						_v92 = _t79;
						_t77 = E0040743D(_t79, _t82);
						_t102 = _t95 - 0xc;
						 *_t102 = _t77;
						_t78 = CloseHandle(??);
						_v96 = 0x400;
						_v100 = 0x42e4b8;
						 *_t102 = _t79;
						_t56 = GetShortPathNameA(_t78, ??, ??);
						_t95 = _t102 - 0xc;
						if(_t56 <= 0x400 && _t56 != 0) {
							goto L5;
						}
					}
				} else {
					_v84 = 5;
					_v88 = _t79;
					_v92 = _t93;
					_t56 =  *_t55();
					_t95 = _t95 - 0xc;
					if(_t56 != 0) {
						L20:
						 *0x4307cc =  *0x4307cc + 1;
					} else {
						goto L2;
					}
				}
				return _t56;
			}

0x00407b78
0x00407b81
0x00407b84
0x00407b87
0x00407b8e
0x00407b95
0x00407b96
0x00407bb4
0x00407bb6
0x00407bc0
0x00407c14
0x00407c27
0x00407c34
0x00407c42
0x00407c4a
0x00407c66
0x00407c69
0x00407c7f
0x00407c86
0x00407c8e
0x00407c96
0x00407c9d
0x00407ca8
0x00407caa
0x00407cbb
0x00407cc0
0x00407cc4
0x00407ccb
0x00407ccf
0x00407cd6
0x00407cdd
0x00407cde
0x00407cdf
0x00407ce1
0x00407d1a
0x00407d22
0x00407d25
0x00407d2c
0x00407d2d
0x00407d2e
0x00407d4f
0x00407d57
0x00407d5a
0x00407d5f
0x00407d61
0x00407d64
0x00407d65
0x00407d67
0x00407d6d
0x00407d70
0x00407d7d
0x00407d7d
0x00407d81
0x00000000
0x00000000
0x00407d7a
0x00407d7a
0x00407d86
0x00407d86
0x00407d30
0x00407d30
0x00407d33
0x00407d41
0x00407d48
0x00407d48
0x00407d8b
0x00407d8d
0x00407d90
0x00407d98
0x00407d9c
0x00407da1
0x00407da7
0x00407daf
0x00407db7
0x00407dbf
0x00407dc2
0x00407dcd
0x00407dd1
0x00407dd9
0x00407ddd
0x00407de1
0x00407de4
0x00407dec
0x00407def
0x00407df4
0x00407df4
0x00407df8
0x00407dfd
0x00407dfd
0x00000000
0x00407caa
0x00407bc2
0x00407bc2
0x00407bca
0x00407bd2
0x00407bd5
0x00407bda
0x00407bdd
0x00407be0
0x00407be6
0x00407bee
0x00407bf6
0x00407bf9
0x00407bfe
0x00407c06
0x00000000
0x00000000
0x00407c06
0x00407b98
0x00407b98
0x00407ba0
0x00407ba4
0x00407ba7
0x00407ba9
0x00407bae
0x00407dfe
0x00407dfe
0x00000000
0x00000000
0x00000000
0x00407bae
0x00407e0b

APIs

Part of subcall function 00407B28: GetModuleHandleA.KERNEL32(?,?,004040BB), ref: 00407B3D
Part of subcall function 00407B28: LoadLibraryA.KERNEL32(?,?,?,004040BB), ref: 00407B4C
Part of subcall function 00407B28: GetProcAddress.KERNEL32 ref: 00407B68

CloseHandle.KERNEL32(?,?,?,?,00000000,?,0040808C,?,?,?,00000000,00000000,?,00000000,00000000), ref: 00407BE0
GetShortPathNameA.KERNEL32 ref: 00407BF9
GetShortPathNameA.KERNEL32 ref: 00407C27
wsprintfA.USER32 ref: 00407C61
GetFileSize.KERNEL32 ref: 00407CBB
GlobalAlloc.KERNEL32 ref: 00407CD6
ReadFile.KERNEL32(00000000,00000000), ref: 00407D01

Part of subcall function 0040737D: lstrlenA.KERNEL32 ref: 0040738F
Part of subcall function 0040737D: lstrlenA.KERNEL32(00000000), ref: 004073CC

SetFilePointer.KERNEL32 ref: 00407DC2
WriteFile.KERNEL32 ref: 00407DE4
GlobalFree.KERNEL32 ref: 00407DEF
CloseHandle.KERNEL32(00000000,00000000), ref: 00407DF8

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID:
API String ID: 3772915668-0
Opcode ID: 8b072cb5370d8e152176f6118fba493a97de4fbb76437e7175384da7a6673d18
Instruction ID: 6ee590e0074e54f2014c60db73fd16f653cb05901022cfa34f333416d347e029
Opcode Fuzzy Hash: 8b072cb5370d8e152176f6118fba493a97de4fbb76437e7175384da7a6673d18
Instruction Fuzzy Hash: 82611AB09083119ED700AF69D58466FBBF4EF84708F40C93EE888A7381D7789845DB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00404BAE, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 00404BD4
GetSysColor.USER32 ref: 00404BF0
SetTextColor.GDI32 ref: 00404C03
SetBkMode.GDI32(00000000,00000000), ref: 00404C14
GetSysColor.USER32(00000000), ref: 00404C2A
SetBkColor.GDI32(00000000,00000000), ref: 00404C43
DeleteObject.GDI32(00000000), ref: 00404C60
CreateBrushIndirect.GDI32(00000000), ref: 00404C6C

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 379b07564c2291d53497f74594596c9ff6e2cba18ee84c13a11cf20a31804e72
Instruction ID: 4204cc8b7e4b8b7d2eb38899d680156853d5f3141f2ff7750d15276aded5dcf0
Opcode Fuzzy Hash: 379b07564c2291d53497f74594596c9ff6e2cba18ee84c13a11cf20a31804e72
Instruction Fuzzy Hash: 062151F15097049BD720AF7A8984A5BBBF8EF85704F05492EE985E3282D739E8048B65

Uniqueness

Uniqueness Score: -1.00%

Function 004023FC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004023FC(int __ecx, int __edx, signed int* __edi) {
				struct HDC__* _t10;
				struct HDC__* _t13;
				signed int _t14;
				intOrPtr _t17;
				signed char _t18;
				struct HFONT__* _t22;
				LOGFONTA* _t26;
				int _t28;
				int _t29;
				void* _t36;
				void* _t40;
				struct HDC__** _t42;
				signed int** _t43;

				_t29 = __edx;
				_t28 = __ecx;
				 *_t42 =  *(_t40 - 0x190);
				_t10 = GetDC(??);
				_t42[1] = 0x5a;
				 *_t42 = _t10;
				_t26 = GetDeviceCaps(??, ??);
				_t13 = E0040145B(2, _t28);
				_t42[1] = _t26;
				_t42[2] = 0x48;
				 *_t42 = _t13;
				_t14 = MulDiv(_t28, _t28, _t29);
				_t43 = _t42 - 0xc;
				 *0x40d408 =  ~_t14;
				_t17 = E0040145B(3, _t28);
				 *0x40d41f = 1;
				 *_t43 = 0x40d424;
				 *0x40d418 = _t17;
				_t18 =  *((intOrPtr*)(_t40 - 0x2c));
				 *0x40d41c = _t18 & 0x00000001;
				 *0x40d41e = _t18 & 0x00000004;
				 *0x40d41d = _t18 & 0x00000002;
				_t43[1] =  *(_t40 - 0x38);
				E00407769();
				 *_t43 = 0x40d408;
				_t22 = CreateFontIndirectA(_t26);
				 *_t43 = __edi;
				_t43[1] = _t22;
				E004075A4(_t36, _t26);
				_push(__edi);
				_push(__edi);
				 *0x4307c4 =  *0x4307c4;
				return 0;
			}

0x004023fc
0x004023fc
0x00402402
0x00402405
0x0040240b
0x00402413
0x0040241c
0x00402424
0x00402429
0x0040242d
0x00402435
0x00402438
0x0040243f
0x00402442
0x0040244c
0x00402451
0x00402458
0x0040245f
0x00402464
0x0040246c
0x00402477
0x00402482
0x00402488
0x0040248c
0x00402493
0x0040249a
0x004024a2
0x004024a5
0x004024a9
0x004024ae
0x004024af
0x00403754
0x00403765

APIs

GetDC.USER32 ref: 00402405
GetDeviceCaps.GDI32 ref: 00402416
MulDiv.KERNEL32 ref: 00402438
CreateFontIndirectA.GDI32(00000000), ref: 0040249A

Part of subcall function 004075A4: wsprintfA.USER32 ref: 004075BF

Strings

Z, xrefs: 0040240B
H, xrefs: 0040242D

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectwsprintf
String ID: H$Z
API String ID: 1586071882-4221459494
Opcode ID: 905b12f19ab40188e63d6b036e0e80f2618269f9c71dbdf266d7ab0e01114c98
Instruction ID: dd16930853f6efc4d9b9fee47cc0422d1b1594ba4cf70e259357dadda4c8dda1
Opcode Fuzzy Hash: 905b12f19ab40188e63d6b036e0e80f2618269f9c71dbdf266d7ab0e01114c98
Instruction Fuzzy Hash: 5A1163B5D093509AD700BFB9D98125DBBF4EF99308F00847EF588F3292C2785948CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00405FFC
GetMessagePos.USER32 ref: 0040600A
ScreenToClient.USER32 ref: 00406025
SendMessageA.USER32 ref: 00406043
SendMessageA.USER32 ref: 0040607B

Strings

f, xrefs: 0040604E

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b8d00296f0b20d212e3b0bb80ca8a416459a5509b378b6a53beef506cc1f5fee
Instruction ID: e9c62509b00f2d678e78efab70d6e43bd091d7167752d0d2838b5038adb90170
Opcode Fuzzy Hash: b8d00296f0b20d212e3b0bb80ca8a416459a5509b378b6a53beef506cc1f5fee
Instruction Fuzzy Hash: 0611DAB1804308AED700EF69C9856AEBFF4EF44314F00891EE99867282D77999548F96

Uniqueness

Uniqueness Score: -1.00%

Function 0040383C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 0040386C
MulDiv.KERNEL32 ref: 004038A1
wsprintfA.USER32 ref: 004038B8
SetWindowTextA.USER32 ref: 004038C4

Strings

d, xrefs: 0040388B

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: TextTimerWindowwsprintf
String ID: d
API String ID: 2438957755-2564639436
Opcode ID: d8be0f7fd779177297e6cdac7cc662cc2fd2d81b655593819c1395b09eff9541
Instruction ID: 57cf433a87ed6c2f766ec810785acbd575885207997ce6280f1b184f712a17cb
Opcode Fuzzy Hash: d8be0f7fd779177297e6cdac7cc662cc2fd2d81b655593819c1395b09eff9541
Instruction Fuzzy Hash: 991133B1808304AFD700BF25C98565EBFE8EF44754F10C83EF588A7281D3799954DB86

Uniqueness

Uniqueness Score: -1.00%

Function 004038ED, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E004038ED(void* __ecx, void* __edx, intOrPtr _a4) {
				struct HWND__* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				long _t7;
				struct HINSTANCE__* _t8;
				struct HWND__* _t9;
				int _t10;
				struct HWND__* _t12;
				void* _t14;
				void* _t15;

				_t14 = __edx;
				if(_a4 != 0) {
					_t12 =  *0x40dc4c; // 0x0
					if(_t12 != 0) {
						_t12 = DestroyWindow(_t12);
						_push(_t12);
					}
					 *0x40dc4c = 0;
					return _t12;
				}
				if( *0x40dc4c != 0) {
					return E004080B2(0);
				}
				_t7 = GetTickCount();
				if(_t7 >  *0x430840) {
					_t8 =  *0x430858; // 0x400000
					_v28 = 0;
					_t9 = CreateDialogParamA(_t8, 0x6f, 0, E0040383C);
					 *0x40dc4c = _t9;
					_v44 = 5;
					 *(_t15 - 0x14) = _t9;
					_t10 = ShowWindow(??, ??);
					_push(_t14);
					_push(_t14);
					return _t10;
				}
				return _t7;
			}

0x004038ed
0x004038f7
0x004038f9
0x00403900
0x00403905
0x0040390a
0x0040390a
0x0040390b
0x00000000
0x0040390b
0x0040391e
0x00000000
0x0040392c
0x0040392f
0x0040393a
0x0040393c
0x00403941
0x00403964
0x0040396c
0x00403971
0x00403979
0x0040397c
0x00403981
0x00403982
0x00000000
0x00403982
0x00403984

APIs

DestroyWindow.USER32 ref: 00403905
GetTickCount.KERNEL32 ref: 0040392F
CreateDialogParamA.USER32 ref: 00403964
ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,Error launching installer,Error launching installer), ref: 0040397C

Strings

o, xrefs: 00403959

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID: o
API String ID: 2102729457-252678980
Opcode ID: 4a1a94e4e0c0e4e54270e173b2b17cf2ca169b59783e92fd079ccba6599f6f99
Instruction ID: f3c08ab1ebd5ba8dd53531f28b0b35bd415eabcda5178afa1bf0da0984cc1041
Opcode Fuzzy Hash: 4a1a94e4e0c0e4e54270e173b2b17cf2ca169b59783e92fd079ccba6599f6f99
Instruction Fuzzy Hash: F0012CB4408300DAE714BF66D98971A7AE8AB80709F00893EE485673D1D7BC8988CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 004014EA, Relevance: 7.6, APIs: 5, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00401528
RegEnumKeyA.ADVAPI32 ref: 0040157F
RegCloseKey.ADVAPI32 ref: 00401591

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 4555f12b04c4c9e60b86e92eeed736e5cf19cfa7152a65b904f5dbe432e094b6
Instruction ID: 3c5a33f501ffc93819d602d0387b2e521dc08db7720231a58f8dfa74bb86fde8
Opcode Fuzzy Hash: 4555f12b04c4c9e60b86e92eeed736e5cf19cfa7152a65b904f5dbe432e094b6
Instruction Fuzzy Hash: 09214FB4914301AAD710AF6AD98576FFBF8EB84304F00883FE885A7291D37CD8458F56

Uniqueness

Uniqueness Score: -1.00%

Function 00402687, Relevance: 7.6, APIs: 5, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION ref: 004026AC
GlobalAlloc.KERNEL32 ref: 004026E0
GetFileVersionInfoA.VERSION ref: 00402710
VerQueryValueA.VERSION ref: 00402735

Part of subcall function 004075A4: wsprintfA.USER32 ref: 004075BF

GlobalFree.KERNEL32 ref: 00402775

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 479aa7baf7528a0f238ab76710fb489097e1c34c82bac89c7bb78f503a26af90
Instruction ID: f420f1749b597f5adb4afb33d0e672eb46a21e3a72e11c37b8b4f01310256f1e
Opcode Fuzzy Hash: 479aa7baf7528a0f238ab76710fb489097e1c34c82bac89c7bb78f503a26af90
Instruction Fuzzy Hash: C231E9B59043049FD710EF69C984A9AFBF4AF88704F0085AEE998E7292E7789D40CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00402356, Relevance: 7.5, APIs: 5, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00402356(struct HWND__* __eax, struct HINSTANCE__* __ecx) {
				struct HWND__* _t22;
				void* _t23;
				long _t24;
				struct HWND__* _t27;
				struct HINSTANCE__* _t29;
				struct HWND__* _t30;
				signed int _t34;
				void* _t39;
				struct HWND__** _t41;
				struct HWND__** _t42;
				long* _t43;

				_t29 = __ecx;
				_t30 =  *(_t39 - 0x190);
				_t41[1] = __eax;
				 *_t41 = _t30;
				_t27 = GetDlgItem(??, ??);
				_t41[1] = _t39 - 0x180;
				 *_t41 = _t27;
				GetClientRect(_t30, _t30);
				_t34 =  *(_t39 - 0x34);
				_t22 = E0040140C(0, _t27, _t30);
				_t41[5] = 0x10;
				_t41[4] =  *(_t39 - 0x174) * _t34;
				_t41[3] = _t34 *  *(_t39 - 0x178);
				_t41[2] = 0;
				 *_t41 = 0;
				_t41[1] = _t22;
				_t23 = LoadImageA(_t29, _t29, ??, ??, ??, ??);
				_t42 = _t41 - 0x18;
				_t42[3] = _t23;
				_t42[2] = 0;
				_t42[1] = 0x172;
				 *_t42 = _t27;
				_t24 = SendMessageA(??, ??, ??, ??);
				_t43 = _t42 - 0x10;
				if(_t24 != 0) {
					 *_t43 = _t24;
					_push(DeleteObject(??));
				}
				 *0x4307c4 =  *0x4307c4;
				return 0;
			}

0x00402356
0x00402356
0x0040235c
0x00402360
0x00402369
0x00402372
0x00402376
0x00402379
0x0040237e
0x00402395
0x0040239a
0x004023a2
0x004023a6
0x004023ac
0x004023b4
0x004023bb
0x004023bf
0x004023c4
0x004023c7
0x004023cb
0x004023d3
0x004023db
0x004023de
0x004023e3
0x004023e8
0x004023ee
0x004023f6
0x004023f6
0x00403754
0x00403765

APIs

GetDlgItem.USER32 ref: 00402363
GetClientRect.USER32 ref: 00402379
LoadImageA.USER32 ref: 004023BF
SendMessageA.USER32 ref: 004023DE
DeleteObject.GDI32 ref: 004023F1

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: a2330cfe685203adeaea13d59d912b77085670e5ea583154582c5e59ae437be7
Instruction ID: 4078ec02332ee15ddad6c8d9d47820dc1c5ddacfdd3ee171b0d28d906d8d611b
Opcode Fuzzy Hash: a2330cfe685203adeaea13d59d912b77085670e5ea583154582c5e59ae437be7
Instruction Fuzzy Hash: 7C111FB2908314AFD700AF36C94539EFBF4EF84704F01896EE588A7252D77899448F86

Uniqueness

Uniqueness Score: -1.00%

Function 004021A2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004021A2(void* __ecx, void* __edx, intOrPtr __edi) {
				void* _t42;
				long _t44;
				void* _t47;
				intOrPtr _t50;
				long _t51;
				intOrPtr _t56;
				void* _t66;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t75;
				void* _t78;
				intOrPtr* _t80;
				intOrPtr* _t81;
				void* _t85;

				_t72 = __edi;
				_t66 = __edx;
				_t60 = __ecx;
				_t56 = E0040145B(3, __ecx);
				_t74 = E0040145B(4, __ecx);
				if(( *(_t78 - 0x28) & 0x00000001) != 0) {
					_t56 = E0040140C(0x33, _t56, _t66);
				}
				if(( *(_t78 - 0x28) & 0x00000002) != 0) {
					_t74 = E0040140C(0x44, _t56, _t66);
				}
				_t85 =  *((intOrPtr*)(_t78 - 0x40)) - 0x21;
				if(_t85 != 0) {
					 *((intOrPtr*)(_t78 - 0x198)) = E0040140C(1, _t56, _t66);
					_t42 = E0040140C(0x12, _t56, _t40);
					_t68 =  *((intOrPtr*)(_t78 - 0x198));
					_t43 =  ==  ? 0 : _t42;
					 *((intOrPtr*)(_t80 + 0xc)) =  ==  ? 0 : _t42;
					 *((intOrPtr*)(_t80 + 4)) = _t74;
					_t69 =  ==  ? 0 : _t68;
					 *((intOrPtr*)(_t80 + 8)) =  ==  ? 0 : _t68;
					 *_t80 = _t56;
					_t44 = FindWindowExA(??, ??, ??, ??);
					goto L9;
				} else {
					 *((intOrPtr*)(_t78 - 0x198)) = E0040145B(1, _t60);
					_t50 = E0040145B(2, _t60);
					_t71 =  *((intOrPtr*)(_t78 - 0x198));
					 *(_t78 - 0x18c) =  *(_t78 - 0x28) >> 2;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t80 + 0xc)) = _t74;
						 *((intOrPtr*)(_t80 + 8)) = _t56;
						 *_t80 = _t71;
						 *((intOrPtr*)(_t80 + 4)) = _t50;
						_t44 = SendMessageA(??, ??, ??, ??);
						L9:
						_t81 = _t80 - 0x10;
						_t75 = 0;
						 *(_t78 - 0x24) = _t44;
					} else {
						 *((intOrPtr*)(_t80 + 0x18)) = _t78 - 0x24;
						 *((intOrPtr*)(_t80 + 0xc)) = _t74;
						 *((intOrPtr*)(_t80 + 8)) = _t56;
						 *((intOrPtr*)(_t80 + 0x10)) = 0;
						 *(_t80 + 0x14) =  *(_t78 - 0x18c);
						 *((intOrPtr*)(_t80 + 4)) = _t50;
						 *_t80 = _t71;
						_t51 = SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
						_t81 = _t80 - 0x1c;
						_t75 = 0 | _t51 == 0x00000000;
					}
				}
				if( *((intOrPtr*)(_t78 - 0x3c)) >= 0) {
					 *_t81 = _t72;
					 *(_t81 + 4) =  *(_t78 - 0x24);
					_t47 = E004075A4();
					_push(_t47);
					_push(_t47);
				}
				 *0x4307c4 =  *0x4307c4 + _t75;
				return 0;
			}

0x004021a2
0x004021a2
0x004021a2
0x004021ac
0x004021bc
0x004021be
0x004021ca
0x004021ca
0x004021d0
0x004021dc
0x004021dc
0x004021de
0x004021e7
0x00402271
0x00402277
0x0040227c
0x00402287
0x0040228d
0x00402291
0x00402295
0x00402298
0x0040229c
0x0040229f
0x00000000
0x004021e9
0x004021f5
0x004021fb
0x00402203
0x0040220c
0x00402212
0x0040224f
0x00402253
0x00402257
0x0040225a
0x0040225e
0x004022a4
0x004022a4
0x004022a7
0x004022a9
0x00402214
0x00402217
0x00402221
0x00402225
0x0040222b
0x00402233
0x00402237
0x0040223b
0x0040223e
0x00402243
0x0040224b
0x0040224b
0x00402212
0x004022b0
0x004022b9
0x004022bc
0x004022c0
0x004022c5
0x004022c6
0x004022c6
0x00403754
0x00403765

APIs

SendMessageTimeoutA.USER32 ref: 0040223E
SendMessageA.USER32 ref: 0040225E

Strings

!, xrefs: 004021DE

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 3016c6ab1442b4b284dabaecddba5fe2215b8d6f456abfae96c27b7d70012836
Instruction ID: 79f3426b0fd5bdd0e4c29d2e368c82f653f407f669459f2089c2d3b700a76ef5
Opcode Fuzzy Hash: 3016c6ab1442b4b284dabaecddba5fe2215b8d6f456abfae96c27b7d70012836
Instruction Fuzzy Hash: D0316BB0D083159FD714EFBAC58539DBBE0AF88304F1085BFE549A7392D6788D818B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040696E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E0040696E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v16;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char _v76;
				intOrPtr _t16;
				long _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				int _t22;
				intOrPtr _t23;
				intOrPtr _t26;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;

				_t28 = __edx;
				_t27 = __ecx;
				_t32 = _t31 - 0x2c;
				_t29 = _a4;
				_t26 = _a8;
				_t30 = _a16;
				if(_a12 != 0x20 || _t26 != 0x102) {
					__eflags = _t26 - 0x200;
					if(_t26 != 0x200) {
						__eflags = _t26 - 0x419;
						if(_t26 != 0x419) {
							L9:
							_v44 = _t30;
							_v52 = _t26;
							_v56 = _t29;
							_v48 = _a12;
							_t16 =  *0x42d464; // 0x0
							 *_t32 = _t16;
							_t17 = CallWindowProcA(??, ??, ??, ??, ??);
							goto L10;
						}
						L7:
						__eflags =  *0x42d460 - _t30; // 0x0
						_t26 = 0x419;
						if(__eflags != 0) {
							 *0x42d460 = _t30;
							_v56 = 0x434000;
							 *_t32 = 0x42bc18;
							_t18 = E00407667();
							_v64 = _t30;
							 *_t32 = 0x434000;
							_t19 = E004075A4(_t18, _t18);
							_v76 = 6;
							_t20 = E00403813(_t27, _t19);
							_v76 = 0x42bc18;
							 *_t32 = 0x434000;
							_t21 = E00407667(_t20, _t19);
							_push(_t21);
							_push(_t21);
						}
						goto L9;
					}
					 *_t32 = _t29;
					_t22 = IsWindowVisible(??);
					__eflags = _t22;
					_push(_t27);
					if(_t22 == 0) {
						goto L9;
					}
					_v56 = 1;
					 *_t32 = _t29;
					_t23 = E00405FD6();
					_push(_t28);
					_t30 = _t23;
					_push(_t28);
					goto L7;
				} else {
					E0040476D(0x413);
					_t17 = 0;
					L10:
					return _t17;
				}
			}

0x0040696e
0x0040696e
0x00406974
0x00406977
0x0040697e
0x00406981
0x00406984
0x0040699f
0x004069a5
0x004069ca
0x004069d0
0x00406a30
0x00406a33
0x00406a37
0x00406a3b
0x00406a3f
0x00406a43
0x00406a48
0x00406a4b
0x00000000
0x00406a50
0x004069d2
0x004069d2
0x004069d8
0x004069dd
0x004069df
0x004069e5
0x004069ed
0x004069f4
0x004069fb
0x004069ff
0x00406a06
0x00406a0d
0x00406a14
0x00406a1a
0x00406a22
0x00406a29
0x00406a2e
0x00406a2f
0x00406a2f
0x00000000
0x004069dd
0x004069a7
0x004069aa
0x004069af
0x004069b1
0x004069b2
0x00000000
0x00000000
0x004069b4
0x004069bc
0x004069bf
0x004069c4
0x004069c5
0x004069c7
0x00000000
0x0040698e
0x00406993
0x00406998
0x00406a53
0x00406a5a
0x00406a5a

APIs

IsWindowVisible.USER32 ref: 004069AA
CallWindowProcA.USER32 ref: 00406A4B

Part of subcall function 0040476D: SendMessageA.USER32 ref: 00404794

Strings

Immunity Debugger Setup: Completed, xrefs: 004069ED, 00406A1A
, xrefs: 0040697A

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $Immunity Debugger Setup: Completed
API String ID: 3748168415-2620869181
Opcode ID: f9c0f9e16e74f8352496baecf472a6626d3a03f22172073c08023046bd69594a
Instruction ID: 3b08ae08d9735405f9d67f3f10abe6c05918c5c6f953439bbbec7c5adc1b9571
Opcode Fuzzy Hash: f9c0f9e16e74f8352496baecf472a6626d3a03f22172073c08023046bd69594a
Instruction Fuzzy Hash: 0E2121B0518314AFD710BF59D98066BB7E8EB84718F41883FF985A3381D37968518BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402572, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00406A5D: SetWindowTextA.USER32(00000000,00000000), ref: 00406AF3
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B2C
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B5D
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B7F

Part of subcall function 00407100: CreateProcessA.KERNEL32 ref: 0040715D
Part of subcall function 00407100: CloseHandle.KERNEL32 ref: 00407171

WaitForSingleObject.KERNEL32 ref: 004025C8
GetExitCodeProcess.KERNEL32 ref: 004025E0
CloseHandle.KERNEL32 ref: 00402616

Strings

d, xrefs: 004025BD

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindow
String ID: d
API String ID: 3497458054-2564639436
Opcode ID: c847e63f1c0c56f5cf350884e963a6cfc560a698d4f512a960c638150af2ac25
Instruction ID: a04a261822fa13e78cf14fea1682fe84556dcbc580bc0c3d0c781e7a5d7fb5b8
Opcode Fuzzy Hash: c847e63f1c0c56f5cf350884e963a6cfc560a698d4f512a960c638150af2ac25
Instruction Fuzzy Hash: 0B118EB1905310EAC710AF65898479EBAF4EF88B14F11497EF985B32C2D2B95D40CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402781, Relevance: 6.1, APIs: 4, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402781(intOrPtr* __eax, void* __ebx, char __ecx, void* __edx, intOrPtr* __edi) {
				char _t38;
				void* _t41;

				_t41 = __edx;
				_t38 = __ecx;
				 *__edi =  *__edi + __ecx;
				 *((char*)(__ecx)) = __ecx;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(__eax - 0x10)) =  *((intOrPtr*)(__eax - 0x10)) + __ebx;
			}

0x00402781
0x00402781
0x00402786
0x00402788
0x0040278a
0x0040278c

APIs

GetModuleHandleA.KERNEL32 ref: 004027AE

Part of subcall function 00406A5D: SetWindowTextA.USER32(00000000,00000000), ref: 00406AF3
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B2C
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B5D
Part of subcall function 00406A5D: SendMessageA.USER32 ref: 00406B7F

LoadLibraryExA.KERNEL32 ref: 004027CD
GetProcAddress.KERNEL32 ref: 004027E6
FreeLibrary.KERNEL32 ref: 00402874

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: MessageSend$Library$AddressFreeHandleLoadModuleProcTextWindow
String ID:
API String ID: 2049714024-0
Opcode ID: 9a01322adce287887c53fb3e89c58882aa0638896c2ea57728ffc75bcfc44e70
Instruction ID: af119c1ed8b636d47e55b94e6de8cac0a4e3906f1ee1b1adb66028be94e84a58
Opcode Fuzzy Hash: 9a01322adce287887c53fb3e89c58882aa0638896c2ea57728ffc75bcfc44e70
Instruction Fuzzy Hash: C23195B19043119FD7007F35898436EBAE8AF84718F15893FE984A72C2E7BC8C45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004076A0, Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,?,?,00000000,?,00000000,?,00403FEE), ref: 00407704
CharNextA.USER32(?,?,?,?,?,00000000,?,00000000,?,00403FEE), ref: 00407722
CharNextA.USER32(?,?,00000000,?,00000000,?,00403FEE), ref: 0040772D
CharPrevA.USER32(?,?,?,00000000,?,00000000,?,00403FEE), ref: 00407745

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID:
API String ID: 589700163-0
Opcode ID: 3350aa5bbe843ac7b6bfc9fe3c251623384593e7f72c0bbcf5f5bfc747817d4c
Instruction ID: 495e7b782d379a8b479215f773338bc742cc2b732f6d6d29bff0a531603f07b3
Opcode Fuzzy Hash: 3350aa5bbe843ac7b6bfc9fe3c251623384593e7f72c0bbcf5f5bfc747817d4c
Instruction Fuzzy Hash: 4A21A3B1C0C740AEEB216F39888177ABFE49B85750F4588BFE4C457282E3796841876B

Uniqueness

Uniqueness Score: -1.00%

Function 004080B2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 004080C5
PeekMessageA.USER32 ref: 004080E6

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004080B6

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: Message$DispatchPeek
String ID: Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error
API String ID: 1770753511-4070331281
Opcode ID: 8e0ad5247df5f9fbc20e452aa1bfd723e81af41767b9517d0d03c07c2ba81a5f
Instruction ID: 991efd49862811d6e7a8037ca616b4dec007c6f99a3aee42a1a872fbd1453bce
Opcode Fuzzy Hash: 8e0ad5247df5f9fbc20e452aa1bfd723e81af41767b9517d0d03c07c2ba81a5f
Instruction Fuzzy Hash: 34E065B14093059BC700AF15C58169FBFF8EB10398F01882FF48563242D37699588BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00407298, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 004072A5
CharPrevA.USER32 ref: 004072B9

Strings

Error launching installer, xrefs: 0040729B

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: Error launching installer
API String ID: 2709904686-66219284
Opcode ID: 3f102c18c37614bce289e8ebc88f827b9b32d33fedb8843f928347a96a88783a
Instruction ID: 92c85f4251a43b3d0950b4e6373950790f0a48f67f8b417584a71efd658b73b9
Opcode Fuzzy Hash: 3f102c18c37614bce289e8ebc88f827b9b32d33fedb8843f928347a96a88783a
Instruction Fuzzy Hash: 35E04FE0918389AFE700FF25CCC1A2B7EA8AB15348F0549BDA18597383D278AC408736

Uniqueness

Uniqueness Score: -1.00%

Function 0040737D, Relevance: 5.0, APIs: 4, Instructions: 44stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0040738F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004073AE
CharNextA.USER32(?,?,00000000,00000000), ref: 004073C1
lstrlenA.KERNEL32(00000000), ref: 004073CC

Memory Dump Source

Source File: 00000000.00000002.498564047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.498548554.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498589462.000000000040B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.498599382.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498668251.000000000042D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498680193.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498696124.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.498708090.000000000043C000.00000008.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ImmunityDebugger_1_85_setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: acd97e64683cdf00c1b0d164e2d81dae4e785f5899e31beef44683a377b769bd
Instruction ID: 61c25bd79658a8c86d81821d880fb14c54426ec009de4acacc40feb8999eb8e8
Opcode Fuzzy Hash: acd97e64683cdf00c1b0d164e2d81dae4e785f5899e31beef44683a377b769bd
Instruction Fuzzy Hash: CF017C74509245AED710AF7A98C09AEBBE4EF49314F00483EEDC497342D138A844C7A6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ImmunityDebugger_1_85_setup.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: ImmunityDebugger_1_85_setup.exe PID: 6200 Parent PID: 5668

General

Chronological Activities

Disassembly

Function 00406B9F, Relevance: 65.1, APIs: 36, Strings: 1, Instructions: 339
windowclipboardmemoryCOMMON

Function 0040407F, Relevance: 49.3, APIs: 20, Strings: 8, Instructions: 331
filecomstringCOMMON

Function 004053A4, Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 293
COMMON

Function 00407769, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 225
stringCOMMON

Function 004028AD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
comCOMMON

Function 00404C82, Relevance: 61.7, APIs: 32, Strings: 3, Instructions: 433
windowCOMMON

Function 004057D7, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 225
windowCOMMON

Function 00405B86, Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 251
registrylibrarystringCOMMON

Function 00403CB7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 198
memoryCOMMON

Function 00403A01, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 187
fileCOMMON

Function 00401AC9, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 185
timeCOMMON

Function 004033BA, Relevance: 10.6, APIs: 7, Instructions: 130
memoryfileCOMMON

Function 00406A5D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85
windowCOMMON

Function 00401834, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
COMMON

Function 00402D38, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
registryCOMMON

Function 004074FE, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
registryCOMMON

Function 00407A78, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
stringCOMMON

Function 00402E70, Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Function 00404874, Relevance: 3.0, APIs: 2, Instructions: 45
comCOMMON

Function 00401487, Relevance: 1.5, APIs: 1, Instructions: 29
registryCOMMON

Function 00403FDC, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 00407E0E, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 193
filestringCOMMON

Function 0040334A, Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 164
COMMON

Function 00407B78, Relevance: 16.7, APIs: 11, Instructions: 171
filememoryCOMMON